1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 4 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 5 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 6 7 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 8 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 9 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 10 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 11 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 12 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 16 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 17 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 18 SOFTWARE IS DISCLAIMED. 19 */ 20 21 /* 22 * Bluetooth RFCOMM core. 
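 */

#include <linux/module.h>
#include <linux/debugfs.h>
#include <linux/kthread.h>
#include <linux/unaligned.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include <net/bluetooth/rfcomm.h>

#include <trace/events/sock.h>

#define VERSION "1.11"

/* Module parameters (set elsewhere in this file): disable credit based flow
 * control, request L2CAP ERTM for the session socket, and an override for the
 * MTU we advertise in our own PN requests (-1 = use the DLC's MTU).
 */
static bool disable_cfc;
static bool l2cap_ertm;
static int channel_mtu = -1;

static struct task_struct *rfcomm_thread;

/* Single mutex serialising session/DLC list manipulation and the RFCOMM
 * state machine against the rfcomm kthread.
 */
static DEFINE_MUTEX(rfcomm_mutex);
#define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
#define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)


static LIST_HEAD(session_list);

static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
static int rfcomm_queue_disc(struct rfcomm_dlc *d);
static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);

static void rfcomm_process_connect(struct rfcomm_session *s);

static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
							bdaddr_t *dst,
							u8 sec_level,
							int *err);
static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);

/* ---- RFCOMM frame parsing macros ----
 * All arguments are fully parenthesised so that callers may pass arbitrary
 * expressions (e.g. "!s->initiator") without precedence surprises.
 */
#define __get_dlci(b)	(((b) & 0xfc) >> 2)
#define __get_type(b)	((b) & 0xef)

#define __test_ea(b)	((b) & 0x01)
#define __test_cr(b)	(!!((b) & 0x02))
#define __test_pf(b)	(!!((b) & 0x10))

/* Direction bit of a DLCI: 0 when we initiated the session, 1 otherwise. */
#define __session_dir(s)	((s)->initiator ? 0x00 : 0x01)

/* Address octet: 6-bit DLCI, C/R bit, EA bit always set. */
#define __addr(cr, dlci)	(((((dlci) & 0x3f) << 2) | ((cr) << 1) | 0x01))
/* Control octet: frame type with the P/F bit (bit 4) supplied separately. */
#define __ctrl(type, pf)	((((type) & 0xef) | ((pf) << 4)))
/* DLCI from a 5-bit server channel and a direction bit. */
#define __dlci(dir, chn)	(((((chn) & 0x1f) << 1) | (dir)))
#define __srv_channel(dlci)	((dlci) >> 1)

/* Length field encodings: one octet with EA set (7-bit length) or two octets
 * with EA clear (15-bit length).
 */
#define __len8(len)	(((len) << 1) | 1)
#define __len16(len)	((len) << 1)

/* MCC macros */
#define __mcc_type(cr, type)	(((((type) << 2) | ((cr) << 1) | 0x01)))
#define __get_mcc_type(b)	(((b) & 0xfc) >> 2)
#define __get_mcc_len(b)	(((b) & 0xfe) >> 1)

/* RPN macros */
#define __rpn_line_settings(data, stop, parity)  (((data) & 0x3) | (((stop) & 0x1) << 2) | (((parity) & 0x7) << 3))
#define __get_rpn_data_bits(line) ((line) & 0x3)
#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
#define __get_rpn_parity(line)    (((line) >> 3) & 0x7)

static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);

/* Kick the rfcomm kthread so it re-examines all sessions. */
static void rfcomm_schedule(void)
{
	wake_up_all(&rfcomm_wq);
}

/* ---- RFCOMM FCS computation ---- */

/* reversed, 8-bit, poly=0x07
 *
 * The table is only ever read (see __crc/__fcs2/__check_fcs), so it lives in
 * read-only data; nothing at runtime should be able to retarget the checksum.
 */
static const unsigned char rfcomm_crc_table[256] = {
	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,

	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,

	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,

	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,

	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,

	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,

	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,

	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
};

/* CRC on 2 bytes (address and control octets) */
#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ (data)[0]] ^ (data)[1]])

/* FCS on 2 bytes: used for UIH frames, whose FCS covers address + control only. */
static inline u8 __fcs(u8 *data)
{
	return 0xff - __crc(data);
}

/* FCS on 3 bytes: used for SABM/UA/DM/DISC, whose FCS also covers the length octet. */
static inline u8 __fcs2(u8 *data)
{
	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
}

/* Check FCS.
 *
 * @data: start of the frame (address octet first)
 * @type: frame type; anything other than RFCOMM_UIH includes the length octet
 * @fcs:  FCS octet received with the frame
 *
 * Returns 0 when the received FCS verifies and nonzero when the residue is not
 * the expected constant 0xcf, i.e. the frame fails its checksum.
 */
static inline int __check_fcs(u8 *data, int type, u8 fcs)
{
	u8 f = __crc(data);

	if (type != RFCOMM_UIH)
		f = rfcomm_crc_table[f ^ data[2]];

	return rfcomm_crc_table[f ^ fcs] != 0xcf;
}

/* ---- L2CAP callbacks ----
 * Both callbacks run in socket callback context and only wake the rfcomm
 * kthread; all real work happens there under rfcomm_lock().
 */
static void rfcomm_l2state_change(struct sock *sk)
{
	BT_DBG("%p state %d", sk, sk->sk_state);
	rfcomm_schedule();
}

static void rfcomm_l2data_ready(struct sock *sk)
{
	trace_sk_data_ready(sk);

	BT_DBG("%p", sk);
	rfcomm_schedule();
}

/* Create the kernel L2CAP SEQPACKET socket that carries a session and hook
 * its data-ready / state-change callbacks to the rfcomm scheduler.
 * Returns 0 on success or the negative error from sock_create_kern().
 */
static int rfcomm_l2sock_create(struct socket **sock)
{
	int err;

	BT_DBG("");

	err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
	if (!err) {
		struct sock *sk = (*sock)->sk;
		sk->sk_data_ready   = rfcomm_l2data_ready;
		sk->sk_state_change = rfcomm_l2state_change;
	}
	return err;
}

/* Map the DLC's requested security level to an HCI authentication type and ask
 * the ACL link to satisfy it. HIGH and FIPS both demand MITM protection;
 * MEDIUM demands bonding; anything lower asks for no bonding.
 * Returns the result of hci_conn_security(): nonzero when the link already
 * meets the requirement, 0 when authentication has been started and the
 * caller must wait (see RFCOMM_AUTH_PENDING).
 */
static int rfcomm_check_security(struct rfcomm_dlc *d)
{
	struct sock *sk = d->session->sock->sk;
	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;

	__u8 auth_type;

	switch (d->sec_level) {
	case BT_SECURITY_HIGH:
	case BT_SECURITY_FIPS:
		auth_type = HCI_AT_GENERAL_BONDING_MITM;
		break;
	case BT_SECURITY_MEDIUM:
		auth_type = HCI_AT_GENERAL_BONDING;
		break;
	default:
		auth_type = HCI_AT_NO_BONDING;
		break;
	}

	return hci_conn_security(conn->hcon, d->sec_level, auth_type,
				 d->out);
}

/* Session idle/disconnect timer: just flag the session and let the kthread act. */
static void rfcomm_session_timeout(struct timer_list *t)
{
	struct rfcomm_session *s = timer_container_of(s, t, timer);

	BT_DBG("session %p state %ld", s, s->state);

	set_bit(RFCOMM_TIMED_OUT, &s->flags);
	rfcomm_schedule();
}

static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
{
	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);

	mod_timer(&s->timer, jiffies + timeout);
}

/* Synchronous delete: safe to free the session afterwards. */
static void rfcomm_session_clear_timer(struct rfcomm_session *s)
{
	BT_DBG("session %p state %ld", s, s->state);

	timer_delete_sync(&s->timer);
}

/* ---- RFCOMM DLCs ---- */

/* DLC timer expiry. Drops the reference taken by rfcomm_dlc_set_timer()
 * when it armed the timer, then wakes the kthread.
 */
static void rfcomm_dlc_timeout(struct timer_list *t)
{
	struct rfcomm_dlc *d = timer_container_of(d, t, timer);

	BT_DBG("dlc %p state %ld", d, d->state);

	set_bit(RFCOMM_TIMED_OUT, &d->flags);
	rfcomm_dlc_put(d);
	rfcomm_schedule();
}

/* Arm (or re-arm) the DLC timer. A pending timer already holds a reference;
 * only take a new one when mod_timer() reports the timer was inactive.
 */
static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
{
	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);

	if (!mod_timer(&d->timer, jiffies + timeout))
		rfcomm_dlc_hold(d);
}

/* Cancel the DLC timer, releasing its reference only if it was still pending. */
static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
{
	BT_DBG("dlc %p state %ld", d, d->state);

	if (timer_delete(&d->timer))
		rfcomm_dlc_put(d);
}

/* Reset a DLC to its pristine, unconnected defaults (also used on re-open). */
static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
{
	BT_DBG("%p", d);

	d->state      = BT_OPEN;
	d->flags      = 0;
	d->mscex      = 0;
	d->sec_level  = BT_SECURITY_LOW;
	d->mtu        = RFCOMM_DEFAULT_MTU;
	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;

	d->cfc        = RFCOMM_CFC_DISABLED;
	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
}

/* Allocate a zeroed DLC with one reference held by the caller. */
struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
{
	struct rfcomm_dlc *d = kzalloc_obj(*d, prio);

	if (!d)
		return NULL;

	timer_setup(&d->timer, rfcomm_dlc_timeout, 0);

	skb_queue_head_init(&d->tx_queue);
	mutex_init(&d->lock);
	refcount_set(&d->refcnt, 1);

	rfcomm_dlc_clear_state(d);

	BT_DBG("%p", d);

	return d;
}

/* Final release: drop any unsent frames and free the DLC. */
void rfcomm_dlc_free(struct rfcomm_dlc *d)
{
	BT_DBG("%p", d);

	skb_queue_purge(&d->tx_queue);
	kfree(d);
}

/* Attach a DLC to a session. The session stops its idle timer because it now
 * has a user, and the session list holds its own reference on the DLC.
 */
static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
{
	BT_DBG("dlc %p session %p", d, s);

	rfcomm_session_clear_timer(s);
	rfcomm_dlc_hold(d);
	list_add(&d->list, &s->dlcs);
	d->session = s;
}

/* Detach a DLC from its session, dropping the list's reference. When the
 * session is left without DLCs, start its idle timer so it can be torn down.
 */
static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
{
	struct rfcomm_session *s = d->session;

	BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);

	list_del(&d->list);
	d->session = NULL;
	rfcomm_dlc_put(d);

	if (list_empty(&s->dlcs))
		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
}

/* Look up a DLC by DLCI within one session; NULL if not present. */
static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
{
	struct rfcomm_dlc *d;

	list_for_each_entry(d, &s->dlcs, list)
		if (d->dlci == dlci)
			return d;

	return NULL;
}

/* Server channels are 1..30 (TS 07.10 reserves 0 and 31).
 * Returns nonzero when @channel is INVALID.
 */
static int rfcomm_check_channel(u8 channel)
{
	return channel < 1 || channel > 30;
}

/* Open (connect) a DLC to @dst on server @channel. Caller holds rfcomm_lock().
 *
 * Returns 0 on success or when the DLC is already in progress, -EINVAL for an
 * out-of-range channel, -EBUSY if this DLCI already exists on the session, or
 * the error from rfcomm_session_create() when a new session cannot be set up.
 */
static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
{
	struct rfcomm_session *s;
	int err = 0;
	u8 dlci;

	BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
	       d, d->state, src, dst, channel);

	if (rfcomm_check_channel(channel))
		return -EINVAL;

	/* Only a fresh or fully closed DLC may be (re)opened. */
	if (d->state != BT_OPEN && d->state != BT_CLOSED)
		return 0;

	s = rfcomm_session_get(src, dst);
	if (!s) {
		s = rfcomm_session_create(src, dst, d->sec_level, &err);
		if (!s)
			return err;
	}

	dlci = __dlci(__session_dir(s), channel);

	/* Check if DLCI already exists */
	if (rfcomm_dlc_get(s, dlci))
		return -EBUSY;

	rfcomm_dlc_clear_state(d);

	d->dlci     = dlci;
	d->addr     = __addr(s->initiator, dlci);
	d->priority = 7;

	d->state = BT_CONFIG;
	rfcomm_dlc_link(s, d);

	d->out = 1;

	d->mtu = s->mtu;
	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;

	/* If the session is already up, negotiate now; otherwise the PN is sent
	 * from rfcomm_process_connect() once the session connects. Security
	 * must be satisfied first; if authentication was only started, defer.
	 */
	if (s->state == BT_CONNECTED) {
		if (rfcomm_check_security(d))
			rfcomm_send_pn(s, 1, d);
		else
			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
	}

	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);

	return 0;
}

/* Public wrapper for __rfcomm_dlc_open() that takes rfcomm_lock(). */
int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
{
	int r;

	rfcomm_lock();

	r = __rfcomm_dlc_open(d, src, dst, channel);

	rfcomm_unlock();
	return r;
}

/* Start an orderly disconnect of a DLC. If frames are still queued the DISC
 * is appended behind them (and the timeout doubled); otherwise it is sent now.
 */
static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
{
	struct rfcomm_session *s = d->session;

	d->state = BT_DISCONN;
	if (skb_queue_empty(&d->tx_queue)) {
		rfcomm_send_disc(s, d->dlci);
		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
	} else {
		rfcomm_queue_disc(d);
		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
	}
}

/* Close a DLC. Caller holds rfcomm_lock() and has verified the DLC is still
 * linked (see rfcomm_dlc_close()).
 *
 * A DLC still in deferred-setup (BT_CONNECT2 with RFCOMM_DEFER_SETUP) is
 * rejected asynchronously via RFCOMM_AUTH_REJECT instead of being torn down
 * here. Connected/connecting DLCs get an orderly DISC; everything else is
 * closed immediately, notifying the owner through state_change(), purging the
 * tx queue and unlinking from the session. Always returns 0.
 */
static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
{
	struct rfcomm_session *s = d->session;
	if (!s)
		return 0;

	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
	       d, d->state, d->dlci, err, s);

	switch (d->state) {
	case BT_CONNECT:
	case BT_CONFIG:
	case BT_OPEN:
	case BT_CONNECT2:
		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
			rfcomm_schedule();
			return 0;
		}
	}

	switch (d->state) {
	case BT_CONNECT:
	case BT_CONNECTED:
		__rfcomm_dlc_disconn(d);
		break;

	case BT_CONFIG:
		if (s->state != BT_BOUND) {
			__rfcomm_dlc_disconn(d);
			break;
		}
		/* if closing a dlc in a session that hasn't been started,
		 * just close and unlink the dlc
		 */
		fallthrough;

	default:
		rfcomm_dlc_clear_timer(d);

		rfcomm_dlc_lock(d);
		d->state = BT_CLOSED;
		d->state_change(d, err);
		rfcomm_dlc_unlock(d);

		skb_queue_purge(&d->tx_queue);
		rfcomm_dlc_unlink(d);
	}

	return 0;
}

/* Public close entry point.
 *
 * The DLC's session pointer is read before the mutex is taken, so after
 * acquiring it we re-validate that the session is still on session_list and
 * that the DLC is still on that session's list before touching either.
 * Returns 0 (the only value __rfcomm_dlc_close() produces) or 0 if the DLC
 * was already gone.
 */
int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
{
	int r = 0;
	struct rfcomm_dlc *d_list;
	struct rfcomm_session *s, *s_list;

	BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);

	rfcomm_lock();

	s = d->session;
	if (!s)
		goto no_session;

	/* after waiting on the mutex check the session still exists
	 * then check the dlc still exists
	 */
	list_for_each_entry(s_list, &session_list, list) {
		if (s_list == s) {
			list_for_each_entry(d_list, &s->dlcs, list) {
				if (d_list == d) {
					r = __rfcomm_dlc_close(d, err);
					break;
				}
			}
			break;
		}
	}

no_session:
	rfcomm_unlock();
	return r;
}

/* Find the DLC for (src, dst, channel) if one exists.
 * Returns the DLC, NULL if none, or ERR_PTR(-EINVAL) for a bad channel.
 */
struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
{
	struct rfcomm_session *s;
	struct rfcomm_dlc *dlc = NULL;
	u8 dlci;

	if (rfcomm_check_channel(channel))
		return ERR_PTR(-EINVAL);

	rfcomm_lock();
	s = rfcomm_session_get(src, dst);
	if (s) {
		dlci = __dlci(__session_dir(s), channel);
		dlc = rfcomm_dlc_get(s, dlci);
	}
	rfcomm_unlock();
	return dlc;
}

/* Wrap one fragment in a UIH header and append it to the tx queue.
 * Caller holds d->tx_queue.lock (the unlocked __skb_queue_tail is used).
 * Returns the payload length, or -EINVAL if it exceeds the DLC MTU; on
 * failure the skb is neither modified nor queued.
 */
static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag)
{
	int len = frag->len;

	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);

	if (len > d->mtu)
		return -EINVAL;

	rfcomm_make_uih(frag, d->addr);
	__skb_queue_tail(&d->tx_queue, frag);

	return len;
}

/* Queue @skb and its frag_list chain for transmission on @d.
 *
 * Returns the number of payload bytes queued, -ENOTCONN if the DLC is not
 * connected, or -EINVAL if the head skb exceeds the MTU. On any error the
 * head skb remains the caller's to free, but the fragment chain was detached
 * from it here, so every fragment that could not be queued is freed before
 * returning rather than leaked.
 */
int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
{
	unsigned long flags;
	struct sk_buff *frag, *next;
	int len;

	if (d->state != BT_CONNECTED)
		return -ENOTCONN;

	/* Take ownership of the fragment chain; the caller cannot reach it
	 * through skb any more.
	 */
	frag = skb_shinfo(skb)->frag_list;
	skb_shinfo(skb)->frag_list = NULL;

	/* Queue all fragments atomically. */
	spin_lock_irqsave(&d->tx_queue.lock, flags);

	len = rfcomm_dlc_send_frag(d, skb);
	if (len < 0)
		goto unlock;	/* frag still heads the whole unsent chain */

	for (; frag; frag = next) {
		int ret;

		next = frag->next;

		ret = rfcomm_dlc_send_frag(d, frag);
		if (ret < 0)
			goto unlock;	/* frag and everything after it is unsent */

		len += ret;
	}

unlock:
	spin_unlock_irqrestore(&d->tx_queue.lock, flags);

	/* Release the fragments that were never queued. A rejected fragment was
	 * not touched by rfcomm_dlc_send_frag(), so its ->next link is intact
	 * and the remainder of the chain can be walked. Done after dropping
	 * the lock so nothing is freed with interrupts disabled.
	 */
	if (frag)
		kfree_skb_list(frag);

	if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
		rfcomm_schedule();
	return len;
}

/* Queue a frame unconditionally (no state or MTU check). The frame is only
 * scheduled for transmission if the DLC is connected and not throttled.
 */
void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
{
	int len = skb->len;

	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);

	rfcomm_make_uih(skb, d->addr);
	skb_queue_tail(&d->tx_queue, skb);

	if (d->state == BT_CONNECTED &&
	    !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
		rfcomm_schedule();
}

/* Without credit based flow control, throttling is signalled to the peer via
 * the FC bit in MSC; with CFC the kthread simply stops handing out credits.
 */
void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
{
	BT_DBG("dlc %p state %ld", d, d->state);

	if (!d->cfc) {
		d->v24_sig |= RFCOMM_V24_FC;
		set_bit(RFCOMM_MSC_PENDING, &d->flags);
	}
	rfcomm_schedule();
}

void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
{
	BT_DBG("dlc %p state %ld", d, d->state);

	if (!d->cfc) {
		d->v24_sig &= ~RFCOMM_V24_FC;
		set_bit(RFCOMM_MSC_PENDING, &d->flags);
	}
	rfcomm_schedule();
}

/*
   Set/get modem status functions use _local_ status i.e. what we report
   to the other side.
   Remote status is provided by dlc->modem_status() callback.
 */
int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
{
	BT_DBG("dlc %p state %ld v24_sig 0x%x",
			d, d->state, v24_sig);

	/* The FC bit is owned by the throttling state, not the caller. */
	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
		v24_sig |= RFCOMM_V24_FC;
	else
		v24_sig &= ~RFCOMM_V24_FC;

	d->v24_sig = v24_sig;

	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
		rfcomm_schedule();

	return 0;
}

int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
{
	BT_DBG("dlc %p state %ld v24_sig 0x%x",
			d, d->state, d->v24_sig);

	*v24_sig = d->v24_sig;
	return 0;
}

/* ---- RFCOMM sessions ---- */

/* Allocate a session around an already created L2CAP socket and add it to
 * session_list. Returns NULL on allocation failure or if the module reference
 * cannot be taken.
 */
static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
{
	struct rfcomm_session *s = kzalloc_obj(*s);

	if (!s)
		return NULL;

	BT_DBG("session %p sock %p", s, sock);

	timer_setup(&s->timer, rfcomm_session_timeout, 0);

	INIT_LIST_HEAD(&s->dlcs);
	s->state = state;
	s->sock  = sock;

	s->mtu = RFCOMM_DEFAULT_MTU;
	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;

	/* Do not increment module usage count for listening sessions.
	 * Otherwise we won't be able to unload the module.
	 */
	if (state != BT_LISTEN)
		if (!try_module_get(THIS_MODULE)) {
			kfree(s);
			return NULL;
		}

	list_add(&s->list, &session_list);

	return s;
}

/* Remove and free a session (and its socket). Always returns NULL so callers
 * can write "s = rfcomm_session_del(s)" and not keep a dangling pointer.
 */
static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
{
	int state = s->state;

	BT_DBG("session %p state %ld", s, s->state);

	list_del(&s->list);

	rfcomm_session_clear_timer(s);
	sock_release(s->sock);
	kfree(s);

	if (state != BT_LISTEN)
		module_put(THIS_MODULE);

	return NULL;
}

/* Find the session whose L2CAP channel goes to @dst from @src (or from any
 * local address when @src is BDADDR_ANY). Caller holds rfcomm_lock().
 * No entry is removed while iterating, so the plain iterator suffices.
 */
static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
{
	struct rfcomm_session *s;
	struct l2cap_chan *chan;
	list_for_each_entry(s, &session_list, list) {
		chan = l2cap_pi(s->sock->sk)->chan;

		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
		    !bacmp(&chan->dst, dst))
			return s;
	}
	return NULL;
}

/* Tear down a session: close every DLC with @err (forcing them straight to
 * BT_CLOSED so __rfcomm_dlc_close() takes the immediate path), then delete.
 * Returns NULL.
 */
static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
						   int err)
{
	struct rfcomm_dlc *d, *n;

	s->state = BT_CLOSED;

	BT_DBG("session %p state %ld err %d", s, s->state, err);

	/* Close all dlcs */
	list_for_each_entry_safe(d, n, &s->dlcs, list) {
		d->state = BT_CLOSED;
		__rfcomm_dlc_close(d, err);
	}

	rfcomm_session_clear_timer(s);
	return rfcomm_session_del(s);
}

/* Create an outgoing session: bind an L2CAP socket to @src, apply the
 * requested L2CAP security level (and ERTM if enabled), register the session
 * in BT_BOUND state and start a non-blocking connect to the RFCOMM PSM.
 *
 * Returns the session (connect may still be in progress, *err is 0 or
 * -EINPROGRESS) or NULL with *err holding the failure.
 */
static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
						    bdaddr_t *dst,
						    u8 sec_level,
						    int *err)
{
	struct rfcomm_session *s = NULL;
	struct sockaddr_l2 addr;
	struct socket *sock;
	struct sock *sk;

	BT_DBG("%pMR -> %pMR", src, dst);

	*err = rfcomm_l2sock_create(&sock);
	if (*err < 0)
		return NULL;

	bacpy(&addr.l2_bdaddr, src);
	addr.l2_family = AF_BLUETOOTH;
	addr.l2_psm    = 0;
	addr.l2_cid    = 0;
	addr.l2_bdaddr_type = BDADDR_BREDR;
	*err = kernel_bind(sock, (struct sockaddr_unsized *)&addr, sizeof(addr));
	if (*err < 0)
		goto failed;

	/* Set L2CAP options */
	sk = sock->sk;
	lock_sock(sk);
	/* Set MTU to 0 so L2CAP can auto select the MTU */
	l2cap_pi(sk)->chan->imtu = 0;
	l2cap_pi(sk)->chan->sec_level = sec_level;
	if (l2cap_ertm)
		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
	release_sock(sk);

	s = rfcomm_session_add(sock, BT_BOUND);
	if (!s) {
		*err = -ENOMEM;
		goto failed;
	}

	s->initiator = 1;

	bacpy(&addr.l2_bdaddr, dst);
	addr.l2_family = AF_BLUETOOTH;
	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
	addr.l2_cid    = 0;
	addr.l2_bdaddr_type = BDADDR_BREDR;
	*err = kernel_connect(sock, (struct sockaddr_unsized *)&addr, sizeof(addr), O_NONBLOCK);
	if (*err == 0 || *err == -EINPROGRESS)
		return s;

	/* rfcomm_session_del() releases the socket for us. */
	return rfcomm_session_del(s);

failed:
	sock_release(sock);
	return NULL;
}

/* Report the session's local and remote addresses (either pointer may be NULL). */
void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
{
	struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
	if (src)
		bacpy(src, &chan->src);
	if (dst)
		bacpy(dst, &chan->dst);
}

/* ---- RFCOMM frame sending ---- */

/* Send one complete RFCOMM frame over the session's L2CAP socket.
 * Returns the result of kernel_sendmsg().
 */
static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
{
	struct kvec iv = { data, len };
	struct msghdr msg;

	BT_DBG("session %p len %d", s, len);

	memset(&msg, 0, sizeof(msg));

	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
}

/* Send a fixed-size command frame (SABM/UA/DM/DISC). */
static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
{
	BT_DBG("%p cmd %u", s, cmd->ctrl);

	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
}

/* SABM is a command from our side, so the C/R bit reflects our initiator role
 * and the FCS covers all three header octets.
 */
static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
{
	struct rfcomm_cmd cmd;

	BT_DBG("%p dlci %d", s, dlci);

	cmd.addr = __addr(s->initiator, dlci);
	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
	cmd.len  = __len8(0);
	cmd.fcs  = __fcs2((u8 *) &cmd);

	return rfcomm_send_cmd(s, &cmd);
}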
861 862 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 863 { 864 struct rfcomm_cmd cmd; 865 866 BT_DBG("%p dlci %d", s, dlci); 867 868 cmd.addr = __addr(!s->initiator, dlci); 869 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 870 cmd.len = __len8(0); 871 cmd.fcs = __fcs2((u8 *) &cmd); 872 873 return rfcomm_send_cmd(s, &cmd); 874 } 875 876 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 877 { 878 struct rfcomm_cmd cmd; 879 880 BT_DBG("%p dlci %d", s, dlci); 881 882 cmd.addr = __addr(s->initiator, dlci); 883 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 884 cmd.len = __len8(0); 885 cmd.fcs = __fcs2((u8 *) &cmd); 886 887 return rfcomm_send_cmd(s, &cmd); 888 } 889 890 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 891 { 892 struct rfcomm_cmd *cmd; 893 struct sk_buff *skb; 894 895 BT_DBG("dlc %p dlci %d", d, d->dlci); 896 897 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 898 if (!skb) 899 return -ENOMEM; 900 901 cmd = __skb_put(skb, sizeof(*cmd)); 902 cmd->addr = d->addr; 903 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 904 cmd->len = __len8(0); 905 cmd->fcs = __fcs2((u8 *) cmd); 906 907 skb_queue_tail(&d->tx_queue, skb); 908 rfcomm_schedule(); 909 return 0; 910 } 911 912 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 913 { 914 struct rfcomm_cmd cmd; 915 916 BT_DBG("%p dlci %d", s, dlci); 917 918 cmd.addr = __addr(!s->initiator, dlci); 919 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 920 cmd.len = __len8(0); 921 cmd.fcs = __fcs2((u8 *) &cmd); 922 923 return rfcomm_send_cmd(s, &cmd); 924 } 925 926 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 927 { 928 struct rfcomm_hdr *hdr; 929 struct rfcomm_mcc *mcc; 930 u8 buf[16], *ptr = buf; 931 932 BT_DBG("%p cr %d type %d", s, cr, type); 933 934 hdr = (void *) ptr; ptr += sizeof(*hdr); 935 hdr->addr = __addr(s->initiator, 0); 936 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 937 hdr->len = __len8(sizeof(*mcc) + 1); 938 939 mcc = (void *) ptr; ptr += sizeof(*mcc); 940 mcc->type = __mcc_type(0, RFCOMM_NSC); 941 mcc->len 
= __len8(1); 942 943 /* Type that we didn't like */ 944 *ptr = __mcc_type(cr, type); ptr++; 945 946 *ptr = __fcs(buf); ptr++; 947 948 return rfcomm_send_frame(s, buf, ptr - buf); 949 } 950 951 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 952 { 953 struct rfcomm_hdr *hdr; 954 struct rfcomm_mcc *mcc; 955 struct rfcomm_pn *pn; 956 u8 buf[16], *ptr = buf; 957 958 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 959 960 hdr = (void *) ptr; ptr += sizeof(*hdr); 961 hdr->addr = __addr(s->initiator, 0); 962 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 963 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 964 965 mcc = (void *) ptr; ptr += sizeof(*mcc); 966 mcc->type = __mcc_type(cr, RFCOMM_PN); 967 mcc->len = __len8(sizeof(*pn)); 968 969 pn = (void *) ptr; ptr += sizeof(*pn); 970 pn->dlci = d->dlci; 971 pn->priority = d->priority; 972 pn->ack_timer = 0; 973 pn->max_retrans = 0; 974 975 if (s->cfc) { 976 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 977 pn->credits = RFCOMM_DEFAULT_CREDITS; 978 } else { 979 pn->flow_ctrl = 0; 980 pn->credits = 0; 981 } 982 983 if (cr && channel_mtu >= 0) 984 pn->mtu = cpu_to_le16(channel_mtu); 985 else 986 pn->mtu = cpu_to_le16(d->mtu); 987 988 *ptr = __fcs(buf); ptr++; 989 990 return rfcomm_send_frame(s, buf, ptr - buf); 991 } 992 993 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 994 u8 bit_rate, u8 data_bits, u8 stop_bits, 995 u8 parity, u8 flow_ctrl_settings, 996 u8 xon_char, u8 xoff_char, u16 param_mask) 997 { 998 struct rfcomm_hdr *hdr; 999 struct rfcomm_mcc *mcc; 1000 struct rfcomm_rpn *rpn; 1001 u8 buf[16], *ptr = buf; 1002 1003 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 1004 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 1005 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 1006 flow_ctrl_settings, xon_char, xoff_char, param_mask); 1007 1008 hdr = (void *) ptr; ptr += sizeof(*hdr); 1009 hdr->addr = __addr(s->initiator, 0); 1010 hdr->ctrl = 
__ctrl(RFCOMM_UIH, 0); 1011 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 1012 1013 mcc = (void *) ptr; ptr += sizeof(*mcc); 1014 mcc->type = __mcc_type(cr, RFCOMM_RPN); 1015 mcc->len = __len8(sizeof(*rpn)); 1016 1017 rpn = (void *) ptr; ptr += sizeof(*rpn); 1018 rpn->dlci = __addr(1, dlci); 1019 rpn->bit_rate = bit_rate; 1020 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 1021 rpn->flow_ctrl = flow_ctrl_settings; 1022 rpn->xon_char = xon_char; 1023 rpn->xoff_char = xoff_char; 1024 rpn->param_mask = cpu_to_le16(param_mask); 1025 1026 *ptr = __fcs(buf); ptr++; 1027 1028 return rfcomm_send_frame(s, buf, ptr - buf); 1029 } 1030 1031 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 1032 { 1033 struct rfcomm_hdr *hdr; 1034 struct rfcomm_mcc *mcc; 1035 struct rfcomm_rls *rls; 1036 u8 buf[16], *ptr = buf; 1037 1038 BT_DBG("%p cr %d status 0x%x", s, cr, status); 1039 1040 hdr = (void *) ptr; ptr += sizeof(*hdr); 1041 hdr->addr = __addr(s->initiator, 0); 1042 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1043 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 1044 1045 mcc = (void *) ptr; ptr += sizeof(*mcc); 1046 mcc->type = __mcc_type(cr, RFCOMM_RLS); 1047 mcc->len = __len8(sizeof(*rls)); 1048 1049 rls = (void *) ptr; ptr += sizeof(*rls); 1050 rls->dlci = __addr(1, dlci); 1051 rls->status = status; 1052 1053 *ptr = __fcs(buf); ptr++; 1054 1055 return rfcomm_send_frame(s, buf, ptr - buf); 1056 } 1057 1058 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 1059 { 1060 struct rfcomm_hdr *hdr; 1061 struct rfcomm_mcc *mcc; 1062 struct rfcomm_msc *msc; 1063 u8 buf[16], *ptr = buf; 1064 1065 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 1066 1067 hdr = (void *) ptr; ptr += sizeof(*hdr); 1068 hdr->addr = __addr(s->initiator, 0); 1069 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1070 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 1071 1072 mcc = (void *) ptr; ptr += sizeof(*mcc); 1073 mcc->type = __mcc_type(cr, 
RFCOMM_MSC); 1074 mcc->len = __len8(sizeof(*msc)); 1075 1076 msc = (void *) ptr; ptr += sizeof(*msc); 1077 msc->dlci = __addr(1, dlci); 1078 msc->v24_sig = v24_sig | 0x01; 1079 1080 *ptr = __fcs(buf); ptr++; 1081 1082 return rfcomm_send_frame(s, buf, ptr - buf); 1083 } 1084 1085 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1086 { 1087 struct rfcomm_hdr *hdr; 1088 struct rfcomm_mcc *mcc; 1089 u8 buf[16], *ptr = buf; 1090 1091 BT_DBG("%p cr %d", s, cr); 1092 1093 hdr = (void *) ptr; ptr += sizeof(*hdr); 1094 hdr->addr = __addr(s->initiator, 0); 1095 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1096 hdr->len = __len8(sizeof(*mcc)); 1097 1098 mcc = (void *) ptr; ptr += sizeof(*mcc); 1099 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1100 mcc->len = __len8(0); 1101 1102 *ptr = __fcs(buf); ptr++; 1103 1104 return rfcomm_send_frame(s, buf, ptr - buf); 1105 } 1106 1107 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1108 { 1109 struct rfcomm_hdr *hdr; 1110 struct rfcomm_mcc *mcc; 1111 u8 buf[16], *ptr = buf; 1112 1113 BT_DBG("%p cr %d", s, cr); 1114 1115 hdr = (void *) ptr; ptr += sizeof(*hdr); 1116 hdr->addr = __addr(s->initiator, 0); 1117 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1118 hdr->len = __len8(sizeof(*mcc)); 1119 1120 mcc = (void *) ptr; ptr += sizeof(*mcc); 1121 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1122 mcc->len = __len8(0); 1123 1124 *ptr = __fcs(buf); ptr++; 1125 1126 return rfcomm_send_frame(s, buf, ptr - buf); 1127 } 1128 1129 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1130 { 1131 struct socket *sock = s->sock; 1132 struct kvec iv[3]; 1133 struct msghdr msg; 1134 unsigned char hdr[5], crc[1]; 1135 1136 if (len > 125) 1137 return -EINVAL; 1138 1139 BT_DBG("%p cr %d", s, cr); 1140 1141 hdr[0] = __addr(s->initiator, 0); 1142 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1143 hdr[2] = 0x01 | ((len + 2) << 1); 1144 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1145 hdr[4] = 0x01 | (len << 1); 1146 1147 crc[0] 
= __fcs(hdr); 1148 1149 iv[0].iov_base = hdr; 1150 iv[0].iov_len = 5; 1151 iv[1].iov_base = pattern; 1152 iv[1].iov_len = len; 1153 iv[2].iov_base = crc; 1154 iv[2].iov_len = 1; 1155 1156 memset(&msg, 0, sizeof(msg)); 1157 1158 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1159 } 1160 1161 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1162 { 1163 struct rfcomm_hdr *hdr; 1164 u8 buf[16], *ptr = buf; 1165 1166 BT_DBG("%p addr %d credits %d", s, addr, credits); 1167 1168 hdr = (void *) ptr; ptr += sizeof(*hdr); 1169 hdr->addr = addr; 1170 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1171 hdr->len = __len8(0); 1172 1173 *ptr = credits; ptr++; 1174 1175 *ptr = __fcs(buf); ptr++; 1176 1177 return rfcomm_send_frame(s, buf, ptr - buf); 1178 } 1179 1180 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1181 { 1182 struct rfcomm_hdr *hdr; 1183 int len = skb->len; 1184 u8 *crc; 1185 1186 if (len > 127) { 1187 hdr = skb_push(skb, 4); 1188 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1189 } else { 1190 hdr = skb_push(skb, 3); 1191 hdr->len = __len8(len); 1192 } 1193 hdr->addr = addr; 1194 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1195 1196 crc = skb_put(skb, 1); 1197 *crc = __fcs((void *) hdr); 1198 } 1199 1200 /* ---- RFCOMM frame reception ---- */ 1201 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1202 { 1203 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1204 1205 if (dlci) { 1206 /* Data channel */ 1207 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1208 if (!d) { 1209 rfcomm_send_dm(s, dlci); 1210 return s; 1211 } 1212 1213 switch (d->state) { 1214 case BT_CONNECT: 1215 rfcomm_dlc_clear_timer(d); 1216 1217 rfcomm_dlc_lock(d); 1218 d->state = BT_CONNECTED; 1219 d->state_change(d, 0); 1220 rfcomm_dlc_unlock(d); 1221 1222 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1223 break; 1224 1225 case BT_DISCONN: 1226 d->state = BT_CLOSED; 1227 __rfcomm_dlc_close(d, 0); 1228 1229 if 
(list_empty(&s->dlcs)) {
				/* Last DLC gone: tear down the session too */
				s->state = BT_DISCONN;
				rfcomm_send_disc(s, 0);
				rfcomm_session_clear_timer(s);
			}

			break;
		}
	} else {
		/* Control channel */
		switch (s->state) {
		case BT_CONNECT:
			s->state = BT_CONNECTED;
			rfcomm_process_connect(s);
			break;

		case BT_DISCONN:
			s = rfcomm_session_close(s, ECONNRESET);
			break;
		}
	}
	return s;
}

/* Handle an incoming DM (Disconnected Mode) for @dlci.
 * The peer is telling us the DLC (or, for DLCI 0, the session) is not
 * open.  A DLC still connecting (BT_CONNECT/BT_CONFIG) is closed with
 * ECONNREFUSED, an established one with ECONNRESET; the same mapping is
 * applied to the session state for DLCI 0.
 * Returns the session pointer, which may be NULL after a session close.
 */
static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
{
	int err = 0;

	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);

	if (dlci) {
		/* Data DLC */
		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
		if (d) {
			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
				err = ECONNREFUSED;
			else
				err = ECONNRESET;

			d->state = BT_CLOSED;
			__rfcomm_dlc_close(d, err);
		}
	} else {
		if (s->state == BT_CONNECT)
			err = ECONNREFUSED;
		else
			err = ECONNRESET;

		s = rfcomm_session_close(s, err);
	}
	return s;
}

/* Handle an incoming DISC (Disconnect) for @dlci.
 * Always acknowledged: UA for a known DLC or for DLCI 0, DM for an unknown
 * DLC.  Error codes follow the same connecting/established split as
 * rfcomm_recv_dm().  Returns the session pointer (NULL after session close).
 */
static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
					       u8 dlci)
{
	int err = 0;

	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);

	if (dlci) {
		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
		if (d) {
			rfcomm_send_ua(s, dlci);

			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
				err = ECONNREFUSED;
			else
				err = ECONNRESET;

			d->state = BT_CLOSED;
			__rfcomm_dlc_close(d, err);
		} else
			rfcomm_send_dm(s, dlci);

	} else {
		rfcomm_send_ua(s, 0);

		if (s->state == BT_CONNECT)
			err = ECONNREFUSED;
		else
			err = ECONNRESET;

		s = rfcomm_session_close(s, err);
	}
	return s;
}

/* Accept an incoming DLC: send UA, move it to BT_CONNECTED, notify the
 * owner through state_change(), optionally request an HCI role switch,
 * then send our modem status (MSC).  Exported for the socket layer, which
 * calls it when a deferred-setup connection is finally accepted.
 */
void rfcomm_dlc_accept(struct rfcomm_dlc *d)
{
	struct sock *sk = d->session->sock->sk;
	struct l2cap_conn *conn =
l2cap_pi(sk)->chan->conn;

	BT_DBG("dlc %p", d);

	rfcomm_send_ua(d->session, d->dlci);

	rfcomm_dlc_clear_timer(d);

	rfcomm_dlc_lock(d);
	d->state = BT_CONNECTED;
	d->state_change(d, 0);
	rfcomm_dlc_unlock(d);

	if (d->role_switch)
		hci_conn_switch_role(conn->hcon, 0x00);

	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
}

/* Decide what to do with an incoming DLC after its SABM arrived.
 * If the link already satisfies the DLC's security level the DLC is either
 * accepted immediately or, with defer_setup, parked in BT_CONNECT2 for the
 * owner to accept later.  Otherwise authentication is requested by setting
 * RFCOMM_AUTH_PENDING; rfcomm_security_cfm() resolves it.  Both deferred
 * paths are bounded by RFCOMM_AUTH_TIMEOUT.
 */
static void rfcomm_check_accept(struct rfcomm_dlc *d)
{
	if (rfcomm_check_security(d)) {
		if (d->defer_setup) {
			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);

			rfcomm_dlc_lock(d);
			d->state = BT_CONNECT2;
			d->state_change(d, 0);
			rfcomm_dlc_unlock(d);
		} else
			rfcomm_dlc_accept(d);
	} else {
		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
	}
}

/* Handle an incoming SABM (Set Asynchronous Balanced Mode) for @dlci.
 * DLCI 0 opens the session (UA, then process queued DLCs).  For a data
 * DLCI, a DLC already created by an earlier PN request goes through
 * rfcomm_check_accept(); otherwise the socket layer is asked via
 * rfcomm_connect_ind() whether anyone listens on the server channel, and
 * the SABM is refused with DM if not.  Always returns 0.
 */
static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
{
	struct rfcomm_dlc *d;
	u8 channel;

	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);

	if (!dlci) {
		rfcomm_send_ua(s, 0);

		if (s->state == BT_OPEN) {
			s->state = BT_CONNECTED;
			rfcomm_process_connect(s);
		}
		return 0;
	}

	/* Check if DLC exists */
	d = rfcomm_dlc_get(s, dlci);
	if (d) {
		if (d->state == BT_OPEN) {
			/* DLC was previously opened by PN request */
			rfcomm_check_accept(d);
		}
		return 0;
	}

	/* Notify socket layer about incoming connection */
	channel = __srv_channel(dlci);
	if (rfcomm_connect_ind(s, channel, &d)) {
		d->dlci = dlci;
		d->addr = __addr(s->initiator, dlci);
		rfcomm_dlc_link(s, d);

		rfcomm_check_accept(d);
	} else {
		rfcomm_send_dm(s, dlci);
	}

	return 0;
}

/* Apply the peer's PN (Parameter Negotiation) values to DLC @d.
 * @cr is 1 for a PN request from the peer, 0 for a PN response.
 * Credit-based flow control is enabled if the peer asks for it (0xf0 in a
 * request, unless the session has CFC disabled; 0xe0 in a response);
 * otherwise the DLC starts throttled.  Always returns 0.
 */
static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
{
	struct rfcomm_session *s = d->session;

	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
		d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);

	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
						pn->flow_ctrl == 0xe0) {
		d->cfc = RFCOMM_CFC_ENABLED;
		d->tx_credits = pn->credits;
	} else {
		d->cfc = RFCOMM_CFC_DISABLED;
		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
	}

	/* First negotiated DLC fixes the session-wide CFC mode */
	if (s->cfc == RFCOMM_CFC_UNKNOWN)
		s->cfc = d->cfc;

	d->priority = pn->priority;

	d->mtu = __le16_to_cpu(pn->mtu);

	/* NOTE(review): the peer-supplied MTU is clamped to the session MTU
	 * only for requests (cr); a PN response is taken as negotiated. */
	if (cr && d->mtu > s->mtu)
		d->mtu = s->mtu;

	return 0;
}

/* Handle an incoming PN multiplexer command/response from @skb.
 * A request for an existing DLC is applied and answered; a response moves
 * a DLC in BT_CONFIG on to BT_CONNECT and sends SABM.  A request for an
 * unknown DLC is treated as an incoming connection: the socket layer is
 * consulted and the new DLC is left in BT_OPEN awaiting SABM.
 * Returns -EILSEQ if the PN body is short, else 0.
 */
static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
	struct rfcomm_pn *pn;
	struct rfcomm_dlc *d;
	u8 dlci;

	/* skb_pull_data() bounds-checks the peer-supplied payload */
	pn = skb_pull_data(skb, sizeof(*pn));
	if (!pn)
		return -EILSEQ;

	dlci = pn->dlci;
	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);

	if (!dlci)
		return 0;

	d = rfcomm_dlc_get(s, dlci);
	if (d) {
		if (cr) {
			/* PN request */
			rfcomm_apply_pn(d, cr, pn);
			rfcomm_send_pn(s, 0, d);
		} else {
			/* PN response */
			switch (d->state) {
			case BT_CONFIG:
				rfcomm_apply_pn(d, cr, pn);

				d->state = BT_CONNECT;
				rfcomm_send_sabm(s, d->dlci);
				break;
			}
		}
	} else {
		u8 channel = __srv_channel(dlci);

		/* A response for a DLC we never asked about is ignored */
		if (!cr)
			return 0;

		/* PN request for non existing DLC.
		 * Assume incoming connection.
*/
		if (rfcomm_connect_ind(s, channel, &d)) {
			d->dlci = dlci;
			d->addr = __addr(s->initiator, dlci);
			rfcomm_dlc_link(s, d);

			rfcomm_apply_pn(d, cr, pn);

			d->state = BT_OPEN;
			rfcomm_send_pn(s, 0, d);
		} else {
			rfcomm_send_dm(s, dlci);
		}
	}
	return 0;
}

/* Handle an incoming RPN (Remote Port Negotiation) command/response.
 * @len is the MCC length byte from the peer; a one-byte RPN is a query and
 * is answered with our fixed defaults (9600 8N1, no flow control, normal
 * XON/XOFF).  A full RPN is validated field by field: any value we do not
 * support is replaced by the default and its bit cleared from @rpn_mask
 * so the reply tells the peer which parameters were rejected.
 * Responses (cr == 0) are accepted silently.
 * Returns -EILSEQ if the body is shorter than advertised, else 0.
 */
static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
{
	struct rfcomm_rpn *rpn;
	u8 dlci;

	u8 bit_rate = 0;
	u8 data_bits = 0;
	u8 stop_bits = 0;
	u8 parity = 0;
	u8 flow_ctrl = 0;
	u8 xon_char = 0;
	u8 xoff_char = 0;
	u16 rpn_mask = RFCOMM_RPN_PM_ALL;

	if (len == 1) {
		/* Query form: only the DLCI byte is present */
		rpn = skb_pull_data(skb, 1);
		if (!rpn)
			return -EILSEQ;

		dlci = __get_dlci(rpn->dlci);

		if (!cr)
			return 0;

		bit_rate = RFCOMM_RPN_BR_9600;
		data_bits = RFCOMM_RPN_DATA_8;
		stop_bits = RFCOMM_RPN_STOP_1;
		parity = RFCOMM_RPN_PARITY_NONE;
		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
		xon_char = RFCOMM_RPN_XON_CHAR;
		xoff_char = RFCOMM_RPN_XOFF_CHAR;
		goto rpn_out;
	}

	rpn = skb_pull_data(skb, sizeof(*rpn));
	if (!rpn)
		return -EILSEQ;

	dlci = __get_dlci(rpn->dlci);

	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
	       dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
	       rpn->xon_char, rpn->xoff_char, rpn->param_mask);

	if (!cr)
		return 0;

	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
	 * no parity, no flow control lines, normal XON/XOFF chars */

	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
		bit_rate = rpn->bit_rate;
		if (bit_rate > RFCOMM_RPN_BR_230400) {
			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
			bit_rate = RFCOMM_RPN_BR_9600;
			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
		}
	}

	if (rpn->param_mask &
cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
		data_bits = __get_rpn_data_bits(rpn->line_settings);
		if (data_bits != RFCOMM_RPN_DATA_8) {
			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
			data_bits = RFCOMM_RPN_DATA_8;
			rpn_mask ^= RFCOMM_RPN_PM_DATA;
		}
	}

	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
		if (stop_bits != RFCOMM_RPN_STOP_1) {
			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
			stop_bits = RFCOMM_RPN_STOP_1;
			rpn_mask ^= RFCOMM_RPN_PM_STOP;
		}
	}

	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
		parity = __get_rpn_parity(rpn->line_settings);
		if (parity != RFCOMM_RPN_PARITY_NONE) {
			BT_DBG("RPN parity mismatch 0x%x", parity);
			parity = RFCOMM_RPN_PARITY_NONE;
			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
		}
	}

	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
		flow_ctrl = rpn->flow_ctrl;
		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
		}
	}

	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
		xon_char = rpn->xon_char;
		if (xon_char != RFCOMM_RPN_XON_CHAR) {
			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
			xon_char = RFCOMM_RPN_XON_CHAR;
			rpn_mask ^= RFCOMM_RPN_PM_XON;
		}
	}

	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
		xoff_char = rpn->xoff_char;
		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
			xoff_char = RFCOMM_RPN_XOFF_CHAR;
			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
		}
	}

rpn_out:
	/* Reply with what we actually accepted; rpn_mask flags the rest */
	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);

	return 0;
}

/* Handle an incoming RLS (Remote Line Status) command/response.
 * The status is only echoed back in a response; nothing is recorded.
 * Returns -EILSEQ if the body is short, else 0.
 */
static int rfcomm_recv_rls(struct rfcomm_session *s, int cr,
struct sk_buff *skb)
{
	struct rfcomm_rls *rls;
	u8 dlci;

	rls = skb_pull_data(skb, sizeof(*rls));
	if (!rls)
		return -EILSEQ;

	dlci = __get_dlci(rls->dlci);
	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);

	if (!cr)
		return 0;

	/* We should probably do something with this information here. But
	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
	 * mandatory to recognise and respond to RLS */

	rfcomm_send_rls(s, 0, dlci, rls->status);

	return 0;
}

/* Handle an incoming MSC (Modem Status Command) command/response.
 * A command updates TX throttling from the FC bit (only when credit-based
 * flow control is off for the DLC), stores the remote V.24 signals,
 * notifies the owner's modem_status() callback under the DLC lock, echoes
 * the MSC back, and records RX of the MSC exchange.  A response records TX
 * of the exchange.  Both halves (RFCOMM_MSCEX_OK) must be seen before
 * rfcomm_process_dlcs() will transmit data on the DLC.
 * Returns -EILSEQ if the body is short, else 0.
 */
static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
	struct rfcomm_msc *msc;
	struct rfcomm_dlc *d;
	u8 dlci;

	msc = skb_pull_data(skb, sizeof(*msc));
	if (!msc)
		return -EILSEQ;

	dlci = __get_dlci(msc->dlci);
	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);

	d = rfcomm_dlc_get(s, dlci);
	if (!d)
		return 0;

	if (cr) {
		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
		else
			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);

		rfcomm_dlc_lock(d);

		d->remote_v24_sig = msc->v24_sig;

		if (d->modem_status)
			d->modem_status(d, msc->v24_sig);

		rfcomm_dlc_unlock(d);

		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);

		d->mscex |= RFCOMM_MSCEX_RX;
	} else
		d->mscex |= RFCOMM_MSCEX_TX;

	return 0;
}

/* Dispatch a multiplexer control (MCC) frame received on DLCI 0.
 * The MCC header gives the command type, C/R bit and a peer-supplied
 * length; @len is only forwarded to the RPN handler, every handler
 * bounds-checks its own body with skb_pull_data().  Unknown types are
 * answered with NSC (Non Supported Command).
 * Returns -EILSEQ if even the MCC header is missing, else 0.
 */
static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
{
	struct rfcomm_mcc *mcc;
	u8 type, cr, len;

	mcc = skb_pull_data(skb, sizeof(*mcc));
	if (!mcc)
		return -EILSEQ;

	cr = __test_cr(mcc->type);
	type = __get_mcc_type(mcc->type);
	len = __get_mcc_len(mcc->len);

	BT_DBG("%p type 0x%x cr %d", s, type, cr);

	switch (type) {
	case RFCOMM_PN:
		rfcomm_recv_pn(s, cr, skb);
break;

	case RFCOMM_RPN:
		rfcomm_recv_rpn(s, cr, len, skb);
		break;

	case RFCOMM_RLS:
		rfcomm_recv_rls(s, cr, skb);
		break;

	case RFCOMM_MSC:
		rfcomm_recv_msc(s, cr, skb);
		break;

	case RFCOMM_FCOFF:
		/* Aggregate (session-wide) flow control from the peer */
		if (cr) {
			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
			rfcomm_send_fcoff(s, 0);
		}
		break;

	case RFCOMM_FCON:
		if (cr) {
			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
			rfcomm_send_fcon(s, 0);
		}
		break;

	case RFCOMM_TEST:
		/* Echo the remaining payload; rfcomm_send_test() rejects > 125 bytes */
		if (cr)
			rfcomm_send_test(s, 0, skb->data, skb->len);
		break;

	case RFCOMM_NSC:
		break;

	default:
		BT_ERR("Unknown control type 0x%02x", type);
		rfcomm_send_nsc(s, cr, type);
		break;
	}
	return 0;
}

/* Deliver a UIH data frame for @dlci to its DLC.
 * With credit-based flow control, a frame whose P/F bit (@pf) is set
 * carries a leading credit byte that replenishes tx_credits.  Only a
 * non-empty payload on a BT_CONNECTED DLC is handed to data_ready(), which
 * takes ownership of @skb; in every other case the skb is freed here.
 * Always returns 0.
 */
static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
{
	struct rfcomm_dlc *d;

	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);

	d = rfcomm_dlc_get(s, dlci);
	if (!d) {
		rfcomm_send_dm(s, dlci);
		goto drop;
	}

	if (pf && d->cfc) {
		u8 *credits = skb_pull_data(skb, 1);

		if (!credits)
			goto drop;

		d->tx_credits += *credits;
		if (d->tx_credits)
			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
	}

	if (skb->len && d->state == BT_CONNECTED) {
		rfcomm_dlc_lock(d);
		d->rx_credits--;
		d->data_ready(d, skb);
		rfcomm_dlc_unlock(d);
		return 0;
	}

drop:
	kfree_skb(skb);
	return 0;
}

/* Parse and dispatch one RFCOMM frame from the L2CAP socket.
 * Strips and verifies the trailing FCS, pulls the 3- or 4-byte header
 * (depending on the EA bit of the length field) and routes by frame type.
 * UIH frames for a data DLCI are passed on (and owned) by
 * rfcomm_recv_data(); every other frame is freed here.
 * Returns the session pointer, NULL if the session was closed.
 *
 * NOTE(review): there is no minimum-length check visible here before the
 * header fields are read and skb->len/skb->tail are decremented for the
 * FCS; confirm the caller only hands over frames of at least header+FCS
 * size.
 */
static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
						struct sk_buff *skb)
{
	struct rfcomm_hdr *hdr = (void *) skb->data;
	u8 type, dlci, fcs;

	if (!s) {
		/* no session, so free socket data */
		kfree_skb(skb);
		return s;
	}

	dlci = __get_dlci(hdr->addr);
	type = __get_type(hdr->ctrl);

	/* Trim FCS */
	skb->len--;
skb->tail--;
	fcs = *(u8 *)skb_tail_pointer(skb);

	if (__check_fcs(skb->data, type, fcs)) {
		BT_ERR("bad checksum in packet");
		kfree_skb(skb);
		return s;
	}

	/* EA bit set in the length byte means a one-byte length (3-byte header) */
	if (__test_ea(hdr->len))
		skb_pull(skb, 3);
	else
		skb_pull(skb, 4);

	switch (type) {
	case RFCOMM_SABM:
		if (__test_pf(hdr->ctrl))
			rfcomm_recv_sabm(s, dlci);
		break;

	case RFCOMM_DISC:
		if (__test_pf(hdr->ctrl))
			s = rfcomm_recv_disc(s, dlci);
		break;

	case RFCOMM_UA:
		if (__test_pf(hdr->ctrl))
			s = rfcomm_recv_ua(s, dlci);
		break;

	case RFCOMM_DM:
		s = rfcomm_recv_dm(s, dlci);
		break;

	case RFCOMM_UIH:
		if (dlci) {
			/* rfcomm_recv_data() owns the skb from here on */
			rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
			return s;
		}
		rfcomm_recv_mcc(s, skb);
		break;

	default:
		BT_ERR("Unknown packet type 0x%02x", type);
		break;
	}
	kfree_skb(skb);
	return s;
}

/* ---- Connection and data processing ---- */

/* Called once the session's control channel is connected: start parameter
 * negotiation (PN) for every DLC waiting in BT_CONFIG, or request
 * authentication first if the link does not yet meet the DLC's security
 * level (resolved later in rfcomm_security_cfm()).
 */
static void rfcomm_process_connect(struct rfcomm_session *s)
{
	struct rfcomm_dlc *d, *n;

	BT_DBG("session %p state %ld", s, s->state);

	list_for_each_entry_safe(d, n, &s->dlcs, list) {
		if (d->state == BT_CONFIG) {
			d->mtu = s->mtu;
			if (rfcomm_check_security(d)) {
				rfcomm_send_pn(s, 1, d);
			} else {
				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
			}
		}
	}
}

/* Send data queued for the DLC.
 * Return number of frames left in the queue.
*/
/* Also sends a pending MSC first and, with credit-based flow control,
 * replenishes the peer's receive credits once ours have dropped to a
 * quarter of the window (d->cfc doubles as the window size here).
 * Transmission stops when the DLC is throttled, when tx_credits run out,
 * or when rfcomm_send_frame() fails (the frame is requeued at the head).
 */
static int rfcomm_process_tx(struct rfcomm_dlc *d)
{
	struct sk_buff *skb;
	int err;

	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
	       d, d->state, d->cfc, d->rx_credits, d->tx_credits);

	/* Send pending MSC */
	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);

	if (d->cfc) {
		/* CFC enabled.
		 * Give them some credits */
		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
		    d->rx_credits <= (d->cfc >> 2)) {
			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
			d->rx_credits = d->cfc;
		}
	} else {
		/* CFC disabled.
		 * Give ourselves some credits */
		d->tx_credits = 5;
	}

	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
		return skb_queue_len(&d->tx_queue);

	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
		err = rfcomm_send_frame(d->session, skb->data, skb->len);
		if (err < 0) {
			/* Keep ordering: put the unsent frame back at the front */
			skb_queue_head(&d->tx_queue, skb);
			break;
		}
		kfree_skb(skb);
		d->tx_credits--;
	}

	if (d->cfc && !d->tx_credits) {
		/* We're out of TX credits.
		 * Set TX_THROTTLED flag to avoid unnecessary wakeups by dlc_send.
*/
		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
	}

	return skb_queue_len(&d->tx_queue);
}

/* Per-session DLC housekeeping, run from the krfcommd thread.
 * For each DLC, in order: close on timeout or on an encryption drop;
 * act on a completed authentication (accept -> PN for outgoing DLCs, UA or
 * deferred setup for incoming ones; reject -> DM/close); skip DLCs still
 * waiting on security or while the session is flow-controlled off; and
 * finally transmit queued data once the MSC exchange has completed.
 */
static void rfcomm_process_dlcs(struct rfcomm_session *s)
{
	struct rfcomm_dlc *d, *n;

	BT_DBG("session %p state %ld", s, s->state);

	list_for_each_entry_safe(d, n, &s->dlcs, list) {
		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
			__rfcomm_dlc_close(d, ETIMEDOUT);
			continue;
		}

		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
			__rfcomm_dlc_close(d, ECONNREFUSED);
			continue;
		}

		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
			rfcomm_dlc_clear_timer(d);
			if (d->out) {
				rfcomm_send_pn(s, 1, d);
				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
			} else {
				if (d->defer_setup) {
					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);

					rfcomm_dlc_lock(d);
					d->state = BT_CONNECT2;
					d->state_change(d, 0);
					rfcomm_dlc_unlock(d);
				} else
					rfcomm_dlc_accept(d);
			}
			continue;
		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
			rfcomm_dlc_clear_timer(d);
			/* Incoming DLC: tell the peer; outgoing: just drop it */
			if (!d->out)
				rfcomm_send_dm(s, d->dlci);
			else
				d->state = BT_CLOSED;
			__rfcomm_dlc_close(d, ECONNREFUSED);
			continue;
		}

		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
			continue;

		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
			continue;

		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
		    d->mscex == RFCOMM_MSCEX_OK)
			rfcomm_process_tx(d);
	}
}

/* Drain the session's L2CAP socket receive queue and feed each linearized
 * skb to rfcomm_recv_frame().  Frames are dropped once the socket has
 * reached BT_CLOSED, and the session is closed with the socket's error
 * afterwards.  Returns the session pointer, NULL if it was closed.
 */
static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
{
	struct socket *sock = s->sock;
	struct sock *sk = sock->sk;
	struct sk_buff *skb;

	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));

	/* Get data directly from socket receive queue without copying it.
*/
	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
		/* Detach from the socket's accounting; we own the skb now */
		skb_orphan(skb);
		if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) {
			s = rfcomm_recv_frame(s, skb);
			if (!s)
				break;
		} else {
			kfree_skb(skb);
		}
	}

	if (s && (sk->sk_state == BT_CLOSED))
		s = rfcomm_session_close(s, sk->sk_err);

	return s;
}

/* Accept one pending L2CAP connection on the listening session @s and
 * wrap it in a new RFCOMM session in BT_OPEN.  The session MTU is derived
 * from the smaller of the L2CAP in/out MTUs minus the 5 bytes of UIH
 * header and FCS.  On failure to create the session the accepted socket
 * is released.
 */
static void rfcomm_accept_connection(struct rfcomm_session *s)
{
	struct socket *sock = s->sock, *nsock;
	int err;

	/* Fast check for a new connection.
	 * Avoids unnecessary socket allocations.
	 */
	if (list_empty(&bt_sk(sock->sk)->accept_q))
		return;

	BT_DBG("session %p", s);

	err = kernel_accept(sock, &nsock, O_NONBLOCK);
	if (err < 0)
		return;

	/* Set our callbacks */
	nsock->sk->sk_data_ready = rfcomm_l2data_ready;
	nsock->sk->sk_state_change = rfcomm_l2state_change;

	s = rfcomm_session_add(nsock, BT_OPEN);
	if (s) {
		/* We should adjust MTU on incoming sessions.
		 * L2CAP MTU minus UIH header and FCS. */
		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
				l2cap_pi(nsock->sk)->chan->imtu) - 5;

		rfcomm_schedule();
	} else
		sock_release(nsock);
}

/* Progress an outgoing session in BT_BOUND according to its L2CAP socket
 * state: once the socket is connected, fix the session MTU and send SABM
 * on DLCI 0; if the socket closed, close the session with its error.
 * Returns the session pointer, NULL if it was closed.
 */
static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
{
	struct sock *sk = s->sock->sk;

	BT_DBG("%p state %ld", s, s->state);

	switch (sk->sk_state) {
	case BT_CONNECTED:
		s->state = BT_CONNECT;

		/* We can adjust MTU on outgoing sessions.
		 * L2CAP MTU minus UIH header and FCS.
*/
		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;

		rfcomm_send_sabm(s, 0);
		break;

	case BT_CLOSED:
		s = rfcomm_session_close(s, sk->sk_err);
		break;
	}
	return s;
}

/* One pass of the krfcommd main loop over every session, under rfcomm_lock.
 * Timed-out sessions are sent DISC; listening sessions accept new
 * connections; bound (outgoing) sessions are driven by their socket state;
 * everything else has its receive queue processed.  Surviving sessions
 * then get their DLCs serviced.  The _safe iteration is required because
 * any step may delete the current session.
 */
static void rfcomm_process_sessions(void)
{
	struct rfcomm_session *s, *n;

	rfcomm_lock();

	list_for_each_entry_safe(s, n, &session_list, list) {
		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
			s->state = BT_DISCONN;
			rfcomm_send_disc(s, 0);
			continue;
		}

		switch (s->state) {
		case BT_LISTEN:
			rfcomm_accept_connection(s);
			continue;

		case BT_BOUND:
			s = rfcomm_check_connection(s);
			break;

		default:
			s = rfcomm_process_rx(s);
			break;
		}

		if (s)
			rfcomm_process_dlcs(s);
	}

	rfcomm_unlock();
}

/* Create, bind and listen on the L2CAP socket for the RFCOMM PSM on
 * address @ba, and register it as a BT_LISTEN session.  The socket is
 * released on any failure after creation.
 * Returns 0 on success or a negative errno.
 */
static int rfcomm_add_listener(bdaddr_t *ba)
{
	struct sockaddr_l2 addr;
	struct socket *sock;
	struct sock *sk;
	struct rfcomm_session *s;
	int err = 0;

	/* Create socket */
	err = rfcomm_l2sock_create(&sock);
	if (err < 0) {
		BT_ERR("Create socket failed %d", err);
		return err;
	}

	/* Bind socket */
	bacpy(&addr.l2_bdaddr, ba);
	addr.l2_family = AF_BLUETOOTH;
	addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
	addr.l2_cid = 0;
	addr.l2_bdaddr_type = BDADDR_BREDR;
	err = kernel_bind(sock, (struct sockaddr_unsized *)&addr, sizeof(addr));
	if (err < 0) {
		BT_ERR("Bind failed %d", err);
		goto failed;
	}

	/* Set L2CAP options */
	sk = sock->sk;
	lock_sock(sk);
	/* Set MTU to 0 so L2CAP can auto select the MTU */
	l2cap_pi(sk)->chan->imtu = 0;
	release_sock(sk);

	/* Start listening on the socket */
	err = kernel_listen(sock, 10);
	if (err) {
		BT_ERR("Listen failed %d", err);
		goto failed;
	}

	/* Add listening session */
s = rfcomm_session_add(sock, BT_LISTEN);
	if (!s) {
		err = -ENOMEM;
		goto failed;
	}

	return 0;
failed:
	sock_release(sock);
	return err;
}

/* Delete every remaining session on shutdown of the krfcommd thread. */
static void rfcomm_kill_listener(void)
{
	struct rfcomm_session *s, *n;

	BT_DBG("");

	list_for_each_entry_safe(s, n, &session_list, list)
		rfcomm_session_del(s);
}

/* Body of the krfcommd kernel thread: set up the listener, then loop
 * servicing all sessions each time the thread is woken through rfcomm_wq,
 * until kthread_stop() is requested.
 * NOTE(review): the return value of rfcomm_add_listener() is not checked;
 * if it fails the thread keeps running without a listening session.
 */
static int rfcomm_run(void *unused)
{
	DEFINE_WAIT_FUNC(wait, woken_wake_function);
	BT_DBG("");

	set_user_nice(current, -10);

	rfcomm_add_listener(BDADDR_ANY);

	add_wait_queue(&rfcomm_wq, &wait);
	while (!kthread_should_stop()) {

		/* Process stuff */
		rfcomm_process_sessions();

		wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
	}
	remove_wait_queue(&rfcomm_wq, &wait);

	rfcomm_kill_listener();

	return 0;
}

/* HCI security callback: the link's authentication/encryption state
 * changed (@status non-zero on failure, @encrypt 0 when unencrypted).
 * For every DLC on the matching session it:
 *  - resolves a pending security upgrade (RFCOMM_SEC_PENDING), dropping
 *    the DLC if the upgrade failed or encryption is off;
 *  - handles encryption being switched off on a connected DLC according
 *    to its sec_level (medium: wait for re-encryption, high/FIPS: drop);
 *  - resolves a pending authentication (RFCOMM_AUTH_PENDING) into
 *    RFCOMM_AUTH_ACCEPT or RFCOMM_AUTH_REJECT via hci_conn_check_secure().
 * The flags are acted upon later by rfcomm_process_dlcs(), so the thread
 * is scheduled at the end.
 */
static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
{
	struct rfcomm_session *s;
	struct rfcomm_dlc *d, *n;

	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);

	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
	if (!s)
		return;

	list_for_each_entry_safe(d, n, &s->dlcs, list) {
		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
			rfcomm_dlc_clear_timer(d);
			if (status || encrypt == 0x00) {
				set_bit(RFCOMM_ENC_DROP, &d->flags);
				continue;
			}
		}

		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
			if (d->sec_level == BT_SECURITY_MEDIUM) {
				set_bit(RFCOMM_SEC_PENDING, &d->flags);
				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
				continue;
			} else if (d->sec_level == BT_SECURITY_HIGH ||
				   d->sec_level == BT_SECURITY_FIPS) {
				set_bit(RFCOMM_ENC_DROP, &d->flags);
				continue;
			}
		}

		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
			continue;


		if (!status && hci_conn_check_secure(conn, d->sec_level))
			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
		else
			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
	}

	rfcomm_schedule();
}

/* HCI callback registration: only security confirmations are consumed. */
static struct hci_cb rfcomm_cb = {
	.name		= "RFCOMM",
	.security_cfm	= rfcomm_security_cfm
};

/* debugfs "rfcomm_dlc" reader: one line per DLC with the L2CAP channel's
 * source/destination addresses, DLC state, DLCI, MTU and credit counts.
 * Walks the session list under rfcomm_lock.
 */
static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
{
	struct rfcomm_session *s;

	rfcomm_lock();

	list_for_each_entry(s, &session_list, list) {
		struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
		struct rfcomm_dlc *d;
		list_for_each_entry(d, &s->dlcs, list) {
			seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
				   &chan->src, &chan->dst,
				   d->state, d->dlci, d->mtu,
				   d->rx_credits, d->tx_credits);
		}
	}

	rfcomm_unlock();

	return 0;
}

DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);

static struct dentry *rfcomm_dlc_debugfs;

/* ---- Initialization ---- */

/* Module init: register the HCI callback, start krfcommd, then bring up
 * the TTY and socket front ends.  Each step is unwound in reverse on
 * failure via the goto chain.  The debugfs file is optional and only
 * created when the Bluetooth debugfs root exists.
 * Returns 0 on success or a negative errno.
 */
static int __init rfcomm_init(void)
{
	int err;

	hci_register_cb(&rfcomm_cb);

	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
	if (IS_ERR(rfcomm_thread)) {
		err = PTR_ERR(rfcomm_thread);
		goto unregister;
	}

	err = rfcomm_init_ttys();
	if (err < 0)
		goto stop;

	err = rfcomm_init_sockets();
	if (err < 0)
		goto cleanup;

	BT_INFO("RFCOMM ver %s", VERSION);

	if (IS_ERR_OR_NULL(bt_debugfs))
		return 0;

	rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
						 bt_debugfs, NULL,
						 &rfcomm_dlc_debugfs_fops);

	return 0;

cleanup:
	rfcomm_cleanup_ttys();

stop:
	kthread_stop(rfcomm_thread);

unregister:
	hci_unregister_cb(&rfcomm_cb);

	return err;
}

/* Module exit: tear down in the reverse order of rfcomm_init(). */
static void __exit rfcomm_exit(void)
{
	debugfs_remove(rfcomm_dlc_debugfs);

	hci_unregister_cb(&rfcomm_cb);


	kthread_stop(rfcomm_thread);

	rfcomm_cleanup_ttys();

	rfcomm_cleanup_sockets();
}

module_init(rfcomm_init);
module_exit(rfcomm_exit);

/* Module parameters; all writable at runtime (0644) by root via sysfs. */
module_param(disable_cfc, bool, 0644);
MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");

module_param(channel_mtu, int, 0644);
MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");

module_param(l2cap_ertm, bool, 0644);
MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");

MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");
MODULE_ALIAS("bt-proto-3");