1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/errno.h> 30 #include <linux/kernel.h> 31 #include <linux/sched.h> 32 #include <linux/signal.h> 33 #include <linux/init.h> 34 #include <linux/wait.h> 35 #include <linux/device.h> 36 #include <linux/debugfs.h> 37 #include <linux/seq_file.h> 38 #include <linux/net.h> 39 #include <linux/mutex.h> 40 #include <linux/kthread.h> 41 #include <linux/slab.h> 42 43 #include <net/sock.h> 44 #include <linux/uaccess.h> 45 #include <asm/unaligned.h> 46 47 #include <net/bluetooth/bluetooth.h> 48 #include <net/bluetooth/hci_core.h> 49 #include <net/bluetooth/l2cap.h> 50 #include <net/bluetooth/rfcomm.h> 51 52 #define VERSION "1.11" 53 54 static int disable_cfc; 55 static int l2cap_ertm; 56 static int channel_mtu = -1; 57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 58 59 static struct task_struct *rfcomm_thread; 60 61 static DEFINE_MUTEX(rfcomm_mutex); 62 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 64 65 static unsigned long rfcomm_event; 66 67 static LIST_HEAD(session_list); 68 69 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 70 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 71 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 72 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 73 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 74 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 75 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 76 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 77 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 78 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 79 80 static void rfcomm_process_connect(struct rfcomm_session *s); 81 82 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 83 bdaddr_t *dst, 84 u8 sec_level, 85 int *err); 86 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 87 static void rfcomm_session_del(struct rfcomm_session *s); 88 89 /* ---- RFCOMM frame parsing macros ---- */ 90 #define __get_dlci(b) ((b & 0xfc) >> 2) 91 #define __get_channel(b) ((b & 0xf8) >> 3) 92 #define __get_dir(b) ((b & 0x04) >> 2) 93 #define __get_type(b) ((b & 0xef)) 94 95 #define __test_ea(b) ((b & 0x01)) 96 #define __test_cr(b) ((b & 0x02)) 97 #define __test_pf(b) ((b & 0x10)) 98 99 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 100 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 101 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 102 #define __srv_channel(dlci) (dlci >> 1) 103 #define __dir(dlci) (dlci & 0x01) 104 105 #define __len8(len) (((len) << 1) | 1) 106 #define __len16(len) ((len) << 1) 107 108 /* MCC macros */ 109 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 110 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 111 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 112 113 /* RPN macros */ 114 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 115 #define __get_rpn_data_bits(line) ((line) & 0x3) 116 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 117 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 118 119 static inline void rfcomm_schedule(void) 120 { 121 if (!rfcomm_thread) 122 return; 123 set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event); 124 wake_up_process(rfcomm_thread); 125 } 126 127 static inline void rfcomm_session_put(struct rfcomm_session *s) 128 { 129 if (atomic_dec_and_test(&s->refcnt)) 130 rfcomm_session_del(s); 131 } 132 133 /* ---- RFCOMM FCS computation ---- */ 134 135 /* reversed, 8-bit, poly=0x07 */ 136 static unsigned char rfcomm_crc_table[256] = { 137 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 138 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 139 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 140 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 141 142 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 143 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 144 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 145 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 146 147 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 148 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 149 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 150 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 151 152 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 153 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 154 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 155 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 156 157 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 158 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 159 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 160 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 161 162 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 163 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 164 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 165 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 166 167 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 168 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 169 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 170 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 171 172 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 173 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 174 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 175 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 176 }; 177 178 /* CRC on 2 bytes */ 179 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 180 181 /* FCS on 2 bytes */ 182 static inline u8 __fcs(u8 *data) 183 { 184 return 0xff - __crc(data); 185 } 186 187 /* FCS on 3 bytes */ 188 static inline u8 __fcs2(u8 *data) 189 { 190 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 191 } 192 193 /* Check FCS */ 194 static inline int __check_fcs(u8 *data, int type, u8 fcs) 195 { 196 u8 f = __crc(data); 197 198 if (type != RFCOMM_UIH) 199 f = rfcomm_crc_table[f ^ data[2]]; 200 201 return rfcomm_crc_table[f ^ fcs] != 0xcf; 202 } 203 204 /* ---- L2CAP callbacks ---- */ 205 static void rfcomm_l2state_change(struct sock *sk) 206 { 207 BT_DBG("%p state %d", sk, sk->sk_state); 208 rfcomm_schedule(); 209 } 210 211 static void rfcomm_l2data_ready(struct sock *sk, int bytes) 212 { 213 BT_DBG("%p bytes %d", sk, bytes); 214 rfcomm_schedule(); 215 } 216 217 static int rfcomm_l2sock_create(struct socket **sock) 218 { 219 int err; 220 221 BT_DBG(""); 222 223 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 224 if (!err) { 225 struct sock *sk = (*sock)->sk; 226 sk->sk_data_ready = rfcomm_l2data_ready; 227 sk->sk_state_change = rfcomm_l2state_change; 228 } 229 return err; 230 } 231 232 static inline int rfcomm_check_security(struct rfcomm_dlc *d) 233 { 234 struct sock *sk = d->session->sock->sk; 235 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 236 237 __u8 auth_type; 238 239 switch (d->sec_level) { 240 case BT_SECURITY_HIGH: 241 auth_type = HCI_AT_GENERAL_BONDING_MITM; 242 break; 243 case BT_SECURITY_MEDIUM: 244 auth_type = HCI_AT_GENERAL_BONDING; 245 break; 246 default: 247 auth_type = HCI_AT_NO_BONDING; 248 break; 249 } 250 251 return hci_conn_security(conn->hcon, d->sec_level, auth_type); 252 } 253 254 static void rfcomm_session_timeout(unsigned long arg) 255 { 256 struct rfcomm_session *s = (void *) arg; 257 258 BT_DBG("session %p state %ld", s, s->state); 259 260 set_bit(RFCOMM_TIMED_OUT, &s->flags); 261 rfcomm_schedule(); 262 } 263 264 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 265 { 266 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 267 268 if (!mod_timer(&s->timer, jiffies + timeout)) 269 rfcomm_session_hold(s); 270 } 271 272 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 273 { 274 BT_DBG("session %p state %ld", s, s->state); 275 276 if (timer_pending(&s->timer) && del_timer(&s->timer)) 277 rfcomm_session_put(s); 278 } 279 280 /* ---- RFCOMM DLCs ---- */ 281 static void rfcomm_dlc_timeout(unsigned long arg) 282 { 283 struct rfcomm_dlc *d = (void *) arg; 284 285 BT_DBG("dlc %p state %ld", d, d->state); 286 287 set_bit(RFCOMM_TIMED_OUT, &d->flags); 288 rfcomm_dlc_put(d); 289 rfcomm_schedule(); 290 } 291 292 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 293 { 294 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 295 296 if (!mod_timer(&d->timer, jiffies + timeout)) 297 rfcomm_dlc_hold(d); 298 } 299 300 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 301 { 302 BT_DBG("dlc %p state %ld", d, d->state); 303 304 if (timer_pending(&d->timer) && del_timer(&d->timer)) 305 rfcomm_dlc_put(d); 306 } 307 308 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 309 { 310 BT_DBG("%p", d); 311 312 d->state = BT_OPEN; 313 d->flags = 0; 314 d->mscex = 0; 315 d->sec_level = BT_SECURITY_LOW; 316 d->mtu = RFCOMM_DEFAULT_MTU; 317 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 318 319 d->cfc = RFCOMM_CFC_DISABLED; 320 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 321 } 322 323 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 324 { 325 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 326 327 if (!d) 328 return NULL; 329 330 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 331 332 skb_queue_head_init(&d->tx_queue); 333 spin_lock_init(&d->lock); 334 atomic_set(&d->refcnt, 1); 335 336 rfcomm_dlc_clear_state(d); 337 338 BT_DBG("%p", d); 339 340 return d; 341 } 342 343 void rfcomm_dlc_free(struct rfcomm_dlc *d) 344 { 345 BT_DBG("%p", d); 346 347 skb_queue_purge(&d->tx_queue); 348 kfree(d); 349 } 350 351 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 352 { 353 BT_DBG("dlc %p session %p", d, s); 354 355 rfcomm_session_hold(s); 356 357 rfcomm_session_clear_timer(s); 358 rfcomm_dlc_hold(d); 359 list_add(&d->list, &s->dlcs); 360 d->session = s; 361 } 362 363 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 364 { 365 struct rfcomm_session *s = d->session; 366 367 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 368 369 list_del(&d->list); 370 d->session = NULL; 371 rfcomm_dlc_put(d); 372 373 if (list_empty(&s->dlcs)) 374 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 375 376 rfcomm_session_put(s); 377 } 378 379 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 380 { 381 struct rfcomm_dlc *d; 382 struct list_head *p; 383 384 list_for_each(p, &s->dlcs) { 385 d = list_entry(p, struct rfcomm_dlc, list); 386 if (d->dlci == dlci) 387 return d; 388 } 389 return NULL; 390 } 391 392 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 393 { 394 struct rfcomm_session *s; 395 int err = 0; 396 u8 dlci; 397 398 BT_DBG("dlc %p state %ld %s %s channel %d", 399 d, d->state, batostr(src), batostr(dst), channel); 400 401 if (channel < 1 || channel > 30) 402 return -EINVAL; 403 404 if (d->state != BT_OPEN && d->state != BT_CLOSED) 405 return 0; 406 407 s = rfcomm_session_get(src, dst); 408 if (!s) { 409 s = rfcomm_session_create(src, dst, d->sec_level, &err); 410 if (!s) 411 return err; 412 } 413 414 dlci = __dlci(!s->initiator, channel); 415 416 /* Check if DLCI already exists */ 417 if (rfcomm_dlc_get(s, dlci)) 418 return -EBUSY; 419 420 rfcomm_dlc_clear_state(d); 421 422 d->dlci = dlci; 423 d->addr = __addr(s->initiator, dlci); 424 d->priority = 7; 425 426 d->state = BT_CONFIG; 427 rfcomm_dlc_link(s, d); 428 429 d->out = 1; 430 431 d->mtu = s->mtu; 432 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 433 434 if (s->state == BT_CONNECTED) { 435 if (rfcomm_check_security(d)) 436 rfcomm_send_pn(s, 1, d); 437 else 438 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 439 } 440 441 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 442 443 return 0; 444 } 445 446 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 447 { 448 int r; 449 450 rfcomm_lock(); 451 452 r = __rfcomm_dlc_open(d, src, dst, channel); 453 454 rfcomm_unlock(); 455 return r; 456 } 457 458 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 459 { 460 struct rfcomm_session *s = d->session; 461 if (!s) 462 return 0; 463 464 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 465 d, d->state, d->dlci, err, s); 466 467 switch (d->state) { 468 case BT_CONNECT: 469 case BT_CONFIG: 470 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 471 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 472 rfcomm_schedule(); 473 break; 474 } 475 /* Fall through */ 476 477 case BT_CONNECTED: 478 d->state = BT_DISCONN; 479 if (skb_queue_empty(&d->tx_queue)) { 480 rfcomm_send_disc(s, d->dlci); 481 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 482 } else { 483 rfcomm_queue_disc(d); 484 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 485 } 486 break; 487 488 case BT_OPEN: 489 case BT_CONNECT2: 490 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 491 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 492 rfcomm_schedule(); 493 break; 494 } 495 /* Fall through */ 496 497 default: 498 rfcomm_dlc_clear_timer(d); 499 500 rfcomm_dlc_lock(d); 501 d->state = BT_CLOSED; 502 d->state_change(d, err); 503 rfcomm_dlc_unlock(d); 504 505 skb_queue_purge(&d->tx_queue); 506 rfcomm_dlc_unlink(d); 507 } 508 509 return 0; 510 } 511 512 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 513 { 514 int r; 515 516 rfcomm_lock(); 517 518 r = __rfcomm_dlc_close(d, err); 519 520 rfcomm_unlock(); 521 return r; 522 } 523 524 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 525 { 526 int len = skb->len; 527 528 if (d->state != BT_CONNECTED) 529 return -ENOTCONN; 530 531 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 532 533 if (len > d->mtu) 534 return -EINVAL; 535 536 rfcomm_make_uih(skb, d->addr); 537 skb_queue_tail(&d->tx_queue, skb); 538 539 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 540 rfcomm_schedule(); 541 return len; 542 } 543 544 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 545 { 546 BT_DBG("dlc %p state %ld", d, d->state); 547 548 if (!d->cfc) { 549 d->v24_sig |= RFCOMM_V24_FC; 550 set_bit(RFCOMM_MSC_PENDING, &d->flags); 551 } 552 rfcomm_schedule(); 553 } 554 555 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 556 { 557 BT_DBG("dlc %p state %ld", d, d->state); 558 559 if (!d->cfc) { 560 d->v24_sig &= ~RFCOMM_V24_FC; 561 set_bit(RFCOMM_MSC_PENDING, &d->flags); 562 } 563 rfcomm_schedule(); 564 } 565 566 /* 567 Set/get modem status functions use _local_ status i.e. what we report 568 to the other side. 569 Remote status is provided by dlc->modem_status() callback. 570 */ 571 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 572 { 573 BT_DBG("dlc %p state %ld v24_sig 0x%x", 574 d, d->state, v24_sig); 575 576 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 577 v24_sig |= RFCOMM_V24_FC; 578 else 579 v24_sig &= ~RFCOMM_V24_FC; 580 581 d->v24_sig = v24_sig; 582 583 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 584 rfcomm_schedule(); 585 586 return 0; 587 } 588 589 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 590 { 591 BT_DBG("dlc %p state %ld v24_sig 0x%x", 592 d, d->state, d->v24_sig); 593 594 *v24_sig = d->v24_sig; 595 return 0; 596 } 597 598 /* ---- RFCOMM sessions ---- */ 599 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 600 { 601 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 602 603 if (!s) 604 return NULL; 605 606 BT_DBG("session %p sock %p", s, sock); 607 608 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 609 610 INIT_LIST_HEAD(&s->dlcs); 611 s->state = state; 612 s->sock = sock; 613 614 s->mtu = RFCOMM_DEFAULT_MTU; 615 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 616 617 /* Do not increment module usage count for listening sessions. 618 * Otherwise we won't be able to unload the module. */ 619 if (state != BT_LISTEN) 620 if (!try_module_get(THIS_MODULE)) { 621 kfree(s); 622 return NULL; 623 } 624 625 list_add(&s->list, &session_list); 626 627 return s; 628 } 629 630 static void rfcomm_session_del(struct rfcomm_session *s) 631 { 632 int state = s->state; 633 634 BT_DBG("session %p state %ld", s, s->state); 635 636 list_del(&s->list); 637 638 if (state == BT_CONNECTED) 639 rfcomm_send_disc(s, 0); 640 641 rfcomm_session_clear_timer(s); 642 sock_release(s->sock); 643 kfree(s); 644 645 if (state != BT_LISTEN) 646 module_put(THIS_MODULE); 647 } 648 649 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 650 { 651 struct rfcomm_session *s; 652 struct list_head *p, *n; 653 struct bt_sock *sk; 654 list_for_each_safe(p, n, &session_list) { 655 s = list_entry(p, struct rfcomm_session, list); 656 sk = bt_sk(s->sock->sk); 657 658 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) && 659 !bacmp(&sk->dst, dst)) 660 return s; 661 } 662 return NULL; 663 } 664 665 static void rfcomm_session_close(struct rfcomm_session *s, int err) 666 { 667 struct rfcomm_dlc *d; 668 struct list_head *p, *n; 669 670 BT_DBG("session %p state %ld err %d", s, s->state, err); 671 672 rfcomm_session_hold(s); 673 674 s->state = BT_CLOSED; 675 676 /* Close all dlcs */ 677 list_for_each_safe(p, n, &s->dlcs) { 678 d = list_entry(p, struct rfcomm_dlc, list); 679 d->state = BT_CLOSED; 680 __rfcomm_dlc_close(d, err); 681 } 682 683 rfcomm_session_clear_timer(s); 684 rfcomm_session_put(s); 685 } 686 687 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 688 bdaddr_t *dst, 689 u8 sec_level, 690 int *err) 691 { 692 struct rfcomm_session *s = NULL; 693 struct sockaddr_l2 addr; 694 struct socket *sock; 695 struct sock *sk; 696 697 BT_DBG("%s %s", batostr(src), batostr(dst)); 698 699 *err = rfcomm_l2sock_create(&sock); 700 if (*err < 0) 701 return NULL; 702 703 bacpy(&addr.l2_bdaddr, src); 704 addr.l2_family = AF_BLUETOOTH; 705 addr.l2_psm = 0; 706 addr.l2_cid = 0; 707 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 708 if (*err < 0) 709 goto failed; 710 711 /* Set L2CAP options */ 712 sk = sock->sk; 713 lock_sock(sk); 714 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 715 l2cap_pi(sk)->chan->sec_level = sec_level; 716 if (l2cap_ertm) 717 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 718 release_sock(sk); 719 720 s = rfcomm_session_add(sock, BT_BOUND); 721 if (!s) { 722 *err = -ENOMEM; 723 goto failed; 724 } 725 726 s->initiator = 1; 727 728 bacpy(&addr.l2_bdaddr, dst); 729 addr.l2_family = AF_BLUETOOTH; 730 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 731 addr.l2_cid = 0; 732 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 733 if (*err == 0 || *err == -EINPROGRESS) 734 return s; 735 736 rfcomm_session_del(s); 737 return NULL; 738 739 failed: 740 sock_release(sock); 741 return NULL; 742 } 743 744 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 745 { 746 struct sock *sk = s->sock->sk; 747 if (src) 748 bacpy(src, &bt_sk(sk)->src); 749 if (dst) 750 bacpy(dst, &bt_sk(sk)->dst); 751 } 752 753 /* ---- RFCOMM frame sending ---- */ 754 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 755 { 756 struct socket *sock = s->sock; 757 struct kvec iv = { data, len }; 758 struct msghdr msg; 759 760 BT_DBG("session %p len %d", s, len); 761 762 memset(&msg, 0, sizeof(msg)); 763 764 return kernel_sendmsg(sock, &msg, &iv, 1, len); 765 } 766 767 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 768 { 769 struct rfcomm_cmd cmd; 770 771 BT_DBG("%p dlci %d", s, dlci); 772 773 cmd.addr = __addr(s->initiator, dlci); 774 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 775 cmd.len = __len8(0); 776 cmd.fcs = __fcs2((u8 *) &cmd); 777 778 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 779 } 780 781 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 782 { 783 struct rfcomm_cmd cmd; 784 785 BT_DBG("%p dlci %d", s, dlci); 786 787 cmd.addr = __addr(!s->initiator, dlci); 788 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 789 cmd.len = __len8(0); 790 cmd.fcs = __fcs2((u8 *) &cmd); 791 792 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 793 } 794 795 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 796 { 797 struct rfcomm_cmd cmd; 798 799 BT_DBG("%p dlci %d", s, dlci); 800 801 cmd.addr = __addr(s->initiator, dlci); 802 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 803 cmd.len = __len8(0); 804 cmd.fcs = __fcs2((u8 *) &cmd); 805 806 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 807 } 808 809 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 810 { 811 struct rfcomm_cmd *cmd; 812 struct sk_buff *skb; 813 814 BT_DBG("dlc %p dlci %d", d, d->dlci); 815 816 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 817 if (!skb) 818 return -ENOMEM; 819 820 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 821 cmd->addr = d->addr; 822 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 823 cmd->len = __len8(0); 824 cmd->fcs = __fcs2((u8 *) cmd); 825 826 skb_queue_tail(&d->tx_queue, skb); 827 rfcomm_schedule(); 828 return 0; 829 } 830 831 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 832 { 833 struct rfcomm_cmd cmd; 834 835 BT_DBG("%p dlci %d", s, dlci); 836 837 cmd.addr = __addr(!s->initiator, dlci); 838 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 839 cmd.len = __len8(0); 840 cmd.fcs = __fcs2((u8 *) &cmd); 841 842 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 843 } 844 845 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 846 { 847 struct rfcomm_hdr *hdr; 848 struct rfcomm_mcc *mcc; 849 u8 buf[16], *ptr = buf; 850 851 BT_DBG("%p cr %d type %d", s, cr, type); 852 853 hdr = (void *) ptr; ptr += sizeof(*hdr); 854 hdr->addr = __addr(s->initiator, 0); 855 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 856 hdr->len = __len8(sizeof(*mcc) + 1); 857 858 mcc = (void *) ptr; ptr += sizeof(*mcc); 859 mcc->type = __mcc_type(cr, RFCOMM_NSC); 860 mcc->len = __len8(1); 861 862 /* Type that we didn't like */ 863 *ptr = __mcc_type(cr, type); ptr++; 864 865 *ptr = __fcs(buf); ptr++; 866 867 return rfcomm_send_frame(s, buf, ptr - buf); 868 } 869 870 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 871 { 872 struct rfcomm_hdr *hdr; 873 struct rfcomm_mcc *mcc; 874 struct rfcomm_pn *pn; 875 u8 buf[16], *ptr = buf; 876 877 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 878 879 hdr = (void *) ptr; ptr += sizeof(*hdr); 880 hdr->addr = __addr(s->initiator, 0); 881 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 882 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 883 884 mcc = (void *) ptr; ptr += sizeof(*mcc); 885 mcc->type = __mcc_type(cr, RFCOMM_PN); 886 mcc->len = __len8(sizeof(*pn)); 887 888 pn = (void *) ptr; ptr += sizeof(*pn); 889 pn->dlci = d->dlci; 890 pn->priority = d->priority; 891 pn->ack_timer = 0; 892 pn->max_retrans = 0; 893 894 if (s->cfc) { 895 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 896 pn->credits = RFCOMM_DEFAULT_CREDITS; 897 } else { 898 pn->flow_ctrl = 0; 899 pn->credits = 0; 900 } 901 902 if (cr && channel_mtu >= 0) 903 pn->mtu = cpu_to_le16(channel_mtu); 904 else 905 pn->mtu = cpu_to_le16(d->mtu); 906 907 *ptr = __fcs(buf); ptr++; 908 909 return rfcomm_send_frame(s, buf, ptr - buf); 910 } 911 912 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 913 u8 bit_rate, u8 data_bits, u8 stop_bits, 914 u8 parity, u8 flow_ctrl_settings, 915 u8 xon_char, u8 xoff_char, u16 param_mask) 916 { 917 struct rfcomm_hdr *hdr; 918 struct rfcomm_mcc *mcc; 919 struct rfcomm_rpn *rpn; 920 u8 buf[16], *ptr = buf; 921 922 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 923 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 924 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 925 flow_ctrl_settings, xon_char, xoff_char, param_mask); 926 927 hdr = (void *) ptr; ptr += sizeof(*hdr); 928 hdr->addr = __addr(s->initiator, 0); 929 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 930 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 931 932 mcc = (void *) ptr; ptr += sizeof(*mcc); 933 mcc->type = __mcc_type(cr, RFCOMM_RPN); 934 mcc->len = __len8(sizeof(*rpn)); 935 936 rpn = (void *) ptr; ptr += sizeof(*rpn); 937 rpn->dlci = __addr(1, dlci); 938 rpn->bit_rate = bit_rate; 939 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 940 rpn->flow_ctrl = flow_ctrl_settings; 941 rpn->xon_char = xon_char; 942 rpn->xoff_char = xoff_char; 943 rpn->param_mask = cpu_to_le16(param_mask); 944 945 *ptr = __fcs(buf); ptr++; 946 947 return rfcomm_send_frame(s, buf, ptr - buf); 948 } 949 950 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 951 { 952 struct rfcomm_hdr *hdr; 953 struct rfcomm_mcc *mcc; 954 struct rfcomm_rls *rls; 955 u8 buf[16], *ptr = buf; 956 957 BT_DBG("%p cr %d status 0x%x", s, cr, status); 958 959 hdr = (void *) ptr; ptr += sizeof(*hdr); 960 hdr->addr = __addr(s->initiator, 0); 961 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 962 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 963 964 mcc = (void *) ptr; ptr += sizeof(*mcc); 965 mcc->type = __mcc_type(cr, RFCOMM_RLS); 966 mcc->len = __len8(sizeof(*rls)); 967 968 rls = (void *) ptr; ptr += sizeof(*rls); 969 rls->dlci = __addr(1, dlci); 970 rls->status = status; 971 972 *ptr = __fcs(buf); ptr++; 973 974 return rfcomm_send_frame(s, buf, ptr - buf); 975 } 976 977 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 978 { 979 struct rfcomm_hdr *hdr; 980 struct rfcomm_mcc *mcc; 981 struct rfcomm_msc *msc; 982 u8 buf[16], *ptr = buf; 983 984 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 985 986 hdr = (void *) ptr; ptr += sizeof(*hdr); 987 hdr->addr = __addr(s->initiator, 0); 988 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 989 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 990 991 mcc = (void *) ptr; ptr += sizeof(*mcc); 992 mcc->type = __mcc_type(cr, RFCOMM_MSC); 993 mcc->len = __len8(sizeof(*msc)); 994 995 msc = (void *) ptr; ptr += sizeof(*msc); 996 msc->dlci = __addr(1, dlci); 997 msc->v24_sig = v24_sig | 0x01; 998 999 *ptr = __fcs(buf); ptr++; 1000 1001 return rfcomm_send_frame(s, buf, ptr - buf); 1002 } 1003 1004 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1005 { 1006 struct rfcomm_hdr *hdr; 1007 struct rfcomm_mcc *mcc; 1008 u8 buf[16], *ptr = buf; 1009 1010 BT_DBG("%p cr %d", s, cr); 1011 1012 hdr = (void *) ptr; ptr += sizeof(*hdr); 1013 hdr->addr = __addr(s->initiator, 0); 1014 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1015 hdr->len = __len8(sizeof(*mcc)); 1016 1017 mcc = (void *) ptr; ptr += sizeof(*mcc); 1018 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1019 mcc->len = __len8(0); 1020 1021 *ptr = __fcs(buf); ptr++; 1022 1023 return rfcomm_send_frame(s, buf, ptr - buf); 1024 } 1025 1026 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1027 { 1028 struct rfcomm_hdr *hdr; 1029 struct rfcomm_mcc *mcc; 1030 u8 buf[16], *ptr = buf; 1031 1032 BT_DBG("%p cr %d", s, cr); 1033 1034 hdr = (void *) ptr; ptr += sizeof(*hdr); 1035 hdr->addr = __addr(s->initiator, 0); 1036 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1037 hdr->len = __len8(sizeof(*mcc)); 1038 1039 mcc = (void *) ptr; ptr += sizeof(*mcc); 1040 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1041 mcc->len = __len8(0); 1042 1043 *ptr = __fcs(buf); ptr++; 1044 1045 return rfcomm_send_frame(s, buf, ptr - buf); 1046 } 1047 1048 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1049 { 1050 struct socket *sock = s->sock; 1051 struct kvec iv[3]; 1052 struct msghdr msg; 1053 unsigned char hdr[5], crc[1]; 1054 1055 if (len > 125) 1056 return -EINVAL; 1057 1058 BT_DBG("%p cr %d", s, cr); 1059 1060 hdr[0] = __addr(s->initiator, 0); 1061 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1062 hdr[2] = 0x01 | ((len + 2) << 1); 1063 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1064 hdr[4] = 0x01 | (len << 1); 1065 1066 crc[0] = __fcs(hdr); 1067 1068 iv[0].iov_base = hdr; 1069 iv[0].iov_len = 5; 1070 iv[1].iov_base = pattern; 1071 iv[1].iov_len = len; 1072 iv[2].iov_base = crc; 1073 iv[2].iov_len = 1; 1074 1075 memset(&msg, 0, sizeof(msg)); 1076 1077 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1078 } 1079 1080 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1081 { 1082 struct rfcomm_hdr *hdr; 1083 u8 buf[16], *ptr = buf; 1084 1085 BT_DBG("%p addr %d credits %d", s, addr, credits); 1086 1087 hdr = (void *) ptr; ptr += sizeof(*hdr); 1088 hdr->addr = addr; 1089 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1090 hdr->len = __len8(0); 1091 1092 *ptr = credits; ptr++; 1093 1094 *ptr = __fcs(buf); ptr++; 1095 1096 return rfcomm_send_frame(s, buf, ptr - buf); 1097 } 1098 1099 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1100 { 1101 struct rfcomm_hdr *hdr; 1102 int len = skb->len; 1103 u8 *crc; 1104 1105 if (len > 127) { 1106 hdr = (void *) skb_push(skb, 4); 1107 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1108 } else { 1109 hdr = (void *) skb_push(skb, 3); 1110 hdr->len = __len8(len); 1111 } 1112 hdr->addr = addr; 1113 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1114 1115 crc = skb_put(skb, 1); 1116 *crc = __fcs((void *) hdr); 1117 } 1118 1119 /* ---- RFCOMM frame reception ---- */ 1120 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1121 { 1122 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1123 1124 if (dlci) { 1125 /* Data channel */ 1126 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1127 if (!d) { 1128 rfcomm_send_dm(s, dlci); 1129 return 0; 1130 } 1131 1132 switch (d->state) { 1133 case BT_CONNECT: 1134 rfcomm_dlc_clear_timer(d); 1135 1136 rfcomm_dlc_lock(d); 1137 d->state = BT_CONNECTED; 1138 d->state_change(d, 0); 1139 rfcomm_dlc_unlock(d); 1140 1141 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1142 break; 1143 1144 case BT_DISCONN: 1145 d->state = BT_CLOSED; 1146 __rfcomm_dlc_close(d, 0); 1147 1148 if (list_empty(&s->dlcs)) { 1149 s->state = BT_DISCONN; 1150 rfcomm_send_disc(s, 0); 1151 } 1152 1153 break; 1154 } 1155 } else { 1156 /* Control channel */ 1157 switch (s->state) { 1158 case BT_CONNECT: 1159 s->state = BT_CONNECTED; 1160 rfcomm_process_connect(s); 1161 break; 1162 1163 case BT_DISCONN: 1164 /* When socket is closed and we are not RFCOMM 1165 * initiator rfcomm_process_rx already calls 1166 * rfcomm_session_put() */ 1167 if (s->sock->sk->sk_state != BT_CLOSED) 1168 if (list_empty(&s->dlcs)) 1169 rfcomm_session_put(s); 1170 break; 1171 } 1172 } 1173 return 0; 1174 } 1175 1176 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1177 { 1178 int err = 0; 1179 1180 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1181 1182 if (dlci) { 1183 /* Data DLC */ 1184 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1185 if (d) { 1186 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1187 err = ECONNREFUSED; 1188 else 1189 err = ECONNRESET; 1190 1191 d->state = BT_CLOSED; 1192 __rfcomm_dlc_close(d, err); 1193 } 1194 } else { 1195 if (s->state == BT_CONNECT) 1196 err = ECONNREFUSED; 1197 else 1198 err = ECONNRESET; 1199 1200 s->state = BT_CLOSED; 1201 rfcomm_session_close(s, err); 1202 } 1203 return 0; 1204 } 1205 1206 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci) 1207 { 1208 int err = 0; 1209 1210 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1211 1212 if (dlci) { 1213 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1214 if (d) { 1215 rfcomm_send_ua(s, dlci); 1216 1217 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1218 err = ECONNREFUSED; 1219 else 1220 err = ECONNRESET; 1221 1222 d->state = BT_CLOSED; 1223 __rfcomm_dlc_close(d, err); 1224 } else 1225 rfcomm_send_dm(s, dlci); 1226 1227 } else { 1228 rfcomm_send_ua(s, 0); 1229 1230 if (s->state == BT_CONNECT) 1231 err = ECONNREFUSED; 1232 else 1233 err = ECONNRESET; 1234 1235 s->state = BT_CLOSED; 1236 rfcomm_session_close(s, err); 1237 } 1238 1239 return 0; 1240 } 1241 1242 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1243 { 1244 struct sock *sk = d->session->sock->sk; 1245 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1246 1247 BT_DBG("dlc %p", d); 1248 1249 rfcomm_send_ua(d->session, d->dlci); 1250 1251 rfcomm_dlc_clear_timer(d); 1252 1253 rfcomm_dlc_lock(d); 1254 d->state = BT_CONNECTED; 1255 d->state_change(d, 0); 1256 rfcomm_dlc_unlock(d); 1257 1258 if (d->role_switch) 1259 hci_conn_switch_role(conn->hcon, 0x00); 1260 1261 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1262 } 1263 1264 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1265 { 1266 if (rfcomm_check_security(d)) { 1267 if (d->defer_setup) { 1268 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1269 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1270 1271 rfcomm_dlc_lock(d); 1272 d->state = BT_CONNECT2; 1273 d->state_change(d, 0); 1274 rfcomm_dlc_unlock(d); 1275 } else 1276 rfcomm_dlc_accept(d); 1277 } else { 1278 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1279 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1280 } 1281 } 1282 1283 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1284 { 1285 struct rfcomm_dlc *d; 1286 u8 channel; 1287 1288 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1289 1290 if (!dlci) { 1291 rfcomm_send_ua(s, 0); 1292 1293 if (s->state == BT_OPEN) { 1294 s->state = BT_CONNECTED; 1295 rfcomm_process_connect(s); 1296 } 1297 return 0; 1298 } 1299 1300 /* Check if DLC exists */ 1301 d = rfcomm_dlc_get(s, dlci); 1302 if (d) { 1303 if (d->state == BT_OPEN) { 1304 /* DLC was previously opened by PN request */ 1305 rfcomm_check_accept(d); 1306 } 1307 return 0; 1308 } 1309 1310 /* Notify socket layer about incoming connection */ 1311 channel = __srv_channel(dlci); 1312 if (rfcomm_connect_ind(s, channel, &d)) { 1313 d->dlci = dlci; 1314 d->addr = __addr(s->initiator, dlci); 1315 rfcomm_dlc_link(s, d); 1316 1317 rfcomm_check_accept(d); 1318 } else { 1319 rfcomm_send_dm(s, dlci); 1320 } 1321 1322 return 0; 1323 } 1324 1325 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1326 { 1327 struct rfcomm_session *s = d->session; 1328 1329 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1330 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1331 1332 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1333 pn->flow_ctrl == 0xe0) { 1334 d->cfc = RFCOMM_CFC_ENABLED; 1335 d->tx_credits = pn->credits; 1336 } else { 1337 d->cfc = RFCOMM_CFC_DISABLED; 1338 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1339 } 1340 1341 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1342 s->cfc = d->cfc; 1343 1344 d->priority = pn->priority; 1345 1346 d->mtu = __le16_to_cpu(pn->mtu); 1347 1348 if (cr && d->mtu > s->mtu) 1349 d->mtu = s->mtu; 1350 1351 return 0; 1352 } 1353 1354 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1355 { 1356 struct rfcomm_pn *pn = (void *) skb->data; 1357 struct rfcomm_dlc *d; 1358 u8 dlci = pn->dlci; 1359 1360 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1361 1362 if (!dlci) 1363 return 0; 1364 1365 d = rfcomm_dlc_get(s, dlci); 1366 if (d) { 1367 if (cr) { 1368 /* PN request */ 1369 rfcomm_apply_pn(d, cr, pn); 1370 rfcomm_send_pn(s, 0, d); 1371 } else { 1372 /* PN response */ 1373 switch (d->state) { 1374 case BT_CONFIG: 1375 rfcomm_apply_pn(d, cr, pn); 1376 1377 d->state = BT_CONNECT; 1378 rfcomm_send_sabm(s, d->dlci); 1379 break; 1380 } 1381 } 1382 } else { 1383 u8 channel = __srv_channel(dlci); 1384 1385 if (!cr) 1386 return 0; 1387 1388 /* PN request for non existing DLC. 1389 * Assume incoming connection. */ 1390 if (rfcomm_connect_ind(s, channel, &d)) { 1391 d->dlci = dlci; 1392 d->addr = __addr(s->initiator, dlci); 1393 rfcomm_dlc_link(s, d); 1394 1395 rfcomm_apply_pn(d, cr, pn); 1396 1397 d->state = BT_OPEN; 1398 rfcomm_send_pn(s, 0, d); 1399 } else { 1400 rfcomm_send_dm(s, dlci); 1401 } 1402 } 1403 return 0; 1404 } 1405 1406 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1407 { 1408 struct rfcomm_rpn *rpn = (void *) skb->data; 1409 u8 dlci = __get_dlci(rpn->dlci); 1410 1411 u8 bit_rate = 0; 1412 u8 data_bits = 0; 1413 u8 stop_bits = 0; 1414 u8 parity = 0; 1415 u8 flow_ctrl = 0; 1416 u8 xon_char = 0; 1417 u8 xoff_char = 0; 1418 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1419 1420 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1421 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1422 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1423 1424 if (!cr) 1425 return 0; 1426 1427 if (len == 1) { 1428 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1429 bit_rate = RFCOMM_RPN_BR_9600; 1430 data_bits = RFCOMM_RPN_DATA_8; 1431 stop_bits = RFCOMM_RPN_STOP_1; 1432 parity = RFCOMM_RPN_PARITY_NONE; 1433 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1434 xon_char = RFCOMM_RPN_XON_CHAR; 1435 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1436 goto rpn_out; 1437 } 1438 1439 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1440 * no parity, no flow control lines, normal XON/XOFF chars */ 1441 1442 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1443 bit_rate = rpn->bit_rate; 1444 if (bit_rate > RFCOMM_RPN_BR_230400) { 1445 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1446 bit_rate = RFCOMM_RPN_BR_9600; 1447 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1448 } 1449 } 1450 1451 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1452 data_bits = __get_rpn_data_bits(rpn->line_settings); 1453 if (data_bits != RFCOMM_RPN_DATA_8) { 1454 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1455 data_bits = RFCOMM_RPN_DATA_8; 1456 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1457 } 1458 } 1459 1460 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1461 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1462 if (stop_bits != RFCOMM_RPN_STOP_1) { 1463 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1464 stop_bits = RFCOMM_RPN_STOP_1; 1465 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1466 } 1467 } 1468 1469 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1470 parity = __get_rpn_parity(rpn->line_settings); 1471 if (parity != RFCOMM_RPN_PARITY_NONE) { 1472 BT_DBG("RPN parity mismatch 0x%x", parity); 1473 parity = RFCOMM_RPN_PARITY_NONE; 1474 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1475 } 1476 } 1477 1478 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1479 flow_ctrl = rpn->flow_ctrl; 1480 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1481 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1482 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1483 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1484 } 1485 } 1486 1487 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1488 xon_char = rpn->xon_char; 1489 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1490 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1491 xon_char = RFCOMM_RPN_XON_CHAR; 1492 rpn_mask ^= RFCOMM_RPN_PM_XON; 1493 } 1494 } 1495 1496 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1497 xoff_char = rpn->xoff_char; 1498 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1499 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1500 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1501 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1502 } 1503 } 1504 1505 rpn_out: 1506 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1507 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1508 1509 return 0; 1510 } 1511 1512 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1513 { 1514 struct rfcomm_rls *rls = (void *) skb->data; 1515 u8 dlci = __get_dlci(rls->dlci); 1516 1517 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1518 1519 if (!cr) 1520 return 0; 1521 1522 /* We should probably do something with this information here. But 1523 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1524 * mandatory to recognise and respond to RLS */ 1525 1526 rfcomm_send_rls(s, 0, dlci, rls->status); 1527 1528 return 0; 1529 } 1530 1531 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1532 { 1533 struct rfcomm_msc *msc = (void *) skb->data; 1534 struct rfcomm_dlc *d; 1535 u8 dlci = __get_dlci(msc->dlci); 1536 1537 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1538 1539 d = rfcomm_dlc_get(s, dlci); 1540 if (!d) 1541 return 0; 1542 1543 if (cr) { 1544 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1545 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1546 else 1547 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1548 1549 rfcomm_dlc_lock(d); 1550 1551 d->remote_v24_sig = msc->v24_sig; 1552 1553 if (d->modem_status) 1554 d->modem_status(d, msc->v24_sig); 1555 1556 rfcomm_dlc_unlock(d); 1557 1558 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1559 1560 d->mscex |= RFCOMM_MSCEX_RX; 1561 } else 1562 d->mscex |= RFCOMM_MSCEX_TX; 1563 1564 return 0; 1565 } 1566 1567 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1568 { 1569 struct rfcomm_mcc *mcc = (void *) skb->data; 1570 u8 type, cr, len; 1571 1572 cr = __test_cr(mcc->type); 1573 type = __get_mcc_type(mcc->type); 1574 len = __get_mcc_len(mcc->len); 1575 1576 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1577 1578 skb_pull(skb, 2); 1579 1580 switch (type) { 1581 case RFCOMM_PN: 1582 rfcomm_recv_pn(s, cr, skb); 1583 break; 1584 1585 case RFCOMM_RPN: 1586 rfcomm_recv_rpn(s, cr, len, skb); 1587 break; 1588 1589 case RFCOMM_RLS: 1590 rfcomm_recv_rls(s, cr, skb); 1591 break; 1592 1593 case RFCOMM_MSC: 1594 rfcomm_recv_msc(s, cr, skb); 1595 break; 1596 1597 case RFCOMM_FCOFF: 1598 if (cr) { 1599 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1600 rfcomm_send_fcoff(s, 0); 1601 } 1602 break; 1603 1604 case RFCOMM_FCON: 1605 if (cr) { 1606 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1607 rfcomm_send_fcon(s, 0); 1608 } 1609 break; 1610 1611 case RFCOMM_TEST: 1612 if (cr) 1613 rfcomm_send_test(s, 0, skb->data, skb->len); 1614 break; 1615 1616 case RFCOMM_NSC: 1617 break; 1618 1619 default: 1620 BT_ERR("Unknown control type 0x%02x", type); 1621 rfcomm_send_nsc(s, cr, type); 1622 break; 1623 } 1624 return 0; 1625 } 1626 1627 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1628 { 1629 struct rfcomm_dlc *d; 1630 1631 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1632 1633 d = rfcomm_dlc_get(s, dlci); 1634 if (!d) { 1635 rfcomm_send_dm(s, dlci); 1636 goto drop; 1637 } 1638 1639 if (pf && d->cfc) { 1640 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1641 1642 d->tx_credits += credits; 1643 if (d->tx_credits) 1644 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1645 } 1646 1647 if (skb->len && d->state == BT_CONNECTED) { 1648 rfcomm_dlc_lock(d); 1649 d->rx_credits--; 1650 d->data_ready(d, skb); 1651 rfcomm_dlc_unlock(d); 1652 return 0; 1653 } 1654 1655 drop: 1656 kfree_skb(skb); 1657 return 0; 1658 } 1659 1660 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) 1661 { 1662 struct rfcomm_hdr *hdr = (void *) skb->data; 1663 u8 type, dlci, fcs; 1664 1665 dlci = __get_dlci(hdr->addr); 1666 type = __get_type(hdr->ctrl); 1667 1668 /* Trim FCS */ 1669 skb->len--; skb->tail--; 1670 fcs = *(u8 *)skb_tail_pointer(skb); 1671 1672 if (__check_fcs(skb->data, type, fcs)) { 1673 BT_ERR("bad checksum in packet"); 1674 kfree_skb(skb); 1675 return -EILSEQ; 1676 } 1677 1678 if (__test_ea(hdr->len)) 1679 skb_pull(skb, 3); 1680 else 1681 skb_pull(skb, 4); 1682 1683 switch (type) { 1684 case RFCOMM_SABM: 1685 if (__test_pf(hdr->ctrl)) 1686 rfcomm_recv_sabm(s, dlci); 1687 break; 1688 1689 case RFCOMM_DISC: 1690 if (__test_pf(hdr->ctrl)) 1691 rfcomm_recv_disc(s, dlci); 1692 break; 1693 1694 case RFCOMM_UA: 1695 if (__test_pf(hdr->ctrl)) 1696 rfcomm_recv_ua(s, dlci); 1697 break; 1698 1699 case RFCOMM_DM: 1700 rfcomm_recv_dm(s, dlci); 1701 break; 1702 1703 case RFCOMM_UIH: 1704 if (dlci) 1705 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1706 1707 rfcomm_recv_mcc(s, skb); 1708 break; 1709 1710 default: 1711 BT_ERR("Unknown packet type 0x%02x", type); 1712 break; 1713 } 1714 kfree_skb(skb); 1715 return 0; 1716 } 1717 1718 /* ---- Connection and data processing ---- */ 1719 1720 static void rfcomm_process_connect(struct rfcomm_session *s) 1721 { 1722 struct rfcomm_dlc *d; 1723 struct list_head *p, *n; 1724 1725 BT_DBG("session %p state %ld", s, s->state); 1726 1727 list_for_each_safe(p, n, &s->dlcs) { 1728 d = list_entry(p, struct rfcomm_dlc, list); 1729 if (d->state == BT_CONFIG) { 1730 d->mtu = s->mtu; 1731 if (rfcomm_check_security(d)) { 1732 rfcomm_send_pn(s, 1, d); 1733 } else { 1734 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1735 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1736 } 1737 } 1738 } 1739 } 1740 1741 /* Send data queued for the DLC. 1742 * Return number of frames left in the queue. 1743 */ 1744 static inline int rfcomm_process_tx(struct rfcomm_dlc *d) 1745 { 1746 struct sk_buff *skb; 1747 int err; 1748 1749 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1750 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1751 1752 /* Send pending MSC */ 1753 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1754 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1755 1756 if (d->cfc) { 1757 /* CFC enabled. 1758 * Give them some credits */ 1759 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1760 d->rx_credits <= (d->cfc >> 2)) { 1761 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1762 d->rx_credits = d->cfc; 1763 } 1764 } else { 1765 /* CFC disabled. 1766 * Give ourselves some credits */ 1767 d->tx_credits = 5; 1768 } 1769 1770 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1771 return skb_queue_len(&d->tx_queue); 1772 1773 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1774 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1775 if (err < 0) { 1776 skb_queue_head(&d->tx_queue, skb); 1777 break; 1778 } 1779 kfree_skb(skb); 1780 d->tx_credits--; 1781 } 1782 1783 if (d->cfc && !d->tx_credits) { 1784 /* We're out of TX credits. 1785 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1786 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1787 } 1788 1789 return skb_queue_len(&d->tx_queue); 1790 } 1791 1792 static inline void rfcomm_process_dlcs(struct rfcomm_session *s) 1793 { 1794 struct rfcomm_dlc *d; 1795 struct list_head *p, *n; 1796 1797 BT_DBG("session %p state %ld", s, s->state); 1798 1799 list_for_each_safe(p, n, &s->dlcs) { 1800 d = list_entry(p, struct rfcomm_dlc, list); 1801 1802 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1803 __rfcomm_dlc_close(d, ETIMEDOUT); 1804 continue; 1805 } 1806 1807 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1808 rfcomm_dlc_clear_timer(d); 1809 if (d->out) { 1810 rfcomm_send_pn(s, 1, d); 1811 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1812 } else { 1813 if (d->defer_setup) { 1814 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1815 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1816 1817 rfcomm_dlc_lock(d); 1818 d->state = BT_CONNECT2; 1819 d->state_change(d, 0); 1820 rfcomm_dlc_unlock(d); 1821 } else 1822 rfcomm_dlc_accept(d); 1823 } 1824 continue; 1825 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1826 rfcomm_dlc_clear_timer(d); 1827 if (!d->out) 1828 rfcomm_send_dm(s, d->dlci); 1829 else 1830 d->state = BT_CLOSED; 1831 __rfcomm_dlc_close(d, ECONNREFUSED); 1832 continue; 1833 } 1834 1835 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1836 continue; 1837 1838 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1839 continue; 1840 1841 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1842 d->mscex == RFCOMM_MSCEX_OK) 1843 rfcomm_process_tx(d); 1844 } 1845 } 1846 1847 static inline void rfcomm_process_rx(struct rfcomm_session *s) 1848 { 1849 struct socket *sock = s->sock; 1850 struct sock *sk = sock->sk; 1851 struct sk_buff *skb; 1852 1853 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1854 1855 /* Get data directly from socket receive queue without copying it. */ 1856 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1857 skb_orphan(skb); 1858 rfcomm_recv_frame(s, skb); 1859 } 1860 1861 if (sk->sk_state == BT_CLOSED) { 1862 if (!s->initiator) 1863 rfcomm_session_put(s); 1864 1865 rfcomm_session_close(s, sk->sk_err); 1866 } 1867 } 1868 1869 static inline void rfcomm_accept_connection(struct rfcomm_session *s) 1870 { 1871 struct socket *sock = s->sock, *nsock; 1872 int err; 1873 1874 /* Fast check for a new connection. 1875 * Avoids unnesesary socket allocations. */ 1876 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1877 return; 1878 1879 BT_DBG("session %p", s); 1880 1881 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1882 if (err < 0) 1883 return; 1884 1885 /* Set our callbacks */ 1886 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1887 nsock->sk->sk_state_change = rfcomm_l2state_change; 1888 1889 s = rfcomm_session_add(nsock, BT_OPEN); 1890 if (s) { 1891 rfcomm_session_hold(s); 1892 1893 /* We should adjust MTU on incoming sessions. 1894 * L2CAP MTU minus UIH header and FCS. */ 1895 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1896 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1897 1898 rfcomm_schedule(); 1899 } else 1900 sock_release(nsock); 1901 } 1902 1903 static inline void rfcomm_check_connection(struct rfcomm_session *s) 1904 { 1905 struct sock *sk = s->sock->sk; 1906 1907 BT_DBG("%p state %ld", s, s->state); 1908 1909 switch (sk->sk_state) { 1910 case BT_CONNECTED: 1911 s->state = BT_CONNECT; 1912 1913 /* We can adjust MTU on outgoing sessions. 1914 * L2CAP MTU minus UIH header and FCS. */ 1915 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1916 1917 rfcomm_send_sabm(s, 0); 1918 break; 1919 1920 case BT_CLOSED: 1921 s->state = BT_CLOSED; 1922 rfcomm_session_close(s, sk->sk_err); 1923 break; 1924 } 1925 } 1926 1927 static inline void rfcomm_process_sessions(void) 1928 { 1929 struct list_head *p, *n; 1930 1931 rfcomm_lock(); 1932 1933 list_for_each_safe(p, n, &session_list) { 1934 struct rfcomm_session *s; 1935 s = list_entry(p, struct rfcomm_session, list); 1936 1937 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1938 s->state = BT_DISCONN; 1939 rfcomm_send_disc(s, 0); 1940 rfcomm_session_put(s); 1941 continue; 1942 } 1943 1944 if (s->state == BT_LISTEN) { 1945 rfcomm_accept_connection(s); 1946 continue; 1947 } 1948 1949 rfcomm_session_hold(s); 1950 1951 switch (s->state) { 1952 case BT_BOUND: 1953 rfcomm_check_connection(s); 1954 break; 1955 1956 default: 1957 rfcomm_process_rx(s); 1958 break; 1959 } 1960 1961 rfcomm_process_dlcs(s); 1962 1963 rfcomm_session_put(s); 1964 } 1965 1966 rfcomm_unlock(); 1967 } 1968 1969 static int rfcomm_add_listener(bdaddr_t *ba) 1970 { 1971 struct sockaddr_l2 addr; 1972 struct socket *sock; 1973 struct sock *sk; 1974 struct rfcomm_session *s; 1975 int err = 0; 1976 1977 /* Create socket */ 1978 err = rfcomm_l2sock_create(&sock); 1979 if (err < 0) { 1980 BT_ERR("Create socket failed %d", err); 1981 return err; 1982 } 1983 1984 /* Bind socket */ 1985 bacpy(&addr.l2_bdaddr, ba); 1986 addr.l2_family = AF_BLUETOOTH; 1987 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 1988 addr.l2_cid = 0; 1989 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 1990 if (err < 0) { 1991 BT_ERR("Bind failed %d", err); 1992 goto failed; 1993 } 1994 1995 /* Set L2CAP options */ 1996 sk = sock->sk; 1997 lock_sock(sk); 1998 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 1999 release_sock(sk); 2000 2001 /* Start listening on the socket */ 2002 err = kernel_listen(sock, 10); 2003 if (err) { 2004 BT_ERR("Listen failed %d", err); 2005 goto failed; 2006 } 2007 2008 /* Add listening session */ 2009 s = rfcomm_session_add(sock, BT_LISTEN); 2010 if (!s) 2011 goto failed; 2012 2013 rfcomm_session_hold(s); 2014 return 0; 2015 failed: 2016 sock_release(sock); 2017 return err; 2018 } 2019 2020 static void rfcomm_kill_listener(void) 2021 { 2022 struct rfcomm_session *s; 2023 struct list_head *p, *n; 2024 2025 BT_DBG(""); 2026 2027 list_for_each_safe(p, n, &session_list) { 2028 s = list_entry(p, struct rfcomm_session, list); 2029 rfcomm_session_del(s); 2030 } 2031 } 2032 2033 static int rfcomm_run(void *unused) 2034 { 2035 BT_DBG(""); 2036 2037 set_user_nice(current, -10); 2038 2039 rfcomm_add_listener(BDADDR_ANY); 2040 2041 while (!kthread_should_stop()) { 2042 set_current_state(TASK_INTERRUPTIBLE); 2043 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) { 2044 /* No pending events. Let's sleep. 2045 * Incoming connections and data will wake us up. */ 2046 schedule(); 2047 } 2048 set_current_state(TASK_RUNNING); 2049 2050 /* Process stuff */ 2051 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event); 2052 rfcomm_process_sessions(); 2053 } 2054 2055 rfcomm_kill_listener(); 2056 2057 return 0; 2058 } 2059 2060 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2061 { 2062 struct rfcomm_session *s; 2063 struct rfcomm_dlc *d; 2064 struct list_head *p, *n; 2065 2066 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2067 2068 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2069 if (!s) 2070 return; 2071 2072 rfcomm_session_hold(s); 2073 2074 list_for_each_safe(p, n, &s->dlcs) { 2075 d = list_entry(p, struct rfcomm_dlc, list); 2076 2077 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2078 rfcomm_dlc_clear_timer(d); 2079 if (status || encrypt == 0x00) { 2080 __rfcomm_dlc_close(d, ECONNREFUSED); 2081 continue; 2082 } 2083 } 2084 2085 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2086 if (d->sec_level == BT_SECURITY_MEDIUM) { 2087 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2088 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2089 continue; 2090 } else if (d->sec_level == BT_SECURITY_HIGH) { 2091 __rfcomm_dlc_close(d, ECONNREFUSED); 2092 continue; 2093 } 2094 } 2095 2096 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2097 continue; 2098 2099 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2100 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2101 else 2102 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2103 } 2104 2105 rfcomm_session_put(s); 2106 2107 rfcomm_schedule(); 2108 } 2109 2110 static struct hci_cb rfcomm_cb = { 2111 .name = "RFCOMM", 2112 .security_cfm = rfcomm_security_cfm 2113 }; 2114 2115 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2116 { 2117 struct rfcomm_session *s; 2118 struct list_head *pp, *p; 2119 2120 rfcomm_lock(); 2121 2122 list_for_each(p, &session_list) { 2123 s = list_entry(p, struct rfcomm_session, list); 2124 list_for_each(pp, &s->dlcs) { 2125 struct sock *sk = s->sock->sk; 2126 struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list); 2127 2128 seq_printf(f, "%s %s %ld %d %d %d %d\n", 2129 batostr(&bt_sk(sk)->src), 2130 batostr(&bt_sk(sk)->dst), 2131 d->state, d->dlci, d->mtu, 2132 d->rx_credits, d->tx_credits); 2133 } 2134 } 2135 2136 rfcomm_unlock(); 2137 2138 return 0; 2139 } 2140 2141 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2142 { 2143 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2144 } 2145 2146 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2147 .open = rfcomm_dlc_debugfs_open, 2148 .read = seq_read, 2149 .llseek = seq_lseek, 2150 .release = single_release, 2151 }; 2152 2153 static struct dentry *rfcomm_dlc_debugfs; 2154 2155 /* ---- Initialization ---- */ 2156 static int __init rfcomm_init(void) 2157 { 2158 int err; 2159 2160 hci_register_cb(&rfcomm_cb); 2161 2162 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2163 if (IS_ERR(rfcomm_thread)) { 2164 err = PTR_ERR(rfcomm_thread); 2165 goto unregister; 2166 } 2167 2168 if (bt_debugfs) { 2169 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2170 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops); 2171 if (!rfcomm_dlc_debugfs) 2172 BT_ERR("Failed to create RFCOMM debug file"); 2173 } 2174 2175 err = rfcomm_init_ttys(); 2176 if (err < 0) 2177 goto stop; 2178 2179 err = rfcomm_init_sockets(); 2180 if (err < 0) 2181 goto cleanup; 2182 2183 BT_INFO("RFCOMM ver %s", VERSION); 2184 2185 return 0; 2186 2187 cleanup: 2188 rfcomm_cleanup_ttys(); 2189 2190 stop: 2191 kthread_stop(rfcomm_thread); 2192 2193 unregister: 2194 hci_unregister_cb(&rfcomm_cb); 2195 2196 return err; 2197 } 2198 2199 static void __exit rfcomm_exit(void) 2200 { 2201 debugfs_remove(rfcomm_dlc_debugfs); 2202 2203 hci_unregister_cb(&rfcomm_cb); 2204 2205 kthread_stop(rfcomm_thread); 2206 2207 rfcomm_cleanup_ttys(); 2208 2209 rfcomm_cleanup_sockets(); 2210 } 2211 2212 module_init(rfcomm_init); 2213 module_exit(rfcomm_exit); 2214 2215 module_param(disable_cfc, bool, 0644); 2216 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2217 2218 module_param(channel_mtu, int, 0644); 2219 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2220 2221 module_param(l2cap_mtu, uint, 0644); 2222 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2223 2224 module_param(l2cap_ertm, bool, 0644); 2225 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2226 2227 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2228 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2229 MODULE_VERSION(VERSION); 2230 MODULE_LICENSE("GPL"); 2231 MODULE_ALIAS("bt-proto-3"); 2232