1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * Bluetooth RFCOMM core.
26 */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/debugfs.h>
37 #include <linux/seq_file.h>
38 #include <linux/net.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41 #include <linux/slab.h>
42
43 #include <net/sock.h>
44 #include <linux/uaccess.h>
45 #include <asm/unaligned.h>
46
47 #include <net/bluetooth/bluetooth.h>
48 #include <net/bluetooth/hci_core.h>
49 #include <net/bluetooth/l2cap.h>
50 #include <net/bluetooth/rfcomm.h>
51
52 #define VERSION "1.11"
53
54 static bool disable_cfc;
55 static bool l2cap_ertm;
56 static int channel_mtu = -1;
57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58
59 static struct task_struct *rfcomm_thread;
60
61 static DEFINE_MUTEX(rfcomm_mutex);
62 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64
65
66 static LIST_HEAD(session_list);
67
68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78
79 static void rfcomm_process_connect(struct rfcomm_session *s);
80
81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
82 bdaddr_t *dst,
83 u8 sec_level,
84 int *err);
85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
86 static void rfcomm_session_del(struct rfcomm_session *s);
87
88 /* ---- RFCOMM frame parsing macros ---- */
89 #define __get_dlci(b) ((b & 0xfc) >> 2)
90 #define __get_channel(b) ((b & 0xf8) >> 3)
91 #define __get_dir(b) ((b & 0x04) >> 2)
92 #define __get_type(b) ((b & 0xef))
93
94 #define __test_ea(b) ((b & 0x01))
95 #define __test_cr(b) ((b & 0x02))
96 #define __test_pf(b) ((b & 0x10))
97
98 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
99 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
100 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
101 #define __srv_channel(dlci) (dlci >> 1)
102 #define __dir(dlci) (dlci & 0x01)
103
104 #define __len8(len) (((len) << 1) | 1)
105 #define __len16(len) ((len) << 1)
106
107 /* MCC macros */
108 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
110 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
111
112 /* RPN macros */
113 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
114 #define __get_rpn_data_bits(line) ((line) & 0x3)
115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
116 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
117
rfcomm_schedule(void)118 static inline void rfcomm_schedule(void)
119 {
120 if (!rfcomm_thread)
121 return;
122 wake_up_process(rfcomm_thread);
123 }
124
rfcomm_session_put(struct rfcomm_session * s)125 static inline void rfcomm_session_put(struct rfcomm_session *s)
126 {
127 if (atomic_dec_and_test(&s->refcnt))
128 rfcomm_session_del(s);
129 }
130
131 /* ---- RFCOMM FCS computation ---- */
132
133 /* reversed, 8-bit, poly=0x07 */
134 static unsigned char rfcomm_crc_table[256] = {
135 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
136 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
137 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
138 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
139
140 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
141 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
142 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
143 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
144
145 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
146 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
147 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
148 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
149
150 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
151 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
152 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
153 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
154
155 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
156 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
157 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
158 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
159
160 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
161 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
162 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
163 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
164
165 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
166 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
167 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
168 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
169
170 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
171 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
172 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
173 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
174 };
175
176 /* CRC on 2 bytes */
177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
178
179 /* FCS on 2 bytes */
__fcs(u8 * data)180 static inline u8 __fcs(u8 *data)
181 {
182 return 0xff - __crc(data);
183 }
184
185 /* FCS on 3 bytes */
__fcs2(u8 * data)186 static inline u8 __fcs2(u8 *data)
187 {
188 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
189 }
190
191 /* Check FCS */
__check_fcs(u8 * data,int type,u8 fcs)192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
193 {
194 u8 f = __crc(data);
195
196 if (type != RFCOMM_UIH)
197 f = rfcomm_crc_table[f ^ data[2]];
198
199 return rfcomm_crc_table[f ^ fcs] != 0xcf;
200 }
201
202 /* ---- L2CAP callbacks ---- */
rfcomm_l2state_change(struct sock * sk)203 static void rfcomm_l2state_change(struct sock *sk)
204 {
205 BT_DBG("%p state %d", sk, sk->sk_state);
206 rfcomm_schedule();
207 }
208
rfcomm_l2data_ready(struct sock * sk,int bytes)209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
210 {
211 BT_DBG("%p bytes %d", sk, bytes);
212 rfcomm_schedule();
213 }
214
rfcomm_l2sock_create(struct socket ** sock)215 static int rfcomm_l2sock_create(struct socket **sock)
216 {
217 int err;
218
219 BT_DBG("");
220
221 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
222 if (!err) {
223 struct sock *sk = (*sock)->sk;
224 sk->sk_data_ready = rfcomm_l2data_ready;
225 sk->sk_state_change = rfcomm_l2state_change;
226 }
227 return err;
228 }
229
rfcomm_check_security(struct rfcomm_dlc * d)230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
231 {
232 struct sock *sk = d->session->sock->sk;
233 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
234
235 __u8 auth_type;
236
237 switch (d->sec_level) {
238 case BT_SECURITY_HIGH:
239 auth_type = HCI_AT_GENERAL_BONDING_MITM;
240 break;
241 case BT_SECURITY_MEDIUM:
242 auth_type = HCI_AT_GENERAL_BONDING;
243 break;
244 default:
245 auth_type = HCI_AT_NO_BONDING;
246 break;
247 }
248
249 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250 }
251
rfcomm_session_timeout(unsigned long arg)252 static void rfcomm_session_timeout(unsigned long arg)
253 {
254 struct rfcomm_session *s = (void *) arg;
255
256 BT_DBG("session %p state %ld", s, s->state);
257
258 set_bit(RFCOMM_TIMED_OUT, &s->flags);
259 rfcomm_schedule();
260 }
261
rfcomm_session_set_timer(struct rfcomm_session * s,long timeout)262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
263 {
264 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
265
266 if (!mod_timer(&s->timer, jiffies + timeout))
267 rfcomm_session_hold(s);
268 }
269
rfcomm_session_clear_timer(struct rfcomm_session * s)270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
271 {
272 BT_DBG("session %p state %ld", s, s->state);
273
274 if (timer_pending(&s->timer) && del_timer(&s->timer))
275 rfcomm_session_put(s);
276 }
277
278 /* ---- RFCOMM DLCs ---- */
rfcomm_dlc_timeout(unsigned long arg)279 static void rfcomm_dlc_timeout(unsigned long arg)
280 {
281 struct rfcomm_dlc *d = (void *) arg;
282
283 BT_DBG("dlc %p state %ld", d, d->state);
284
285 set_bit(RFCOMM_TIMED_OUT, &d->flags);
286 rfcomm_dlc_put(d);
287 rfcomm_schedule();
288 }
289
rfcomm_dlc_set_timer(struct rfcomm_dlc * d,long timeout)290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
291 {
292 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
293
294 if (!mod_timer(&d->timer, jiffies + timeout))
295 rfcomm_dlc_hold(d);
296 }
297
rfcomm_dlc_clear_timer(struct rfcomm_dlc * d)298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
299 {
300 BT_DBG("dlc %p state %ld", d, d->state);
301
302 if (timer_pending(&d->timer) && del_timer(&d->timer))
303 rfcomm_dlc_put(d);
304 }
305
rfcomm_dlc_clear_state(struct rfcomm_dlc * d)306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
307 {
308 BT_DBG("%p", d);
309
310 d->state = BT_OPEN;
311 d->flags = 0;
312 d->mscex = 0;
313 d->sec_level = BT_SECURITY_LOW;
314 d->mtu = RFCOMM_DEFAULT_MTU;
315 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
316
317 d->cfc = RFCOMM_CFC_DISABLED;
318 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
319 }
320
rfcomm_dlc_alloc(gfp_t prio)321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
322 {
323 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
324
325 if (!d)
326 return NULL;
327
328 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
329
330 skb_queue_head_init(&d->tx_queue);
331 spin_lock_init(&d->lock);
332 atomic_set(&d->refcnt, 1);
333
334 rfcomm_dlc_clear_state(d);
335
336 BT_DBG("%p", d);
337
338 return d;
339 }
340
rfcomm_dlc_free(struct rfcomm_dlc * d)341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
342 {
343 BT_DBG("%p", d);
344
345 skb_queue_purge(&d->tx_queue);
346 kfree(d);
347 }
348
rfcomm_dlc_link(struct rfcomm_session * s,struct rfcomm_dlc * d)349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
350 {
351 BT_DBG("dlc %p session %p", d, s);
352
353 rfcomm_session_hold(s);
354
355 rfcomm_session_clear_timer(s);
356 rfcomm_dlc_hold(d);
357 list_add(&d->list, &s->dlcs);
358 d->session = s;
359 }
360
rfcomm_dlc_unlink(struct rfcomm_dlc * d)361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
362 {
363 struct rfcomm_session *s = d->session;
364
365 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
366
367 list_del(&d->list);
368 d->session = NULL;
369 rfcomm_dlc_put(d);
370
371 if (list_empty(&s->dlcs))
372 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
373
374 rfcomm_session_put(s);
375 }
376
rfcomm_dlc_get(struct rfcomm_session * s,u8 dlci)377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
378 {
379 struct rfcomm_dlc *d;
380
381 list_for_each_entry(d, &s->dlcs, list)
382 if (d->dlci == dlci)
383 return d;
384
385 return NULL;
386 }
387
__rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)388 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
389 {
390 struct rfcomm_session *s;
391 int err = 0;
392 u8 dlci;
393
394 BT_DBG("dlc %p state %ld %s %s channel %d",
395 d, d->state, batostr(src), batostr(dst), channel);
396
397 if (channel < 1 || channel > 30)
398 return -EINVAL;
399
400 if (d->state != BT_OPEN && d->state != BT_CLOSED)
401 return 0;
402
403 s = rfcomm_session_get(src, dst);
404 if (!s) {
405 s = rfcomm_session_create(src, dst, d->sec_level, &err);
406 if (!s)
407 return err;
408 }
409
410 dlci = __dlci(!s->initiator, channel);
411
412 /* Check if DLCI already exists */
413 if (rfcomm_dlc_get(s, dlci))
414 return -EBUSY;
415
416 rfcomm_dlc_clear_state(d);
417
418 d->dlci = dlci;
419 d->addr = __addr(s->initiator, dlci);
420 d->priority = 7;
421
422 d->state = BT_CONFIG;
423 rfcomm_dlc_link(s, d);
424
425 d->out = 1;
426
427 d->mtu = s->mtu;
428 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
429
430 if (s->state == BT_CONNECTED) {
431 if (rfcomm_check_security(d))
432 rfcomm_send_pn(s, 1, d);
433 else
434 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
435 }
436
437 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
438
439 return 0;
440 }
441
rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)442 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
443 {
444 int r;
445
446 rfcomm_lock();
447
448 r = __rfcomm_dlc_open(d, src, dst, channel);
449
450 rfcomm_unlock();
451 return r;
452 }
453
__rfcomm_dlc_close(struct rfcomm_dlc * d,int err)454 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
455 {
456 struct rfcomm_session *s = d->session;
457 if (!s)
458 return 0;
459
460 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
461 d, d->state, d->dlci, err, s);
462
463 switch (d->state) {
464 case BT_CONNECT:
465 case BT_CONFIG:
466 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
467 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
468 rfcomm_schedule();
469 break;
470 }
471 /* Fall through */
472
473 case BT_CONNECTED:
474 d->state = BT_DISCONN;
475 if (skb_queue_empty(&d->tx_queue)) {
476 rfcomm_send_disc(s, d->dlci);
477 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
478 } else {
479 rfcomm_queue_disc(d);
480 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
481 }
482 break;
483
484 case BT_OPEN:
485 case BT_CONNECT2:
486 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
487 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
488 rfcomm_schedule();
489 break;
490 }
491 /* Fall through */
492
493 default:
494 rfcomm_dlc_clear_timer(d);
495
496 rfcomm_dlc_lock(d);
497 d->state = BT_CLOSED;
498 d->state_change(d, err);
499 rfcomm_dlc_unlock(d);
500
501 skb_queue_purge(&d->tx_queue);
502 rfcomm_dlc_unlink(d);
503 }
504
505 return 0;
506 }
507
rfcomm_dlc_close(struct rfcomm_dlc * d,int err)508 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
509 {
510 int r;
511
512 rfcomm_lock();
513
514 r = __rfcomm_dlc_close(d, err);
515
516 rfcomm_unlock();
517 return r;
518 }
519
rfcomm_dlc_send(struct rfcomm_dlc * d,struct sk_buff * skb)520 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
521 {
522 int len = skb->len;
523
524 if (d->state != BT_CONNECTED)
525 return -ENOTCONN;
526
527 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
528
529 if (len > d->mtu)
530 return -EINVAL;
531
532 rfcomm_make_uih(skb, d->addr);
533 skb_queue_tail(&d->tx_queue, skb);
534
535 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
536 rfcomm_schedule();
537 return len;
538 }
539
__rfcomm_dlc_throttle(struct rfcomm_dlc * d)540 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
541 {
542 BT_DBG("dlc %p state %ld", d, d->state);
543
544 if (!d->cfc) {
545 d->v24_sig |= RFCOMM_V24_FC;
546 set_bit(RFCOMM_MSC_PENDING, &d->flags);
547 }
548 rfcomm_schedule();
549 }
550
__rfcomm_dlc_unthrottle(struct rfcomm_dlc * d)551 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
552 {
553 BT_DBG("dlc %p state %ld", d, d->state);
554
555 if (!d->cfc) {
556 d->v24_sig &= ~RFCOMM_V24_FC;
557 set_bit(RFCOMM_MSC_PENDING, &d->flags);
558 }
559 rfcomm_schedule();
560 }
561
562 /*
563 Set/get modem status functions use _local_ status i.e. what we report
564 to the other side.
565 Remote status is provided by dlc->modem_status() callback.
566 */
rfcomm_dlc_set_modem_status(struct rfcomm_dlc * d,u8 v24_sig)567 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
568 {
569 BT_DBG("dlc %p state %ld v24_sig 0x%x",
570 d, d->state, v24_sig);
571
572 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
573 v24_sig |= RFCOMM_V24_FC;
574 else
575 v24_sig &= ~RFCOMM_V24_FC;
576
577 d->v24_sig = v24_sig;
578
579 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
580 rfcomm_schedule();
581
582 return 0;
583 }
584
rfcomm_dlc_get_modem_status(struct rfcomm_dlc * d,u8 * v24_sig)585 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
586 {
587 BT_DBG("dlc %p state %ld v24_sig 0x%x",
588 d, d->state, d->v24_sig);
589
590 *v24_sig = d->v24_sig;
591 return 0;
592 }
593
594 /* ---- RFCOMM sessions ---- */
rfcomm_session_add(struct socket * sock,int state)595 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
596 {
597 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
598
599 if (!s)
600 return NULL;
601
602 BT_DBG("session %p sock %p", s, sock);
603
604 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
605
606 INIT_LIST_HEAD(&s->dlcs);
607 s->state = state;
608 s->sock = sock;
609
610 s->mtu = RFCOMM_DEFAULT_MTU;
611 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
612
613 /* Do not increment module usage count for listening sessions.
614 * Otherwise we won't be able to unload the module. */
615 if (state != BT_LISTEN)
616 if (!try_module_get(THIS_MODULE)) {
617 kfree(s);
618 return NULL;
619 }
620
621 list_add(&s->list, &session_list);
622
623 return s;
624 }
625
rfcomm_session_del(struct rfcomm_session * s)626 static void rfcomm_session_del(struct rfcomm_session *s)
627 {
628 int state = s->state;
629
630 BT_DBG("session %p state %ld", s, s->state);
631
632 list_del(&s->list);
633
634 if (state == BT_CONNECTED)
635 rfcomm_send_disc(s, 0);
636
637 rfcomm_session_clear_timer(s);
638 sock_release(s->sock);
639 kfree(s);
640
641 if (state != BT_LISTEN)
642 module_put(THIS_MODULE);
643 }
644
rfcomm_session_get(bdaddr_t * src,bdaddr_t * dst)645 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
646 {
647 struct rfcomm_session *s;
648 struct list_head *p, *n;
649 struct bt_sock *sk;
650 list_for_each_safe(p, n, &session_list) {
651 s = list_entry(p, struct rfcomm_session, list);
652 sk = bt_sk(s->sock->sk);
653
654 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
655 !bacmp(&sk->dst, dst))
656 return s;
657 }
658 return NULL;
659 }
660
rfcomm_session_close(struct rfcomm_session * s,int err)661 static void rfcomm_session_close(struct rfcomm_session *s, int err)
662 {
663 struct rfcomm_dlc *d;
664 struct list_head *p, *n;
665
666 BT_DBG("session %p state %ld err %d", s, s->state, err);
667
668 rfcomm_session_hold(s);
669
670 s->state = BT_CLOSED;
671
672 /* Close all dlcs */
673 list_for_each_safe(p, n, &s->dlcs) {
674 d = list_entry(p, struct rfcomm_dlc, list);
675 d->state = BT_CLOSED;
676 __rfcomm_dlc_close(d, err);
677 }
678
679 rfcomm_session_clear_timer(s);
680 rfcomm_session_put(s);
681 }
682
rfcomm_session_create(bdaddr_t * src,bdaddr_t * dst,u8 sec_level,int * err)683 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
684 bdaddr_t *dst,
685 u8 sec_level,
686 int *err)
687 {
688 struct rfcomm_session *s = NULL;
689 struct sockaddr_l2 addr;
690 struct socket *sock;
691 struct sock *sk;
692
693 BT_DBG("%s %s", batostr(src), batostr(dst));
694
695 *err = rfcomm_l2sock_create(&sock);
696 if (*err < 0)
697 return NULL;
698
699 bacpy(&addr.l2_bdaddr, src);
700 addr.l2_family = AF_BLUETOOTH;
701 addr.l2_psm = 0;
702 addr.l2_cid = 0;
703 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
704 if (*err < 0)
705 goto failed;
706
707 /* Set L2CAP options */
708 sk = sock->sk;
709 lock_sock(sk);
710 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
711 l2cap_pi(sk)->chan->sec_level = sec_level;
712 if (l2cap_ertm)
713 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
714 release_sock(sk);
715
716 s = rfcomm_session_add(sock, BT_BOUND);
717 if (!s) {
718 *err = -ENOMEM;
719 goto failed;
720 }
721
722 s->initiator = 1;
723
724 bacpy(&addr.l2_bdaddr, dst);
725 addr.l2_family = AF_BLUETOOTH;
726 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
727 addr.l2_cid = 0;
728 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
729 if (*err == 0 || *err == -EINPROGRESS)
730 return s;
731
732 rfcomm_session_del(s);
733 return NULL;
734
735 failed:
736 sock_release(sock);
737 return NULL;
738 }
739
rfcomm_session_getaddr(struct rfcomm_session * s,bdaddr_t * src,bdaddr_t * dst)740 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
741 {
742 struct sock *sk = s->sock->sk;
743 if (src)
744 bacpy(src, &bt_sk(sk)->src);
745 if (dst)
746 bacpy(dst, &bt_sk(sk)->dst);
747 }
748
749 /* ---- RFCOMM frame sending ---- */
rfcomm_send_frame(struct rfcomm_session * s,u8 * data,int len)750 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
751 {
752 struct kvec iv = { data, len };
753 struct msghdr msg;
754
755 BT_DBG("session %p len %d", s, len);
756
757 memset(&msg, 0, sizeof(msg));
758
759 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
760 }
761
rfcomm_send_cmd(struct rfcomm_session * s,struct rfcomm_cmd * cmd)762 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
763 {
764 BT_DBG("%p cmd %u", s, cmd->ctrl);
765
766 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
767 }
768
rfcomm_send_sabm(struct rfcomm_session * s,u8 dlci)769 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
770 {
771 struct rfcomm_cmd cmd;
772
773 BT_DBG("%p dlci %d", s, dlci);
774
775 cmd.addr = __addr(s->initiator, dlci);
776 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
777 cmd.len = __len8(0);
778 cmd.fcs = __fcs2((u8 *) &cmd);
779
780 return rfcomm_send_cmd(s, &cmd);
781 }
782
rfcomm_send_ua(struct rfcomm_session * s,u8 dlci)783 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
784 {
785 struct rfcomm_cmd cmd;
786
787 BT_DBG("%p dlci %d", s, dlci);
788
789 cmd.addr = __addr(!s->initiator, dlci);
790 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
791 cmd.len = __len8(0);
792 cmd.fcs = __fcs2((u8 *) &cmd);
793
794 return rfcomm_send_cmd(s, &cmd);
795 }
796
rfcomm_send_disc(struct rfcomm_session * s,u8 dlci)797 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
798 {
799 struct rfcomm_cmd cmd;
800
801 BT_DBG("%p dlci %d", s, dlci);
802
803 cmd.addr = __addr(s->initiator, dlci);
804 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
805 cmd.len = __len8(0);
806 cmd.fcs = __fcs2((u8 *) &cmd);
807
808 return rfcomm_send_cmd(s, &cmd);
809 }
810
rfcomm_queue_disc(struct rfcomm_dlc * d)811 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
812 {
813 struct rfcomm_cmd *cmd;
814 struct sk_buff *skb;
815
816 BT_DBG("dlc %p dlci %d", d, d->dlci);
817
818 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
819 if (!skb)
820 return -ENOMEM;
821
822 cmd = (void *) __skb_put(skb, sizeof(*cmd));
823 cmd->addr = d->addr;
824 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
825 cmd->len = __len8(0);
826 cmd->fcs = __fcs2((u8 *) cmd);
827
828 skb_queue_tail(&d->tx_queue, skb);
829 rfcomm_schedule();
830 return 0;
831 }
832
rfcomm_send_dm(struct rfcomm_session * s,u8 dlci)833 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
834 {
835 struct rfcomm_cmd cmd;
836
837 BT_DBG("%p dlci %d", s, dlci);
838
839 cmd.addr = __addr(!s->initiator, dlci);
840 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
841 cmd.len = __len8(0);
842 cmd.fcs = __fcs2((u8 *) &cmd);
843
844 return rfcomm_send_cmd(s, &cmd);
845 }
846
rfcomm_send_nsc(struct rfcomm_session * s,int cr,u8 type)847 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
848 {
849 struct rfcomm_hdr *hdr;
850 struct rfcomm_mcc *mcc;
851 u8 buf[16], *ptr = buf;
852
853 BT_DBG("%p cr %d type %d", s, cr, type);
854
855 hdr = (void *) ptr; ptr += sizeof(*hdr);
856 hdr->addr = __addr(s->initiator, 0);
857 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
858 hdr->len = __len8(sizeof(*mcc) + 1);
859
860 mcc = (void *) ptr; ptr += sizeof(*mcc);
861 mcc->type = __mcc_type(cr, RFCOMM_NSC);
862 mcc->len = __len8(1);
863
864 /* Type that we didn't like */
865 *ptr = __mcc_type(cr, type); ptr++;
866
867 *ptr = __fcs(buf); ptr++;
868
869 return rfcomm_send_frame(s, buf, ptr - buf);
870 }
871
rfcomm_send_pn(struct rfcomm_session * s,int cr,struct rfcomm_dlc * d)872 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
873 {
874 struct rfcomm_hdr *hdr;
875 struct rfcomm_mcc *mcc;
876 struct rfcomm_pn *pn;
877 u8 buf[16], *ptr = buf;
878
879 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
880
881 hdr = (void *) ptr; ptr += sizeof(*hdr);
882 hdr->addr = __addr(s->initiator, 0);
883 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
884 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
885
886 mcc = (void *) ptr; ptr += sizeof(*mcc);
887 mcc->type = __mcc_type(cr, RFCOMM_PN);
888 mcc->len = __len8(sizeof(*pn));
889
890 pn = (void *) ptr; ptr += sizeof(*pn);
891 pn->dlci = d->dlci;
892 pn->priority = d->priority;
893 pn->ack_timer = 0;
894 pn->max_retrans = 0;
895
896 if (s->cfc) {
897 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
898 pn->credits = RFCOMM_DEFAULT_CREDITS;
899 } else {
900 pn->flow_ctrl = 0;
901 pn->credits = 0;
902 }
903
904 if (cr && channel_mtu >= 0)
905 pn->mtu = cpu_to_le16(channel_mtu);
906 else
907 pn->mtu = cpu_to_le16(d->mtu);
908
909 *ptr = __fcs(buf); ptr++;
910
911 return rfcomm_send_frame(s, buf, ptr - buf);
912 }
913
rfcomm_send_rpn(struct rfcomm_session * s,int cr,u8 dlci,u8 bit_rate,u8 data_bits,u8 stop_bits,u8 parity,u8 flow_ctrl_settings,u8 xon_char,u8 xoff_char,u16 param_mask)914 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
915 u8 bit_rate, u8 data_bits, u8 stop_bits,
916 u8 parity, u8 flow_ctrl_settings,
917 u8 xon_char, u8 xoff_char, u16 param_mask)
918 {
919 struct rfcomm_hdr *hdr;
920 struct rfcomm_mcc *mcc;
921 struct rfcomm_rpn *rpn;
922 u8 buf[16], *ptr = buf;
923
924 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
925 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
926 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
927 flow_ctrl_settings, xon_char, xoff_char, param_mask);
928
929 hdr = (void *) ptr; ptr += sizeof(*hdr);
930 hdr->addr = __addr(s->initiator, 0);
931 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
932 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
933
934 mcc = (void *) ptr; ptr += sizeof(*mcc);
935 mcc->type = __mcc_type(cr, RFCOMM_RPN);
936 mcc->len = __len8(sizeof(*rpn));
937
938 rpn = (void *) ptr; ptr += sizeof(*rpn);
939 rpn->dlci = __addr(1, dlci);
940 rpn->bit_rate = bit_rate;
941 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
942 rpn->flow_ctrl = flow_ctrl_settings;
943 rpn->xon_char = xon_char;
944 rpn->xoff_char = xoff_char;
945 rpn->param_mask = cpu_to_le16(param_mask);
946
947 *ptr = __fcs(buf); ptr++;
948
949 return rfcomm_send_frame(s, buf, ptr - buf);
950 }
951
rfcomm_send_rls(struct rfcomm_session * s,int cr,u8 dlci,u8 status)952 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
953 {
954 struct rfcomm_hdr *hdr;
955 struct rfcomm_mcc *mcc;
956 struct rfcomm_rls *rls;
957 u8 buf[16], *ptr = buf;
958
959 BT_DBG("%p cr %d status 0x%x", s, cr, status);
960
961 hdr = (void *) ptr; ptr += sizeof(*hdr);
962 hdr->addr = __addr(s->initiator, 0);
963 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
964 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
965
966 mcc = (void *) ptr; ptr += sizeof(*mcc);
967 mcc->type = __mcc_type(cr, RFCOMM_RLS);
968 mcc->len = __len8(sizeof(*rls));
969
970 rls = (void *) ptr; ptr += sizeof(*rls);
971 rls->dlci = __addr(1, dlci);
972 rls->status = status;
973
974 *ptr = __fcs(buf); ptr++;
975
976 return rfcomm_send_frame(s, buf, ptr - buf);
977 }
978
rfcomm_send_msc(struct rfcomm_session * s,int cr,u8 dlci,u8 v24_sig)979 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
980 {
981 struct rfcomm_hdr *hdr;
982 struct rfcomm_mcc *mcc;
983 struct rfcomm_msc *msc;
984 u8 buf[16], *ptr = buf;
985
986 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
987
988 hdr = (void *) ptr; ptr += sizeof(*hdr);
989 hdr->addr = __addr(s->initiator, 0);
990 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
991 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
992
993 mcc = (void *) ptr; ptr += sizeof(*mcc);
994 mcc->type = __mcc_type(cr, RFCOMM_MSC);
995 mcc->len = __len8(sizeof(*msc));
996
997 msc = (void *) ptr; ptr += sizeof(*msc);
998 msc->dlci = __addr(1, dlci);
999 msc->v24_sig = v24_sig | 0x01;
1000
1001 *ptr = __fcs(buf); ptr++;
1002
1003 return rfcomm_send_frame(s, buf, ptr - buf);
1004 }
1005
rfcomm_send_fcoff(struct rfcomm_session * s,int cr)1006 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1007 {
1008 struct rfcomm_hdr *hdr;
1009 struct rfcomm_mcc *mcc;
1010 u8 buf[16], *ptr = buf;
1011
1012 BT_DBG("%p cr %d", s, cr);
1013
1014 hdr = (void *) ptr; ptr += sizeof(*hdr);
1015 hdr->addr = __addr(s->initiator, 0);
1016 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1017 hdr->len = __len8(sizeof(*mcc));
1018
1019 mcc = (void *) ptr; ptr += sizeof(*mcc);
1020 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1021 mcc->len = __len8(0);
1022
1023 *ptr = __fcs(buf); ptr++;
1024
1025 return rfcomm_send_frame(s, buf, ptr - buf);
1026 }
1027
rfcomm_send_fcon(struct rfcomm_session * s,int cr)1028 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1029 {
1030 struct rfcomm_hdr *hdr;
1031 struct rfcomm_mcc *mcc;
1032 u8 buf[16], *ptr = buf;
1033
1034 BT_DBG("%p cr %d", s, cr);
1035
1036 hdr = (void *) ptr; ptr += sizeof(*hdr);
1037 hdr->addr = __addr(s->initiator, 0);
1038 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1039 hdr->len = __len8(sizeof(*mcc));
1040
1041 mcc = (void *) ptr; ptr += sizeof(*mcc);
1042 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1043 mcc->len = __len8(0);
1044
1045 *ptr = __fcs(buf); ptr++;
1046
1047 return rfcomm_send_frame(s, buf, ptr - buf);
1048 }
1049
rfcomm_send_test(struct rfcomm_session * s,int cr,u8 * pattern,int len)1050 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1051 {
1052 struct socket *sock = s->sock;
1053 struct kvec iv[3];
1054 struct msghdr msg;
1055 unsigned char hdr[5], crc[1];
1056
1057 if (len > 125)
1058 return -EINVAL;
1059
1060 BT_DBG("%p cr %d", s, cr);
1061
1062 hdr[0] = __addr(s->initiator, 0);
1063 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1064 hdr[2] = 0x01 | ((len + 2) << 1);
1065 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1066 hdr[4] = 0x01 | (len << 1);
1067
1068 crc[0] = __fcs(hdr);
1069
1070 iv[0].iov_base = hdr;
1071 iv[0].iov_len = 5;
1072 iv[1].iov_base = pattern;
1073 iv[1].iov_len = len;
1074 iv[2].iov_base = crc;
1075 iv[2].iov_len = 1;
1076
1077 memset(&msg, 0, sizeof(msg));
1078
1079 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1080 }
1081
rfcomm_send_credits(struct rfcomm_session * s,u8 addr,u8 credits)1082 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1083 {
1084 struct rfcomm_hdr *hdr;
1085 u8 buf[16], *ptr = buf;
1086
1087 BT_DBG("%p addr %d credits %d", s, addr, credits);
1088
1089 hdr = (void *) ptr; ptr += sizeof(*hdr);
1090 hdr->addr = addr;
1091 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1092 hdr->len = __len8(0);
1093
1094 *ptr = credits; ptr++;
1095
1096 *ptr = __fcs(buf); ptr++;
1097
1098 return rfcomm_send_frame(s, buf, ptr - buf);
1099 }
1100
rfcomm_make_uih(struct sk_buff * skb,u8 addr)1101 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1102 {
1103 struct rfcomm_hdr *hdr;
1104 int len = skb->len;
1105 u8 *crc;
1106
1107 if (len > 127) {
1108 hdr = (void *) skb_push(skb, 4);
1109 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1110 } else {
1111 hdr = (void *) skb_push(skb, 3);
1112 hdr->len = __len8(len);
1113 }
1114 hdr->addr = addr;
1115 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1116
1117 crc = skb_put(skb, 1);
1118 *crc = __fcs((void *) hdr);
1119 }
1120
1121 /* ---- RFCOMM frame reception ---- */
rfcomm_recv_ua(struct rfcomm_session * s,u8 dlci)1122 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1123 {
1124 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1125
1126 if (dlci) {
1127 /* Data channel */
1128 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1129 if (!d) {
1130 rfcomm_send_dm(s, dlci);
1131 return 0;
1132 }
1133
1134 switch (d->state) {
1135 case BT_CONNECT:
1136 rfcomm_dlc_clear_timer(d);
1137
1138 rfcomm_dlc_lock(d);
1139 d->state = BT_CONNECTED;
1140 d->state_change(d, 0);
1141 rfcomm_dlc_unlock(d);
1142
1143 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1144 break;
1145
1146 case BT_DISCONN:
1147 d->state = BT_CLOSED;
1148 __rfcomm_dlc_close(d, 0);
1149
1150 if (list_empty(&s->dlcs)) {
1151 s->state = BT_DISCONN;
1152 rfcomm_send_disc(s, 0);
1153 rfcomm_session_clear_timer(s);
1154 }
1155
1156 break;
1157 }
1158 } else {
1159 /* Control channel */
1160 switch (s->state) {
1161 case BT_CONNECT:
1162 s->state = BT_CONNECTED;
1163 rfcomm_process_connect(s);
1164 break;
1165
1166 case BT_DISCONN:
1167 /* rfcomm_session_put is called later so don't do
1168 * anything here otherwise we will mess up the session
1169 * reference counter:
1170 *
1171 * (a) when we are the initiator dlc_unlink will drive
1172 * the reference counter to 0 (there is no initial put
1173 * after session_add)
1174 *
1175 * (b) when we are not the initiator rfcomm_rx_process
1176 * will explicitly call put to balance the initial hold
1177 * done after session add.
1178 */
1179 break;
1180 }
1181 }
1182 return 0;
1183 }
1184
rfcomm_recv_dm(struct rfcomm_session * s,u8 dlci)1185 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1186 {
1187 int err = 0;
1188
1189 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1190
1191 if (dlci) {
1192 /* Data DLC */
1193 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1194 if (d) {
1195 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1196 err = ECONNREFUSED;
1197 else
1198 err = ECONNRESET;
1199
1200 d->state = BT_CLOSED;
1201 __rfcomm_dlc_close(d, err);
1202 }
1203 } else {
1204 if (s->state == BT_CONNECT)
1205 err = ECONNREFUSED;
1206 else
1207 err = ECONNRESET;
1208
1209 s->state = BT_CLOSED;
1210 rfcomm_session_close(s, err);
1211 }
1212 return 0;
1213 }
1214
rfcomm_recv_disc(struct rfcomm_session * s,u8 dlci)1215 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1216 {
1217 int err = 0;
1218
1219 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1220
1221 if (dlci) {
1222 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1223 if (d) {
1224 rfcomm_send_ua(s, dlci);
1225
1226 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1227 err = ECONNREFUSED;
1228 else
1229 err = ECONNRESET;
1230
1231 d->state = BT_CLOSED;
1232 __rfcomm_dlc_close(d, err);
1233 } else
1234 rfcomm_send_dm(s, dlci);
1235
1236 } else {
1237 rfcomm_send_ua(s, 0);
1238
1239 if (s->state == BT_CONNECT)
1240 err = ECONNREFUSED;
1241 else
1242 err = ECONNRESET;
1243
1244 s->state = BT_CLOSED;
1245 rfcomm_session_close(s, err);
1246 }
1247
1248 return 0;
1249 }
1250
rfcomm_dlc_accept(struct rfcomm_dlc * d)1251 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1252 {
1253 struct sock *sk = d->session->sock->sk;
1254 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1255
1256 BT_DBG("dlc %p", d);
1257
1258 rfcomm_send_ua(d->session, d->dlci);
1259
1260 rfcomm_dlc_clear_timer(d);
1261
1262 rfcomm_dlc_lock(d);
1263 d->state = BT_CONNECTED;
1264 d->state_change(d, 0);
1265 rfcomm_dlc_unlock(d);
1266
1267 if (d->role_switch)
1268 hci_conn_switch_role(conn->hcon, 0x00);
1269
1270 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1271 }
1272
rfcomm_check_accept(struct rfcomm_dlc * d)1273 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1274 {
1275 if (rfcomm_check_security(d)) {
1276 if (d->defer_setup) {
1277 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1278 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1279
1280 rfcomm_dlc_lock(d);
1281 d->state = BT_CONNECT2;
1282 d->state_change(d, 0);
1283 rfcomm_dlc_unlock(d);
1284 } else
1285 rfcomm_dlc_accept(d);
1286 } else {
1287 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1288 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1289 }
1290 }
1291
rfcomm_recv_sabm(struct rfcomm_session * s,u8 dlci)1292 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1293 {
1294 struct rfcomm_dlc *d;
1295 u8 channel;
1296
1297 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1298
1299 if (!dlci) {
1300 rfcomm_send_ua(s, 0);
1301
1302 if (s->state == BT_OPEN) {
1303 s->state = BT_CONNECTED;
1304 rfcomm_process_connect(s);
1305 }
1306 return 0;
1307 }
1308
1309 /* Check if DLC exists */
1310 d = rfcomm_dlc_get(s, dlci);
1311 if (d) {
1312 if (d->state == BT_OPEN) {
1313 /* DLC was previously opened by PN request */
1314 rfcomm_check_accept(d);
1315 }
1316 return 0;
1317 }
1318
1319 /* Notify socket layer about incoming connection */
1320 channel = __srv_channel(dlci);
1321 if (rfcomm_connect_ind(s, channel, &d)) {
1322 d->dlci = dlci;
1323 d->addr = __addr(s->initiator, dlci);
1324 rfcomm_dlc_link(s, d);
1325
1326 rfcomm_check_accept(d);
1327 } else {
1328 rfcomm_send_dm(s, dlci);
1329 }
1330
1331 return 0;
1332 }
1333
rfcomm_apply_pn(struct rfcomm_dlc * d,int cr,struct rfcomm_pn * pn)1334 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1335 {
1336 struct rfcomm_session *s = d->session;
1337
1338 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1339 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1340
1341 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1342 pn->flow_ctrl == 0xe0) {
1343 d->cfc = RFCOMM_CFC_ENABLED;
1344 d->tx_credits = pn->credits;
1345 } else {
1346 d->cfc = RFCOMM_CFC_DISABLED;
1347 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1348 }
1349
1350 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1351 s->cfc = d->cfc;
1352
1353 d->priority = pn->priority;
1354
1355 d->mtu = __le16_to_cpu(pn->mtu);
1356
1357 if (cr && d->mtu > s->mtu)
1358 d->mtu = s->mtu;
1359
1360 return 0;
1361 }
1362
rfcomm_recv_pn(struct rfcomm_session * s,int cr,struct sk_buff * skb)1363 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1364 {
1365 struct rfcomm_pn *pn = (void *) skb->data;
1366 struct rfcomm_dlc *d;
1367 u8 dlci = pn->dlci;
1368
1369 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1370
1371 if (!dlci)
1372 return 0;
1373
1374 d = rfcomm_dlc_get(s, dlci);
1375 if (d) {
1376 if (cr) {
1377 /* PN request */
1378 rfcomm_apply_pn(d, cr, pn);
1379 rfcomm_send_pn(s, 0, d);
1380 } else {
1381 /* PN response */
1382 switch (d->state) {
1383 case BT_CONFIG:
1384 rfcomm_apply_pn(d, cr, pn);
1385
1386 d->state = BT_CONNECT;
1387 rfcomm_send_sabm(s, d->dlci);
1388 break;
1389 }
1390 }
1391 } else {
1392 u8 channel = __srv_channel(dlci);
1393
1394 if (!cr)
1395 return 0;
1396
1397 /* PN request for non existing DLC.
1398 * Assume incoming connection. */
1399 if (rfcomm_connect_ind(s, channel, &d)) {
1400 d->dlci = dlci;
1401 d->addr = __addr(s->initiator, dlci);
1402 rfcomm_dlc_link(s, d);
1403
1404 rfcomm_apply_pn(d, cr, pn);
1405
1406 d->state = BT_OPEN;
1407 rfcomm_send_pn(s, 0, d);
1408 } else {
1409 rfcomm_send_dm(s, dlci);
1410 }
1411 }
1412 return 0;
1413 }
1414
rfcomm_recv_rpn(struct rfcomm_session * s,int cr,int len,struct sk_buff * skb)1415 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1416 {
1417 struct rfcomm_rpn *rpn = (void *) skb->data;
1418 u8 dlci = __get_dlci(rpn->dlci);
1419
1420 u8 bit_rate = 0;
1421 u8 data_bits = 0;
1422 u8 stop_bits = 0;
1423 u8 parity = 0;
1424 u8 flow_ctrl = 0;
1425 u8 xon_char = 0;
1426 u8 xoff_char = 0;
1427 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1428
1429 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1430 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1431 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1432
1433 if (!cr)
1434 return 0;
1435
1436 if (len == 1) {
1437 /* This is a request, return default (according to ETSI TS 07.10) settings */
1438 bit_rate = RFCOMM_RPN_BR_9600;
1439 data_bits = RFCOMM_RPN_DATA_8;
1440 stop_bits = RFCOMM_RPN_STOP_1;
1441 parity = RFCOMM_RPN_PARITY_NONE;
1442 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1443 xon_char = RFCOMM_RPN_XON_CHAR;
1444 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1445 goto rpn_out;
1446 }
1447
1448 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1449 * no parity, no flow control lines, normal XON/XOFF chars */
1450
1451 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1452 bit_rate = rpn->bit_rate;
1453 if (bit_rate > RFCOMM_RPN_BR_230400) {
1454 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1455 bit_rate = RFCOMM_RPN_BR_9600;
1456 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1457 }
1458 }
1459
1460 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1461 data_bits = __get_rpn_data_bits(rpn->line_settings);
1462 if (data_bits != RFCOMM_RPN_DATA_8) {
1463 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1464 data_bits = RFCOMM_RPN_DATA_8;
1465 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1466 }
1467 }
1468
1469 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1470 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1471 if (stop_bits != RFCOMM_RPN_STOP_1) {
1472 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1473 stop_bits = RFCOMM_RPN_STOP_1;
1474 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1475 }
1476 }
1477
1478 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1479 parity = __get_rpn_parity(rpn->line_settings);
1480 if (parity != RFCOMM_RPN_PARITY_NONE) {
1481 BT_DBG("RPN parity mismatch 0x%x", parity);
1482 parity = RFCOMM_RPN_PARITY_NONE;
1483 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1484 }
1485 }
1486
1487 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1488 flow_ctrl = rpn->flow_ctrl;
1489 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1490 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1491 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1492 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1493 }
1494 }
1495
1496 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1497 xon_char = rpn->xon_char;
1498 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1499 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1500 xon_char = RFCOMM_RPN_XON_CHAR;
1501 rpn_mask ^= RFCOMM_RPN_PM_XON;
1502 }
1503 }
1504
1505 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1506 xoff_char = rpn->xoff_char;
1507 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1508 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1509 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1510 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1511 }
1512 }
1513
1514 rpn_out:
1515 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1516 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1517
1518 return 0;
1519 }
1520
rfcomm_recv_rls(struct rfcomm_session * s,int cr,struct sk_buff * skb)1521 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1522 {
1523 struct rfcomm_rls *rls = (void *) skb->data;
1524 u8 dlci = __get_dlci(rls->dlci);
1525
1526 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1527
1528 if (!cr)
1529 return 0;
1530
1531 /* We should probably do something with this information here. But
1532 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1533 * mandatory to recognise and respond to RLS */
1534
1535 rfcomm_send_rls(s, 0, dlci, rls->status);
1536
1537 return 0;
1538 }
1539
rfcomm_recv_msc(struct rfcomm_session * s,int cr,struct sk_buff * skb)1540 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1541 {
1542 struct rfcomm_msc *msc = (void *) skb->data;
1543 struct rfcomm_dlc *d;
1544 u8 dlci = __get_dlci(msc->dlci);
1545
1546 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1547
1548 d = rfcomm_dlc_get(s, dlci);
1549 if (!d)
1550 return 0;
1551
1552 if (cr) {
1553 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1554 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1555 else
1556 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1557
1558 rfcomm_dlc_lock(d);
1559
1560 d->remote_v24_sig = msc->v24_sig;
1561
1562 if (d->modem_status)
1563 d->modem_status(d, msc->v24_sig);
1564
1565 rfcomm_dlc_unlock(d);
1566
1567 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1568
1569 d->mscex |= RFCOMM_MSCEX_RX;
1570 } else
1571 d->mscex |= RFCOMM_MSCEX_TX;
1572
1573 return 0;
1574 }
1575
rfcomm_recv_mcc(struct rfcomm_session * s,struct sk_buff * skb)1576 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1577 {
1578 struct rfcomm_mcc *mcc = (void *) skb->data;
1579 u8 type, cr, len;
1580
1581 cr = __test_cr(mcc->type);
1582 type = __get_mcc_type(mcc->type);
1583 len = __get_mcc_len(mcc->len);
1584
1585 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1586
1587 skb_pull(skb, 2);
1588
1589 switch (type) {
1590 case RFCOMM_PN:
1591 rfcomm_recv_pn(s, cr, skb);
1592 break;
1593
1594 case RFCOMM_RPN:
1595 rfcomm_recv_rpn(s, cr, len, skb);
1596 break;
1597
1598 case RFCOMM_RLS:
1599 rfcomm_recv_rls(s, cr, skb);
1600 break;
1601
1602 case RFCOMM_MSC:
1603 rfcomm_recv_msc(s, cr, skb);
1604 break;
1605
1606 case RFCOMM_FCOFF:
1607 if (cr) {
1608 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1609 rfcomm_send_fcoff(s, 0);
1610 }
1611 break;
1612
1613 case RFCOMM_FCON:
1614 if (cr) {
1615 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1616 rfcomm_send_fcon(s, 0);
1617 }
1618 break;
1619
1620 case RFCOMM_TEST:
1621 if (cr)
1622 rfcomm_send_test(s, 0, skb->data, skb->len);
1623 break;
1624
1625 case RFCOMM_NSC:
1626 break;
1627
1628 default:
1629 BT_ERR("Unknown control type 0x%02x", type);
1630 rfcomm_send_nsc(s, cr, type);
1631 break;
1632 }
1633 return 0;
1634 }
1635
rfcomm_recv_data(struct rfcomm_session * s,u8 dlci,int pf,struct sk_buff * skb)1636 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1637 {
1638 struct rfcomm_dlc *d;
1639
1640 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1641
1642 d = rfcomm_dlc_get(s, dlci);
1643 if (!d) {
1644 rfcomm_send_dm(s, dlci);
1645 goto drop;
1646 }
1647
1648 if (pf && d->cfc) {
1649 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1650
1651 d->tx_credits += credits;
1652 if (d->tx_credits)
1653 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1654 }
1655
1656 if (skb->len && d->state == BT_CONNECTED) {
1657 rfcomm_dlc_lock(d);
1658 d->rx_credits--;
1659 d->data_ready(d, skb);
1660 rfcomm_dlc_unlock(d);
1661 return 0;
1662 }
1663
1664 drop:
1665 kfree_skb(skb);
1666 return 0;
1667 }
1668
rfcomm_recv_frame(struct rfcomm_session * s,struct sk_buff * skb)1669 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1670 {
1671 struct rfcomm_hdr *hdr = (void *) skb->data;
1672 u8 type, dlci, fcs;
1673
1674 dlci = __get_dlci(hdr->addr);
1675 type = __get_type(hdr->ctrl);
1676
1677 /* Trim FCS */
1678 skb->len--; skb->tail--;
1679 fcs = *(u8 *)skb_tail_pointer(skb);
1680
1681 if (__check_fcs(skb->data, type, fcs)) {
1682 BT_ERR("bad checksum in packet");
1683 kfree_skb(skb);
1684 return -EILSEQ;
1685 }
1686
1687 if (__test_ea(hdr->len))
1688 skb_pull(skb, 3);
1689 else
1690 skb_pull(skb, 4);
1691
1692 switch (type) {
1693 case RFCOMM_SABM:
1694 if (__test_pf(hdr->ctrl))
1695 rfcomm_recv_sabm(s, dlci);
1696 break;
1697
1698 case RFCOMM_DISC:
1699 if (__test_pf(hdr->ctrl))
1700 rfcomm_recv_disc(s, dlci);
1701 break;
1702
1703 case RFCOMM_UA:
1704 if (__test_pf(hdr->ctrl))
1705 rfcomm_recv_ua(s, dlci);
1706 break;
1707
1708 case RFCOMM_DM:
1709 rfcomm_recv_dm(s, dlci);
1710 break;
1711
1712 case RFCOMM_UIH:
1713 if (dlci)
1714 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1715
1716 rfcomm_recv_mcc(s, skb);
1717 break;
1718
1719 default:
1720 BT_ERR("Unknown packet type 0x%02x", type);
1721 break;
1722 }
1723 kfree_skb(skb);
1724 return 0;
1725 }
1726
1727 /* ---- Connection and data processing ---- */
1728
rfcomm_process_connect(struct rfcomm_session * s)1729 static void rfcomm_process_connect(struct rfcomm_session *s)
1730 {
1731 struct rfcomm_dlc *d;
1732 struct list_head *p, *n;
1733
1734 BT_DBG("session %p state %ld", s, s->state);
1735
1736 list_for_each_safe(p, n, &s->dlcs) {
1737 d = list_entry(p, struct rfcomm_dlc, list);
1738 if (d->state == BT_CONFIG) {
1739 d->mtu = s->mtu;
1740 if (rfcomm_check_security(d)) {
1741 rfcomm_send_pn(s, 1, d);
1742 } else {
1743 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1744 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1745 }
1746 }
1747 }
1748 }
1749
1750 /* Send data queued for the DLC.
1751 * Return number of frames left in the queue.
1752 */
rfcomm_process_tx(struct rfcomm_dlc * d)1753 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1754 {
1755 struct sk_buff *skb;
1756 int err;
1757
1758 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1759 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1760
1761 /* Send pending MSC */
1762 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1763 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1764
1765 if (d->cfc) {
1766 /* CFC enabled.
1767 * Give them some credits */
1768 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1769 d->rx_credits <= (d->cfc >> 2)) {
1770 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1771 d->rx_credits = d->cfc;
1772 }
1773 } else {
1774 /* CFC disabled.
1775 * Give ourselves some credits */
1776 d->tx_credits = 5;
1777 }
1778
1779 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1780 return skb_queue_len(&d->tx_queue);
1781
1782 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1783 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1784 if (err < 0) {
1785 skb_queue_head(&d->tx_queue, skb);
1786 break;
1787 }
1788 kfree_skb(skb);
1789 d->tx_credits--;
1790 }
1791
1792 if (d->cfc && !d->tx_credits) {
1793 /* We're out of TX credits.
1794 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1795 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1796 }
1797
1798 return skb_queue_len(&d->tx_queue);
1799 }
1800
rfcomm_process_dlcs(struct rfcomm_session * s)1801 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1802 {
1803 struct rfcomm_dlc *d;
1804 struct list_head *p, *n;
1805
1806 BT_DBG("session %p state %ld", s, s->state);
1807
1808 list_for_each_safe(p, n, &s->dlcs) {
1809 d = list_entry(p, struct rfcomm_dlc, list);
1810
1811 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1812 __rfcomm_dlc_close(d, ETIMEDOUT);
1813 continue;
1814 }
1815
1816 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1817 __rfcomm_dlc_close(d, ECONNREFUSED);
1818 continue;
1819 }
1820
1821 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1822 rfcomm_dlc_clear_timer(d);
1823 if (d->out) {
1824 rfcomm_send_pn(s, 1, d);
1825 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1826 } else {
1827 if (d->defer_setup) {
1828 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1829 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1830
1831 rfcomm_dlc_lock(d);
1832 d->state = BT_CONNECT2;
1833 d->state_change(d, 0);
1834 rfcomm_dlc_unlock(d);
1835 } else
1836 rfcomm_dlc_accept(d);
1837 }
1838 continue;
1839 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1840 rfcomm_dlc_clear_timer(d);
1841 if (!d->out)
1842 rfcomm_send_dm(s, d->dlci);
1843 else
1844 d->state = BT_CLOSED;
1845 __rfcomm_dlc_close(d, ECONNREFUSED);
1846 continue;
1847 }
1848
1849 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1850 continue;
1851
1852 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1853 continue;
1854
1855 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1856 d->mscex == RFCOMM_MSCEX_OK)
1857 rfcomm_process_tx(d);
1858 }
1859 }
1860
rfcomm_process_rx(struct rfcomm_session * s)1861 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1862 {
1863 struct socket *sock = s->sock;
1864 struct sock *sk = sock->sk;
1865 struct sk_buff *skb;
1866
1867 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1868
1869 /* Get data directly from socket receive queue without copying it. */
1870 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1871 skb_orphan(skb);
1872 if (!skb_linearize(skb))
1873 rfcomm_recv_frame(s, skb);
1874 else
1875 kfree_skb(skb);
1876 }
1877
1878 if (sk->sk_state == BT_CLOSED) {
1879 if (!s->initiator)
1880 rfcomm_session_put(s);
1881
1882 rfcomm_session_close(s, sk->sk_err);
1883 }
1884 }
1885
rfcomm_accept_connection(struct rfcomm_session * s)1886 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1887 {
1888 struct socket *sock = s->sock, *nsock;
1889 int err;
1890
1891 /* Fast check for a new connection.
1892 * Avoids unnesesary socket allocations. */
1893 if (list_empty(&bt_sk(sock->sk)->accept_q))
1894 return;
1895
1896 BT_DBG("session %p", s);
1897
1898 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1899 if (err < 0)
1900 return;
1901
1902 /* Set our callbacks */
1903 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1904 nsock->sk->sk_state_change = rfcomm_l2state_change;
1905
1906 s = rfcomm_session_add(nsock, BT_OPEN);
1907 if (s) {
1908 rfcomm_session_hold(s);
1909
1910 /* We should adjust MTU on incoming sessions.
1911 * L2CAP MTU minus UIH header and FCS. */
1912 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1913 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1914
1915 rfcomm_schedule();
1916 } else
1917 sock_release(nsock);
1918 }
1919
rfcomm_check_connection(struct rfcomm_session * s)1920 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1921 {
1922 struct sock *sk = s->sock->sk;
1923
1924 BT_DBG("%p state %ld", s, s->state);
1925
1926 switch (sk->sk_state) {
1927 case BT_CONNECTED:
1928 s->state = BT_CONNECT;
1929
1930 /* We can adjust MTU on outgoing sessions.
1931 * L2CAP MTU minus UIH header and FCS. */
1932 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1933
1934 rfcomm_send_sabm(s, 0);
1935 break;
1936
1937 case BT_CLOSED:
1938 s->state = BT_CLOSED;
1939 rfcomm_session_close(s, sk->sk_err);
1940 break;
1941 }
1942 }
1943
rfcomm_process_sessions(void)1944 static inline void rfcomm_process_sessions(void)
1945 {
1946 struct list_head *p, *n;
1947
1948 rfcomm_lock();
1949
1950 list_for_each_safe(p, n, &session_list) {
1951 struct rfcomm_session *s;
1952 s = list_entry(p, struct rfcomm_session, list);
1953
1954 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1955 s->state = BT_DISCONN;
1956 rfcomm_send_disc(s, 0);
1957 rfcomm_session_put(s);
1958 continue;
1959 }
1960
1961 if (s->state == BT_LISTEN) {
1962 rfcomm_accept_connection(s);
1963 continue;
1964 }
1965
1966 rfcomm_session_hold(s);
1967
1968 switch (s->state) {
1969 case BT_BOUND:
1970 rfcomm_check_connection(s);
1971 break;
1972
1973 default:
1974 rfcomm_process_rx(s);
1975 break;
1976 }
1977
1978 rfcomm_process_dlcs(s);
1979
1980 rfcomm_session_put(s);
1981 }
1982
1983 rfcomm_unlock();
1984 }
1985
rfcomm_add_listener(bdaddr_t * ba)1986 static int rfcomm_add_listener(bdaddr_t *ba)
1987 {
1988 struct sockaddr_l2 addr;
1989 struct socket *sock;
1990 struct sock *sk;
1991 struct rfcomm_session *s;
1992 int err = 0;
1993
1994 /* Create socket */
1995 err = rfcomm_l2sock_create(&sock);
1996 if (err < 0) {
1997 BT_ERR("Create socket failed %d", err);
1998 return err;
1999 }
2000
2001 /* Bind socket */
2002 bacpy(&addr.l2_bdaddr, ba);
2003 addr.l2_family = AF_BLUETOOTH;
2004 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
2005 addr.l2_cid = 0;
2006 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2007 if (err < 0) {
2008 BT_ERR("Bind failed %d", err);
2009 goto failed;
2010 }
2011
2012 /* Set L2CAP options */
2013 sk = sock->sk;
2014 lock_sock(sk);
2015 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2016 release_sock(sk);
2017
2018 /* Start listening on the socket */
2019 err = kernel_listen(sock, 10);
2020 if (err) {
2021 BT_ERR("Listen failed %d", err);
2022 goto failed;
2023 }
2024
2025 /* Add listening session */
2026 s = rfcomm_session_add(sock, BT_LISTEN);
2027 if (!s)
2028 goto failed;
2029
2030 rfcomm_session_hold(s);
2031 return 0;
2032 failed:
2033 sock_release(sock);
2034 return err;
2035 }
2036
rfcomm_kill_listener(void)2037 static void rfcomm_kill_listener(void)
2038 {
2039 struct rfcomm_session *s;
2040 struct list_head *p, *n;
2041
2042 BT_DBG("");
2043
2044 list_for_each_safe(p, n, &session_list) {
2045 s = list_entry(p, struct rfcomm_session, list);
2046 rfcomm_session_del(s);
2047 }
2048 }
2049
rfcomm_run(void * unused)2050 static int rfcomm_run(void *unused)
2051 {
2052 BT_DBG("");
2053
2054 set_user_nice(current, -10);
2055
2056 rfcomm_add_listener(BDADDR_ANY);
2057
2058 while (1) {
2059 set_current_state(TASK_INTERRUPTIBLE);
2060
2061 if (kthread_should_stop())
2062 break;
2063
2064 /* Process stuff */
2065 rfcomm_process_sessions();
2066
2067 schedule();
2068 }
2069 __set_current_state(TASK_RUNNING);
2070
2071 rfcomm_kill_listener();
2072
2073 return 0;
2074 }
2075
rfcomm_security_cfm(struct hci_conn * conn,u8 status,u8 encrypt)2076 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2077 {
2078 struct rfcomm_session *s;
2079 struct rfcomm_dlc *d;
2080 struct list_head *p, *n;
2081
2082 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2083
2084 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2085 if (!s)
2086 return;
2087
2088 rfcomm_session_hold(s);
2089
2090 list_for_each_safe(p, n, &s->dlcs) {
2091 d = list_entry(p, struct rfcomm_dlc, list);
2092
2093 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2094 rfcomm_dlc_clear_timer(d);
2095 if (status || encrypt == 0x00) {
2096 set_bit(RFCOMM_ENC_DROP, &d->flags);
2097 continue;
2098 }
2099 }
2100
2101 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2102 if (d->sec_level == BT_SECURITY_MEDIUM) {
2103 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2104 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2105 continue;
2106 } else if (d->sec_level == BT_SECURITY_HIGH) {
2107 set_bit(RFCOMM_ENC_DROP, &d->flags);
2108 continue;
2109 }
2110 }
2111
2112 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2113 continue;
2114
2115 if (!status && hci_conn_check_secure(conn, d->sec_level))
2116 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2117 else
2118 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2119 }
2120
2121 rfcomm_session_put(s);
2122
2123 rfcomm_schedule();
2124 }
2125
2126 static struct hci_cb rfcomm_cb = {
2127 .name = "RFCOMM",
2128 .security_cfm = rfcomm_security_cfm
2129 };
2130
rfcomm_dlc_debugfs_show(struct seq_file * f,void * x)2131 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2132 {
2133 struct rfcomm_session *s;
2134
2135 rfcomm_lock();
2136
2137 list_for_each_entry(s, &session_list, list) {
2138 struct rfcomm_dlc *d;
2139 list_for_each_entry(d, &s->dlcs, list) {
2140 struct sock *sk = s->sock->sk;
2141
2142 seq_printf(f, "%s %s %ld %d %d %d %d\n",
2143 batostr(&bt_sk(sk)->src),
2144 batostr(&bt_sk(sk)->dst),
2145 d->state, d->dlci, d->mtu,
2146 d->rx_credits, d->tx_credits);
2147 }
2148 }
2149
2150 rfcomm_unlock();
2151
2152 return 0;
2153 }
2154
rfcomm_dlc_debugfs_open(struct inode * inode,struct file * file)2155 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2156 {
2157 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2158 }
2159
2160 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2161 .open = rfcomm_dlc_debugfs_open,
2162 .read = seq_read,
2163 .llseek = seq_lseek,
2164 .release = single_release,
2165 };
2166
2167 static struct dentry *rfcomm_dlc_debugfs;
2168
2169 /* ---- Initialization ---- */
rfcomm_init(void)2170 static int __init rfcomm_init(void)
2171 {
2172 int err;
2173
2174 hci_register_cb(&rfcomm_cb);
2175
2176 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2177 if (IS_ERR(rfcomm_thread)) {
2178 err = PTR_ERR(rfcomm_thread);
2179 goto unregister;
2180 }
2181
2182 if (bt_debugfs) {
2183 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2184 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2185 if (!rfcomm_dlc_debugfs)
2186 BT_ERR("Failed to create RFCOMM debug file");
2187 }
2188
2189 err = rfcomm_init_ttys();
2190 if (err < 0)
2191 goto stop;
2192
2193 err = rfcomm_init_sockets();
2194 if (err < 0)
2195 goto cleanup;
2196
2197 BT_INFO("RFCOMM ver %s", VERSION);
2198
2199 return 0;
2200
2201 cleanup:
2202 rfcomm_cleanup_ttys();
2203
2204 stop:
2205 kthread_stop(rfcomm_thread);
2206
2207 unregister:
2208 hci_unregister_cb(&rfcomm_cb);
2209
2210 return err;
2211 }
2212
rfcomm_exit(void)2213 static void __exit rfcomm_exit(void)
2214 {
2215 debugfs_remove(rfcomm_dlc_debugfs);
2216
2217 hci_unregister_cb(&rfcomm_cb);
2218
2219 kthread_stop(rfcomm_thread);
2220
2221 rfcomm_cleanup_ttys();
2222
2223 rfcomm_cleanup_sockets();
2224 }
2225
2226 module_init(rfcomm_init);
2227 module_exit(rfcomm_exit);
2228
2229 module_param(disable_cfc, bool, 0644);
2230 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2231
2232 module_param(channel_mtu, int, 0644);
2233 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2234
2235 module_param(l2cap_mtu, uint, 0644);
2236 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2237
2238 module_param(l2cap_ertm, bool, 0644);
2239 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2240
2241 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2242 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2243 MODULE_VERSION(VERSION);
2244 MODULE_LICENSE("GPL");
2245 MODULE_ALIAS("bt-proto-3");
2246