1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/errno.h> 30 #include <linux/kernel.h> 31 #include <linux/sched.h> 32 #include <linux/signal.h> 33 #include <linux/init.h> 34 #include <linux/wait.h> 35 #include <linux/device.h> 36 #include <linux/debugfs.h> 37 #include <linux/seq_file.h> 38 #include <linux/net.h> 39 #include <linux/mutex.h> 40 #include <linux/kthread.h> 41 #include <linux/slab.h> 42 43 #include <net/sock.h> 44 #include <linux/uaccess.h> 45 #include <asm/unaligned.h> 46 47 #include <net/bluetooth/bluetooth.h> 48 #include <net/bluetooth/hci_core.h> 49 #include <net/bluetooth/l2cap.h> 50 #include <net/bluetooth/rfcomm.h> 51 52 #define VERSION "1.11" 53 54 static bool disable_cfc; 55 static bool l2cap_ertm; 56 static int channel_mtu = -1; 57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 58 59 static struct task_struct *rfcomm_thread; 60 61 static DEFINE_MUTEX(rfcomm_mutex); 62 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 64 65 66 static LIST_HEAD(session_list); 67 68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len, 69 u32 priority); 70 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 71 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 72 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 73 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 74 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 75 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 76 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 77 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 78 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 79 80 static void rfcomm_process_connect(struct rfcomm_session *s); 81 82 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 83 bdaddr_t *dst, 84 u8 sec_level, 85 int *err); 86 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 87 static void rfcomm_session_del(struct rfcomm_session *s); 88 89 /* ---- RFCOMM frame parsing macros ---- */ 90 #define __get_dlci(b) ((b & 0xfc) >> 2) 91 #define __get_channel(b) ((b & 0xf8) >> 3) 92 #define __get_dir(b) ((b & 0x04) >> 2) 93 #define __get_type(b) ((b & 0xef)) 94 95 #define __test_ea(b) ((b & 0x01)) 96 #define __test_cr(b) ((b & 0x02)) 97 #define __test_pf(b) ((b & 0x10)) 98 99 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 100 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 101 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 102 #define __srv_channel(dlci) (dlci >> 1) 103 #define __dir(dlci) (dlci & 0x01) 104 105 #define __len8(len) (((len) << 1) | 1) 106 #define __len16(len) ((len) << 1) 107 108 /* MCC macros */ 109 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 110 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 111 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 112 113 /* RPN macros */ 114 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 115 #define __get_rpn_data_bits(line) ((line) & 0x3) 116 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 117 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 118 119 static inline void rfcomm_schedule(void) 120 { 121 if (!rfcomm_thread) 122 return; 123 wake_up_process(rfcomm_thread); 124 } 125 126 static inline void rfcomm_session_put(struct rfcomm_session *s) 127 { 128 if (atomic_dec_and_test(&s->refcnt)) 129 rfcomm_session_del(s); 130 } 131 132 /* ---- RFCOMM FCS computation ---- */ 133 134 /* reversed, 8-bit, poly=0x07 */ 135 static unsigned char rfcomm_crc_table[256] = { 136 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 137 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 138 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 139 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 140 141 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 142 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 143 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 144 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 145 146 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 147 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 148 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 149 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 150 151 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 152 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 153 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 154 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 155 156 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 157 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 158 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 159 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 160 161 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 162 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 163 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 164 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 165 166 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 167 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 168 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 169 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 170 171 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 172 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 173 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 174 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 175 }; 176 177 /* CRC on 2 bytes */ 178 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 179 180 /* FCS on 2 bytes */ 181 static inline u8 __fcs(u8 *data) 182 { 183 return 0xff - __crc(data); 184 } 185 186 /* FCS on 3 bytes */ 187 static inline u8 __fcs2(u8 *data) 188 { 189 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 190 } 191 192 /* Check FCS */ 193 static inline int __check_fcs(u8 *data, int type, u8 fcs) 194 { 195 u8 f = __crc(data); 196 197 if (type != RFCOMM_UIH) 198 f = rfcomm_crc_table[f ^ data[2]]; 199 200 return rfcomm_crc_table[f ^ fcs] != 0xcf; 201 } 202 203 /* ---- L2CAP callbacks ---- */ 204 static void rfcomm_l2state_change(struct sock *sk) 205 { 206 BT_DBG("%p state %d", sk, sk->sk_state); 207 rfcomm_schedule(); 208 } 209 210 static void rfcomm_l2data_ready(struct sock *sk, int bytes) 211 { 212 BT_DBG("%p bytes %d", sk, bytes); 213 rfcomm_schedule(); 214 } 215 216 static int rfcomm_l2sock_create(struct socket **sock) 217 { 218 int err; 219 220 BT_DBG(""); 221 222 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 223 if (!err) { 224 struct sock *sk = (*sock)->sk; 225 sk->sk_data_ready = rfcomm_l2data_ready; 226 sk->sk_state_change = rfcomm_l2state_change; 227 } 228 return err; 229 } 230 231 static inline int rfcomm_check_security(struct rfcomm_dlc *d) 232 { 233 struct sock *sk = d->session->sock->sk; 234 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 235 236 __u8 auth_type; 237 238 switch (d->sec_level) { 239 case BT_SECURITY_HIGH: 240 auth_type = HCI_AT_GENERAL_BONDING_MITM; 241 break; 242 case BT_SECURITY_MEDIUM: 243 auth_type = HCI_AT_GENERAL_BONDING; 244 break; 245 default: 246 auth_type = HCI_AT_NO_BONDING; 247 break; 248 } 249 250 return hci_conn_security(conn->hcon, d->sec_level, auth_type); 251 } 252 253 static void rfcomm_session_timeout(unsigned long arg) 254 { 255 struct rfcomm_session *s = (void *) arg; 256 257 BT_DBG("session %p state %ld", s, s->state); 258 259 set_bit(RFCOMM_TIMED_OUT, &s->flags); 260 rfcomm_schedule(); 261 } 262 263 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 264 { 265 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 266 267 if (!mod_timer(&s->timer, jiffies + timeout)) 268 rfcomm_session_hold(s); 269 } 270 271 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 272 { 273 BT_DBG("session %p state %ld", s, s->state); 274 275 if (timer_pending(&s->timer) && del_timer(&s->timer)) 276 rfcomm_session_put(s); 277 } 278 279 /* ---- RFCOMM DLCs ---- */ 280 static void rfcomm_dlc_timeout(unsigned long arg) 281 { 282 struct rfcomm_dlc *d = (void *) arg; 283 284 BT_DBG("dlc %p state %ld", d, d->state); 285 286 set_bit(RFCOMM_TIMED_OUT, &d->flags); 287 rfcomm_dlc_put(d); 288 rfcomm_schedule(); 289 } 290 291 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 292 { 293 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 294 295 if (!mod_timer(&d->timer, jiffies + timeout)) 296 rfcomm_dlc_hold(d); 297 } 298 299 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 300 { 301 BT_DBG("dlc %p state %ld", d, d->state); 302 303 if (timer_pending(&d->timer) && del_timer(&d->timer)) 304 rfcomm_dlc_put(d); 305 } 306 307 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 308 { 309 BT_DBG("%p", d); 310 311 d->state = BT_OPEN; 312 d->flags = 0; 313 d->mscex = 0; 314 d->sec_level = BT_SECURITY_LOW; 315 d->mtu = RFCOMM_DEFAULT_MTU; 316 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 317 318 d->cfc = RFCOMM_CFC_DISABLED; 319 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 320 } 321 322 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 323 { 324 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 325 326 if (!d) 327 return NULL; 328 329 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 330 331 skb_queue_head_init(&d->tx_queue); 332 spin_lock_init(&d->lock); 333 atomic_set(&d->refcnt, 1); 334 335 rfcomm_dlc_clear_state(d); 336 337 BT_DBG("%p", d); 338 339 return d; 340 } 341 342 void rfcomm_dlc_free(struct rfcomm_dlc *d) 343 { 344 BT_DBG("%p", d); 345 346 skb_queue_purge(&d->tx_queue); 347 kfree(d); 348 } 349 350 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 351 { 352 BT_DBG("dlc %p session %p", d, s); 353 354 rfcomm_session_hold(s); 355 356 rfcomm_session_clear_timer(s); 357 rfcomm_dlc_hold(d); 358 list_add(&d->list, &s->dlcs); 359 d->session = s; 360 } 361 362 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 363 { 364 struct rfcomm_session *s = d->session; 365 366 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 367 368 list_del(&d->list); 369 d->session = NULL; 370 rfcomm_dlc_put(d); 371 372 if (list_empty(&s->dlcs)) 373 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 374 375 rfcomm_session_put(s); 376 } 377 378 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 379 { 380 struct rfcomm_dlc *d; 381 382 list_for_each_entry(d, &s->dlcs, list) 383 if (d->dlci == dlci) 384 return d; 385 386 return NULL; 387 } 388 389 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 390 { 391 struct rfcomm_session *s; 392 int err = 0; 393 u8 dlci; 394 395 BT_DBG("dlc %p state %ld %s %s channel %d", 396 d, d->state, batostr(src), batostr(dst), channel); 397 398 if (channel < 1 || channel > 30) 399 return -EINVAL; 400 401 if (d->state != BT_OPEN && d->state != BT_CLOSED) 402 return 0; 403 404 s = rfcomm_session_get(src, dst); 405 if (!s) { 406 s = rfcomm_session_create(src, dst, d->sec_level, &err); 407 if (!s) 408 return err; 409 } 410 411 dlci = __dlci(!s->initiator, channel); 412 413 /* Check if DLCI already exists */ 414 if (rfcomm_dlc_get(s, dlci)) 415 return -EBUSY; 416 417 rfcomm_dlc_clear_state(d); 418 419 d->dlci = dlci; 420 d->addr = __addr(s->initiator, dlci); 421 d->priority = 7; 422 423 d->state = BT_CONFIG; 424 rfcomm_dlc_link(s, d); 425 426 d->out = 1; 427 428 d->mtu = s->mtu; 429 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 430 431 if (s->state == BT_CONNECTED) { 432 if (rfcomm_check_security(d)) 433 rfcomm_send_pn(s, 1, d); 434 else 435 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 436 } 437 438 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 439 440 return 0; 441 } 442 443 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 444 { 445 int r; 446 447 rfcomm_lock(); 448 449 r = __rfcomm_dlc_open(d, src, dst, channel); 450 451 rfcomm_unlock(); 452 return r; 453 } 454 455 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 456 { 457 struct rfcomm_session *s = d->session; 458 if (!s) 459 return 0; 460 461 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 462 d, d->state, d->dlci, err, s); 463 464 switch (d->state) { 465 case BT_CONNECT: 466 case BT_CONFIG: 467 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 468 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 469 rfcomm_schedule(); 470 break; 471 } 472 /* Fall through */ 473 474 case BT_CONNECTED: 475 d->state = BT_DISCONN; 476 if (skb_queue_empty(&d->tx_queue)) { 477 rfcomm_send_disc(s, d->dlci); 478 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 479 } else { 480 rfcomm_queue_disc(d); 481 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 482 } 483 break; 484 485 case BT_OPEN: 486 case BT_CONNECT2: 487 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 488 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 489 rfcomm_schedule(); 490 break; 491 } 492 /* Fall through */ 493 494 default: 495 rfcomm_dlc_clear_timer(d); 496 497 rfcomm_dlc_lock(d); 498 d->state = BT_CLOSED; 499 d->state_change(d, err); 500 rfcomm_dlc_unlock(d); 501 502 skb_queue_purge(&d->tx_queue); 503 rfcomm_dlc_unlink(d); 504 } 505 506 return 0; 507 } 508 509 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 510 { 511 int r; 512 513 rfcomm_lock(); 514 515 r = __rfcomm_dlc_close(d, err); 516 517 rfcomm_unlock(); 518 return r; 519 } 520 521 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 522 { 523 int len = skb->len; 524 525 if (d->state != BT_CONNECTED) 526 return -ENOTCONN; 527 528 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 529 530 if (len > d->mtu) 531 return -EINVAL; 532 533 rfcomm_make_uih(skb, d->addr); 534 skb_queue_tail(&d->tx_queue, skb); 535 536 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 537 rfcomm_schedule(); 538 return len; 539 } 540 541 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 542 { 543 BT_DBG("dlc %p state %ld", d, d->state); 544 545 if (!d->cfc) { 546 d->v24_sig |= RFCOMM_V24_FC; 547 set_bit(RFCOMM_MSC_PENDING, &d->flags); 548 } 549 rfcomm_schedule(); 550 } 551 552 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 553 { 554 BT_DBG("dlc %p state %ld", d, d->state); 555 556 if (!d->cfc) { 557 d->v24_sig &= ~RFCOMM_V24_FC; 558 set_bit(RFCOMM_MSC_PENDING, &d->flags); 559 } 560 rfcomm_schedule(); 561 } 562 563 /* 564 Set/get modem status functions use _local_ status i.e. what we report 565 to the other side. 566 Remote status is provided by dlc->modem_status() callback. 567 */ 568 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 569 { 570 BT_DBG("dlc %p state %ld v24_sig 0x%x", 571 d, d->state, v24_sig); 572 573 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 574 v24_sig |= RFCOMM_V24_FC; 575 else 576 v24_sig &= ~RFCOMM_V24_FC; 577 578 d->v24_sig = v24_sig; 579 580 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 581 rfcomm_schedule(); 582 583 return 0; 584 } 585 586 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 587 { 588 BT_DBG("dlc %p state %ld v24_sig 0x%x", 589 d, d->state, d->v24_sig); 590 591 *v24_sig = d->v24_sig; 592 return 0; 593 } 594 595 /* ---- RFCOMM sessions ---- */ 596 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 597 { 598 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 599 600 if (!s) 601 return NULL; 602 603 BT_DBG("session %p sock %p", s, sock); 604 605 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 606 607 INIT_LIST_HEAD(&s->dlcs); 608 s->state = state; 609 s->sock = sock; 610 611 s->mtu = RFCOMM_DEFAULT_MTU; 612 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 613 614 /* Do not increment module usage count for listening sessions. 615 * Otherwise we won't be able to unload the module. */ 616 if (state != BT_LISTEN) 617 if (!try_module_get(THIS_MODULE)) { 618 kfree(s); 619 return NULL; 620 } 621 622 list_add(&s->list, &session_list); 623 624 return s; 625 } 626 627 static void rfcomm_session_del(struct rfcomm_session *s) 628 { 629 int state = s->state; 630 631 BT_DBG("session %p state %ld", s, s->state); 632 633 list_del(&s->list); 634 635 if (state == BT_CONNECTED) 636 rfcomm_send_disc(s, 0); 637 638 rfcomm_session_clear_timer(s); 639 sock_release(s->sock); 640 kfree(s); 641 642 if (state != BT_LISTEN) 643 module_put(THIS_MODULE); 644 } 645 646 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 647 { 648 struct rfcomm_session *s; 649 struct list_head *p, *n; 650 struct bt_sock *sk; 651 list_for_each_safe(p, n, &session_list) { 652 s = list_entry(p, struct rfcomm_session, list); 653 sk = bt_sk(s->sock->sk); 654 655 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) && 656 !bacmp(&sk->dst, dst)) 657 return s; 658 } 659 return NULL; 660 } 661 662 static void rfcomm_session_close(struct rfcomm_session *s, int err) 663 { 664 struct rfcomm_dlc *d; 665 struct list_head *p, *n; 666 667 BT_DBG("session %p state %ld err %d", s, s->state, err); 668 669 rfcomm_session_hold(s); 670 671 s->state = BT_CLOSED; 672 673 /* Close all dlcs */ 674 list_for_each_safe(p, n, &s->dlcs) { 675 d = list_entry(p, struct rfcomm_dlc, list); 676 d->state = BT_CLOSED; 677 __rfcomm_dlc_close(d, err); 678 } 679 680 rfcomm_session_clear_timer(s); 681 rfcomm_session_put(s); 682 } 683 684 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 685 bdaddr_t *dst, 686 u8 sec_level, 687 int *err) 688 { 689 struct rfcomm_session *s = NULL; 690 struct sockaddr_l2 addr; 691 struct socket *sock; 692 struct sock *sk; 693 694 BT_DBG("%s %s", batostr(src), batostr(dst)); 695 696 *err = rfcomm_l2sock_create(&sock); 697 if (*err < 0) 698 return NULL; 699 700 bacpy(&addr.l2_bdaddr, src); 701 addr.l2_family = AF_BLUETOOTH; 702 addr.l2_psm = 0; 703 addr.l2_cid = 0; 704 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 705 if (*err < 0) 706 goto failed; 707 708 /* Set L2CAP options */ 709 sk = sock->sk; 710 lock_sock(sk); 711 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 712 l2cap_pi(sk)->chan->sec_level = sec_level; 713 if (l2cap_ertm) 714 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 715 release_sock(sk); 716 717 s = rfcomm_session_add(sock, BT_BOUND); 718 if (!s) { 719 *err = -ENOMEM; 720 goto failed; 721 } 722 723 s->initiator = 1; 724 725 bacpy(&addr.l2_bdaddr, dst); 726 addr.l2_family = AF_BLUETOOTH; 727 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 728 addr.l2_cid = 0; 729 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 730 if (*err == 0 || *err == -EINPROGRESS) 731 return s; 732 733 rfcomm_session_del(s); 734 return NULL; 735 736 failed: 737 sock_release(sock); 738 return NULL; 739 } 740 741 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 742 { 743 struct sock *sk = s->sock->sk; 744 if (src) 745 bacpy(src, &bt_sk(sk)->src); 746 if (dst) 747 bacpy(dst, &bt_sk(sk)->dst); 748 } 749 750 /* ---- RFCOMM frame sending ---- */ 751 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len, 752 u32 priority) 753 { 754 struct socket *sock = s->sock; 755 struct sock *sk = sock->sk; 756 struct kvec iv = { data, len }; 757 struct msghdr msg; 758 759 BT_DBG("session %p len %d priority %u", s, len, priority); 760 761 if (sk->sk_priority != priority) { 762 lock_sock(sk); 763 sk->sk_priority = priority; 764 release_sock(sk); 765 } 766 767 memset(&msg, 0, sizeof(msg)); 768 769 return kernel_sendmsg(sock, &msg, &iv, 1, len); 770 } 771 772 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 773 { 774 BT_DBG("%p cmd %u", s, cmd->ctrl); 775 776 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd), HCI_PRIO_MAX); 777 } 778 779 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 780 { 781 struct rfcomm_cmd cmd; 782 783 BT_DBG("%p dlci %d", s, dlci); 784 785 cmd.addr = __addr(s->initiator, dlci); 786 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 787 cmd.len = __len8(0); 788 cmd.fcs = __fcs2((u8 *) &cmd); 789 790 return rfcomm_send_cmd(s, &cmd); 791 } 792 793 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 794 { 795 struct rfcomm_cmd cmd; 796 797 BT_DBG("%p dlci %d", s, dlci); 798 799 cmd.addr = __addr(!s->initiator, dlci); 800 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 801 cmd.len = __len8(0); 802 cmd.fcs = __fcs2((u8 *) &cmd); 803 804 return rfcomm_send_cmd(s, &cmd); 805 } 806 807 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 808 { 809 struct rfcomm_cmd cmd; 810 811 BT_DBG("%p dlci %d", s, dlci); 812 813 cmd.addr = __addr(s->initiator, dlci); 814 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 815 cmd.len = __len8(0); 816 cmd.fcs = __fcs2((u8 *) &cmd); 817 818 return rfcomm_send_cmd(s, &cmd); 819 } 820 821 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 822 { 823 struct rfcomm_cmd *cmd; 824 struct sk_buff *skb; 825 826 BT_DBG("dlc %p dlci %d", d, d->dlci); 827 828 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 829 if (!skb) 830 return -ENOMEM; 831 832 skb->priority = HCI_PRIO_MAX; 833 834 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 835 cmd->addr = d->addr; 836 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 837 cmd->len = __len8(0); 838 cmd->fcs = __fcs2((u8 *) cmd); 839 840 skb_queue_tail(&d->tx_queue, skb); 841 rfcomm_schedule(); 842 return 0; 843 } 844 845 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 846 { 847 struct rfcomm_cmd cmd; 848 849 BT_DBG("%p dlci %d", s, dlci); 850 851 cmd.addr = __addr(!s->initiator, dlci); 852 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 853 cmd.len = __len8(0); 854 cmd.fcs = __fcs2((u8 *) &cmd); 855 856 return rfcomm_send_cmd(s, &cmd); 857 } 858 859 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 860 { 861 struct rfcomm_hdr *hdr; 862 struct rfcomm_mcc *mcc; 863 u8 buf[16], *ptr = buf; 864 865 BT_DBG("%p cr %d type %d", s, cr, type); 866 867 hdr = (void *) ptr; ptr += sizeof(*hdr); 868 hdr->addr = __addr(s->initiator, 0); 869 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 870 hdr->len = __len8(sizeof(*mcc) + 1); 871 872 mcc = (void *) ptr; ptr += sizeof(*mcc); 873 mcc->type = __mcc_type(cr, RFCOMM_NSC); 874 mcc->len = __len8(1); 875 876 /* Type that we didn't like */ 877 *ptr = __mcc_type(cr, type); ptr++; 878 879 *ptr = __fcs(buf); ptr++; 880 881 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 882 } 883 884 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 885 { 886 struct rfcomm_hdr *hdr; 887 struct rfcomm_mcc *mcc; 888 struct rfcomm_pn *pn; 889 u8 buf[16], *ptr = buf; 890 891 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 892 893 hdr = (void *) ptr; ptr += sizeof(*hdr); 894 hdr->addr = __addr(s->initiator, 0); 895 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 896 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 897 898 mcc = (void *) ptr; ptr += sizeof(*mcc); 899 mcc->type = __mcc_type(cr, RFCOMM_PN); 900 mcc->len = __len8(sizeof(*pn)); 901 902 pn = (void *) ptr; ptr += sizeof(*pn); 903 pn->dlci = d->dlci; 904 pn->priority = d->priority; 905 pn->ack_timer = 0; 906 pn->max_retrans = 0; 907 908 if (s->cfc) { 909 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 910 pn->credits = RFCOMM_DEFAULT_CREDITS; 911 } else { 912 pn->flow_ctrl = 0; 913 pn->credits = 0; 914 } 915 916 if (cr && channel_mtu >= 0) 917 pn->mtu = cpu_to_le16(channel_mtu); 918 else 919 pn->mtu = cpu_to_le16(d->mtu); 920 921 *ptr = __fcs(buf); ptr++; 922 923 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 924 } 925 926 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 927 u8 bit_rate, u8 data_bits, u8 stop_bits, 928 u8 parity, u8 flow_ctrl_settings, 929 u8 xon_char, u8 xoff_char, u16 param_mask) 930 { 931 struct rfcomm_hdr *hdr; 932 struct rfcomm_mcc *mcc; 933 struct rfcomm_rpn *rpn; 934 u8 buf[16], *ptr = buf; 935 936 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 937 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 938 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 939 flow_ctrl_settings, xon_char, xoff_char, param_mask); 940 941 hdr = (void *) ptr; ptr += sizeof(*hdr); 942 hdr->addr = __addr(s->initiator, 0); 943 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 944 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 945 946 mcc = (void *) ptr; ptr += sizeof(*mcc); 947 mcc->type = __mcc_type(cr, RFCOMM_RPN); 948 mcc->len = __len8(sizeof(*rpn)); 949 950 rpn = (void *) ptr; ptr += sizeof(*rpn); 951 rpn->dlci = __addr(1, dlci); 952 rpn->bit_rate = bit_rate; 953 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 954 rpn->flow_ctrl = flow_ctrl_settings; 955 rpn->xon_char = xon_char; 956 rpn->xoff_char = xoff_char; 957 rpn->param_mask = cpu_to_le16(param_mask); 958 959 *ptr = __fcs(buf); ptr++; 960 961 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 962 } 963 964 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 965 { 966 struct rfcomm_hdr *hdr; 967 struct rfcomm_mcc *mcc; 968 struct rfcomm_rls *rls; 969 u8 buf[16], *ptr = buf; 970 971 BT_DBG("%p cr %d status 0x%x", s, cr, status); 972 973 hdr = (void *) ptr; ptr += sizeof(*hdr); 974 hdr->addr = __addr(s->initiator, 0); 975 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 976 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 977 978 mcc = (void *) ptr; ptr += sizeof(*mcc); 979 mcc->type = __mcc_type(cr, RFCOMM_RLS); 980 mcc->len = __len8(sizeof(*rls)); 981 982 rls = (void *) ptr; ptr += sizeof(*rls); 983 rls->dlci = __addr(1, dlci); 984 rls->status = status; 985 986 *ptr = __fcs(buf); ptr++; 987 988 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 989 } 990 991 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 992 { 993 struct rfcomm_hdr *hdr; 994 struct rfcomm_mcc *mcc; 995 struct rfcomm_msc *msc; 996 u8 buf[16], *ptr = buf; 997 998 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 999 1000 hdr = (void *) ptr; ptr += sizeof(*hdr); 1001 hdr->addr = __addr(s->initiator, 0); 1002 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1003 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 1004 1005 mcc = (void *) ptr; ptr += sizeof(*mcc); 1006 mcc->type = __mcc_type(cr, RFCOMM_MSC); 1007 mcc->len = __len8(sizeof(*msc)); 1008 1009 msc = (void *) ptr; ptr += sizeof(*msc); 1010 msc->dlci = __addr(1, dlci); 1011 msc->v24_sig = v24_sig | 0x01; 1012 1013 *ptr = __fcs(buf); ptr++; 1014 1015 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1016 } 1017 1018 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1019 { 1020 struct rfcomm_hdr *hdr; 1021 struct rfcomm_mcc *mcc; 1022 u8 buf[16], *ptr = buf; 1023 1024 BT_DBG("%p cr %d", s, cr); 1025 1026 hdr = (void *) ptr; ptr += sizeof(*hdr); 1027 hdr->addr = __addr(s->initiator, 0); 1028 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1029 hdr->len = __len8(sizeof(*mcc)); 1030 1031 mcc = (void *) ptr; ptr += sizeof(*mcc); 1032 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1033 mcc->len = __len8(0); 1034 1035 *ptr = __fcs(buf); ptr++; 1036 1037 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1038 } 1039 1040 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1041 { 1042 struct rfcomm_hdr *hdr; 1043 struct rfcomm_mcc *mcc; 1044 u8 buf[16], *ptr = buf; 1045 1046 BT_DBG("%p cr %d", s, cr); 1047 1048 hdr = (void *) ptr; ptr += sizeof(*hdr); 1049 hdr->addr = __addr(s->initiator, 0); 1050 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1051 hdr->len = __len8(sizeof(*mcc)); 1052 1053 mcc = (void *) ptr; ptr += sizeof(*mcc); 1054 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1055 mcc->len = __len8(0); 1056 1057 *ptr = __fcs(buf); ptr++; 1058 1059 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1060 } 1061 1062 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1063 { 1064 struct socket *sock = s->sock; 1065 struct kvec iv[3]; 1066 struct msghdr msg; 1067 unsigned char hdr[5], crc[1]; 1068 1069 if (len > 125) 1070 return -EINVAL; 1071 1072 BT_DBG("%p cr %d", s, cr); 1073 1074 hdr[0] = __addr(s->initiator, 0); 1075 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1076 hdr[2] = 0x01 | ((len + 2) << 1); 1077 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1078 hdr[4] = 0x01 | (len << 1); 1079 1080 crc[0] = __fcs(hdr); 1081 1082 iv[0].iov_base = hdr; 1083 iv[0].iov_len = 5; 1084 iv[1].iov_base = pattern; 1085 iv[1].iov_len = len; 1086 iv[2].iov_base = crc; 1087 iv[2].iov_len = 1; 1088 1089 memset(&msg, 0, sizeof(msg)); 1090 1091 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1092 } 1093 1094 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1095 { 1096 struct rfcomm_hdr *hdr; 1097 u8 buf[16], *ptr = buf; 1098 1099 BT_DBG("%p addr %d credits %d", s, addr, credits); 1100 1101 hdr = (void *) ptr; ptr += sizeof(*hdr); 1102 hdr->addr = addr; 1103 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1104 hdr->len = __len8(0); 1105 1106 *ptr = credits; ptr++; 1107 1108 *ptr = __fcs(buf); ptr++; 1109 1110 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1111 } 1112 1113 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1114 { 1115 struct rfcomm_hdr *hdr; 1116 int len = skb->len; 1117 u8 *crc; 1118 1119 if (len > 127) { 1120 hdr = (void *) skb_push(skb, 4); 1121 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1122 } else { 1123 hdr = (void *) skb_push(skb, 3); 1124 hdr->len = __len8(len); 1125 } 1126 hdr->addr = addr; 1127 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1128 1129 crc = skb_put(skb, 1); 1130 *crc = __fcs((void *) hdr); 1131 } 1132 1133 /* ---- RFCOMM frame reception ---- */ 1134 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1135 { 1136 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1137 1138 if (dlci) { 1139 /* Data channel */ 1140 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1141 if (!d) { 1142 rfcomm_send_dm(s, dlci); 1143 return 0; 1144 } 1145 1146 switch (d->state) { 1147 case BT_CONNECT: 1148 rfcomm_dlc_clear_timer(d); 1149 1150 rfcomm_dlc_lock(d); 1151 d->state = BT_CONNECTED; 1152 d->state_change(d, 0); 1153 rfcomm_dlc_unlock(d); 1154 1155 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1156 break; 1157 1158 case BT_DISCONN: 1159 d->state = BT_CLOSED; 1160 __rfcomm_dlc_close(d, 0); 1161 1162 if (list_empty(&s->dlcs)) { 1163 s->state = BT_DISCONN; 1164 rfcomm_send_disc(s, 0); 1165 } 1166 1167 break; 1168 } 1169 } else { 1170 /* Control channel */ 1171 switch (s->state) { 1172 case BT_CONNECT: 1173 s->state = BT_CONNECTED; 1174 rfcomm_process_connect(s); 1175 break; 1176 1177 case BT_DISCONN: 1178 /* When socket is closed and we are not RFCOMM 1179 * initiator rfcomm_process_rx already calls 1180 * rfcomm_session_put() */ 1181 if (s->sock->sk->sk_state != BT_CLOSED) 1182 if (list_empty(&s->dlcs)) 1183 rfcomm_session_put(s); 1184 break; 1185 } 1186 } 1187 return 0; 1188 } 1189 1190 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1191 { 1192 int err = 0; 1193 1194 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1195 1196 if (dlci) { 1197 /* Data DLC */ 1198 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1199 if (d) { 1200 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1201 err = ECONNREFUSED; 1202 else 1203 err = ECONNRESET; 1204 1205 d->state = BT_CLOSED; 1206 __rfcomm_dlc_close(d, err); 1207 } 1208 } else { 1209 if (s->state == BT_CONNECT) 1210 err = ECONNREFUSED; 1211 else 1212 err = ECONNRESET; 1213 1214 s->state = BT_CLOSED; 1215 rfcomm_session_close(s, err); 1216 } 1217 return 0; 1218 } 1219 1220 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci) 1221 { 1222 int err = 0; 1223 1224 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1225 1226 if (dlci) { 1227 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1228 if (d) { 1229 rfcomm_send_ua(s, dlci); 1230 1231 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1232 err = ECONNREFUSED; 1233 else 1234 err = ECONNRESET; 1235 1236 d->state = BT_CLOSED; 1237 __rfcomm_dlc_close(d, err); 1238 } else 1239 rfcomm_send_dm(s, dlci); 1240 1241 } else { 1242 rfcomm_send_ua(s, 0); 1243 1244 if (s->state == BT_CONNECT) 1245 err = ECONNREFUSED; 1246 else 1247 err = ECONNRESET; 1248 1249 s->state = BT_CLOSED; 1250 rfcomm_session_close(s, err); 1251 } 1252 1253 return 0; 1254 } 1255 1256 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1257 { 1258 struct sock *sk = d->session->sock->sk; 1259 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1260 1261 BT_DBG("dlc %p", d); 1262 1263 rfcomm_send_ua(d->session, d->dlci); 1264 1265 rfcomm_dlc_clear_timer(d); 1266 1267 rfcomm_dlc_lock(d); 1268 d->state = BT_CONNECTED; 1269 d->state_change(d, 0); 1270 rfcomm_dlc_unlock(d); 1271 1272 if (d->role_switch) 1273 hci_conn_switch_role(conn->hcon, 0x00); 1274 1275 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1276 } 1277 1278 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1279 { 1280 if (rfcomm_check_security(d)) { 1281 if (d->defer_setup) { 1282 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1283 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1284 1285 rfcomm_dlc_lock(d); 1286 d->state = BT_CONNECT2; 1287 d->state_change(d, 0); 1288 rfcomm_dlc_unlock(d); 1289 } else 1290 rfcomm_dlc_accept(d); 1291 } else { 1292 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1293 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1294 } 1295 } 1296 1297 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1298 { 1299 struct rfcomm_dlc *d; 1300 u8 channel; 1301 1302 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1303 1304 if (!dlci) { 1305 rfcomm_send_ua(s, 0); 1306 1307 if (s->state == BT_OPEN) { 1308 s->state = BT_CONNECTED; 1309 rfcomm_process_connect(s); 1310 } 1311 return 0; 1312 } 1313 1314 /* Check if DLC exists */ 1315 d = rfcomm_dlc_get(s, dlci); 1316 if (d) { 1317 if (d->state == BT_OPEN) { 1318 /* DLC was previously opened by PN request */ 1319 rfcomm_check_accept(d); 1320 } 1321 return 0; 1322 } 1323 1324 /* Notify socket layer about incoming connection */ 1325 channel = __srv_channel(dlci); 1326 if (rfcomm_connect_ind(s, channel, &d)) { 1327 d->dlci = dlci; 1328 d->addr = __addr(s->initiator, dlci); 1329 rfcomm_dlc_link(s, d); 1330 1331 rfcomm_check_accept(d); 1332 } else { 1333 rfcomm_send_dm(s, dlci); 1334 } 1335 1336 return 0; 1337 } 1338 1339 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1340 { 1341 struct rfcomm_session *s = d->session; 1342 1343 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1344 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1345 1346 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1347 pn->flow_ctrl == 0xe0) { 1348 d->cfc = RFCOMM_CFC_ENABLED; 1349 d->tx_credits = pn->credits; 1350 } else { 1351 d->cfc = RFCOMM_CFC_DISABLED; 1352 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1353 } 1354 1355 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1356 s->cfc = d->cfc; 1357 1358 d->priority = pn->priority; 1359 1360 d->mtu = __le16_to_cpu(pn->mtu); 1361 1362 if (cr && d->mtu > s->mtu) 1363 d->mtu = s->mtu; 1364 1365 return 0; 1366 } 1367 1368 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1369 { 1370 struct rfcomm_pn *pn = (void *) skb->data; 1371 struct rfcomm_dlc *d; 1372 u8 dlci = pn->dlci; 1373 1374 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1375 1376 if (!dlci) 1377 return 0; 1378 1379 d = rfcomm_dlc_get(s, dlci); 1380 if (d) { 1381 if (cr) { 1382 /* PN request */ 1383 rfcomm_apply_pn(d, cr, pn); 1384 rfcomm_send_pn(s, 0, d); 1385 } else { 1386 /* PN response */ 1387 switch (d->state) { 1388 case BT_CONFIG: 1389 rfcomm_apply_pn(d, cr, pn); 1390 1391 d->state = BT_CONNECT; 1392 rfcomm_send_sabm(s, d->dlci); 1393 break; 1394 } 1395 } 1396 } else { 1397 u8 channel = __srv_channel(dlci); 1398 1399 if (!cr) 1400 return 0; 1401 1402 /* PN request for non existing DLC. 1403 * Assume incoming connection. */ 1404 if (rfcomm_connect_ind(s, channel, &d)) { 1405 d->dlci = dlci; 1406 d->addr = __addr(s->initiator, dlci); 1407 rfcomm_dlc_link(s, d); 1408 1409 rfcomm_apply_pn(d, cr, pn); 1410 1411 d->state = BT_OPEN; 1412 rfcomm_send_pn(s, 0, d); 1413 } else { 1414 rfcomm_send_dm(s, dlci); 1415 } 1416 } 1417 return 0; 1418 } 1419 1420 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1421 { 1422 struct rfcomm_rpn *rpn = (void *) skb->data; 1423 u8 dlci = __get_dlci(rpn->dlci); 1424 1425 u8 bit_rate = 0; 1426 u8 data_bits = 0; 1427 u8 stop_bits = 0; 1428 u8 parity = 0; 1429 u8 flow_ctrl = 0; 1430 u8 xon_char = 0; 1431 u8 xoff_char = 0; 1432 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1433 1434 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1435 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1436 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1437 1438 if (!cr) 1439 return 0; 1440 1441 if (len == 1) { 1442 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1443 bit_rate = RFCOMM_RPN_BR_9600; 1444 data_bits = RFCOMM_RPN_DATA_8; 1445 stop_bits = RFCOMM_RPN_STOP_1; 1446 parity = RFCOMM_RPN_PARITY_NONE; 1447 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1448 xon_char = RFCOMM_RPN_XON_CHAR; 1449 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1450 goto rpn_out; 1451 } 1452 1453 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1454 * no parity, no flow control lines, normal XON/XOFF chars */ 1455 1456 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1457 bit_rate = rpn->bit_rate; 1458 if (bit_rate > RFCOMM_RPN_BR_230400) { 1459 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1460 bit_rate = RFCOMM_RPN_BR_9600; 1461 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1462 } 1463 } 1464 1465 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1466 data_bits = __get_rpn_data_bits(rpn->line_settings); 1467 if (data_bits != RFCOMM_RPN_DATA_8) { 1468 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1469 data_bits = RFCOMM_RPN_DATA_8; 1470 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1471 } 1472 } 1473 1474 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1475 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1476 if (stop_bits != RFCOMM_RPN_STOP_1) { 1477 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1478 stop_bits = RFCOMM_RPN_STOP_1; 1479 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1480 } 1481 } 1482 1483 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1484 parity = __get_rpn_parity(rpn->line_settings); 1485 if (parity != RFCOMM_RPN_PARITY_NONE) { 1486 BT_DBG("RPN parity mismatch 0x%x", parity); 1487 parity = RFCOMM_RPN_PARITY_NONE; 1488 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1489 } 1490 } 1491 1492 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1493 flow_ctrl = rpn->flow_ctrl; 1494 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1495 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1496 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1497 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1498 } 1499 } 1500 1501 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1502 xon_char = rpn->xon_char; 1503 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1504 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1505 xon_char = RFCOMM_RPN_XON_CHAR; 1506 rpn_mask ^= RFCOMM_RPN_PM_XON; 1507 } 1508 } 1509 1510 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1511 xoff_char = rpn->xoff_char; 1512 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1513 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1514 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1515 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1516 } 1517 } 1518 1519 rpn_out: 1520 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1521 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1522 1523 return 0; 1524 } 1525 1526 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1527 { 1528 struct rfcomm_rls *rls = (void *) skb->data; 1529 u8 dlci = __get_dlci(rls->dlci); 1530 1531 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1532 1533 if (!cr) 1534 return 0; 1535 1536 /* We should probably do something with this information here. But 1537 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1538 * mandatory to recognise and respond to RLS */ 1539 1540 rfcomm_send_rls(s, 0, dlci, rls->status); 1541 1542 return 0; 1543 } 1544 1545 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1546 { 1547 struct rfcomm_msc *msc = (void *) skb->data; 1548 struct rfcomm_dlc *d; 1549 u8 dlci = __get_dlci(msc->dlci); 1550 1551 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1552 1553 d = rfcomm_dlc_get(s, dlci); 1554 if (!d) 1555 return 0; 1556 1557 if (cr) { 1558 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1559 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1560 else 1561 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1562 1563 rfcomm_dlc_lock(d); 1564 1565 d->remote_v24_sig = msc->v24_sig; 1566 1567 if (d->modem_status) 1568 d->modem_status(d, msc->v24_sig); 1569 1570 rfcomm_dlc_unlock(d); 1571 1572 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1573 1574 d->mscex |= RFCOMM_MSCEX_RX; 1575 } else 1576 d->mscex |= RFCOMM_MSCEX_TX; 1577 1578 return 0; 1579 } 1580 1581 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1582 { 1583 struct rfcomm_mcc *mcc = (void *) skb->data; 1584 u8 type, cr, len; 1585 1586 cr = __test_cr(mcc->type); 1587 type = __get_mcc_type(mcc->type); 1588 len = __get_mcc_len(mcc->len); 1589 1590 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1591 1592 skb_pull(skb, 2); 1593 1594 switch (type) { 1595 case RFCOMM_PN: 1596 rfcomm_recv_pn(s, cr, skb); 1597 break; 1598 1599 case RFCOMM_RPN: 1600 rfcomm_recv_rpn(s, cr, len, skb); 1601 break; 1602 1603 case RFCOMM_RLS: 1604 rfcomm_recv_rls(s, cr, skb); 1605 break; 1606 1607 case RFCOMM_MSC: 1608 rfcomm_recv_msc(s, cr, skb); 1609 break; 1610 1611 case RFCOMM_FCOFF: 1612 if (cr) { 1613 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1614 rfcomm_send_fcoff(s, 0); 1615 } 1616 break; 1617 1618 case RFCOMM_FCON: 1619 if (cr) { 1620 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1621 rfcomm_send_fcon(s, 0); 1622 } 1623 break; 1624 1625 case RFCOMM_TEST: 1626 if (cr) 1627 rfcomm_send_test(s, 0, skb->data, skb->len); 1628 break; 1629 1630 case RFCOMM_NSC: 1631 break; 1632 1633 default: 1634 BT_ERR("Unknown control type 0x%02x", type); 1635 rfcomm_send_nsc(s, cr, type); 1636 break; 1637 } 1638 return 0; 1639 } 1640 1641 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1642 { 1643 struct rfcomm_dlc *d; 1644 1645 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1646 1647 d = rfcomm_dlc_get(s, dlci); 1648 if (!d) { 1649 rfcomm_send_dm(s, dlci); 1650 goto drop; 1651 } 1652 1653 if (pf && d->cfc) { 1654 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1655 1656 d->tx_credits += credits; 1657 if (d->tx_credits) 1658 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1659 } 1660 1661 if (skb->len && d->state == BT_CONNECTED) { 1662 rfcomm_dlc_lock(d); 1663 d->rx_credits--; 1664 d->data_ready(d, skb); 1665 rfcomm_dlc_unlock(d); 1666 return 0; 1667 } 1668 1669 drop: 1670 kfree_skb(skb); 1671 return 0; 1672 } 1673 1674 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) 1675 { 1676 struct rfcomm_hdr *hdr = (void *) skb->data; 1677 u8 type, dlci, fcs; 1678 1679 dlci = __get_dlci(hdr->addr); 1680 type = __get_type(hdr->ctrl); 1681 1682 /* Trim FCS */ 1683 skb->len--; skb->tail--; 1684 fcs = *(u8 *)skb_tail_pointer(skb); 1685 1686 if (__check_fcs(skb->data, type, fcs)) { 1687 BT_ERR("bad checksum in packet"); 1688 kfree_skb(skb); 1689 return -EILSEQ; 1690 } 1691 1692 if (__test_ea(hdr->len)) 1693 skb_pull(skb, 3); 1694 else 1695 skb_pull(skb, 4); 1696 1697 switch (type) { 1698 case RFCOMM_SABM: 1699 if (__test_pf(hdr->ctrl)) 1700 rfcomm_recv_sabm(s, dlci); 1701 break; 1702 1703 case RFCOMM_DISC: 1704 if (__test_pf(hdr->ctrl)) 1705 rfcomm_recv_disc(s, dlci); 1706 break; 1707 1708 case RFCOMM_UA: 1709 if (__test_pf(hdr->ctrl)) 1710 rfcomm_recv_ua(s, dlci); 1711 break; 1712 1713 case RFCOMM_DM: 1714 rfcomm_recv_dm(s, dlci); 1715 break; 1716 1717 case RFCOMM_UIH: 1718 if (dlci) 1719 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1720 1721 rfcomm_recv_mcc(s, skb); 1722 break; 1723 1724 default: 1725 BT_ERR("Unknown packet type 0x%02x", type); 1726 break; 1727 } 1728 kfree_skb(skb); 1729 return 0; 1730 } 1731 1732 /* ---- Connection and data processing ---- */ 1733 1734 static void rfcomm_process_connect(struct rfcomm_session *s) 1735 { 1736 struct rfcomm_dlc *d; 1737 struct list_head *p, *n; 1738 1739 BT_DBG("session %p state %ld", s, s->state); 1740 1741 list_for_each_safe(p, n, &s->dlcs) { 1742 d = list_entry(p, struct rfcomm_dlc, list); 1743 if (d->state == BT_CONFIG) { 1744 d->mtu = s->mtu; 1745 if (rfcomm_check_security(d)) { 1746 rfcomm_send_pn(s, 1, d); 1747 } else { 1748 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1749 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1750 } 1751 } 1752 } 1753 } 1754 1755 /* Send data queued for the DLC. 1756 * Return number of frames left in the queue. 1757 */ 1758 static inline int rfcomm_process_tx(struct rfcomm_dlc *d) 1759 { 1760 struct sk_buff *skb; 1761 int err; 1762 1763 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1764 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1765 1766 /* Send pending MSC */ 1767 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1768 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1769 1770 if (d->cfc) { 1771 /* CFC enabled. 1772 * Give them some credits */ 1773 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1774 d->rx_credits <= (d->cfc >> 2)) { 1775 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1776 d->rx_credits = d->cfc; 1777 } 1778 } else { 1779 /* CFC disabled. 1780 * Give ourselves some credits */ 1781 d->tx_credits = 5; 1782 } 1783 1784 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1785 return skb_queue_len(&d->tx_queue); 1786 1787 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1788 err = rfcomm_send_frame(d->session, skb->data, skb->len, 1789 skb->priority); 1790 if (err < 0) { 1791 skb_queue_head(&d->tx_queue, skb); 1792 break; 1793 } 1794 kfree_skb(skb); 1795 d->tx_credits--; 1796 } 1797 1798 if (d->cfc && !d->tx_credits) { 1799 /* We're out of TX credits. 1800 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1801 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1802 } 1803 1804 return skb_queue_len(&d->tx_queue); 1805 } 1806 1807 static inline void rfcomm_process_dlcs(struct rfcomm_session *s) 1808 { 1809 struct rfcomm_dlc *d; 1810 struct list_head *p, *n; 1811 1812 BT_DBG("session %p state %ld", s, s->state); 1813 1814 list_for_each_safe(p, n, &s->dlcs) { 1815 d = list_entry(p, struct rfcomm_dlc, list); 1816 1817 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1818 __rfcomm_dlc_close(d, ETIMEDOUT); 1819 continue; 1820 } 1821 1822 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1823 __rfcomm_dlc_close(d, ECONNREFUSED); 1824 continue; 1825 } 1826 1827 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1828 rfcomm_dlc_clear_timer(d); 1829 if (d->out) { 1830 rfcomm_send_pn(s, 1, d); 1831 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1832 } else { 1833 if (d->defer_setup) { 1834 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1835 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1836 1837 rfcomm_dlc_lock(d); 1838 d->state = BT_CONNECT2; 1839 d->state_change(d, 0); 1840 rfcomm_dlc_unlock(d); 1841 } else 1842 rfcomm_dlc_accept(d); 1843 } 1844 continue; 1845 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1846 rfcomm_dlc_clear_timer(d); 1847 if (!d->out) 1848 rfcomm_send_dm(s, d->dlci); 1849 else 1850 d->state = BT_CLOSED; 1851 __rfcomm_dlc_close(d, ECONNREFUSED); 1852 continue; 1853 } 1854 1855 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1856 continue; 1857 1858 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1859 continue; 1860 1861 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1862 d->mscex == RFCOMM_MSCEX_OK) 1863 rfcomm_process_tx(d); 1864 } 1865 } 1866 1867 static inline void rfcomm_process_rx(struct rfcomm_session *s) 1868 { 1869 struct socket *sock = s->sock; 1870 struct sock *sk = sock->sk; 1871 struct sk_buff *skb; 1872 1873 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1874 1875 /* Get data directly from socket receive queue without copying it. */ 1876 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1877 skb_orphan(skb); 1878 if (!skb_linearize(skb)) 1879 rfcomm_recv_frame(s, skb); 1880 else 1881 kfree_skb(skb); 1882 } 1883 1884 if (sk->sk_state == BT_CLOSED) { 1885 if (!s->initiator) 1886 rfcomm_session_put(s); 1887 1888 rfcomm_session_close(s, sk->sk_err); 1889 } 1890 } 1891 1892 static inline void rfcomm_accept_connection(struct rfcomm_session *s) 1893 { 1894 struct socket *sock = s->sock, *nsock; 1895 int err; 1896 1897 /* Fast check for a new connection. 1898 * Avoids unnesesary socket allocations. */ 1899 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1900 return; 1901 1902 BT_DBG("session %p", s); 1903 1904 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1905 if (err < 0) 1906 return; 1907 1908 /* Set our callbacks */ 1909 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1910 nsock->sk->sk_state_change = rfcomm_l2state_change; 1911 1912 s = rfcomm_session_add(nsock, BT_OPEN); 1913 if (s) { 1914 rfcomm_session_hold(s); 1915 1916 /* We should adjust MTU on incoming sessions. 1917 * L2CAP MTU minus UIH header and FCS. */ 1918 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1919 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1920 1921 rfcomm_schedule(); 1922 } else 1923 sock_release(nsock); 1924 } 1925 1926 static inline void rfcomm_check_connection(struct rfcomm_session *s) 1927 { 1928 struct sock *sk = s->sock->sk; 1929 1930 BT_DBG("%p state %ld", s, s->state); 1931 1932 switch (sk->sk_state) { 1933 case BT_CONNECTED: 1934 s->state = BT_CONNECT; 1935 1936 /* We can adjust MTU on outgoing sessions. 1937 * L2CAP MTU minus UIH header and FCS. */ 1938 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1939 1940 rfcomm_send_sabm(s, 0); 1941 break; 1942 1943 case BT_CLOSED: 1944 s->state = BT_CLOSED; 1945 rfcomm_session_close(s, sk->sk_err); 1946 break; 1947 } 1948 } 1949 1950 static inline void rfcomm_process_sessions(void) 1951 { 1952 struct list_head *p, *n; 1953 1954 rfcomm_lock(); 1955 1956 list_for_each_safe(p, n, &session_list) { 1957 struct rfcomm_session *s; 1958 s = list_entry(p, struct rfcomm_session, list); 1959 1960 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1961 s->state = BT_DISCONN; 1962 rfcomm_send_disc(s, 0); 1963 rfcomm_session_put(s); 1964 continue; 1965 } 1966 1967 if (s->state == BT_LISTEN) { 1968 rfcomm_accept_connection(s); 1969 continue; 1970 } 1971 1972 rfcomm_session_hold(s); 1973 1974 switch (s->state) { 1975 case BT_BOUND: 1976 rfcomm_check_connection(s); 1977 break; 1978 1979 default: 1980 rfcomm_process_rx(s); 1981 break; 1982 } 1983 1984 rfcomm_process_dlcs(s); 1985 1986 rfcomm_session_put(s); 1987 } 1988 1989 rfcomm_unlock(); 1990 } 1991 1992 static int rfcomm_add_listener(bdaddr_t *ba) 1993 { 1994 struct sockaddr_l2 addr; 1995 struct socket *sock; 1996 struct sock *sk; 1997 struct rfcomm_session *s; 1998 int err = 0; 1999 2000 /* Create socket */ 2001 err = rfcomm_l2sock_create(&sock); 2002 if (err < 0) { 2003 BT_ERR("Create socket failed %d", err); 2004 return err; 2005 } 2006 2007 /* Bind socket */ 2008 bacpy(&addr.l2_bdaddr, ba); 2009 addr.l2_family = AF_BLUETOOTH; 2010 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 2011 addr.l2_cid = 0; 2012 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 2013 if (err < 0) { 2014 BT_ERR("Bind failed %d", err); 2015 goto failed; 2016 } 2017 2018 /* Set L2CAP options */ 2019 sk = sock->sk; 2020 lock_sock(sk); 2021 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 2022 release_sock(sk); 2023 2024 /* Start listening on the socket */ 2025 err = kernel_listen(sock, 10); 2026 if (err) { 2027 BT_ERR("Listen failed %d", err); 2028 goto failed; 2029 } 2030 2031 /* Add listening session */ 2032 s = rfcomm_session_add(sock, BT_LISTEN); 2033 if (!s) 2034 goto failed; 2035 2036 rfcomm_session_hold(s); 2037 return 0; 2038 failed: 2039 sock_release(sock); 2040 return err; 2041 } 2042 2043 static void rfcomm_kill_listener(void) 2044 { 2045 struct rfcomm_session *s; 2046 struct list_head *p, *n; 2047 2048 BT_DBG(""); 2049 2050 list_for_each_safe(p, n, &session_list) { 2051 s = list_entry(p, struct rfcomm_session, list); 2052 rfcomm_session_del(s); 2053 } 2054 } 2055 2056 static int rfcomm_run(void *unused) 2057 { 2058 BT_DBG(""); 2059 2060 set_user_nice(current, -10); 2061 2062 rfcomm_add_listener(BDADDR_ANY); 2063 2064 while (1) { 2065 set_current_state(TASK_INTERRUPTIBLE); 2066 2067 if (kthread_should_stop()) 2068 break; 2069 2070 /* Process stuff */ 2071 rfcomm_process_sessions(); 2072 2073 schedule(); 2074 } 2075 __set_current_state(TASK_RUNNING); 2076 2077 rfcomm_kill_listener(); 2078 2079 return 0; 2080 } 2081 2082 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2083 { 2084 struct rfcomm_session *s; 2085 struct rfcomm_dlc *d; 2086 struct list_head *p, *n; 2087 2088 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2089 2090 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2091 if (!s) 2092 return; 2093 2094 rfcomm_session_hold(s); 2095 2096 list_for_each_safe(p, n, &s->dlcs) { 2097 d = list_entry(p, struct rfcomm_dlc, list); 2098 2099 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2100 rfcomm_dlc_clear_timer(d); 2101 if (status || encrypt == 0x00) { 2102 set_bit(RFCOMM_ENC_DROP, &d->flags); 2103 continue; 2104 } 2105 } 2106 2107 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2108 if (d->sec_level == BT_SECURITY_MEDIUM) { 2109 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2110 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2111 continue; 2112 } else if (d->sec_level == BT_SECURITY_HIGH) { 2113 set_bit(RFCOMM_ENC_DROP, &d->flags); 2114 continue; 2115 } 2116 } 2117 2118 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2119 continue; 2120 2121 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2122 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2123 else 2124 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2125 } 2126 2127 rfcomm_session_put(s); 2128 2129 rfcomm_schedule(); 2130 } 2131 2132 static struct hci_cb rfcomm_cb = { 2133 .name = "RFCOMM", 2134 .security_cfm = rfcomm_security_cfm 2135 }; 2136 2137 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2138 { 2139 struct rfcomm_session *s; 2140 2141 rfcomm_lock(); 2142 2143 list_for_each_entry(s, &session_list, list) { 2144 struct rfcomm_dlc *d; 2145 list_for_each_entry(d, &s->dlcs, list) { 2146 struct sock *sk = s->sock->sk; 2147 2148 seq_printf(f, "%s %s %ld %d %d %d %d\n", 2149 batostr(&bt_sk(sk)->src), 2150 batostr(&bt_sk(sk)->dst), 2151 d->state, d->dlci, d->mtu, 2152 d->rx_credits, d->tx_credits); 2153 } 2154 } 2155 2156 rfcomm_unlock(); 2157 2158 return 0; 2159 } 2160 2161 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2162 { 2163 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2164 } 2165 2166 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2167 .open = rfcomm_dlc_debugfs_open, 2168 .read = seq_read, 2169 .llseek = seq_lseek, 2170 .release = single_release, 2171 }; 2172 2173 static struct dentry *rfcomm_dlc_debugfs; 2174 2175 /* ---- Initialization ---- */ 2176 static int __init rfcomm_init(void) 2177 { 2178 int err; 2179 2180 hci_register_cb(&rfcomm_cb); 2181 2182 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2183 if (IS_ERR(rfcomm_thread)) { 2184 err = PTR_ERR(rfcomm_thread); 2185 goto unregister; 2186 } 2187 2188 if (bt_debugfs) { 2189 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2190 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops); 2191 if (!rfcomm_dlc_debugfs) 2192 BT_ERR("Failed to create RFCOMM debug file"); 2193 } 2194 2195 err = rfcomm_init_ttys(); 2196 if (err < 0) 2197 goto stop; 2198 2199 err = rfcomm_init_sockets(); 2200 if (err < 0) 2201 goto cleanup; 2202 2203 BT_INFO("RFCOMM ver %s", VERSION); 2204 2205 return 0; 2206 2207 cleanup: 2208 rfcomm_cleanup_ttys(); 2209 2210 stop: 2211 kthread_stop(rfcomm_thread); 2212 2213 unregister: 2214 hci_unregister_cb(&rfcomm_cb); 2215 2216 return err; 2217 } 2218 2219 static void __exit rfcomm_exit(void) 2220 { 2221 debugfs_remove(rfcomm_dlc_debugfs); 2222 2223 hci_unregister_cb(&rfcomm_cb); 2224 2225 kthread_stop(rfcomm_thread); 2226 2227 rfcomm_cleanup_ttys(); 2228 2229 rfcomm_cleanup_sockets(); 2230 } 2231 2232 module_init(rfcomm_init); 2233 module_exit(rfcomm_exit); 2234 2235 module_param(disable_cfc, bool, 0644); 2236 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2237 2238 module_param(channel_mtu, int, 0644); 2239 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2240 2241 module_param(l2cap_mtu, uint, 0644); 2242 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2243 2244 module_param(l2cap_ertm, bool, 0644); 2245 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2246 2247 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2248 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2249 MODULE_VERSION(VERSION); 2250 MODULE_LICENSE("GPL"); 2251 MODULE_ALIAS("bt-proto-3"); 2252