1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/debugfs.h> 30 #include <linux/kthread.h> 31 #include <asm/unaligned.h> 32 33 #include <net/bluetooth/bluetooth.h> 34 #include <net/bluetooth/hci_core.h> 35 #include <net/bluetooth/l2cap.h> 36 #include <net/bluetooth/rfcomm.h> 37 38 #define VERSION "1.11" 39 40 static bool disable_cfc; 41 static bool l2cap_ertm; 42 static int channel_mtu = -1; 43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 44 45 static struct task_struct *rfcomm_thread; 46 47 static DEFINE_MUTEX(rfcomm_mutex); 48 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 50 51 52 static LIST_HEAD(session_list); 53 54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 57 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 64 65 static void rfcomm_process_connect(struct rfcomm_session *s); 66 67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 68 bdaddr_t *dst, 69 u8 sec_level, 70 int *err); 71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 72 static void rfcomm_session_del(struct rfcomm_session *s); 73 74 /* ---- RFCOMM frame parsing macros ---- */ 75 #define __get_dlci(b) ((b & 0xfc) >> 2) 76 #define __get_channel(b) ((b & 0xf8) >> 3) 77 #define __get_dir(b) ((b & 0x04) >> 2) 78 #define __get_type(b) ((b & 0xef)) 79 80 #define __test_ea(b) ((b & 0x01)) 81 #define __test_cr(b) ((b & 0x02)) 82 #define __test_pf(b) ((b & 0x10)) 83 84 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 85 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 86 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 87 #define __srv_channel(dlci) (dlci >> 1) 88 #define __dir(dlci) (dlci & 0x01) 89 90 #define __len8(len) (((len) << 1) | 1) 91 #define __len16(len) ((len) << 1) 92 93 /* MCC macros */ 94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 95 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 96 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 97 98 /* RPN macros */ 99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 100 #define __get_rpn_data_bits(line) ((line) & 0x3) 101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 103 104 static void rfcomm_schedule(void) 105 { 106 if (!rfcomm_thread) 107 return; 108 wake_up_process(rfcomm_thread); 109 } 110 111 static void rfcomm_session_put(struct rfcomm_session *s) 112 { 113 if (atomic_dec_and_test(&s->refcnt)) 114 rfcomm_session_del(s); 115 } 116 117 /* ---- RFCOMM FCS computation ---- */ 118 119 /* reversed, 8-bit, poly=0x07 */ 120 static unsigned char rfcomm_crc_table[256] = { 121 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 122 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 123 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 124 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 125 126 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 127 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 128 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 129 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 130 131 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 132 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 133 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 134 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 135 136 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 137 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 138 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 139 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 140 141 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 142 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 143 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 144 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 145 146 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 147 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 148 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 149 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 150 151 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 152 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 153 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 154 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 155 156 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 157 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 158 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 159 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 160 }; 161 162 /* CRC on 2 bytes */ 163 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 164 165 /* FCS on 2 bytes */ 166 static inline u8 __fcs(u8 *data) 167 { 168 return 0xff - __crc(data); 169 } 170 171 /* FCS on 3 bytes */ 172 static inline u8 __fcs2(u8 *data) 173 { 174 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 175 } 176 177 /* Check FCS */ 178 static inline int __check_fcs(u8 *data, int type, u8 fcs) 179 { 180 u8 f = __crc(data); 181 182 if (type != RFCOMM_UIH) 183 f = rfcomm_crc_table[f ^ data[2]]; 184 185 return rfcomm_crc_table[f ^ fcs] != 0xcf; 186 } 187 188 /* ---- L2CAP callbacks ---- */ 189 static void rfcomm_l2state_change(struct sock *sk) 190 { 191 BT_DBG("%p state %d", sk, sk->sk_state); 192 rfcomm_schedule(); 193 } 194 195 static void rfcomm_l2data_ready(struct sock *sk, int bytes) 196 { 197 BT_DBG("%p bytes %d", sk, bytes); 198 rfcomm_schedule(); 199 } 200 201 static int rfcomm_l2sock_create(struct socket **sock) 202 { 203 int err; 204 205 BT_DBG(""); 206 207 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 208 if (!err) { 209 struct sock *sk = (*sock)->sk; 210 sk->sk_data_ready = rfcomm_l2data_ready; 211 sk->sk_state_change = rfcomm_l2state_change; 212 } 213 return err; 214 } 215 216 static int rfcomm_check_security(struct rfcomm_dlc *d) 217 { 218 struct sock *sk = d->session->sock->sk; 219 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 220 221 __u8 auth_type; 222 223 switch (d->sec_level) { 224 case BT_SECURITY_HIGH: 225 auth_type = HCI_AT_GENERAL_BONDING_MITM; 226 break; 227 case BT_SECURITY_MEDIUM: 228 auth_type = HCI_AT_GENERAL_BONDING; 229 break; 230 default: 231 auth_type = HCI_AT_NO_BONDING; 232 break; 233 } 234 235 return hci_conn_security(conn->hcon, d->sec_level, auth_type); 236 } 237 238 static void rfcomm_session_timeout(unsigned long arg) 239 { 240 struct rfcomm_session *s = (void *) arg; 241 242 BT_DBG("session %p state %ld", s, s->state); 243 244 set_bit(RFCOMM_TIMED_OUT, &s->flags); 245 rfcomm_schedule(); 246 } 247 248 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 249 { 250 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 251 252 if (!mod_timer(&s->timer, jiffies + timeout)) 253 rfcomm_session_hold(s); 254 } 255 256 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 257 { 258 BT_DBG("session %p state %ld", s, s->state); 259 260 if (timer_pending(&s->timer) && del_timer(&s->timer)) 261 rfcomm_session_put(s); 262 } 263 264 /* ---- RFCOMM DLCs ---- */ 265 static void rfcomm_dlc_timeout(unsigned long arg) 266 { 267 struct rfcomm_dlc *d = (void *) arg; 268 269 BT_DBG("dlc %p state %ld", d, d->state); 270 271 set_bit(RFCOMM_TIMED_OUT, &d->flags); 272 rfcomm_dlc_put(d); 273 rfcomm_schedule(); 274 } 275 276 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 277 { 278 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 279 280 if (!mod_timer(&d->timer, jiffies + timeout)) 281 rfcomm_dlc_hold(d); 282 } 283 284 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 285 { 286 BT_DBG("dlc %p state %ld", d, d->state); 287 288 if (timer_pending(&d->timer) && del_timer(&d->timer)) 289 rfcomm_dlc_put(d); 290 } 291 292 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 293 { 294 BT_DBG("%p", d); 295 296 d->state = BT_OPEN; 297 d->flags = 0; 298 d->mscex = 0; 299 d->sec_level = BT_SECURITY_LOW; 300 d->mtu = RFCOMM_DEFAULT_MTU; 301 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 302 303 d->cfc = RFCOMM_CFC_DISABLED; 304 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 305 } 306 307 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 308 { 309 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 310 311 if (!d) 312 return NULL; 313 314 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 315 316 skb_queue_head_init(&d->tx_queue); 317 spin_lock_init(&d->lock); 318 atomic_set(&d->refcnt, 1); 319 320 rfcomm_dlc_clear_state(d); 321 322 BT_DBG("%p", d); 323 324 return d; 325 } 326 327 void rfcomm_dlc_free(struct rfcomm_dlc *d) 328 { 329 BT_DBG("%p", d); 330 331 skb_queue_purge(&d->tx_queue); 332 kfree(d); 333 } 334 335 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 336 { 337 BT_DBG("dlc %p session %p", d, s); 338 339 rfcomm_session_hold(s); 340 341 rfcomm_session_clear_timer(s); 342 rfcomm_dlc_hold(d); 343 list_add(&d->list, &s->dlcs); 344 d->session = s; 345 } 346 347 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 348 { 349 struct rfcomm_session *s = d->session; 350 351 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 352 353 list_del(&d->list); 354 d->session = NULL; 355 rfcomm_dlc_put(d); 356 357 if (list_empty(&s->dlcs)) 358 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 359 360 rfcomm_session_put(s); 361 } 362 363 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 364 { 365 struct rfcomm_dlc *d; 366 367 list_for_each_entry(d, &s->dlcs, list) 368 if (d->dlci == dlci) 369 return d; 370 371 return NULL; 372 } 373 374 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 375 { 376 struct rfcomm_session *s; 377 int err = 0; 378 u8 dlci; 379 380 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 381 d, d->state, src, dst, channel); 382 383 if (channel < 1 || channel > 30) 384 return -EINVAL; 385 386 if (d->state != BT_OPEN && d->state != BT_CLOSED) 387 return 0; 388 389 s = rfcomm_session_get(src, dst); 390 if (!s) { 391 s = rfcomm_session_create(src, dst, d->sec_level, &err); 392 if (!s) 393 return err; 394 } 395 396 dlci = __dlci(!s->initiator, channel); 397 398 /* Check if DLCI already exists */ 399 if (rfcomm_dlc_get(s, dlci)) 400 return -EBUSY; 401 402 rfcomm_dlc_clear_state(d); 403 404 d->dlci = dlci; 405 d->addr = __addr(s->initiator, dlci); 406 d->priority = 7; 407 408 d->state = BT_CONFIG; 409 rfcomm_dlc_link(s, d); 410 411 d->out = 1; 412 413 d->mtu = s->mtu; 414 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 415 416 if (s->state == BT_CONNECTED) { 417 if (rfcomm_check_security(d)) 418 rfcomm_send_pn(s, 1, d); 419 else 420 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 421 } 422 423 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 424 425 return 0; 426 } 427 428 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 429 { 430 int r; 431 432 rfcomm_lock(); 433 434 r = __rfcomm_dlc_open(d, src, dst, channel); 435 436 rfcomm_unlock(); 437 return r; 438 } 439 440 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 441 { 442 struct rfcomm_session *s = d->session; 443 if (!s) 444 return 0; 445 446 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 447 d, d->state, d->dlci, err, s); 448 449 switch (d->state) { 450 case BT_CONNECT: 451 case BT_CONFIG: 452 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 453 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 454 rfcomm_schedule(); 455 break; 456 } 457 /* Fall through */ 458 459 case BT_CONNECTED: 460 d->state = BT_DISCONN; 461 if (skb_queue_empty(&d->tx_queue)) { 462 rfcomm_send_disc(s, d->dlci); 463 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 464 } else { 465 rfcomm_queue_disc(d); 466 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 467 } 468 break; 469 470 case BT_OPEN: 471 case BT_CONNECT2: 472 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 473 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 474 rfcomm_schedule(); 475 break; 476 } 477 /* Fall through */ 478 479 default: 480 rfcomm_dlc_clear_timer(d); 481 482 rfcomm_dlc_lock(d); 483 d->state = BT_CLOSED; 484 d->state_change(d, err); 485 rfcomm_dlc_unlock(d); 486 487 skb_queue_purge(&d->tx_queue); 488 rfcomm_dlc_unlink(d); 489 } 490 491 return 0; 492 } 493 494 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 495 { 496 int r; 497 498 rfcomm_lock(); 499 500 r = __rfcomm_dlc_close(d, err); 501 502 rfcomm_unlock(); 503 return r; 504 } 505 506 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 507 { 508 int len = skb->len; 509 510 if (d->state != BT_CONNECTED) 511 return -ENOTCONN; 512 513 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 514 515 if (len > d->mtu) 516 return -EINVAL; 517 518 rfcomm_make_uih(skb, d->addr); 519 skb_queue_tail(&d->tx_queue, skb); 520 521 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 522 rfcomm_schedule(); 523 return len; 524 } 525 526 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 527 { 528 BT_DBG("dlc %p state %ld", d, d->state); 529 530 if (!d->cfc) { 531 d->v24_sig |= RFCOMM_V24_FC; 532 set_bit(RFCOMM_MSC_PENDING, &d->flags); 533 } 534 rfcomm_schedule(); 535 } 536 537 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 538 { 539 BT_DBG("dlc %p state %ld", d, d->state); 540 541 if (!d->cfc) { 542 d->v24_sig &= ~RFCOMM_V24_FC; 543 set_bit(RFCOMM_MSC_PENDING, &d->flags); 544 } 545 rfcomm_schedule(); 546 } 547 548 /* 549 Set/get modem status functions use _local_ status i.e. what we report 550 to the other side. 551 Remote status is provided by dlc->modem_status() callback. 552 */ 553 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 554 { 555 BT_DBG("dlc %p state %ld v24_sig 0x%x", 556 d, d->state, v24_sig); 557 558 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 559 v24_sig |= RFCOMM_V24_FC; 560 else 561 v24_sig &= ~RFCOMM_V24_FC; 562 563 d->v24_sig = v24_sig; 564 565 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 566 rfcomm_schedule(); 567 568 return 0; 569 } 570 571 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 572 { 573 BT_DBG("dlc %p state %ld v24_sig 0x%x", 574 d, d->state, d->v24_sig); 575 576 *v24_sig = d->v24_sig; 577 return 0; 578 } 579 580 /* ---- RFCOMM sessions ---- */ 581 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 582 { 583 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 584 585 if (!s) 586 return NULL; 587 588 BT_DBG("session %p sock %p", s, sock); 589 590 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 591 592 INIT_LIST_HEAD(&s->dlcs); 593 s->state = state; 594 s->sock = sock; 595 596 s->mtu = RFCOMM_DEFAULT_MTU; 597 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 598 599 /* Do not increment module usage count for listening sessions. 600 * Otherwise we won't be able to unload the module. */ 601 if (state != BT_LISTEN) 602 if (!try_module_get(THIS_MODULE)) { 603 kfree(s); 604 return NULL; 605 } 606 607 list_add(&s->list, &session_list); 608 609 return s; 610 } 611 612 static void rfcomm_session_del(struct rfcomm_session *s) 613 { 614 int state = s->state; 615 616 BT_DBG("session %p state %ld", s, s->state); 617 618 list_del(&s->list); 619 620 if (state == BT_CONNECTED) 621 rfcomm_send_disc(s, 0); 622 623 rfcomm_session_clear_timer(s); 624 sock_release(s->sock); 625 kfree(s); 626 627 if (state != BT_LISTEN) 628 module_put(THIS_MODULE); 629 } 630 631 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 632 { 633 struct rfcomm_session *s; 634 struct list_head *p, *n; 635 struct bt_sock *sk; 636 list_for_each_safe(p, n, &session_list) { 637 s = list_entry(p, struct rfcomm_session, list); 638 sk = bt_sk(s->sock->sk); 639 640 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) && 641 !bacmp(&sk->dst, dst)) 642 return s; 643 } 644 return NULL; 645 } 646 647 static void rfcomm_session_close(struct rfcomm_session *s, int err) 648 { 649 struct rfcomm_dlc *d; 650 struct list_head *p, *n; 651 652 BT_DBG("session %p state %ld err %d", s, s->state, err); 653 654 rfcomm_session_hold(s); 655 656 s->state = BT_CLOSED; 657 658 /* Close all dlcs */ 659 list_for_each_safe(p, n, &s->dlcs) { 660 d = list_entry(p, struct rfcomm_dlc, list); 661 d->state = BT_CLOSED; 662 __rfcomm_dlc_close(d, err); 663 } 664 665 rfcomm_session_clear_timer(s); 666 rfcomm_session_put(s); 667 } 668 669 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 670 bdaddr_t *dst, 671 u8 sec_level, 672 int *err) 673 { 674 struct rfcomm_session *s = NULL; 675 struct sockaddr_l2 addr; 676 struct socket *sock; 677 struct sock *sk; 678 679 BT_DBG("%pMR -> %pMR", src, dst); 680 681 *err = rfcomm_l2sock_create(&sock); 682 if (*err < 0) 683 return NULL; 684 685 bacpy(&addr.l2_bdaddr, src); 686 addr.l2_family = AF_BLUETOOTH; 687 addr.l2_psm = 0; 688 addr.l2_cid = 0; 689 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 690 if (*err < 0) 691 goto failed; 692 693 /* Set L2CAP options */ 694 sk = sock->sk; 695 lock_sock(sk); 696 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 697 l2cap_pi(sk)->chan->sec_level = sec_level; 698 if (l2cap_ertm) 699 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 700 release_sock(sk); 701 702 s = rfcomm_session_add(sock, BT_BOUND); 703 if (!s) { 704 *err = -ENOMEM; 705 goto failed; 706 } 707 708 s->initiator = 1; 709 710 bacpy(&addr.l2_bdaddr, dst); 711 addr.l2_family = AF_BLUETOOTH; 712 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM); 713 addr.l2_cid = 0; 714 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 715 if (*err == 0 || *err == -EINPROGRESS) 716 return s; 717 718 rfcomm_session_del(s); 719 return NULL; 720 721 failed: 722 sock_release(sock); 723 return NULL; 724 } 725 726 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 727 { 728 struct sock *sk = s->sock->sk; 729 if (src) 730 bacpy(src, &bt_sk(sk)->src); 731 if (dst) 732 bacpy(dst, &bt_sk(sk)->dst); 733 } 734 735 /* ---- RFCOMM frame sending ---- */ 736 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 737 { 738 struct kvec iv = { data, len }; 739 struct msghdr msg; 740 741 BT_DBG("session %p len %d", s, len); 742 743 memset(&msg, 0, sizeof(msg)); 744 745 return kernel_sendmsg(s->sock, &msg, &iv, 1, len); 746 } 747 748 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 749 { 750 BT_DBG("%p cmd %u", s, cmd->ctrl); 751 752 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd)); 753 } 754 755 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 756 { 757 struct rfcomm_cmd cmd; 758 759 BT_DBG("%p dlci %d", s, dlci); 760 761 cmd.addr = __addr(s->initiator, dlci); 762 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 763 cmd.len = __len8(0); 764 cmd.fcs = __fcs2((u8 *) &cmd); 765 766 return rfcomm_send_cmd(s, &cmd); 767 } 768 769 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 770 { 771 struct rfcomm_cmd cmd; 772 773 BT_DBG("%p dlci %d", s, dlci); 774 775 cmd.addr = __addr(!s->initiator, dlci); 776 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 777 cmd.len = __len8(0); 778 cmd.fcs = __fcs2((u8 *) &cmd); 779 780 return rfcomm_send_cmd(s, &cmd); 781 } 782 783 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 784 { 785 struct rfcomm_cmd cmd; 786 787 BT_DBG("%p dlci %d", s, dlci); 788 789 cmd.addr = __addr(s->initiator, dlci); 790 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 791 cmd.len = __len8(0); 792 cmd.fcs = __fcs2((u8 *) &cmd); 793 794 return rfcomm_send_cmd(s, &cmd); 795 } 796 797 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 798 { 799 struct rfcomm_cmd *cmd; 800 struct sk_buff *skb; 801 802 BT_DBG("dlc %p dlci %d", d, d->dlci); 803 804 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 805 if (!skb) 806 return -ENOMEM; 807 808 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 809 cmd->addr = d->addr; 810 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 811 cmd->len = __len8(0); 812 cmd->fcs = __fcs2((u8 *) cmd); 813 814 skb_queue_tail(&d->tx_queue, skb); 815 rfcomm_schedule(); 816 return 0; 817 } 818 819 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 820 { 821 struct rfcomm_cmd cmd; 822 823 BT_DBG("%p dlci %d", s, dlci); 824 825 cmd.addr = __addr(!s->initiator, dlci); 826 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 827 cmd.len = __len8(0); 828 cmd.fcs = __fcs2((u8 *) &cmd); 829 830 return rfcomm_send_cmd(s, &cmd); 831 } 832 833 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 834 { 835 struct rfcomm_hdr *hdr; 836 struct rfcomm_mcc *mcc; 837 u8 buf[16], *ptr = buf; 838 839 BT_DBG("%p cr %d type %d", s, cr, type); 840 841 hdr = (void *) ptr; ptr += sizeof(*hdr); 842 hdr->addr = __addr(s->initiator, 0); 843 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 844 hdr->len = __len8(sizeof(*mcc) + 1); 845 846 mcc = (void *) ptr; ptr += sizeof(*mcc); 847 mcc->type = __mcc_type(cr, RFCOMM_NSC); 848 mcc->len = __len8(1); 849 850 /* Type that we didn't like */ 851 *ptr = __mcc_type(cr, type); ptr++; 852 853 *ptr = __fcs(buf); ptr++; 854 855 return rfcomm_send_frame(s, buf, ptr - buf); 856 } 857 858 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 859 { 860 struct rfcomm_hdr *hdr; 861 struct rfcomm_mcc *mcc; 862 struct rfcomm_pn *pn; 863 u8 buf[16], *ptr = buf; 864 865 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 866 867 hdr = (void *) ptr; ptr += sizeof(*hdr); 868 hdr->addr = __addr(s->initiator, 0); 869 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 870 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 871 872 mcc = (void *) ptr; ptr += sizeof(*mcc); 873 mcc->type = __mcc_type(cr, RFCOMM_PN); 874 mcc->len = __len8(sizeof(*pn)); 875 876 pn = (void *) ptr; ptr += sizeof(*pn); 877 pn->dlci = d->dlci; 878 pn->priority = d->priority; 879 pn->ack_timer = 0; 880 pn->max_retrans = 0; 881 882 if (s->cfc) { 883 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 884 pn->credits = RFCOMM_DEFAULT_CREDITS; 885 } else { 886 pn->flow_ctrl = 0; 887 pn->credits = 0; 888 } 889 890 if (cr && channel_mtu >= 0) 891 pn->mtu = cpu_to_le16(channel_mtu); 892 else 893 pn->mtu = cpu_to_le16(d->mtu); 894 895 *ptr = __fcs(buf); ptr++; 896 897 return rfcomm_send_frame(s, buf, ptr - buf); 898 } 899 900 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 901 u8 bit_rate, u8 data_bits, u8 stop_bits, 902 u8 parity, u8 flow_ctrl_settings, 903 u8 xon_char, u8 xoff_char, u16 param_mask) 904 { 905 struct rfcomm_hdr *hdr; 906 struct rfcomm_mcc *mcc; 907 struct rfcomm_rpn *rpn; 908 u8 buf[16], *ptr = buf; 909 910 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 911 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 912 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 913 flow_ctrl_settings, xon_char, xoff_char, param_mask); 914 915 hdr = (void *) ptr; ptr += sizeof(*hdr); 916 hdr->addr = __addr(s->initiator, 0); 917 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 918 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 919 920 mcc = (void *) ptr; ptr += sizeof(*mcc); 921 mcc->type = __mcc_type(cr, RFCOMM_RPN); 922 mcc->len = __len8(sizeof(*rpn)); 923 924 rpn = (void *) ptr; ptr += sizeof(*rpn); 925 rpn->dlci = __addr(1, dlci); 926 rpn->bit_rate = bit_rate; 927 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 928 rpn->flow_ctrl = flow_ctrl_settings; 929 rpn->xon_char = xon_char; 930 rpn->xoff_char = xoff_char; 931 rpn->param_mask = cpu_to_le16(param_mask); 932 933 *ptr = __fcs(buf); ptr++; 934 935 return rfcomm_send_frame(s, buf, ptr - buf); 936 } 937 938 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 939 { 940 struct rfcomm_hdr *hdr; 941 struct rfcomm_mcc *mcc; 942 struct rfcomm_rls *rls; 943 u8 buf[16], *ptr = buf; 944 945 BT_DBG("%p cr %d status 0x%x", s, cr, status); 946 947 hdr = (void *) ptr; ptr += sizeof(*hdr); 948 hdr->addr = __addr(s->initiator, 0); 949 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 950 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 951 952 mcc = (void *) ptr; ptr += sizeof(*mcc); 953 mcc->type = __mcc_type(cr, RFCOMM_RLS); 954 mcc->len = __len8(sizeof(*rls)); 955 956 rls = (void *) ptr; ptr += sizeof(*rls); 957 rls->dlci = __addr(1, dlci); 958 rls->status = status; 959 960 *ptr = __fcs(buf); ptr++; 961 962 return rfcomm_send_frame(s, buf, ptr - buf); 963 } 964 965 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 966 { 967 struct rfcomm_hdr *hdr; 968 struct rfcomm_mcc *mcc; 969 struct rfcomm_msc *msc; 970 u8 buf[16], *ptr = buf; 971 972 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 973 974 hdr = (void *) ptr; ptr += sizeof(*hdr); 975 hdr->addr = __addr(s->initiator, 0); 976 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 977 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 978 979 mcc = (void *) ptr; ptr += sizeof(*mcc); 980 mcc->type = __mcc_type(cr, RFCOMM_MSC); 981 mcc->len = __len8(sizeof(*msc)); 982 983 msc = (void *) ptr; ptr += sizeof(*msc); 984 msc->dlci = __addr(1, dlci); 985 msc->v24_sig = v24_sig | 0x01; 986 987 *ptr = __fcs(buf); ptr++; 988 989 return rfcomm_send_frame(s, buf, ptr - buf); 990 } 991 992 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 993 { 994 struct rfcomm_hdr *hdr; 995 struct rfcomm_mcc *mcc; 996 u8 buf[16], *ptr = buf; 997 998 BT_DBG("%p cr %d", s, cr); 999 1000 hdr = (void *) ptr; ptr += sizeof(*hdr); 1001 hdr->addr = __addr(s->initiator, 0); 1002 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1003 hdr->len = __len8(sizeof(*mcc)); 1004 1005 mcc = (void *) ptr; ptr += sizeof(*mcc); 1006 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1007 mcc->len = __len8(0); 1008 1009 *ptr = __fcs(buf); ptr++; 1010 1011 return rfcomm_send_frame(s, buf, ptr - buf); 1012 } 1013 1014 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1015 { 1016 struct rfcomm_hdr *hdr; 1017 struct rfcomm_mcc *mcc; 1018 u8 buf[16], *ptr = buf; 1019 1020 BT_DBG("%p cr %d", s, cr); 1021 1022 hdr = (void *) ptr; ptr += sizeof(*hdr); 1023 hdr->addr = __addr(s->initiator, 0); 1024 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1025 hdr->len = __len8(sizeof(*mcc)); 1026 1027 mcc = (void *) ptr; ptr += sizeof(*mcc); 1028 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1029 mcc->len = __len8(0); 1030 1031 *ptr = __fcs(buf); ptr++; 1032 1033 return rfcomm_send_frame(s, buf, ptr - buf); 1034 } 1035 1036 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1037 { 1038 struct socket *sock = s->sock; 1039 struct kvec iv[3]; 1040 struct msghdr msg; 1041 unsigned char hdr[5], crc[1]; 1042 1043 if (len > 125) 1044 return -EINVAL; 1045 1046 BT_DBG("%p cr %d", s, cr); 1047 1048 hdr[0] = __addr(s->initiator, 0); 1049 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1050 hdr[2] = 0x01 | ((len + 2) << 1); 1051 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1052 hdr[4] = 0x01 | (len << 1); 1053 1054 crc[0] = __fcs(hdr); 1055 1056 iv[0].iov_base = hdr; 1057 iv[0].iov_len = 5; 1058 iv[1].iov_base = pattern; 1059 iv[1].iov_len = len; 1060 iv[2].iov_base = crc; 1061 iv[2].iov_len = 1; 1062 1063 memset(&msg, 0, sizeof(msg)); 1064 1065 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1066 } 1067 1068 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1069 { 1070 struct rfcomm_hdr *hdr; 1071 u8 buf[16], *ptr = buf; 1072 1073 BT_DBG("%p addr %d credits %d", s, addr, credits); 1074 1075 hdr = (void *) ptr; ptr += sizeof(*hdr); 1076 hdr->addr = addr; 1077 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1078 hdr->len = __len8(0); 1079 1080 *ptr = credits; ptr++; 1081 1082 *ptr = __fcs(buf); ptr++; 1083 1084 return rfcomm_send_frame(s, buf, ptr - buf); 1085 } 1086 1087 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1088 { 1089 struct rfcomm_hdr *hdr; 1090 int len = skb->len; 1091 u8 *crc; 1092 1093 if (len > 127) { 1094 hdr = (void *) skb_push(skb, 4); 1095 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1096 } else { 1097 hdr = (void *) skb_push(skb, 3); 1098 hdr->len = __len8(len); 1099 } 1100 hdr->addr = addr; 1101 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1102 1103 crc = skb_put(skb, 1); 1104 *crc = __fcs((void *) hdr); 1105 } 1106 1107 /* ---- RFCOMM frame reception ---- */ 1108 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1109 { 1110 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1111 1112 if (dlci) { 1113 /* Data channel */ 1114 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1115 if (!d) { 1116 rfcomm_send_dm(s, dlci); 1117 return 0; 1118 } 1119 1120 switch (d->state) { 1121 case BT_CONNECT: 1122 rfcomm_dlc_clear_timer(d); 1123 1124 rfcomm_dlc_lock(d); 1125 d->state = BT_CONNECTED; 1126 d->state_change(d, 0); 1127 rfcomm_dlc_unlock(d); 1128 1129 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1130 break; 1131 1132 case BT_DISCONN: 1133 d->state = BT_CLOSED; 1134 __rfcomm_dlc_close(d, 0); 1135 1136 if (list_empty(&s->dlcs)) { 1137 s->state = BT_DISCONN; 1138 rfcomm_send_disc(s, 0); 1139 rfcomm_session_clear_timer(s); 1140 } 1141 1142 break; 1143 } 1144 } else { 1145 /* Control channel */ 1146 switch (s->state) { 1147 case BT_CONNECT: 1148 s->state = BT_CONNECTED; 1149 rfcomm_process_connect(s); 1150 break; 1151 1152 case BT_DISCONN: 1153 /* rfcomm_session_put is called later so don't do 1154 * anything here otherwise we will mess up the session 1155 * reference counter: 1156 * 1157 * (a) when we are the initiator dlc_unlink will drive 1158 * the reference counter to 0 (there is no initial put 1159 * after session_add) 1160 * 1161 * (b) when we are not the initiator rfcomm_rx_process 1162 * will explicitly call put to balance the initial hold 1163 * done after session add. 1164 */ 1165 break; 1166 } 1167 } 1168 return 0; 1169 } 1170 1171 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1172 { 1173 int err = 0; 1174 1175 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1176 1177 if (dlci) { 1178 /* Data DLC */ 1179 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1180 if (d) { 1181 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1182 err = ECONNREFUSED; 1183 else 1184 err = ECONNRESET; 1185 1186 d->state = BT_CLOSED; 1187 __rfcomm_dlc_close(d, err); 1188 } 1189 } else { 1190 if (s->state == BT_CONNECT) 1191 err = ECONNREFUSED; 1192 else 1193 err = ECONNRESET; 1194 1195 s->state = BT_CLOSED; 1196 rfcomm_session_close(s, err); 1197 } 1198 return 0; 1199 } 1200 1201 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci) 1202 { 1203 int err = 0; 1204 1205 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1206 1207 if (dlci) { 1208 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1209 if (d) { 1210 rfcomm_send_ua(s, dlci); 1211 1212 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1213 err = ECONNREFUSED; 1214 else 1215 err = ECONNRESET; 1216 1217 d->state = BT_CLOSED; 1218 __rfcomm_dlc_close(d, err); 1219 } else 1220 rfcomm_send_dm(s, dlci); 1221 1222 } else { 1223 rfcomm_send_ua(s, 0); 1224 1225 if (s->state == BT_CONNECT) 1226 err = ECONNREFUSED; 1227 else 1228 err = ECONNRESET; 1229 1230 s->state = BT_CLOSED; 1231 rfcomm_session_close(s, err); 1232 } 1233 1234 return 0; 1235 } 1236 1237 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1238 { 1239 struct sock *sk = d->session->sock->sk; 1240 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1241 1242 BT_DBG("dlc %p", d); 1243 1244 rfcomm_send_ua(d->session, d->dlci); 1245 1246 rfcomm_dlc_clear_timer(d); 1247 1248 rfcomm_dlc_lock(d); 1249 d->state = BT_CONNECTED; 1250 d->state_change(d, 0); 1251 rfcomm_dlc_unlock(d); 1252 1253 if (d->role_switch) 1254 hci_conn_switch_role(conn->hcon, 0x00); 1255 1256 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1257 } 1258 1259 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1260 { 1261 if (rfcomm_check_security(d)) { 1262 if (d->defer_setup) { 1263 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1264 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1265 1266 rfcomm_dlc_lock(d); 1267 d->state = BT_CONNECT2; 1268 d->state_change(d, 0); 1269 rfcomm_dlc_unlock(d); 1270 } else 1271 rfcomm_dlc_accept(d); 1272 } else { 1273 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1274 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1275 } 1276 } 1277 1278 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1279 { 1280 struct rfcomm_dlc *d; 1281 u8 channel; 1282 1283 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1284 1285 if (!dlci) { 1286 rfcomm_send_ua(s, 0); 1287 1288 if (s->state == BT_OPEN) { 1289 s->state = BT_CONNECTED; 1290 rfcomm_process_connect(s); 1291 } 1292 return 0; 1293 } 1294 1295 /* Check if DLC exists */ 1296 d = rfcomm_dlc_get(s, dlci); 1297 if (d) { 1298 if (d->state == BT_OPEN) { 1299 /* DLC was previously opened by PN request */ 1300 rfcomm_check_accept(d); 1301 } 1302 return 0; 1303 } 1304 1305 /* Notify socket layer about incoming connection */ 1306 channel = __srv_channel(dlci); 1307 if (rfcomm_connect_ind(s, channel, &d)) { 1308 d->dlci = dlci; 1309 d->addr = __addr(s->initiator, dlci); 1310 rfcomm_dlc_link(s, d); 1311 1312 rfcomm_check_accept(d); 1313 } else { 1314 rfcomm_send_dm(s, dlci); 1315 } 1316 1317 return 0; 1318 } 1319 1320 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1321 { 1322 struct rfcomm_session *s = d->session; 1323 1324 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1325 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1326 1327 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1328 pn->flow_ctrl == 0xe0) { 1329 d->cfc = RFCOMM_CFC_ENABLED; 1330 d->tx_credits = pn->credits; 1331 } else { 1332 d->cfc = RFCOMM_CFC_DISABLED; 1333 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1334 } 1335 1336 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1337 s->cfc = d->cfc; 1338 1339 d->priority = pn->priority; 1340 1341 d->mtu = __le16_to_cpu(pn->mtu); 1342 1343 if (cr && d->mtu > s->mtu) 1344 d->mtu = s->mtu; 1345 1346 return 0; 1347 } 1348 1349 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1350 { 1351 struct rfcomm_pn *pn = (void *) skb->data; 1352 struct rfcomm_dlc *d; 1353 u8 dlci = pn->dlci; 1354 1355 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1356 1357 if (!dlci) 1358 return 0; 1359 1360 d = rfcomm_dlc_get(s, dlci); 1361 if (d) { 1362 if (cr) { 1363 /* PN request */ 1364 rfcomm_apply_pn(d, cr, pn); 1365 rfcomm_send_pn(s, 0, d); 1366 } else { 1367 /* PN response */ 1368 switch (d->state) { 1369 case BT_CONFIG: 1370 rfcomm_apply_pn(d, cr, pn); 1371 1372 d->state = BT_CONNECT; 1373 rfcomm_send_sabm(s, d->dlci); 1374 break; 1375 } 1376 } 1377 } else { 1378 u8 channel = __srv_channel(dlci); 1379 1380 if (!cr) 1381 return 0; 1382 1383 /* PN request for non existing DLC. 1384 * Assume incoming connection. */ 1385 if (rfcomm_connect_ind(s, channel, &d)) { 1386 d->dlci = dlci; 1387 d->addr = __addr(s->initiator, dlci); 1388 rfcomm_dlc_link(s, d); 1389 1390 rfcomm_apply_pn(d, cr, pn); 1391 1392 d->state = BT_OPEN; 1393 rfcomm_send_pn(s, 0, d); 1394 } else { 1395 rfcomm_send_dm(s, dlci); 1396 } 1397 } 1398 return 0; 1399 } 1400 1401 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1402 { 1403 struct rfcomm_rpn *rpn = (void *) skb->data; 1404 u8 dlci = __get_dlci(rpn->dlci); 1405 1406 u8 bit_rate = 0; 1407 u8 data_bits = 0; 1408 u8 stop_bits = 0; 1409 u8 parity = 0; 1410 u8 flow_ctrl = 0; 1411 u8 xon_char = 0; 1412 u8 xoff_char = 0; 1413 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1414 1415 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1416 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1417 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1418 1419 if (!cr) 1420 return 0; 1421 1422 if (len == 1) { 1423 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1424 bit_rate = RFCOMM_RPN_BR_9600; 1425 data_bits = RFCOMM_RPN_DATA_8; 1426 stop_bits = RFCOMM_RPN_STOP_1; 1427 parity = RFCOMM_RPN_PARITY_NONE; 1428 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1429 xon_char = RFCOMM_RPN_XON_CHAR; 1430 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1431 goto rpn_out; 1432 } 1433 1434 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1435 * no parity, no flow control lines, normal XON/XOFF chars */ 1436 1437 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1438 bit_rate = rpn->bit_rate; 1439 if (bit_rate > RFCOMM_RPN_BR_230400) { 1440 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1441 bit_rate = RFCOMM_RPN_BR_9600; 1442 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1443 } 1444 } 1445 1446 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1447 data_bits = __get_rpn_data_bits(rpn->line_settings); 1448 if (data_bits != RFCOMM_RPN_DATA_8) { 1449 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1450 data_bits = RFCOMM_RPN_DATA_8; 1451 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1452 } 1453 } 1454 1455 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1456 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1457 if (stop_bits != RFCOMM_RPN_STOP_1) { 1458 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1459 stop_bits = RFCOMM_RPN_STOP_1; 1460 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1461 } 1462 } 1463 1464 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1465 parity = __get_rpn_parity(rpn->line_settings); 1466 if (parity != RFCOMM_RPN_PARITY_NONE) { 1467 BT_DBG("RPN parity mismatch 0x%x", parity); 1468 parity = RFCOMM_RPN_PARITY_NONE; 1469 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1470 } 1471 } 1472 1473 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1474 flow_ctrl = rpn->flow_ctrl; 1475 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1476 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1477 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1478 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1479 } 1480 } 1481 1482 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1483 xon_char = rpn->xon_char; 1484 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1485 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1486 xon_char = RFCOMM_RPN_XON_CHAR; 1487 rpn_mask ^= RFCOMM_RPN_PM_XON; 1488 } 1489 } 1490 1491 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1492 xoff_char = rpn->xoff_char; 1493 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1494 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1495 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1496 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1497 } 1498 } 1499 1500 rpn_out: 1501 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1502 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1503 1504 return 0; 1505 } 1506 1507 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1508 { 1509 struct rfcomm_rls *rls = (void *) skb->data; 1510 u8 dlci = __get_dlci(rls->dlci); 1511 1512 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1513 1514 if (!cr) 1515 return 0; 1516 1517 /* We should probably do something with this information here. But 1518 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1519 * mandatory to recognise and respond to RLS */ 1520 1521 rfcomm_send_rls(s, 0, dlci, rls->status); 1522 1523 return 0; 1524 } 1525 1526 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1527 { 1528 struct rfcomm_msc *msc = (void *) skb->data; 1529 struct rfcomm_dlc *d; 1530 u8 dlci = __get_dlci(msc->dlci); 1531 1532 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1533 1534 d = rfcomm_dlc_get(s, dlci); 1535 if (!d) 1536 return 0; 1537 1538 if (cr) { 1539 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1540 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1541 else 1542 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1543 1544 rfcomm_dlc_lock(d); 1545 1546 d->remote_v24_sig = msc->v24_sig; 1547 1548 if (d->modem_status) 1549 d->modem_status(d, msc->v24_sig); 1550 1551 rfcomm_dlc_unlock(d); 1552 1553 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1554 1555 d->mscex |= RFCOMM_MSCEX_RX; 1556 } else 1557 d->mscex |= RFCOMM_MSCEX_TX; 1558 1559 return 0; 1560 } 1561 1562 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1563 { 1564 struct rfcomm_mcc *mcc = (void *) skb->data; 1565 u8 type, cr, len; 1566 1567 cr = __test_cr(mcc->type); 1568 type = __get_mcc_type(mcc->type); 1569 len = __get_mcc_len(mcc->len); 1570 1571 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1572 1573 skb_pull(skb, 2); 1574 1575 switch (type) { 1576 case RFCOMM_PN: 1577 rfcomm_recv_pn(s, cr, skb); 1578 break; 1579 1580 case RFCOMM_RPN: 1581 rfcomm_recv_rpn(s, cr, len, skb); 1582 break; 1583 1584 case RFCOMM_RLS: 1585 rfcomm_recv_rls(s, cr, skb); 1586 break; 1587 1588 case RFCOMM_MSC: 1589 rfcomm_recv_msc(s, cr, skb); 1590 break; 1591 1592 case RFCOMM_FCOFF: 1593 if (cr) { 1594 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1595 rfcomm_send_fcoff(s, 0); 1596 } 1597 break; 1598 1599 case RFCOMM_FCON: 1600 if (cr) { 1601 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1602 rfcomm_send_fcon(s, 0); 1603 } 1604 break; 1605 1606 case RFCOMM_TEST: 1607 if (cr) 1608 rfcomm_send_test(s, 0, skb->data, skb->len); 1609 break; 1610 1611 case RFCOMM_NSC: 1612 break; 1613 1614 default: 1615 BT_ERR("Unknown control type 0x%02x", type); 1616 rfcomm_send_nsc(s, cr, type); 1617 break; 1618 } 1619 return 0; 1620 } 1621 1622 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1623 { 1624 struct rfcomm_dlc *d; 1625 1626 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1627 1628 d = rfcomm_dlc_get(s, dlci); 1629 if (!d) { 1630 rfcomm_send_dm(s, dlci); 1631 goto drop; 1632 } 1633 1634 if (pf && d->cfc) { 1635 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1636 1637 d->tx_credits += credits; 1638 if (d->tx_credits) 1639 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1640 } 1641 1642 if (skb->len && d->state == BT_CONNECTED) { 1643 rfcomm_dlc_lock(d); 1644 d->rx_credits--; 1645 d->data_ready(d, skb); 1646 rfcomm_dlc_unlock(d); 1647 return 0; 1648 } 1649 1650 drop: 1651 kfree_skb(skb); 1652 return 0; 1653 } 1654 1655 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) 1656 { 1657 struct rfcomm_hdr *hdr = (void *) skb->data; 1658 u8 type, dlci, fcs; 1659 1660 dlci = __get_dlci(hdr->addr); 1661 type = __get_type(hdr->ctrl); 1662 1663 /* Trim FCS */ 1664 skb->len--; skb->tail--; 1665 fcs = *(u8 *)skb_tail_pointer(skb); 1666 1667 if (__check_fcs(skb->data, type, fcs)) { 1668 BT_ERR("bad checksum in packet"); 1669 kfree_skb(skb); 1670 return -EILSEQ; 1671 } 1672 1673 if (__test_ea(hdr->len)) 1674 skb_pull(skb, 3); 1675 else 1676 skb_pull(skb, 4); 1677 1678 switch (type) { 1679 case RFCOMM_SABM: 1680 if (__test_pf(hdr->ctrl)) 1681 rfcomm_recv_sabm(s, dlci); 1682 break; 1683 1684 case RFCOMM_DISC: 1685 if (__test_pf(hdr->ctrl)) 1686 rfcomm_recv_disc(s, dlci); 1687 break; 1688 1689 case RFCOMM_UA: 1690 if (__test_pf(hdr->ctrl)) 1691 rfcomm_recv_ua(s, dlci); 1692 break; 1693 1694 case RFCOMM_DM: 1695 rfcomm_recv_dm(s, dlci); 1696 break; 1697 1698 case RFCOMM_UIH: 1699 if (dlci) 1700 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1701 1702 rfcomm_recv_mcc(s, skb); 1703 break; 1704 1705 default: 1706 BT_ERR("Unknown packet type 0x%02x", type); 1707 break; 1708 } 1709 kfree_skb(skb); 1710 return 0; 1711 } 1712 1713 /* ---- Connection and data processing ---- */ 1714 1715 static void rfcomm_process_connect(struct rfcomm_session *s) 1716 { 1717 struct rfcomm_dlc *d; 1718 struct list_head *p, *n; 1719 1720 BT_DBG("session %p state %ld", s, s->state); 1721 1722 list_for_each_safe(p, n, &s->dlcs) { 1723 d = list_entry(p, struct rfcomm_dlc, list); 1724 if (d->state == BT_CONFIG) { 1725 d->mtu = s->mtu; 1726 if (rfcomm_check_security(d)) { 1727 rfcomm_send_pn(s, 1, d); 1728 } else { 1729 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1730 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1731 } 1732 } 1733 } 1734 } 1735 1736 /* Send data queued for the DLC. 1737 * Return number of frames left in the queue. 1738 */ 1739 static int rfcomm_process_tx(struct rfcomm_dlc *d) 1740 { 1741 struct sk_buff *skb; 1742 int err; 1743 1744 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1745 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1746 1747 /* Send pending MSC */ 1748 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1749 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1750 1751 if (d->cfc) { 1752 /* CFC enabled. 1753 * Give them some credits */ 1754 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1755 d->rx_credits <= (d->cfc >> 2)) { 1756 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1757 d->rx_credits = d->cfc; 1758 } 1759 } else { 1760 /* CFC disabled. 1761 * Give ourselves some credits */ 1762 d->tx_credits = 5; 1763 } 1764 1765 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1766 return skb_queue_len(&d->tx_queue); 1767 1768 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1769 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1770 if (err < 0) { 1771 skb_queue_head(&d->tx_queue, skb); 1772 break; 1773 } 1774 kfree_skb(skb); 1775 d->tx_credits--; 1776 } 1777 1778 if (d->cfc && !d->tx_credits) { 1779 /* We're out of TX credits. 1780 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1781 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1782 } 1783 1784 return skb_queue_len(&d->tx_queue); 1785 } 1786 1787 static void rfcomm_process_dlcs(struct rfcomm_session *s) 1788 { 1789 struct rfcomm_dlc *d; 1790 struct list_head *p, *n; 1791 1792 BT_DBG("session %p state %ld", s, s->state); 1793 1794 list_for_each_safe(p, n, &s->dlcs) { 1795 d = list_entry(p, struct rfcomm_dlc, list); 1796 1797 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1798 __rfcomm_dlc_close(d, ETIMEDOUT); 1799 continue; 1800 } 1801 1802 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1803 __rfcomm_dlc_close(d, ECONNREFUSED); 1804 continue; 1805 } 1806 1807 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1808 rfcomm_dlc_clear_timer(d); 1809 if (d->out) { 1810 rfcomm_send_pn(s, 1, d); 1811 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1812 } else { 1813 if (d->defer_setup) { 1814 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1815 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1816 1817 rfcomm_dlc_lock(d); 1818 d->state = BT_CONNECT2; 1819 d->state_change(d, 0); 1820 rfcomm_dlc_unlock(d); 1821 } else 1822 rfcomm_dlc_accept(d); 1823 } 1824 continue; 1825 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1826 rfcomm_dlc_clear_timer(d); 1827 if (!d->out) 1828 rfcomm_send_dm(s, d->dlci); 1829 else 1830 d->state = BT_CLOSED; 1831 __rfcomm_dlc_close(d, ECONNREFUSED); 1832 continue; 1833 } 1834 1835 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1836 continue; 1837 1838 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1839 continue; 1840 1841 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1842 d->mscex == RFCOMM_MSCEX_OK) 1843 rfcomm_process_tx(d); 1844 } 1845 } 1846 1847 static void rfcomm_process_rx(struct rfcomm_session *s) 1848 { 1849 struct socket *sock = s->sock; 1850 struct sock *sk = sock->sk; 1851 struct sk_buff *skb; 1852 1853 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1854 1855 /* Get data directly from socket receive queue without copying it. */ 1856 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1857 skb_orphan(skb); 1858 if (!skb_linearize(skb)) 1859 rfcomm_recv_frame(s, skb); 1860 else 1861 kfree_skb(skb); 1862 } 1863 1864 if (sk->sk_state == BT_CLOSED) { 1865 if (!s->initiator) 1866 rfcomm_session_put(s); 1867 1868 rfcomm_session_close(s, sk->sk_err); 1869 } 1870 } 1871 1872 static void rfcomm_accept_connection(struct rfcomm_session *s) 1873 { 1874 struct socket *sock = s->sock, *nsock; 1875 int err; 1876 1877 /* Fast check for a new connection. 1878 * Avoids unnesesary socket allocations. */ 1879 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1880 return; 1881 1882 BT_DBG("session %p", s); 1883 1884 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1885 if (err < 0) 1886 return; 1887 1888 /* Set our callbacks */ 1889 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1890 nsock->sk->sk_state_change = rfcomm_l2state_change; 1891 1892 s = rfcomm_session_add(nsock, BT_OPEN); 1893 if (s) { 1894 rfcomm_session_hold(s); 1895 1896 /* We should adjust MTU on incoming sessions. 1897 * L2CAP MTU minus UIH header and FCS. */ 1898 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1899 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1900 1901 rfcomm_schedule(); 1902 } else 1903 sock_release(nsock); 1904 } 1905 1906 static void rfcomm_check_connection(struct rfcomm_session *s) 1907 { 1908 struct sock *sk = s->sock->sk; 1909 1910 BT_DBG("%p state %ld", s, s->state); 1911 1912 switch (sk->sk_state) { 1913 case BT_CONNECTED: 1914 s->state = BT_CONNECT; 1915 1916 /* We can adjust MTU on outgoing sessions. 1917 * L2CAP MTU minus UIH header and FCS. */ 1918 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1919 1920 rfcomm_send_sabm(s, 0); 1921 break; 1922 1923 case BT_CLOSED: 1924 s->state = BT_CLOSED; 1925 rfcomm_session_close(s, sk->sk_err); 1926 break; 1927 } 1928 } 1929 1930 static void rfcomm_process_sessions(void) 1931 { 1932 struct list_head *p, *n; 1933 1934 rfcomm_lock(); 1935 1936 list_for_each_safe(p, n, &session_list) { 1937 struct rfcomm_session *s; 1938 s = list_entry(p, struct rfcomm_session, list); 1939 1940 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1941 s->state = BT_DISCONN; 1942 rfcomm_send_disc(s, 0); 1943 rfcomm_session_put(s); 1944 continue; 1945 } 1946 1947 if (s->state == BT_LISTEN) { 1948 rfcomm_accept_connection(s); 1949 continue; 1950 } 1951 1952 rfcomm_session_hold(s); 1953 1954 switch (s->state) { 1955 case BT_BOUND: 1956 rfcomm_check_connection(s); 1957 break; 1958 1959 default: 1960 rfcomm_process_rx(s); 1961 break; 1962 } 1963 1964 rfcomm_process_dlcs(s); 1965 1966 rfcomm_session_put(s); 1967 } 1968 1969 rfcomm_unlock(); 1970 } 1971 1972 static int rfcomm_add_listener(bdaddr_t *ba) 1973 { 1974 struct sockaddr_l2 addr; 1975 struct socket *sock; 1976 struct sock *sk; 1977 struct rfcomm_session *s; 1978 int err = 0; 1979 1980 /* Create socket */ 1981 err = rfcomm_l2sock_create(&sock); 1982 if (err < 0) { 1983 BT_ERR("Create socket failed %d", err); 1984 return err; 1985 } 1986 1987 /* Bind socket */ 1988 bacpy(&addr.l2_bdaddr, ba); 1989 addr.l2_family = AF_BLUETOOTH; 1990 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM); 1991 addr.l2_cid = 0; 1992 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 1993 if (err < 0) { 1994 BT_ERR("Bind failed %d", err); 1995 goto failed; 1996 } 1997 1998 /* Set L2CAP options */ 1999 sk = sock->sk; 2000 lock_sock(sk); 2001 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 2002 release_sock(sk); 2003 2004 /* Start listening on the socket */ 2005 err = kernel_listen(sock, 10); 2006 if (err) { 2007 BT_ERR("Listen failed %d", err); 2008 goto failed; 2009 } 2010 2011 /* Add listening session */ 2012 s = rfcomm_session_add(sock, BT_LISTEN); 2013 if (!s) 2014 goto failed; 2015 2016 rfcomm_session_hold(s); 2017 return 0; 2018 failed: 2019 sock_release(sock); 2020 return err; 2021 } 2022 2023 static void rfcomm_kill_listener(void) 2024 { 2025 struct rfcomm_session *s; 2026 struct list_head *p, *n; 2027 2028 BT_DBG(""); 2029 2030 list_for_each_safe(p, n, &session_list) { 2031 s = list_entry(p, struct rfcomm_session, list); 2032 rfcomm_session_del(s); 2033 } 2034 } 2035 2036 static int rfcomm_run(void *unused) 2037 { 2038 BT_DBG(""); 2039 2040 set_user_nice(current, -10); 2041 2042 rfcomm_add_listener(BDADDR_ANY); 2043 2044 while (1) { 2045 set_current_state(TASK_INTERRUPTIBLE); 2046 2047 if (kthread_should_stop()) 2048 break; 2049 2050 /* Process stuff */ 2051 rfcomm_process_sessions(); 2052 2053 schedule(); 2054 } 2055 __set_current_state(TASK_RUNNING); 2056 2057 rfcomm_kill_listener(); 2058 2059 return 0; 2060 } 2061 2062 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2063 { 2064 struct rfcomm_session *s; 2065 struct rfcomm_dlc *d; 2066 struct list_head *p, *n; 2067 2068 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2069 2070 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2071 if (!s) 2072 return; 2073 2074 rfcomm_session_hold(s); 2075 2076 list_for_each_safe(p, n, &s->dlcs) { 2077 d = list_entry(p, struct rfcomm_dlc, list); 2078 2079 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2080 rfcomm_dlc_clear_timer(d); 2081 if (status || encrypt == 0x00) { 2082 set_bit(RFCOMM_ENC_DROP, &d->flags); 2083 continue; 2084 } 2085 } 2086 2087 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2088 if (d->sec_level == BT_SECURITY_MEDIUM) { 2089 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2090 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2091 continue; 2092 } else if (d->sec_level == BT_SECURITY_HIGH) { 2093 set_bit(RFCOMM_ENC_DROP, &d->flags); 2094 continue; 2095 } 2096 } 2097 2098 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2099 continue; 2100 2101 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2102 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2103 else 2104 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2105 } 2106 2107 rfcomm_session_put(s); 2108 2109 rfcomm_schedule(); 2110 } 2111 2112 static struct hci_cb rfcomm_cb = { 2113 .name = "RFCOMM", 2114 .security_cfm = rfcomm_security_cfm 2115 }; 2116 2117 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2118 { 2119 struct rfcomm_session *s; 2120 2121 rfcomm_lock(); 2122 2123 list_for_each_entry(s, &session_list, list) { 2124 struct rfcomm_dlc *d; 2125 list_for_each_entry(d, &s->dlcs, list) { 2126 struct sock *sk = s->sock->sk; 2127 2128 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n", 2129 &bt_sk(sk)->src, &bt_sk(sk)->dst, 2130 d->state, d->dlci, d->mtu, 2131 d->rx_credits, d->tx_credits); 2132 } 2133 } 2134 2135 rfcomm_unlock(); 2136 2137 return 0; 2138 } 2139 2140 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2141 { 2142 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2143 } 2144 2145 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2146 .open = rfcomm_dlc_debugfs_open, 2147 .read = seq_read, 2148 .llseek = seq_lseek, 2149 .release = single_release, 2150 }; 2151 2152 static struct dentry *rfcomm_dlc_debugfs; 2153 2154 /* ---- Initialization ---- */ 2155 static int __init rfcomm_init(void) 2156 { 2157 int err; 2158 2159 hci_register_cb(&rfcomm_cb); 2160 2161 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2162 if (IS_ERR(rfcomm_thread)) { 2163 err = PTR_ERR(rfcomm_thread); 2164 goto unregister; 2165 } 2166 2167 if (bt_debugfs) { 2168 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2169 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops); 2170 if (!rfcomm_dlc_debugfs) 2171 BT_ERR("Failed to create RFCOMM debug file"); 2172 } 2173 2174 err = rfcomm_init_ttys(); 2175 if (err < 0) 2176 goto stop; 2177 2178 err = rfcomm_init_sockets(); 2179 if (err < 0) 2180 goto cleanup; 2181 2182 BT_INFO("RFCOMM ver %s", VERSION); 2183 2184 return 0; 2185 2186 cleanup: 2187 rfcomm_cleanup_ttys(); 2188 2189 stop: 2190 kthread_stop(rfcomm_thread); 2191 2192 unregister: 2193 hci_unregister_cb(&rfcomm_cb); 2194 2195 return err; 2196 } 2197 2198 static void __exit rfcomm_exit(void) 2199 { 2200 debugfs_remove(rfcomm_dlc_debugfs); 2201 2202 hci_unregister_cb(&rfcomm_cb); 2203 2204 kthread_stop(rfcomm_thread); 2205 2206 rfcomm_cleanup_ttys(); 2207 2208 rfcomm_cleanup_sockets(); 2209 } 2210 2211 module_init(rfcomm_init); 2212 module_exit(rfcomm_exit); 2213 2214 module_param(disable_cfc, bool, 0644); 2215 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2216 2217 module_param(channel_mtu, int, 0644); 2218 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2219 2220 module_param(l2cap_mtu, uint, 0644); 2221 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2222 2223 module_param(l2cap_ertm, bool, 0644); 2224 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2225 2226 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2227 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2228 MODULE_VERSION(VERSION); 2229 MODULE_LICENSE("GPL"); 2230 MODULE_ALIAS("bt-proto-3"); 2231