1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/errno.h> 30 #include <linux/kernel.h> 31 #include <linux/sched.h> 32 #include <linux/signal.h> 33 #include <linux/init.h> 34 #include <linux/wait.h> 35 #include <linux/device.h> 36 #include <linux/net.h> 37 #include <linux/mutex.h> 38 #include <linux/kthread.h> 39 40 #include <net/sock.h> 41 #include <asm/uaccess.h> 42 #include <asm/unaligned.h> 43 44 #include <net/bluetooth/bluetooth.h> 45 #include <net/bluetooth/hci_core.h> 46 #include <net/bluetooth/l2cap.h> 47 #include <net/bluetooth/rfcomm.h> 48 49 #define VERSION "1.11" 50 51 static int disable_cfc = 0; 52 static int channel_mtu = -1; 53 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 54 static int l2cap_ertm = 0; 55 56 static struct task_struct *rfcomm_thread; 57 58 static DEFINE_MUTEX(rfcomm_mutex); 59 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 60 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 61 62 static unsigned long rfcomm_event; 63 64 static LIST_HEAD(session_list); 65 66 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 67 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 68 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 69 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 70 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 71 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 72 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 73 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 74 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 75 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 76 77 static void rfcomm_process_connect(struct rfcomm_session *s); 78 79 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err); 80 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 81 static void rfcomm_session_del(struct rfcomm_session *s); 82 83 /* ---- RFCOMM frame parsing macros ---- */ 84 #define __get_dlci(b) ((b & 0xfc) >> 2) 85 #define __get_channel(b) ((b & 0xf8) >> 3) 86 #define __get_dir(b) ((b & 0x04) >> 2) 87 #define __get_type(b) ((b & 0xef)) 88 89 #define __test_ea(b) ((b & 0x01)) 90 #define __test_cr(b) ((b & 0x02)) 91 #define __test_pf(b) ((b & 0x10)) 92 93 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 94 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 95 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 96 #define __srv_channel(dlci) (dlci >> 1) 97 #define __dir(dlci) (dlci & 0x01) 98 99 #define __len8(len) (((len) << 1) | 1) 100 #define __len16(len) ((len) << 1) 101 102 /* MCC macros */ 103 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 104 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 105 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 106 107 /* RPN macros */ 108 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 109 #define __get_rpn_data_bits(line) ((line) & 0x3) 110 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 111 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 112 113 static inline void rfcomm_schedule(uint event) 114 { 115 if (!rfcomm_thread) 116 return; 117 //set_bit(event, &rfcomm_event); 118 set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event); 119 wake_up_process(rfcomm_thread); 120 } 121 122 static inline void rfcomm_session_put(struct rfcomm_session *s) 123 { 124 if (atomic_dec_and_test(&s->refcnt)) 125 rfcomm_session_del(s); 126 } 127 128 /* ---- RFCOMM FCS computation ---- */ 129 130 /* reversed, 8-bit, poly=0x07 */ 131 static unsigned char rfcomm_crc_table[256] = { 132 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 133 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 134 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 135 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 136 137 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 138 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 139 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 140 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 141 142 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 143 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 144 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 145 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 146 147 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 148 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 149 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 150 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 151 152 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 153 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 154 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 155 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 156 157 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 158 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 159 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 160 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 161 162 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 163 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 164 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 165 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 166 167 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 168 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 169 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 170 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 171 }; 172 173 /* CRC on 2 bytes */ 174 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 175 176 /* FCS on 2 bytes */ 177 static inline u8 __fcs(u8 *data) 178 { 179 return (0xff - __crc(data)); 180 } 181 182 /* FCS on 3 bytes */ 183 static inline u8 __fcs2(u8 *data) 184 { 185 return (0xff - rfcomm_crc_table[__crc(data) ^ data[2]]); 186 } 187 188 /* Check FCS */ 189 static inline int __check_fcs(u8 *data, int type, u8 fcs) 190 { 191 u8 f = __crc(data); 192 193 if (type != RFCOMM_UIH) 194 f = rfcomm_crc_table[f ^ data[2]]; 195 196 return rfcomm_crc_table[f ^ fcs] != 0xcf; 197 } 198 199 /* ---- L2CAP callbacks ---- */ 200 static void rfcomm_l2state_change(struct sock *sk) 201 { 202 BT_DBG("%p state %d", sk, sk->sk_state); 203 rfcomm_schedule(RFCOMM_SCHED_STATE); 204 } 205 206 static void rfcomm_l2data_ready(struct sock *sk, int bytes) 207 { 208 BT_DBG("%p bytes %d", sk, bytes); 209 rfcomm_schedule(RFCOMM_SCHED_RX); 210 } 211 212 static int rfcomm_l2sock_create(struct socket **sock) 213 { 214 int err; 215 216 BT_DBG(""); 217 218 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 219 if (!err) { 220 struct sock *sk = (*sock)->sk; 221 sk->sk_data_ready = rfcomm_l2data_ready; 222 sk->sk_state_change = rfcomm_l2state_change; 223 } 224 return err; 225 } 226 227 static inline int rfcomm_check_security(struct rfcomm_dlc *d) 228 { 229 struct sock *sk = d->session->sock->sk; 230 __u8 auth_type; 231 232 switch (d->sec_level) { 233 case BT_SECURITY_HIGH: 234 auth_type = HCI_AT_GENERAL_BONDING_MITM; 235 break; 236 case BT_SECURITY_MEDIUM: 237 auth_type = HCI_AT_GENERAL_BONDING; 238 break; 239 default: 240 auth_type = HCI_AT_NO_BONDING; 241 break; 242 } 243 244 return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level, 245 auth_type); 246 } 247 248 static void rfcomm_session_timeout(unsigned long arg) 249 { 250 struct rfcomm_session *s = (void *) arg; 251 252 BT_DBG("session %p state %ld", s, s->state); 253 254 set_bit(RFCOMM_TIMED_OUT, &s->flags); 255 rfcomm_schedule(RFCOMM_SCHED_TIMEO); 256 } 257 258 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 259 { 260 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 261 262 if (!mod_timer(&s->timer, jiffies + timeout)) 263 rfcomm_session_hold(s); 264 } 265 266 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 267 { 268 BT_DBG("session %p state %ld", s, s->state); 269 270 if (timer_pending(&s->timer) && del_timer(&s->timer)) 271 rfcomm_session_put(s); 272 } 273 274 /* ---- RFCOMM DLCs ---- */ 275 static void rfcomm_dlc_timeout(unsigned long arg) 276 { 277 struct rfcomm_dlc *d = (void *) arg; 278 279 BT_DBG("dlc %p state %ld", d, d->state); 280 281 set_bit(RFCOMM_TIMED_OUT, &d->flags); 282 rfcomm_dlc_put(d); 283 rfcomm_schedule(RFCOMM_SCHED_TIMEO); 284 } 285 286 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 287 { 288 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 289 290 if (!mod_timer(&d->timer, jiffies + timeout)) 291 rfcomm_dlc_hold(d); 292 } 293 294 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 295 { 296 BT_DBG("dlc %p state %ld", d, d->state); 297 298 if (timer_pending(&d->timer) && del_timer(&d->timer)) 299 rfcomm_dlc_put(d); 300 } 301 302 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 303 { 304 BT_DBG("%p", d); 305 306 d->state = BT_OPEN; 307 d->flags = 0; 308 d->mscex = 0; 309 d->mtu = RFCOMM_DEFAULT_MTU; 310 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 311 312 d->cfc = RFCOMM_CFC_DISABLED; 313 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 314 } 315 316 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 317 { 318 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 319 320 if (!d) 321 return NULL; 322 323 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 324 325 skb_queue_head_init(&d->tx_queue); 326 spin_lock_init(&d->lock); 327 atomic_set(&d->refcnt, 1); 328 329 rfcomm_dlc_clear_state(d); 330 331 BT_DBG("%p", d); 332 333 return d; 334 } 335 336 void rfcomm_dlc_free(struct rfcomm_dlc *d) 337 { 338 BT_DBG("%p", d); 339 340 skb_queue_purge(&d->tx_queue); 341 kfree(d); 342 } 343 344 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 345 { 346 BT_DBG("dlc %p session %p", d, s); 347 348 rfcomm_session_hold(s); 349 350 rfcomm_session_clear_timer(s); 351 rfcomm_dlc_hold(d); 352 list_add(&d->list, &s->dlcs); 353 d->session = s; 354 } 355 356 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 357 { 358 struct rfcomm_session *s = d->session; 359 360 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 361 362 list_del(&d->list); 363 d->session = NULL; 364 rfcomm_dlc_put(d); 365 366 if (list_empty(&s->dlcs)) 367 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 368 369 rfcomm_session_put(s); 370 } 371 372 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 373 { 374 struct rfcomm_dlc *d; 375 struct list_head *p; 376 377 list_for_each(p, &s->dlcs) { 378 d = list_entry(p, struct rfcomm_dlc, list); 379 if (d->dlci == dlci) 380 return d; 381 } 382 return NULL; 383 } 384 385 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 386 { 387 struct rfcomm_session *s; 388 int err = 0; 389 u8 dlci; 390 391 BT_DBG("dlc %p state %ld %s %s channel %d", 392 d, d->state, batostr(src), batostr(dst), channel); 393 394 if (channel < 1 || channel > 30) 395 return -EINVAL; 396 397 if (d->state != BT_OPEN && d->state != BT_CLOSED) 398 return 0; 399 400 s = rfcomm_session_get(src, dst); 401 if (!s) { 402 s = rfcomm_session_create(src, dst, &err); 403 if (!s) 404 return err; 405 } 406 407 dlci = __dlci(!s->initiator, channel); 408 409 /* Check if DLCI already exists */ 410 if (rfcomm_dlc_get(s, dlci)) 411 return -EBUSY; 412 413 rfcomm_dlc_clear_state(d); 414 415 d->dlci = dlci; 416 d->addr = __addr(s->initiator, dlci); 417 d->priority = 7; 418 419 d->state = BT_CONFIG; 420 rfcomm_dlc_link(s, d); 421 422 d->out = 1; 423 424 d->mtu = s->mtu; 425 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 426 427 if (s->state == BT_CONNECTED) { 428 if (rfcomm_check_security(d)) 429 rfcomm_send_pn(s, 1, d); 430 else 431 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 432 } 433 434 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 435 436 return 0; 437 } 438 439 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 440 { 441 int r; 442 443 rfcomm_lock(); 444 445 r = __rfcomm_dlc_open(d, src, dst, channel); 446 447 rfcomm_unlock(); 448 return r; 449 } 450 451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 452 { 453 struct rfcomm_session *s = d->session; 454 if (!s) 455 return 0; 456 457 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 458 d, d->state, d->dlci, err, s); 459 460 switch (d->state) { 461 case BT_CONNECT: 462 case BT_CONFIG: 463 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 464 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 465 rfcomm_schedule(RFCOMM_SCHED_AUTH); 466 break; 467 } 468 /* Fall through */ 469 470 case BT_CONNECTED: 471 d->state = BT_DISCONN; 472 if (skb_queue_empty(&d->tx_queue)) { 473 rfcomm_send_disc(s, d->dlci); 474 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 475 } else { 476 rfcomm_queue_disc(d); 477 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 478 } 479 break; 480 481 case BT_OPEN: 482 case BT_CONNECT2: 483 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 484 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 485 rfcomm_schedule(RFCOMM_SCHED_AUTH); 486 break; 487 } 488 /* Fall through */ 489 490 default: 491 rfcomm_dlc_clear_timer(d); 492 493 rfcomm_dlc_lock(d); 494 d->state = BT_CLOSED; 495 d->state_change(d, err); 496 rfcomm_dlc_unlock(d); 497 498 skb_queue_purge(&d->tx_queue); 499 rfcomm_dlc_unlink(d); 500 } 501 502 return 0; 503 } 504 505 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 506 { 507 int r; 508 509 rfcomm_lock(); 510 511 r = __rfcomm_dlc_close(d, err); 512 513 rfcomm_unlock(); 514 return r; 515 } 516 517 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 518 { 519 int len = skb->len; 520 521 if (d->state != BT_CONNECTED) 522 return -ENOTCONN; 523 524 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 525 526 if (len > d->mtu) 527 return -EINVAL; 528 529 rfcomm_make_uih(skb, d->addr); 530 skb_queue_tail(&d->tx_queue, skb); 531 532 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 533 rfcomm_schedule(RFCOMM_SCHED_TX); 534 return len; 535 } 536 537 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 538 { 539 BT_DBG("dlc %p state %ld", d, d->state); 540 541 if (!d->cfc) { 542 d->v24_sig |= RFCOMM_V24_FC; 543 set_bit(RFCOMM_MSC_PENDING, &d->flags); 544 } 545 rfcomm_schedule(RFCOMM_SCHED_TX); 546 } 547 548 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 549 { 550 BT_DBG("dlc %p state %ld", d, d->state); 551 552 if (!d->cfc) { 553 d->v24_sig &= ~RFCOMM_V24_FC; 554 set_bit(RFCOMM_MSC_PENDING, &d->flags); 555 } 556 rfcomm_schedule(RFCOMM_SCHED_TX); 557 } 558 559 /* 560 Set/get modem status functions use _local_ status i.e. what we report 561 to the other side. 562 Remote status is provided by dlc->modem_status() callback. 563 */ 564 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 565 { 566 BT_DBG("dlc %p state %ld v24_sig 0x%x", 567 d, d->state, v24_sig); 568 569 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 570 v24_sig |= RFCOMM_V24_FC; 571 else 572 v24_sig &= ~RFCOMM_V24_FC; 573 574 d->v24_sig = v24_sig; 575 576 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 577 rfcomm_schedule(RFCOMM_SCHED_TX); 578 579 return 0; 580 } 581 582 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 583 { 584 BT_DBG("dlc %p state %ld v24_sig 0x%x", 585 d, d->state, d->v24_sig); 586 587 *v24_sig = d->v24_sig; 588 return 0; 589 } 590 591 /* ---- RFCOMM sessions ---- */ 592 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 593 { 594 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 595 596 if (!s) 597 return NULL; 598 599 BT_DBG("session %p sock %p", s, sock); 600 601 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 602 603 INIT_LIST_HEAD(&s->dlcs); 604 s->state = state; 605 s->sock = sock; 606 607 s->mtu = RFCOMM_DEFAULT_MTU; 608 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 609 610 /* Do not increment module usage count for listening sessions. 611 * Otherwise we won't be able to unload the module. */ 612 if (state != BT_LISTEN) 613 if (!try_module_get(THIS_MODULE)) { 614 kfree(s); 615 return NULL; 616 } 617 618 list_add(&s->list, &session_list); 619 620 return s; 621 } 622 623 static void rfcomm_session_del(struct rfcomm_session *s) 624 { 625 int state = s->state; 626 627 BT_DBG("session %p state %ld", s, s->state); 628 629 list_del(&s->list); 630 631 if (state == BT_CONNECTED) 632 rfcomm_send_disc(s, 0); 633 634 rfcomm_session_clear_timer(s); 635 sock_release(s->sock); 636 kfree(s); 637 638 if (state != BT_LISTEN) 639 module_put(THIS_MODULE); 640 } 641 642 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 643 { 644 struct rfcomm_session *s; 645 struct list_head *p, *n; 646 struct bt_sock *sk; 647 list_for_each_safe(p, n, &session_list) { 648 s = list_entry(p, struct rfcomm_session, list); 649 sk = bt_sk(s->sock->sk); 650 651 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) && 652 !bacmp(&sk->dst, dst)) 653 return s; 654 } 655 return NULL; 656 } 657 658 static void rfcomm_session_close(struct rfcomm_session *s, int err) 659 { 660 struct rfcomm_dlc *d; 661 struct list_head *p, *n; 662 663 BT_DBG("session %p state %ld err %d", s, s->state, err); 664 665 rfcomm_session_hold(s); 666 667 s->state = BT_CLOSED; 668 669 /* Close all dlcs */ 670 list_for_each_safe(p, n, &s->dlcs) { 671 d = list_entry(p, struct rfcomm_dlc, list); 672 d->state = BT_CLOSED; 673 __rfcomm_dlc_close(d, err); 674 } 675 676 rfcomm_session_clear_timer(s); 677 rfcomm_session_put(s); 678 } 679 680 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err) 681 { 682 struct rfcomm_session *s = NULL; 683 struct sockaddr_l2 addr; 684 struct socket *sock; 685 struct sock *sk; 686 687 BT_DBG("%s %s", batostr(src), batostr(dst)); 688 689 *err = rfcomm_l2sock_create(&sock); 690 if (*err < 0) 691 return NULL; 692 693 bacpy(&addr.l2_bdaddr, src); 694 addr.l2_family = AF_BLUETOOTH; 695 addr.l2_psm = 0; 696 addr.l2_cid = 0; 697 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 698 if (*err < 0) 699 goto failed; 700 701 /* Set L2CAP options */ 702 sk = sock->sk; 703 lock_sock(sk); 704 l2cap_pi(sk)->imtu = l2cap_mtu; 705 if (l2cap_ertm) 706 l2cap_pi(sk)->mode = L2CAP_MODE_ERTM; 707 release_sock(sk); 708 709 s = rfcomm_session_add(sock, BT_BOUND); 710 if (!s) { 711 *err = -ENOMEM; 712 goto failed; 713 } 714 715 s->initiator = 1; 716 717 bacpy(&addr.l2_bdaddr, dst); 718 addr.l2_family = AF_BLUETOOTH; 719 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 720 addr.l2_cid = 0; 721 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 722 if (*err == 0 || *err == -EINPROGRESS) 723 return s; 724 725 rfcomm_session_del(s); 726 return NULL; 727 728 failed: 729 sock_release(sock); 730 return NULL; 731 } 732 733 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 734 { 735 struct sock *sk = s->sock->sk; 736 if (src) 737 bacpy(src, &bt_sk(sk)->src); 738 if (dst) 739 bacpy(dst, &bt_sk(sk)->dst); 740 } 741 742 /* ---- RFCOMM frame sending ---- */ 743 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 744 { 745 struct socket *sock = s->sock; 746 struct kvec iv = { data, len }; 747 struct msghdr msg; 748 749 BT_DBG("session %p len %d", s, len); 750 751 memset(&msg, 0, sizeof(msg)); 752 753 return kernel_sendmsg(sock, &msg, &iv, 1, len); 754 } 755 756 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 757 { 758 struct rfcomm_cmd cmd; 759 760 BT_DBG("%p dlci %d", s, dlci); 761 762 cmd.addr = __addr(s->initiator, dlci); 763 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 764 cmd.len = __len8(0); 765 cmd.fcs = __fcs2((u8 *) &cmd); 766 767 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 768 } 769 770 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 771 { 772 struct rfcomm_cmd cmd; 773 774 BT_DBG("%p dlci %d", s, dlci); 775 776 cmd.addr = __addr(!s->initiator, dlci); 777 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 778 cmd.len = __len8(0); 779 cmd.fcs = __fcs2((u8 *) &cmd); 780 781 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 782 } 783 784 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 785 { 786 struct rfcomm_cmd cmd; 787 788 BT_DBG("%p dlci %d", s, dlci); 789 790 cmd.addr = __addr(s->initiator, dlci); 791 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 792 cmd.len = __len8(0); 793 cmd.fcs = __fcs2((u8 *) &cmd); 794 795 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 796 } 797 798 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 799 { 800 struct rfcomm_cmd *cmd; 801 struct sk_buff *skb; 802 803 BT_DBG("dlc %p dlci %d", d, d->dlci); 804 805 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 806 if (!skb) 807 return -ENOMEM; 808 809 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 810 cmd->addr = d->addr; 811 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 812 cmd->len = __len8(0); 813 cmd->fcs = __fcs2((u8 *) cmd); 814 815 skb_queue_tail(&d->tx_queue, skb); 816 rfcomm_schedule(RFCOMM_SCHED_TX); 817 return 0; 818 } 819 820 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 821 { 822 struct rfcomm_cmd cmd; 823 824 BT_DBG("%p dlci %d", s, dlci); 825 826 cmd.addr = __addr(!s->initiator, dlci); 827 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 828 cmd.len = __len8(0); 829 cmd.fcs = __fcs2((u8 *) &cmd); 830 831 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 832 } 833 834 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 835 { 836 struct rfcomm_hdr *hdr; 837 struct rfcomm_mcc *mcc; 838 u8 buf[16], *ptr = buf; 839 840 BT_DBG("%p cr %d type %d", s, cr, type); 841 842 hdr = (void *) ptr; ptr += sizeof(*hdr); 843 hdr->addr = __addr(s->initiator, 0); 844 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 845 hdr->len = __len8(sizeof(*mcc) + 1); 846 847 mcc = (void *) ptr; ptr += sizeof(*mcc); 848 mcc->type = __mcc_type(cr, RFCOMM_NSC); 849 mcc->len = __len8(1); 850 851 /* Type that we didn't like */ 852 *ptr = __mcc_type(cr, type); ptr++; 853 854 *ptr = __fcs(buf); ptr++; 855 856 return rfcomm_send_frame(s, buf, ptr - buf); 857 } 858 859 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 860 { 861 struct rfcomm_hdr *hdr; 862 struct rfcomm_mcc *mcc; 863 struct rfcomm_pn *pn; 864 u8 buf[16], *ptr = buf; 865 866 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 867 868 hdr = (void *) ptr; ptr += sizeof(*hdr); 869 hdr->addr = __addr(s->initiator, 0); 870 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 871 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 872 873 mcc = (void *) ptr; ptr += sizeof(*mcc); 874 mcc->type = __mcc_type(cr, RFCOMM_PN); 875 mcc->len = __len8(sizeof(*pn)); 876 877 pn = (void *) ptr; ptr += sizeof(*pn); 878 pn->dlci = d->dlci; 879 pn->priority = d->priority; 880 pn->ack_timer = 0; 881 pn->max_retrans = 0; 882 883 if (s->cfc) { 884 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 885 pn->credits = RFCOMM_DEFAULT_CREDITS; 886 } else { 887 pn->flow_ctrl = 0; 888 pn->credits = 0; 889 } 890 891 if (cr && channel_mtu >= 0) 892 pn->mtu = cpu_to_le16(channel_mtu); 893 else 894 pn->mtu = cpu_to_le16(d->mtu); 895 896 *ptr = __fcs(buf); ptr++; 897 898 return rfcomm_send_frame(s, buf, ptr - buf); 899 } 900 901 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 902 u8 bit_rate, u8 data_bits, u8 stop_bits, 903 u8 parity, u8 flow_ctrl_settings, 904 u8 xon_char, u8 xoff_char, u16 param_mask) 905 { 906 struct rfcomm_hdr *hdr; 907 struct rfcomm_mcc *mcc; 908 struct rfcomm_rpn *rpn; 909 u8 buf[16], *ptr = buf; 910 911 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 912 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 913 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 914 flow_ctrl_settings, xon_char, xoff_char, param_mask); 915 916 hdr = (void *) ptr; ptr += sizeof(*hdr); 917 hdr->addr = __addr(s->initiator, 0); 918 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 919 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 920 921 mcc = (void *) ptr; ptr += sizeof(*mcc); 922 mcc->type = __mcc_type(cr, RFCOMM_RPN); 923 mcc->len = __len8(sizeof(*rpn)); 924 925 rpn = (void *) ptr; ptr += sizeof(*rpn); 926 rpn->dlci = __addr(1, dlci); 927 rpn->bit_rate = bit_rate; 928 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 929 rpn->flow_ctrl = flow_ctrl_settings; 930 rpn->xon_char = xon_char; 931 rpn->xoff_char = xoff_char; 932 rpn->param_mask = cpu_to_le16(param_mask); 933 934 *ptr = __fcs(buf); ptr++; 935 936 return rfcomm_send_frame(s, buf, ptr - buf); 937 } 938 939 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 940 { 941 struct rfcomm_hdr *hdr; 942 struct rfcomm_mcc *mcc; 943 struct rfcomm_rls *rls; 944 u8 buf[16], *ptr = buf; 945 946 BT_DBG("%p cr %d status 0x%x", s, cr, status); 947 948 hdr = (void *) ptr; ptr += sizeof(*hdr); 949 hdr->addr = __addr(s->initiator, 0); 950 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 951 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 952 953 mcc = (void *) ptr; ptr += sizeof(*mcc); 954 mcc->type = __mcc_type(cr, RFCOMM_RLS); 955 mcc->len = __len8(sizeof(*rls)); 956 957 rls = (void *) ptr; ptr += sizeof(*rls); 958 rls->dlci = __addr(1, dlci); 959 rls->status = status; 960 961 *ptr = __fcs(buf); ptr++; 962 963 return rfcomm_send_frame(s, buf, ptr - buf); 964 } 965 966 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 967 { 968 struct rfcomm_hdr *hdr; 969 struct rfcomm_mcc *mcc; 970 struct rfcomm_msc *msc; 971 u8 buf[16], *ptr = buf; 972 973 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 974 975 hdr = (void *) ptr; ptr += sizeof(*hdr); 976 hdr->addr = __addr(s->initiator, 0); 977 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 978 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 979 980 mcc = (void *) ptr; ptr += sizeof(*mcc); 981 mcc->type = __mcc_type(cr, RFCOMM_MSC); 982 mcc->len = __len8(sizeof(*msc)); 983 984 msc = (void *) ptr; ptr += sizeof(*msc); 985 msc->dlci = __addr(1, dlci); 986 msc->v24_sig = v24_sig | 0x01; 987 988 *ptr = __fcs(buf); ptr++; 989 990 return rfcomm_send_frame(s, buf, ptr - buf); 991 } 992 993 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 994 { 995 struct rfcomm_hdr *hdr; 996 struct rfcomm_mcc *mcc; 997 u8 buf[16], *ptr = buf; 998 999 BT_DBG("%p cr %d", s, cr); 1000 1001 hdr = (void *) ptr; ptr += sizeof(*hdr); 1002 hdr->addr = __addr(s->initiator, 0); 1003 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1004 hdr->len = __len8(sizeof(*mcc)); 1005 1006 mcc = (void *) ptr; ptr += sizeof(*mcc); 1007 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1008 mcc->len = __len8(0); 1009 1010 *ptr = __fcs(buf); ptr++; 1011 1012 return rfcomm_send_frame(s, buf, ptr - buf); 1013 } 1014 1015 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1016 { 1017 struct rfcomm_hdr *hdr; 1018 struct rfcomm_mcc *mcc; 1019 u8 buf[16], *ptr = buf; 1020 1021 BT_DBG("%p cr %d", s, cr); 1022 1023 hdr = (void *) ptr; ptr += sizeof(*hdr); 1024 hdr->addr = __addr(s->initiator, 0); 1025 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1026 hdr->len = __len8(sizeof(*mcc)); 1027 1028 mcc = (void *) ptr; ptr += sizeof(*mcc); 1029 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1030 mcc->len = __len8(0); 1031 1032 *ptr = __fcs(buf); ptr++; 1033 1034 return rfcomm_send_frame(s, buf, ptr - buf); 1035 } 1036 1037 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1038 { 1039 struct socket *sock = s->sock; 1040 struct kvec iv[3]; 1041 struct msghdr msg; 1042 unsigned char hdr[5], crc[1]; 1043 1044 if (len > 125) 1045 return -EINVAL; 1046 1047 BT_DBG("%p cr %d", s, cr); 1048 1049 hdr[0] = __addr(s->initiator, 0); 1050 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1051 hdr[2] = 0x01 | ((len + 2) << 1); 1052 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1053 hdr[4] = 0x01 | (len << 1); 1054 1055 crc[0] = __fcs(hdr); 1056 1057 iv[0].iov_base = hdr; 1058 iv[0].iov_len = 5; 1059 iv[1].iov_base = pattern; 1060 iv[1].iov_len = len; 1061 iv[2].iov_base = crc; 1062 iv[2].iov_len = 1; 1063 1064 memset(&msg, 0, sizeof(msg)); 1065 1066 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1067 } 1068 1069 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1070 { 1071 struct rfcomm_hdr *hdr; 1072 u8 buf[16], *ptr = buf; 1073 1074 BT_DBG("%p addr %d credits %d", s, addr, credits); 1075 1076 hdr = (void *) ptr; ptr += sizeof(*hdr); 1077 hdr->addr = addr; 1078 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1079 hdr->len = __len8(0); 1080 1081 *ptr = credits; ptr++; 1082 1083 *ptr = __fcs(buf); ptr++; 1084 1085 return rfcomm_send_frame(s, buf, ptr - buf); 1086 } 1087 1088 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1089 { 1090 struct rfcomm_hdr *hdr; 1091 int len = skb->len; 1092 u8 *crc; 1093 1094 if (len > 127) { 1095 hdr = (void *) skb_push(skb, 4); 1096 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1097 } else { 1098 hdr = (void *) skb_push(skb, 3); 1099 hdr->len = __len8(len); 1100 } 1101 hdr->addr = addr; 1102 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1103 1104 crc = skb_put(skb, 1); 1105 *crc = __fcs((void *) hdr); 1106 } 1107 1108 /* ---- RFCOMM frame reception ---- */ 1109 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1110 { 1111 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1112 1113 if (dlci) { 1114 /* Data channel */ 1115 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1116 if (!d) { 1117 rfcomm_send_dm(s, dlci); 1118 return 0; 1119 } 1120 1121 switch (d->state) { 1122 case BT_CONNECT: 1123 rfcomm_dlc_clear_timer(d); 1124 1125 rfcomm_dlc_lock(d); 1126 d->state = BT_CONNECTED; 1127 d->state_change(d, 0); 1128 rfcomm_dlc_unlock(d); 1129 1130 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1131 break; 1132 1133 case BT_DISCONN: 1134 d->state = BT_CLOSED; 1135 __rfcomm_dlc_close(d, 0); 1136 1137 if (list_empty(&s->dlcs)) { 1138 s->state = BT_DISCONN; 1139 rfcomm_send_disc(s, 0); 1140 } 1141 1142 break; 1143 } 1144 } else { 1145 /* Control channel */ 1146 switch (s->state) { 1147 case BT_CONNECT: 1148 s->state = BT_CONNECTED; 1149 rfcomm_process_connect(s); 1150 break; 1151 1152 case BT_DISCONN: 1153 /* When socket is closed and we are not RFCOMM 1154 * initiator rfcomm_process_rx already calls 1155 * rfcomm_session_put() */ 1156 if (s->sock->sk->sk_state != BT_CLOSED) 1157 rfcomm_session_put(s); 1158 break; 1159 } 1160 } 1161 return 0; 1162 } 1163 1164 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1165 { 1166 int err = 0; 1167 1168 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1169 1170 if (dlci) { 1171 /* Data DLC */ 1172 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1173 if (d) { 1174 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1175 err = ECONNREFUSED; 1176 else 1177 err = ECONNRESET; 1178 1179 d->state = BT_CLOSED; 1180 __rfcomm_dlc_close(d, err); 1181 } 1182 } else { 1183 if (s->state == BT_CONNECT) 1184 err = ECONNREFUSED; 1185 else 1186 err = ECONNRESET; 1187 1188 s->state = BT_CLOSED; 1189 rfcomm_session_close(s, err); 1190 } 1191 return 0; 1192 } 1193 1194 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci) 1195 { 1196 int err = 0; 1197 1198 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1199 1200 if (dlci) { 1201 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1202 if (d) { 1203 rfcomm_send_ua(s, dlci); 1204 1205 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1206 err = ECONNREFUSED; 1207 else 1208 err = ECONNRESET; 1209 1210 d->state = BT_CLOSED; 1211 __rfcomm_dlc_close(d, err); 1212 } else 1213 rfcomm_send_dm(s, dlci); 1214 1215 } else { 1216 rfcomm_send_ua(s, 0); 1217 1218 if (s->state == BT_CONNECT) 1219 err = ECONNREFUSED; 1220 else 1221 err = ECONNRESET; 1222 1223 s->state = BT_CLOSED; 1224 rfcomm_session_close(s, err); 1225 } 1226 1227 return 0; 1228 } 1229 1230 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1231 { 1232 struct sock *sk = d->session->sock->sk; 1233 1234 BT_DBG("dlc %p", d); 1235 1236 rfcomm_send_ua(d->session, d->dlci); 1237 1238 rfcomm_dlc_clear_timer(d); 1239 1240 rfcomm_dlc_lock(d); 1241 d->state = BT_CONNECTED; 1242 d->state_change(d, 0); 1243 rfcomm_dlc_unlock(d); 1244 1245 if (d->role_switch) 1246 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00); 1247 1248 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1249 } 1250 1251 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1252 { 1253 if (rfcomm_check_security(d)) { 1254 if (d->defer_setup) { 1255 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1256 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1257 1258 rfcomm_dlc_lock(d); 1259 d->state = BT_CONNECT2; 1260 d->state_change(d, 0); 1261 rfcomm_dlc_unlock(d); 1262 } else 1263 rfcomm_dlc_accept(d); 1264 } else { 1265 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1266 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1267 } 1268 } 1269 1270 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1271 { 1272 struct rfcomm_dlc *d; 1273 u8 channel; 1274 1275 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1276 1277 if (!dlci) { 1278 rfcomm_send_ua(s, 0); 1279 1280 if (s->state == BT_OPEN) { 1281 s->state = BT_CONNECTED; 1282 rfcomm_process_connect(s); 1283 } 1284 return 0; 1285 } 1286 1287 /* Check if DLC exists */ 1288 d = rfcomm_dlc_get(s, dlci); 1289 if (d) { 1290 if (d->state == BT_OPEN) { 1291 /* DLC was previously opened by PN request */ 1292 rfcomm_check_accept(d); 1293 } 1294 return 0; 1295 } 1296 1297 /* Notify socket layer about incoming connection */ 1298 channel = __srv_channel(dlci); 1299 if (rfcomm_connect_ind(s, channel, &d)) { 1300 d->dlci = dlci; 1301 d->addr = __addr(s->initiator, dlci); 1302 rfcomm_dlc_link(s, d); 1303 1304 rfcomm_check_accept(d); 1305 } else { 1306 rfcomm_send_dm(s, dlci); 1307 } 1308 1309 return 0; 1310 } 1311 1312 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1313 { 1314 struct rfcomm_session *s = d->session; 1315 1316 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1317 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1318 1319 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1320 pn->flow_ctrl == 0xe0) { 1321 d->cfc = RFCOMM_CFC_ENABLED; 1322 d->tx_credits = pn->credits; 1323 } else { 1324 d->cfc = RFCOMM_CFC_DISABLED; 1325 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1326 } 1327 1328 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1329 s->cfc = d->cfc; 1330 1331 d->priority = pn->priority; 1332 1333 d->mtu = __le16_to_cpu(pn->mtu); 1334 1335 if (cr && d->mtu > s->mtu) 1336 d->mtu = s->mtu; 1337 1338 return 0; 1339 } 1340 1341 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1342 { 1343 struct rfcomm_pn *pn = (void *) skb->data; 1344 struct rfcomm_dlc *d; 1345 u8 dlci = pn->dlci; 1346 1347 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1348 1349 if (!dlci) 1350 return 0; 1351 1352 d = rfcomm_dlc_get(s, dlci); 1353 if (d) { 1354 if (cr) { 1355 /* PN request */ 1356 rfcomm_apply_pn(d, cr, pn); 1357 rfcomm_send_pn(s, 0, d); 1358 } else { 1359 /* PN response */ 1360 switch (d->state) { 1361 case BT_CONFIG: 1362 rfcomm_apply_pn(d, cr, pn); 1363 1364 d->state = BT_CONNECT; 1365 rfcomm_send_sabm(s, d->dlci); 1366 break; 1367 } 1368 } 1369 } else { 1370 u8 channel = __srv_channel(dlci); 1371 1372 if (!cr) 1373 return 0; 1374 1375 /* PN request for non existing DLC. 1376 * Assume incoming connection. */ 1377 if (rfcomm_connect_ind(s, channel, &d)) { 1378 d->dlci = dlci; 1379 d->addr = __addr(s->initiator, dlci); 1380 rfcomm_dlc_link(s, d); 1381 1382 rfcomm_apply_pn(d, cr, pn); 1383 1384 d->state = BT_OPEN; 1385 rfcomm_send_pn(s, 0, d); 1386 } else { 1387 rfcomm_send_dm(s, dlci); 1388 } 1389 } 1390 return 0; 1391 } 1392 1393 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1394 { 1395 struct rfcomm_rpn *rpn = (void *) skb->data; 1396 u8 dlci = __get_dlci(rpn->dlci); 1397 1398 u8 bit_rate = 0; 1399 u8 data_bits = 0; 1400 u8 stop_bits = 0; 1401 u8 parity = 0; 1402 u8 flow_ctrl = 0; 1403 u8 xon_char = 0; 1404 u8 xoff_char = 0; 1405 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1406 1407 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1408 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1409 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1410 1411 if (!cr) 1412 return 0; 1413 1414 if (len == 1) { 1415 /* This is a request, return default settings */ 1416 bit_rate = RFCOMM_RPN_BR_115200; 1417 data_bits = RFCOMM_RPN_DATA_8; 1418 stop_bits = RFCOMM_RPN_STOP_1; 1419 parity = RFCOMM_RPN_PARITY_NONE; 1420 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1421 xon_char = RFCOMM_RPN_XON_CHAR; 1422 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1423 goto rpn_out; 1424 } 1425 1426 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1427 * no parity, no flow control lines, normal XON/XOFF chars */ 1428 1429 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1430 bit_rate = rpn->bit_rate; 1431 if (bit_rate != RFCOMM_RPN_BR_115200) { 1432 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1433 bit_rate = RFCOMM_RPN_BR_115200; 1434 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1435 } 1436 } 1437 1438 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1439 data_bits = __get_rpn_data_bits(rpn->line_settings); 1440 if (data_bits != RFCOMM_RPN_DATA_8) { 1441 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1442 data_bits = RFCOMM_RPN_DATA_8; 1443 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1444 } 1445 } 1446 1447 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1448 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1449 if (stop_bits != RFCOMM_RPN_STOP_1) { 1450 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1451 stop_bits = RFCOMM_RPN_STOP_1; 1452 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1453 } 1454 } 1455 1456 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1457 parity = __get_rpn_parity(rpn->line_settings); 1458 if (parity != RFCOMM_RPN_PARITY_NONE) { 1459 BT_DBG("RPN parity mismatch 0x%x", parity); 1460 parity = RFCOMM_RPN_PARITY_NONE; 1461 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1462 } 1463 } 1464 1465 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1466 flow_ctrl = rpn->flow_ctrl; 1467 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1468 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1469 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1470 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1471 } 1472 } 1473 1474 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1475 xon_char = rpn->xon_char; 1476 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1477 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1478 xon_char = RFCOMM_RPN_XON_CHAR; 1479 rpn_mask ^= RFCOMM_RPN_PM_XON; 1480 } 1481 } 1482 1483 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1484 xoff_char = rpn->xoff_char; 1485 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1486 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1487 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1488 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1489 } 1490 } 1491 1492 rpn_out: 1493 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1494 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1495 1496 return 0; 1497 } 1498 1499 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1500 { 1501 struct rfcomm_rls *rls = (void *) skb->data; 1502 u8 dlci = __get_dlci(rls->dlci); 1503 1504 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1505 1506 if (!cr) 1507 return 0; 1508 1509 /* We should probably do something with this information here. But 1510 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1511 * mandatory to recognise and respond to RLS */ 1512 1513 rfcomm_send_rls(s, 0, dlci, rls->status); 1514 1515 return 0; 1516 } 1517 1518 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1519 { 1520 struct rfcomm_msc *msc = (void *) skb->data; 1521 struct rfcomm_dlc *d; 1522 u8 dlci = __get_dlci(msc->dlci); 1523 1524 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1525 1526 d = rfcomm_dlc_get(s, dlci); 1527 if (!d) 1528 return 0; 1529 1530 if (cr) { 1531 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1532 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1533 else 1534 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1535 1536 rfcomm_dlc_lock(d); 1537 1538 d->remote_v24_sig = msc->v24_sig; 1539 1540 if (d->modem_status) 1541 d->modem_status(d, msc->v24_sig); 1542 1543 rfcomm_dlc_unlock(d); 1544 1545 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1546 1547 d->mscex |= RFCOMM_MSCEX_RX; 1548 } else 1549 d->mscex |= RFCOMM_MSCEX_TX; 1550 1551 return 0; 1552 } 1553 1554 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1555 { 1556 struct rfcomm_mcc *mcc = (void *) skb->data; 1557 u8 type, cr, len; 1558 1559 cr = __test_cr(mcc->type); 1560 type = __get_mcc_type(mcc->type); 1561 len = __get_mcc_len(mcc->len); 1562 1563 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1564 1565 skb_pull(skb, 2); 1566 1567 switch (type) { 1568 case RFCOMM_PN: 1569 rfcomm_recv_pn(s, cr, skb); 1570 break; 1571 1572 case RFCOMM_RPN: 1573 rfcomm_recv_rpn(s, cr, len, skb); 1574 break; 1575 1576 case RFCOMM_RLS: 1577 rfcomm_recv_rls(s, cr, skb); 1578 break; 1579 1580 case RFCOMM_MSC: 1581 rfcomm_recv_msc(s, cr, skb); 1582 break; 1583 1584 case RFCOMM_FCOFF: 1585 if (cr) { 1586 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1587 rfcomm_send_fcoff(s, 0); 1588 } 1589 break; 1590 1591 case RFCOMM_FCON: 1592 if (cr) { 1593 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1594 rfcomm_send_fcon(s, 0); 1595 } 1596 break; 1597 1598 case RFCOMM_TEST: 1599 if (cr) 1600 rfcomm_send_test(s, 0, skb->data, skb->len); 1601 break; 1602 1603 case RFCOMM_NSC: 1604 break; 1605 1606 default: 1607 BT_ERR("Unknown control type 0x%02x", type); 1608 rfcomm_send_nsc(s, cr, type); 1609 break; 1610 } 1611 return 0; 1612 } 1613 1614 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1615 { 1616 struct rfcomm_dlc *d; 1617 1618 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1619 1620 d = rfcomm_dlc_get(s, dlci); 1621 if (!d) { 1622 rfcomm_send_dm(s, dlci); 1623 goto drop; 1624 } 1625 1626 if (pf && d->cfc) { 1627 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1628 1629 d->tx_credits += credits; 1630 if (d->tx_credits) 1631 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1632 } 1633 1634 if (skb->len && d->state == BT_CONNECTED) { 1635 rfcomm_dlc_lock(d); 1636 d->rx_credits--; 1637 d->data_ready(d, skb); 1638 rfcomm_dlc_unlock(d); 1639 return 0; 1640 } 1641 1642 drop: 1643 kfree_skb(skb); 1644 return 0; 1645 } 1646 1647 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) 1648 { 1649 struct rfcomm_hdr *hdr = (void *) skb->data; 1650 u8 type, dlci, fcs; 1651 1652 dlci = __get_dlci(hdr->addr); 1653 type = __get_type(hdr->ctrl); 1654 1655 /* Trim FCS */ 1656 skb->len--; skb->tail--; 1657 fcs = *(u8 *)skb_tail_pointer(skb); 1658 1659 if (__check_fcs(skb->data, type, fcs)) { 1660 BT_ERR("bad checksum in packet"); 1661 kfree_skb(skb); 1662 return -EILSEQ; 1663 } 1664 1665 if (__test_ea(hdr->len)) 1666 skb_pull(skb, 3); 1667 else 1668 skb_pull(skb, 4); 1669 1670 switch (type) { 1671 case RFCOMM_SABM: 1672 if (__test_pf(hdr->ctrl)) 1673 rfcomm_recv_sabm(s, dlci); 1674 break; 1675 1676 case RFCOMM_DISC: 1677 if (__test_pf(hdr->ctrl)) 1678 rfcomm_recv_disc(s, dlci); 1679 break; 1680 1681 case RFCOMM_UA: 1682 if (__test_pf(hdr->ctrl)) 1683 rfcomm_recv_ua(s, dlci); 1684 break; 1685 1686 case RFCOMM_DM: 1687 rfcomm_recv_dm(s, dlci); 1688 break; 1689 1690 case RFCOMM_UIH: 1691 if (dlci) 1692 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1693 1694 rfcomm_recv_mcc(s, skb); 1695 break; 1696 1697 default: 1698 BT_ERR("Unknown packet type 0x%02x\n", type); 1699 break; 1700 } 1701 kfree_skb(skb); 1702 return 0; 1703 } 1704 1705 /* ---- Connection and data processing ---- */ 1706 1707 static void rfcomm_process_connect(struct rfcomm_session *s) 1708 { 1709 struct rfcomm_dlc *d; 1710 struct list_head *p, *n; 1711 1712 BT_DBG("session %p state %ld", s, s->state); 1713 1714 list_for_each_safe(p, n, &s->dlcs) { 1715 d = list_entry(p, struct rfcomm_dlc, list); 1716 if (d->state == BT_CONFIG) { 1717 d->mtu = s->mtu; 1718 if (rfcomm_check_security(d)) { 1719 rfcomm_send_pn(s, 1, d); 1720 } else { 1721 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1722 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1723 } 1724 } 1725 } 1726 } 1727 1728 /* Send data queued for the DLC. 1729 * Return number of frames left in the queue. 1730 */ 1731 static inline int rfcomm_process_tx(struct rfcomm_dlc *d) 1732 { 1733 struct sk_buff *skb; 1734 int err; 1735 1736 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1737 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1738 1739 /* Send pending MSC */ 1740 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1741 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1742 1743 if (d->cfc) { 1744 /* CFC enabled. 1745 * Give them some credits */ 1746 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1747 d->rx_credits <= (d->cfc >> 2)) { 1748 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1749 d->rx_credits = d->cfc; 1750 } 1751 } else { 1752 /* CFC disabled. 1753 * Give ourselves some credits */ 1754 d->tx_credits = 5; 1755 } 1756 1757 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1758 return skb_queue_len(&d->tx_queue); 1759 1760 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1761 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1762 if (err < 0) { 1763 skb_queue_head(&d->tx_queue, skb); 1764 break; 1765 } 1766 kfree_skb(skb); 1767 d->tx_credits--; 1768 } 1769 1770 if (d->cfc && !d->tx_credits) { 1771 /* We're out of TX credits. 1772 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1773 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1774 } 1775 1776 return skb_queue_len(&d->tx_queue); 1777 } 1778 1779 static inline void rfcomm_process_dlcs(struct rfcomm_session *s) 1780 { 1781 struct rfcomm_dlc *d; 1782 struct list_head *p, *n; 1783 1784 BT_DBG("session %p state %ld", s, s->state); 1785 1786 list_for_each_safe(p, n, &s->dlcs) { 1787 d = list_entry(p, struct rfcomm_dlc, list); 1788 1789 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1790 __rfcomm_dlc_close(d, ETIMEDOUT); 1791 continue; 1792 } 1793 1794 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1795 rfcomm_dlc_clear_timer(d); 1796 if (d->out) { 1797 rfcomm_send_pn(s, 1, d); 1798 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1799 } else { 1800 if (d->defer_setup) { 1801 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1802 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1803 1804 rfcomm_dlc_lock(d); 1805 d->state = BT_CONNECT2; 1806 d->state_change(d, 0); 1807 rfcomm_dlc_unlock(d); 1808 } else 1809 rfcomm_dlc_accept(d); 1810 } 1811 continue; 1812 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1813 rfcomm_dlc_clear_timer(d); 1814 if (!d->out) 1815 rfcomm_send_dm(s, d->dlci); 1816 else 1817 d->state = BT_CLOSED; 1818 __rfcomm_dlc_close(d, ECONNREFUSED); 1819 continue; 1820 } 1821 1822 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1823 continue; 1824 1825 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1826 continue; 1827 1828 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1829 d->mscex == RFCOMM_MSCEX_OK) 1830 rfcomm_process_tx(d); 1831 } 1832 } 1833 1834 static inline void rfcomm_process_rx(struct rfcomm_session *s) 1835 { 1836 struct socket *sock = s->sock; 1837 struct sock *sk = sock->sk; 1838 struct sk_buff *skb; 1839 1840 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1841 1842 /* Get data directly from socket receive queue without copying it. */ 1843 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1844 skb_orphan(skb); 1845 rfcomm_recv_frame(s, skb); 1846 } 1847 1848 if (sk->sk_state == BT_CLOSED) { 1849 if (!s->initiator) 1850 rfcomm_session_put(s); 1851 1852 rfcomm_session_close(s, sk->sk_err); 1853 } 1854 } 1855 1856 static inline void rfcomm_accept_connection(struct rfcomm_session *s) 1857 { 1858 struct socket *sock = s->sock, *nsock; 1859 int err; 1860 1861 /* Fast check for a new connection. 1862 * Avoids unnesesary socket allocations. */ 1863 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1864 return; 1865 1866 BT_DBG("session %p", s); 1867 1868 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1869 if (err < 0) 1870 return; 1871 1872 /* Set our callbacks */ 1873 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1874 nsock->sk->sk_state_change = rfcomm_l2state_change; 1875 1876 s = rfcomm_session_add(nsock, BT_OPEN); 1877 if (s) { 1878 rfcomm_session_hold(s); 1879 1880 /* We should adjust MTU on incoming sessions. 1881 * L2CAP MTU minus UIH header and FCS. */ 1882 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5; 1883 1884 rfcomm_schedule(RFCOMM_SCHED_RX); 1885 } else 1886 sock_release(nsock); 1887 } 1888 1889 static inline void rfcomm_check_connection(struct rfcomm_session *s) 1890 { 1891 struct sock *sk = s->sock->sk; 1892 1893 BT_DBG("%p state %ld", s, s->state); 1894 1895 switch(sk->sk_state) { 1896 case BT_CONNECTED: 1897 s->state = BT_CONNECT; 1898 1899 /* We can adjust MTU on outgoing sessions. 1900 * L2CAP MTU minus UIH header and FCS. */ 1901 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5; 1902 1903 rfcomm_send_sabm(s, 0); 1904 break; 1905 1906 case BT_CLOSED: 1907 s->state = BT_CLOSED; 1908 rfcomm_session_close(s, sk->sk_err); 1909 break; 1910 } 1911 } 1912 1913 static inline void rfcomm_process_sessions(void) 1914 { 1915 struct list_head *p, *n; 1916 1917 rfcomm_lock(); 1918 1919 list_for_each_safe(p, n, &session_list) { 1920 struct rfcomm_session *s; 1921 s = list_entry(p, struct rfcomm_session, list); 1922 1923 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1924 s->state = BT_DISCONN; 1925 rfcomm_send_disc(s, 0); 1926 rfcomm_session_put(s); 1927 continue; 1928 } 1929 1930 if (s->state == BT_LISTEN) { 1931 rfcomm_accept_connection(s); 1932 continue; 1933 } 1934 1935 rfcomm_session_hold(s); 1936 1937 switch (s->state) { 1938 case BT_BOUND: 1939 rfcomm_check_connection(s); 1940 break; 1941 1942 default: 1943 rfcomm_process_rx(s); 1944 break; 1945 } 1946 1947 rfcomm_process_dlcs(s); 1948 1949 rfcomm_session_put(s); 1950 } 1951 1952 rfcomm_unlock(); 1953 } 1954 1955 static int rfcomm_add_listener(bdaddr_t *ba) 1956 { 1957 struct sockaddr_l2 addr; 1958 struct socket *sock; 1959 struct sock *sk; 1960 struct rfcomm_session *s; 1961 int err = 0; 1962 1963 /* Create socket */ 1964 err = rfcomm_l2sock_create(&sock); 1965 if (err < 0) { 1966 BT_ERR("Create socket failed %d", err); 1967 return err; 1968 } 1969 1970 /* Bind socket */ 1971 bacpy(&addr.l2_bdaddr, ba); 1972 addr.l2_family = AF_BLUETOOTH; 1973 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 1974 addr.l2_cid = 0; 1975 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 1976 if (err < 0) { 1977 BT_ERR("Bind failed %d", err); 1978 goto failed; 1979 } 1980 1981 /* Set L2CAP options */ 1982 sk = sock->sk; 1983 lock_sock(sk); 1984 l2cap_pi(sk)->imtu = l2cap_mtu; 1985 release_sock(sk); 1986 1987 /* Start listening on the socket */ 1988 err = kernel_listen(sock, 10); 1989 if (err) { 1990 BT_ERR("Listen failed %d", err); 1991 goto failed; 1992 } 1993 1994 /* Add listening session */ 1995 s = rfcomm_session_add(sock, BT_LISTEN); 1996 if (!s) 1997 goto failed; 1998 1999 rfcomm_session_hold(s); 2000 return 0; 2001 failed: 2002 sock_release(sock); 2003 return err; 2004 } 2005 2006 static void rfcomm_kill_listener(void) 2007 { 2008 struct rfcomm_session *s; 2009 struct list_head *p, *n; 2010 2011 BT_DBG(""); 2012 2013 list_for_each_safe(p, n, &session_list) { 2014 s = list_entry(p, struct rfcomm_session, list); 2015 rfcomm_session_del(s); 2016 } 2017 } 2018 2019 static int rfcomm_run(void *unused) 2020 { 2021 BT_DBG(""); 2022 2023 set_user_nice(current, -10); 2024 2025 rfcomm_add_listener(BDADDR_ANY); 2026 2027 while (!kthread_should_stop()) { 2028 set_current_state(TASK_INTERRUPTIBLE); 2029 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) { 2030 /* No pending events. Let's sleep. 2031 * Incoming connections and data will wake us up. */ 2032 schedule(); 2033 } 2034 set_current_state(TASK_RUNNING); 2035 2036 /* Process stuff */ 2037 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event); 2038 rfcomm_process_sessions(); 2039 } 2040 2041 rfcomm_kill_listener(); 2042 2043 return 0; 2044 } 2045 2046 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2047 { 2048 struct rfcomm_session *s; 2049 struct rfcomm_dlc *d; 2050 struct list_head *p, *n; 2051 2052 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2053 2054 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2055 if (!s) 2056 return; 2057 2058 rfcomm_session_hold(s); 2059 2060 list_for_each_safe(p, n, &s->dlcs) { 2061 d = list_entry(p, struct rfcomm_dlc, list); 2062 2063 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2064 rfcomm_dlc_clear_timer(d); 2065 if (status || encrypt == 0x00) { 2066 __rfcomm_dlc_close(d, ECONNREFUSED); 2067 continue; 2068 } 2069 } 2070 2071 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2072 if (d->sec_level == BT_SECURITY_MEDIUM) { 2073 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2074 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2075 continue; 2076 } else if (d->sec_level == BT_SECURITY_HIGH) { 2077 __rfcomm_dlc_close(d, ECONNREFUSED); 2078 continue; 2079 } 2080 } 2081 2082 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2083 continue; 2084 2085 if (!status) 2086 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2087 else 2088 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2089 } 2090 2091 rfcomm_session_put(s); 2092 2093 rfcomm_schedule(RFCOMM_SCHED_AUTH); 2094 } 2095 2096 static struct hci_cb rfcomm_cb = { 2097 .name = "RFCOMM", 2098 .security_cfm = rfcomm_security_cfm 2099 }; 2100 2101 static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf) 2102 { 2103 struct rfcomm_session *s; 2104 struct list_head *pp, *p; 2105 char *str = buf; 2106 2107 rfcomm_lock(); 2108 2109 list_for_each(p, &session_list) { 2110 s = list_entry(p, struct rfcomm_session, list); 2111 list_for_each(pp, &s->dlcs) { 2112 struct sock *sk = s->sock->sk; 2113 struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list); 2114 2115 str += sprintf(str, "%s %s %ld %d %d %d %d\n", 2116 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), 2117 d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits); 2118 } 2119 } 2120 2121 rfcomm_unlock(); 2122 2123 return (str - buf); 2124 } 2125 2126 static CLASS_ATTR(rfcomm_dlc, S_IRUGO, rfcomm_dlc_sysfs_show, NULL); 2127 2128 /* ---- Initialization ---- */ 2129 static int __init rfcomm_init(void) 2130 { 2131 int err; 2132 2133 l2cap_load(); 2134 2135 hci_register_cb(&rfcomm_cb); 2136 2137 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2138 if (IS_ERR(rfcomm_thread)) { 2139 err = PTR_ERR(rfcomm_thread); 2140 goto unregister; 2141 } 2142 2143 if (class_create_file(bt_class, &class_attr_rfcomm_dlc) < 0) 2144 BT_ERR("Failed to create RFCOMM info file"); 2145 2146 err = rfcomm_init_ttys(); 2147 if (err < 0) 2148 goto stop; 2149 2150 err = rfcomm_init_sockets(); 2151 if (err < 0) 2152 goto cleanup; 2153 2154 BT_INFO("RFCOMM ver %s", VERSION); 2155 2156 return 0; 2157 2158 cleanup: 2159 rfcomm_cleanup_ttys(); 2160 2161 stop: 2162 kthread_stop(rfcomm_thread); 2163 2164 unregister: 2165 hci_unregister_cb(&rfcomm_cb); 2166 2167 return err; 2168 } 2169 2170 static void __exit rfcomm_exit(void) 2171 { 2172 class_remove_file(bt_class, &class_attr_rfcomm_dlc); 2173 2174 hci_unregister_cb(&rfcomm_cb); 2175 2176 kthread_stop(rfcomm_thread); 2177 2178 rfcomm_cleanup_ttys(); 2179 2180 rfcomm_cleanup_sockets(); 2181 } 2182 2183 module_init(rfcomm_init); 2184 module_exit(rfcomm_exit); 2185 2186 module_param(disable_cfc, bool, 0644); 2187 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2188 2189 module_param(channel_mtu, int, 0644); 2190 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2191 2192 module_param(l2cap_mtu, uint, 0644); 2193 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2194 2195 module_param(l2cap_ertm, bool, 0644); 2196 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2197 2198 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2199 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2200 MODULE_VERSION(VERSION); 2201 MODULE_LICENSE("GPL"); 2202 MODULE_ALIAS("bt-proto-3"); 2203