1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * Bluetooth RFCOMM core.
26  */
27 
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/debugfs.h>
37 #include <linux/seq_file.h>
38 #include <linux/net.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41 #include <linux/slab.h>
42 
43 #include <net/sock.h>
44 #include <linux/uaccess.h>
45 #include <asm/unaligned.h>
46 
47 #include <net/bluetooth/bluetooth.h>
48 #include <net/bluetooth/hci_core.h>
49 #include <net/bluetooth/l2cap.h>
50 #include <net/bluetooth/rfcomm.h>
51 
52 #define VERSION "1.11"
53 
54 static bool disable_cfc;
55 static bool l2cap_ertm;
56 static int channel_mtu = -1;
57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58 
59 static struct task_struct *rfcomm_thread;
60 
61 static DEFINE_MUTEX(rfcomm_mutex);
62 #define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
63 #define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)
64 
65 
66 static LIST_HEAD(session_list);
67 
68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78 
79 static void rfcomm_process_connect(struct rfcomm_session *s);
80 
81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
82 							bdaddr_t *dst,
83 							u8 sec_level,
84 							int *err);
85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
86 static void rfcomm_session_del(struct rfcomm_session *s);
87 
88 /* ---- RFCOMM frame parsing macros ---- */
89 #define __get_dlci(b)     ((b & 0xfc) >> 2)
90 #define __get_channel(b)  ((b & 0xf8) >> 3)
91 #define __get_dir(b)      ((b & 0x04) >> 2)
92 #define __get_type(b)     ((b & 0xef))
93 
94 #define __test_ea(b)      ((b & 0x01))
95 #define __test_cr(b)      ((b & 0x02))
96 #define __test_pf(b)      ((b & 0x10))
97 
98 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
99 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
100 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
101 #define __srv_channel(dlci)    (dlci >> 1)
102 #define __dir(dlci)            (dlci & 0x01)
103 
104 #define __len8(len)       (((len) << 1) | 1)
105 #define __len16(len)      ((len) << 1)
106 
107 /* MCC macros */
108 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
110 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
111 
112 /* RPN macros */
113 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
114 #define __get_rpn_data_bits(line) ((line) & 0x3)
115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
116 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
117 
rfcomm_schedule(void)118 static inline void rfcomm_schedule(void)
119 {
120 	if (!rfcomm_thread)
121 		return;
122 	wake_up_process(rfcomm_thread);
123 }
124 
rfcomm_session_put(struct rfcomm_session * s)125 static inline void rfcomm_session_put(struct rfcomm_session *s)
126 {
127 	if (atomic_dec_and_test(&s->refcnt))
128 		rfcomm_session_del(s);
129 }
130 
131 /* ---- RFCOMM FCS computation ---- */
132 
133 /* reversed, 8-bit, poly=0x07 */
134 static unsigned char rfcomm_crc_table[256] = {
135 	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
136 	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
137 	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
138 	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
139 
140 	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
141 	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
142 	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
143 	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
144 
145 	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
146 	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
147 	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
148 	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
149 
150 	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
151 	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
152 	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
153 	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
154 
155 	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
156 	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
157 	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
158 	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
159 
160 	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
161 	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
162 	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
163 	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
164 
165 	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
166 	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
167 	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
168 	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
169 
170 	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
171 	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
172 	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
173 	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
174 };
175 
176 /* CRC on 2 bytes */
177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
178 
179 /* FCS on 2 bytes */
__fcs(u8 * data)180 static inline u8 __fcs(u8 *data)
181 {
182 	return 0xff - __crc(data);
183 }
184 
185 /* FCS on 3 bytes */
__fcs2(u8 * data)186 static inline u8 __fcs2(u8 *data)
187 {
188 	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
189 }
190 
191 /* Check FCS */
__check_fcs(u8 * data,int type,u8 fcs)192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
193 {
194 	u8 f = __crc(data);
195 
196 	if (type != RFCOMM_UIH)
197 		f = rfcomm_crc_table[f ^ data[2]];
198 
199 	return rfcomm_crc_table[f ^ fcs] != 0xcf;
200 }
201 
202 /* ---- L2CAP callbacks ---- */
rfcomm_l2state_change(struct sock * sk)203 static void rfcomm_l2state_change(struct sock *sk)
204 {
205 	BT_DBG("%p state %d", sk, sk->sk_state);
206 	rfcomm_schedule();
207 }
208 
rfcomm_l2data_ready(struct sock * sk,int bytes)209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
210 {
211 	BT_DBG("%p bytes %d", sk, bytes);
212 	rfcomm_schedule();
213 }
214 
rfcomm_l2sock_create(struct socket ** sock)215 static int rfcomm_l2sock_create(struct socket **sock)
216 {
217 	int err;
218 
219 	BT_DBG("");
220 
221 	err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
222 	if (!err) {
223 		struct sock *sk = (*sock)->sk;
224 		sk->sk_data_ready   = rfcomm_l2data_ready;
225 		sk->sk_state_change = rfcomm_l2state_change;
226 	}
227 	return err;
228 }
229 
rfcomm_check_security(struct rfcomm_dlc * d)230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
231 {
232 	struct sock *sk = d->session->sock->sk;
233 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
234 
235 	__u8 auth_type;
236 
237 	switch (d->sec_level) {
238 	case BT_SECURITY_HIGH:
239 		auth_type = HCI_AT_GENERAL_BONDING_MITM;
240 		break;
241 	case BT_SECURITY_MEDIUM:
242 		auth_type = HCI_AT_GENERAL_BONDING;
243 		break;
244 	default:
245 		auth_type = HCI_AT_NO_BONDING;
246 		break;
247 	}
248 
249 	return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250 }
251 
rfcomm_session_timeout(unsigned long arg)252 static void rfcomm_session_timeout(unsigned long arg)
253 {
254 	struct rfcomm_session *s = (void *) arg;
255 
256 	BT_DBG("session %p state %ld", s, s->state);
257 
258 	set_bit(RFCOMM_TIMED_OUT, &s->flags);
259 	rfcomm_schedule();
260 }
261 
rfcomm_session_set_timer(struct rfcomm_session * s,long timeout)262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
263 {
264 	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
265 
266 	if (!mod_timer(&s->timer, jiffies + timeout))
267 		rfcomm_session_hold(s);
268 }
269 
rfcomm_session_clear_timer(struct rfcomm_session * s)270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
271 {
272 	BT_DBG("session %p state %ld", s, s->state);
273 
274 	if (timer_pending(&s->timer) && del_timer(&s->timer))
275 		rfcomm_session_put(s);
276 }
277 
278 /* ---- RFCOMM DLCs ---- */
rfcomm_dlc_timeout(unsigned long arg)279 static void rfcomm_dlc_timeout(unsigned long arg)
280 {
281 	struct rfcomm_dlc *d = (void *) arg;
282 
283 	BT_DBG("dlc %p state %ld", d, d->state);
284 
285 	set_bit(RFCOMM_TIMED_OUT, &d->flags);
286 	rfcomm_dlc_put(d);
287 	rfcomm_schedule();
288 }
289 
rfcomm_dlc_set_timer(struct rfcomm_dlc * d,long timeout)290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
291 {
292 	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
293 
294 	if (!mod_timer(&d->timer, jiffies + timeout))
295 		rfcomm_dlc_hold(d);
296 }
297 
rfcomm_dlc_clear_timer(struct rfcomm_dlc * d)298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
299 {
300 	BT_DBG("dlc %p state %ld", d, d->state);
301 
302 	if (timer_pending(&d->timer) && del_timer(&d->timer))
303 		rfcomm_dlc_put(d);
304 }
305 
rfcomm_dlc_clear_state(struct rfcomm_dlc * d)306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
307 {
308 	BT_DBG("%p", d);
309 
310 	d->state      = BT_OPEN;
311 	d->flags      = 0;
312 	d->mscex      = 0;
313 	d->sec_level  = BT_SECURITY_LOW;
314 	d->mtu        = RFCOMM_DEFAULT_MTU;
315 	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
316 
317 	d->cfc        = RFCOMM_CFC_DISABLED;
318 	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
319 }
320 
rfcomm_dlc_alloc(gfp_t prio)321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
322 {
323 	struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
324 
325 	if (!d)
326 		return NULL;
327 
328 	setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
329 
330 	skb_queue_head_init(&d->tx_queue);
331 	spin_lock_init(&d->lock);
332 	atomic_set(&d->refcnt, 1);
333 
334 	rfcomm_dlc_clear_state(d);
335 
336 	BT_DBG("%p", d);
337 
338 	return d;
339 }
340 
rfcomm_dlc_free(struct rfcomm_dlc * d)341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
342 {
343 	BT_DBG("%p", d);
344 
345 	skb_queue_purge(&d->tx_queue);
346 	kfree(d);
347 }
348 
rfcomm_dlc_link(struct rfcomm_session * s,struct rfcomm_dlc * d)349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
350 {
351 	BT_DBG("dlc %p session %p", d, s);
352 
353 	rfcomm_session_hold(s);
354 
355 	rfcomm_session_clear_timer(s);
356 	rfcomm_dlc_hold(d);
357 	list_add(&d->list, &s->dlcs);
358 	d->session = s;
359 }
360 
rfcomm_dlc_unlink(struct rfcomm_dlc * d)361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
362 {
363 	struct rfcomm_session *s = d->session;
364 
365 	BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
366 
367 	list_del(&d->list);
368 	d->session = NULL;
369 	rfcomm_dlc_put(d);
370 
371 	if (list_empty(&s->dlcs))
372 		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
373 
374 	rfcomm_session_put(s);
375 }
376 
rfcomm_dlc_get(struct rfcomm_session * s,u8 dlci)377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
378 {
379 	struct rfcomm_dlc *d;
380 
381 	list_for_each_entry(d, &s->dlcs, list)
382 		if (d->dlci == dlci)
383 			return d;
384 
385 	return NULL;
386 }
387 
__rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)388 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
389 {
390 	struct rfcomm_session *s;
391 	int err = 0;
392 	u8 dlci;
393 
394 	BT_DBG("dlc %p state %ld %s %s channel %d",
395 			d, d->state, batostr(src), batostr(dst), channel);
396 
397 	if (channel < 1 || channel > 30)
398 		return -EINVAL;
399 
400 	if (d->state != BT_OPEN && d->state != BT_CLOSED)
401 		return 0;
402 
403 	s = rfcomm_session_get(src, dst);
404 	if (!s) {
405 		s = rfcomm_session_create(src, dst, d->sec_level, &err);
406 		if (!s)
407 			return err;
408 	}
409 
410 	dlci = __dlci(!s->initiator, channel);
411 
412 	/* Check if DLCI already exists */
413 	if (rfcomm_dlc_get(s, dlci))
414 		return -EBUSY;
415 
416 	rfcomm_dlc_clear_state(d);
417 
418 	d->dlci     = dlci;
419 	d->addr     = __addr(s->initiator, dlci);
420 	d->priority = 7;
421 
422 	d->state = BT_CONFIG;
423 	rfcomm_dlc_link(s, d);
424 
425 	d->out = 1;
426 
427 	d->mtu = s->mtu;
428 	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
429 
430 	if (s->state == BT_CONNECTED) {
431 		if (rfcomm_check_security(d))
432 			rfcomm_send_pn(s, 1, d);
433 		else
434 			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
435 	}
436 
437 	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
438 
439 	return 0;
440 }
441 
rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)442 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
443 {
444 	int r;
445 
446 	rfcomm_lock();
447 
448 	r = __rfcomm_dlc_open(d, src, dst, channel);
449 
450 	rfcomm_unlock();
451 	return r;
452 }
453 
__rfcomm_dlc_close(struct rfcomm_dlc * d,int err)454 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
455 {
456 	struct rfcomm_session *s = d->session;
457 	if (!s)
458 		return 0;
459 
460 	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
461 			d, d->state, d->dlci, err, s);
462 
463 	switch (d->state) {
464 	case BT_CONNECT:
465 	case BT_CONFIG:
466 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
467 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
468 			rfcomm_schedule();
469 			break;
470 		}
471 		/* Fall through */
472 
473 	case BT_CONNECTED:
474 		d->state = BT_DISCONN;
475 		if (skb_queue_empty(&d->tx_queue)) {
476 			rfcomm_send_disc(s, d->dlci);
477 			rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
478 		} else {
479 			rfcomm_queue_disc(d);
480 			rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
481 		}
482 		break;
483 
484 	case BT_OPEN:
485 	case BT_CONNECT2:
486 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
487 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
488 			rfcomm_schedule();
489 			break;
490 		}
491 		/* Fall through */
492 
493 	default:
494 		rfcomm_dlc_clear_timer(d);
495 
496 		rfcomm_dlc_lock(d);
497 		d->state = BT_CLOSED;
498 		d->state_change(d, err);
499 		rfcomm_dlc_unlock(d);
500 
501 		skb_queue_purge(&d->tx_queue);
502 		rfcomm_dlc_unlink(d);
503 	}
504 
505 	return 0;
506 }
507 
rfcomm_dlc_close(struct rfcomm_dlc * d,int err)508 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
509 {
510 	int r;
511 
512 	rfcomm_lock();
513 
514 	r = __rfcomm_dlc_close(d, err);
515 
516 	rfcomm_unlock();
517 	return r;
518 }
519 
rfcomm_dlc_send(struct rfcomm_dlc * d,struct sk_buff * skb)520 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
521 {
522 	int len = skb->len;
523 
524 	if (d->state != BT_CONNECTED)
525 		return -ENOTCONN;
526 
527 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
528 
529 	if (len > d->mtu)
530 		return -EINVAL;
531 
532 	rfcomm_make_uih(skb, d->addr);
533 	skb_queue_tail(&d->tx_queue, skb);
534 
535 	if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
536 		rfcomm_schedule();
537 	return len;
538 }
539 
__rfcomm_dlc_throttle(struct rfcomm_dlc * d)540 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
541 {
542 	BT_DBG("dlc %p state %ld", d, d->state);
543 
544 	if (!d->cfc) {
545 		d->v24_sig |= RFCOMM_V24_FC;
546 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
547 	}
548 	rfcomm_schedule();
549 }
550 
__rfcomm_dlc_unthrottle(struct rfcomm_dlc * d)551 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
552 {
553 	BT_DBG("dlc %p state %ld", d, d->state);
554 
555 	if (!d->cfc) {
556 		d->v24_sig &= ~RFCOMM_V24_FC;
557 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
558 	}
559 	rfcomm_schedule();
560 }
561 
562 /*
563    Set/get modem status functions use _local_ status i.e. what we report
564    to the other side.
565    Remote status is provided by dlc->modem_status() callback.
566  */
rfcomm_dlc_set_modem_status(struct rfcomm_dlc * d,u8 v24_sig)567 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
568 {
569 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
570 			d, d->state, v24_sig);
571 
572 	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
573 		v24_sig |= RFCOMM_V24_FC;
574 	else
575 		v24_sig &= ~RFCOMM_V24_FC;
576 
577 	d->v24_sig = v24_sig;
578 
579 	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
580 		rfcomm_schedule();
581 
582 	return 0;
583 }
584 
rfcomm_dlc_get_modem_status(struct rfcomm_dlc * d,u8 * v24_sig)585 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
586 {
587 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
588 			d, d->state, d->v24_sig);
589 
590 	*v24_sig = d->v24_sig;
591 	return 0;
592 }
593 
594 /* ---- RFCOMM sessions ---- */
rfcomm_session_add(struct socket * sock,int state)595 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
596 {
597 	struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
598 
599 	if (!s)
600 		return NULL;
601 
602 	BT_DBG("session %p sock %p", s, sock);
603 
604 	setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
605 
606 	INIT_LIST_HEAD(&s->dlcs);
607 	s->state = state;
608 	s->sock  = sock;
609 
610 	s->mtu = RFCOMM_DEFAULT_MTU;
611 	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
612 
613 	/* Do not increment module usage count for listening sessions.
614 	 * Otherwise we won't be able to unload the module. */
615 	if (state != BT_LISTEN)
616 		if (!try_module_get(THIS_MODULE)) {
617 			kfree(s);
618 			return NULL;
619 		}
620 
621 	list_add(&s->list, &session_list);
622 
623 	return s;
624 }
625 
rfcomm_session_del(struct rfcomm_session * s)626 static void rfcomm_session_del(struct rfcomm_session *s)
627 {
628 	int state = s->state;
629 
630 	BT_DBG("session %p state %ld", s, s->state);
631 
632 	list_del(&s->list);
633 
634 	if (state == BT_CONNECTED)
635 		rfcomm_send_disc(s, 0);
636 
637 	rfcomm_session_clear_timer(s);
638 	sock_release(s->sock);
639 	kfree(s);
640 
641 	if (state != BT_LISTEN)
642 		module_put(THIS_MODULE);
643 }
644 
rfcomm_session_get(bdaddr_t * src,bdaddr_t * dst)645 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
646 {
647 	struct rfcomm_session *s;
648 	struct list_head *p, *n;
649 	struct bt_sock *sk;
650 	list_for_each_safe(p, n, &session_list) {
651 		s = list_entry(p, struct rfcomm_session, list);
652 		sk = bt_sk(s->sock->sk);
653 
654 		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
655 				!bacmp(&sk->dst, dst))
656 			return s;
657 	}
658 	return NULL;
659 }
660 
rfcomm_session_close(struct rfcomm_session * s,int err)661 static void rfcomm_session_close(struct rfcomm_session *s, int err)
662 {
663 	struct rfcomm_dlc *d;
664 	struct list_head *p, *n;
665 
666 	BT_DBG("session %p state %ld err %d", s, s->state, err);
667 
668 	rfcomm_session_hold(s);
669 
670 	s->state = BT_CLOSED;
671 
672 	/* Close all dlcs */
673 	list_for_each_safe(p, n, &s->dlcs) {
674 		d = list_entry(p, struct rfcomm_dlc, list);
675 		d->state = BT_CLOSED;
676 		__rfcomm_dlc_close(d, err);
677 	}
678 
679 	rfcomm_session_clear_timer(s);
680 	rfcomm_session_put(s);
681 }
682 
rfcomm_session_create(bdaddr_t * src,bdaddr_t * dst,u8 sec_level,int * err)683 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
684 							bdaddr_t *dst,
685 							u8 sec_level,
686 							int *err)
687 {
688 	struct rfcomm_session *s = NULL;
689 	struct sockaddr_l2 addr;
690 	struct socket *sock;
691 	struct sock *sk;
692 
693 	BT_DBG("%s %s", batostr(src), batostr(dst));
694 
695 	*err = rfcomm_l2sock_create(&sock);
696 	if (*err < 0)
697 		return NULL;
698 
699 	bacpy(&addr.l2_bdaddr, src);
700 	addr.l2_family = AF_BLUETOOTH;
701 	addr.l2_psm    = 0;
702 	addr.l2_cid    = 0;
703 	*err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
704 	if (*err < 0)
705 		goto failed;
706 
707 	/* Set L2CAP options */
708 	sk = sock->sk;
709 	lock_sock(sk);
710 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
711 	l2cap_pi(sk)->chan->sec_level = sec_level;
712 	if (l2cap_ertm)
713 		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
714 	release_sock(sk);
715 
716 	s = rfcomm_session_add(sock, BT_BOUND);
717 	if (!s) {
718 		*err = -ENOMEM;
719 		goto failed;
720 	}
721 
722 	s->initiator = 1;
723 
724 	bacpy(&addr.l2_bdaddr, dst);
725 	addr.l2_family = AF_BLUETOOTH;
726 	addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
727 	addr.l2_cid    = 0;
728 	*err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
729 	if (*err == 0 || *err == -EINPROGRESS)
730 		return s;
731 
732 	rfcomm_session_del(s);
733 	return NULL;
734 
735 failed:
736 	sock_release(sock);
737 	return NULL;
738 }
739 
rfcomm_session_getaddr(struct rfcomm_session * s,bdaddr_t * src,bdaddr_t * dst)740 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
741 {
742 	struct sock *sk = s->sock->sk;
743 	if (src)
744 		bacpy(src, &bt_sk(sk)->src);
745 	if (dst)
746 		bacpy(dst, &bt_sk(sk)->dst);
747 }
748 
749 /* ---- RFCOMM frame sending ---- */
rfcomm_send_frame(struct rfcomm_session * s,u8 * data,int len)750 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
751 {
752 	struct kvec iv = { data, len };
753 	struct msghdr msg;
754 
755 	BT_DBG("session %p len %d", s, len);
756 
757 	memset(&msg, 0, sizeof(msg));
758 
759 	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
760 }
761 
rfcomm_send_cmd(struct rfcomm_session * s,struct rfcomm_cmd * cmd)762 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
763 {
764 	BT_DBG("%p cmd %u", s, cmd->ctrl);
765 
766 	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
767 }
768 
rfcomm_send_sabm(struct rfcomm_session * s,u8 dlci)769 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
770 {
771 	struct rfcomm_cmd cmd;
772 
773 	BT_DBG("%p dlci %d", s, dlci);
774 
775 	cmd.addr = __addr(s->initiator, dlci);
776 	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
777 	cmd.len  = __len8(0);
778 	cmd.fcs  = __fcs2((u8 *) &cmd);
779 
780 	return rfcomm_send_cmd(s, &cmd);
781 }
782 
rfcomm_send_ua(struct rfcomm_session * s,u8 dlci)783 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
784 {
785 	struct rfcomm_cmd cmd;
786 
787 	BT_DBG("%p dlci %d", s, dlci);
788 
789 	cmd.addr = __addr(!s->initiator, dlci);
790 	cmd.ctrl = __ctrl(RFCOMM_UA, 1);
791 	cmd.len  = __len8(0);
792 	cmd.fcs  = __fcs2((u8 *) &cmd);
793 
794 	return rfcomm_send_cmd(s, &cmd);
795 }
796 
rfcomm_send_disc(struct rfcomm_session * s,u8 dlci)797 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
798 {
799 	struct rfcomm_cmd cmd;
800 
801 	BT_DBG("%p dlci %d", s, dlci);
802 
803 	cmd.addr = __addr(s->initiator, dlci);
804 	cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
805 	cmd.len  = __len8(0);
806 	cmd.fcs  = __fcs2((u8 *) &cmd);
807 
808 	return rfcomm_send_cmd(s, &cmd);
809 }
810 
rfcomm_queue_disc(struct rfcomm_dlc * d)811 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
812 {
813 	struct rfcomm_cmd *cmd;
814 	struct sk_buff *skb;
815 
816 	BT_DBG("dlc %p dlci %d", d, d->dlci);
817 
818 	skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
819 	if (!skb)
820 		return -ENOMEM;
821 
822 	cmd = (void *) __skb_put(skb, sizeof(*cmd));
823 	cmd->addr = d->addr;
824 	cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
825 	cmd->len  = __len8(0);
826 	cmd->fcs  = __fcs2((u8 *) cmd);
827 
828 	skb_queue_tail(&d->tx_queue, skb);
829 	rfcomm_schedule();
830 	return 0;
831 }
832 
rfcomm_send_dm(struct rfcomm_session * s,u8 dlci)833 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
834 {
835 	struct rfcomm_cmd cmd;
836 
837 	BT_DBG("%p dlci %d", s, dlci);
838 
839 	cmd.addr = __addr(!s->initiator, dlci);
840 	cmd.ctrl = __ctrl(RFCOMM_DM, 1);
841 	cmd.len  = __len8(0);
842 	cmd.fcs  = __fcs2((u8 *) &cmd);
843 
844 	return rfcomm_send_cmd(s, &cmd);
845 }
846 
rfcomm_send_nsc(struct rfcomm_session * s,int cr,u8 type)847 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
848 {
849 	struct rfcomm_hdr *hdr;
850 	struct rfcomm_mcc *mcc;
851 	u8 buf[16], *ptr = buf;
852 
853 	BT_DBG("%p cr %d type %d", s, cr, type);
854 
855 	hdr = (void *) ptr; ptr += sizeof(*hdr);
856 	hdr->addr = __addr(s->initiator, 0);
857 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
858 	hdr->len  = __len8(sizeof(*mcc) + 1);
859 
860 	mcc = (void *) ptr; ptr += sizeof(*mcc);
861 	mcc->type = __mcc_type(cr, RFCOMM_NSC);
862 	mcc->len  = __len8(1);
863 
864 	/* Type that we didn't like */
865 	*ptr = __mcc_type(cr, type); ptr++;
866 
867 	*ptr = __fcs(buf); ptr++;
868 
869 	return rfcomm_send_frame(s, buf, ptr - buf);
870 }
871 
rfcomm_send_pn(struct rfcomm_session * s,int cr,struct rfcomm_dlc * d)872 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
873 {
874 	struct rfcomm_hdr *hdr;
875 	struct rfcomm_mcc *mcc;
876 	struct rfcomm_pn  *pn;
877 	u8 buf[16], *ptr = buf;
878 
879 	BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
880 
881 	hdr = (void *) ptr; ptr += sizeof(*hdr);
882 	hdr->addr = __addr(s->initiator, 0);
883 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
884 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
885 
886 	mcc = (void *) ptr; ptr += sizeof(*mcc);
887 	mcc->type = __mcc_type(cr, RFCOMM_PN);
888 	mcc->len  = __len8(sizeof(*pn));
889 
890 	pn = (void *) ptr; ptr += sizeof(*pn);
891 	pn->dlci        = d->dlci;
892 	pn->priority    = d->priority;
893 	pn->ack_timer   = 0;
894 	pn->max_retrans = 0;
895 
896 	if (s->cfc) {
897 		pn->flow_ctrl = cr ? 0xf0 : 0xe0;
898 		pn->credits = RFCOMM_DEFAULT_CREDITS;
899 	} else {
900 		pn->flow_ctrl = 0;
901 		pn->credits   = 0;
902 	}
903 
904 	if (cr && channel_mtu >= 0)
905 		pn->mtu = cpu_to_le16(channel_mtu);
906 	else
907 		pn->mtu = cpu_to_le16(d->mtu);
908 
909 	*ptr = __fcs(buf); ptr++;
910 
911 	return rfcomm_send_frame(s, buf, ptr - buf);
912 }
913 
rfcomm_send_rpn(struct rfcomm_session * s,int cr,u8 dlci,u8 bit_rate,u8 data_bits,u8 stop_bits,u8 parity,u8 flow_ctrl_settings,u8 xon_char,u8 xoff_char,u16 param_mask)914 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
915 			u8 bit_rate, u8 data_bits, u8 stop_bits,
916 			u8 parity, u8 flow_ctrl_settings,
917 			u8 xon_char, u8 xoff_char, u16 param_mask)
918 {
919 	struct rfcomm_hdr *hdr;
920 	struct rfcomm_mcc *mcc;
921 	struct rfcomm_rpn *rpn;
922 	u8 buf[16], *ptr = buf;
923 
924 	BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
925 			" flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
926 		s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
927 		flow_ctrl_settings, xon_char, xoff_char, param_mask);
928 
929 	hdr = (void *) ptr; ptr += sizeof(*hdr);
930 	hdr->addr = __addr(s->initiator, 0);
931 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
932 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
933 
934 	mcc = (void *) ptr; ptr += sizeof(*mcc);
935 	mcc->type = __mcc_type(cr, RFCOMM_RPN);
936 	mcc->len  = __len8(sizeof(*rpn));
937 
938 	rpn = (void *) ptr; ptr += sizeof(*rpn);
939 	rpn->dlci          = __addr(1, dlci);
940 	rpn->bit_rate      = bit_rate;
941 	rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
942 	rpn->flow_ctrl     = flow_ctrl_settings;
943 	rpn->xon_char      = xon_char;
944 	rpn->xoff_char     = xoff_char;
945 	rpn->param_mask    = cpu_to_le16(param_mask);
946 
947 	*ptr = __fcs(buf); ptr++;
948 
949 	return rfcomm_send_frame(s, buf, ptr - buf);
950 }
951 
rfcomm_send_rls(struct rfcomm_session * s,int cr,u8 dlci,u8 status)952 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
953 {
954 	struct rfcomm_hdr *hdr;
955 	struct rfcomm_mcc *mcc;
956 	struct rfcomm_rls *rls;
957 	u8 buf[16], *ptr = buf;
958 
959 	BT_DBG("%p cr %d status 0x%x", s, cr, status);
960 
961 	hdr = (void *) ptr; ptr += sizeof(*hdr);
962 	hdr->addr = __addr(s->initiator, 0);
963 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
964 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
965 
966 	mcc = (void *) ptr; ptr += sizeof(*mcc);
967 	mcc->type = __mcc_type(cr, RFCOMM_RLS);
968 	mcc->len  = __len8(sizeof(*rls));
969 
970 	rls = (void *) ptr; ptr += sizeof(*rls);
971 	rls->dlci   = __addr(1, dlci);
972 	rls->status = status;
973 
974 	*ptr = __fcs(buf); ptr++;
975 
976 	return rfcomm_send_frame(s, buf, ptr - buf);
977 }
978 
rfcomm_send_msc(struct rfcomm_session * s,int cr,u8 dlci,u8 v24_sig)979 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
980 {
981 	struct rfcomm_hdr *hdr;
982 	struct rfcomm_mcc *mcc;
983 	struct rfcomm_msc *msc;
984 	u8 buf[16], *ptr = buf;
985 
986 	BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
987 
988 	hdr = (void *) ptr; ptr += sizeof(*hdr);
989 	hdr->addr = __addr(s->initiator, 0);
990 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
991 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
992 
993 	mcc = (void *) ptr; ptr += sizeof(*mcc);
994 	mcc->type = __mcc_type(cr, RFCOMM_MSC);
995 	mcc->len  = __len8(sizeof(*msc));
996 
997 	msc = (void *) ptr; ptr += sizeof(*msc);
998 	msc->dlci    = __addr(1, dlci);
999 	msc->v24_sig = v24_sig | 0x01;
1000 
1001 	*ptr = __fcs(buf); ptr++;
1002 
1003 	return rfcomm_send_frame(s, buf, ptr - buf);
1004 }
1005 
rfcomm_send_fcoff(struct rfcomm_session * s,int cr)1006 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1007 {
1008 	struct rfcomm_hdr *hdr;
1009 	struct rfcomm_mcc *mcc;
1010 	u8 buf[16], *ptr = buf;
1011 
1012 	BT_DBG("%p cr %d", s, cr);
1013 
1014 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1015 	hdr->addr = __addr(s->initiator, 0);
1016 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1017 	hdr->len  = __len8(sizeof(*mcc));
1018 
1019 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1020 	mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1021 	mcc->len  = __len8(0);
1022 
1023 	*ptr = __fcs(buf); ptr++;
1024 
1025 	return rfcomm_send_frame(s, buf, ptr - buf);
1026 }
1027 
rfcomm_send_fcon(struct rfcomm_session * s,int cr)1028 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1029 {
1030 	struct rfcomm_hdr *hdr;
1031 	struct rfcomm_mcc *mcc;
1032 	u8 buf[16], *ptr = buf;
1033 
1034 	BT_DBG("%p cr %d", s, cr);
1035 
1036 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1037 	hdr->addr = __addr(s->initiator, 0);
1038 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1039 	hdr->len  = __len8(sizeof(*mcc));
1040 
1041 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1042 	mcc->type = __mcc_type(cr, RFCOMM_FCON);
1043 	mcc->len  = __len8(0);
1044 
1045 	*ptr = __fcs(buf); ptr++;
1046 
1047 	return rfcomm_send_frame(s, buf, ptr - buf);
1048 }
1049 
rfcomm_send_test(struct rfcomm_session * s,int cr,u8 * pattern,int len)1050 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1051 {
1052 	struct socket *sock = s->sock;
1053 	struct kvec iv[3];
1054 	struct msghdr msg;
1055 	unsigned char hdr[5], crc[1];
1056 
1057 	if (len > 125)
1058 		return -EINVAL;
1059 
1060 	BT_DBG("%p cr %d", s, cr);
1061 
1062 	hdr[0] = __addr(s->initiator, 0);
1063 	hdr[1] = __ctrl(RFCOMM_UIH, 0);
1064 	hdr[2] = 0x01 | ((len + 2) << 1);
1065 	hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1066 	hdr[4] = 0x01 | (len << 1);
1067 
1068 	crc[0] = __fcs(hdr);
1069 
1070 	iv[0].iov_base = hdr;
1071 	iv[0].iov_len  = 5;
1072 	iv[1].iov_base = pattern;
1073 	iv[1].iov_len  = len;
1074 	iv[2].iov_base = crc;
1075 	iv[2].iov_len  = 1;
1076 
1077 	memset(&msg, 0, sizeof(msg));
1078 
1079 	return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1080 }
1081 
rfcomm_send_credits(struct rfcomm_session * s,u8 addr,u8 credits)1082 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1083 {
1084 	struct rfcomm_hdr *hdr;
1085 	u8 buf[16], *ptr = buf;
1086 
1087 	BT_DBG("%p addr %d credits %d", s, addr, credits);
1088 
1089 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1090 	hdr->addr = addr;
1091 	hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1092 	hdr->len  = __len8(0);
1093 
1094 	*ptr = credits; ptr++;
1095 
1096 	*ptr = __fcs(buf); ptr++;
1097 
1098 	return rfcomm_send_frame(s, buf, ptr - buf);
1099 }
1100 
rfcomm_make_uih(struct sk_buff * skb,u8 addr)1101 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1102 {
1103 	struct rfcomm_hdr *hdr;
1104 	int len = skb->len;
1105 	u8 *crc;
1106 
1107 	if (len > 127) {
1108 		hdr = (void *) skb_push(skb, 4);
1109 		put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1110 	} else {
1111 		hdr = (void *) skb_push(skb, 3);
1112 		hdr->len = __len8(len);
1113 	}
1114 	hdr->addr = addr;
1115 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1116 
1117 	crc = skb_put(skb, 1);
1118 	*crc = __fcs((void *) hdr);
1119 }
1120 
1121 /* ---- RFCOMM frame reception ---- */
rfcomm_recv_ua(struct rfcomm_session * s,u8 dlci)1122 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1123 {
1124 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1125 
1126 	if (dlci) {
1127 		/* Data channel */
1128 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1129 		if (!d) {
1130 			rfcomm_send_dm(s, dlci);
1131 			return 0;
1132 		}
1133 
1134 		switch (d->state) {
1135 		case BT_CONNECT:
1136 			rfcomm_dlc_clear_timer(d);
1137 
1138 			rfcomm_dlc_lock(d);
1139 			d->state = BT_CONNECTED;
1140 			d->state_change(d, 0);
1141 			rfcomm_dlc_unlock(d);
1142 
1143 			rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1144 			break;
1145 
1146 		case BT_DISCONN:
1147 			d->state = BT_CLOSED;
1148 			__rfcomm_dlc_close(d, 0);
1149 
1150 			if (list_empty(&s->dlcs)) {
1151 				s->state = BT_DISCONN;
1152 				rfcomm_send_disc(s, 0);
1153 				rfcomm_session_clear_timer(s);
1154 			}
1155 
1156 			break;
1157 		}
1158 	} else {
1159 		/* Control channel */
1160 		switch (s->state) {
1161 		case BT_CONNECT:
1162 			s->state = BT_CONNECTED;
1163 			rfcomm_process_connect(s);
1164 			break;
1165 
1166 		case BT_DISCONN:
1167 			/* rfcomm_session_put is called later so don't do
1168 			 * anything here otherwise we will mess up the session
1169 			 * reference counter:
1170 			 *
1171 			 * (a) when we are the initiator dlc_unlink will drive
1172 			 * the reference counter to 0 (there is no initial put
1173 			 * after session_add)
1174 			 *
1175 			 * (b) when we are not the initiator rfcomm_rx_process
1176 			 * will explicitly call put to balance the initial hold
1177 			 * done after session add.
1178 			 */
1179 			break;
1180 		}
1181 	}
1182 	return 0;
1183 }
1184 
rfcomm_recv_dm(struct rfcomm_session * s,u8 dlci)1185 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1186 {
1187 	int err = 0;
1188 
1189 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1190 
1191 	if (dlci) {
1192 		/* Data DLC */
1193 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1194 		if (d) {
1195 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1196 				err = ECONNREFUSED;
1197 			else
1198 				err = ECONNRESET;
1199 
1200 			d->state = BT_CLOSED;
1201 			__rfcomm_dlc_close(d, err);
1202 		}
1203 	} else {
1204 		if (s->state == BT_CONNECT)
1205 			err = ECONNREFUSED;
1206 		else
1207 			err = ECONNRESET;
1208 
1209 		s->state = BT_CLOSED;
1210 		rfcomm_session_close(s, err);
1211 	}
1212 	return 0;
1213 }
1214 
rfcomm_recv_disc(struct rfcomm_session * s,u8 dlci)1215 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1216 {
1217 	int err = 0;
1218 
1219 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1220 
1221 	if (dlci) {
1222 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1223 		if (d) {
1224 			rfcomm_send_ua(s, dlci);
1225 
1226 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1227 				err = ECONNREFUSED;
1228 			else
1229 				err = ECONNRESET;
1230 
1231 			d->state = BT_CLOSED;
1232 			__rfcomm_dlc_close(d, err);
1233 		} else
1234 			rfcomm_send_dm(s, dlci);
1235 
1236 	} else {
1237 		rfcomm_send_ua(s, 0);
1238 
1239 		if (s->state == BT_CONNECT)
1240 			err = ECONNREFUSED;
1241 		else
1242 			err = ECONNRESET;
1243 
1244 		s->state = BT_CLOSED;
1245 		rfcomm_session_close(s, err);
1246 	}
1247 
1248 	return 0;
1249 }
1250 
rfcomm_dlc_accept(struct rfcomm_dlc * d)1251 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1252 {
1253 	struct sock *sk = d->session->sock->sk;
1254 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1255 
1256 	BT_DBG("dlc %p", d);
1257 
1258 	rfcomm_send_ua(d->session, d->dlci);
1259 
1260 	rfcomm_dlc_clear_timer(d);
1261 
1262 	rfcomm_dlc_lock(d);
1263 	d->state = BT_CONNECTED;
1264 	d->state_change(d, 0);
1265 	rfcomm_dlc_unlock(d);
1266 
1267 	if (d->role_switch)
1268 		hci_conn_switch_role(conn->hcon, 0x00);
1269 
1270 	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1271 }
1272 
rfcomm_check_accept(struct rfcomm_dlc * d)1273 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1274 {
1275 	if (rfcomm_check_security(d)) {
1276 		if (d->defer_setup) {
1277 			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1278 			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1279 
1280 			rfcomm_dlc_lock(d);
1281 			d->state = BT_CONNECT2;
1282 			d->state_change(d, 0);
1283 			rfcomm_dlc_unlock(d);
1284 		} else
1285 			rfcomm_dlc_accept(d);
1286 	} else {
1287 		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1288 		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1289 	}
1290 }
1291 
rfcomm_recv_sabm(struct rfcomm_session * s,u8 dlci)1292 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1293 {
1294 	struct rfcomm_dlc *d;
1295 	u8 channel;
1296 
1297 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1298 
1299 	if (!dlci) {
1300 		rfcomm_send_ua(s, 0);
1301 
1302 		if (s->state == BT_OPEN) {
1303 			s->state = BT_CONNECTED;
1304 			rfcomm_process_connect(s);
1305 		}
1306 		return 0;
1307 	}
1308 
1309 	/* Check if DLC exists */
1310 	d = rfcomm_dlc_get(s, dlci);
1311 	if (d) {
1312 		if (d->state == BT_OPEN) {
1313 			/* DLC was previously opened by PN request */
1314 			rfcomm_check_accept(d);
1315 		}
1316 		return 0;
1317 	}
1318 
1319 	/* Notify socket layer about incoming connection */
1320 	channel = __srv_channel(dlci);
1321 	if (rfcomm_connect_ind(s, channel, &d)) {
1322 		d->dlci = dlci;
1323 		d->addr = __addr(s->initiator, dlci);
1324 		rfcomm_dlc_link(s, d);
1325 
1326 		rfcomm_check_accept(d);
1327 	} else {
1328 		rfcomm_send_dm(s, dlci);
1329 	}
1330 
1331 	return 0;
1332 }
1333 
rfcomm_apply_pn(struct rfcomm_dlc * d,int cr,struct rfcomm_pn * pn)1334 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1335 {
1336 	struct rfcomm_session *s = d->session;
1337 
1338 	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1339 			d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1340 
1341 	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1342 						pn->flow_ctrl == 0xe0) {
1343 		d->cfc = RFCOMM_CFC_ENABLED;
1344 		d->tx_credits = pn->credits;
1345 	} else {
1346 		d->cfc = RFCOMM_CFC_DISABLED;
1347 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1348 	}
1349 
1350 	if (s->cfc == RFCOMM_CFC_UNKNOWN)
1351 		s->cfc = d->cfc;
1352 
1353 	d->priority = pn->priority;
1354 
1355 	d->mtu = __le16_to_cpu(pn->mtu);
1356 
1357 	if (cr && d->mtu > s->mtu)
1358 		d->mtu = s->mtu;
1359 
1360 	return 0;
1361 }
1362 
rfcomm_recv_pn(struct rfcomm_session * s,int cr,struct sk_buff * skb)1363 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1364 {
1365 	struct rfcomm_pn *pn = (void *) skb->data;
1366 	struct rfcomm_dlc *d;
1367 	u8 dlci = pn->dlci;
1368 
1369 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1370 
1371 	if (!dlci)
1372 		return 0;
1373 
1374 	d = rfcomm_dlc_get(s, dlci);
1375 	if (d) {
1376 		if (cr) {
1377 			/* PN request */
1378 			rfcomm_apply_pn(d, cr, pn);
1379 			rfcomm_send_pn(s, 0, d);
1380 		} else {
1381 			/* PN response */
1382 			switch (d->state) {
1383 			case BT_CONFIG:
1384 				rfcomm_apply_pn(d, cr, pn);
1385 
1386 				d->state = BT_CONNECT;
1387 				rfcomm_send_sabm(s, d->dlci);
1388 				break;
1389 			}
1390 		}
1391 	} else {
1392 		u8 channel = __srv_channel(dlci);
1393 
1394 		if (!cr)
1395 			return 0;
1396 
1397 		/* PN request for non existing DLC.
1398 		 * Assume incoming connection. */
1399 		if (rfcomm_connect_ind(s, channel, &d)) {
1400 			d->dlci = dlci;
1401 			d->addr = __addr(s->initiator, dlci);
1402 			rfcomm_dlc_link(s, d);
1403 
1404 			rfcomm_apply_pn(d, cr, pn);
1405 
1406 			d->state = BT_OPEN;
1407 			rfcomm_send_pn(s, 0, d);
1408 		} else {
1409 			rfcomm_send_dm(s, dlci);
1410 		}
1411 	}
1412 	return 0;
1413 }
1414 
rfcomm_recv_rpn(struct rfcomm_session * s,int cr,int len,struct sk_buff * skb)1415 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1416 {
1417 	struct rfcomm_rpn *rpn = (void *) skb->data;
1418 	u8 dlci = __get_dlci(rpn->dlci);
1419 
1420 	u8 bit_rate  = 0;
1421 	u8 data_bits = 0;
1422 	u8 stop_bits = 0;
1423 	u8 parity    = 0;
1424 	u8 flow_ctrl = 0;
1425 	u8 xon_char  = 0;
1426 	u8 xoff_char = 0;
1427 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1428 
1429 	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1430 		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1431 		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1432 
1433 	if (!cr)
1434 		return 0;
1435 
1436 	if (len == 1) {
1437 		/* This is a request, return default (according to ETSI TS 07.10) settings */
1438 		bit_rate  = RFCOMM_RPN_BR_9600;
1439 		data_bits = RFCOMM_RPN_DATA_8;
1440 		stop_bits = RFCOMM_RPN_STOP_1;
1441 		parity    = RFCOMM_RPN_PARITY_NONE;
1442 		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1443 		xon_char  = RFCOMM_RPN_XON_CHAR;
1444 		xoff_char = RFCOMM_RPN_XOFF_CHAR;
1445 		goto rpn_out;
1446 	}
1447 
1448 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1449 	 * no parity, no flow control lines, normal XON/XOFF chars */
1450 
1451 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1452 		bit_rate = rpn->bit_rate;
1453 		if (bit_rate > RFCOMM_RPN_BR_230400) {
1454 			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1455 			bit_rate = RFCOMM_RPN_BR_9600;
1456 			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1457 		}
1458 	}
1459 
1460 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1461 		data_bits = __get_rpn_data_bits(rpn->line_settings);
1462 		if (data_bits != RFCOMM_RPN_DATA_8) {
1463 			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1464 			data_bits = RFCOMM_RPN_DATA_8;
1465 			rpn_mask ^= RFCOMM_RPN_PM_DATA;
1466 		}
1467 	}
1468 
1469 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1470 		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1471 		if (stop_bits != RFCOMM_RPN_STOP_1) {
1472 			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1473 			stop_bits = RFCOMM_RPN_STOP_1;
1474 			rpn_mask ^= RFCOMM_RPN_PM_STOP;
1475 		}
1476 	}
1477 
1478 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1479 		parity = __get_rpn_parity(rpn->line_settings);
1480 		if (parity != RFCOMM_RPN_PARITY_NONE) {
1481 			BT_DBG("RPN parity mismatch 0x%x", parity);
1482 			parity = RFCOMM_RPN_PARITY_NONE;
1483 			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1484 		}
1485 	}
1486 
1487 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1488 		flow_ctrl = rpn->flow_ctrl;
1489 		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1490 			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1491 			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1492 			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1493 		}
1494 	}
1495 
1496 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1497 		xon_char = rpn->xon_char;
1498 		if (xon_char != RFCOMM_RPN_XON_CHAR) {
1499 			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1500 			xon_char = RFCOMM_RPN_XON_CHAR;
1501 			rpn_mask ^= RFCOMM_RPN_PM_XON;
1502 		}
1503 	}
1504 
1505 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1506 		xoff_char = rpn->xoff_char;
1507 		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1508 			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1509 			xoff_char = RFCOMM_RPN_XOFF_CHAR;
1510 			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1511 		}
1512 	}
1513 
1514 rpn_out:
1515 	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1516 			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1517 
1518 	return 0;
1519 }
1520 
rfcomm_recv_rls(struct rfcomm_session * s,int cr,struct sk_buff * skb)1521 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1522 {
1523 	struct rfcomm_rls *rls = (void *) skb->data;
1524 	u8 dlci = __get_dlci(rls->dlci);
1525 
1526 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1527 
1528 	if (!cr)
1529 		return 0;
1530 
1531 	/* We should probably do something with this information here. But
1532 	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1533 	 * mandatory to recognise and respond to RLS */
1534 
1535 	rfcomm_send_rls(s, 0, dlci, rls->status);
1536 
1537 	return 0;
1538 }
1539 
rfcomm_recv_msc(struct rfcomm_session * s,int cr,struct sk_buff * skb)1540 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1541 {
1542 	struct rfcomm_msc *msc = (void *) skb->data;
1543 	struct rfcomm_dlc *d;
1544 	u8 dlci = __get_dlci(msc->dlci);
1545 
1546 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1547 
1548 	d = rfcomm_dlc_get(s, dlci);
1549 	if (!d)
1550 		return 0;
1551 
1552 	if (cr) {
1553 		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1554 			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1555 		else
1556 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1557 
1558 		rfcomm_dlc_lock(d);
1559 
1560 		d->remote_v24_sig = msc->v24_sig;
1561 
1562 		if (d->modem_status)
1563 			d->modem_status(d, msc->v24_sig);
1564 
1565 		rfcomm_dlc_unlock(d);
1566 
1567 		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1568 
1569 		d->mscex |= RFCOMM_MSCEX_RX;
1570 	} else
1571 		d->mscex |= RFCOMM_MSCEX_TX;
1572 
1573 	return 0;
1574 }
1575 
rfcomm_recv_mcc(struct rfcomm_session * s,struct sk_buff * skb)1576 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1577 {
1578 	struct rfcomm_mcc *mcc = (void *) skb->data;
1579 	u8 type, cr, len;
1580 
1581 	cr   = __test_cr(mcc->type);
1582 	type = __get_mcc_type(mcc->type);
1583 	len  = __get_mcc_len(mcc->len);
1584 
1585 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
1586 
1587 	skb_pull(skb, 2);
1588 
1589 	switch (type) {
1590 	case RFCOMM_PN:
1591 		rfcomm_recv_pn(s, cr, skb);
1592 		break;
1593 
1594 	case RFCOMM_RPN:
1595 		rfcomm_recv_rpn(s, cr, len, skb);
1596 		break;
1597 
1598 	case RFCOMM_RLS:
1599 		rfcomm_recv_rls(s, cr, skb);
1600 		break;
1601 
1602 	case RFCOMM_MSC:
1603 		rfcomm_recv_msc(s, cr, skb);
1604 		break;
1605 
1606 	case RFCOMM_FCOFF:
1607 		if (cr) {
1608 			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1609 			rfcomm_send_fcoff(s, 0);
1610 		}
1611 		break;
1612 
1613 	case RFCOMM_FCON:
1614 		if (cr) {
1615 			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1616 			rfcomm_send_fcon(s, 0);
1617 		}
1618 		break;
1619 
1620 	case RFCOMM_TEST:
1621 		if (cr)
1622 			rfcomm_send_test(s, 0, skb->data, skb->len);
1623 		break;
1624 
1625 	case RFCOMM_NSC:
1626 		break;
1627 
1628 	default:
1629 		BT_ERR("Unknown control type 0x%02x", type);
1630 		rfcomm_send_nsc(s, cr, type);
1631 		break;
1632 	}
1633 	return 0;
1634 }
1635 
rfcomm_recv_data(struct rfcomm_session * s,u8 dlci,int pf,struct sk_buff * skb)1636 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1637 {
1638 	struct rfcomm_dlc *d;
1639 
1640 	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1641 
1642 	d = rfcomm_dlc_get(s, dlci);
1643 	if (!d) {
1644 		rfcomm_send_dm(s, dlci);
1645 		goto drop;
1646 	}
1647 
1648 	if (pf && d->cfc) {
1649 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1650 
1651 		d->tx_credits += credits;
1652 		if (d->tx_credits)
1653 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1654 	}
1655 
1656 	if (skb->len && d->state == BT_CONNECTED) {
1657 		rfcomm_dlc_lock(d);
1658 		d->rx_credits--;
1659 		d->data_ready(d, skb);
1660 		rfcomm_dlc_unlock(d);
1661 		return 0;
1662 	}
1663 
1664 drop:
1665 	kfree_skb(skb);
1666 	return 0;
1667 }
1668 
rfcomm_recv_frame(struct rfcomm_session * s,struct sk_buff * skb)1669 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1670 {
1671 	struct rfcomm_hdr *hdr = (void *) skb->data;
1672 	u8 type, dlci, fcs;
1673 
1674 	dlci = __get_dlci(hdr->addr);
1675 	type = __get_type(hdr->ctrl);
1676 
1677 	/* Trim FCS */
1678 	skb->len--; skb->tail--;
1679 	fcs = *(u8 *)skb_tail_pointer(skb);
1680 
1681 	if (__check_fcs(skb->data, type, fcs)) {
1682 		BT_ERR("bad checksum in packet");
1683 		kfree_skb(skb);
1684 		return -EILSEQ;
1685 	}
1686 
1687 	if (__test_ea(hdr->len))
1688 		skb_pull(skb, 3);
1689 	else
1690 		skb_pull(skb, 4);
1691 
1692 	switch (type) {
1693 	case RFCOMM_SABM:
1694 		if (__test_pf(hdr->ctrl))
1695 			rfcomm_recv_sabm(s, dlci);
1696 		break;
1697 
1698 	case RFCOMM_DISC:
1699 		if (__test_pf(hdr->ctrl))
1700 			rfcomm_recv_disc(s, dlci);
1701 		break;
1702 
1703 	case RFCOMM_UA:
1704 		if (__test_pf(hdr->ctrl))
1705 			rfcomm_recv_ua(s, dlci);
1706 		break;
1707 
1708 	case RFCOMM_DM:
1709 		rfcomm_recv_dm(s, dlci);
1710 		break;
1711 
1712 	case RFCOMM_UIH:
1713 		if (dlci)
1714 			return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1715 
1716 		rfcomm_recv_mcc(s, skb);
1717 		break;
1718 
1719 	default:
1720 		BT_ERR("Unknown packet type 0x%02x", type);
1721 		break;
1722 	}
1723 	kfree_skb(skb);
1724 	return 0;
1725 }
1726 
1727 /* ---- Connection and data processing ---- */
1728 
rfcomm_process_connect(struct rfcomm_session * s)1729 static void rfcomm_process_connect(struct rfcomm_session *s)
1730 {
1731 	struct rfcomm_dlc *d;
1732 	struct list_head *p, *n;
1733 
1734 	BT_DBG("session %p state %ld", s, s->state);
1735 
1736 	list_for_each_safe(p, n, &s->dlcs) {
1737 		d = list_entry(p, struct rfcomm_dlc, list);
1738 		if (d->state == BT_CONFIG) {
1739 			d->mtu = s->mtu;
1740 			if (rfcomm_check_security(d)) {
1741 				rfcomm_send_pn(s, 1, d);
1742 			} else {
1743 				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1744 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1745 			}
1746 		}
1747 	}
1748 }
1749 
1750 /* Send data queued for the DLC.
1751  * Return number of frames left in the queue.
1752  */
rfcomm_process_tx(struct rfcomm_dlc * d)1753 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1754 {
1755 	struct sk_buff *skb;
1756 	int err;
1757 
1758 	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1759 			d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1760 
1761 	/* Send pending MSC */
1762 	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1763 		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1764 
1765 	if (d->cfc) {
1766 		/* CFC enabled.
1767 		 * Give them some credits */
1768 		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1769 				d->rx_credits <= (d->cfc >> 2)) {
1770 			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1771 			d->rx_credits = d->cfc;
1772 		}
1773 	} else {
1774 		/* CFC disabled.
1775 		 * Give ourselves some credits */
1776 		d->tx_credits = 5;
1777 	}
1778 
1779 	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1780 		return skb_queue_len(&d->tx_queue);
1781 
1782 	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1783 		err = rfcomm_send_frame(d->session, skb->data, skb->len);
1784 		if (err < 0) {
1785 			skb_queue_head(&d->tx_queue, skb);
1786 			break;
1787 		}
1788 		kfree_skb(skb);
1789 		d->tx_credits--;
1790 	}
1791 
1792 	if (d->cfc && !d->tx_credits) {
1793 		/* We're out of TX credits.
1794 		 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1795 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1796 	}
1797 
1798 	return skb_queue_len(&d->tx_queue);
1799 }
1800 
rfcomm_process_dlcs(struct rfcomm_session * s)1801 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1802 {
1803 	struct rfcomm_dlc *d;
1804 	struct list_head *p, *n;
1805 
1806 	BT_DBG("session %p state %ld", s, s->state);
1807 
1808 	list_for_each_safe(p, n, &s->dlcs) {
1809 		d = list_entry(p, struct rfcomm_dlc, list);
1810 
1811 		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1812 			__rfcomm_dlc_close(d, ETIMEDOUT);
1813 			continue;
1814 		}
1815 
1816 		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1817 			__rfcomm_dlc_close(d, ECONNREFUSED);
1818 			continue;
1819 		}
1820 
1821 		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1822 			rfcomm_dlc_clear_timer(d);
1823 			if (d->out) {
1824 				rfcomm_send_pn(s, 1, d);
1825 				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1826 			} else {
1827 				if (d->defer_setup) {
1828 					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1829 					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1830 
1831 					rfcomm_dlc_lock(d);
1832 					d->state = BT_CONNECT2;
1833 					d->state_change(d, 0);
1834 					rfcomm_dlc_unlock(d);
1835 				} else
1836 					rfcomm_dlc_accept(d);
1837 			}
1838 			continue;
1839 		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1840 			rfcomm_dlc_clear_timer(d);
1841 			if (!d->out)
1842 				rfcomm_send_dm(s, d->dlci);
1843 			else
1844 				d->state = BT_CLOSED;
1845 			__rfcomm_dlc_close(d, ECONNREFUSED);
1846 			continue;
1847 		}
1848 
1849 		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1850 			continue;
1851 
1852 		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1853 			continue;
1854 
1855 		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1856 						d->mscex == RFCOMM_MSCEX_OK)
1857 			rfcomm_process_tx(d);
1858 	}
1859 }
1860 
rfcomm_process_rx(struct rfcomm_session * s)1861 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1862 {
1863 	struct socket *sock = s->sock;
1864 	struct sock *sk = sock->sk;
1865 	struct sk_buff *skb;
1866 
1867 	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1868 
1869 	/* Get data directly from socket receive queue without copying it. */
1870 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1871 		skb_orphan(skb);
1872 		if (!skb_linearize(skb))
1873 			rfcomm_recv_frame(s, skb);
1874 		else
1875 			kfree_skb(skb);
1876 	}
1877 
1878 	if (sk->sk_state == BT_CLOSED) {
1879 		if (!s->initiator)
1880 			rfcomm_session_put(s);
1881 
1882 		rfcomm_session_close(s, sk->sk_err);
1883 	}
1884 }
1885 
rfcomm_accept_connection(struct rfcomm_session * s)1886 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1887 {
1888 	struct socket *sock = s->sock, *nsock;
1889 	int err;
1890 
1891 	/* Fast check for a new connection.
1892 	 * Avoids unnesesary socket allocations. */
1893 	if (list_empty(&bt_sk(sock->sk)->accept_q))
1894 		return;
1895 
1896 	BT_DBG("session %p", s);
1897 
1898 	err = kernel_accept(sock, &nsock, O_NONBLOCK);
1899 	if (err < 0)
1900 		return;
1901 
1902 	/* Set our callbacks */
1903 	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1904 	nsock->sk->sk_state_change = rfcomm_l2state_change;
1905 
1906 	s = rfcomm_session_add(nsock, BT_OPEN);
1907 	if (s) {
1908 		rfcomm_session_hold(s);
1909 
1910 		/* We should adjust MTU on incoming sessions.
1911 		 * L2CAP MTU minus UIH header and FCS. */
1912 		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1913 				l2cap_pi(nsock->sk)->chan->imtu) - 5;
1914 
1915 		rfcomm_schedule();
1916 	} else
1917 		sock_release(nsock);
1918 }
1919 
rfcomm_check_connection(struct rfcomm_session * s)1920 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1921 {
1922 	struct sock *sk = s->sock->sk;
1923 
1924 	BT_DBG("%p state %ld", s, s->state);
1925 
1926 	switch (sk->sk_state) {
1927 	case BT_CONNECTED:
1928 		s->state = BT_CONNECT;
1929 
1930 		/* We can adjust MTU on outgoing sessions.
1931 		 * L2CAP MTU minus UIH header and FCS. */
1932 		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1933 
1934 		rfcomm_send_sabm(s, 0);
1935 		break;
1936 
1937 	case BT_CLOSED:
1938 		s->state = BT_CLOSED;
1939 		rfcomm_session_close(s, sk->sk_err);
1940 		break;
1941 	}
1942 }
1943 
rfcomm_process_sessions(void)1944 static inline void rfcomm_process_sessions(void)
1945 {
1946 	struct list_head *p, *n;
1947 
1948 	rfcomm_lock();
1949 
1950 	list_for_each_safe(p, n, &session_list) {
1951 		struct rfcomm_session *s;
1952 		s = list_entry(p, struct rfcomm_session, list);
1953 
1954 		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1955 			s->state = BT_DISCONN;
1956 			rfcomm_send_disc(s, 0);
1957 			rfcomm_session_put(s);
1958 			continue;
1959 		}
1960 
1961 		if (s->state == BT_LISTEN) {
1962 			rfcomm_accept_connection(s);
1963 			continue;
1964 		}
1965 
1966 		rfcomm_session_hold(s);
1967 
1968 		switch (s->state) {
1969 		case BT_BOUND:
1970 			rfcomm_check_connection(s);
1971 			break;
1972 
1973 		default:
1974 			rfcomm_process_rx(s);
1975 			break;
1976 		}
1977 
1978 		rfcomm_process_dlcs(s);
1979 
1980 		rfcomm_session_put(s);
1981 	}
1982 
1983 	rfcomm_unlock();
1984 }
1985 
rfcomm_add_listener(bdaddr_t * ba)1986 static int rfcomm_add_listener(bdaddr_t *ba)
1987 {
1988 	struct sockaddr_l2 addr;
1989 	struct socket *sock;
1990 	struct sock *sk;
1991 	struct rfcomm_session *s;
1992 	int    err = 0;
1993 
1994 	/* Create socket */
1995 	err = rfcomm_l2sock_create(&sock);
1996 	if (err < 0) {
1997 		BT_ERR("Create socket failed %d", err);
1998 		return err;
1999 	}
2000 
2001 	/* Bind socket */
2002 	bacpy(&addr.l2_bdaddr, ba);
2003 	addr.l2_family = AF_BLUETOOTH;
2004 	addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
2005 	addr.l2_cid    = 0;
2006 	err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2007 	if (err < 0) {
2008 		BT_ERR("Bind failed %d", err);
2009 		goto failed;
2010 	}
2011 
2012 	/* Set L2CAP options */
2013 	sk = sock->sk;
2014 	lock_sock(sk);
2015 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2016 	release_sock(sk);
2017 
2018 	/* Start listening on the socket */
2019 	err = kernel_listen(sock, 10);
2020 	if (err) {
2021 		BT_ERR("Listen failed %d", err);
2022 		goto failed;
2023 	}
2024 
2025 	/* Add listening session */
2026 	s = rfcomm_session_add(sock, BT_LISTEN);
2027 	if (!s)
2028 		goto failed;
2029 
2030 	rfcomm_session_hold(s);
2031 	return 0;
2032 failed:
2033 	sock_release(sock);
2034 	return err;
2035 }
2036 
rfcomm_kill_listener(void)2037 static void rfcomm_kill_listener(void)
2038 {
2039 	struct rfcomm_session *s;
2040 	struct list_head *p, *n;
2041 
2042 	BT_DBG("");
2043 
2044 	list_for_each_safe(p, n, &session_list) {
2045 		s = list_entry(p, struct rfcomm_session, list);
2046 		rfcomm_session_del(s);
2047 	}
2048 }
2049 
rfcomm_run(void * unused)2050 static int rfcomm_run(void *unused)
2051 {
2052 	BT_DBG("");
2053 
2054 	set_user_nice(current, -10);
2055 
2056 	rfcomm_add_listener(BDADDR_ANY);
2057 
2058 	while (1) {
2059 		set_current_state(TASK_INTERRUPTIBLE);
2060 
2061 		if (kthread_should_stop())
2062 			break;
2063 
2064 		/* Process stuff */
2065 		rfcomm_process_sessions();
2066 
2067 		schedule();
2068 	}
2069 	__set_current_state(TASK_RUNNING);
2070 
2071 	rfcomm_kill_listener();
2072 
2073 	return 0;
2074 }
2075 
rfcomm_security_cfm(struct hci_conn * conn,u8 status,u8 encrypt)2076 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2077 {
2078 	struct rfcomm_session *s;
2079 	struct rfcomm_dlc *d;
2080 	struct list_head *p, *n;
2081 
2082 	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2083 
2084 	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2085 	if (!s)
2086 		return;
2087 
2088 	rfcomm_session_hold(s);
2089 
2090 	list_for_each_safe(p, n, &s->dlcs) {
2091 		d = list_entry(p, struct rfcomm_dlc, list);
2092 
2093 		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2094 			rfcomm_dlc_clear_timer(d);
2095 			if (status || encrypt == 0x00) {
2096 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2097 				continue;
2098 			}
2099 		}
2100 
2101 		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2102 			if (d->sec_level == BT_SECURITY_MEDIUM) {
2103 				set_bit(RFCOMM_SEC_PENDING, &d->flags);
2104 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2105 				continue;
2106 			} else if (d->sec_level == BT_SECURITY_HIGH) {
2107 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2108 				continue;
2109 			}
2110 		}
2111 
2112 		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2113 			continue;
2114 
2115 		if (!status && hci_conn_check_secure(conn, d->sec_level))
2116 			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2117 		else
2118 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2119 	}
2120 
2121 	rfcomm_session_put(s);
2122 
2123 	rfcomm_schedule();
2124 }
2125 
2126 static struct hci_cb rfcomm_cb = {
2127 	.name		= "RFCOMM",
2128 	.security_cfm	= rfcomm_security_cfm
2129 };
2130 
rfcomm_dlc_debugfs_show(struct seq_file * f,void * x)2131 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2132 {
2133 	struct rfcomm_session *s;
2134 
2135 	rfcomm_lock();
2136 
2137 	list_for_each_entry(s, &session_list, list) {
2138 		struct rfcomm_dlc *d;
2139 		list_for_each_entry(d, &s->dlcs, list) {
2140 			struct sock *sk = s->sock->sk;
2141 
2142 			seq_printf(f, "%s %s %ld %d %d %d %d\n",
2143 						batostr(&bt_sk(sk)->src),
2144 						batostr(&bt_sk(sk)->dst),
2145 						d->state, d->dlci, d->mtu,
2146 						d->rx_credits, d->tx_credits);
2147 		}
2148 	}
2149 
2150 	rfcomm_unlock();
2151 
2152 	return 0;
2153 }
2154 
rfcomm_dlc_debugfs_open(struct inode * inode,struct file * file)2155 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2156 {
2157 	return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2158 }
2159 
2160 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2161 	.open		= rfcomm_dlc_debugfs_open,
2162 	.read		= seq_read,
2163 	.llseek		= seq_lseek,
2164 	.release	= single_release,
2165 };
2166 
2167 static struct dentry *rfcomm_dlc_debugfs;
2168 
2169 /* ---- Initialization ---- */
rfcomm_init(void)2170 static int __init rfcomm_init(void)
2171 {
2172 	int err;
2173 
2174 	hci_register_cb(&rfcomm_cb);
2175 
2176 	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2177 	if (IS_ERR(rfcomm_thread)) {
2178 		err = PTR_ERR(rfcomm_thread);
2179 		goto unregister;
2180 	}
2181 
2182 	if (bt_debugfs) {
2183 		rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2184 				bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2185 		if (!rfcomm_dlc_debugfs)
2186 			BT_ERR("Failed to create RFCOMM debug file");
2187 	}
2188 
2189 	err = rfcomm_init_ttys();
2190 	if (err < 0)
2191 		goto stop;
2192 
2193 	err = rfcomm_init_sockets();
2194 	if (err < 0)
2195 		goto cleanup;
2196 
2197 	BT_INFO("RFCOMM ver %s", VERSION);
2198 
2199 	return 0;
2200 
2201 cleanup:
2202 	rfcomm_cleanup_ttys();
2203 
2204 stop:
2205 	kthread_stop(rfcomm_thread);
2206 
2207 unregister:
2208 	hci_unregister_cb(&rfcomm_cb);
2209 
2210 	return err;
2211 }
2212 
rfcomm_exit(void)2213 static void __exit rfcomm_exit(void)
2214 {
2215 	debugfs_remove(rfcomm_dlc_debugfs);
2216 
2217 	hci_unregister_cb(&rfcomm_cb);
2218 
2219 	kthread_stop(rfcomm_thread);
2220 
2221 	rfcomm_cleanup_ttys();
2222 
2223 	rfcomm_cleanup_sockets();
2224 }
2225 
2226 module_init(rfcomm_init);
2227 module_exit(rfcomm_exit);
2228 
2229 module_param(disable_cfc, bool, 0644);
2230 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2231 
2232 module_param(channel_mtu, int, 0644);
2233 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2234 
2235 module_param(l2cap_mtu, uint, 0644);
2236 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2237 
2238 module_param(l2cap_ertm, bool, 0644);
2239 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2240 
2241 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2242 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2243 MODULE_VERSION(VERSION);
2244 MODULE_LICENSE("GPL");
2245 MODULE_ALIAS("bt-proto-3");
2246