1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * Bluetooth RFCOMM core.
26 */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/debugfs.h>
37 #include <linux/seq_file.h>
38 #include <linux/net.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41 #include <linux/slab.h>
42
43 #include <net/sock.h>
44 #include <linux/uaccess.h>
45 #include <asm/unaligned.h>
46
47 #include <net/bluetooth/bluetooth.h>
48 #include <net/bluetooth/hci_core.h>
49 #include <net/bluetooth/l2cap.h>
50 #include <net/bluetooth/rfcomm.h>
51
52 #define VERSION "1.11"
53
54 static int disable_cfc;
55 static int l2cap_ertm;
56 static int channel_mtu = -1;
57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58
59 static struct task_struct *rfcomm_thread;
60
61 static DEFINE_MUTEX(rfcomm_mutex);
62 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64
65 static unsigned long rfcomm_event;
66
67 static LIST_HEAD(session_list);
68
69 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
70 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
71 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
72 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
73 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
74 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
75 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
76 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
77 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
78 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
79
80 static void rfcomm_process_connect(struct rfcomm_session *s);
81
82 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
83 bdaddr_t *dst,
84 u8 sec_level,
85 int *err);
86 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
87 static void rfcomm_session_del(struct rfcomm_session *s);
88
89 /* ---- RFCOMM frame parsing macros ---- */
90 #define __get_dlci(b) ((b & 0xfc) >> 2)
91 #define __get_channel(b) ((b & 0xf8) >> 3)
92 #define __get_dir(b) ((b & 0x04) >> 2)
93 #define __get_type(b) ((b & 0xef))
94
95 #define __test_ea(b) ((b & 0x01))
96 #define __test_cr(b) ((b & 0x02))
97 #define __test_pf(b) ((b & 0x10))
98
99 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
100 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
101 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
102 #define __srv_channel(dlci) (dlci >> 1)
103 #define __dir(dlci) (dlci & 0x01)
104
105 #define __len8(len) (((len) << 1) | 1)
106 #define __len16(len) ((len) << 1)
107
108 /* MCC macros */
109 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
110 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
111 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
112
113 /* RPN macros */
114 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
115 #define __get_rpn_data_bits(line) ((line) & 0x3)
116 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
117 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
118
rfcomm_schedule(void)119 static inline void rfcomm_schedule(void)
120 {
121 if (!rfcomm_thread)
122 return;
123 set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
124 wake_up_process(rfcomm_thread);
125 }
126
rfcomm_session_put(struct rfcomm_session * s)127 static inline void rfcomm_session_put(struct rfcomm_session *s)
128 {
129 if (atomic_dec_and_test(&s->refcnt))
130 rfcomm_session_del(s);
131 }
132
133 /* ---- RFCOMM FCS computation ---- */
134
135 /* reversed, 8-bit, poly=0x07 */
136 static unsigned char rfcomm_crc_table[256] = {
137 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
138 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
139 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
140 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
141
142 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
143 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
144 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
145 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
146
147 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
148 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
149 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
150 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
151
152 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
153 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
154 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
155 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
156
157 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
158 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
159 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
160 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
161
162 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
163 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
164 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
165 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
166
167 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
168 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
169 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
170 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
171
172 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
173 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
174 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
175 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
176 };
177
178 /* CRC on 2 bytes */
179 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
180
181 /* FCS on 2 bytes */
__fcs(u8 * data)182 static inline u8 __fcs(u8 *data)
183 {
184 return 0xff - __crc(data);
185 }
186
187 /* FCS on 3 bytes */
__fcs2(u8 * data)188 static inline u8 __fcs2(u8 *data)
189 {
190 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
191 }
192
193 /* Check FCS */
__check_fcs(u8 * data,int type,u8 fcs)194 static inline int __check_fcs(u8 *data, int type, u8 fcs)
195 {
196 u8 f = __crc(data);
197
198 if (type != RFCOMM_UIH)
199 f = rfcomm_crc_table[f ^ data[2]];
200
201 return rfcomm_crc_table[f ^ fcs] != 0xcf;
202 }
203
204 /* ---- L2CAP callbacks ---- */
rfcomm_l2state_change(struct sock * sk)205 static void rfcomm_l2state_change(struct sock *sk)
206 {
207 BT_DBG("%p state %d", sk, sk->sk_state);
208 rfcomm_schedule();
209 }
210
rfcomm_l2data_ready(struct sock * sk,int bytes)211 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
212 {
213 BT_DBG("%p bytes %d", sk, bytes);
214 rfcomm_schedule();
215 }
216
rfcomm_l2sock_create(struct socket ** sock)217 static int rfcomm_l2sock_create(struct socket **sock)
218 {
219 int err;
220
221 BT_DBG("");
222
223 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
224 if (!err) {
225 struct sock *sk = (*sock)->sk;
226 sk->sk_data_ready = rfcomm_l2data_ready;
227 sk->sk_state_change = rfcomm_l2state_change;
228 }
229 return err;
230 }
231
rfcomm_check_security(struct rfcomm_dlc * d)232 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
233 {
234 struct sock *sk = d->session->sock->sk;
235 __u8 auth_type;
236
237 switch (d->sec_level) {
238 case BT_SECURITY_HIGH:
239 auth_type = HCI_AT_GENERAL_BONDING_MITM;
240 break;
241 case BT_SECURITY_MEDIUM:
242 auth_type = HCI_AT_GENERAL_BONDING;
243 break;
244 default:
245 auth_type = HCI_AT_NO_BONDING;
246 break;
247 }
248
249 return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
250 auth_type);
251 }
252
rfcomm_session_timeout(unsigned long arg)253 static void rfcomm_session_timeout(unsigned long arg)
254 {
255 struct rfcomm_session *s = (void *) arg;
256
257 BT_DBG("session %p state %ld", s, s->state);
258
259 set_bit(RFCOMM_TIMED_OUT, &s->flags);
260 rfcomm_schedule();
261 }
262
rfcomm_session_set_timer(struct rfcomm_session * s,long timeout)263 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
264 {
265 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
266
267 if (!mod_timer(&s->timer, jiffies + timeout))
268 rfcomm_session_hold(s);
269 }
270
rfcomm_session_clear_timer(struct rfcomm_session * s)271 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
272 {
273 BT_DBG("session %p state %ld", s, s->state);
274
275 if (timer_pending(&s->timer) && del_timer(&s->timer))
276 rfcomm_session_put(s);
277 }
278
279 /* ---- RFCOMM DLCs ---- */
rfcomm_dlc_timeout(unsigned long arg)280 static void rfcomm_dlc_timeout(unsigned long arg)
281 {
282 struct rfcomm_dlc *d = (void *) arg;
283
284 BT_DBG("dlc %p state %ld", d, d->state);
285
286 set_bit(RFCOMM_TIMED_OUT, &d->flags);
287 rfcomm_dlc_put(d);
288 rfcomm_schedule();
289 }
290
rfcomm_dlc_set_timer(struct rfcomm_dlc * d,long timeout)291 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
292 {
293 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
294
295 if (!mod_timer(&d->timer, jiffies + timeout))
296 rfcomm_dlc_hold(d);
297 }
298
rfcomm_dlc_clear_timer(struct rfcomm_dlc * d)299 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
300 {
301 BT_DBG("dlc %p state %ld", d, d->state);
302
303 if (timer_pending(&d->timer) && del_timer(&d->timer))
304 rfcomm_dlc_put(d);
305 }
306
rfcomm_dlc_clear_state(struct rfcomm_dlc * d)307 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
308 {
309 BT_DBG("%p", d);
310
311 d->state = BT_OPEN;
312 d->flags = 0;
313 d->mscex = 0;
314 d->sec_level = BT_SECURITY_LOW;
315 d->mtu = RFCOMM_DEFAULT_MTU;
316 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
317
318 d->cfc = RFCOMM_CFC_DISABLED;
319 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
320 }
321
rfcomm_dlc_alloc(gfp_t prio)322 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
323 {
324 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
325
326 if (!d)
327 return NULL;
328
329 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
330
331 skb_queue_head_init(&d->tx_queue);
332 spin_lock_init(&d->lock);
333 atomic_set(&d->refcnt, 1);
334
335 rfcomm_dlc_clear_state(d);
336
337 BT_DBG("%p", d);
338
339 return d;
340 }
341
rfcomm_dlc_free(struct rfcomm_dlc * d)342 void rfcomm_dlc_free(struct rfcomm_dlc *d)
343 {
344 BT_DBG("%p", d);
345
346 skb_queue_purge(&d->tx_queue);
347 kfree(d);
348 }
349
rfcomm_dlc_link(struct rfcomm_session * s,struct rfcomm_dlc * d)350 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
351 {
352 BT_DBG("dlc %p session %p", d, s);
353
354 rfcomm_session_hold(s);
355
356 rfcomm_session_clear_timer(s);
357 rfcomm_dlc_hold(d);
358 list_add(&d->list, &s->dlcs);
359 d->session = s;
360 }
361
rfcomm_dlc_unlink(struct rfcomm_dlc * d)362 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
363 {
364 struct rfcomm_session *s = d->session;
365
366 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
367
368 list_del(&d->list);
369 d->session = NULL;
370 rfcomm_dlc_put(d);
371
372 if (list_empty(&s->dlcs))
373 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
374
375 rfcomm_session_put(s);
376 }
377
rfcomm_dlc_get(struct rfcomm_session * s,u8 dlci)378 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
379 {
380 struct rfcomm_dlc *d;
381 struct list_head *p;
382
383 list_for_each(p, &s->dlcs) {
384 d = list_entry(p, struct rfcomm_dlc, list);
385 if (d->dlci == dlci)
386 return d;
387 }
388 return NULL;
389 }
390
__rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)391 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
392 {
393 struct rfcomm_session *s;
394 int err = 0;
395 u8 dlci;
396
397 BT_DBG("dlc %p state %ld %s %s channel %d",
398 d, d->state, batostr(src), batostr(dst), channel);
399
400 if (channel < 1 || channel > 30)
401 return -EINVAL;
402
403 if (d->state != BT_OPEN && d->state != BT_CLOSED)
404 return 0;
405
406 s = rfcomm_session_get(src, dst);
407 if (!s) {
408 s = rfcomm_session_create(src, dst, d->sec_level, &err);
409 if (!s)
410 return err;
411 }
412
413 dlci = __dlci(!s->initiator, channel);
414
415 /* Check if DLCI already exists */
416 if (rfcomm_dlc_get(s, dlci))
417 return -EBUSY;
418
419 rfcomm_dlc_clear_state(d);
420
421 d->dlci = dlci;
422 d->addr = __addr(s->initiator, dlci);
423 d->priority = 7;
424
425 d->state = BT_CONFIG;
426 rfcomm_dlc_link(s, d);
427
428 d->out = 1;
429
430 d->mtu = s->mtu;
431 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
432
433 if (s->state == BT_CONNECTED) {
434 if (rfcomm_check_security(d))
435 rfcomm_send_pn(s, 1, d);
436 else
437 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
438 }
439
440 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
441
442 return 0;
443 }
444
rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)445 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
446 {
447 int r;
448
449 rfcomm_lock();
450
451 r = __rfcomm_dlc_open(d, src, dst, channel);
452
453 rfcomm_unlock();
454 return r;
455 }
456
__rfcomm_dlc_close(struct rfcomm_dlc * d,int err)457 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
458 {
459 struct rfcomm_session *s = d->session;
460 if (!s)
461 return 0;
462
463 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
464 d, d->state, d->dlci, err, s);
465
466 switch (d->state) {
467 case BT_CONNECT:
468 case BT_CONFIG:
469 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
470 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
471 rfcomm_schedule();
472 break;
473 }
474 /* Fall through */
475
476 case BT_CONNECTED:
477 d->state = BT_DISCONN;
478 if (skb_queue_empty(&d->tx_queue)) {
479 rfcomm_send_disc(s, d->dlci);
480 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
481 } else {
482 rfcomm_queue_disc(d);
483 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
484 }
485 break;
486
487 case BT_OPEN:
488 case BT_CONNECT2:
489 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
490 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
491 rfcomm_schedule();
492 break;
493 }
494 /* Fall through */
495
496 default:
497 rfcomm_dlc_clear_timer(d);
498
499 rfcomm_dlc_lock(d);
500 d->state = BT_CLOSED;
501 d->state_change(d, err);
502 rfcomm_dlc_unlock(d);
503
504 skb_queue_purge(&d->tx_queue);
505 rfcomm_dlc_unlink(d);
506 }
507
508 return 0;
509 }
510
rfcomm_dlc_close(struct rfcomm_dlc * d,int err)511 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
512 {
513 int r;
514
515 rfcomm_lock();
516
517 r = __rfcomm_dlc_close(d, err);
518
519 rfcomm_unlock();
520 return r;
521 }
522
rfcomm_dlc_send(struct rfcomm_dlc * d,struct sk_buff * skb)523 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
524 {
525 int len = skb->len;
526
527 if (d->state != BT_CONNECTED)
528 return -ENOTCONN;
529
530 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
531
532 if (len > d->mtu)
533 return -EINVAL;
534
535 rfcomm_make_uih(skb, d->addr);
536 skb_queue_tail(&d->tx_queue, skb);
537
538 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
539 rfcomm_schedule();
540 return len;
541 }
542
__rfcomm_dlc_throttle(struct rfcomm_dlc * d)543 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
544 {
545 BT_DBG("dlc %p state %ld", d, d->state);
546
547 if (!d->cfc) {
548 d->v24_sig |= RFCOMM_V24_FC;
549 set_bit(RFCOMM_MSC_PENDING, &d->flags);
550 }
551 rfcomm_schedule();
552 }
553
__rfcomm_dlc_unthrottle(struct rfcomm_dlc * d)554 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
555 {
556 BT_DBG("dlc %p state %ld", d, d->state);
557
558 if (!d->cfc) {
559 d->v24_sig &= ~RFCOMM_V24_FC;
560 set_bit(RFCOMM_MSC_PENDING, &d->flags);
561 }
562 rfcomm_schedule();
563 }
564
565 /*
566 Set/get modem status functions use _local_ status i.e. what we report
567 to the other side.
568 Remote status is provided by dlc->modem_status() callback.
569 */
rfcomm_dlc_set_modem_status(struct rfcomm_dlc * d,u8 v24_sig)570 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
571 {
572 BT_DBG("dlc %p state %ld v24_sig 0x%x",
573 d, d->state, v24_sig);
574
575 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
576 v24_sig |= RFCOMM_V24_FC;
577 else
578 v24_sig &= ~RFCOMM_V24_FC;
579
580 d->v24_sig = v24_sig;
581
582 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
583 rfcomm_schedule();
584
585 return 0;
586 }
587
rfcomm_dlc_get_modem_status(struct rfcomm_dlc * d,u8 * v24_sig)588 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
589 {
590 BT_DBG("dlc %p state %ld v24_sig 0x%x",
591 d, d->state, d->v24_sig);
592
593 *v24_sig = d->v24_sig;
594 return 0;
595 }
596
597 /* ---- RFCOMM sessions ---- */
rfcomm_session_add(struct socket * sock,int state)598 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
599 {
600 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
601
602 if (!s)
603 return NULL;
604
605 BT_DBG("session %p sock %p", s, sock);
606
607 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
608
609 INIT_LIST_HEAD(&s->dlcs);
610 s->state = state;
611 s->sock = sock;
612
613 s->mtu = RFCOMM_DEFAULT_MTU;
614 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
615
616 /* Do not increment module usage count for listening sessions.
617 * Otherwise we won't be able to unload the module. */
618 if (state != BT_LISTEN)
619 if (!try_module_get(THIS_MODULE)) {
620 kfree(s);
621 return NULL;
622 }
623
624 list_add(&s->list, &session_list);
625
626 return s;
627 }
628
rfcomm_session_del(struct rfcomm_session * s)629 static void rfcomm_session_del(struct rfcomm_session *s)
630 {
631 int state = s->state;
632
633 BT_DBG("session %p state %ld", s, s->state);
634
635 list_del(&s->list);
636
637 if (state == BT_CONNECTED)
638 rfcomm_send_disc(s, 0);
639
640 rfcomm_session_clear_timer(s);
641 sock_release(s->sock);
642 kfree(s);
643
644 if (state != BT_LISTEN)
645 module_put(THIS_MODULE);
646 }
647
rfcomm_session_get(bdaddr_t * src,bdaddr_t * dst)648 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
649 {
650 struct rfcomm_session *s;
651 struct list_head *p, *n;
652 struct bt_sock *sk;
653 list_for_each_safe(p, n, &session_list) {
654 s = list_entry(p, struct rfcomm_session, list);
655 sk = bt_sk(s->sock->sk);
656
657 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
658 !bacmp(&sk->dst, dst))
659 return s;
660 }
661 return NULL;
662 }
663
rfcomm_session_close(struct rfcomm_session * s,int err)664 static void rfcomm_session_close(struct rfcomm_session *s, int err)
665 {
666 struct rfcomm_dlc *d;
667 struct list_head *p, *n;
668
669 BT_DBG("session %p state %ld err %d", s, s->state, err);
670
671 rfcomm_session_hold(s);
672
673 s->state = BT_CLOSED;
674
675 /* Close all dlcs */
676 list_for_each_safe(p, n, &s->dlcs) {
677 d = list_entry(p, struct rfcomm_dlc, list);
678 d->state = BT_CLOSED;
679 __rfcomm_dlc_close(d, err);
680 }
681
682 rfcomm_session_clear_timer(s);
683 rfcomm_session_put(s);
684 }
685
rfcomm_session_create(bdaddr_t * src,bdaddr_t * dst,u8 sec_level,int * err)686 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
687 bdaddr_t *dst,
688 u8 sec_level,
689 int *err)
690 {
691 struct rfcomm_session *s = NULL;
692 struct sockaddr_l2 addr;
693 struct socket *sock;
694 struct sock *sk;
695
696 BT_DBG("%s %s", batostr(src), batostr(dst));
697
698 *err = rfcomm_l2sock_create(&sock);
699 if (*err < 0)
700 return NULL;
701
702 bacpy(&addr.l2_bdaddr, src);
703 addr.l2_family = AF_BLUETOOTH;
704 addr.l2_psm = 0;
705 addr.l2_cid = 0;
706 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
707 if (*err < 0)
708 goto failed;
709
710 /* Set L2CAP options */
711 sk = sock->sk;
712 lock_sock(sk);
713 l2cap_pi(sk)->imtu = l2cap_mtu;
714 l2cap_pi(sk)->sec_level = sec_level;
715 if (l2cap_ertm)
716 l2cap_pi(sk)->mode = L2CAP_MODE_ERTM;
717 release_sock(sk);
718
719 s = rfcomm_session_add(sock, BT_BOUND);
720 if (!s) {
721 *err = -ENOMEM;
722 goto failed;
723 }
724
725 s->initiator = 1;
726
727 bacpy(&addr.l2_bdaddr, dst);
728 addr.l2_family = AF_BLUETOOTH;
729 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
730 addr.l2_cid = 0;
731 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
732 if (*err == 0 || *err == -EINPROGRESS)
733 return s;
734
735 rfcomm_session_del(s);
736 return NULL;
737
738 failed:
739 sock_release(sock);
740 return NULL;
741 }
742
rfcomm_session_getaddr(struct rfcomm_session * s,bdaddr_t * src,bdaddr_t * dst)743 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
744 {
745 struct sock *sk = s->sock->sk;
746 if (src)
747 bacpy(src, &bt_sk(sk)->src);
748 if (dst)
749 bacpy(dst, &bt_sk(sk)->dst);
750 }
751
752 /* ---- RFCOMM frame sending ---- */
rfcomm_send_frame(struct rfcomm_session * s,u8 * data,int len)753 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
754 {
755 struct socket *sock = s->sock;
756 struct kvec iv = { data, len };
757 struct msghdr msg;
758
759 BT_DBG("session %p len %d", s, len);
760
761 memset(&msg, 0, sizeof(msg));
762
763 return kernel_sendmsg(sock, &msg, &iv, 1, len);
764 }
765
rfcomm_send_sabm(struct rfcomm_session * s,u8 dlci)766 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
767 {
768 struct rfcomm_cmd cmd;
769
770 BT_DBG("%p dlci %d", s, dlci);
771
772 cmd.addr = __addr(s->initiator, dlci);
773 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
774 cmd.len = __len8(0);
775 cmd.fcs = __fcs2((u8 *) &cmd);
776
777 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
778 }
779
rfcomm_send_ua(struct rfcomm_session * s,u8 dlci)780 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
781 {
782 struct rfcomm_cmd cmd;
783
784 BT_DBG("%p dlci %d", s, dlci);
785
786 cmd.addr = __addr(!s->initiator, dlci);
787 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
788 cmd.len = __len8(0);
789 cmd.fcs = __fcs2((u8 *) &cmd);
790
791 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
792 }
793
rfcomm_send_disc(struct rfcomm_session * s,u8 dlci)794 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
795 {
796 struct rfcomm_cmd cmd;
797
798 BT_DBG("%p dlci %d", s, dlci);
799
800 cmd.addr = __addr(s->initiator, dlci);
801 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
802 cmd.len = __len8(0);
803 cmd.fcs = __fcs2((u8 *) &cmd);
804
805 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
806 }
807
rfcomm_queue_disc(struct rfcomm_dlc * d)808 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
809 {
810 struct rfcomm_cmd *cmd;
811 struct sk_buff *skb;
812
813 BT_DBG("dlc %p dlci %d", d, d->dlci);
814
815 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
816 if (!skb)
817 return -ENOMEM;
818
819 cmd = (void *) __skb_put(skb, sizeof(*cmd));
820 cmd->addr = d->addr;
821 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
822 cmd->len = __len8(0);
823 cmd->fcs = __fcs2((u8 *) cmd);
824
825 skb_queue_tail(&d->tx_queue, skb);
826 rfcomm_schedule();
827 return 0;
828 }
829
rfcomm_send_dm(struct rfcomm_session * s,u8 dlci)830 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
831 {
832 struct rfcomm_cmd cmd;
833
834 BT_DBG("%p dlci %d", s, dlci);
835
836 cmd.addr = __addr(!s->initiator, dlci);
837 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
838 cmd.len = __len8(0);
839 cmd.fcs = __fcs2((u8 *) &cmd);
840
841 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
842 }
843
rfcomm_send_nsc(struct rfcomm_session * s,int cr,u8 type)844 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
845 {
846 struct rfcomm_hdr *hdr;
847 struct rfcomm_mcc *mcc;
848 u8 buf[16], *ptr = buf;
849
850 BT_DBG("%p cr %d type %d", s, cr, type);
851
852 hdr = (void *) ptr; ptr += sizeof(*hdr);
853 hdr->addr = __addr(s->initiator, 0);
854 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
855 hdr->len = __len8(sizeof(*mcc) + 1);
856
857 mcc = (void *) ptr; ptr += sizeof(*mcc);
858 mcc->type = __mcc_type(cr, RFCOMM_NSC);
859 mcc->len = __len8(1);
860
861 /* Type that we didn't like */
862 *ptr = __mcc_type(cr, type); ptr++;
863
864 *ptr = __fcs(buf); ptr++;
865
866 return rfcomm_send_frame(s, buf, ptr - buf);
867 }
868
rfcomm_send_pn(struct rfcomm_session * s,int cr,struct rfcomm_dlc * d)869 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
870 {
871 struct rfcomm_hdr *hdr;
872 struct rfcomm_mcc *mcc;
873 struct rfcomm_pn *pn;
874 u8 buf[16], *ptr = buf;
875
876 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
877
878 hdr = (void *) ptr; ptr += sizeof(*hdr);
879 hdr->addr = __addr(s->initiator, 0);
880 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
881 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
882
883 mcc = (void *) ptr; ptr += sizeof(*mcc);
884 mcc->type = __mcc_type(cr, RFCOMM_PN);
885 mcc->len = __len8(sizeof(*pn));
886
887 pn = (void *) ptr; ptr += sizeof(*pn);
888 pn->dlci = d->dlci;
889 pn->priority = d->priority;
890 pn->ack_timer = 0;
891 pn->max_retrans = 0;
892
893 if (s->cfc) {
894 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
895 pn->credits = RFCOMM_DEFAULT_CREDITS;
896 } else {
897 pn->flow_ctrl = 0;
898 pn->credits = 0;
899 }
900
901 if (cr && channel_mtu >= 0)
902 pn->mtu = cpu_to_le16(channel_mtu);
903 else
904 pn->mtu = cpu_to_le16(d->mtu);
905
906 *ptr = __fcs(buf); ptr++;
907
908 return rfcomm_send_frame(s, buf, ptr - buf);
909 }
910
rfcomm_send_rpn(struct rfcomm_session * s,int cr,u8 dlci,u8 bit_rate,u8 data_bits,u8 stop_bits,u8 parity,u8 flow_ctrl_settings,u8 xon_char,u8 xoff_char,u16 param_mask)911 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
912 u8 bit_rate, u8 data_bits, u8 stop_bits,
913 u8 parity, u8 flow_ctrl_settings,
914 u8 xon_char, u8 xoff_char, u16 param_mask)
915 {
916 struct rfcomm_hdr *hdr;
917 struct rfcomm_mcc *mcc;
918 struct rfcomm_rpn *rpn;
919 u8 buf[16], *ptr = buf;
920
921 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
922 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
923 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
924 flow_ctrl_settings, xon_char, xoff_char, param_mask);
925
926 hdr = (void *) ptr; ptr += sizeof(*hdr);
927 hdr->addr = __addr(s->initiator, 0);
928 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
929 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
930
931 mcc = (void *) ptr; ptr += sizeof(*mcc);
932 mcc->type = __mcc_type(cr, RFCOMM_RPN);
933 mcc->len = __len8(sizeof(*rpn));
934
935 rpn = (void *) ptr; ptr += sizeof(*rpn);
936 rpn->dlci = __addr(1, dlci);
937 rpn->bit_rate = bit_rate;
938 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
939 rpn->flow_ctrl = flow_ctrl_settings;
940 rpn->xon_char = xon_char;
941 rpn->xoff_char = xoff_char;
942 rpn->param_mask = cpu_to_le16(param_mask);
943
944 *ptr = __fcs(buf); ptr++;
945
946 return rfcomm_send_frame(s, buf, ptr - buf);
947 }
948
rfcomm_send_rls(struct rfcomm_session * s,int cr,u8 dlci,u8 status)949 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
950 {
951 struct rfcomm_hdr *hdr;
952 struct rfcomm_mcc *mcc;
953 struct rfcomm_rls *rls;
954 u8 buf[16], *ptr = buf;
955
956 BT_DBG("%p cr %d status 0x%x", s, cr, status);
957
958 hdr = (void *) ptr; ptr += sizeof(*hdr);
959 hdr->addr = __addr(s->initiator, 0);
960 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
961 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
962
963 mcc = (void *) ptr; ptr += sizeof(*mcc);
964 mcc->type = __mcc_type(cr, RFCOMM_RLS);
965 mcc->len = __len8(sizeof(*rls));
966
967 rls = (void *) ptr; ptr += sizeof(*rls);
968 rls->dlci = __addr(1, dlci);
969 rls->status = status;
970
971 *ptr = __fcs(buf); ptr++;
972
973 return rfcomm_send_frame(s, buf, ptr - buf);
974 }
975
rfcomm_send_msc(struct rfcomm_session * s,int cr,u8 dlci,u8 v24_sig)976 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
977 {
978 struct rfcomm_hdr *hdr;
979 struct rfcomm_mcc *mcc;
980 struct rfcomm_msc *msc;
981 u8 buf[16], *ptr = buf;
982
983 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
984
985 hdr = (void *) ptr; ptr += sizeof(*hdr);
986 hdr->addr = __addr(s->initiator, 0);
987 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
988 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
989
990 mcc = (void *) ptr; ptr += sizeof(*mcc);
991 mcc->type = __mcc_type(cr, RFCOMM_MSC);
992 mcc->len = __len8(sizeof(*msc));
993
994 msc = (void *) ptr; ptr += sizeof(*msc);
995 msc->dlci = __addr(1, dlci);
996 msc->v24_sig = v24_sig | 0x01;
997
998 *ptr = __fcs(buf); ptr++;
999
1000 return rfcomm_send_frame(s, buf, ptr - buf);
1001 }
1002
rfcomm_send_fcoff(struct rfcomm_session * s,int cr)1003 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1004 {
1005 struct rfcomm_hdr *hdr;
1006 struct rfcomm_mcc *mcc;
1007 u8 buf[16], *ptr = buf;
1008
1009 BT_DBG("%p cr %d", s, cr);
1010
1011 hdr = (void *) ptr; ptr += sizeof(*hdr);
1012 hdr->addr = __addr(s->initiator, 0);
1013 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1014 hdr->len = __len8(sizeof(*mcc));
1015
1016 mcc = (void *) ptr; ptr += sizeof(*mcc);
1017 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1018 mcc->len = __len8(0);
1019
1020 *ptr = __fcs(buf); ptr++;
1021
1022 return rfcomm_send_frame(s, buf, ptr - buf);
1023 }
1024
rfcomm_send_fcon(struct rfcomm_session * s,int cr)1025 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1026 {
1027 struct rfcomm_hdr *hdr;
1028 struct rfcomm_mcc *mcc;
1029 u8 buf[16], *ptr = buf;
1030
1031 BT_DBG("%p cr %d", s, cr);
1032
1033 hdr = (void *) ptr; ptr += sizeof(*hdr);
1034 hdr->addr = __addr(s->initiator, 0);
1035 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1036 hdr->len = __len8(sizeof(*mcc));
1037
1038 mcc = (void *) ptr; ptr += sizeof(*mcc);
1039 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1040 mcc->len = __len8(0);
1041
1042 *ptr = __fcs(buf); ptr++;
1043
1044 return rfcomm_send_frame(s, buf, ptr - buf);
1045 }
1046
rfcomm_send_test(struct rfcomm_session * s,int cr,u8 * pattern,int len)1047 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1048 {
1049 struct socket *sock = s->sock;
1050 struct kvec iv[3];
1051 struct msghdr msg;
1052 unsigned char hdr[5], crc[1];
1053
1054 if (len > 125)
1055 return -EINVAL;
1056
1057 BT_DBG("%p cr %d", s, cr);
1058
1059 hdr[0] = __addr(s->initiator, 0);
1060 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1061 hdr[2] = 0x01 | ((len + 2) << 1);
1062 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1063 hdr[4] = 0x01 | (len << 1);
1064
1065 crc[0] = __fcs(hdr);
1066
1067 iv[0].iov_base = hdr;
1068 iv[0].iov_len = 5;
1069 iv[1].iov_base = pattern;
1070 iv[1].iov_len = len;
1071 iv[2].iov_base = crc;
1072 iv[2].iov_len = 1;
1073
1074 memset(&msg, 0, sizeof(msg));
1075
1076 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1077 }
1078
rfcomm_send_credits(struct rfcomm_session * s,u8 addr,u8 credits)1079 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1080 {
1081 struct rfcomm_hdr *hdr;
1082 u8 buf[16], *ptr = buf;
1083
1084 BT_DBG("%p addr %d credits %d", s, addr, credits);
1085
1086 hdr = (void *) ptr; ptr += sizeof(*hdr);
1087 hdr->addr = addr;
1088 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1089 hdr->len = __len8(0);
1090
1091 *ptr = credits; ptr++;
1092
1093 *ptr = __fcs(buf); ptr++;
1094
1095 return rfcomm_send_frame(s, buf, ptr - buf);
1096 }
1097
rfcomm_make_uih(struct sk_buff * skb,u8 addr)1098 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1099 {
1100 struct rfcomm_hdr *hdr;
1101 int len = skb->len;
1102 u8 *crc;
1103
1104 if (len > 127) {
1105 hdr = (void *) skb_push(skb, 4);
1106 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1107 } else {
1108 hdr = (void *) skb_push(skb, 3);
1109 hdr->len = __len8(len);
1110 }
1111 hdr->addr = addr;
1112 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1113
1114 crc = skb_put(skb, 1);
1115 *crc = __fcs((void *) hdr);
1116 }
1117
1118 /* ---- RFCOMM frame reception ---- */
rfcomm_recv_ua(struct rfcomm_session * s,u8 dlci)1119 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1120 {
1121 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1122
1123 if (dlci) {
1124 /* Data channel */
1125 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1126 if (!d) {
1127 rfcomm_send_dm(s, dlci);
1128 return 0;
1129 }
1130
1131 switch (d->state) {
1132 case BT_CONNECT:
1133 rfcomm_dlc_clear_timer(d);
1134
1135 rfcomm_dlc_lock(d);
1136 d->state = BT_CONNECTED;
1137 d->state_change(d, 0);
1138 rfcomm_dlc_unlock(d);
1139
1140 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1141 break;
1142
1143 case BT_DISCONN:
1144 d->state = BT_CLOSED;
1145 __rfcomm_dlc_close(d, 0);
1146
1147 if (list_empty(&s->dlcs)) {
1148 s->state = BT_DISCONN;
1149 rfcomm_send_disc(s, 0);
1150 }
1151
1152 break;
1153 }
1154 } else {
1155 /* Control channel */
1156 switch (s->state) {
1157 case BT_CONNECT:
1158 s->state = BT_CONNECTED;
1159 rfcomm_process_connect(s);
1160 break;
1161
1162 case BT_DISCONN:
1163 /* When socket is closed and we are not RFCOMM
1164 * initiator rfcomm_process_rx already calls
1165 * rfcomm_session_put() */
1166 if (s->sock->sk->sk_state != BT_CLOSED)
1167 if (list_empty(&s->dlcs))
1168 rfcomm_session_put(s);
1169 break;
1170 }
1171 }
1172 return 0;
1173 }
1174
rfcomm_recv_dm(struct rfcomm_session * s,u8 dlci)1175 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1176 {
1177 int err = 0;
1178
1179 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1180
1181 if (dlci) {
1182 /* Data DLC */
1183 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1184 if (d) {
1185 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1186 err = ECONNREFUSED;
1187 else
1188 err = ECONNRESET;
1189
1190 d->state = BT_CLOSED;
1191 __rfcomm_dlc_close(d, err);
1192 }
1193 } else {
1194 if (s->state == BT_CONNECT)
1195 err = ECONNREFUSED;
1196 else
1197 err = ECONNRESET;
1198
1199 s->state = BT_CLOSED;
1200 rfcomm_session_close(s, err);
1201 }
1202 return 0;
1203 }
1204
rfcomm_recv_disc(struct rfcomm_session * s,u8 dlci)1205 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1206 {
1207 int err = 0;
1208
1209 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1210
1211 if (dlci) {
1212 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1213 if (d) {
1214 rfcomm_send_ua(s, dlci);
1215
1216 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1217 err = ECONNREFUSED;
1218 else
1219 err = ECONNRESET;
1220
1221 d->state = BT_CLOSED;
1222 __rfcomm_dlc_close(d, err);
1223 } else
1224 rfcomm_send_dm(s, dlci);
1225
1226 } else {
1227 rfcomm_send_ua(s, 0);
1228
1229 if (s->state == BT_CONNECT)
1230 err = ECONNREFUSED;
1231 else
1232 err = ECONNRESET;
1233
1234 s->state = BT_CLOSED;
1235 rfcomm_session_close(s, err);
1236 }
1237
1238 return 0;
1239 }
1240
rfcomm_dlc_accept(struct rfcomm_dlc * d)1241 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1242 {
1243 struct sock *sk = d->session->sock->sk;
1244
1245 BT_DBG("dlc %p", d);
1246
1247 rfcomm_send_ua(d->session, d->dlci);
1248
1249 rfcomm_dlc_clear_timer(d);
1250
1251 rfcomm_dlc_lock(d);
1252 d->state = BT_CONNECTED;
1253 d->state_change(d, 0);
1254 rfcomm_dlc_unlock(d);
1255
1256 if (d->role_switch)
1257 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
1258
1259 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1260 }
1261
rfcomm_check_accept(struct rfcomm_dlc * d)1262 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1263 {
1264 if (rfcomm_check_security(d)) {
1265 if (d->defer_setup) {
1266 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1267 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1268
1269 rfcomm_dlc_lock(d);
1270 d->state = BT_CONNECT2;
1271 d->state_change(d, 0);
1272 rfcomm_dlc_unlock(d);
1273 } else
1274 rfcomm_dlc_accept(d);
1275 } else {
1276 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1277 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1278 }
1279 }
1280
rfcomm_recv_sabm(struct rfcomm_session * s,u8 dlci)1281 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1282 {
1283 struct rfcomm_dlc *d;
1284 u8 channel;
1285
1286 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1287
1288 if (!dlci) {
1289 rfcomm_send_ua(s, 0);
1290
1291 if (s->state == BT_OPEN) {
1292 s->state = BT_CONNECTED;
1293 rfcomm_process_connect(s);
1294 }
1295 return 0;
1296 }
1297
1298 /* Check if DLC exists */
1299 d = rfcomm_dlc_get(s, dlci);
1300 if (d) {
1301 if (d->state == BT_OPEN) {
1302 /* DLC was previously opened by PN request */
1303 rfcomm_check_accept(d);
1304 }
1305 return 0;
1306 }
1307
1308 /* Notify socket layer about incoming connection */
1309 channel = __srv_channel(dlci);
1310 if (rfcomm_connect_ind(s, channel, &d)) {
1311 d->dlci = dlci;
1312 d->addr = __addr(s->initiator, dlci);
1313 rfcomm_dlc_link(s, d);
1314
1315 rfcomm_check_accept(d);
1316 } else {
1317 rfcomm_send_dm(s, dlci);
1318 }
1319
1320 return 0;
1321 }
1322
rfcomm_apply_pn(struct rfcomm_dlc * d,int cr,struct rfcomm_pn * pn)1323 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1324 {
1325 struct rfcomm_session *s = d->session;
1326
1327 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1328 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1329
1330 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1331 pn->flow_ctrl == 0xe0) {
1332 d->cfc = RFCOMM_CFC_ENABLED;
1333 d->tx_credits = pn->credits;
1334 } else {
1335 d->cfc = RFCOMM_CFC_DISABLED;
1336 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1337 }
1338
1339 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1340 s->cfc = d->cfc;
1341
1342 d->priority = pn->priority;
1343
1344 d->mtu = __le16_to_cpu(pn->mtu);
1345
1346 if (cr && d->mtu > s->mtu)
1347 d->mtu = s->mtu;
1348
1349 return 0;
1350 }
1351
rfcomm_recv_pn(struct rfcomm_session * s,int cr,struct sk_buff * skb)1352 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1353 {
1354 struct rfcomm_pn *pn = (void *) skb->data;
1355 struct rfcomm_dlc *d;
1356 u8 dlci = pn->dlci;
1357
1358 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1359
1360 if (!dlci)
1361 return 0;
1362
1363 d = rfcomm_dlc_get(s, dlci);
1364 if (d) {
1365 if (cr) {
1366 /* PN request */
1367 rfcomm_apply_pn(d, cr, pn);
1368 rfcomm_send_pn(s, 0, d);
1369 } else {
1370 /* PN response */
1371 switch (d->state) {
1372 case BT_CONFIG:
1373 rfcomm_apply_pn(d, cr, pn);
1374
1375 d->state = BT_CONNECT;
1376 rfcomm_send_sabm(s, d->dlci);
1377 break;
1378 }
1379 }
1380 } else {
1381 u8 channel = __srv_channel(dlci);
1382
1383 if (!cr)
1384 return 0;
1385
1386 /* PN request for non existing DLC.
1387 * Assume incoming connection. */
1388 if (rfcomm_connect_ind(s, channel, &d)) {
1389 d->dlci = dlci;
1390 d->addr = __addr(s->initiator, dlci);
1391 rfcomm_dlc_link(s, d);
1392
1393 rfcomm_apply_pn(d, cr, pn);
1394
1395 d->state = BT_OPEN;
1396 rfcomm_send_pn(s, 0, d);
1397 } else {
1398 rfcomm_send_dm(s, dlci);
1399 }
1400 }
1401 return 0;
1402 }
1403
rfcomm_recv_rpn(struct rfcomm_session * s,int cr,int len,struct sk_buff * skb)1404 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1405 {
1406 struct rfcomm_rpn *rpn = (void *) skb->data;
1407 u8 dlci = __get_dlci(rpn->dlci);
1408
1409 u8 bit_rate = 0;
1410 u8 data_bits = 0;
1411 u8 stop_bits = 0;
1412 u8 parity = 0;
1413 u8 flow_ctrl = 0;
1414 u8 xon_char = 0;
1415 u8 xoff_char = 0;
1416 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1417
1418 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1419 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1420 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1421
1422 if (!cr)
1423 return 0;
1424
1425 if (len == 1) {
1426 /* This is a request, return default (according to ETSI TS 07.10) settings */
1427 bit_rate = RFCOMM_RPN_BR_9600;
1428 data_bits = RFCOMM_RPN_DATA_8;
1429 stop_bits = RFCOMM_RPN_STOP_1;
1430 parity = RFCOMM_RPN_PARITY_NONE;
1431 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1432 xon_char = RFCOMM_RPN_XON_CHAR;
1433 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1434 goto rpn_out;
1435 }
1436
1437 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1438 * no parity, no flow control lines, normal XON/XOFF chars */
1439
1440 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1441 bit_rate = rpn->bit_rate;
1442 if (bit_rate > RFCOMM_RPN_BR_230400) {
1443 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1444 bit_rate = RFCOMM_RPN_BR_9600;
1445 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1446 }
1447 }
1448
1449 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1450 data_bits = __get_rpn_data_bits(rpn->line_settings);
1451 if (data_bits != RFCOMM_RPN_DATA_8) {
1452 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1453 data_bits = RFCOMM_RPN_DATA_8;
1454 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1455 }
1456 }
1457
1458 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1459 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1460 if (stop_bits != RFCOMM_RPN_STOP_1) {
1461 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1462 stop_bits = RFCOMM_RPN_STOP_1;
1463 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1464 }
1465 }
1466
1467 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1468 parity = __get_rpn_parity(rpn->line_settings);
1469 if (parity != RFCOMM_RPN_PARITY_NONE) {
1470 BT_DBG("RPN parity mismatch 0x%x", parity);
1471 parity = RFCOMM_RPN_PARITY_NONE;
1472 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1473 }
1474 }
1475
1476 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1477 flow_ctrl = rpn->flow_ctrl;
1478 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1479 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1480 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1481 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1482 }
1483 }
1484
1485 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1486 xon_char = rpn->xon_char;
1487 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1488 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1489 xon_char = RFCOMM_RPN_XON_CHAR;
1490 rpn_mask ^= RFCOMM_RPN_PM_XON;
1491 }
1492 }
1493
1494 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1495 xoff_char = rpn->xoff_char;
1496 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1497 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1498 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1499 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1500 }
1501 }
1502
1503 rpn_out:
1504 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1505 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1506
1507 return 0;
1508 }
1509
rfcomm_recv_rls(struct rfcomm_session * s,int cr,struct sk_buff * skb)1510 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1511 {
1512 struct rfcomm_rls *rls = (void *) skb->data;
1513 u8 dlci = __get_dlci(rls->dlci);
1514
1515 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1516
1517 if (!cr)
1518 return 0;
1519
1520 /* We should probably do something with this information here. But
1521 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1522 * mandatory to recognise and respond to RLS */
1523
1524 rfcomm_send_rls(s, 0, dlci, rls->status);
1525
1526 return 0;
1527 }
1528
rfcomm_recv_msc(struct rfcomm_session * s,int cr,struct sk_buff * skb)1529 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1530 {
1531 struct rfcomm_msc *msc = (void *) skb->data;
1532 struct rfcomm_dlc *d;
1533 u8 dlci = __get_dlci(msc->dlci);
1534
1535 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1536
1537 d = rfcomm_dlc_get(s, dlci);
1538 if (!d)
1539 return 0;
1540
1541 if (cr) {
1542 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1543 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1544 else
1545 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1546
1547 rfcomm_dlc_lock(d);
1548
1549 d->remote_v24_sig = msc->v24_sig;
1550
1551 if (d->modem_status)
1552 d->modem_status(d, msc->v24_sig);
1553
1554 rfcomm_dlc_unlock(d);
1555
1556 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1557
1558 d->mscex |= RFCOMM_MSCEX_RX;
1559 } else
1560 d->mscex |= RFCOMM_MSCEX_TX;
1561
1562 return 0;
1563 }
1564
rfcomm_recv_mcc(struct rfcomm_session * s,struct sk_buff * skb)1565 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1566 {
1567 struct rfcomm_mcc *mcc = (void *) skb->data;
1568 u8 type, cr, len;
1569
1570 cr = __test_cr(mcc->type);
1571 type = __get_mcc_type(mcc->type);
1572 len = __get_mcc_len(mcc->len);
1573
1574 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1575
1576 skb_pull(skb, 2);
1577
1578 switch (type) {
1579 case RFCOMM_PN:
1580 rfcomm_recv_pn(s, cr, skb);
1581 break;
1582
1583 case RFCOMM_RPN:
1584 rfcomm_recv_rpn(s, cr, len, skb);
1585 break;
1586
1587 case RFCOMM_RLS:
1588 rfcomm_recv_rls(s, cr, skb);
1589 break;
1590
1591 case RFCOMM_MSC:
1592 rfcomm_recv_msc(s, cr, skb);
1593 break;
1594
1595 case RFCOMM_FCOFF:
1596 if (cr) {
1597 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1598 rfcomm_send_fcoff(s, 0);
1599 }
1600 break;
1601
1602 case RFCOMM_FCON:
1603 if (cr) {
1604 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1605 rfcomm_send_fcon(s, 0);
1606 }
1607 break;
1608
1609 case RFCOMM_TEST:
1610 if (cr)
1611 rfcomm_send_test(s, 0, skb->data, skb->len);
1612 break;
1613
1614 case RFCOMM_NSC:
1615 break;
1616
1617 default:
1618 BT_ERR("Unknown control type 0x%02x", type);
1619 rfcomm_send_nsc(s, cr, type);
1620 break;
1621 }
1622 return 0;
1623 }
1624
rfcomm_recv_data(struct rfcomm_session * s,u8 dlci,int pf,struct sk_buff * skb)1625 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1626 {
1627 struct rfcomm_dlc *d;
1628
1629 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1630
1631 d = rfcomm_dlc_get(s, dlci);
1632 if (!d) {
1633 rfcomm_send_dm(s, dlci);
1634 goto drop;
1635 }
1636
1637 if (pf && d->cfc) {
1638 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1639
1640 d->tx_credits += credits;
1641 if (d->tx_credits)
1642 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1643 }
1644
1645 if (skb->len && d->state == BT_CONNECTED) {
1646 rfcomm_dlc_lock(d);
1647 d->rx_credits--;
1648 d->data_ready(d, skb);
1649 rfcomm_dlc_unlock(d);
1650 return 0;
1651 }
1652
1653 drop:
1654 kfree_skb(skb);
1655 return 0;
1656 }
1657
rfcomm_recv_frame(struct rfcomm_session * s,struct sk_buff * skb)1658 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1659 {
1660 struct rfcomm_hdr *hdr = (void *) skb->data;
1661 u8 type, dlci, fcs;
1662
1663 dlci = __get_dlci(hdr->addr);
1664 type = __get_type(hdr->ctrl);
1665
1666 /* Trim FCS */
1667 skb->len--; skb->tail--;
1668 fcs = *(u8 *)skb_tail_pointer(skb);
1669
1670 if (__check_fcs(skb->data, type, fcs)) {
1671 BT_ERR("bad checksum in packet");
1672 kfree_skb(skb);
1673 return -EILSEQ;
1674 }
1675
1676 if (__test_ea(hdr->len))
1677 skb_pull(skb, 3);
1678 else
1679 skb_pull(skb, 4);
1680
1681 switch (type) {
1682 case RFCOMM_SABM:
1683 if (__test_pf(hdr->ctrl))
1684 rfcomm_recv_sabm(s, dlci);
1685 break;
1686
1687 case RFCOMM_DISC:
1688 if (__test_pf(hdr->ctrl))
1689 rfcomm_recv_disc(s, dlci);
1690 break;
1691
1692 case RFCOMM_UA:
1693 if (__test_pf(hdr->ctrl))
1694 rfcomm_recv_ua(s, dlci);
1695 break;
1696
1697 case RFCOMM_DM:
1698 rfcomm_recv_dm(s, dlci);
1699 break;
1700
1701 case RFCOMM_UIH:
1702 if (dlci)
1703 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1704
1705 rfcomm_recv_mcc(s, skb);
1706 break;
1707
1708 default:
1709 BT_ERR("Unknown packet type 0x%02x", type);
1710 break;
1711 }
1712 kfree_skb(skb);
1713 return 0;
1714 }
1715
1716 /* ---- Connection and data processing ---- */
1717
rfcomm_process_connect(struct rfcomm_session * s)1718 static void rfcomm_process_connect(struct rfcomm_session *s)
1719 {
1720 struct rfcomm_dlc *d;
1721 struct list_head *p, *n;
1722
1723 BT_DBG("session %p state %ld", s, s->state);
1724
1725 list_for_each_safe(p, n, &s->dlcs) {
1726 d = list_entry(p, struct rfcomm_dlc, list);
1727 if (d->state == BT_CONFIG) {
1728 d->mtu = s->mtu;
1729 if (rfcomm_check_security(d)) {
1730 rfcomm_send_pn(s, 1, d);
1731 } else {
1732 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1733 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1734 }
1735 }
1736 }
1737 }
1738
1739 /* Send data queued for the DLC.
1740 * Return number of frames left in the queue.
1741 */
rfcomm_process_tx(struct rfcomm_dlc * d)1742 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1743 {
1744 struct sk_buff *skb;
1745 int err;
1746
1747 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1748 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1749
1750 /* Send pending MSC */
1751 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1752 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1753
1754 if (d->cfc) {
1755 /* CFC enabled.
1756 * Give them some credits */
1757 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1758 d->rx_credits <= (d->cfc >> 2)) {
1759 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1760 d->rx_credits = d->cfc;
1761 }
1762 } else {
1763 /* CFC disabled.
1764 * Give ourselves some credits */
1765 d->tx_credits = 5;
1766 }
1767
1768 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1769 return skb_queue_len(&d->tx_queue);
1770
1771 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1772 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1773 if (err < 0) {
1774 skb_queue_head(&d->tx_queue, skb);
1775 break;
1776 }
1777 kfree_skb(skb);
1778 d->tx_credits--;
1779 }
1780
1781 if (d->cfc && !d->tx_credits) {
1782 /* We're out of TX credits.
1783 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1784 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1785 }
1786
1787 return skb_queue_len(&d->tx_queue);
1788 }
1789
rfcomm_process_dlcs(struct rfcomm_session * s)1790 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1791 {
1792 struct rfcomm_dlc *d;
1793 struct list_head *p, *n;
1794
1795 BT_DBG("session %p state %ld", s, s->state);
1796
1797 list_for_each_safe(p, n, &s->dlcs) {
1798 d = list_entry(p, struct rfcomm_dlc, list);
1799
1800 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1801 __rfcomm_dlc_close(d, ETIMEDOUT);
1802 continue;
1803 }
1804
1805 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1806 rfcomm_dlc_clear_timer(d);
1807 if (d->out) {
1808 rfcomm_send_pn(s, 1, d);
1809 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1810 } else {
1811 if (d->defer_setup) {
1812 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1813 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1814
1815 rfcomm_dlc_lock(d);
1816 d->state = BT_CONNECT2;
1817 d->state_change(d, 0);
1818 rfcomm_dlc_unlock(d);
1819 } else
1820 rfcomm_dlc_accept(d);
1821 }
1822 continue;
1823 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1824 rfcomm_dlc_clear_timer(d);
1825 if (!d->out)
1826 rfcomm_send_dm(s, d->dlci);
1827 else
1828 d->state = BT_CLOSED;
1829 __rfcomm_dlc_close(d, ECONNREFUSED);
1830 continue;
1831 }
1832
1833 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1834 continue;
1835
1836 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1837 continue;
1838
1839 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1840 d->mscex == RFCOMM_MSCEX_OK)
1841 rfcomm_process_tx(d);
1842 }
1843 }
1844
rfcomm_process_rx(struct rfcomm_session * s)1845 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1846 {
1847 struct socket *sock = s->sock;
1848 struct sock *sk = sock->sk;
1849 struct sk_buff *skb;
1850
1851 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1852
1853 /* Get data directly from socket receive queue without copying it. */
1854 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1855 skb_orphan(skb);
1856 rfcomm_recv_frame(s, skb);
1857 }
1858
1859 if (sk->sk_state == BT_CLOSED) {
1860 if (!s->initiator)
1861 rfcomm_session_put(s);
1862
1863 rfcomm_session_close(s, sk->sk_err);
1864 }
1865 }
1866
rfcomm_accept_connection(struct rfcomm_session * s)1867 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1868 {
1869 struct socket *sock = s->sock, *nsock;
1870 int err;
1871
1872 /* Fast check for a new connection.
1873 * Avoids unnesesary socket allocations. */
1874 if (list_empty(&bt_sk(sock->sk)->accept_q))
1875 return;
1876
1877 BT_DBG("session %p", s);
1878
1879 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1880 if (err < 0)
1881 return;
1882
1883 /* Set our callbacks */
1884 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1885 nsock->sk->sk_state_change = rfcomm_l2state_change;
1886
1887 s = rfcomm_session_add(nsock, BT_OPEN);
1888 if (s) {
1889 rfcomm_session_hold(s);
1890
1891 /* We should adjust MTU on incoming sessions.
1892 * L2CAP MTU minus UIH header and FCS. */
1893 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
1894
1895 rfcomm_schedule();
1896 } else
1897 sock_release(nsock);
1898 }
1899
rfcomm_check_connection(struct rfcomm_session * s)1900 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1901 {
1902 struct sock *sk = s->sock->sk;
1903
1904 BT_DBG("%p state %ld", s, s->state);
1905
1906 switch (sk->sk_state) {
1907 case BT_CONNECTED:
1908 s->state = BT_CONNECT;
1909
1910 /* We can adjust MTU on outgoing sessions.
1911 * L2CAP MTU minus UIH header and FCS. */
1912 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
1913
1914 rfcomm_send_sabm(s, 0);
1915 break;
1916
1917 case BT_CLOSED:
1918 s->state = BT_CLOSED;
1919 rfcomm_session_close(s, sk->sk_err);
1920 break;
1921 }
1922 }
1923
rfcomm_process_sessions(void)1924 static inline void rfcomm_process_sessions(void)
1925 {
1926 struct list_head *p, *n;
1927
1928 rfcomm_lock();
1929
1930 list_for_each_safe(p, n, &session_list) {
1931 struct rfcomm_session *s;
1932 s = list_entry(p, struct rfcomm_session, list);
1933
1934 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1935 s->state = BT_DISCONN;
1936 rfcomm_send_disc(s, 0);
1937 rfcomm_session_put(s);
1938 continue;
1939 }
1940
1941 if (s->state == BT_LISTEN) {
1942 rfcomm_accept_connection(s);
1943 continue;
1944 }
1945
1946 rfcomm_session_hold(s);
1947
1948 switch (s->state) {
1949 case BT_BOUND:
1950 rfcomm_check_connection(s);
1951 break;
1952
1953 default:
1954 rfcomm_process_rx(s);
1955 break;
1956 }
1957
1958 rfcomm_process_dlcs(s);
1959
1960 rfcomm_session_put(s);
1961 }
1962
1963 rfcomm_unlock();
1964 }
1965
rfcomm_add_listener(bdaddr_t * ba)1966 static int rfcomm_add_listener(bdaddr_t *ba)
1967 {
1968 struct sockaddr_l2 addr;
1969 struct socket *sock;
1970 struct sock *sk;
1971 struct rfcomm_session *s;
1972 int err = 0;
1973
1974 /* Create socket */
1975 err = rfcomm_l2sock_create(&sock);
1976 if (err < 0) {
1977 BT_ERR("Create socket failed %d", err);
1978 return err;
1979 }
1980
1981 /* Bind socket */
1982 bacpy(&addr.l2_bdaddr, ba);
1983 addr.l2_family = AF_BLUETOOTH;
1984 addr.l2_psm = cpu_to_le16(RFCOMM_PSM);
1985 addr.l2_cid = 0;
1986 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1987 if (err < 0) {
1988 BT_ERR("Bind failed %d", err);
1989 goto failed;
1990 }
1991
1992 /* Set L2CAP options */
1993 sk = sock->sk;
1994 lock_sock(sk);
1995 l2cap_pi(sk)->imtu = l2cap_mtu;
1996 release_sock(sk);
1997
1998 /* Start listening on the socket */
1999 err = kernel_listen(sock, 10);
2000 if (err) {
2001 BT_ERR("Listen failed %d", err);
2002 goto failed;
2003 }
2004
2005 /* Add listening session */
2006 s = rfcomm_session_add(sock, BT_LISTEN);
2007 if (!s)
2008 goto failed;
2009
2010 rfcomm_session_hold(s);
2011 return 0;
2012 failed:
2013 sock_release(sock);
2014 return err;
2015 }
2016
rfcomm_kill_listener(void)2017 static void rfcomm_kill_listener(void)
2018 {
2019 struct rfcomm_session *s;
2020 struct list_head *p, *n;
2021
2022 BT_DBG("");
2023
2024 list_for_each_safe(p, n, &session_list) {
2025 s = list_entry(p, struct rfcomm_session, list);
2026 rfcomm_session_del(s);
2027 }
2028 }
2029
rfcomm_run(void * unused)2030 static int rfcomm_run(void *unused)
2031 {
2032 BT_DBG("");
2033
2034 set_user_nice(current, -10);
2035
2036 rfcomm_add_listener(BDADDR_ANY);
2037
2038 while (!kthread_should_stop()) {
2039 set_current_state(TASK_INTERRUPTIBLE);
2040 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) {
2041 /* No pending events. Let's sleep.
2042 * Incoming connections and data will wake us up. */
2043 schedule();
2044 }
2045 set_current_state(TASK_RUNNING);
2046
2047 /* Process stuff */
2048 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
2049 rfcomm_process_sessions();
2050 }
2051
2052 rfcomm_kill_listener();
2053
2054 return 0;
2055 }
2056
rfcomm_security_cfm(struct hci_conn * conn,u8 status,u8 encrypt)2057 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2058 {
2059 struct rfcomm_session *s;
2060 struct rfcomm_dlc *d;
2061 struct list_head *p, *n;
2062
2063 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2064
2065 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2066 if (!s)
2067 return;
2068
2069 rfcomm_session_hold(s);
2070
2071 list_for_each_safe(p, n, &s->dlcs) {
2072 d = list_entry(p, struct rfcomm_dlc, list);
2073
2074 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2075 rfcomm_dlc_clear_timer(d);
2076 if (status || encrypt == 0x00) {
2077 __rfcomm_dlc_close(d, ECONNREFUSED);
2078 continue;
2079 }
2080 }
2081
2082 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2083 if (d->sec_level == BT_SECURITY_MEDIUM) {
2084 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2085 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2086 continue;
2087 } else if (d->sec_level == BT_SECURITY_HIGH) {
2088 __rfcomm_dlc_close(d, ECONNREFUSED);
2089 continue;
2090 }
2091 }
2092
2093 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2094 continue;
2095
2096 if (!status)
2097 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2098 else
2099 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2100 }
2101
2102 rfcomm_session_put(s);
2103
2104 rfcomm_schedule();
2105 }
2106
2107 static struct hci_cb rfcomm_cb = {
2108 .name = "RFCOMM",
2109 .security_cfm = rfcomm_security_cfm
2110 };
2111
rfcomm_dlc_debugfs_show(struct seq_file * f,void * x)2112 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2113 {
2114 struct rfcomm_session *s;
2115 struct list_head *pp, *p;
2116
2117 rfcomm_lock();
2118
2119 list_for_each(p, &session_list) {
2120 s = list_entry(p, struct rfcomm_session, list);
2121 list_for_each(pp, &s->dlcs) {
2122 struct sock *sk = s->sock->sk;
2123 struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2124
2125 seq_printf(f, "%s %s %ld %d %d %d %d\n",
2126 batostr(&bt_sk(sk)->src),
2127 batostr(&bt_sk(sk)->dst),
2128 d->state, d->dlci, d->mtu,
2129 d->rx_credits, d->tx_credits);
2130 }
2131 }
2132
2133 rfcomm_unlock();
2134
2135 return 0;
2136 }
2137
rfcomm_dlc_debugfs_open(struct inode * inode,struct file * file)2138 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2139 {
2140 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2141 }
2142
2143 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2144 .open = rfcomm_dlc_debugfs_open,
2145 .read = seq_read,
2146 .llseek = seq_lseek,
2147 .release = single_release,
2148 };
2149
2150 static struct dentry *rfcomm_dlc_debugfs;
2151
2152 /* ---- Initialization ---- */
rfcomm_init(void)2153 static int __init rfcomm_init(void)
2154 {
2155 int err;
2156
2157 hci_register_cb(&rfcomm_cb);
2158
2159 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2160 if (IS_ERR(rfcomm_thread)) {
2161 err = PTR_ERR(rfcomm_thread);
2162 goto unregister;
2163 }
2164
2165 if (bt_debugfs) {
2166 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2167 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2168 if (!rfcomm_dlc_debugfs)
2169 BT_ERR("Failed to create RFCOMM debug file");
2170 }
2171
2172 err = rfcomm_init_ttys();
2173 if (err < 0)
2174 goto stop;
2175
2176 err = rfcomm_init_sockets();
2177 if (err < 0)
2178 goto cleanup;
2179
2180 BT_INFO("RFCOMM ver %s", VERSION);
2181
2182 return 0;
2183
2184 cleanup:
2185 rfcomm_cleanup_ttys();
2186
2187 stop:
2188 kthread_stop(rfcomm_thread);
2189
2190 unregister:
2191 hci_unregister_cb(&rfcomm_cb);
2192
2193 return err;
2194 }
2195
rfcomm_exit(void)2196 static void __exit rfcomm_exit(void)
2197 {
2198 debugfs_remove(rfcomm_dlc_debugfs);
2199
2200 hci_unregister_cb(&rfcomm_cb);
2201
2202 kthread_stop(rfcomm_thread);
2203
2204 rfcomm_cleanup_ttys();
2205
2206 rfcomm_cleanup_sockets();
2207 }
2208
2209 module_init(rfcomm_init);
2210 module_exit(rfcomm_exit);
2211
2212 module_param(disable_cfc, bool, 0644);
2213 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2214
2215 module_param(channel_mtu, int, 0644);
2216 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2217
2218 module_param(l2cap_mtu, uint, 0644);
2219 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2220
2221 module_param(l2cap_ertm, bool, 0644);
2222 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2223
2224 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2225 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2226 MODULE_VERSION(VERSION);
2227 MODULE_LICENSE("GPL");
2228 MODULE_ALIAS("bt-proto-3");
2229