Merge commit 'v3.3-rc6' into android-3.3
[linux-2.6.git] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/debugfs.h>
37 #include <linux/seq_file.h>
38 #include <linux/net.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41 #include <linux/slab.h>
42
43 #include <net/sock.h>
44 #include <linux/uaccess.h>
45 #include <asm/unaligned.h>
46
47 #include <net/bluetooth/bluetooth.h>
48 #include <net/bluetooth/hci_core.h>
49 #include <net/bluetooth/l2cap.h>
50 #include <net/bluetooth/rfcomm.h>
51
52 #define VERSION "1.11"
53
54 static bool disable_cfc;
55 static bool l2cap_ertm;
56 static int channel_mtu = -1;
57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58
59 static struct task_struct *rfcomm_thread;
60
61 static DEFINE_MUTEX(rfcomm_mutex);
62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64
65
66 static LIST_HEAD(session_list);
67
68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78
79 static void rfcomm_process_connect(struct rfcomm_session *s);
80
81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
82                                                         bdaddr_t *dst,
83                                                         u8 sec_level,
84                                                         int *err);
85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
86 static void rfcomm_session_del(struct rfcomm_session *s);
87
88 /* ---- RFCOMM frame parsing macros ---- */
89 #define __get_dlci(b)     ((b & 0xfc) >> 2)
90 #define __get_channel(b)  ((b & 0xf8) >> 3)
91 #define __get_dir(b)      ((b & 0x04) >> 2)
92 #define __get_type(b)     ((b & 0xef))
93
94 #define __test_ea(b)      ((b & 0x01))
95 #define __test_cr(b)      ((b & 0x02))
96 #define __test_pf(b)      ((b & 0x10))
97
98 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
99 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
100 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
101 #define __srv_channel(dlci)    (dlci >> 1)
102 #define __dir(dlci)            (dlci & 0x01)
103
104 #define __len8(len)       (((len) << 1) | 1)
105 #define __len16(len)      ((len) << 1)
106
107 /* MCC macros */
108 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
110 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
111
112 /* RPN macros */
113 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
114 #define __get_rpn_data_bits(line) ((line) & 0x3)
115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
116 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
117
118 static inline void rfcomm_schedule(void)
119 {
120         if (!rfcomm_thread)
121                 return;
122         wake_up_process(rfcomm_thread);
123 }
124
125 static inline void rfcomm_session_put(struct rfcomm_session *s)
126 {
127         if (atomic_dec_and_test(&s->refcnt))
128                 rfcomm_session_del(s);
129 }
130
131 /* ---- RFCOMM FCS computation ---- */
132
133 /* reversed, 8-bit, poly=0x07 */
134 static unsigned char rfcomm_crc_table[256] = {
135         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
136         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
137         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
138         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
139
140         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
141         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
142         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
143         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
144
145         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
146         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
147         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
148         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
149
150         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
151         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
152         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
153         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
154
155         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
156         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
157         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
158         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
159
160         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
161         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
162         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
163         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
164
165         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
166         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
167         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
168         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
169
170         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
171         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
172         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
173         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
174 };
175
176 /* CRC on 2 bytes */
177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
178
179 /* FCS on 2 bytes */
180 static inline u8 __fcs(u8 *data)
181 {
182         return 0xff - __crc(data);
183 }
184
185 /* FCS on 3 bytes */
186 static inline u8 __fcs2(u8 *data)
187 {
188         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
189 }
190
191 /* Check FCS */
192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
193 {
194         u8 f = __crc(data);
195
196         if (type != RFCOMM_UIH)
197                 f = rfcomm_crc_table[f ^ data[2]];
198
199         return rfcomm_crc_table[f ^ fcs] != 0xcf;
200 }
201
202 /* ---- L2CAP callbacks ---- */
203 static void rfcomm_l2state_change(struct sock *sk)
204 {
205         BT_DBG("%p state %d", sk, sk->sk_state);
206         rfcomm_schedule();
207 }
208
209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
210 {
211         BT_DBG("%p bytes %d", sk, bytes);
212         rfcomm_schedule();
213 }
214
215 static int rfcomm_l2sock_create(struct socket **sock)
216 {
217         int err;
218
219         BT_DBG("");
220
221         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
222         if (!err) {
223                 struct sock *sk = (*sock)->sk;
224                 sk->sk_data_ready   = rfcomm_l2data_ready;
225                 sk->sk_state_change = rfcomm_l2state_change;
226         }
227         return err;
228 }
229
230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
231 {
232         struct sock *sk = d->session->sock->sk;
233         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
234
235         __u8 auth_type;
236
237         switch (d->sec_level) {
238         case BT_SECURITY_HIGH:
239                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
240                 break;
241         case BT_SECURITY_MEDIUM:
242                 auth_type = HCI_AT_GENERAL_BONDING;
243                 break;
244         default:
245                 auth_type = HCI_AT_NO_BONDING;
246                 break;
247         }
248
249         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250 }
251
252 static void rfcomm_session_timeout(unsigned long arg)
253 {
254         struct rfcomm_session *s = (void *) arg;
255
256         BT_DBG("session %p state %ld", s, s->state);
257
258         set_bit(RFCOMM_TIMED_OUT, &s->flags);
259         rfcomm_schedule();
260 }
261
262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
263 {
264         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
265
266         if (!mod_timer(&s->timer, jiffies + timeout))
267                 rfcomm_session_hold(s);
268 }
269
270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
271 {
272         BT_DBG("session %p state %ld", s, s->state);
273
274         if (timer_pending(&s->timer) && del_timer(&s->timer))
275                 rfcomm_session_put(s);
276 }
277
278 /* ---- RFCOMM DLCs ---- */
279 static void rfcomm_dlc_timeout(unsigned long arg)
280 {
281         struct rfcomm_dlc *d = (void *) arg;
282
283         BT_DBG("dlc %p state %ld", d, d->state);
284
285         set_bit(RFCOMM_TIMED_OUT, &d->flags);
286         rfcomm_dlc_put(d);
287         rfcomm_schedule();
288 }
289
290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
291 {
292         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
293
294         if (!mod_timer(&d->timer, jiffies + timeout))
295                 rfcomm_dlc_hold(d);
296 }
297
298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
299 {
300         BT_DBG("dlc %p state %ld", d, d->state);
301
302         if (timer_pending(&d->timer) && del_timer(&d->timer))
303                 rfcomm_dlc_put(d);
304 }
305
306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
307 {
308         BT_DBG("%p", d);
309
310         d->state      = BT_OPEN;
311         d->flags      = 0;
312         d->mscex      = 0;
313         d->sec_level  = BT_SECURITY_LOW;
314         d->mtu        = RFCOMM_DEFAULT_MTU;
315         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
316
317         d->cfc        = RFCOMM_CFC_DISABLED;
318         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
319 }
320
321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
322 {
323         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
324
325         if (!d)
326                 return NULL;
327
328         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
329
330         skb_queue_head_init(&d->tx_queue);
331         spin_lock_init(&d->lock);
332         atomic_set(&d->refcnt, 1);
333
334         rfcomm_dlc_clear_state(d);
335
336         BT_DBG("%p", d);
337
338         return d;
339 }
340
341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
342 {
343         BT_DBG("%p", d);
344
345         skb_queue_purge(&d->tx_queue);
346         kfree(d);
347 }
348
349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
350 {
351         BT_DBG("dlc %p session %p", d, s);
352
353         rfcomm_session_hold(s);
354
355         rfcomm_session_clear_timer(s);
356         rfcomm_dlc_hold(d);
357         list_add(&d->list, &s->dlcs);
358         d->session = s;
359 }
360
361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
362 {
363         struct rfcomm_session *s = d->session;
364
365         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
366
367         list_del(&d->list);
368         d->session = NULL;
369         rfcomm_dlc_put(d);
370
371         if (list_empty(&s->dlcs))
372                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
373
374         rfcomm_session_put(s);
375 }
376
377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
378 {
379         struct rfcomm_dlc *d;
380
381         list_for_each_entry(d, &s->dlcs, list)
382                 if (d->dlci == dlci)
383                         return d;
384
385         return NULL;
386 }
387
388 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
389 {
390         struct rfcomm_session *s;
391         int err = 0;
392         u8 dlci;
393
394         BT_DBG("dlc %p state %ld %s %s channel %d",
395                         d, d->state, batostr(src), batostr(dst), channel);
396
397         if (channel < 1 || channel > 30)
398                 return -EINVAL;
399
400         if (d->state != BT_OPEN && d->state != BT_CLOSED)
401                 return 0;
402
403         s = rfcomm_session_get(src, dst);
404         if (!s) {
405                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
406                 if (!s)
407                         return err;
408         }
409
410         dlci = __dlci(!s->initiator, channel);
411
412         /* Check if DLCI already exists */
413         if (rfcomm_dlc_get(s, dlci))
414                 return -EBUSY;
415
416         rfcomm_dlc_clear_state(d);
417
418         d->dlci     = dlci;
419         d->addr     = __addr(s->initiator, dlci);
420         d->priority = 7;
421
422         d->state = BT_CONFIG;
423         rfcomm_dlc_link(s, d);
424
425         d->out = 1;
426
427         d->mtu = s->mtu;
428         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
429
430         if (s->state == BT_CONNECTED) {
431                 if (rfcomm_check_security(d))
432                         rfcomm_send_pn(s, 1, d);
433                 else
434                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
435         }
436
437         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
438
439         return 0;
440 }
441
442 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
443 {
444         int r;
445
446         rfcomm_lock();
447
448         r = __rfcomm_dlc_open(d, src, dst, channel);
449
450         rfcomm_unlock();
451         return r;
452 }
453
454 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
455 {
456         struct rfcomm_session *s = d->session;
457         if (!s)
458                 return 0;
459
460         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
461                         d, d->state, d->dlci, err, s);
462
463         switch (d->state) {
464         case BT_CONNECT:
465                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467                         rfcomm_schedule();
468                         break;
469                 }
470                 /* Fall through */
471
472         case BT_CONNECTED:
473                 d->state = BT_DISCONN;
474                 if (skb_queue_empty(&d->tx_queue)) {
475                         rfcomm_send_disc(s, d->dlci);
476                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
477                 } else {
478                         rfcomm_queue_disc(d);
479                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
480                 }
481                 break;
482
483         case BT_OPEN:
484         case BT_CONNECT2:
485                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
486                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
487                         rfcomm_schedule();
488                         break;
489                 }
490                 /* Fall through */
491
492         default:
493                 rfcomm_dlc_clear_timer(d);
494
495                 rfcomm_dlc_lock(d);
496                 d->state = BT_CLOSED;
497                 d->state_change(d, err);
498                 rfcomm_dlc_unlock(d);
499
500                 skb_queue_purge(&d->tx_queue);
501                 rfcomm_dlc_unlink(d);
502         }
503
504         return 0;
505 }
506
507 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
508 {
509         int r;
510
511         rfcomm_lock();
512
513         r = __rfcomm_dlc_close(d, err);
514
515         rfcomm_unlock();
516         return r;
517 }
518
519 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
520 {
521         int len = skb->len;
522
523         if (d->state != BT_CONNECTED)
524                 return -ENOTCONN;
525
526         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
527
528         if (len > d->mtu)
529                 return -EINVAL;
530
531         rfcomm_make_uih(skb, d->addr);
532         skb_queue_tail(&d->tx_queue, skb);
533
534         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
535                 rfcomm_schedule();
536         return len;
537 }
538
539 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
540 {
541         BT_DBG("dlc %p state %ld", d, d->state);
542
543         if (!d->cfc) {
544                 d->v24_sig |= RFCOMM_V24_FC;
545                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
546         }
547         rfcomm_schedule();
548 }
549
550 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
551 {
552         BT_DBG("dlc %p state %ld", d, d->state);
553
554         if (!d->cfc) {
555                 d->v24_sig &= ~RFCOMM_V24_FC;
556                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
557         }
558         rfcomm_schedule();
559 }
560
561 /*
562    Set/get modem status functions use _local_ status i.e. what we report
563    to the other side.
564    Remote status is provided by dlc->modem_status() callback.
565  */
566 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
567 {
568         BT_DBG("dlc %p state %ld v24_sig 0x%x",
569                         d, d->state, v24_sig);
570
571         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
572                 v24_sig |= RFCOMM_V24_FC;
573         else
574                 v24_sig &= ~RFCOMM_V24_FC;
575
576         d->v24_sig = v24_sig;
577
578         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
579                 rfcomm_schedule();
580
581         return 0;
582 }
583
584 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
585 {
586         BT_DBG("dlc %p state %ld v24_sig 0x%x",
587                         d, d->state, d->v24_sig);
588
589         *v24_sig = d->v24_sig;
590         return 0;
591 }
592
593 /* ---- RFCOMM sessions ---- */
594 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
595 {
596         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
597
598         if (!s)
599                 return NULL;
600
601         BT_DBG("session %p sock %p", s, sock);
602
603         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
604
605         INIT_LIST_HEAD(&s->dlcs);
606         s->state = state;
607         s->sock  = sock;
608
609         s->mtu = RFCOMM_DEFAULT_MTU;
610         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
611
612         /* Do not increment module usage count for listening sessions.
613          * Otherwise we won't be able to unload the module. */
614         if (state != BT_LISTEN)
615                 if (!try_module_get(THIS_MODULE)) {
616                         kfree(s);
617                         return NULL;
618                 }
619
620         list_add(&s->list, &session_list);
621
622         return s;
623 }
624
625 static void rfcomm_session_del(struct rfcomm_session *s)
626 {
627         int state = s->state;
628
629         BT_DBG("session %p state %ld", s, s->state);
630
631         list_del(&s->list);
632
633         if (state == BT_CONNECTED)
634                 rfcomm_send_disc(s, 0);
635
636         rfcomm_session_clear_timer(s);
637         sock_release(s->sock);
638         kfree(s);
639
640         if (state != BT_LISTEN)
641                 module_put(THIS_MODULE);
642 }
643
644 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
645 {
646         struct rfcomm_session *s;
647         struct list_head *p, *n;
648         struct bt_sock *sk;
649         list_for_each_safe(p, n, &session_list) {
650                 s = list_entry(p, struct rfcomm_session, list);
651                 sk = bt_sk(s->sock->sk);
652
653                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
654                                 !bacmp(&sk->dst, dst))
655                         return s;
656         }
657         return NULL;
658 }
659
660 static void rfcomm_session_close(struct rfcomm_session *s, int err)
661 {
662         struct rfcomm_dlc *d;
663         struct list_head *p, *n;
664
665         BT_DBG("session %p state %ld err %d", s, s->state, err);
666
667         rfcomm_session_hold(s);
668
669         s->state = BT_CLOSED;
670
671         /* Close all dlcs */
672         list_for_each_safe(p, n, &s->dlcs) {
673                 d = list_entry(p, struct rfcomm_dlc, list);
674                 d->state = BT_CLOSED;
675                 __rfcomm_dlc_close(d, err);
676         }
677
678         rfcomm_session_clear_timer(s);
679         rfcomm_session_put(s);
680 }
681
682 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
683                                                         bdaddr_t *dst,
684                                                         u8 sec_level,
685                                                         int *err)
686 {
687         struct rfcomm_session *s = NULL;
688         struct sockaddr_l2 addr;
689         struct socket *sock;
690         struct sock *sk;
691
692         BT_DBG("%s %s", batostr(src), batostr(dst));
693
694         *err = rfcomm_l2sock_create(&sock);
695         if (*err < 0)
696                 return NULL;
697
698         bacpy(&addr.l2_bdaddr, src);
699         addr.l2_family = AF_BLUETOOTH;
700         addr.l2_psm    = 0;
701         addr.l2_cid    = 0;
702         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
703         if (*err < 0)
704                 goto failed;
705
706         /* Set L2CAP options */
707         sk = sock->sk;
708         lock_sock(sk);
709         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
710         l2cap_pi(sk)->chan->sec_level = sec_level;
711         if (l2cap_ertm)
712                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
713         release_sock(sk);
714
715         s = rfcomm_session_add(sock, BT_BOUND);
716         if (!s) {
717                 *err = -ENOMEM;
718                 goto failed;
719         }
720
721         s->initiator = 1;
722
723         bacpy(&addr.l2_bdaddr, dst);
724         addr.l2_family = AF_BLUETOOTH;
725         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
726         addr.l2_cid    = 0;
727         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
728         if (*err == 0 || *err == -EINPROGRESS)
729                 return s;
730
731         rfcomm_session_del(s);
732         return NULL;
733
734 failed:
735         sock_release(sock);
736         return NULL;
737 }
738
739 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
740 {
741         struct sock *sk = s->sock->sk;
742         if (src)
743                 bacpy(src, &bt_sk(sk)->src);
744         if (dst)
745                 bacpy(dst, &bt_sk(sk)->dst);
746 }
747
748 /* ---- RFCOMM frame sending ---- */
749 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
750 {
751         struct kvec iv = { data, len };
752         struct msghdr msg;
753
754         BT_DBG("session %p len %d", s, len);
755
756         memset(&msg, 0, sizeof(msg));
757
758         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
759 }
760
761 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
762 {
763         BT_DBG("%p cmd %u", s, cmd->ctrl);
764
765         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
766 }
767
768 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
769 {
770         struct rfcomm_cmd cmd;
771
772         BT_DBG("%p dlci %d", s, dlci);
773
774         cmd.addr = __addr(s->initiator, dlci);
775         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
776         cmd.len  = __len8(0);
777         cmd.fcs  = __fcs2((u8 *) &cmd);
778
779         return rfcomm_send_cmd(s, &cmd);
780 }
781
782 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
783 {
784         struct rfcomm_cmd cmd;
785
786         BT_DBG("%p dlci %d", s, dlci);
787
788         cmd.addr = __addr(!s->initiator, dlci);
789         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
790         cmd.len  = __len8(0);
791         cmd.fcs  = __fcs2((u8 *) &cmd);
792
793         return rfcomm_send_cmd(s, &cmd);
794 }
795
796 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
797 {
798         struct rfcomm_cmd cmd;
799
800         BT_DBG("%p dlci %d", s, dlci);
801
802         cmd.addr = __addr(s->initiator, dlci);
803         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
804         cmd.len  = __len8(0);
805         cmd.fcs  = __fcs2((u8 *) &cmd);
806
807         return rfcomm_send_cmd(s, &cmd);
808 }
809
810 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
811 {
812         struct rfcomm_cmd *cmd;
813         struct sk_buff *skb;
814
815         BT_DBG("dlc %p dlci %d", d, d->dlci);
816
817         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
818         if (!skb)
819                 return -ENOMEM;
820
821         cmd = (void *) __skb_put(skb, sizeof(*cmd));
822         cmd->addr = d->addr;
823         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
824         cmd->len  = __len8(0);
825         cmd->fcs  = __fcs2((u8 *) cmd);
826
827         skb_queue_tail(&d->tx_queue, skb);
828         rfcomm_schedule();
829         return 0;
830 }
831
832 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
833 {
834         struct rfcomm_cmd cmd;
835
836         BT_DBG("%p dlci %d", s, dlci);
837
838         cmd.addr = __addr(!s->initiator, dlci);
839         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
840         cmd.len  = __len8(0);
841         cmd.fcs  = __fcs2((u8 *) &cmd);
842
843         return rfcomm_send_cmd(s, &cmd);
844 }
845
846 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
847 {
848         struct rfcomm_hdr *hdr;
849         struct rfcomm_mcc *mcc;
850         u8 buf[16], *ptr = buf;
851
852         BT_DBG("%p cr %d type %d", s, cr, type);
853
854         hdr = (void *) ptr; ptr += sizeof(*hdr);
855         hdr->addr = __addr(s->initiator, 0);
856         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
857         hdr->len  = __len8(sizeof(*mcc) + 1);
858
859         mcc = (void *) ptr; ptr += sizeof(*mcc);
860         mcc->type = __mcc_type(cr, RFCOMM_NSC);
861         mcc->len  = __len8(1);
862
863         /* Type that we didn't like */
864         *ptr = __mcc_type(cr, type); ptr++;
865
866         *ptr = __fcs(buf); ptr++;
867
868         return rfcomm_send_frame(s, buf, ptr - buf);
869 }
870
871 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
872 {
873         struct rfcomm_hdr *hdr;
874         struct rfcomm_mcc *mcc;
875         struct rfcomm_pn  *pn;
876         u8 buf[16], *ptr = buf;
877
878         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
879
880         hdr = (void *) ptr; ptr += sizeof(*hdr);
881         hdr->addr = __addr(s->initiator, 0);
882         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
883         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
884
885         mcc = (void *) ptr; ptr += sizeof(*mcc);
886         mcc->type = __mcc_type(cr, RFCOMM_PN);
887         mcc->len  = __len8(sizeof(*pn));
888
889         pn = (void *) ptr; ptr += sizeof(*pn);
890         pn->dlci        = d->dlci;
891         pn->priority    = d->priority;
892         pn->ack_timer   = 0;
893         pn->max_retrans = 0;
894
895         if (s->cfc) {
896                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
897                 pn->credits = RFCOMM_DEFAULT_CREDITS;
898         } else {
899                 pn->flow_ctrl = 0;
900                 pn->credits   = 0;
901         }
902
903         if (cr && channel_mtu >= 0)
904                 pn->mtu = cpu_to_le16(channel_mtu);
905         else
906                 pn->mtu = cpu_to_le16(d->mtu);
907
908         *ptr = __fcs(buf); ptr++;
909
910         return rfcomm_send_frame(s, buf, ptr - buf);
911 }
912
913 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
914                         u8 bit_rate, u8 data_bits, u8 stop_bits,
915                         u8 parity, u8 flow_ctrl_settings,
916                         u8 xon_char, u8 xoff_char, u16 param_mask)
917 {
918         struct rfcomm_hdr *hdr;
919         struct rfcomm_mcc *mcc;
920         struct rfcomm_rpn *rpn;
921         u8 buf[16], *ptr = buf;
922
923         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
924                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
925                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
926                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
927
928         hdr = (void *) ptr; ptr += sizeof(*hdr);
929         hdr->addr = __addr(s->initiator, 0);
930         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
931         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
932
933         mcc = (void *) ptr; ptr += sizeof(*mcc);
934         mcc->type = __mcc_type(cr, RFCOMM_RPN);
935         mcc->len  = __len8(sizeof(*rpn));
936
937         rpn = (void *) ptr; ptr += sizeof(*rpn);
938         rpn->dlci          = __addr(1, dlci);
939         rpn->bit_rate      = bit_rate;
940         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
941         rpn->flow_ctrl     = flow_ctrl_settings;
942         rpn->xon_char      = xon_char;
943         rpn->xoff_char     = xoff_char;
944         rpn->param_mask    = cpu_to_le16(param_mask);
945
946         *ptr = __fcs(buf); ptr++;
947
948         return rfcomm_send_frame(s, buf, ptr - buf);
949 }
950
951 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
952 {
953         struct rfcomm_hdr *hdr;
954         struct rfcomm_mcc *mcc;
955         struct rfcomm_rls *rls;
956         u8 buf[16], *ptr = buf;
957
958         BT_DBG("%p cr %d status 0x%x", s, cr, status);
959
960         hdr = (void *) ptr; ptr += sizeof(*hdr);
961         hdr->addr = __addr(s->initiator, 0);
962         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
963         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
964
965         mcc = (void *) ptr; ptr += sizeof(*mcc);
966         mcc->type = __mcc_type(cr, RFCOMM_RLS);
967         mcc->len  = __len8(sizeof(*rls));
968
969         rls = (void *) ptr; ptr += sizeof(*rls);
970         rls->dlci   = __addr(1, dlci);
971         rls->status = status;
972
973         *ptr = __fcs(buf); ptr++;
974
975         return rfcomm_send_frame(s, buf, ptr - buf);
976 }
977
978 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
979 {
980         struct rfcomm_hdr *hdr;
981         struct rfcomm_mcc *mcc;
982         struct rfcomm_msc *msc;
983         u8 buf[16], *ptr = buf;
984
985         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
986
987         hdr = (void *) ptr; ptr += sizeof(*hdr);
988         hdr->addr = __addr(s->initiator, 0);
989         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
990         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
991
992         mcc = (void *) ptr; ptr += sizeof(*mcc);
993         mcc->type = __mcc_type(cr, RFCOMM_MSC);
994         mcc->len  = __len8(sizeof(*msc));
995
996         msc = (void *) ptr; ptr += sizeof(*msc);
997         msc->dlci    = __addr(1, dlci);
998         msc->v24_sig = v24_sig | 0x01;
999
1000         *ptr = __fcs(buf); ptr++;
1001
1002         return rfcomm_send_frame(s, buf, ptr - buf);
1003 }
1004
1005 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1006 {
1007         struct rfcomm_hdr *hdr;
1008         struct rfcomm_mcc *mcc;
1009         u8 buf[16], *ptr = buf;
1010
1011         BT_DBG("%p cr %d", s, cr);
1012
1013         hdr = (void *) ptr; ptr += sizeof(*hdr);
1014         hdr->addr = __addr(s->initiator, 0);
1015         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1016         hdr->len  = __len8(sizeof(*mcc));
1017
1018         mcc = (void *) ptr; ptr += sizeof(*mcc);
1019         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1020         mcc->len  = __len8(0);
1021
1022         *ptr = __fcs(buf); ptr++;
1023
1024         return rfcomm_send_frame(s, buf, ptr - buf);
1025 }
1026
1027 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1028 {
1029         struct rfcomm_hdr *hdr;
1030         struct rfcomm_mcc *mcc;
1031         u8 buf[16], *ptr = buf;
1032
1033         BT_DBG("%p cr %d", s, cr);
1034
1035         hdr = (void *) ptr; ptr += sizeof(*hdr);
1036         hdr->addr = __addr(s->initiator, 0);
1037         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1038         hdr->len  = __len8(sizeof(*mcc));
1039
1040         mcc = (void *) ptr; ptr += sizeof(*mcc);
1041         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1042         mcc->len  = __len8(0);
1043
1044         *ptr = __fcs(buf); ptr++;
1045
1046         return rfcomm_send_frame(s, buf, ptr - buf);
1047 }
1048
1049 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1050 {
1051         struct socket *sock = s->sock;
1052         struct kvec iv[3];
1053         struct msghdr msg;
1054         unsigned char hdr[5], crc[1];
1055
1056         if (len > 125)
1057                 return -EINVAL;
1058
1059         BT_DBG("%p cr %d", s, cr);
1060
1061         hdr[0] = __addr(s->initiator, 0);
1062         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1063         hdr[2] = 0x01 | ((len + 2) << 1);
1064         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1065         hdr[4] = 0x01 | (len << 1);
1066
1067         crc[0] = __fcs(hdr);
1068
1069         iv[0].iov_base = hdr;
1070         iv[0].iov_len  = 5;
1071         iv[1].iov_base = pattern;
1072         iv[1].iov_len  = len;
1073         iv[2].iov_base = crc;
1074         iv[2].iov_len  = 1;
1075
1076         memset(&msg, 0, sizeof(msg));
1077
1078         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1079 }
1080
1081 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1082 {
1083         struct rfcomm_hdr *hdr;
1084         u8 buf[16], *ptr = buf;
1085
1086         BT_DBG("%p addr %d credits %d", s, addr, credits);
1087
1088         hdr = (void *) ptr; ptr += sizeof(*hdr);
1089         hdr->addr = addr;
1090         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1091         hdr->len  = __len8(0);
1092
1093         *ptr = credits; ptr++;
1094
1095         *ptr = __fcs(buf); ptr++;
1096
1097         return rfcomm_send_frame(s, buf, ptr - buf);
1098 }
1099
1100 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1101 {
1102         struct rfcomm_hdr *hdr;
1103         int len = skb->len;
1104         u8 *crc;
1105
1106         if (len > 127) {
1107                 hdr = (void *) skb_push(skb, 4);
1108                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1109         } else {
1110                 hdr = (void *) skb_push(skb, 3);
1111                 hdr->len = __len8(len);
1112         }
1113         hdr->addr = addr;
1114         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1115
1116         crc = skb_put(skb, 1);
1117         *crc = __fcs((void *) hdr);
1118 }
1119
1120 /* ---- RFCOMM frame reception ---- */
1121 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1122 {
1123         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1124
1125         if (dlci) {
1126                 /* Data channel */
1127                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1128                 if (!d) {
1129                         rfcomm_send_dm(s, dlci);
1130                         return 0;
1131                 }
1132
1133                 switch (d->state) {
1134                 case BT_CONNECT:
1135                         rfcomm_dlc_clear_timer(d);
1136
1137                         rfcomm_dlc_lock(d);
1138                         d->state = BT_CONNECTED;
1139                         d->state_change(d, 0);
1140                         rfcomm_dlc_unlock(d);
1141
1142                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1143                         break;
1144
1145                 case BT_DISCONN:
1146                         d->state = BT_CLOSED;
1147                         __rfcomm_dlc_close(d, 0);
1148
1149                         if (list_empty(&s->dlcs)) {
1150                                 s->state = BT_DISCONN;
1151                                 rfcomm_send_disc(s, 0);
1152                                 rfcomm_session_clear_timer(s);
1153                         }
1154
1155                         break;
1156                 }
1157         } else {
1158                 /* Control channel */
1159                 switch (s->state) {
1160                 case BT_CONNECT:
1161                         s->state = BT_CONNECTED;
1162                         rfcomm_process_connect(s);
1163                         break;
1164
1165                 case BT_DISCONN:
1166                         /* rfcomm_session_put is called later so don't do
1167                          * anything here otherwise we will mess up the session
1168                          * reference counter:
1169                          *
1170                          * (a) when we are the initiator dlc_unlink will drive
1171                          * the reference counter to 0 (there is no initial put
1172                          * after session_add)
1173                          *
1174                          * (b) when we are not the initiator rfcomm_rx_process
1175                          * will explicitly call put to balance the initial hold
1176                          * done after session add.
1177                          */
1178                         break;
1179                 }
1180         }
1181         return 0;
1182 }
1183
1184 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1185 {
1186         int err = 0;
1187
1188         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1189
1190         if (dlci) {
1191                 /* Data DLC */
1192                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1193                 if (d) {
1194                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1195                                 err = ECONNREFUSED;
1196                         else
1197                                 err = ECONNRESET;
1198
1199                         d->state = BT_CLOSED;
1200                         __rfcomm_dlc_close(d, err);
1201                 }
1202         } else {
1203                 if (s->state == BT_CONNECT)
1204                         err = ECONNREFUSED;
1205                 else
1206                         err = ECONNRESET;
1207
1208                 s->state = BT_CLOSED;
1209                 rfcomm_session_close(s, err);
1210         }
1211         return 0;
1212 }
1213
1214 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1215 {
1216         int err = 0;
1217
1218         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1219
1220         if (dlci) {
1221                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1222                 if (d) {
1223                         rfcomm_send_ua(s, dlci);
1224
1225                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1226                                 err = ECONNREFUSED;
1227                         else
1228                                 err = ECONNRESET;
1229
1230                         d->state = BT_CLOSED;
1231                         __rfcomm_dlc_close(d, err);
1232                 } else
1233                         rfcomm_send_dm(s, dlci);
1234
1235         } else {
1236                 rfcomm_send_ua(s, 0);
1237
1238                 if (s->state == BT_CONNECT)
1239                         err = ECONNREFUSED;
1240                 else
1241                         err = ECONNRESET;
1242
1243                 s->state = BT_CLOSED;
1244                 rfcomm_session_close(s, err);
1245         }
1246
1247         return 0;
1248 }
1249
1250 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1251 {
1252         struct sock *sk = d->session->sock->sk;
1253         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1254
1255         BT_DBG("dlc %p", d);
1256
1257         rfcomm_send_ua(d->session, d->dlci);
1258
1259         rfcomm_dlc_clear_timer(d);
1260
1261         rfcomm_dlc_lock(d);
1262         d->state = BT_CONNECTED;
1263         d->state_change(d, 0);
1264         rfcomm_dlc_unlock(d);
1265
1266         if (d->role_switch)
1267                 hci_conn_switch_role(conn->hcon, 0x00);
1268
1269         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1270 }
1271
1272 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1273 {
1274         if (rfcomm_check_security(d)) {
1275                 if (d->defer_setup) {
1276                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1277                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1278
1279                         rfcomm_dlc_lock(d);
1280                         d->state = BT_CONNECT2;
1281                         d->state_change(d, 0);
1282                         rfcomm_dlc_unlock(d);
1283                 } else
1284                         rfcomm_dlc_accept(d);
1285         } else {
1286                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1287                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1288         }
1289 }
1290
1291 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1292 {
1293         struct rfcomm_dlc *d;
1294         u8 channel;
1295
1296         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1297
1298         if (!dlci) {
1299                 rfcomm_send_ua(s, 0);
1300
1301                 if (s->state == BT_OPEN) {
1302                         s->state = BT_CONNECTED;
1303                         rfcomm_process_connect(s);
1304                 }
1305                 return 0;
1306         }
1307
1308         /* Check if DLC exists */
1309         d = rfcomm_dlc_get(s, dlci);
1310         if (d) {
1311                 if (d->state == BT_OPEN) {
1312                         /* DLC was previously opened by PN request */
1313                         rfcomm_check_accept(d);
1314                 }
1315                 return 0;
1316         }
1317
1318         /* Notify socket layer about incoming connection */
1319         channel = __srv_channel(dlci);
1320         if (rfcomm_connect_ind(s, channel, &d)) {
1321                 d->dlci = dlci;
1322                 d->addr = __addr(s->initiator, dlci);
1323                 rfcomm_dlc_link(s, d);
1324
1325                 rfcomm_check_accept(d);
1326         } else {
1327                 rfcomm_send_dm(s, dlci);
1328         }
1329
1330         return 0;
1331 }
1332
1333 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1334 {
1335         struct rfcomm_session *s = d->session;
1336
1337         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1338                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1339
1340         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1341                                                 pn->flow_ctrl == 0xe0) {
1342                 d->cfc = RFCOMM_CFC_ENABLED;
1343                 d->tx_credits = pn->credits;
1344         } else {
1345                 d->cfc = RFCOMM_CFC_DISABLED;
1346                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1347         }
1348
1349         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1350                 s->cfc = d->cfc;
1351
1352         d->priority = pn->priority;
1353
1354         d->mtu = __le16_to_cpu(pn->mtu);
1355
1356         if (cr && d->mtu > s->mtu)
1357                 d->mtu = s->mtu;
1358
1359         return 0;
1360 }
1361
1362 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1363 {
1364         struct rfcomm_pn *pn = (void *) skb->data;
1365         struct rfcomm_dlc *d;
1366         u8 dlci = pn->dlci;
1367
1368         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1369
1370         if (!dlci)
1371                 return 0;
1372
1373         d = rfcomm_dlc_get(s, dlci);
1374         if (d) {
1375                 if (cr) {
1376                         /* PN request */
1377                         rfcomm_apply_pn(d, cr, pn);
1378                         rfcomm_send_pn(s, 0, d);
1379                 } else {
1380                         /* PN response */
1381                         switch (d->state) {
1382                         case BT_CONFIG:
1383                                 rfcomm_apply_pn(d, cr, pn);
1384
1385                                 d->state = BT_CONNECT;
1386                                 rfcomm_send_sabm(s, d->dlci);
1387                                 break;
1388                         }
1389                 }
1390         } else {
1391                 u8 channel = __srv_channel(dlci);
1392
1393                 if (!cr)
1394                         return 0;
1395
1396                 /* PN request for non existing DLC.
1397                  * Assume incoming connection. */
1398                 if (rfcomm_connect_ind(s, channel, &d)) {
1399                         d->dlci = dlci;
1400                         d->addr = __addr(s->initiator, dlci);
1401                         rfcomm_dlc_link(s, d);
1402
1403                         rfcomm_apply_pn(d, cr, pn);
1404
1405                         d->state = BT_OPEN;
1406                         rfcomm_send_pn(s, 0, d);
1407                 } else {
1408                         rfcomm_send_dm(s, dlci);
1409                 }
1410         }
1411         return 0;
1412 }
1413
1414 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1415 {
1416         struct rfcomm_rpn *rpn = (void *) skb->data;
1417         u8 dlci = __get_dlci(rpn->dlci);
1418
1419         u8 bit_rate  = 0;
1420         u8 data_bits = 0;
1421         u8 stop_bits = 0;
1422         u8 parity    = 0;
1423         u8 flow_ctrl = 0;
1424         u8 xon_char  = 0;
1425         u8 xoff_char = 0;
1426         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1427
1428         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1429                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1430                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1431
1432         if (!cr)
1433                 return 0;
1434
1435         if (len == 1) {
1436                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1437                 bit_rate  = RFCOMM_RPN_BR_9600;
1438                 data_bits = RFCOMM_RPN_DATA_8;
1439                 stop_bits = RFCOMM_RPN_STOP_1;
1440                 parity    = RFCOMM_RPN_PARITY_NONE;
1441                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1442                 xon_char  = RFCOMM_RPN_XON_CHAR;
1443                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1444                 goto rpn_out;
1445         }
1446
1447         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1448          * no parity, no flow control lines, normal XON/XOFF chars */
1449
1450         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1451                 bit_rate = rpn->bit_rate;
1452                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1453                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1454                         bit_rate = RFCOMM_RPN_BR_9600;
1455                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1456                 }
1457         }
1458
1459         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1460                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1461                 if (data_bits != RFCOMM_RPN_DATA_8) {
1462                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1463                         data_bits = RFCOMM_RPN_DATA_8;
1464                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1465                 }
1466         }
1467
1468         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1469                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1470                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1471                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1472                         stop_bits = RFCOMM_RPN_STOP_1;
1473                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1474                 }
1475         }
1476
1477         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1478                 parity = __get_rpn_parity(rpn->line_settings);
1479                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1480                         BT_DBG("RPN parity mismatch 0x%x", parity);
1481                         parity = RFCOMM_RPN_PARITY_NONE;
1482                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1483                 }
1484         }
1485
1486         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1487                 flow_ctrl = rpn->flow_ctrl;
1488                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1489                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1490                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1491                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1492                 }
1493         }
1494
1495         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1496                 xon_char = rpn->xon_char;
1497                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1498                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1499                         xon_char = RFCOMM_RPN_XON_CHAR;
1500                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1501                 }
1502         }
1503
1504         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1505                 xoff_char = rpn->xoff_char;
1506                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1507                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1508                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1509                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1510                 }
1511         }
1512
1513 rpn_out:
1514         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1515                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1516
1517         return 0;
1518 }
1519
1520 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1521 {
1522         struct rfcomm_rls *rls = (void *) skb->data;
1523         u8 dlci = __get_dlci(rls->dlci);
1524
1525         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1526
1527         if (!cr)
1528                 return 0;
1529
1530         /* We should probably do something with this information here. But
1531          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1532          * mandatory to recognise and respond to RLS */
1533
1534         rfcomm_send_rls(s, 0, dlci, rls->status);
1535
1536         return 0;
1537 }
1538
1539 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1540 {
1541         struct rfcomm_msc *msc = (void *) skb->data;
1542         struct rfcomm_dlc *d;
1543         u8 dlci = __get_dlci(msc->dlci);
1544
1545         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1546
1547         d = rfcomm_dlc_get(s, dlci);
1548         if (!d)
1549                 return 0;
1550
1551         if (cr) {
1552                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1553                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1554                 else
1555                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1556
1557                 rfcomm_dlc_lock(d);
1558
1559                 d->remote_v24_sig = msc->v24_sig;
1560
1561                 if (d->modem_status)
1562                         d->modem_status(d, msc->v24_sig);
1563
1564                 rfcomm_dlc_unlock(d);
1565
1566                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1567
1568                 d->mscex |= RFCOMM_MSCEX_RX;
1569         } else
1570                 d->mscex |= RFCOMM_MSCEX_TX;
1571
1572         return 0;
1573 }
1574
1575 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1576 {
1577         struct rfcomm_mcc *mcc = (void *) skb->data;
1578         u8 type, cr, len;
1579
1580         cr   = __test_cr(mcc->type);
1581         type = __get_mcc_type(mcc->type);
1582         len  = __get_mcc_len(mcc->len);
1583
1584         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1585
1586         skb_pull(skb, 2);
1587
1588         switch (type) {
1589         case RFCOMM_PN:
1590                 rfcomm_recv_pn(s, cr, skb);
1591                 break;
1592
1593         case RFCOMM_RPN:
1594                 rfcomm_recv_rpn(s, cr, len, skb);
1595                 break;
1596
1597         case RFCOMM_RLS:
1598                 rfcomm_recv_rls(s, cr, skb);
1599                 break;
1600
1601         case RFCOMM_MSC:
1602                 rfcomm_recv_msc(s, cr, skb);
1603                 break;
1604
1605         case RFCOMM_FCOFF:
1606                 if (cr) {
1607                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1608                         rfcomm_send_fcoff(s, 0);
1609                 }
1610                 break;
1611
1612         case RFCOMM_FCON:
1613                 if (cr) {
1614                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1615                         rfcomm_send_fcon(s, 0);
1616                 }
1617                 break;
1618
1619         case RFCOMM_TEST:
1620                 if (cr)
1621                         rfcomm_send_test(s, 0, skb->data, skb->len);
1622                 break;
1623
1624         case RFCOMM_NSC:
1625                 break;
1626
1627         default:
1628                 BT_ERR("Unknown control type 0x%02x", type);
1629                 rfcomm_send_nsc(s, cr, type);
1630                 break;
1631         }
1632         return 0;
1633 }
1634
1635 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1636 {
1637         struct rfcomm_dlc *d;
1638
1639         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1640
1641         d = rfcomm_dlc_get(s, dlci);
1642         if (!d) {
1643                 rfcomm_send_dm(s, dlci);
1644                 goto drop;
1645         }
1646
1647         if (pf && d->cfc) {
1648                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1649
1650                 d->tx_credits += credits;
1651                 if (d->tx_credits)
1652                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1653         }
1654
1655         if (skb->len && d->state == BT_CONNECTED) {
1656                 rfcomm_dlc_lock(d);
1657                 d->rx_credits--;
1658                 d->data_ready(d, skb);
1659                 rfcomm_dlc_unlock(d);
1660                 return 0;
1661         }
1662
1663 drop:
1664         kfree_skb(skb);
1665         return 0;
1666 }
1667
1668 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1669 {
1670         struct rfcomm_hdr *hdr = (void *) skb->data;
1671         u8 type, dlci, fcs;
1672
1673         dlci = __get_dlci(hdr->addr);
1674         type = __get_type(hdr->ctrl);
1675
1676         /* Trim FCS */
1677         skb->len--; skb->tail--;
1678         fcs = *(u8 *)skb_tail_pointer(skb);
1679
1680         if (__check_fcs(skb->data, type, fcs)) {
1681                 BT_ERR("bad checksum in packet");
1682                 kfree_skb(skb);
1683                 return -EILSEQ;
1684         }
1685
1686         if (__test_ea(hdr->len))
1687                 skb_pull(skb, 3);
1688         else
1689                 skb_pull(skb, 4);
1690
1691         switch (type) {
1692         case RFCOMM_SABM:
1693                 if (__test_pf(hdr->ctrl))
1694                         rfcomm_recv_sabm(s, dlci);
1695                 break;
1696
1697         case RFCOMM_DISC:
1698                 if (__test_pf(hdr->ctrl))
1699                         rfcomm_recv_disc(s, dlci);
1700                 break;
1701
1702         case RFCOMM_UA:
1703                 if (__test_pf(hdr->ctrl))
1704                         rfcomm_recv_ua(s, dlci);
1705                 break;
1706
1707         case RFCOMM_DM:
1708                 rfcomm_recv_dm(s, dlci);
1709                 break;
1710
1711         case RFCOMM_UIH:
1712                 if (dlci)
1713                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1714
1715                 rfcomm_recv_mcc(s, skb);
1716                 break;
1717
1718         default:
1719                 BT_ERR("Unknown packet type 0x%02x", type);
1720                 break;
1721         }
1722         kfree_skb(skb);
1723         return 0;
1724 }
1725
1726 /* ---- Connection and data processing ---- */
1727
1728 static void rfcomm_process_connect(struct rfcomm_session *s)
1729 {
1730         struct rfcomm_dlc *d;
1731         struct list_head *p, *n;
1732
1733         BT_DBG("session %p state %ld", s, s->state);
1734
1735         list_for_each_safe(p, n, &s->dlcs) {
1736                 d = list_entry(p, struct rfcomm_dlc, list);
1737                 if (d->state == BT_CONFIG) {
1738                         d->mtu = s->mtu;
1739                         if (rfcomm_check_security(d)) {
1740                                 rfcomm_send_pn(s, 1, d);
1741                         } else {
1742                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1743                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1744                         }
1745                 }
1746         }
1747 }
1748
1749 /* Send data queued for the DLC.
1750  * Return number of frames left in the queue.
1751  */
1752 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1753 {
1754         struct sk_buff *skb;
1755         int err;
1756
1757         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1758                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1759
1760         /* Send pending MSC */
1761         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1762                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1763
1764         if (d->cfc) {
1765                 /* CFC enabled.
1766                  * Give them some credits */
1767                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1768                                 d->rx_credits <= (d->cfc >> 2)) {
1769                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1770                         d->rx_credits = d->cfc;
1771                 }
1772         } else {
1773                 /* CFC disabled.
1774                  * Give ourselves some credits */
1775                 d->tx_credits = 5;
1776         }
1777
1778         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1779                 return skb_queue_len(&d->tx_queue);
1780
1781         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1782                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1783                 if (err < 0) {
1784                         skb_queue_head(&d->tx_queue, skb);
1785                         break;
1786                 }
1787                 kfree_skb(skb);
1788                 d->tx_credits--;
1789         }
1790
1791         if (d->cfc && !d->tx_credits) {
1792                 /* We're out of TX credits.
1793                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1794                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1795         }
1796
1797         return skb_queue_len(&d->tx_queue);
1798 }
1799
1800 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1801 {
1802         struct rfcomm_dlc *d;
1803         struct list_head *p, *n;
1804
1805         BT_DBG("session %p state %ld", s, s->state);
1806
1807         list_for_each_safe(p, n, &s->dlcs) {
1808                 d = list_entry(p, struct rfcomm_dlc, list);
1809
1810                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1811                         __rfcomm_dlc_close(d, ETIMEDOUT);
1812                         continue;
1813                 }
1814
1815                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1816                         __rfcomm_dlc_close(d, ECONNREFUSED);
1817                         continue;
1818                 }
1819
1820                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1821                         rfcomm_dlc_clear_timer(d);
1822                         if (d->out) {
1823                                 rfcomm_send_pn(s, 1, d);
1824                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1825                         } else {
1826                                 if (d->defer_setup) {
1827                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1828                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1829
1830                                         rfcomm_dlc_lock(d);
1831                                         d->state = BT_CONNECT2;
1832                                         d->state_change(d, 0);
1833                                         rfcomm_dlc_unlock(d);
1834                                 } else
1835                                         rfcomm_dlc_accept(d);
1836                         }
1837                         continue;
1838                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1839                         rfcomm_dlc_clear_timer(d);
1840                         if (!d->out)
1841                                 rfcomm_send_dm(s, d->dlci);
1842                         else
1843                                 d->state = BT_CLOSED;
1844                         __rfcomm_dlc_close(d, ECONNREFUSED);
1845                         continue;
1846                 }
1847
1848                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1849                         continue;
1850
1851                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1852                         continue;
1853
1854                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1855                                                 d->mscex == RFCOMM_MSCEX_OK)
1856                         rfcomm_process_tx(d);
1857         }
1858 }
1859
1860 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1861 {
1862         struct socket *sock = s->sock;
1863         struct sock *sk = sock->sk;
1864         struct sk_buff *skb;
1865
1866         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1867
1868         /* Get data directly from socket receive queue without copying it. */
1869         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1870                 skb_orphan(skb);
1871                 if (!skb_linearize(skb))
1872                         rfcomm_recv_frame(s, skb);
1873                 else
1874                         kfree_skb(skb);
1875         }
1876
1877         if (sk->sk_state == BT_CLOSED) {
1878                 if (!s->initiator)
1879                         rfcomm_session_put(s);
1880
1881                 rfcomm_session_close(s, sk->sk_err);
1882         }
1883 }
1884
1885 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1886 {
1887         struct socket *sock = s->sock, *nsock;
1888         int err;
1889
1890         /* Fast check for a new connection.
1891          * Avoids unnesesary socket allocations. */
1892         if (list_empty(&bt_sk(sock->sk)->accept_q))
1893                 return;
1894
1895         BT_DBG("session %p", s);
1896
1897         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1898         if (err < 0)
1899                 return;
1900
1901         /* Set our callbacks */
1902         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1903         nsock->sk->sk_state_change = rfcomm_l2state_change;
1904
1905         s = rfcomm_session_add(nsock, BT_OPEN);
1906         if (s) {
1907                 rfcomm_session_hold(s);
1908
1909                 /* We should adjust MTU on incoming sessions.
1910                  * L2CAP MTU minus UIH header and FCS. */
1911                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1912                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1913
1914                 rfcomm_schedule();
1915         } else
1916                 sock_release(nsock);
1917 }
1918
1919 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1920 {
1921         struct sock *sk = s->sock->sk;
1922
1923         BT_DBG("%p state %ld", s, s->state);
1924
1925         switch (sk->sk_state) {
1926         case BT_CONNECTED:
1927                 s->state = BT_CONNECT;
1928
1929                 /* We can adjust MTU on outgoing sessions.
1930                  * L2CAP MTU minus UIH header and FCS. */
1931                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1932
1933                 rfcomm_send_sabm(s, 0);
1934                 break;
1935
1936         case BT_CLOSED:
1937                 s->state = BT_CLOSED;
1938                 rfcomm_session_close(s, sk->sk_err);
1939                 break;
1940         }
1941 }
1942
1943 static inline void rfcomm_process_sessions(void)
1944 {
1945         struct list_head *p, *n;
1946
1947         rfcomm_lock();
1948
1949         list_for_each_safe(p, n, &session_list) {
1950                 struct rfcomm_session *s;
1951                 s = list_entry(p, struct rfcomm_session, list);
1952
1953                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1954                         s->state = BT_DISCONN;
1955                         rfcomm_send_disc(s, 0);
1956                         rfcomm_session_put(s);
1957                         continue;
1958                 }
1959
1960                 if (s->state == BT_LISTEN) {
1961                         rfcomm_accept_connection(s);
1962                         continue;
1963                 }
1964
1965                 rfcomm_session_hold(s);
1966
1967                 switch (s->state) {
1968                 case BT_BOUND:
1969                         rfcomm_check_connection(s);
1970                         break;
1971
1972                 default:
1973                         rfcomm_process_rx(s);
1974                         break;
1975                 }
1976
1977                 rfcomm_process_dlcs(s);
1978
1979                 rfcomm_session_put(s);
1980         }
1981
1982         rfcomm_unlock();
1983 }
1984
1985 static int rfcomm_add_listener(bdaddr_t *ba)
1986 {
1987         struct sockaddr_l2 addr;
1988         struct socket *sock;
1989         struct sock *sk;
1990         struct rfcomm_session *s;
1991         int    err = 0;
1992
1993         /* Create socket */
1994         err = rfcomm_l2sock_create(&sock);
1995         if (err < 0) {
1996                 BT_ERR("Create socket failed %d", err);
1997                 return err;
1998         }
1999
2000         /* Bind socket */
2001         bacpy(&addr.l2_bdaddr, ba);
2002         addr.l2_family = AF_BLUETOOTH;
2003         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
2004         addr.l2_cid    = 0;
2005         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2006         if (err < 0) {
2007                 BT_ERR("Bind failed %d", err);
2008                 goto failed;
2009         }
2010
2011         /* Set L2CAP options */
2012         sk = sock->sk;
2013         lock_sock(sk);
2014         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2015         release_sock(sk);
2016
2017         /* Start listening on the socket */
2018         err = kernel_listen(sock, 10);
2019         if (err) {
2020                 BT_ERR("Listen failed %d", err);
2021                 goto failed;
2022         }
2023
2024         /* Add listening session */
2025         s = rfcomm_session_add(sock, BT_LISTEN);
2026         if (!s)
2027                 goto failed;
2028
2029         rfcomm_session_hold(s);
2030         return 0;
2031 failed:
2032         sock_release(sock);
2033         return err;
2034 }
2035
2036 static void rfcomm_kill_listener(void)
2037 {
2038         struct rfcomm_session *s;
2039         struct list_head *p, *n;
2040
2041         BT_DBG("");
2042
2043         list_for_each_safe(p, n, &session_list) {
2044                 s = list_entry(p, struct rfcomm_session, list);
2045                 rfcomm_session_del(s);
2046         }
2047 }
2048
2049 static int rfcomm_run(void *unused)
2050 {
2051         BT_DBG("");
2052
2053         set_user_nice(current, -10);
2054
2055         rfcomm_add_listener(BDADDR_ANY);
2056
2057         while (1) {
2058                 set_current_state(TASK_INTERRUPTIBLE);
2059
2060                 if (kthread_should_stop())
2061                         break;
2062
2063                 /* Process stuff */
2064                 rfcomm_process_sessions();
2065
2066                 schedule();
2067         }
2068         __set_current_state(TASK_RUNNING);
2069
2070         rfcomm_kill_listener();
2071
2072         return 0;
2073 }
2074
2075 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2076 {
2077         struct rfcomm_session *s;
2078         struct rfcomm_dlc *d;
2079         struct list_head *p, *n;
2080
2081         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2082
2083         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2084         if (!s)
2085                 return;
2086
2087         rfcomm_session_hold(s);
2088
2089         list_for_each_safe(p, n, &s->dlcs) {
2090                 d = list_entry(p, struct rfcomm_dlc, list);
2091
2092                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2093                         rfcomm_dlc_clear_timer(d);
2094                         if (status || encrypt == 0x00) {
2095                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2096                                 continue;
2097                         }
2098                 }
2099
2100                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2101                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2102                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2103                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2104                                 continue;
2105                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2106                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2107                                 continue;
2108                         }
2109                 }
2110
2111                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2112                         continue;
2113
2114                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2115                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2116                 else
2117                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2118         }
2119
2120         rfcomm_session_put(s);
2121
2122         rfcomm_schedule();
2123 }
2124
2125 static struct hci_cb rfcomm_cb = {
2126         .name           = "RFCOMM",
2127         .security_cfm   = rfcomm_security_cfm
2128 };
2129
2130 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2131 {
2132         struct rfcomm_session *s;
2133
2134         rfcomm_lock();
2135
2136         list_for_each_entry(s, &session_list, list) {
2137                 struct rfcomm_dlc *d;
2138                 list_for_each_entry(d, &s->dlcs, list) {
2139                         struct sock *sk = s->sock->sk;
2140
2141                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2142                                                 batostr(&bt_sk(sk)->src),
2143                                                 batostr(&bt_sk(sk)->dst),
2144                                                 d->state, d->dlci, d->mtu,
2145                                                 d->rx_credits, d->tx_credits);
2146                 }
2147         }
2148
2149         rfcomm_unlock();
2150
2151         return 0;
2152 }
2153
2154 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2155 {
2156         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2157 }
2158
2159 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2160         .open           = rfcomm_dlc_debugfs_open,
2161         .read           = seq_read,
2162         .llseek         = seq_lseek,
2163         .release        = single_release,
2164 };
2165
2166 static struct dentry *rfcomm_dlc_debugfs;
2167
2168 /* ---- Initialization ---- */
2169 static int __init rfcomm_init(void)
2170 {
2171         int err;
2172
2173         hci_register_cb(&rfcomm_cb);
2174
2175         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2176         if (IS_ERR(rfcomm_thread)) {
2177                 err = PTR_ERR(rfcomm_thread);
2178                 goto unregister;
2179         }
2180
2181         if (bt_debugfs) {
2182                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2183                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2184                 if (!rfcomm_dlc_debugfs)
2185                         BT_ERR("Failed to create RFCOMM debug file");
2186         }
2187
2188         err = rfcomm_init_ttys();
2189         if (err < 0)
2190                 goto stop;
2191
2192         err = rfcomm_init_sockets();
2193         if (err < 0)
2194                 goto cleanup;
2195
2196         BT_INFO("RFCOMM ver %s", VERSION);
2197
2198         return 0;
2199
2200 cleanup:
2201         rfcomm_cleanup_ttys();
2202
2203 stop:
2204         kthread_stop(rfcomm_thread);
2205
2206 unregister:
2207         hci_unregister_cb(&rfcomm_cb);
2208
2209         return err;
2210 }
2211
2212 static void __exit rfcomm_exit(void)
2213 {
2214         debugfs_remove(rfcomm_dlc_debugfs);
2215
2216         hci_unregister_cb(&rfcomm_cb);
2217
2218         kthread_stop(rfcomm_thread);
2219
2220         rfcomm_cleanup_ttys();
2221
2222         rfcomm_cleanup_sockets();
2223 }
2224
2225 module_init(rfcomm_init);
2226 module_exit(rfcomm_exit);
2227
2228 module_param(disable_cfc, bool, 0644);
2229 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2230
2231 module_param(channel_mtu, int, 0644);
2232 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2233
2234 module_param(l2cap_mtu, uint, 0644);
2235 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2236
2237 module_param(l2cap_ertm, bool, 0644);
2238 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2239
2240 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2241 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2242 MODULE_VERSION(VERSION);
2243 MODULE_LICENSE("GPL");
2244 MODULE_ALIAS("bt-proto-3");