1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/debugfs.h> 30 #include <linux/kthread.h> 31 #include <linux/unaligned.h> 32 33 #include <net/bluetooth/bluetooth.h> 34 #include <net/bluetooth/hci_core.h> 35 #include <net/bluetooth/l2cap.h> 36 #include <net/bluetooth/rfcomm.h> 37 38 #include <trace/events/sock.h> 39 40 #define VERSION "1.11" 41 42 static bool disable_cfc; 43 static bool l2cap_ertm; 44 static int channel_mtu = -1; 45 46 static struct task_struct *rfcomm_thread; 47 48 static DEFINE_MUTEX(rfcomm_mutex); 49 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 50 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 51 52 53 static LIST_HEAD(session_list); 54 55 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 56 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 57 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 58 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 59 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 60 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 61 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 62 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 63 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 64 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 65 66 static void rfcomm_process_connect(struct rfcomm_session *s); 67 68 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 69 bdaddr_t *dst, 70 u8 sec_level, 71 int *err); 72 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 73 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s); 74 75 /* ---- RFCOMM frame parsing macros ---- */ 76 #define __get_dlci(b) ((b & 0xfc) >> 2) 77 #define __get_type(b) ((b & 0xef)) 78 79 #define __test_ea(b) ((b & 0x01)) 80 #define __test_cr(b) (!!(b & 0x02)) 81 #define __test_pf(b) (!!(b & 0x10)) 82 83 #define __session_dir(s) ((s)->initiator ? 0x00 : 0x01) 84 85 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 86 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 87 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 88 #define __srv_channel(dlci) (dlci >> 1) 89 90 #define __len8(len) (((len) << 1) | 1) 91 #define __len16(len) ((len) << 1) 92 93 /* MCC macros */ 94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 95 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 96 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 97 98 /* RPN macros */ 99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 100 #define __get_rpn_data_bits(line) ((line) & 0x3) 101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 103 104 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq); 105 106 static void rfcomm_schedule(void) 107 { 108 wake_up_all(&rfcomm_wq); 109 } 110 111 /* ---- RFCOMM FCS computation ---- */ 112 113 /* reversed, 8-bit, poly=0x07 */ 114 static unsigned char rfcomm_crc_table[256] = { 115 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 116 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 117 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 118 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 119 120 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 121 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 122 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 123 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 124 125 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 126 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 127 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 128 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 129 130 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 131 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 132 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 133 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 134 135 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 136 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 137 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 138 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 139 140 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 141 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 142 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 143 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 144 145 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 146 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 147 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 148 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 149 150 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 151 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 152 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 153 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 154 }; 155 156 /* CRC on 2 bytes */ 157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 158 159 /* FCS on 2 bytes */ 160 static inline u8 __fcs(u8 *data) 161 { 162 return 0xff - __crc(data); 163 } 164 165 /* FCS on 3 bytes */ 166 static inline u8 __fcs2(u8 *data) 167 { 168 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 169 } 170 171 /* Check FCS */ 172 static inline int __check_fcs(u8 *data, int type, u8 fcs) 173 { 174 u8 f = __crc(data); 175 176 if (type != RFCOMM_UIH) 177 f = rfcomm_crc_table[f ^ data[2]]; 178 179 return rfcomm_crc_table[f ^ fcs] != 0xcf; 180 } 181 182 /* ---- L2CAP callbacks ---- */ 183 static void rfcomm_l2state_change(struct sock *sk) 184 { 185 BT_DBG("%p state %d", sk, sk->sk_state); 186 rfcomm_schedule(); 187 } 188 189 static void rfcomm_l2data_ready(struct sock *sk) 190 { 191 trace_sk_data_ready(sk); 192 193 BT_DBG("%p", sk); 194 rfcomm_schedule(); 195 } 196 197 static int rfcomm_l2sock_create(struct socket **sock) 198 { 199 int err; 200 201 BT_DBG(""); 202 203 err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 204 if (!err) { 205 struct sock *sk = (*sock)->sk; 206 sk->sk_data_ready = rfcomm_l2data_ready; 207 sk->sk_state_change = rfcomm_l2state_change; 208 } 209 return err; 210 } 211 212 static int rfcomm_check_security(struct rfcomm_dlc *d) 213 { 214 struct sock *sk = d->session->sock->sk; 215 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 216 217 __u8 auth_type; 218 219 switch (d->sec_level) { 220 case BT_SECURITY_HIGH: 221 case BT_SECURITY_FIPS: 222 auth_type = HCI_AT_GENERAL_BONDING_MITM; 223 break; 224 case BT_SECURITY_MEDIUM: 225 auth_type = HCI_AT_GENERAL_BONDING; 226 break; 227 default: 228 auth_type = HCI_AT_NO_BONDING; 229 break; 230 } 231 232 return hci_conn_security(conn->hcon, d->sec_level, auth_type, 233 d->out); 234 } 235 236 static void rfcomm_session_timeout(struct timer_list *t) 237 { 238 struct rfcomm_session *s = timer_container_of(s, t, timer); 239 240 BT_DBG("session %p state %ld", s, s->state); 241 242 set_bit(RFCOMM_TIMED_OUT, &s->flags); 243 rfcomm_schedule(); 244 } 245 246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 247 { 248 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 249 250 mod_timer(&s->timer, jiffies + timeout); 251 } 252 253 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 254 { 255 BT_DBG("session %p state %ld", s, s->state); 256 257 timer_delete_sync(&s->timer); 258 } 259 260 /* ---- RFCOMM DLCs ---- */ 261 static void rfcomm_dlc_timeout(struct timer_list *t) 262 { 263 struct rfcomm_dlc *d = timer_container_of(d, t, timer); 264 265 BT_DBG("dlc %p state %ld", d, d->state); 266 267 set_bit(RFCOMM_TIMED_OUT, &d->flags); 268 rfcomm_dlc_put(d); 269 rfcomm_schedule(); 270 } 271 272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 273 { 274 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 275 276 if (!mod_timer(&d->timer, jiffies + timeout)) 277 rfcomm_dlc_hold(d); 278 } 279 280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 281 { 282 BT_DBG("dlc %p state %ld", d, d->state); 283 284 if (timer_delete(&d->timer)) 285 rfcomm_dlc_put(d); 286 } 287 288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 289 { 290 BT_DBG("%p", d); 291 292 d->state = BT_OPEN; 293 d->flags = 0; 294 d->mscex = 0; 295 d->sec_level = BT_SECURITY_LOW; 296 d->mtu = RFCOMM_DEFAULT_MTU; 297 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 298 299 d->cfc = RFCOMM_CFC_DISABLED; 300 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 301 } 302 303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 304 { 305 struct rfcomm_dlc *d = kzalloc_obj(*d, prio); 306 307 if (!d) 308 return NULL; 309 310 timer_setup(&d->timer, rfcomm_dlc_timeout, 0); 311 312 skb_queue_head_init(&d->tx_queue); 313 mutex_init(&d->lock); 314 refcount_set(&d->refcnt, 1); 315 316 rfcomm_dlc_clear_state(d); 317 318 BT_DBG("%p", d); 319 320 return d; 321 } 322 323 void rfcomm_dlc_free(struct rfcomm_dlc *d) 324 { 325 BT_DBG("%p", d); 326 327 skb_queue_purge(&d->tx_queue); 328 kfree(d); 329 } 330 331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 332 { 333 BT_DBG("dlc %p session %p", d, s); 334 335 rfcomm_session_clear_timer(s); 336 rfcomm_dlc_hold(d); 337 list_add(&d->list, &s->dlcs); 338 d->session = s; 339 } 340 341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 342 { 343 struct rfcomm_session *s = d->session; 344 345 BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s); 346 347 list_del(&d->list); 348 d->session = NULL; 349 rfcomm_dlc_put(d); 350 351 if (list_empty(&s->dlcs)) 352 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 353 } 354 355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 356 { 357 struct rfcomm_dlc *d; 358 359 list_for_each_entry(d, &s->dlcs, list) 360 if (d->dlci == dlci) 361 return d; 362 363 return NULL; 364 } 365 366 static int rfcomm_check_channel(u8 channel) 367 { 368 return channel < 1 || channel > 30; 369 } 370 371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 372 { 373 struct rfcomm_session *s; 374 int err = 0; 375 u8 dlci; 376 377 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 378 d, d->state, src, dst, channel); 379 380 if (rfcomm_check_channel(channel)) 381 return -EINVAL; 382 383 if (d->state != BT_OPEN && d->state != BT_CLOSED) 384 return 0; 385 386 s = rfcomm_session_get(src, dst); 387 if (!s) { 388 s = rfcomm_session_create(src, dst, d->sec_level, &err); 389 if (!s) 390 return err; 391 } 392 393 dlci = __dlci(__session_dir(s), channel); 394 395 /* Check if DLCI already exists */ 396 if (rfcomm_dlc_get(s, dlci)) 397 return -EBUSY; 398 399 rfcomm_dlc_clear_state(d); 400 401 d->dlci = dlci; 402 d->addr = __addr(s->initiator, dlci); 403 d->priority = 7; 404 405 d->state = BT_CONFIG; 406 rfcomm_dlc_link(s, d); 407 408 d->out = 1; 409 410 d->mtu = s->mtu; 411 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 412 413 if (s->state == BT_CONNECTED) { 414 if (rfcomm_check_security(d)) 415 rfcomm_send_pn(s, 1, d); 416 else 417 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 418 } 419 420 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 421 422 return 0; 423 } 424 425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 426 { 427 int r; 428 429 rfcomm_lock(); 430 431 r = __rfcomm_dlc_open(d, src, dst, channel); 432 433 rfcomm_unlock(); 434 return r; 435 } 436 437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d) 438 { 439 struct rfcomm_session *s = d->session; 440 441 d->state = BT_DISCONN; 442 if (skb_queue_empty(&d->tx_queue)) { 443 rfcomm_send_disc(s, d->dlci); 444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 445 } else { 446 rfcomm_queue_disc(d); 447 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 448 } 449 } 450 451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 452 { 453 struct rfcomm_session *s = d->session; 454 if (!s) 455 return 0; 456 457 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 458 d, d->state, d->dlci, err, s); 459 460 switch (d->state) { 461 case BT_CONNECT: 462 case BT_CONFIG: 463 case BT_OPEN: 464 case BT_CONNECT2: 465 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 466 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 467 rfcomm_schedule(); 468 return 0; 469 } 470 } 471 472 switch (d->state) { 473 case BT_CONNECT: 474 case BT_CONNECTED: 475 __rfcomm_dlc_disconn(d); 476 break; 477 478 case BT_CONFIG: 479 if (s->state != BT_BOUND) { 480 __rfcomm_dlc_disconn(d); 481 break; 482 } 483 /* if closing a dlc in a session that hasn't been started, 484 * just close and unlink the dlc 485 */ 486 fallthrough; 487 488 default: 489 rfcomm_dlc_clear_timer(d); 490 491 rfcomm_dlc_lock(d); 492 d->state = BT_CLOSED; 493 d->state_change(d, err); 494 rfcomm_dlc_unlock(d); 495 496 skb_queue_purge(&d->tx_queue); 497 rfcomm_dlc_unlink(d); 498 } 499 500 return 0; 501 } 502 503 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 504 { 505 int r = 0; 506 struct rfcomm_dlc *d_list; 507 struct rfcomm_session *s, *s_list; 508 509 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err); 510 511 rfcomm_lock(); 512 513 s = d->session; 514 if (!s) 515 goto no_session; 516 517 /* after waiting on the mutex check the session still exists 518 * then check the dlc still exists 519 */ 520 list_for_each_entry(s_list, &session_list, list) { 521 if (s_list == s) { 522 list_for_each_entry(d_list, &s->dlcs, list) { 523 if (d_list == d) { 524 r = __rfcomm_dlc_close(d, err); 525 break; 526 } 527 } 528 break; 529 } 530 } 531 532 no_session: 533 rfcomm_unlock(); 534 return r; 535 } 536 537 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel) 538 { 539 struct rfcomm_session *s; 540 struct rfcomm_dlc *dlc = NULL; 541 u8 dlci; 542 543 if (rfcomm_check_channel(channel)) 544 return ERR_PTR(-EINVAL); 545 546 rfcomm_lock(); 547 s = rfcomm_session_get(src, dst); 548 if (s) { 549 dlci = __dlci(__session_dir(s), channel); 550 dlc = rfcomm_dlc_get(s, dlci); 551 } 552 rfcomm_unlock(); 553 return dlc; 554 } 555 556 static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag) 557 { 558 int len = frag->len; 559 560 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 561 562 if (len > d->mtu) 563 return -EINVAL; 564 565 rfcomm_make_uih(frag, d->addr); 566 __skb_queue_tail(&d->tx_queue, frag); 567 568 return len; 569 } 570 571 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 572 { 573 unsigned long flags; 574 struct sk_buff *frag, *next; 575 int len; 576 577 if (d->state != BT_CONNECTED) 578 return -ENOTCONN; 579 580 frag = skb_shinfo(skb)->frag_list; 581 skb_shinfo(skb)->frag_list = NULL; 582 583 /* Queue all fragments atomically. */ 584 spin_lock_irqsave(&d->tx_queue.lock, flags); 585 586 len = rfcomm_dlc_send_frag(d, skb); 587 if (len < 0 || !frag) 588 goto unlock; 589 590 for (; frag; frag = next) { 591 int ret; 592 593 next = frag->next; 594 595 ret = rfcomm_dlc_send_frag(d, frag); 596 if (ret < 0) { 597 dev_kfree_skb_irq(frag); 598 goto unlock; 599 } 600 601 len += ret; 602 } 603 604 unlock: 605 spin_unlock_irqrestore(&d->tx_queue.lock, flags); 606 607 if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 608 rfcomm_schedule(); 609 return len; 610 } 611 612 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb) 613 { 614 int len = skb->len; 615 616 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 617 618 rfcomm_make_uih(skb, d->addr); 619 skb_queue_tail(&d->tx_queue, skb); 620 621 if (d->state == BT_CONNECTED && 622 !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 623 rfcomm_schedule(); 624 } 625 626 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 627 { 628 BT_DBG("dlc %p state %ld", d, d->state); 629 630 if (!d->cfc) { 631 d->v24_sig |= RFCOMM_V24_FC; 632 set_bit(RFCOMM_MSC_PENDING, &d->flags); 633 } 634 rfcomm_schedule(); 635 } 636 637 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 638 { 639 BT_DBG("dlc %p state %ld", d, d->state); 640 641 if (!d->cfc) { 642 d->v24_sig &= ~RFCOMM_V24_FC; 643 set_bit(RFCOMM_MSC_PENDING, &d->flags); 644 } 645 rfcomm_schedule(); 646 } 647 648 /* 649 Set/get modem status functions use _local_ status i.e. what we report 650 to the other side. 651 Remote status is provided by dlc->modem_status() callback. 652 */ 653 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 654 { 655 BT_DBG("dlc %p state %ld v24_sig 0x%x", 656 d, d->state, v24_sig); 657 658 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 659 v24_sig |= RFCOMM_V24_FC; 660 else 661 v24_sig &= ~RFCOMM_V24_FC; 662 663 d->v24_sig = v24_sig; 664 665 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 666 rfcomm_schedule(); 667 668 return 0; 669 } 670 671 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 672 { 673 BT_DBG("dlc %p state %ld v24_sig 0x%x", 674 d, d->state, d->v24_sig); 675 676 *v24_sig = d->v24_sig; 677 return 0; 678 } 679 680 /* ---- RFCOMM sessions ---- */ 681 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 682 { 683 struct rfcomm_session *s = kzalloc_obj(*s); 684 685 if (!s) 686 return NULL; 687 688 BT_DBG("session %p sock %p", s, sock); 689 690 timer_setup(&s->timer, rfcomm_session_timeout, 0); 691 692 INIT_LIST_HEAD(&s->dlcs); 693 s->state = state; 694 s->sock = sock; 695 696 s->mtu = RFCOMM_DEFAULT_MTU; 697 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 698 699 /* Do not increment module usage count for listening sessions. 700 * Otherwise we won't be able to unload the module. */ 701 if (state != BT_LISTEN) 702 if (!try_module_get(THIS_MODULE)) { 703 kfree(s); 704 return NULL; 705 } 706 707 list_add(&s->list, &session_list); 708 709 return s; 710 } 711 712 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s) 713 { 714 int state = s->state; 715 716 BT_DBG("session %p state %ld", s, s->state); 717 718 list_del(&s->list); 719 720 rfcomm_session_clear_timer(s); 721 sock_release(s->sock); 722 kfree(s); 723 724 if (state != BT_LISTEN) 725 module_put(THIS_MODULE); 726 727 return NULL; 728 } 729 730 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 731 { 732 struct rfcomm_session *s, *n; 733 struct l2cap_chan *chan; 734 list_for_each_entry_safe(s, n, &session_list, list) { 735 chan = l2cap_pi(s->sock->sk)->chan; 736 737 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) && 738 !bacmp(&chan->dst, dst)) 739 return s; 740 } 741 return NULL; 742 } 743 744 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s, 745 int err) 746 { 747 struct rfcomm_dlc *d, *n; 748 749 s->state = BT_CLOSED; 750 751 BT_DBG("session %p state %ld err %d", s, s->state, err); 752 753 /* Close all dlcs */ 754 list_for_each_entry_safe(d, n, &s->dlcs, list) { 755 d->state = BT_CLOSED; 756 __rfcomm_dlc_close(d, err); 757 } 758 759 rfcomm_session_clear_timer(s); 760 return rfcomm_session_del(s); 761 } 762 763 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 764 bdaddr_t *dst, 765 u8 sec_level, 766 int *err) 767 { 768 struct rfcomm_session *s = NULL; 769 struct sockaddr_l2 addr; 770 struct socket *sock; 771 struct sock *sk; 772 773 BT_DBG("%pMR -> %pMR", src, dst); 774 775 *err = rfcomm_l2sock_create(&sock); 776 if (*err < 0) 777 return NULL; 778 779 bacpy(&addr.l2_bdaddr, src); 780 addr.l2_family = AF_BLUETOOTH; 781 addr.l2_psm = 0; 782 addr.l2_cid = 0; 783 addr.l2_bdaddr_type = BDADDR_BREDR; 784 *err = kernel_bind(sock, (struct sockaddr_unsized *)&addr, sizeof(addr)); 785 if (*err < 0) 786 goto failed; 787 788 /* Set L2CAP options */ 789 sk = sock->sk; 790 lock_sock(sk); 791 /* Set MTU to 0 so L2CAP can auto select the MTU */ 792 l2cap_pi(sk)->chan->imtu = 0; 793 l2cap_pi(sk)->chan->sec_level = sec_level; 794 if (l2cap_ertm) 795 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 796 release_sock(sk); 797 798 s = rfcomm_session_add(sock, BT_BOUND); 799 if (!s) { 800 *err = -ENOMEM; 801 goto failed; 802 } 803 804 s->initiator = 1; 805 806 bacpy(&addr.l2_bdaddr, dst); 807 addr.l2_family = AF_BLUETOOTH; 808 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM); 809 addr.l2_cid = 0; 810 addr.l2_bdaddr_type = BDADDR_BREDR; 811 *err = kernel_connect(sock, (struct sockaddr_unsized *)&addr, sizeof(addr), O_NONBLOCK); 812 if (*err == 0 || *err == -EINPROGRESS) 813 return s; 814 815 return rfcomm_session_del(s); 816 817 failed: 818 sock_release(sock); 819 return NULL; 820 } 821 822 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 823 { 824 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 825 if (src) 826 bacpy(src, &chan->src); 827 if (dst) 828 bacpy(dst, &chan->dst); 829 } 830 831 /* ---- RFCOMM frame sending ---- */ 832 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 833 { 834 struct kvec iv = { data, len }; 835 struct msghdr msg; 836 837 BT_DBG("session %p len %d", s, len); 838 839 memset(&msg, 0, sizeof(msg)); 840 841 return kernel_sendmsg(s->sock, &msg, &iv, 1, len); 842 } 843 844 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 845 { 846 BT_DBG("%p cmd %u", s, cmd->ctrl); 847 848 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd)); 849 } 850 851 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 852 { 853 struct rfcomm_cmd cmd; 854 855 BT_DBG("%p dlci %d", s, dlci); 856 857 cmd.addr = __addr(s->initiator, dlci); 858 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 859 cmd.len = __len8(0); 860 cmd.fcs = __fcs2((u8 *) &cmd); 861 862 return rfcomm_send_cmd(s, &cmd); 863 } 864 865 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 866 { 867 struct rfcomm_cmd cmd; 868 869 BT_DBG("%p dlci %d", s, dlci); 870 871 cmd.addr = __addr(!s->initiator, dlci); 872 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 873 cmd.len = __len8(0); 874 cmd.fcs = __fcs2((u8 *) &cmd); 875 876 return rfcomm_send_cmd(s, &cmd); 877 } 878 879 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 880 { 881 struct rfcomm_cmd cmd; 882 883 BT_DBG("%p dlci %d", s, dlci); 884 885 cmd.addr = __addr(s->initiator, dlci); 886 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 887 cmd.len = __len8(0); 888 cmd.fcs = __fcs2((u8 *) &cmd); 889 890 return rfcomm_send_cmd(s, &cmd); 891 } 892 893 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 894 { 895 struct rfcomm_cmd *cmd; 896 struct sk_buff *skb; 897 898 BT_DBG("dlc %p dlci %d", d, d->dlci); 899 900 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 901 if (!skb) 902 return -ENOMEM; 903 904 cmd = __skb_put(skb, sizeof(*cmd)); 905 cmd->addr = d->addr; 906 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 907 cmd->len = __len8(0); 908 cmd->fcs = __fcs2((u8 *) cmd); 909 910 skb_queue_tail(&d->tx_queue, skb); 911 rfcomm_schedule(); 912 return 0; 913 } 914 915 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 916 { 917 struct rfcomm_cmd cmd; 918 919 BT_DBG("%p dlci %d", s, dlci); 920 921 cmd.addr = __addr(!s->initiator, dlci); 922 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 923 cmd.len = __len8(0); 924 cmd.fcs = __fcs2((u8 *) &cmd); 925 926 return rfcomm_send_cmd(s, &cmd); 927 } 928 929 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 930 { 931 struct rfcomm_hdr *hdr; 932 struct rfcomm_mcc *mcc; 933 u8 buf[16], *ptr = buf; 934 935 BT_DBG("%p cr %d type %d", s, cr, type); 936 937 hdr = (void *) ptr; ptr += sizeof(*hdr); 938 hdr->addr = __addr(s->initiator, 0); 939 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 940 hdr->len = __len8(sizeof(*mcc) + 1); 941 942 mcc = (void *) ptr; ptr += sizeof(*mcc); 943 mcc->type = __mcc_type(0, RFCOMM_NSC); 944 mcc->len = __len8(1); 945 946 /* Type that we didn't like */ 947 *ptr = __mcc_type(cr, type); ptr++; 948 949 *ptr = __fcs(buf); ptr++; 950 951 return rfcomm_send_frame(s, buf, ptr - buf); 952 } 953 954 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 955 { 956 struct rfcomm_hdr *hdr; 957 struct rfcomm_mcc *mcc; 958 struct rfcomm_pn *pn; 959 u8 buf[16], *ptr = buf; 960 961 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 962 963 hdr = (void *) ptr; ptr += sizeof(*hdr); 964 hdr->addr = __addr(s->initiator, 0); 965 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 966 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 967 968 mcc = (void *) ptr; ptr += sizeof(*mcc); 969 mcc->type = __mcc_type(cr, RFCOMM_PN); 970 mcc->len = __len8(sizeof(*pn)); 971 972 pn = (void *) ptr; ptr += sizeof(*pn); 973 pn->dlci = d->dlci; 974 pn->priority = d->priority; 975 pn->ack_timer = 0; 976 pn->max_retrans = 0; 977 978 if (s->cfc) { 979 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 980 pn->credits = RFCOMM_DEFAULT_CREDITS; 981 } else { 982 pn->flow_ctrl = 0; 983 pn->credits = 0; 984 } 985 986 if (cr && channel_mtu >= 0) 987 pn->mtu = cpu_to_le16(channel_mtu); 988 else 989 pn->mtu = cpu_to_le16(d->mtu); 990 991 *ptr = __fcs(buf); ptr++; 992 993 return rfcomm_send_frame(s, buf, ptr - buf); 994 } 995 996 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 997 u8 bit_rate, u8 data_bits, u8 stop_bits, 998 u8 parity, u8 flow_ctrl_settings, 999 u8 xon_char, u8 xoff_char, u16 param_mask) 1000 { 1001 struct rfcomm_hdr *hdr; 1002 struct rfcomm_mcc *mcc; 1003 struct rfcomm_rpn *rpn; 1004 u8 buf[16], *ptr = buf; 1005 1006 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 1007 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 1008 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 1009 flow_ctrl_settings, xon_char, xoff_char, param_mask); 1010 1011 hdr = (void *) ptr; ptr += sizeof(*hdr); 1012 hdr->addr = __addr(s->initiator, 0); 1013 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1014 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 1015 1016 mcc = (void *) ptr; ptr += sizeof(*mcc); 1017 mcc->type = __mcc_type(cr, RFCOMM_RPN); 1018 mcc->len = __len8(sizeof(*rpn)); 1019 1020 rpn = (void *) ptr; ptr += sizeof(*rpn); 1021 rpn->dlci = __addr(1, dlci); 1022 rpn->bit_rate = bit_rate; 1023 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 1024 rpn->flow_ctrl = flow_ctrl_settings; 1025 rpn->xon_char = xon_char; 1026 rpn->xoff_char = xoff_char; 1027 rpn->param_mask = cpu_to_le16(param_mask); 1028 1029 *ptr = __fcs(buf); ptr++; 1030 1031 return rfcomm_send_frame(s, buf, ptr - buf); 1032 } 1033 1034 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 1035 { 1036 struct rfcomm_hdr *hdr; 1037 struct rfcomm_mcc *mcc; 1038 struct rfcomm_rls *rls; 1039 u8 buf[16], *ptr = buf; 1040 1041 BT_DBG("%p cr %d status 0x%x", s, cr, status); 1042 1043 hdr = (void *) ptr; ptr += sizeof(*hdr); 1044 hdr->addr = __addr(s->initiator, 0); 1045 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1046 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 1047 1048 mcc = (void *) ptr; ptr += sizeof(*mcc); 1049 mcc->type = __mcc_type(cr, RFCOMM_RLS); 1050 mcc->len = __len8(sizeof(*rls)); 1051 1052 rls = (void *) ptr; ptr += sizeof(*rls); 1053 rls->dlci = __addr(1, dlci); 1054 rls->status = status; 1055 1056 *ptr = __fcs(buf); ptr++; 1057 1058 return rfcomm_send_frame(s, buf, ptr - buf); 1059 } 1060 1061 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 1062 { 1063 struct rfcomm_hdr *hdr; 1064 struct rfcomm_mcc *mcc; 1065 struct rfcomm_msc *msc; 1066 u8 buf[16], *ptr = buf; 1067 1068 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 1069 1070 hdr = (void *) ptr; ptr += sizeof(*hdr); 1071 hdr->addr = __addr(s->initiator, 0); 1072 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1073 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 1074 1075 mcc = (void *) ptr; ptr += sizeof(*mcc); 1076 mcc->type = __mcc_type(cr, RFCOMM_MSC); 1077 mcc->len = __len8(sizeof(*msc)); 1078 1079 msc = (void *) ptr; ptr += sizeof(*msc); 1080 msc->dlci = __addr(1, dlci); 1081 msc->v24_sig = v24_sig | 0x01; 1082 1083 *ptr = __fcs(buf); ptr++; 1084 1085 return rfcomm_send_frame(s, buf, ptr - buf); 1086 } 1087 1088 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1089 { 1090 struct rfcomm_hdr *hdr; 1091 struct rfcomm_mcc *mcc; 1092 u8 buf[16], *ptr = buf; 1093 1094 BT_DBG("%p cr %d", s, cr); 1095 1096 hdr = (void *) ptr; ptr += sizeof(*hdr); 1097 hdr->addr = __addr(s->initiator, 0); 1098 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1099 hdr->len = __len8(sizeof(*mcc)); 1100 1101 mcc = (void *) ptr; ptr += sizeof(*mcc); 1102 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1103 mcc->len = __len8(0); 1104 1105 *ptr = __fcs(buf); ptr++; 1106 1107 return rfcomm_send_frame(s, buf, ptr - buf); 1108 } 1109 1110 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1111 { 1112 struct rfcomm_hdr *hdr; 1113 struct rfcomm_mcc *mcc; 1114 u8 buf[16], *ptr = buf; 1115 1116 BT_DBG("%p cr %d", s, cr); 1117 1118 hdr = (void *) ptr; ptr += sizeof(*hdr); 1119 hdr->addr = __addr(s->initiator, 0); 1120 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1121 hdr->len = __len8(sizeof(*mcc)); 1122 1123 mcc = (void *) ptr; ptr += sizeof(*mcc); 1124 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1125 mcc->len = __len8(0); 1126 1127 *ptr = __fcs(buf); ptr++; 1128 1129 return rfcomm_send_frame(s, buf, ptr - buf); 1130 } 1131 1132 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1133 { 1134 struct socket *sock = s->sock; 1135 struct kvec iv[3]; 1136 struct msghdr msg; 1137 unsigned char hdr[5], crc[1]; 1138 1139 if (len > 125) 1140 return -EINVAL; 1141 1142 BT_DBG("%p cr %d", s, cr); 1143 1144 hdr[0] = __addr(s->initiator, 0); 1145 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1146 hdr[2] = 0x01 | ((len + 2) << 1); 1147 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1148 hdr[4] = 0x01 | (len << 1); 1149 1150 crc[0] = __fcs(hdr); 1151 1152 iv[0].iov_base = hdr; 1153 iv[0].iov_len = 5; 1154 iv[1].iov_base = pattern; 1155 iv[1].iov_len = len; 1156 iv[2].iov_base = crc; 1157 iv[2].iov_len = 1; 1158 1159 memset(&msg, 0, sizeof(msg)); 1160 1161 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1162 } 1163 1164 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1165 { 1166 struct rfcomm_hdr *hdr; 1167 u8 buf[16], *ptr = buf; 1168 1169 BT_DBG("%p addr %d credits %d", s, addr, credits); 1170 1171 hdr = (void *) ptr; ptr += sizeof(*hdr); 1172 hdr->addr = addr; 1173 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1174 hdr->len = __len8(0); 1175 1176 *ptr = credits; ptr++; 1177 1178 *ptr = __fcs(buf); ptr++; 1179 1180 return rfcomm_send_frame(s, buf, ptr - buf); 1181 } 1182 1183 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1184 { 1185 struct rfcomm_hdr *hdr; 1186 int len = skb->len; 1187 u8 *crc; 1188 1189 if (len > 127) { 1190 hdr = skb_push(skb, 4); 1191 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1192 } else { 1193 hdr = skb_push(skb, 3); 1194 hdr->len = __len8(len); 1195 } 1196 hdr->addr = addr; 1197 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1198 1199 crc = skb_put(skb, 1); 1200 *crc = __fcs((void *) hdr); 1201 } 1202 1203 /* ---- RFCOMM frame reception ---- */ 1204 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1205 { 1206 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1207 1208 if (dlci) { 1209 /* Data channel */ 1210 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1211 if (!d) { 1212 rfcomm_send_dm(s, dlci); 1213 return s; 1214 } 1215 1216 switch (d->state) { 1217 case BT_CONNECT: 1218 rfcomm_dlc_clear_timer(d); 1219 1220 rfcomm_dlc_lock(d); 1221 d->state = BT_CONNECTED; 1222 d->state_change(d, 0); 1223 rfcomm_dlc_unlock(d); 1224 1225 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1226 break; 1227 1228 case BT_DISCONN: 1229 d->state = BT_CLOSED; 1230 __rfcomm_dlc_close(d, 0); 1231 1232 if (list_empty(&s->dlcs)) { 1233 s->state = BT_DISCONN; 1234 rfcomm_send_disc(s, 0); 1235 rfcomm_session_clear_timer(s); 1236 } 1237 1238 break; 1239 } 1240 } else { 1241 /* Control channel */ 1242 switch (s->state) { 1243 case BT_CONNECT: 1244 s->state = BT_CONNECTED; 1245 rfcomm_process_connect(s); 1246 break; 1247 1248 case BT_DISCONN: 1249 s = rfcomm_session_close(s, ECONNRESET); 1250 break; 1251 } 1252 } 1253 return s; 1254 } 1255 1256 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1257 { 1258 int err = 0; 1259 1260 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1261 1262 if (dlci) { 1263 /* Data DLC */ 1264 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1265 if (d) { 1266 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1267 err = ECONNREFUSED; 1268 else 1269 err = ECONNRESET; 1270 1271 d->state = BT_CLOSED; 1272 __rfcomm_dlc_close(d, err); 1273 } 1274 } else { 1275 if (s->state == BT_CONNECT) 1276 err = ECONNREFUSED; 1277 else 1278 err = ECONNRESET; 1279 1280 s = rfcomm_session_close(s, err); 1281 } 1282 return s; 1283 } 1284 1285 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s, 1286 u8 dlci) 1287 { 1288 int err = 0; 1289 1290 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1291 1292 if (dlci) { 1293 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1294 if (d) { 1295 rfcomm_send_ua(s, dlci); 1296 1297 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1298 err = ECONNREFUSED; 1299 else 1300 err = ECONNRESET; 1301 1302 d->state = BT_CLOSED; 1303 __rfcomm_dlc_close(d, err); 1304 } else 1305 rfcomm_send_dm(s, dlci); 1306 1307 } else { 1308 rfcomm_send_ua(s, 0); 1309 1310 if (s->state == BT_CONNECT) 1311 err = ECONNREFUSED; 1312 else 1313 err = ECONNRESET; 1314 1315 s = rfcomm_session_close(s, err); 1316 } 1317 return s; 1318 } 1319 1320 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1321 { 1322 struct sock *sk = d->session->sock->sk; 1323 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1324 1325 BT_DBG("dlc %p", d); 1326 1327 rfcomm_send_ua(d->session, d->dlci); 1328 1329 rfcomm_dlc_clear_timer(d); 1330 1331 rfcomm_dlc_lock(d); 1332 d->state = BT_CONNECTED; 1333 d->state_change(d, 0); 1334 rfcomm_dlc_unlock(d); 1335 1336 if (d->role_switch) 1337 hci_conn_switch_role(conn->hcon, 0x00); 1338 1339 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1340 } 1341 1342 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1343 { 1344 if (rfcomm_check_security(d)) { 1345 if (d->defer_setup) { 1346 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1347 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1348 1349 rfcomm_dlc_lock(d); 1350 d->state = BT_CONNECT2; 1351 d->state_change(d, 0); 1352 rfcomm_dlc_unlock(d); 1353 } else 1354 rfcomm_dlc_accept(d); 1355 } else { 1356 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1357 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1358 } 1359 } 1360 1361 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1362 { 1363 struct rfcomm_dlc *d; 1364 u8 channel; 1365 1366 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1367 1368 if (!dlci) { 1369 rfcomm_send_ua(s, 0); 1370 1371 if (s->state == BT_OPEN) { 1372 s->state = BT_CONNECTED; 1373 rfcomm_process_connect(s); 1374 } 1375 return 0; 1376 } 1377 1378 /* Check if DLC exists */ 1379 d = rfcomm_dlc_get(s, dlci); 1380 if (d) { 1381 if (d->state == BT_OPEN) { 1382 /* DLC was previously opened by PN request */ 1383 rfcomm_check_accept(d); 1384 } 1385 return 0; 1386 } 1387 1388 /* Notify socket layer about incoming connection */ 1389 channel = __srv_channel(dlci); 1390 if (rfcomm_connect_ind(s, channel, &d)) { 1391 d->dlci = dlci; 1392 d->addr = __addr(s->initiator, dlci); 1393 rfcomm_dlc_link(s, d); 1394 1395 rfcomm_check_accept(d); 1396 } else { 1397 rfcomm_send_dm(s, dlci); 1398 } 1399 1400 return 0; 1401 } 1402 1403 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1404 { 1405 struct rfcomm_session *s = d->session; 1406 1407 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1408 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1409 1410 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1411 pn->flow_ctrl == 0xe0) { 1412 d->cfc = RFCOMM_CFC_ENABLED; 1413 d->tx_credits = pn->credits; 1414 } else { 1415 d->cfc = RFCOMM_CFC_DISABLED; 1416 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1417 } 1418 1419 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1420 s->cfc = d->cfc; 1421 1422 d->priority = pn->priority; 1423 1424 d->mtu = __le16_to_cpu(pn->mtu); 1425 1426 if (cr && d->mtu > s->mtu) 1427 d->mtu = s->mtu; 1428 1429 return 0; 1430 } 1431 1432 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1433 { 1434 struct rfcomm_pn *pn; 1435 struct rfcomm_dlc *d; 1436 u8 dlci; 1437 1438 pn = skb_pull_data(skb, sizeof(*pn)); 1439 if (!pn) 1440 return -EILSEQ; 1441 1442 dlci = pn->dlci; 1443 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1444 1445 if (!dlci) 1446 return 0; 1447 1448 d = rfcomm_dlc_get(s, dlci); 1449 if (d) { 1450 if (cr) { 1451 /* PN request */ 1452 rfcomm_apply_pn(d, cr, pn); 1453 rfcomm_send_pn(s, 0, d); 1454 } else { 1455 /* PN response */ 1456 switch (d->state) { 1457 case BT_CONFIG: 1458 rfcomm_apply_pn(d, cr, pn); 1459 1460 d->state = BT_CONNECT; 1461 rfcomm_send_sabm(s, d->dlci); 1462 break; 1463 } 1464 } 1465 } else { 1466 u8 channel = __srv_channel(dlci); 1467 1468 if (!cr) 1469 return 0; 1470 1471 /* PN request for non existing DLC. 1472 * Assume incoming connection. */ 1473 if (rfcomm_connect_ind(s, channel, &d)) { 1474 d->dlci = dlci; 1475 d->addr = __addr(s->initiator, dlci); 1476 rfcomm_dlc_link(s, d); 1477 1478 rfcomm_apply_pn(d, cr, pn); 1479 1480 d->state = BT_OPEN; 1481 rfcomm_send_pn(s, 0, d); 1482 } else { 1483 rfcomm_send_dm(s, dlci); 1484 } 1485 } 1486 return 0; 1487 } 1488 1489 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1490 { 1491 struct rfcomm_rpn *rpn; 1492 u8 dlci; 1493 1494 u8 bit_rate = 0; 1495 u8 data_bits = 0; 1496 u8 stop_bits = 0; 1497 u8 parity = 0; 1498 u8 flow_ctrl = 0; 1499 u8 xon_char = 0; 1500 u8 xoff_char = 0; 1501 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1502 1503 if (len == 1) { 1504 rpn = skb_pull_data(skb, 1); 1505 if (!rpn) 1506 return -EILSEQ; 1507 1508 dlci = __get_dlci(rpn->dlci); 1509 1510 if (!cr) 1511 return 0; 1512 1513 bit_rate = RFCOMM_RPN_BR_9600; 1514 data_bits = RFCOMM_RPN_DATA_8; 1515 stop_bits = RFCOMM_RPN_STOP_1; 1516 parity = RFCOMM_RPN_PARITY_NONE; 1517 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1518 xon_char = RFCOMM_RPN_XON_CHAR; 1519 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1520 goto rpn_out; 1521 } 1522 1523 rpn = skb_pull_data(skb, sizeof(*rpn)); 1524 if (!rpn) 1525 return -EILSEQ; 1526 1527 dlci = __get_dlci(rpn->dlci); 1528 1529 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1530 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1531 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1532 1533 if (!cr) 1534 return 0; 1535 1536 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1537 * no parity, no flow control lines, normal XON/XOFF chars */ 1538 1539 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1540 bit_rate = rpn->bit_rate; 1541 if (bit_rate > RFCOMM_RPN_BR_230400) { 1542 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1543 bit_rate = RFCOMM_RPN_BR_9600; 1544 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1545 } 1546 } 1547 1548 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1549 data_bits = __get_rpn_data_bits(rpn->line_settings); 1550 if (data_bits != RFCOMM_RPN_DATA_8) { 1551 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1552 data_bits = RFCOMM_RPN_DATA_8; 1553 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1554 } 1555 } 1556 1557 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1558 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1559 if (stop_bits != RFCOMM_RPN_STOP_1) { 1560 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1561 stop_bits = RFCOMM_RPN_STOP_1; 1562 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1563 } 1564 } 1565 1566 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1567 parity = __get_rpn_parity(rpn->line_settings); 1568 if (parity != RFCOMM_RPN_PARITY_NONE) { 1569 BT_DBG("RPN parity mismatch 0x%x", parity); 1570 parity = RFCOMM_RPN_PARITY_NONE; 1571 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1572 } 1573 } 1574 1575 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1576 flow_ctrl = rpn->flow_ctrl; 1577 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1578 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1579 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1580 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1581 } 1582 } 1583 1584 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1585 xon_char = rpn->xon_char; 1586 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1587 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1588 xon_char = RFCOMM_RPN_XON_CHAR; 1589 rpn_mask ^= RFCOMM_RPN_PM_XON; 1590 } 1591 } 1592 1593 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1594 xoff_char = rpn->xoff_char; 1595 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1596 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1597 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1598 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1599 } 1600 } 1601 1602 rpn_out: 1603 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1604 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1605 1606 return 0; 1607 } 1608 1609 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1610 { 1611 struct rfcomm_rls *rls; 1612 u8 dlci; 1613 1614 rls = skb_pull_data(skb, sizeof(*rls)); 1615 if (!rls) 1616 return -EILSEQ; 1617 1618 dlci = __get_dlci(rls->dlci); 1619 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1620 1621 if (!cr) 1622 return 0; 1623 1624 /* We should probably do something with this information here. But 1625 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1626 * mandatory to recognise and respond to RLS */ 1627 1628 rfcomm_send_rls(s, 0, dlci, rls->status); 1629 1630 return 0; 1631 } 1632 1633 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1634 { 1635 struct rfcomm_msc *msc; 1636 struct rfcomm_dlc *d; 1637 u8 dlci; 1638 1639 msc = skb_pull_data(skb, sizeof(*msc)); 1640 if (!msc) 1641 return -EILSEQ; 1642 1643 dlci = __get_dlci(msc->dlci); 1644 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1645 1646 d = rfcomm_dlc_get(s, dlci); 1647 if (!d) 1648 return 0; 1649 1650 if (cr) { 1651 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1652 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1653 else 1654 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1655 1656 rfcomm_dlc_lock(d); 1657 1658 d->remote_v24_sig = msc->v24_sig; 1659 1660 if (d->modem_status) 1661 d->modem_status(d, msc->v24_sig); 1662 1663 rfcomm_dlc_unlock(d); 1664 1665 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1666 1667 d->mscex |= RFCOMM_MSCEX_RX; 1668 } else 1669 d->mscex |= RFCOMM_MSCEX_TX; 1670 1671 return 0; 1672 } 1673 1674 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1675 { 1676 struct rfcomm_mcc *mcc; 1677 u8 type, cr, len; 1678 1679 mcc = skb_pull_data(skb, sizeof(*mcc)); 1680 if (!mcc) 1681 return -EILSEQ; 1682 1683 cr = __test_cr(mcc->type); 1684 type = __get_mcc_type(mcc->type); 1685 len = __get_mcc_len(mcc->len); 1686 1687 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1688 1689 switch (type) { 1690 case RFCOMM_PN: 1691 rfcomm_recv_pn(s, cr, skb); 1692 break; 1693 1694 case RFCOMM_RPN: 1695 rfcomm_recv_rpn(s, cr, len, skb); 1696 break; 1697 1698 case RFCOMM_RLS: 1699 rfcomm_recv_rls(s, cr, skb); 1700 break; 1701 1702 case RFCOMM_MSC: 1703 rfcomm_recv_msc(s, cr, skb); 1704 break; 1705 1706 case RFCOMM_FCOFF: 1707 if (cr) { 1708 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1709 rfcomm_send_fcoff(s, 0); 1710 } 1711 break; 1712 1713 case RFCOMM_FCON: 1714 if (cr) { 1715 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1716 rfcomm_send_fcon(s, 0); 1717 } 1718 break; 1719 1720 case RFCOMM_TEST: 1721 if (cr) 1722 rfcomm_send_test(s, 0, skb->data, skb->len); 1723 break; 1724 1725 case RFCOMM_NSC: 1726 break; 1727 1728 default: 1729 BT_ERR("Unknown control type 0x%02x", type); 1730 rfcomm_send_nsc(s, cr, type); 1731 break; 1732 } 1733 return 0; 1734 } 1735 1736 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1737 { 1738 struct rfcomm_dlc *d; 1739 1740 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1741 1742 d = rfcomm_dlc_get(s, dlci); 1743 if (!d) { 1744 rfcomm_send_dm(s, dlci); 1745 goto drop; 1746 } 1747 1748 if (pf && d->cfc) { 1749 u8 *credits = skb_pull_data(skb, 1); 1750 1751 if (!credits) 1752 goto drop; 1753 1754 d->tx_credits += *credits; 1755 if (d->tx_credits) 1756 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1757 } 1758 1759 if (skb->len && d->state == BT_CONNECTED) { 1760 rfcomm_dlc_lock(d); 1761 d->rx_credits--; 1762 d->data_ready(d, skb); 1763 rfcomm_dlc_unlock(d); 1764 return 0; 1765 } 1766 1767 drop: 1768 kfree_skb(skb); 1769 return 0; 1770 } 1771 1772 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, 1773 struct sk_buff *skb) 1774 { 1775 struct rfcomm_hdr *hdr = (void *) skb->data; 1776 u8 type, dlci, fcs; 1777 1778 if (!s) { 1779 /* no session, so free socket data */ 1780 kfree_skb(skb); 1781 return s; 1782 } 1783 1784 dlci = __get_dlci(hdr->addr); 1785 type = __get_type(hdr->ctrl); 1786 1787 /* Trim FCS */ 1788 skb->len--; skb->tail--; 1789 fcs = *(u8 *)skb_tail_pointer(skb); 1790 1791 if (__check_fcs(skb->data, type, fcs)) { 1792 BT_ERR("bad checksum in packet"); 1793 kfree_skb(skb); 1794 return s; 1795 } 1796 1797 if (__test_ea(hdr->len)) 1798 skb_pull(skb, 3); 1799 else 1800 skb_pull(skb, 4); 1801 1802 switch (type) { 1803 case RFCOMM_SABM: 1804 if (__test_pf(hdr->ctrl)) 1805 rfcomm_recv_sabm(s, dlci); 1806 break; 1807 1808 case RFCOMM_DISC: 1809 if (__test_pf(hdr->ctrl)) 1810 s = rfcomm_recv_disc(s, dlci); 1811 break; 1812 1813 case RFCOMM_UA: 1814 if (__test_pf(hdr->ctrl)) 1815 s = rfcomm_recv_ua(s, dlci); 1816 break; 1817 1818 case RFCOMM_DM: 1819 s = rfcomm_recv_dm(s, dlci); 1820 break; 1821 1822 case RFCOMM_UIH: 1823 if (dlci) { 1824 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1825 return s; 1826 } 1827 rfcomm_recv_mcc(s, skb); 1828 break; 1829 1830 default: 1831 BT_ERR("Unknown packet type 0x%02x", type); 1832 break; 1833 } 1834 kfree_skb(skb); 1835 return s; 1836 } 1837 1838 /* ---- Connection and data processing ---- */ 1839 1840 static void rfcomm_process_connect(struct rfcomm_session *s) 1841 { 1842 struct rfcomm_dlc *d, *n; 1843 1844 BT_DBG("session %p state %ld", s, s->state); 1845 1846 list_for_each_entry_safe(d, n, &s->dlcs, list) { 1847 if (d->state == BT_CONFIG) { 1848 d->mtu = s->mtu; 1849 if (rfcomm_check_security(d)) { 1850 rfcomm_send_pn(s, 1, d); 1851 } else { 1852 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1853 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1854 } 1855 } 1856 } 1857 } 1858 1859 /* Send data queued for the DLC. 1860 * Return number of frames left in the queue. 1861 */ 1862 static int rfcomm_process_tx(struct rfcomm_dlc *d) 1863 { 1864 struct sk_buff *skb; 1865 int err; 1866 1867 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1868 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1869 1870 /* Send pending MSC */ 1871 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1872 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1873 1874 if (d->cfc) { 1875 /* CFC enabled. 1876 * Give them some credits */ 1877 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1878 d->rx_credits <= (d->cfc >> 2)) { 1879 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1880 d->rx_credits = d->cfc; 1881 } 1882 } else { 1883 /* CFC disabled. 1884 * Give ourselves some credits */ 1885 d->tx_credits = 5; 1886 } 1887 1888 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1889 return skb_queue_len(&d->tx_queue); 1890 1891 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1892 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1893 if (err < 0) { 1894 skb_queue_head(&d->tx_queue, skb); 1895 break; 1896 } 1897 kfree_skb(skb); 1898 d->tx_credits--; 1899 } 1900 1901 if (d->cfc && !d->tx_credits) { 1902 /* We're out of TX credits. 1903 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1904 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1905 } 1906 1907 return skb_queue_len(&d->tx_queue); 1908 } 1909 1910 static void rfcomm_process_dlcs(struct rfcomm_session *s) 1911 { 1912 struct rfcomm_dlc *d, *n; 1913 1914 BT_DBG("session %p state %ld", s, s->state); 1915 1916 list_for_each_entry_safe(d, n, &s->dlcs, list) { 1917 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1918 __rfcomm_dlc_close(d, ETIMEDOUT); 1919 continue; 1920 } 1921 1922 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1923 __rfcomm_dlc_close(d, ECONNREFUSED); 1924 continue; 1925 } 1926 1927 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1928 rfcomm_dlc_clear_timer(d); 1929 if (d->out) { 1930 rfcomm_send_pn(s, 1, d); 1931 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1932 } else { 1933 if (d->defer_setup) { 1934 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1935 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1936 1937 rfcomm_dlc_lock(d); 1938 d->state = BT_CONNECT2; 1939 d->state_change(d, 0); 1940 rfcomm_dlc_unlock(d); 1941 } else 1942 rfcomm_dlc_accept(d); 1943 } 1944 continue; 1945 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1946 rfcomm_dlc_clear_timer(d); 1947 if (!d->out) 1948 rfcomm_send_dm(s, d->dlci); 1949 else 1950 d->state = BT_CLOSED; 1951 __rfcomm_dlc_close(d, ECONNREFUSED); 1952 continue; 1953 } 1954 1955 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1956 continue; 1957 1958 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1959 continue; 1960 1961 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1962 d->mscex == RFCOMM_MSCEX_OK) 1963 rfcomm_process_tx(d); 1964 } 1965 } 1966 1967 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) 1968 { 1969 struct socket *sock = s->sock; 1970 struct sock *sk = sock->sk; 1971 struct sk_buff *skb; 1972 1973 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1974 1975 /* Get data directly from socket receive queue without copying it. */ 1976 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1977 skb_orphan(skb); 1978 if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) { 1979 s = rfcomm_recv_frame(s, skb); 1980 if (!s) 1981 break; 1982 } else { 1983 kfree_skb(skb); 1984 } 1985 } 1986 1987 if (s && (sk->sk_state == BT_CLOSED)) 1988 s = rfcomm_session_close(s, sk->sk_err); 1989 1990 return s; 1991 } 1992 1993 static void rfcomm_accept_connection(struct rfcomm_session *s) 1994 { 1995 struct socket *sock = s->sock, *nsock; 1996 int err; 1997 1998 /* Fast check for a new connection. 1999 * Avoids unnecessary socket allocations. 2000 */ 2001 if (list_empty(&bt_sk(sock->sk)->accept_q)) 2002 return; 2003 2004 BT_DBG("session %p", s); 2005 2006 err = kernel_accept(sock, &nsock, O_NONBLOCK); 2007 if (err < 0) 2008 return; 2009 2010 /* Set our callbacks */ 2011 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 2012 nsock->sk->sk_state_change = rfcomm_l2state_change; 2013 2014 s = rfcomm_session_add(nsock, BT_OPEN); 2015 if (s) { 2016 /* We should adjust MTU on incoming sessions. 2017 * L2CAP MTU minus UIH header and FCS. */ 2018 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 2019 l2cap_pi(nsock->sk)->chan->imtu) - 5; 2020 2021 rfcomm_schedule(); 2022 } else 2023 sock_release(nsock); 2024 } 2025 2026 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s) 2027 { 2028 struct sock *sk = s->sock->sk; 2029 2030 BT_DBG("%p state %ld", s, s->state); 2031 2032 switch (sk->sk_state) { 2033 case BT_CONNECTED: 2034 s->state = BT_CONNECT; 2035 2036 /* We can adjust MTU on outgoing sessions. 2037 * L2CAP MTU minus UIH header and FCS. */ 2038 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 2039 2040 rfcomm_send_sabm(s, 0); 2041 break; 2042 2043 case BT_CLOSED: 2044 s = rfcomm_session_close(s, sk->sk_err); 2045 break; 2046 } 2047 return s; 2048 } 2049 2050 static void rfcomm_process_sessions(void) 2051 { 2052 struct rfcomm_session *s, *n; 2053 2054 rfcomm_lock(); 2055 2056 list_for_each_entry_safe(s, n, &session_list, list) { 2057 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 2058 s->state = BT_DISCONN; 2059 rfcomm_send_disc(s, 0); 2060 continue; 2061 } 2062 2063 switch (s->state) { 2064 case BT_LISTEN: 2065 rfcomm_accept_connection(s); 2066 continue; 2067 2068 case BT_BOUND: 2069 s = rfcomm_check_connection(s); 2070 break; 2071 2072 default: 2073 s = rfcomm_process_rx(s); 2074 break; 2075 } 2076 2077 if (s) 2078 rfcomm_process_dlcs(s); 2079 } 2080 2081 rfcomm_unlock(); 2082 } 2083 2084 static int rfcomm_add_listener(bdaddr_t *ba) 2085 { 2086 struct sockaddr_l2 addr; 2087 struct socket *sock; 2088 struct sock *sk; 2089 struct rfcomm_session *s; 2090 int err = 0; 2091 2092 /* Create socket */ 2093 err = rfcomm_l2sock_create(&sock); 2094 if (err < 0) { 2095 BT_ERR("Create socket failed %d", err); 2096 return err; 2097 } 2098 2099 /* Bind socket */ 2100 bacpy(&addr.l2_bdaddr, ba); 2101 addr.l2_family = AF_BLUETOOTH; 2102 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM); 2103 addr.l2_cid = 0; 2104 addr.l2_bdaddr_type = BDADDR_BREDR; 2105 err = kernel_bind(sock, (struct sockaddr_unsized *)&addr, sizeof(addr)); 2106 if (err < 0) { 2107 BT_ERR("Bind failed %d", err); 2108 goto failed; 2109 } 2110 2111 /* Set L2CAP options */ 2112 sk = sock->sk; 2113 lock_sock(sk); 2114 /* Set MTU to 0 so L2CAP can auto select the MTU */ 2115 l2cap_pi(sk)->chan->imtu = 0; 2116 release_sock(sk); 2117 2118 /* Start listening on the socket */ 2119 err = kernel_listen(sock, 10); 2120 if (err) { 2121 BT_ERR("Listen failed %d", err); 2122 goto failed; 2123 } 2124 2125 /* Add listening session */ 2126 s = rfcomm_session_add(sock, BT_LISTEN); 2127 if (!s) { 2128 err = -ENOMEM; 2129 goto failed; 2130 } 2131 2132 return 0; 2133 failed: 2134 sock_release(sock); 2135 return err; 2136 } 2137 2138 static void rfcomm_kill_listener(void) 2139 { 2140 struct rfcomm_session *s, *n; 2141 2142 BT_DBG(""); 2143 2144 list_for_each_entry_safe(s, n, &session_list, list) 2145 rfcomm_session_del(s); 2146 } 2147 2148 static int rfcomm_run(void *unused) 2149 { 2150 DEFINE_WAIT_FUNC(wait, woken_wake_function); 2151 BT_DBG(""); 2152 2153 set_user_nice(current, -10); 2154 2155 rfcomm_add_listener(BDADDR_ANY); 2156 2157 add_wait_queue(&rfcomm_wq, &wait); 2158 while (!kthread_should_stop()) { 2159 2160 /* Process stuff */ 2161 rfcomm_process_sessions(); 2162 2163 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT); 2164 } 2165 remove_wait_queue(&rfcomm_wq, &wait); 2166 2167 rfcomm_kill_listener(); 2168 2169 return 0; 2170 } 2171 2172 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2173 { 2174 struct rfcomm_session *s; 2175 struct rfcomm_dlc *d, *n; 2176 2177 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2178 2179 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2180 if (!s) 2181 return; 2182 2183 list_for_each_entry_safe(d, n, &s->dlcs, list) { 2184 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2185 rfcomm_dlc_clear_timer(d); 2186 if (status || encrypt == 0x00) { 2187 set_bit(RFCOMM_ENC_DROP, &d->flags); 2188 continue; 2189 } 2190 } 2191 2192 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2193 if (d->sec_level == BT_SECURITY_MEDIUM) { 2194 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2195 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2196 continue; 2197 } else if (d->sec_level == BT_SECURITY_HIGH || 2198 d->sec_level == BT_SECURITY_FIPS) { 2199 set_bit(RFCOMM_ENC_DROP, &d->flags); 2200 continue; 2201 } 2202 } 2203 2204 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2205 continue; 2206 2207 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2208 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2209 else 2210 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2211 } 2212 2213 rfcomm_schedule(); 2214 } 2215 2216 static struct hci_cb rfcomm_cb = { 2217 .name = "RFCOMM", 2218 .security_cfm = rfcomm_security_cfm 2219 }; 2220 2221 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2222 { 2223 struct rfcomm_session *s; 2224 2225 rfcomm_lock(); 2226 2227 list_for_each_entry(s, &session_list, list) { 2228 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 2229 struct rfcomm_dlc *d; 2230 list_for_each_entry(d, &s->dlcs, list) { 2231 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n", 2232 &chan->src, &chan->dst, 2233 d->state, d->dlci, d->mtu, 2234 d->rx_credits, d->tx_credits); 2235 } 2236 } 2237 2238 rfcomm_unlock(); 2239 2240 return 0; 2241 } 2242 2243 DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs); 2244 2245 static struct dentry *rfcomm_dlc_debugfs; 2246 2247 /* ---- Initialization ---- */ 2248 static int __init rfcomm_init(void) 2249 { 2250 int err; 2251 2252 hci_register_cb(&rfcomm_cb); 2253 2254 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2255 if (IS_ERR(rfcomm_thread)) { 2256 err = PTR_ERR(rfcomm_thread); 2257 goto unregister; 2258 } 2259 2260 err = rfcomm_init_ttys(); 2261 if (err < 0) 2262 goto stop; 2263 2264 err = rfcomm_init_sockets(); 2265 if (err < 0) 2266 goto cleanup; 2267 2268 BT_INFO("RFCOMM ver %s", VERSION); 2269 2270 if (IS_ERR_OR_NULL(bt_debugfs)) 2271 return 0; 2272 2273 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2274 bt_debugfs, NULL, 2275 &rfcomm_dlc_debugfs_fops); 2276 2277 return 0; 2278 2279 cleanup: 2280 rfcomm_cleanup_ttys(); 2281 2282 stop: 2283 kthread_stop(rfcomm_thread); 2284 2285 unregister: 2286 hci_unregister_cb(&rfcomm_cb); 2287 2288 return err; 2289 } 2290 2291 static void __exit rfcomm_exit(void) 2292 { 2293 debugfs_remove(rfcomm_dlc_debugfs); 2294 2295 hci_unregister_cb(&rfcomm_cb); 2296 2297 kthread_stop(rfcomm_thread); 2298 2299 rfcomm_cleanup_ttys(); 2300 2301 rfcomm_cleanup_sockets(); 2302 } 2303 2304 module_init(rfcomm_init); 2305 module_exit(rfcomm_exit); 2306 2307 module_param(disable_cfc, bool, 0644); 2308 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2309 2310 module_param(channel_mtu, int, 0644); 2311 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2312 2313 module_param(l2cap_ertm, bool, 0644); 2314 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2315 2316 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2317 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2318 MODULE_VERSION(VERSION); 2319 MODULE_LICENSE("GPL"); 2320 MODULE_ALIAS("bt-proto-3"); 2321