1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * Bluetooth RFCOMM core.
26  */
27 
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #include <trace/events/sock.h>
39 
40 #define VERSION "1.11"
41 
42 static bool disable_cfc;
43 static bool l2cap_ertm;
44 static int channel_mtu = -1;
45 
46 static struct task_struct *rfcomm_thread;
47 
48 static DEFINE_MUTEX(rfcomm_mutex);
49 #define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
50 #define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)
51 
52 
53 static LIST_HEAD(session_list);
54 
55 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
56 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
58 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
59 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
60 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
61 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
62 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
63 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
64 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
65 
66 static void rfcomm_process_connect(struct rfcomm_session *s);
67 
68 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
69 							bdaddr_t *dst,
70 							u8 sec_level,
71 							int *err);
72 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
73 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
74 
75 /* ---- RFCOMM frame parsing macros ---- */
76 #define __get_dlci(b)     ((b & 0xfc) >> 2)
77 #define __get_type(b)     ((b & 0xef))
78 
79 #define __test_ea(b)      ((b & 0x01))
80 #define __test_cr(b)      (!!(b & 0x02))
81 #define __test_pf(b)      (!!(b & 0x10))
82 
83 #define __session_dir(s)  ((s)->initiator ? 0x00 : 0x01)
84 
85 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
86 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
87 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
88 #define __srv_channel(dlci)    (dlci >> 1)
89 
90 #define __len8(len)       (((len) << 1) | 1)
91 #define __len16(len)      ((len) << 1)
92 
93 /* MCC macros */
94 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
96 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
97 
98 /* RPN macros */
99 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
103 
104 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
105 
rfcomm_schedule(void)106 static void rfcomm_schedule(void)
107 {
108 	wake_up_all(&rfcomm_wq);
109 }
110 
111 /* ---- RFCOMM FCS computation ---- */
112 
113 /* reversed, 8-bit, poly=0x07 */
114 static unsigned char rfcomm_crc_table[256] = {
115 	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
116 	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
117 	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
118 	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119 
120 	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
121 	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
122 	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
123 	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124 
125 	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
126 	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
127 	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
128 	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129 
130 	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
131 	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
132 	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
133 	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134 
135 	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
136 	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
137 	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
138 	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139 
140 	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
141 	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
142 	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
143 	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144 
145 	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
146 	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
147 	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
148 	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149 
150 	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
151 	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
152 	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
153 	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
154 };
155 
156 /* CRC on 2 bytes */
157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
158 
159 /* FCS on 2 bytes */
__fcs(u8 * data)160 static inline u8 __fcs(u8 *data)
161 {
162 	return 0xff - __crc(data);
163 }
164 
165 /* FCS on 3 bytes */
__fcs2(u8 * data)166 static inline u8 __fcs2(u8 *data)
167 {
168 	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
169 }
170 
171 /* Check FCS */
__check_fcs(u8 * data,int type,u8 fcs)172 static inline int __check_fcs(u8 *data, int type, u8 fcs)
173 {
174 	u8 f = __crc(data);
175 
176 	if (type != RFCOMM_UIH)
177 		f = rfcomm_crc_table[f ^ data[2]];
178 
179 	return rfcomm_crc_table[f ^ fcs] != 0xcf;
180 }
181 
182 /* ---- L2CAP callbacks ---- */
rfcomm_l2state_change(struct sock * sk)183 static void rfcomm_l2state_change(struct sock *sk)
184 {
185 	BT_DBG("%p state %d", sk, sk->sk_state);
186 	rfcomm_schedule();
187 }
188 
rfcomm_l2data_ready(struct sock * sk)189 static void rfcomm_l2data_ready(struct sock *sk)
190 {
191 	trace_sk_data_ready(sk);
192 
193 	BT_DBG("%p", sk);
194 	rfcomm_schedule();
195 }
196 
rfcomm_l2sock_create(struct socket ** sock)197 static int rfcomm_l2sock_create(struct socket **sock)
198 {
199 	int err;
200 
201 	BT_DBG("");
202 
203 	err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204 	if (!err) {
205 		struct sock *sk = (*sock)->sk;
206 		sk->sk_data_ready   = rfcomm_l2data_ready;
207 		sk->sk_state_change = rfcomm_l2state_change;
208 	}
209 	return err;
210 }
211 
rfcomm_check_security(struct rfcomm_dlc * d)212 static int rfcomm_check_security(struct rfcomm_dlc *d)
213 {
214 	struct sock *sk = d->session->sock->sk;
215 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216 
217 	__u8 auth_type;
218 
219 	switch (d->sec_level) {
220 	case BT_SECURITY_HIGH:
221 	case BT_SECURITY_FIPS:
222 		auth_type = HCI_AT_GENERAL_BONDING_MITM;
223 		break;
224 	case BT_SECURITY_MEDIUM:
225 		auth_type = HCI_AT_GENERAL_BONDING;
226 		break;
227 	default:
228 		auth_type = HCI_AT_NO_BONDING;
229 		break;
230 	}
231 
232 	return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233 				 d->out);
234 }
235 
rfcomm_session_timeout(struct timer_list * t)236 static void rfcomm_session_timeout(struct timer_list *t)
237 {
238 	struct rfcomm_session *s = from_timer(s, t, timer);
239 
240 	BT_DBG("session %p state %ld", s, s->state);
241 
242 	set_bit(RFCOMM_TIMED_OUT, &s->flags);
243 	rfcomm_schedule();
244 }
245 
rfcomm_session_set_timer(struct rfcomm_session * s,long timeout)246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247 {
248 	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249 
250 	mod_timer(&s->timer, jiffies + timeout);
251 }
252 
rfcomm_session_clear_timer(struct rfcomm_session * s)253 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254 {
255 	BT_DBG("session %p state %ld", s, s->state);
256 
257 	del_timer_sync(&s->timer);
258 }
259 
260 /* ---- RFCOMM DLCs ---- */
rfcomm_dlc_timeout(struct timer_list * t)261 static void rfcomm_dlc_timeout(struct timer_list *t)
262 {
263 	struct rfcomm_dlc *d = from_timer(d, t, timer);
264 
265 	BT_DBG("dlc %p state %ld", d, d->state);
266 
267 	set_bit(RFCOMM_TIMED_OUT, &d->flags);
268 	rfcomm_dlc_put(d);
269 	rfcomm_schedule();
270 }
271 
rfcomm_dlc_set_timer(struct rfcomm_dlc * d,long timeout)272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273 {
274 	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275 
276 	if (!mod_timer(&d->timer, jiffies + timeout))
277 		rfcomm_dlc_hold(d);
278 }
279 
rfcomm_dlc_clear_timer(struct rfcomm_dlc * d)280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281 {
282 	BT_DBG("dlc %p state %ld", d, d->state);
283 
284 	if (del_timer(&d->timer))
285 		rfcomm_dlc_put(d);
286 }
287 
rfcomm_dlc_clear_state(struct rfcomm_dlc * d)288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289 {
290 	BT_DBG("%p", d);
291 
292 	d->state      = BT_OPEN;
293 	d->flags      = 0;
294 	d->mscex      = 0;
295 	d->sec_level  = BT_SECURITY_LOW;
296 	d->mtu        = RFCOMM_DEFAULT_MTU;
297 	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298 
299 	d->cfc        = RFCOMM_CFC_DISABLED;
300 	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301 }
302 
rfcomm_dlc_alloc(gfp_t prio)303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304 {
305 	struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306 
307 	if (!d)
308 		return NULL;
309 
310 	timer_setup(&d->timer, rfcomm_dlc_timeout, 0);
311 
312 	skb_queue_head_init(&d->tx_queue);
313 	mutex_init(&d->lock);
314 	refcount_set(&d->refcnt, 1);
315 
316 	rfcomm_dlc_clear_state(d);
317 
318 	BT_DBG("%p", d);
319 
320 	return d;
321 }
322 
rfcomm_dlc_free(struct rfcomm_dlc * d)323 void rfcomm_dlc_free(struct rfcomm_dlc *d)
324 {
325 	BT_DBG("%p", d);
326 
327 	skb_queue_purge(&d->tx_queue);
328 	kfree(d);
329 }
330 
rfcomm_dlc_link(struct rfcomm_session * s,struct rfcomm_dlc * d)331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332 {
333 	BT_DBG("dlc %p session %p", d, s);
334 
335 	rfcomm_session_clear_timer(s);
336 	rfcomm_dlc_hold(d);
337 	list_add(&d->list, &s->dlcs);
338 	d->session = s;
339 }
340 
rfcomm_dlc_unlink(struct rfcomm_dlc * d)341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342 {
343 	struct rfcomm_session *s = d->session;
344 
345 	BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);
346 
347 	list_del(&d->list);
348 	d->session = NULL;
349 	rfcomm_dlc_put(d);
350 
351 	if (list_empty(&s->dlcs))
352 		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353 }
354 
rfcomm_dlc_get(struct rfcomm_session * s,u8 dlci)355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356 {
357 	struct rfcomm_dlc *d;
358 
359 	list_for_each_entry(d, &s->dlcs, list)
360 		if (d->dlci == dlci)
361 			return d;
362 
363 	return NULL;
364 }
365 
rfcomm_check_channel(u8 channel)366 static int rfcomm_check_channel(u8 channel)
367 {
368 	return channel < 1 || channel > 30;
369 }
370 
__rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372 {
373 	struct rfcomm_session *s;
374 	int err = 0;
375 	u8 dlci;
376 
377 	BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378 	       d, d->state, src, dst, channel);
379 
380 	if (rfcomm_check_channel(channel))
381 		return -EINVAL;
382 
383 	if (d->state != BT_OPEN && d->state != BT_CLOSED)
384 		return 0;
385 
386 	s = rfcomm_session_get(src, dst);
387 	if (!s) {
388 		s = rfcomm_session_create(src, dst, d->sec_level, &err);
389 		if (!s)
390 			return err;
391 	}
392 
393 	dlci = __dlci(__session_dir(s), channel);
394 
395 	/* Check if DLCI already exists */
396 	if (rfcomm_dlc_get(s, dlci))
397 		return -EBUSY;
398 
399 	rfcomm_dlc_clear_state(d);
400 
401 	d->dlci     = dlci;
402 	d->addr     = __addr(s->initiator, dlci);
403 	d->priority = 7;
404 
405 	d->state = BT_CONFIG;
406 	rfcomm_dlc_link(s, d);
407 
408 	d->out = 1;
409 
410 	d->mtu = s->mtu;
411 	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412 
413 	if (s->state == BT_CONNECTED) {
414 		if (rfcomm_check_security(d))
415 			rfcomm_send_pn(s, 1, d);
416 		else
417 			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418 	}
419 
420 	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421 
422 	return 0;
423 }
424 
rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426 {
427 	int r;
428 
429 	rfcomm_lock();
430 
431 	r = __rfcomm_dlc_open(d, src, dst, channel);
432 
433 	rfcomm_unlock();
434 	return r;
435 }
436 
__rfcomm_dlc_disconn(struct rfcomm_dlc * d)437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438 {
439 	struct rfcomm_session *s = d->session;
440 
441 	d->state = BT_DISCONN;
442 	if (skb_queue_empty(&d->tx_queue)) {
443 		rfcomm_send_disc(s, d->dlci);
444 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445 	} else {
446 		rfcomm_queue_disc(d);
447 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448 	}
449 }
450 
__rfcomm_dlc_close(struct rfcomm_dlc * d,int err)451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453 	struct rfcomm_session *s = d->session;
454 	if (!s)
455 		return 0;
456 
457 	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458 			d, d->state, d->dlci, err, s);
459 
460 	switch (d->state) {
461 	case BT_CONNECT:
462 	case BT_CONFIG:
463 	case BT_OPEN:
464 	case BT_CONNECT2:
465 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467 			rfcomm_schedule();
468 			return 0;
469 		}
470 	}
471 
472 	switch (d->state) {
473 	case BT_CONNECT:
474 	case BT_CONNECTED:
475 		__rfcomm_dlc_disconn(d);
476 		break;
477 
478 	case BT_CONFIG:
479 		if (s->state != BT_BOUND) {
480 			__rfcomm_dlc_disconn(d);
481 			break;
482 		}
483 		/* if closing a dlc in a session that hasn't been started,
484 		 * just close and unlink the dlc
485 		 */
486 		fallthrough;
487 
488 	default:
489 		rfcomm_dlc_clear_timer(d);
490 
491 		rfcomm_dlc_lock(d);
492 		d->state = BT_CLOSED;
493 		d->state_change(d, err);
494 		rfcomm_dlc_unlock(d);
495 
496 		skb_queue_purge(&d->tx_queue);
497 		rfcomm_dlc_unlink(d);
498 	}
499 
500 	return 0;
501 }
502 
rfcomm_dlc_close(struct rfcomm_dlc * d,int err)503 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
504 {
505 	int r = 0;
506 	struct rfcomm_dlc *d_list;
507 	struct rfcomm_session *s, *s_list;
508 
509 	BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
510 
511 	rfcomm_lock();
512 
513 	s = d->session;
514 	if (!s)
515 		goto no_session;
516 
517 	/* after waiting on the mutex check the session still exists
518 	 * then check the dlc still exists
519 	 */
520 	list_for_each_entry(s_list, &session_list, list) {
521 		if (s_list == s) {
522 			list_for_each_entry(d_list, &s->dlcs, list) {
523 				if (d_list == d) {
524 					r = __rfcomm_dlc_close(d, err);
525 					break;
526 				}
527 			}
528 			break;
529 		}
530 	}
531 
532 no_session:
533 	rfcomm_unlock();
534 	return r;
535 }
536 
rfcomm_dlc_exists(bdaddr_t * src,bdaddr_t * dst,u8 channel)537 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
538 {
539 	struct rfcomm_session *s;
540 	struct rfcomm_dlc *dlc = NULL;
541 	u8 dlci;
542 
543 	if (rfcomm_check_channel(channel))
544 		return ERR_PTR(-EINVAL);
545 
546 	rfcomm_lock();
547 	s = rfcomm_session_get(src, dst);
548 	if (s) {
549 		dlci = __dlci(__session_dir(s), channel);
550 		dlc = rfcomm_dlc_get(s, dlci);
551 	}
552 	rfcomm_unlock();
553 	return dlc;
554 }
555 
rfcomm_dlc_send_frag(struct rfcomm_dlc * d,struct sk_buff * frag)556 static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag)
557 {
558 	int len = frag->len;
559 
560 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
561 
562 	if (len > d->mtu)
563 		return -EINVAL;
564 
565 	rfcomm_make_uih(frag, d->addr);
566 	__skb_queue_tail(&d->tx_queue, frag);
567 
568 	return len;
569 }
570 
rfcomm_dlc_send(struct rfcomm_dlc * d,struct sk_buff * skb)571 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
572 {
573 	unsigned long flags;
574 	struct sk_buff *frag, *next;
575 	int len;
576 
577 	if (d->state != BT_CONNECTED)
578 		return -ENOTCONN;
579 
580 	frag = skb_shinfo(skb)->frag_list;
581 	skb_shinfo(skb)->frag_list = NULL;
582 
583 	/* Queue all fragments atomically. */
584 	spin_lock_irqsave(&d->tx_queue.lock, flags);
585 
586 	len = rfcomm_dlc_send_frag(d, skb);
587 	if (len < 0 || !frag)
588 		goto unlock;
589 
590 	for (; frag; frag = next) {
591 		int ret;
592 
593 		next = frag->next;
594 
595 		ret = rfcomm_dlc_send_frag(d, frag);
596 		if (ret < 0) {
597 			dev_kfree_skb_irq(frag);
598 			goto unlock;
599 		}
600 
601 		len += ret;
602 	}
603 
604 unlock:
605 	spin_unlock_irqrestore(&d->tx_queue.lock, flags);
606 
607 	if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
608 		rfcomm_schedule();
609 	return len;
610 }
611 
rfcomm_dlc_send_noerror(struct rfcomm_dlc * d,struct sk_buff * skb)612 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
613 {
614 	int len = skb->len;
615 
616 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
617 
618 	rfcomm_make_uih(skb, d->addr);
619 	skb_queue_tail(&d->tx_queue, skb);
620 
621 	if (d->state == BT_CONNECTED &&
622 	    !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
623 		rfcomm_schedule();
624 }
625 
__rfcomm_dlc_throttle(struct rfcomm_dlc * d)626 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
627 {
628 	BT_DBG("dlc %p state %ld", d, d->state);
629 
630 	if (!d->cfc) {
631 		d->v24_sig |= RFCOMM_V24_FC;
632 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
633 	}
634 	rfcomm_schedule();
635 }
636 
__rfcomm_dlc_unthrottle(struct rfcomm_dlc * d)637 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
638 {
639 	BT_DBG("dlc %p state %ld", d, d->state);
640 
641 	if (!d->cfc) {
642 		d->v24_sig &= ~RFCOMM_V24_FC;
643 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
644 	}
645 	rfcomm_schedule();
646 }
647 
648 /*
649    Set/get modem status functions use _local_ status i.e. what we report
650    to the other side.
651    Remote status is provided by dlc->modem_status() callback.
652  */
rfcomm_dlc_set_modem_status(struct rfcomm_dlc * d,u8 v24_sig)653 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
654 {
655 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
656 			d, d->state, v24_sig);
657 
658 	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
659 		v24_sig |= RFCOMM_V24_FC;
660 	else
661 		v24_sig &= ~RFCOMM_V24_FC;
662 
663 	d->v24_sig = v24_sig;
664 
665 	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
666 		rfcomm_schedule();
667 
668 	return 0;
669 }
670 
rfcomm_dlc_get_modem_status(struct rfcomm_dlc * d,u8 * v24_sig)671 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
672 {
673 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
674 			d, d->state, d->v24_sig);
675 
676 	*v24_sig = d->v24_sig;
677 	return 0;
678 }
679 
680 /* ---- RFCOMM sessions ---- */
rfcomm_session_add(struct socket * sock,int state)681 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
682 {
683 	struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
684 
685 	if (!s)
686 		return NULL;
687 
688 	BT_DBG("session %p sock %p", s, sock);
689 
690 	timer_setup(&s->timer, rfcomm_session_timeout, 0);
691 
692 	INIT_LIST_HEAD(&s->dlcs);
693 	s->state = state;
694 	s->sock  = sock;
695 
696 	s->mtu = RFCOMM_DEFAULT_MTU;
697 	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
698 
699 	/* Do not increment module usage count for listening sessions.
700 	 * Otherwise we won't be able to unload the module. */
701 	if (state != BT_LISTEN)
702 		if (!try_module_get(THIS_MODULE)) {
703 			kfree(s);
704 			return NULL;
705 		}
706 
707 	list_add(&s->list, &session_list);
708 
709 	return s;
710 }
711 
rfcomm_session_del(struct rfcomm_session * s)712 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
713 {
714 	int state = s->state;
715 
716 	BT_DBG("session %p state %ld", s, s->state);
717 
718 	list_del(&s->list);
719 
720 	rfcomm_session_clear_timer(s);
721 	sock_release(s->sock);
722 	kfree(s);
723 
724 	if (state != BT_LISTEN)
725 		module_put(THIS_MODULE);
726 
727 	return NULL;
728 }
729 
rfcomm_session_get(bdaddr_t * src,bdaddr_t * dst)730 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
731 {
732 	struct rfcomm_session *s, *n;
733 	struct l2cap_chan *chan;
734 	list_for_each_entry_safe(s, n, &session_list, list) {
735 		chan = l2cap_pi(s->sock->sk)->chan;
736 
737 		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
738 		    !bacmp(&chan->dst, dst))
739 			return s;
740 	}
741 	return NULL;
742 }
743 
rfcomm_session_close(struct rfcomm_session * s,int err)744 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
745 						   int err)
746 {
747 	struct rfcomm_dlc *d, *n;
748 
749 	s->state = BT_CLOSED;
750 
751 	BT_DBG("session %p state %ld err %d", s, s->state, err);
752 
753 	/* Close all dlcs */
754 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
755 		d->state = BT_CLOSED;
756 		__rfcomm_dlc_close(d, err);
757 	}
758 
759 	rfcomm_session_clear_timer(s);
760 	return rfcomm_session_del(s);
761 }
762 
rfcomm_session_create(bdaddr_t * src,bdaddr_t * dst,u8 sec_level,int * err)763 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
764 							bdaddr_t *dst,
765 							u8 sec_level,
766 							int *err)
767 {
768 	struct rfcomm_session *s = NULL;
769 	struct sockaddr_l2 addr;
770 	struct socket *sock;
771 	struct sock *sk;
772 
773 	BT_DBG("%pMR -> %pMR", src, dst);
774 
775 	*err = rfcomm_l2sock_create(&sock);
776 	if (*err < 0)
777 		return NULL;
778 
779 	bacpy(&addr.l2_bdaddr, src);
780 	addr.l2_family = AF_BLUETOOTH;
781 	addr.l2_psm    = 0;
782 	addr.l2_cid    = 0;
783 	addr.l2_bdaddr_type = BDADDR_BREDR;
784 	*err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
785 	if (*err < 0)
786 		goto failed;
787 
788 	/* Set L2CAP options */
789 	sk = sock->sk;
790 	lock_sock(sk);
791 	/* Set MTU to 0 so L2CAP can auto select the MTU */
792 	l2cap_pi(sk)->chan->imtu = 0;
793 	l2cap_pi(sk)->chan->sec_level = sec_level;
794 	if (l2cap_ertm)
795 		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
796 	release_sock(sk);
797 
798 	s = rfcomm_session_add(sock, BT_BOUND);
799 	if (!s) {
800 		*err = -ENOMEM;
801 		goto failed;
802 	}
803 
804 	s->initiator = 1;
805 
806 	bacpy(&addr.l2_bdaddr, dst);
807 	addr.l2_family = AF_BLUETOOTH;
808 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
809 	addr.l2_cid    = 0;
810 	addr.l2_bdaddr_type = BDADDR_BREDR;
811 	*err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
812 	if (*err == 0 || *err == -EINPROGRESS)
813 		return s;
814 
815 	return rfcomm_session_del(s);
816 
817 failed:
818 	sock_release(sock);
819 	return NULL;
820 }
821 
rfcomm_session_getaddr(struct rfcomm_session * s,bdaddr_t * src,bdaddr_t * dst)822 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
823 {
824 	struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
825 	if (src)
826 		bacpy(src, &chan->src);
827 	if (dst)
828 		bacpy(dst, &chan->dst);
829 }
830 
831 /* ---- RFCOMM frame sending ---- */
rfcomm_send_frame(struct rfcomm_session * s,u8 * data,int len)832 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
833 {
834 	struct kvec iv = { data, len };
835 	struct msghdr msg;
836 
837 	BT_DBG("session %p len %d", s, len);
838 
839 	memset(&msg, 0, sizeof(msg));
840 
841 	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
842 }
843 
rfcomm_send_cmd(struct rfcomm_session * s,struct rfcomm_cmd * cmd)844 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
845 {
846 	BT_DBG("%p cmd %u", s, cmd->ctrl);
847 
848 	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
849 }
850 
rfcomm_send_sabm(struct rfcomm_session * s,u8 dlci)851 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
852 {
853 	struct rfcomm_cmd cmd;
854 
855 	BT_DBG("%p dlci %d", s, dlci);
856 
857 	cmd.addr = __addr(s->initiator, dlci);
858 	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
859 	cmd.len  = __len8(0);
860 	cmd.fcs  = __fcs2((u8 *) &cmd);
861 
862 	return rfcomm_send_cmd(s, &cmd);
863 }
864 
rfcomm_send_ua(struct rfcomm_session * s,u8 dlci)865 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
866 {
867 	struct rfcomm_cmd cmd;
868 
869 	BT_DBG("%p dlci %d", s, dlci);
870 
871 	cmd.addr = __addr(!s->initiator, dlci);
872 	cmd.ctrl = __ctrl(RFCOMM_UA, 1);
873 	cmd.len  = __len8(0);
874 	cmd.fcs  = __fcs2((u8 *) &cmd);
875 
876 	return rfcomm_send_cmd(s, &cmd);
877 }
878 
rfcomm_send_disc(struct rfcomm_session * s,u8 dlci)879 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
880 {
881 	struct rfcomm_cmd cmd;
882 
883 	BT_DBG("%p dlci %d", s, dlci);
884 
885 	cmd.addr = __addr(s->initiator, dlci);
886 	cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
887 	cmd.len  = __len8(0);
888 	cmd.fcs  = __fcs2((u8 *) &cmd);
889 
890 	return rfcomm_send_cmd(s, &cmd);
891 }
892 
rfcomm_queue_disc(struct rfcomm_dlc * d)893 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
894 {
895 	struct rfcomm_cmd *cmd;
896 	struct sk_buff *skb;
897 
898 	BT_DBG("dlc %p dlci %d", d, d->dlci);
899 
900 	skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
901 	if (!skb)
902 		return -ENOMEM;
903 
904 	cmd = __skb_put(skb, sizeof(*cmd));
905 	cmd->addr = d->addr;
906 	cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
907 	cmd->len  = __len8(0);
908 	cmd->fcs  = __fcs2((u8 *) cmd);
909 
910 	skb_queue_tail(&d->tx_queue, skb);
911 	rfcomm_schedule();
912 	return 0;
913 }
914 
rfcomm_send_dm(struct rfcomm_session * s,u8 dlci)915 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
916 {
917 	struct rfcomm_cmd cmd;
918 
919 	BT_DBG("%p dlci %d", s, dlci);
920 
921 	cmd.addr = __addr(!s->initiator, dlci);
922 	cmd.ctrl = __ctrl(RFCOMM_DM, 1);
923 	cmd.len  = __len8(0);
924 	cmd.fcs  = __fcs2((u8 *) &cmd);
925 
926 	return rfcomm_send_cmd(s, &cmd);
927 }
928 
rfcomm_send_nsc(struct rfcomm_session * s,int cr,u8 type)929 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
930 {
931 	struct rfcomm_hdr *hdr;
932 	struct rfcomm_mcc *mcc;
933 	u8 buf[16], *ptr = buf;
934 
935 	BT_DBG("%p cr %d type %d", s, cr, type);
936 
937 	hdr = (void *) ptr; ptr += sizeof(*hdr);
938 	hdr->addr = __addr(s->initiator, 0);
939 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
940 	hdr->len  = __len8(sizeof(*mcc) + 1);
941 
942 	mcc = (void *) ptr; ptr += sizeof(*mcc);
943 	mcc->type = __mcc_type(0, RFCOMM_NSC);
944 	mcc->len  = __len8(1);
945 
946 	/* Type that we didn't like */
947 	*ptr = __mcc_type(cr, type); ptr++;
948 
949 	*ptr = __fcs(buf); ptr++;
950 
951 	return rfcomm_send_frame(s, buf, ptr - buf);
952 }
953 
rfcomm_send_pn(struct rfcomm_session * s,int cr,struct rfcomm_dlc * d)954 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
955 {
956 	struct rfcomm_hdr *hdr;
957 	struct rfcomm_mcc *mcc;
958 	struct rfcomm_pn  *pn;
959 	u8 buf[16], *ptr = buf;
960 
961 	BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
962 
963 	hdr = (void *) ptr; ptr += sizeof(*hdr);
964 	hdr->addr = __addr(s->initiator, 0);
965 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
966 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
967 
968 	mcc = (void *) ptr; ptr += sizeof(*mcc);
969 	mcc->type = __mcc_type(cr, RFCOMM_PN);
970 	mcc->len  = __len8(sizeof(*pn));
971 
972 	pn = (void *) ptr; ptr += sizeof(*pn);
973 	pn->dlci        = d->dlci;
974 	pn->priority    = d->priority;
975 	pn->ack_timer   = 0;
976 	pn->max_retrans = 0;
977 
978 	if (s->cfc) {
979 		pn->flow_ctrl = cr ? 0xf0 : 0xe0;
980 		pn->credits = RFCOMM_DEFAULT_CREDITS;
981 	} else {
982 		pn->flow_ctrl = 0;
983 		pn->credits   = 0;
984 	}
985 
986 	if (cr && channel_mtu >= 0)
987 		pn->mtu = cpu_to_le16(channel_mtu);
988 	else
989 		pn->mtu = cpu_to_le16(d->mtu);
990 
991 	*ptr = __fcs(buf); ptr++;
992 
993 	return rfcomm_send_frame(s, buf, ptr - buf);
994 }
995 
rfcomm_send_rpn(struct rfcomm_session * s,int cr,u8 dlci,u8 bit_rate,u8 data_bits,u8 stop_bits,u8 parity,u8 flow_ctrl_settings,u8 xon_char,u8 xoff_char,u16 param_mask)996 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
997 			u8 bit_rate, u8 data_bits, u8 stop_bits,
998 			u8 parity, u8 flow_ctrl_settings,
999 			u8 xon_char, u8 xoff_char, u16 param_mask)
1000 {
1001 	struct rfcomm_hdr *hdr;
1002 	struct rfcomm_mcc *mcc;
1003 	struct rfcomm_rpn *rpn;
1004 	u8 buf[16], *ptr = buf;
1005 
1006 	BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
1007 			" flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
1008 		s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
1009 		flow_ctrl_settings, xon_char, xoff_char, param_mask);
1010 
1011 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1012 	hdr->addr = __addr(s->initiator, 0);
1013 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1014 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
1015 
1016 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1017 	mcc->type = __mcc_type(cr, RFCOMM_RPN);
1018 	mcc->len  = __len8(sizeof(*rpn));
1019 
1020 	rpn = (void *) ptr; ptr += sizeof(*rpn);
1021 	rpn->dlci          = __addr(1, dlci);
1022 	rpn->bit_rate      = bit_rate;
1023 	rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
1024 	rpn->flow_ctrl     = flow_ctrl_settings;
1025 	rpn->xon_char      = xon_char;
1026 	rpn->xoff_char     = xoff_char;
1027 	rpn->param_mask    = cpu_to_le16(param_mask);
1028 
1029 	*ptr = __fcs(buf); ptr++;
1030 
1031 	return rfcomm_send_frame(s, buf, ptr - buf);
1032 }
1033 
rfcomm_send_rls(struct rfcomm_session * s,int cr,u8 dlci,u8 status)1034 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
1035 {
1036 	struct rfcomm_hdr *hdr;
1037 	struct rfcomm_mcc *mcc;
1038 	struct rfcomm_rls *rls;
1039 	u8 buf[16], *ptr = buf;
1040 
1041 	BT_DBG("%p cr %d status 0x%x", s, cr, status);
1042 
1043 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1044 	hdr->addr = __addr(s->initiator, 0);
1045 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1046 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
1047 
1048 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1049 	mcc->type = __mcc_type(cr, RFCOMM_RLS);
1050 	mcc->len  = __len8(sizeof(*rls));
1051 
1052 	rls = (void *) ptr; ptr += sizeof(*rls);
1053 	rls->dlci   = __addr(1, dlci);
1054 	rls->status = status;
1055 
1056 	*ptr = __fcs(buf); ptr++;
1057 
1058 	return rfcomm_send_frame(s, buf, ptr - buf);
1059 }
1060 
rfcomm_send_msc(struct rfcomm_session * s,int cr,u8 dlci,u8 v24_sig)1061 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1062 {
1063 	struct rfcomm_hdr *hdr;
1064 	struct rfcomm_mcc *mcc;
1065 	struct rfcomm_msc *msc;
1066 	u8 buf[16], *ptr = buf;
1067 
1068 	BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1069 
1070 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1071 	hdr->addr = __addr(s->initiator, 0);
1072 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1073 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1074 
1075 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1076 	mcc->type = __mcc_type(cr, RFCOMM_MSC);
1077 	mcc->len  = __len8(sizeof(*msc));
1078 
1079 	msc = (void *) ptr; ptr += sizeof(*msc);
1080 	msc->dlci    = __addr(1, dlci);
1081 	msc->v24_sig = v24_sig | 0x01;
1082 
1083 	*ptr = __fcs(buf); ptr++;
1084 
1085 	return rfcomm_send_frame(s, buf, ptr - buf);
1086 }
1087 
rfcomm_send_fcoff(struct rfcomm_session * s,int cr)1088 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1089 {
1090 	struct rfcomm_hdr *hdr;
1091 	struct rfcomm_mcc *mcc;
1092 	u8 buf[16], *ptr = buf;
1093 
1094 	BT_DBG("%p cr %d", s, cr);
1095 
1096 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1097 	hdr->addr = __addr(s->initiator, 0);
1098 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1099 	hdr->len  = __len8(sizeof(*mcc));
1100 
1101 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1102 	mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1103 	mcc->len  = __len8(0);
1104 
1105 	*ptr = __fcs(buf); ptr++;
1106 
1107 	return rfcomm_send_frame(s, buf, ptr - buf);
1108 }
1109 
rfcomm_send_fcon(struct rfcomm_session * s,int cr)1110 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1111 {
1112 	struct rfcomm_hdr *hdr;
1113 	struct rfcomm_mcc *mcc;
1114 	u8 buf[16], *ptr = buf;
1115 
1116 	BT_DBG("%p cr %d", s, cr);
1117 
1118 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1119 	hdr->addr = __addr(s->initiator, 0);
1120 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1121 	hdr->len  = __len8(sizeof(*mcc));
1122 
1123 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1124 	mcc->type = __mcc_type(cr, RFCOMM_FCON);
1125 	mcc->len  = __len8(0);
1126 
1127 	*ptr = __fcs(buf); ptr++;
1128 
1129 	return rfcomm_send_frame(s, buf, ptr - buf);
1130 }
1131 
rfcomm_send_test(struct rfcomm_session * s,int cr,u8 * pattern,int len)1132 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1133 {
1134 	struct socket *sock = s->sock;
1135 	struct kvec iv[3];
1136 	struct msghdr msg;
1137 	unsigned char hdr[5], crc[1];
1138 
1139 	if (len > 125)
1140 		return -EINVAL;
1141 
1142 	BT_DBG("%p cr %d", s, cr);
1143 
1144 	hdr[0] = __addr(s->initiator, 0);
1145 	hdr[1] = __ctrl(RFCOMM_UIH, 0);
1146 	hdr[2] = 0x01 | ((len + 2) << 1);
1147 	hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1148 	hdr[4] = 0x01 | (len << 1);
1149 
1150 	crc[0] = __fcs(hdr);
1151 
1152 	iv[0].iov_base = hdr;
1153 	iv[0].iov_len  = 5;
1154 	iv[1].iov_base = pattern;
1155 	iv[1].iov_len  = len;
1156 	iv[2].iov_base = crc;
1157 	iv[2].iov_len  = 1;
1158 
1159 	memset(&msg, 0, sizeof(msg));
1160 
1161 	return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1162 }
1163 
rfcomm_send_credits(struct rfcomm_session * s,u8 addr,u8 credits)1164 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1165 {
1166 	struct rfcomm_hdr *hdr;
1167 	u8 buf[16], *ptr = buf;
1168 
1169 	BT_DBG("%p addr %d credits %d", s, addr, credits);
1170 
1171 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1172 	hdr->addr = addr;
1173 	hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1174 	hdr->len  = __len8(0);
1175 
1176 	*ptr = credits; ptr++;
1177 
1178 	*ptr = __fcs(buf); ptr++;
1179 
1180 	return rfcomm_send_frame(s, buf, ptr - buf);
1181 }
1182 
rfcomm_make_uih(struct sk_buff * skb,u8 addr)1183 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1184 {
1185 	struct rfcomm_hdr *hdr;
1186 	int len = skb->len;
1187 	u8 *crc;
1188 
1189 	if (len > 127) {
1190 		hdr = skb_push(skb, 4);
1191 		put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1192 	} else {
1193 		hdr = skb_push(skb, 3);
1194 		hdr->len = __len8(len);
1195 	}
1196 	hdr->addr = addr;
1197 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1198 
1199 	crc = skb_put(skb, 1);
1200 	*crc = __fcs((void *) hdr);
1201 }
1202 
1203 /* ---- RFCOMM frame reception ---- */
rfcomm_recv_ua(struct rfcomm_session * s,u8 dlci)1204 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1205 {
1206 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1207 
1208 	if (dlci) {
1209 		/* Data channel */
1210 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1211 		if (!d) {
1212 			rfcomm_send_dm(s, dlci);
1213 			return s;
1214 		}
1215 
1216 		switch (d->state) {
1217 		case BT_CONNECT:
1218 			rfcomm_dlc_clear_timer(d);
1219 
1220 			rfcomm_dlc_lock(d);
1221 			d->state = BT_CONNECTED;
1222 			d->state_change(d, 0);
1223 			rfcomm_dlc_unlock(d);
1224 
1225 			rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1226 			break;
1227 
1228 		case BT_DISCONN:
1229 			d->state = BT_CLOSED;
1230 			__rfcomm_dlc_close(d, 0);
1231 
1232 			if (list_empty(&s->dlcs)) {
1233 				s->state = BT_DISCONN;
1234 				rfcomm_send_disc(s, 0);
1235 				rfcomm_session_clear_timer(s);
1236 			}
1237 
1238 			break;
1239 		}
1240 	} else {
1241 		/* Control channel */
1242 		switch (s->state) {
1243 		case BT_CONNECT:
1244 			s->state = BT_CONNECTED;
1245 			rfcomm_process_connect(s);
1246 			break;
1247 
1248 		case BT_DISCONN:
1249 			s = rfcomm_session_close(s, ECONNRESET);
1250 			break;
1251 		}
1252 	}
1253 	return s;
1254 }
1255 
rfcomm_recv_dm(struct rfcomm_session * s,u8 dlci)1256 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1257 {
1258 	int err = 0;
1259 
1260 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1261 
1262 	if (dlci) {
1263 		/* Data DLC */
1264 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1265 		if (d) {
1266 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1267 				err = ECONNREFUSED;
1268 			else
1269 				err = ECONNRESET;
1270 
1271 			d->state = BT_CLOSED;
1272 			__rfcomm_dlc_close(d, err);
1273 		}
1274 	} else {
1275 		if (s->state == BT_CONNECT)
1276 			err = ECONNREFUSED;
1277 		else
1278 			err = ECONNRESET;
1279 
1280 		s = rfcomm_session_close(s, err);
1281 	}
1282 	return s;
1283 }
1284 
rfcomm_recv_disc(struct rfcomm_session * s,u8 dlci)1285 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1286 					       u8 dlci)
1287 {
1288 	int err = 0;
1289 
1290 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1291 
1292 	if (dlci) {
1293 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1294 		if (d) {
1295 			rfcomm_send_ua(s, dlci);
1296 
1297 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1298 				err = ECONNREFUSED;
1299 			else
1300 				err = ECONNRESET;
1301 
1302 			d->state = BT_CLOSED;
1303 			__rfcomm_dlc_close(d, err);
1304 		} else
1305 			rfcomm_send_dm(s, dlci);
1306 
1307 	} else {
1308 		rfcomm_send_ua(s, 0);
1309 
1310 		if (s->state == BT_CONNECT)
1311 			err = ECONNREFUSED;
1312 		else
1313 			err = ECONNRESET;
1314 
1315 		s = rfcomm_session_close(s, err);
1316 	}
1317 	return s;
1318 }
1319 
rfcomm_dlc_accept(struct rfcomm_dlc * d)1320 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1321 {
1322 	struct sock *sk = d->session->sock->sk;
1323 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1324 
1325 	BT_DBG("dlc %p", d);
1326 
1327 	rfcomm_send_ua(d->session, d->dlci);
1328 
1329 	rfcomm_dlc_clear_timer(d);
1330 
1331 	rfcomm_dlc_lock(d);
1332 	d->state = BT_CONNECTED;
1333 	d->state_change(d, 0);
1334 	rfcomm_dlc_unlock(d);
1335 
1336 	if (d->role_switch)
1337 		hci_conn_switch_role(conn->hcon, 0x00);
1338 
1339 	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1340 }
1341 
rfcomm_check_accept(struct rfcomm_dlc * d)1342 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1343 {
1344 	if (rfcomm_check_security(d)) {
1345 		if (d->defer_setup) {
1346 			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1347 			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1348 
1349 			rfcomm_dlc_lock(d);
1350 			d->state = BT_CONNECT2;
1351 			d->state_change(d, 0);
1352 			rfcomm_dlc_unlock(d);
1353 		} else
1354 			rfcomm_dlc_accept(d);
1355 	} else {
1356 		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1357 		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1358 	}
1359 }
1360 
rfcomm_recv_sabm(struct rfcomm_session * s,u8 dlci)1361 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1362 {
1363 	struct rfcomm_dlc *d;
1364 	u8 channel;
1365 
1366 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1367 
1368 	if (!dlci) {
1369 		rfcomm_send_ua(s, 0);
1370 
1371 		if (s->state == BT_OPEN) {
1372 			s->state = BT_CONNECTED;
1373 			rfcomm_process_connect(s);
1374 		}
1375 		return 0;
1376 	}
1377 
1378 	/* Check if DLC exists */
1379 	d = rfcomm_dlc_get(s, dlci);
1380 	if (d) {
1381 		if (d->state == BT_OPEN) {
1382 			/* DLC was previously opened by PN request */
1383 			rfcomm_check_accept(d);
1384 		}
1385 		return 0;
1386 	}
1387 
1388 	/* Notify socket layer about incoming connection */
1389 	channel = __srv_channel(dlci);
1390 	if (rfcomm_connect_ind(s, channel, &d)) {
1391 		d->dlci = dlci;
1392 		d->addr = __addr(s->initiator, dlci);
1393 		rfcomm_dlc_link(s, d);
1394 
1395 		rfcomm_check_accept(d);
1396 	} else {
1397 		rfcomm_send_dm(s, dlci);
1398 	}
1399 
1400 	return 0;
1401 }
1402 
rfcomm_apply_pn(struct rfcomm_dlc * d,int cr,struct rfcomm_pn * pn)1403 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1404 {
1405 	struct rfcomm_session *s = d->session;
1406 
1407 	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1408 			d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1409 
1410 	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1411 						pn->flow_ctrl == 0xe0) {
1412 		d->cfc = RFCOMM_CFC_ENABLED;
1413 		d->tx_credits = pn->credits;
1414 	} else {
1415 		d->cfc = RFCOMM_CFC_DISABLED;
1416 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1417 	}
1418 
1419 	if (s->cfc == RFCOMM_CFC_UNKNOWN)
1420 		s->cfc = d->cfc;
1421 
1422 	d->priority = pn->priority;
1423 
1424 	d->mtu = __le16_to_cpu(pn->mtu);
1425 
1426 	if (cr && d->mtu > s->mtu)
1427 		d->mtu = s->mtu;
1428 
1429 	return 0;
1430 }
1431 
rfcomm_recv_pn(struct rfcomm_session * s,int cr,struct sk_buff * skb)1432 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1433 {
1434 	struct rfcomm_pn *pn = (void *) skb->data;
1435 	struct rfcomm_dlc *d;
1436 	u8 dlci = pn->dlci;
1437 
1438 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1439 
1440 	if (!dlci)
1441 		return 0;
1442 
1443 	d = rfcomm_dlc_get(s, dlci);
1444 	if (d) {
1445 		if (cr) {
1446 			/* PN request */
1447 			rfcomm_apply_pn(d, cr, pn);
1448 			rfcomm_send_pn(s, 0, d);
1449 		} else {
1450 			/* PN response */
1451 			switch (d->state) {
1452 			case BT_CONFIG:
1453 				rfcomm_apply_pn(d, cr, pn);
1454 
1455 				d->state = BT_CONNECT;
1456 				rfcomm_send_sabm(s, d->dlci);
1457 				break;
1458 			}
1459 		}
1460 	} else {
1461 		u8 channel = __srv_channel(dlci);
1462 
1463 		if (!cr)
1464 			return 0;
1465 
1466 		/* PN request for non existing DLC.
1467 		 * Assume incoming connection. */
1468 		if (rfcomm_connect_ind(s, channel, &d)) {
1469 			d->dlci = dlci;
1470 			d->addr = __addr(s->initiator, dlci);
1471 			rfcomm_dlc_link(s, d);
1472 
1473 			rfcomm_apply_pn(d, cr, pn);
1474 
1475 			d->state = BT_OPEN;
1476 			rfcomm_send_pn(s, 0, d);
1477 		} else {
1478 			rfcomm_send_dm(s, dlci);
1479 		}
1480 	}
1481 	return 0;
1482 }
1483 
rfcomm_recv_rpn(struct rfcomm_session * s,int cr,int len,struct sk_buff * skb)1484 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1485 {
1486 	struct rfcomm_rpn *rpn = (void *) skb->data;
1487 	u8 dlci = __get_dlci(rpn->dlci);
1488 
1489 	u8 bit_rate  = 0;
1490 	u8 data_bits = 0;
1491 	u8 stop_bits = 0;
1492 	u8 parity    = 0;
1493 	u8 flow_ctrl = 0;
1494 	u8 xon_char  = 0;
1495 	u8 xoff_char = 0;
1496 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1497 
1498 	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1499 		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1500 		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1501 
1502 	if (!cr)
1503 		return 0;
1504 
1505 	if (len == 1) {
1506 		/* This is a request, return default (according to ETSI TS 07.10) settings */
1507 		bit_rate  = RFCOMM_RPN_BR_9600;
1508 		data_bits = RFCOMM_RPN_DATA_8;
1509 		stop_bits = RFCOMM_RPN_STOP_1;
1510 		parity    = RFCOMM_RPN_PARITY_NONE;
1511 		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1512 		xon_char  = RFCOMM_RPN_XON_CHAR;
1513 		xoff_char = RFCOMM_RPN_XOFF_CHAR;
1514 		goto rpn_out;
1515 	}
1516 
1517 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1518 	 * no parity, no flow control lines, normal XON/XOFF chars */
1519 
1520 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1521 		bit_rate = rpn->bit_rate;
1522 		if (bit_rate > RFCOMM_RPN_BR_230400) {
1523 			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1524 			bit_rate = RFCOMM_RPN_BR_9600;
1525 			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1526 		}
1527 	}
1528 
1529 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1530 		data_bits = __get_rpn_data_bits(rpn->line_settings);
1531 		if (data_bits != RFCOMM_RPN_DATA_8) {
1532 			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1533 			data_bits = RFCOMM_RPN_DATA_8;
1534 			rpn_mask ^= RFCOMM_RPN_PM_DATA;
1535 		}
1536 	}
1537 
1538 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1539 		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1540 		if (stop_bits != RFCOMM_RPN_STOP_1) {
1541 			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1542 			stop_bits = RFCOMM_RPN_STOP_1;
1543 			rpn_mask ^= RFCOMM_RPN_PM_STOP;
1544 		}
1545 	}
1546 
1547 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1548 		parity = __get_rpn_parity(rpn->line_settings);
1549 		if (parity != RFCOMM_RPN_PARITY_NONE) {
1550 			BT_DBG("RPN parity mismatch 0x%x", parity);
1551 			parity = RFCOMM_RPN_PARITY_NONE;
1552 			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1553 		}
1554 	}
1555 
1556 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1557 		flow_ctrl = rpn->flow_ctrl;
1558 		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1559 			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1560 			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1561 			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1562 		}
1563 	}
1564 
1565 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1566 		xon_char = rpn->xon_char;
1567 		if (xon_char != RFCOMM_RPN_XON_CHAR) {
1568 			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1569 			xon_char = RFCOMM_RPN_XON_CHAR;
1570 			rpn_mask ^= RFCOMM_RPN_PM_XON;
1571 		}
1572 	}
1573 
1574 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1575 		xoff_char = rpn->xoff_char;
1576 		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1577 			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1578 			xoff_char = RFCOMM_RPN_XOFF_CHAR;
1579 			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1580 		}
1581 	}
1582 
1583 rpn_out:
1584 	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1585 			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1586 
1587 	return 0;
1588 }
1589 
rfcomm_recv_rls(struct rfcomm_session * s,int cr,struct sk_buff * skb)1590 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1591 {
1592 	struct rfcomm_rls *rls = (void *) skb->data;
1593 	u8 dlci = __get_dlci(rls->dlci);
1594 
1595 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1596 
1597 	if (!cr)
1598 		return 0;
1599 
1600 	/* We should probably do something with this information here. But
1601 	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1602 	 * mandatory to recognise and respond to RLS */
1603 
1604 	rfcomm_send_rls(s, 0, dlci, rls->status);
1605 
1606 	return 0;
1607 }
1608 
rfcomm_recv_msc(struct rfcomm_session * s,int cr,struct sk_buff * skb)1609 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1610 {
1611 	struct rfcomm_msc *msc = (void *) skb->data;
1612 	struct rfcomm_dlc *d;
1613 	u8 dlci = __get_dlci(msc->dlci);
1614 
1615 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1616 
1617 	d = rfcomm_dlc_get(s, dlci);
1618 	if (!d)
1619 		return 0;
1620 
1621 	if (cr) {
1622 		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1623 			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1624 		else
1625 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1626 
1627 		rfcomm_dlc_lock(d);
1628 
1629 		d->remote_v24_sig = msc->v24_sig;
1630 
1631 		if (d->modem_status)
1632 			d->modem_status(d, msc->v24_sig);
1633 
1634 		rfcomm_dlc_unlock(d);
1635 
1636 		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1637 
1638 		d->mscex |= RFCOMM_MSCEX_RX;
1639 	} else
1640 		d->mscex |= RFCOMM_MSCEX_TX;
1641 
1642 	return 0;
1643 }
1644 
rfcomm_recv_mcc(struct rfcomm_session * s,struct sk_buff * skb)1645 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1646 {
1647 	struct rfcomm_mcc *mcc = (void *) skb->data;
1648 	u8 type, cr, len;
1649 
1650 	cr   = __test_cr(mcc->type);
1651 	type = __get_mcc_type(mcc->type);
1652 	len  = __get_mcc_len(mcc->len);
1653 
1654 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
1655 
1656 	skb_pull(skb, 2);
1657 
1658 	switch (type) {
1659 	case RFCOMM_PN:
1660 		rfcomm_recv_pn(s, cr, skb);
1661 		break;
1662 
1663 	case RFCOMM_RPN:
1664 		rfcomm_recv_rpn(s, cr, len, skb);
1665 		break;
1666 
1667 	case RFCOMM_RLS:
1668 		rfcomm_recv_rls(s, cr, skb);
1669 		break;
1670 
1671 	case RFCOMM_MSC:
1672 		rfcomm_recv_msc(s, cr, skb);
1673 		break;
1674 
1675 	case RFCOMM_FCOFF:
1676 		if (cr) {
1677 			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1678 			rfcomm_send_fcoff(s, 0);
1679 		}
1680 		break;
1681 
1682 	case RFCOMM_FCON:
1683 		if (cr) {
1684 			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1685 			rfcomm_send_fcon(s, 0);
1686 		}
1687 		break;
1688 
1689 	case RFCOMM_TEST:
1690 		if (cr)
1691 			rfcomm_send_test(s, 0, skb->data, skb->len);
1692 		break;
1693 
1694 	case RFCOMM_NSC:
1695 		break;
1696 
1697 	default:
1698 		BT_ERR("Unknown control type 0x%02x", type);
1699 		rfcomm_send_nsc(s, cr, type);
1700 		break;
1701 	}
1702 	return 0;
1703 }
1704 
rfcomm_recv_data(struct rfcomm_session * s,u8 dlci,int pf,struct sk_buff * skb)1705 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1706 {
1707 	struct rfcomm_dlc *d;
1708 
1709 	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1710 
1711 	d = rfcomm_dlc_get(s, dlci);
1712 	if (!d) {
1713 		rfcomm_send_dm(s, dlci);
1714 		goto drop;
1715 	}
1716 
1717 	if (pf && d->cfc) {
1718 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1719 
1720 		d->tx_credits += credits;
1721 		if (d->tx_credits)
1722 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1723 	}
1724 
1725 	if (skb->len && d->state == BT_CONNECTED) {
1726 		rfcomm_dlc_lock(d);
1727 		d->rx_credits--;
1728 		d->data_ready(d, skb);
1729 		rfcomm_dlc_unlock(d);
1730 		return 0;
1731 	}
1732 
1733 drop:
1734 	kfree_skb(skb);
1735 	return 0;
1736 }
1737 
rfcomm_recv_frame(struct rfcomm_session * s,struct sk_buff * skb)1738 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1739 						struct sk_buff *skb)
1740 {
1741 	struct rfcomm_hdr *hdr = (void *) skb->data;
1742 	u8 type, dlci, fcs;
1743 
1744 	if (!s) {
1745 		/* no session, so free socket data */
1746 		kfree_skb(skb);
1747 		return s;
1748 	}
1749 
1750 	dlci = __get_dlci(hdr->addr);
1751 	type = __get_type(hdr->ctrl);
1752 
1753 	/* Trim FCS */
1754 	skb->len--; skb->tail--;
1755 	fcs = *(u8 *)skb_tail_pointer(skb);
1756 
1757 	if (__check_fcs(skb->data, type, fcs)) {
1758 		BT_ERR("bad checksum in packet");
1759 		kfree_skb(skb);
1760 		return s;
1761 	}
1762 
1763 	if (__test_ea(hdr->len))
1764 		skb_pull(skb, 3);
1765 	else
1766 		skb_pull(skb, 4);
1767 
1768 	switch (type) {
1769 	case RFCOMM_SABM:
1770 		if (__test_pf(hdr->ctrl))
1771 			rfcomm_recv_sabm(s, dlci);
1772 		break;
1773 
1774 	case RFCOMM_DISC:
1775 		if (__test_pf(hdr->ctrl))
1776 			s = rfcomm_recv_disc(s, dlci);
1777 		break;
1778 
1779 	case RFCOMM_UA:
1780 		if (__test_pf(hdr->ctrl))
1781 			s = rfcomm_recv_ua(s, dlci);
1782 		break;
1783 
1784 	case RFCOMM_DM:
1785 		s = rfcomm_recv_dm(s, dlci);
1786 		break;
1787 
1788 	case RFCOMM_UIH:
1789 		if (dlci) {
1790 			rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1791 			return s;
1792 		}
1793 		rfcomm_recv_mcc(s, skb);
1794 		break;
1795 
1796 	default:
1797 		BT_ERR("Unknown packet type 0x%02x", type);
1798 		break;
1799 	}
1800 	kfree_skb(skb);
1801 	return s;
1802 }
1803 
1804 /* ---- Connection and data processing ---- */
1805 
rfcomm_process_connect(struct rfcomm_session * s)1806 static void rfcomm_process_connect(struct rfcomm_session *s)
1807 {
1808 	struct rfcomm_dlc *d, *n;
1809 
1810 	BT_DBG("session %p state %ld", s, s->state);
1811 
1812 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
1813 		if (d->state == BT_CONFIG) {
1814 			d->mtu = s->mtu;
1815 			if (rfcomm_check_security(d)) {
1816 				rfcomm_send_pn(s, 1, d);
1817 			} else {
1818 				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1819 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1820 			}
1821 		}
1822 	}
1823 }
1824 
1825 /* Send data queued for the DLC.
1826  * Return number of frames left in the queue.
1827  */
rfcomm_process_tx(struct rfcomm_dlc * d)1828 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1829 {
1830 	struct sk_buff *skb;
1831 	int err;
1832 
1833 	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1834 			d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1835 
1836 	/* Send pending MSC */
1837 	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1838 		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1839 
1840 	if (d->cfc) {
1841 		/* CFC enabled.
1842 		 * Give them some credits */
1843 		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1844 				d->rx_credits <= (d->cfc >> 2)) {
1845 			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1846 			d->rx_credits = d->cfc;
1847 		}
1848 	} else {
1849 		/* CFC disabled.
1850 		 * Give ourselves some credits */
1851 		d->tx_credits = 5;
1852 	}
1853 
1854 	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1855 		return skb_queue_len(&d->tx_queue);
1856 
1857 	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1858 		err = rfcomm_send_frame(d->session, skb->data, skb->len);
1859 		if (err < 0) {
1860 			skb_queue_head(&d->tx_queue, skb);
1861 			break;
1862 		}
1863 		kfree_skb(skb);
1864 		d->tx_credits--;
1865 	}
1866 
1867 	if (d->cfc && !d->tx_credits) {
1868 		/* We're out of TX credits.
1869 		 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1870 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1871 	}
1872 
1873 	return skb_queue_len(&d->tx_queue);
1874 }
1875 
rfcomm_process_dlcs(struct rfcomm_session * s)1876 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1877 {
1878 	struct rfcomm_dlc *d, *n;
1879 
1880 	BT_DBG("session %p state %ld", s, s->state);
1881 
1882 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
1883 		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1884 			__rfcomm_dlc_close(d, ETIMEDOUT);
1885 			continue;
1886 		}
1887 
1888 		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1889 			__rfcomm_dlc_close(d, ECONNREFUSED);
1890 			continue;
1891 		}
1892 
1893 		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1894 			rfcomm_dlc_clear_timer(d);
1895 			if (d->out) {
1896 				rfcomm_send_pn(s, 1, d);
1897 				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1898 			} else {
1899 				if (d->defer_setup) {
1900 					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1901 					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1902 
1903 					rfcomm_dlc_lock(d);
1904 					d->state = BT_CONNECT2;
1905 					d->state_change(d, 0);
1906 					rfcomm_dlc_unlock(d);
1907 				} else
1908 					rfcomm_dlc_accept(d);
1909 			}
1910 			continue;
1911 		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1912 			rfcomm_dlc_clear_timer(d);
1913 			if (!d->out)
1914 				rfcomm_send_dm(s, d->dlci);
1915 			else
1916 				d->state = BT_CLOSED;
1917 			__rfcomm_dlc_close(d, ECONNREFUSED);
1918 			continue;
1919 		}
1920 
1921 		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1922 			continue;
1923 
1924 		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1925 			continue;
1926 
1927 		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1928 						d->mscex == RFCOMM_MSCEX_OK)
1929 			rfcomm_process_tx(d);
1930 	}
1931 }
1932 
rfcomm_process_rx(struct rfcomm_session * s)1933 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1934 {
1935 	struct socket *sock = s->sock;
1936 	struct sock *sk = sock->sk;
1937 	struct sk_buff *skb;
1938 
1939 	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1940 
1941 	/* Get data directly from socket receive queue without copying it. */
1942 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1943 		skb_orphan(skb);
1944 		if (!skb_linearize(skb)) {
1945 			s = rfcomm_recv_frame(s, skb);
1946 			if (!s)
1947 				break;
1948 		} else {
1949 			kfree_skb(skb);
1950 		}
1951 	}
1952 
1953 	if (s && (sk->sk_state == BT_CLOSED))
1954 		s = rfcomm_session_close(s, sk->sk_err);
1955 
1956 	return s;
1957 }
1958 
rfcomm_accept_connection(struct rfcomm_session * s)1959 static void rfcomm_accept_connection(struct rfcomm_session *s)
1960 {
1961 	struct socket *sock = s->sock, *nsock;
1962 	int err;
1963 
1964 	/* Fast check for a new connection.
1965 	 * Avoids unnesesary socket allocations. */
1966 	if (list_empty(&bt_sk(sock->sk)->accept_q))
1967 		return;
1968 
1969 	BT_DBG("session %p", s);
1970 
1971 	err = kernel_accept(sock, &nsock, O_NONBLOCK);
1972 	if (err < 0)
1973 		return;
1974 
1975 	/* Set our callbacks */
1976 	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1977 	nsock->sk->sk_state_change = rfcomm_l2state_change;
1978 
1979 	s = rfcomm_session_add(nsock, BT_OPEN);
1980 	if (s) {
1981 		/* We should adjust MTU on incoming sessions.
1982 		 * L2CAP MTU minus UIH header and FCS. */
1983 		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1984 				l2cap_pi(nsock->sk)->chan->imtu) - 5;
1985 
1986 		rfcomm_schedule();
1987 	} else
1988 		sock_release(nsock);
1989 }
1990 
rfcomm_check_connection(struct rfcomm_session * s)1991 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1992 {
1993 	struct sock *sk = s->sock->sk;
1994 
1995 	BT_DBG("%p state %ld", s, s->state);
1996 
1997 	switch (sk->sk_state) {
1998 	case BT_CONNECTED:
1999 		s->state = BT_CONNECT;
2000 
2001 		/* We can adjust MTU on outgoing sessions.
2002 		 * L2CAP MTU minus UIH header and FCS. */
2003 		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
2004 
2005 		rfcomm_send_sabm(s, 0);
2006 		break;
2007 
2008 	case BT_CLOSED:
2009 		s = rfcomm_session_close(s, sk->sk_err);
2010 		break;
2011 	}
2012 	return s;
2013 }
2014 
rfcomm_process_sessions(void)2015 static void rfcomm_process_sessions(void)
2016 {
2017 	struct rfcomm_session *s, *n;
2018 
2019 	rfcomm_lock();
2020 
2021 	list_for_each_entry_safe(s, n, &session_list, list) {
2022 		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
2023 			s->state = BT_DISCONN;
2024 			rfcomm_send_disc(s, 0);
2025 			continue;
2026 		}
2027 
2028 		switch (s->state) {
2029 		case BT_LISTEN:
2030 			rfcomm_accept_connection(s);
2031 			continue;
2032 
2033 		case BT_BOUND:
2034 			s = rfcomm_check_connection(s);
2035 			break;
2036 
2037 		default:
2038 			s = rfcomm_process_rx(s);
2039 			break;
2040 		}
2041 
2042 		if (s)
2043 			rfcomm_process_dlcs(s);
2044 	}
2045 
2046 	rfcomm_unlock();
2047 }
2048 
rfcomm_add_listener(bdaddr_t * ba)2049 static int rfcomm_add_listener(bdaddr_t *ba)
2050 {
2051 	struct sockaddr_l2 addr;
2052 	struct socket *sock;
2053 	struct sock *sk;
2054 	struct rfcomm_session *s;
2055 	int    err = 0;
2056 
2057 	/* Create socket */
2058 	err = rfcomm_l2sock_create(&sock);
2059 	if (err < 0) {
2060 		BT_ERR("Create socket failed %d", err);
2061 		return err;
2062 	}
2063 
2064 	/* Bind socket */
2065 	bacpy(&addr.l2_bdaddr, ba);
2066 	addr.l2_family = AF_BLUETOOTH;
2067 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
2068 	addr.l2_cid    = 0;
2069 	addr.l2_bdaddr_type = BDADDR_BREDR;
2070 	err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2071 	if (err < 0) {
2072 		BT_ERR("Bind failed %d", err);
2073 		goto failed;
2074 	}
2075 
2076 	/* Set L2CAP options */
2077 	sk = sock->sk;
2078 	lock_sock(sk);
2079 	/* Set MTU to 0 so L2CAP can auto select the MTU */
2080 	l2cap_pi(sk)->chan->imtu = 0;
2081 	release_sock(sk);
2082 
2083 	/* Start listening on the socket */
2084 	err = kernel_listen(sock, 10);
2085 	if (err) {
2086 		BT_ERR("Listen failed %d", err);
2087 		goto failed;
2088 	}
2089 
2090 	/* Add listening session */
2091 	s = rfcomm_session_add(sock, BT_LISTEN);
2092 	if (!s) {
2093 		err = -ENOMEM;
2094 		goto failed;
2095 	}
2096 
2097 	return 0;
2098 failed:
2099 	sock_release(sock);
2100 	return err;
2101 }
2102 
rfcomm_kill_listener(void)2103 static void rfcomm_kill_listener(void)
2104 {
2105 	struct rfcomm_session *s, *n;
2106 
2107 	BT_DBG("");
2108 
2109 	list_for_each_entry_safe(s, n, &session_list, list)
2110 		rfcomm_session_del(s);
2111 }
2112 
rfcomm_run(void * unused)2113 static int rfcomm_run(void *unused)
2114 {
2115 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
2116 	BT_DBG("");
2117 
2118 	set_user_nice(current, -10);
2119 
2120 	rfcomm_add_listener(BDADDR_ANY);
2121 
2122 	add_wait_queue(&rfcomm_wq, &wait);
2123 	while (!kthread_should_stop()) {
2124 
2125 		/* Process stuff */
2126 		rfcomm_process_sessions();
2127 
2128 		wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2129 	}
2130 	remove_wait_queue(&rfcomm_wq, &wait);
2131 
2132 	rfcomm_kill_listener();
2133 
2134 	return 0;
2135 }
2136 
rfcomm_security_cfm(struct hci_conn * conn,u8 status,u8 encrypt)2137 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2138 {
2139 	struct rfcomm_session *s;
2140 	struct rfcomm_dlc *d, *n;
2141 
2142 	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2143 
2144 	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2145 	if (!s)
2146 		return;
2147 
2148 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
2149 		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2150 			rfcomm_dlc_clear_timer(d);
2151 			if (status || encrypt == 0x00) {
2152 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2153 				continue;
2154 			}
2155 		}
2156 
2157 		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2158 			if (d->sec_level == BT_SECURITY_MEDIUM) {
2159 				set_bit(RFCOMM_SEC_PENDING, &d->flags);
2160 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2161 				continue;
2162 			} else if (d->sec_level == BT_SECURITY_HIGH ||
2163 				   d->sec_level == BT_SECURITY_FIPS) {
2164 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2165 				continue;
2166 			}
2167 		}
2168 
2169 		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2170 			continue;
2171 
2172 		if (!status && hci_conn_check_secure(conn, d->sec_level))
2173 			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2174 		else
2175 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2176 	}
2177 
2178 	rfcomm_schedule();
2179 }
2180 
2181 static struct hci_cb rfcomm_cb = {
2182 	.name		= "RFCOMM",
2183 	.security_cfm	= rfcomm_security_cfm
2184 };
2185 
rfcomm_dlc_debugfs_show(struct seq_file * f,void * x)2186 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2187 {
2188 	struct rfcomm_session *s;
2189 
2190 	rfcomm_lock();
2191 
2192 	list_for_each_entry(s, &session_list, list) {
2193 		struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2194 		struct rfcomm_dlc *d;
2195 		list_for_each_entry(d, &s->dlcs, list) {
2196 			seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2197 				   &chan->src, &chan->dst,
2198 				   d->state, d->dlci, d->mtu,
2199 				   d->rx_credits, d->tx_credits);
2200 		}
2201 	}
2202 
2203 	rfcomm_unlock();
2204 
2205 	return 0;
2206 }
2207 
2208 DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);
2209 
2210 static struct dentry *rfcomm_dlc_debugfs;
2211 
2212 /* ---- Initialization ---- */
rfcomm_init(void)2213 static int __init rfcomm_init(void)
2214 {
2215 	int err;
2216 
2217 	hci_register_cb(&rfcomm_cb);
2218 
2219 	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2220 	if (IS_ERR(rfcomm_thread)) {
2221 		err = PTR_ERR(rfcomm_thread);
2222 		goto unregister;
2223 	}
2224 
2225 	err = rfcomm_init_ttys();
2226 	if (err < 0)
2227 		goto stop;
2228 
2229 	err = rfcomm_init_sockets();
2230 	if (err < 0)
2231 		goto cleanup;
2232 
2233 	BT_INFO("RFCOMM ver %s", VERSION);
2234 
2235 	if (IS_ERR_OR_NULL(bt_debugfs))
2236 		return 0;
2237 
2238 	rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2239 						 bt_debugfs, NULL,
2240 						 &rfcomm_dlc_debugfs_fops);
2241 
2242 	return 0;
2243 
2244 cleanup:
2245 	rfcomm_cleanup_ttys();
2246 
2247 stop:
2248 	kthread_stop(rfcomm_thread);
2249 
2250 unregister:
2251 	hci_unregister_cb(&rfcomm_cb);
2252 
2253 	return err;
2254 }
2255 
rfcomm_exit(void)2256 static void __exit rfcomm_exit(void)
2257 {
2258 	debugfs_remove(rfcomm_dlc_debugfs);
2259 
2260 	hci_unregister_cb(&rfcomm_cb);
2261 
2262 	kthread_stop(rfcomm_thread);
2263 
2264 	rfcomm_cleanup_ttys();
2265 
2266 	rfcomm_cleanup_sockets();
2267 }
2268 
2269 module_init(rfcomm_init);
2270 module_exit(rfcomm_exit);
2271 
2272 module_param(disable_cfc, bool, 0644);
2273 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2274 
2275 module_param(channel_mtu, int, 0644);
2276 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2277 
2278 module_param(l2cap_ertm, bool, 0644);
2279 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2280 
2281 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2282 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2283 MODULE_VERSION(VERSION);
2284 MODULE_LICENSE("GPL");
2285 MODULE_ALIAS("bt-proto-3");
2286