1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/errno.h> 30 #include <linux/kernel.h> 31 #include <linux/sched.h> 32 #include <linux/signal.h> 33 #include <linux/init.h> 34 #include <linux/wait.h> 35 #include <linux/device.h> 36 #include <linux/debugfs.h> 37 #include <linux/seq_file.h> 38 #include <linux/net.h> 39 #include <linux/mutex.h> 40 #include <linux/kthread.h> 41 #include <linux/slab.h> 42 43 #include <net/sock.h> 44 #include <asm/uaccess.h> 45 #include <asm/unaligned.h> 46 47 #include <net/bluetooth/bluetooth.h> 48 #include <net/bluetooth/hci_core.h> 49 #include <net/bluetooth/l2cap.h> 50 #include <net/bluetooth/rfcomm.h> 51 52 #define VERSION "1.11" 53 54 static int disable_cfc = 0; 55 static int channel_mtu = -1; 56 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 57 static int l2cap_ertm = 0; 58 59 static struct task_struct *rfcomm_thread; 60 61 static DEFINE_MUTEX(rfcomm_mutex); 62 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 64 65 static unsigned long rfcomm_event; 66 67 static LIST_HEAD(session_list); 68 69 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 70 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 71 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 72 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 73 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 74 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 75 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 76 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 77 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 78 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 79 80 static void rfcomm_process_connect(struct rfcomm_session *s); 81 82 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err); 83 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 84 static void rfcomm_session_del(struct rfcomm_session *s); 85 86 /* ---- RFCOMM frame parsing macros ---- */ 87 #define __get_dlci(b) ((b & 0xfc) >> 2) 88 #define __get_channel(b) ((b & 0xf8) >> 3) 89 #define __get_dir(b) ((b & 0x04) >> 2) 90 #define __get_type(b) ((b & 0xef)) 91 92 #define __test_ea(b) ((b & 0x01)) 93 #define __test_cr(b) ((b & 0x02)) 94 #define __test_pf(b) ((b & 0x10)) 95 96 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 97 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 98 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 99 #define __srv_channel(dlci) (dlci >> 1) 100 #define __dir(dlci) (dlci & 0x01) 101 102 #define __len8(len) (((len) << 1) | 1) 103 #define __len16(len) ((len) << 1) 104 105 /* MCC macros */ 106 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 107 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 108 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 109 110 /* RPN macros */ 111 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 112 #define __get_rpn_data_bits(line) ((line) & 0x3) 113 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 114 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 115 116 static inline void rfcomm_schedule(void) 117 { 118 if (!rfcomm_thread) 119 return; 120 set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event); 121 wake_up_process(rfcomm_thread); 122 } 123 124 static inline void rfcomm_session_put(struct rfcomm_session *s) 125 { 126 if (atomic_dec_and_test(&s->refcnt)) 127 rfcomm_session_del(s); 128 } 129 130 /* ---- RFCOMM FCS computation ---- */ 131 132 /* reversed, 8-bit, poly=0x07 */ 133 static unsigned char rfcomm_crc_table[256] = { 134 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 135 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 136 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 137 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 138 139 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 140 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 141 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 142 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 143 144 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 145 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 146 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 147 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 148 149 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 150 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 151 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 152 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 153 154 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 155 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 156 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 157 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 158 159 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 160 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 161 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 162 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 163 164 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 165 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 166 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 167 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 168 169 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 170 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 171 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 172 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 173 }; 174 175 /* CRC on 2 bytes */ 176 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 177 178 /* FCS on 2 bytes */ 179 static inline u8 __fcs(u8 *data) 180 { 181 return 0xff - __crc(data); 182 } 183 184 /* FCS on 3 bytes */ 185 static inline u8 __fcs2(u8 *data) 186 { 187 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 188 } 189 190 /* Check FCS */ 191 static inline int __check_fcs(u8 *data, int type, u8 fcs) 192 { 193 u8 f = __crc(data); 194 195 if (type != RFCOMM_UIH) 196 f = rfcomm_crc_table[f ^ data[2]]; 197 198 return rfcomm_crc_table[f ^ fcs] != 0xcf; 199 } 200 201 /* ---- L2CAP callbacks ---- */ 202 static void rfcomm_l2state_change(struct sock *sk) 203 { 204 BT_DBG("%p state %d", sk, sk->sk_state); 205 rfcomm_schedule(); 206 } 207 208 static void rfcomm_l2data_ready(struct sock *sk, int bytes) 209 { 210 BT_DBG("%p bytes %d", sk, bytes); 211 rfcomm_schedule(); 212 } 213 214 static int rfcomm_l2sock_create(struct socket **sock) 215 { 216 int err; 217 218 BT_DBG(""); 219 220 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 221 if (!err) { 222 struct sock *sk = (*sock)->sk; 223 sk->sk_data_ready = rfcomm_l2data_ready; 224 sk->sk_state_change = rfcomm_l2state_change; 225 } 226 return err; 227 } 228 229 static inline int rfcomm_check_security(struct rfcomm_dlc *d) 230 { 231 struct sock *sk = d->session->sock->sk; 232 __u8 auth_type; 233 234 switch (d->sec_level) { 235 case BT_SECURITY_HIGH: 236 auth_type = HCI_AT_GENERAL_BONDING_MITM; 237 break; 238 case BT_SECURITY_MEDIUM: 239 auth_type = HCI_AT_GENERAL_BONDING; 240 break; 241 default: 242 auth_type = HCI_AT_NO_BONDING; 243 break; 244 } 245 246 return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level, 247 auth_type); 248 } 249 250 static void rfcomm_session_timeout(unsigned long arg) 251 { 252 struct rfcomm_session *s = (void *) arg; 253 254 BT_DBG("session %p state %ld", s, s->state); 255 256 set_bit(RFCOMM_TIMED_OUT, &s->flags); 257 rfcomm_schedule(); 258 } 259 260 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 261 { 262 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 263 264 if (!mod_timer(&s->timer, jiffies + timeout)) 265 rfcomm_session_hold(s); 266 } 267 268 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 269 { 270 BT_DBG("session %p state %ld", s, s->state); 271 272 if (timer_pending(&s->timer) && del_timer(&s->timer)) 273 rfcomm_session_put(s); 274 } 275 276 /* ---- RFCOMM DLCs ---- */ 277 static void rfcomm_dlc_timeout(unsigned long arg) 278 { 279 struct rfcomm_dlc *d = (void *) arg; 280 281 BT_DBG("dlc %p state %ld", d, d->state); 282 283 set_bit(RFCOMM_TIMED_OUT, &d->flags); 284 rfcomm_dlc_put(d); 285 rfcomm_schedule(); 286 } 287 288 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 289 { 290 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 291 292 if (!mod_timer(&d->timer, jiffies + timeout)) 293 rfcomm_dlc_hold(d); 294 } 295 296 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 297 { 298 BT_DBG("dlc %p state %ld", d, d->state); 299 300 if (timer_pending(&d->timer) && del_timer(&d->timer)) 301 rfcomm_dlc_put(d); 302 } 303 304 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 305 { 306 BT_DBG("%p", d); 307 308 d->state = BT_OPEN; 309 d->flags = 0; 310 d->mscex = 0; 311 d->mtu = RFCOMM_DEFAULT_MTU; 312 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 313 314 d->cfc = RFCOMM_CFC_DISABLED; 315 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 316 } 317 318 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 319 { 320 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 321 322 if (!d) 323 return NULL; 324 325 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 326 327 skb_queue_head_init(&d->tx_queue); 328 spin_lock_init(&d->lock); 329 atomic_set(&d->refcnt, 1); 330 331 rfcomm_dlc_clear_state(d); 332 333 BT_DBG("%p", d); 334 335 return d; 336 } 337 338 void rfcomm_dlc_free(struct rfcomm_dlc *d) 339 { 340 BT_DBG("%p", d); 341 342 skb_queue_purge(&d->tx_queue); 343 kfree(d); 344 } 345 346 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 347 { 348 BT_DBG("dlc %p session %p", d, s); 349 350 rfcomm_session_hold(s); 351 352 rfcomm_session_clear_timer(s); 353 rfcomm_dlc_hold(d); 354 list_add(&d->list, &s->dlcs); 355 d->session = s; 356 } 357 358 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 359 { 360 struct rfcomm_session *s = d->session; 361 362 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 363 364 list_del(&d->list); 365 d->session = NULL; 366 rfcomm_dlc_put(d); 367 368 if (list_empty(&s->dlcs)) 369 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 370 371 rfcomm_session_put(s); 372 } 373 374 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 375 { 376 struct rfcomm_dlc *d; 377 struct list_head *p; 378 379 list_for_each(p, &s->dlcs) { 380 d = list_entry(p, struct rfcomm_dlc, list); 381 if (d->dlci == dlci) 382 return d; 383 } 384 return NULL; 385 } 386 387 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 388 { 389 struct rfcomm_session *s; 390 int err = 0; 391 u8 dlci; 392 393 BT_DBG("dlc %p state %ld %s %s channel %d", 394 d, d->state, batostr(src), batostr(dst), channel); 395 396 if (channel < 1 || channel > 30) 397 return -EINVAL; 398 399 if (d->state != BT_OPEN && d->state != BT_CLOSED) 400 return 0; 401 402 s = rfcomm_session_get(src, dst); 403 if (!s) { 404 s = rfcomm_session_create(src, dst, &err); 405 if (!s) 406 return err; 407 } 408 409 dlci = __dlci(!s->initiator, channel); 410 411 /* Check if DLCI already exists */ 412 if (rfcomm_dlc_get(s, dlci)) 413 return -EBUSY; 414 415 rfcomm_dlc_clear_state(d); 416 417 d->dlci = dlci; 418 d->addr = __addr(s->initiator, dlci); 419 d->priority = 7; 420 421 d->state = BT_CONFIG; 422 rfcomm_dlc_link(s, d); 423 424 d->out = 1; 425 426 d->mtu = s->mtu; 427 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 428 429 if (s->state == BT_CONNECTED) { 430 if (rfcomm_check_security(d)) 431 rfcomm_send_pn(s, 1, d); 432 else 433 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 434 } 435 436 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 437 438 return 0; 439 } 440 441 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 442 { 443 int r; 444 445 rfcomm_lock(); 446 447 r = __rfcomm_dlc_open(d, src, dst, channel); 448 449 rfcomm_unlock(); 450 return r; 451 } 452 453 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 454 { 455 struct rfcomm_session *s = d->session; 456 if (!s) 457 return 0; 458 459 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 460 d, d->state, d->dlci, err, s); 461 462 switch (d->state) { 463 case BT_CONNECT: 464 case BT_CONFIG: 465 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 466 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 467 rfcomm_schedule(); 468 break; 469 } 470 /* Fall through */ 471 472 case BT_CONNECTED: 473 d->state = BT_DISCONN; 474 if (skb_queue_empty(&d->tx_queue)) { 475 rfcomm_send_disc(s, d->dlci); 476 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 477 } else { 478 rfcomm_queue_disc(d); 479 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 480 } 481 break; 482 483 case BT_OPEN: 484 case BT_CONNECT2: 485 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 486 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 487 rfcomm_schedule(); 488 break; 489 } 490 /* Fall through */ 491 492 default: 493 rfcomm_dlc_clear_timer(d); 494 495 rfcomm_dlc_lock(d); 496 d->state = BT_CLOSED; 497 d->state_change(d, err); 498 rfcomm_dlc_unlock(d); 499 500 skb_queue_purge(&d->tx_queue); 501 rfcomm_dlc_unlink(d); 502 } 503 504 return 0; 505 } 506 507 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 508 { 509 int r; 510 511 rfcomm_lock(); 512 513 r = __rfcomm_dlc_close(d, err); 514 515 rfcomm_unlock(); 516 return r; 517 } 518 519 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 520 { 521 int len = skb->len; 522 523 if (d->state != BT_CONNECTED) 524 return -ENOTCONN; 525 526 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 527 528 if (len > d->mtu) 529 return -EINVAL; 530 531 rfcomm_make_uih(skb, d->addr); 532 skb_queue_tail(&d->tx_queue, skb); 533 534 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 535 rfcomm_schedule(); 536 return len; 537 } 538 539 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 540 { 541 BT_DBG("dlc %p state %ld", d, d->state); 542 543 if (!d->cfc) { 544 d->v24_sig |= RFCOMM_V24_FC; 545 set_bit(RFCOMM_MSC_PENDING, &d->flags); 546 } 547 rfcomm_schedule(); 548 } 549 550 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 551 { 552 BT_DBG("dlc %p state %ld", d, d->state); 553 554 if (!d->cfc) { 555 d->v24_sig &= ~RFCOMM_V24_FC; 556 set_bit(RFCOMM_MSC_PENDING, &d->flags); 557 } 558 rfcomm_schedule(); 559 } 560 561 /* 562 Set/get modem status functions use _local_ status i.e. what we report 563 to the other side. 564 Remote status is provided by dlc->modem_status() callback. 565 */ 566 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 567 { 568 BT_DBG("dlc %p state %ld v24_sig 0x%x", 569 d, d->state, v24_sig); 570 571 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 572 v24_sig |= RFCOMM_V24_FC; 573 else 574 v24_sig &= ~RFCOMM_V24_FC; 575 576 d->v24_sig = v24_sig; 577 578 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 579 rfcomm_schedule(); 580 581 return 0; 582 } 583 584 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 585 { 586 BT_DBG("dlc %p state %ld v24_sig 0x%x", 587 d, d->state, d->v24_sig); 588 589 *v24_sig = d->v24_sig; 590 return 0; 591 } 592 593 /* ---- RFCOMM sessions ---- */ 594 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 595 { 596 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 597 598 if (!s) 599 return NULL; 600 601 BT_DBG("session %p sock %p", s, sock); 602 603 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 604 605 INIT_LIST_HEAD(&s->dlcs); 606 s->state = state; 607 s->sock = sock; 608 609 s->mtu = RFCOMM_DEFAULT_MTU; 610 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 611 612 /* Do not increment module usage count for listening sessions. 613 * Otherwise we won't be able to unload the module. */ 614 if (state != BT_LISTEN) 615 if (!try_module_get(THIS_MODULE)) { 616 kfree(s); 617 return NULL; 618 } 619 620 list_add(&s->list, &session_list); 621 622 return s; 623 } 624 625 static void rfcomm_session_del(struct rfcomm_session *s) 626 { 627 int state = s->state; 628 629 BT_DBG("session %p state %ld", s, s->state); 630 631 list_del(&s->list); 632 633 if (state == BT_CONNECTED) 634 rfcomm_send_disc(s, 0); 635 636 rfcomm_session_clear_timer(s); 637 sock_release(s->sock); 638 kfree(s); 639 640 if (state != BT_LISTEN) 641 module_put(THIS_MODULE); 642 } 643 644 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 645 { 646 struct rfcomm_session *s; 647 struct list_head *p, *n; 648 struct bt_sock *sk; 649 list_for_each_safe(p, n, &session_list) { 650 s = list_entry(p, struct rfcomm_session, list); 651 sk = bt_sk(s->sock->sk); 652 653 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) && 654 !bacmp(&sk->dst, dst)) 655 return s; 656 } 657 return NULL; 658 } 659 660 static void rfcomm_session_close(struct rfcomm_session *s, int err) 661 { 662 struct rfcomm_dlc *d; 663 struct list_head *p, *n; 664 665 BT_DBG("session %p state %ld err %d", s, s->state, err); 666 667 rfcomm_session_hold(s); 668 669 s->state = BT_CLOSED; 670 671 /* Close all dlcs */ 672 list_for_each_safe(p, n, &s->dlcs) { 673 d = list_entry(p, struct rfcomm_dlc, list); 674 d->state = BT_CLOSED; 675 __rfcomm_dlc_close(d, err); 676 } 677 678 rfcomm_session_clear_timer(s); 679 rfcomm_session_put(s); 680 } 681 682 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err) 683 { 684 struct rfcomm_session *s = NULL; 685 struct sockaddr_l2 addr; 686 struct socket *sock; 687 struct sock *sk; 688 689 BT_DBG("%s %s", batostr(src), batostr(dst)); 690 691 *err = rfcomm_l2sock_create(&sock); 692 if (*err < 0) 693 return NULL; 694 695 bacpy(&addr.l2_bdaddr, src); 696 addr.l2_family = AF_BLUETOOTH; 697 addr.l2_psm = 0; 698 addr.l2_cid = 0; 699 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 700 if (*err < 0) 701 goto failed; 702 703 /* Set L2CAP options */ 704 sk = sock->sk; 705 lock_sock(sk); 706 l2cap_pi(sk)->imtu = l2cap_mtu; 707 if (l2cap_ertm) 708 l2cap_pi(sk)->mode = L2CAP_MODE_ERTM; 709 release_sock(sk); 710 711 s = rfcomm_session_add(sock, BT_BOUND); 712 if (!s) { 713 *err = -ENOMEM; 714 goto failed; 715 } 716 717 s->initiator = 1; 718 719 bacpy(&addr.l2_bdaddr, dst); 720 addr.l2_family = AF_BLUETOOTH; 721 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 722 addr.l2_cid = 0; 723 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 724 if (*err == 0 || *err == -EINPROGRESS) 725 return s; 726 727 rfcomm_session_del(s); 728 return NULL; 729 730 failed: 731 sock_release(sock); 732 return NULL; 733 } 734 735 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 736 { 737 struct sock *sk = s->sock->sk; 738 if (src) 739 bacpy(src, &bt_sk(sk)->src); 740 if (dst) 741 bacpy(dst, &bt_sk(sk)->dst); 742 } 743 744 /* ---- RFCOMM frame sending ---- */ 745 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 746 { 747 struct socket *sock = s->sock; 748 struct kvec iv = { data, len }; 749 struct msghdr msg; 750 751 BT_DBG("session %p len %d", s, len); 752 753 memset(&msg, 0, sizeof(msg)); 754 755 return kernel_sendmsg(sock, &msg, &iv, 1, len); 756 } 757 758 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 759 { 760 struct rfcomm_cmd cmd; 761 762 BT_DBG("%p dlci %d", s, dlci); 763 764 cmd.addr = __addr(s->initiator, dlci); 765 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 766 cmd.len = __len8(0); 767 cmd.fcs = __fcs2((u8 *) &cmd); 768 769 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 770 } 771 772 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 773 { 774 struct rfcomm_cmd cmd; 775 776 BT_DBG("%p dlci %d", s, dlci); 777 778 cmd.addr = __addr(!s->initiator, dlci); 779 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 780 cmd.len = __len8(0); 781 cmd.fcs = __fcs2((u8 *) &cmd); 782 783 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 784 } 785 786 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 787 { 788 struct rfcomm_cmd cmd; 789 790 BT_DBG("%p dlci %d", s, dlci); 791 792 cmd.addr = __addr(s->initiator, dlci); 793 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 794 cmd.len = __len8(0); 795 cmd.fcs = __fcs2((u8 *) &cmd); 796 797 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 798 } 799 800 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 801 { 802 struct rfcomm_cmd *cmd; 803 struct sk_buff *skb; 804 805 BT_DBG("dlc %p dlci %d", d, d->dlci); 806 807 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 808 if (!skb) 809 return -ENOMEM; 810 811 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 812 cmd->addr = d->addr; 813 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 814 cmd->len = __len8(0); 815 cmd->fcs = __fcs2((u8 *) cmd); 816 817 skb_queue_tail(&d->tx_queue, skb); 818 rfcomm_schedule(); 819 return 0; 820 } 821 822 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 823 { 824 struct rfcomm_cmd cmd; 825 826 BT_DBG("%p dlci %d", s, dlci); 827 828 cmd.addr = __addr(!s->initiator, dlci); 829 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 830 cmd.len = __len8(0); 831 cmd.fcs = __fcs2((u8 *) &cmd); 832 833 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 834 } 835 836 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 837 { 838 struct rfcomm_hdr *hdr; 839 struct rfcomm_mcc *mcc; 840 u8 buf[16], *ptr = buf; 841 842 BT_DBG("%p cr %d type %d", s, cr, type); 843 844 hdr = (void *) ptr; ptr += sizeof(*hdr); 845 hdr->addr = __addr(s->initiator, 0); 846 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 847 hdr->len = __len8(sizeof(*mcc) + 1); 848 849 mcc = (void *) ptr; ptr += sizeof(*mcc); 850 mcc->type = __mcc_type(cr, RFCOMM_NSC); 851 mcc->len = __len8(1); 852 853 /* Type that we didn't like */ 854 *ptr = __mcc_type(cr, type); ptr++; 855 856 *ptr = __fcs(buf); ptr++; 857 858 return rfcomm_send_frame(s, buf, ptr - buf); 859 } 860 861 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 862 { 863 struct rfcomm_hdr *hdr; 864 struct rfcomm_mcc *mcc; 865 struct rfcomm_pn *pn; 866 u8 buf[16], *ptr = buf; 867 868 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 869 870 hdr = (void *) ptr; ptr += sizeof(*hdr); 871 hdr->addr = __addr(s->initiator, 0); 872 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 873 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 874 875 mcc = (void *) ptr; ptr += sizeof(*mcc); 876 mcc->type = __mcc_type(cr, RFCOMM_PN); 877 mcc->len = __len8(sizeof(*pn)); 878 879 pn = (void *) ptr; ptr += sizeof(*pn); 880 pn->dlci = d->dlci; 881 pn->priority = d->priority; 882 pn->ack_timer = 0; 883 pn->max_retrans = 0; 884 885 if (s->cfc) { 886 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 887 pn->credits = RFCOMM_DEFAULT_CREDITS; 888 } else { 889 pn->flow_ctrl = 0; 890 pn->credits = 0; 891 } 892 893 if (cr && channel_mtu >= 0) 894 pn->mtu = cpu_to_le16(channel_mtu); 895 else 896 pn->mtu = cpu_to_le16(d->mtu); 897 898 *ptr = __fcs(buf); ptr++; 899 900 return rfcomm_send_frame(s, buf, ptr - buf); 901 } 902 903 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 904 u8 bit_rate, u8 data_bits, u8 stop_bits, 905 u8 parity, u8 flow_ctrl_settings, 906 u8 xon_char, u8 xoff_char, u16 param_mask) 907 { 908 struct rfcomm_hdr *hdr; 909 struct rfcomm_mcc *mcc; 910 struct rfcomm_rpn *rpn; 911 u8 buf[16], *ptr = buf; 912 913 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 914 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 915 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 916 flow_ctrl_settings, xon_char, xoff_char, param_mask); 917 918 hdr = (void *) ptr; ptr += sizeof(*hdr); 919 hdr->addr = __addr(s->initiator, 0); 920 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 921 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 922 923 mcc = (void *) ptr; ptr += sizeof(*mcc); 924 mcc->type = __mcc_type(cr, RFCOMM_RPN); 925 mcc->len = __len8(sizeof(*rpn)); 926 927 rpn = (void *) ptr; ptr += sizeof(*rpn); 928 rpn->dlci = __addr(1, dlci); 929 rpn->bit_rate = bit_rate; 930 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 931 rpn->flow_ctrl = flow_ctrl_settings; 932 rpn->xon_char = xon_char; 933 rpn->xoff_char = xoff_char; 934 rpn->param_mask = cpu_to_le16(param_mask); 935 936 *ptr = __fcs(buf); ptr++; 937 938 return rfcomm_send_frame(s, buf, ptr - buf); 939 } 940 941 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 942 { 943 struct rfcomm_hdr *hdr; 944 struct rfcomm_mcc *mcc; 945 struct rfcomm_rls *rls; 946 u8 buf[16], *ptr = buf; 947 948 BT_DBG("%p cr %d status 0x%x", s, cr, status); 949 950 hdr = (void *) ptr; ptr += sizeof(*hdr); 951 hdr->addr = __addr(s->initiator, 0); 952 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 953 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 954 955 mcc = (void *) ptr; ptr += sizeof(*mcc); 956 mcc->type = __mcc_type(cr, RFCOMM_RLS); 957 mcc->len = __len8(sizeof(*rls)); 958 959 rls = (void *) ptr; ptr += sizeof(*rls); 960 rls->dlci = __addr(1, dlci); 961 rls->status = status; 962 963 *ptr = __fcs(buf); ptr++; 964 965 return rfcomm_send_frame(s, buf, ptr - buf); 966 } 967 968 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 969 { 970 struct rfcomm_hdr *hdr; 971 struct rfcomm_mcc *mcc; 972 struct rfcomm_msc *msc; 973 u8 buf[16], *ptr = buf; 974 975 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 976 977 hdr = (void *) ptr; ptr += sizeof(*hdr); 978 hdr->addr = __addr(s->initiator, 0); 979 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 980 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 981 982 mcc = (void *) ptr; ptr += sizeof(*mcc); 983 mcc->type = __mcc_type(cr, RFCOMM_MSC); 984 mcc->len = __len8(sizeof(*msc)); 985 986 msc = (void *) ptr; ptr += sizeof(*msc); 987 msc->dlci = __addr(1, dlci); 988 msc->v24_sig = v24_sig | 0x01; 989 990 *ptr = __fcs(buf); ptr++; 991 992 return rfcomm_send_frame(s, buf, ptr - buf); 993 } 994 995 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 996 { 997 struct rfcomm_hdr *hdr; 998 struct rfcomm_mcc *mcc; 999 u8 buf[16], *ptr = buf; 1000 1001 BT_DBG("%p cr %d", s, cr); 1002 1003 hdr = (void *) ptr; ptr += sizeof(*hdr); 1004 hdr->addr = __addr(s->initiator, 0); 1005 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1006 hdr->len = __len8(sizeof(*mcc)); 1007 1008 mcc = (void *) ptr; ptr += sizeof(*mcc); 1009 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1010 mcc->len = __len8(0); 1011 1012 *ptr = __fcs(buf); ptr++; 1013 1014 return rfcomm_send_frame(s, buf, ptr - buf); 1015 } 1016 1017 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1018 { 1019 struct rfcomm_hdr *hdr; 1020 struct rfcomm_mcc *mcc; 1021 u8 buf[16], *ptr = buf; 1022 1023 BT_DBG("%p cr %d", s, cr); 1024 1025 hdr = (void *) ptr; ptr += sizeof(*hdr); 1026 hdr->addr = __addr(s->initiator, 0); 1027 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1028 hdr->len = __len8(sizeof(*mcc)); 1029 1030 mcc = (void *) ptr; ptr += sizeof(*mcc); 1031 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1032 mcc->len = __len8(0); 1033 1034 *ptr = __fcs(buf); ptr++; 1035 1036 return rfcomm_send_frame(s, buf, ptr - buf); 1037 } 1038 1039 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1040 { 1041 struct socket *sock = s->sock; 1042 struct kvec iv[3]; 1043 struct msghdr msg; 1044 unsigned char hdr[5], crc[1]; 1045 1046 if (len > 125) 1047 return -EINVAL; 1048 1049 BT_DBG("%p cr %d", s, cr); 1050 1051 hdr[0] = __addr(s->initiator, 0); 1052 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1053 hdr[2] = 0x01 | ((len + 2) << 1); 1054 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1055 hdr[4] = 0x01 | (len << 1); 1056 1057 crc[0] = __fcs(hdr); 1058 1059 iv[0].iov_base = hdr; 1060 iv[0].iov_len = 5; 1061 iv[1].iov_base = pattern; 1062 iv[1].iov_len = len; 1063 iv[2].iov_base = crc; 1064 iv[2].iov_len = 1; 1065 1066 memset(&msg, 0, sizeof(msg)); 1067 1068 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1069 } 1070 1071 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1072 { 1073 struct rfcomm_hdr *hdr; 1074 u8 buf[16], *ptr = buf; 1075 1076 BT_DBG("%p addr %d credits %d", s, addr, credits); 1077 1078 hdr = (void *) ptr; ptr += sizeof(*hdr); 1079 hdr->addr = addr; 1080 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1081 hdr->len = __len8(0); 1082 1083 *ptr = credits; ptr++; 1084 1085 *ptr = __fcs(buf); ptr++; 1086 1087 return rfcomm_send_frame(s, buf, ptr - buf); 1088 } 1089 1090 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1091 { 1092 struct rfcomm_hdr *hdr; 1093 int len = skb->len; 1094 u8 *crc; 1095 1096 if (len > 127) { 1097 hdr = (void *) skb_push(skb, 4); 1098 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1099 } else { 1100 hdr = (void *) skb_push(skb, 3); 1101 hdr->len = __len8(len); 1102 } 1103 hdr->addr = addr; 1104 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1105 1106 crc = skb_put(skb, 1); 1107 *crc = __fcs((void *) hdr); 1108 } 1109 1110 /* ---- RFCOMM frame reception ---- */ 1111 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1112 { 1113 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1114 1115 if (dlci) { 1116 /* Data channel */ 1117 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1118 if (!d) { 1119 rfcomm_send_dm(s, dlci); 1120 return 0; 1121 } 1122 1123 switch (d->state) { 1124 case BT_CONNECT: 1125 rfcomm_dlc_clear_timer(d); 1126 1127 rfcomm_dlc_lock(d); 1128 d->state = BT_CONNECTED; 1129 d->state_change(d, 0); 1130 rfcomm_dlc_unlock(d); 1131 1132 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1133 break; 1134 1135 case BT_DISCONN: 1136 d->state = BT_CLOSED; 1137 __rfcomm_dlc_close(d, 0); 1138 1139 if (list_empty(&s->dlcs)) { 1140 s->state = BT_DISCONN; 1141 rfcomm_send_disc(s, 0); 1142 } 1143 1144 break; 1145 } 1146 } else { 1147 /* Control channel */ 1148 switch (s->state) { 1149 case BT_CONNECT: 1150 s->state = BT_CONNECTED; 1151 rfcomm_process_connect(s); 1152 break; 1153 1154 case BT_DISCONN: 1155 /* When socket is closed and we are not RFCOMM 1156 * initiator rfcomm_process_rx already calls 1157 * rfcomm_session_put() */ 1158 if (s->sock->sk->sk_state != BT_CLOSED) 1159 rfcomm_session_put(s); 1160 break; 1161 } 1162 } 1163 return 0; 1164 } 1165 1166 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1167 { 1168 int err = 0; 1169 1170 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1171 1172 if (dlci) { 1173 /* Data DLC */ 1174 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1175 if (d) { 1176 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1177 err = ECONNREFUSED; 1178 else 1179 err = ECONNRESET; 1180 1181 d->state = BT_CLOSED; 1182 __rfcomm_dlc_close(d, err); 1183 } 1184 } else { 1185 if (s->state == BT_CONNECT) 1186 err = ECONNREFUSED; 1187 else 1188 err = ECONNRESET; 1189 1190 s->state = BT_CLOSED; 1191 rfcomm_session_close(s, err); 1192 } 1193 return 0; 1194 } 1195 1196 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci) 1197 { 1198 int err = 0; 1199 1200 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1201 1202 if (dlci) { 1203 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1204 if (d) { 1205 rfcomm_send_ua(s, dlci); 1206 1207 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1208 err = ECONNREFUSED; 1209 else 1210 err = ECONNRESET; 1211 1212 d->state = BT_CLOSED; 1213 __rfcomm_dlc_close(d, err); 1214 } else 1215 rfcomm_send_dm(s, dlci); 1216 1217 } else { 1218 rfcomm_send_ua(s, 0); 1219 1220 if (s->state == BT_CONNECT) 1221 err = ECONNREFUSED; 1222 else 1223 err = ECONNRESET; 1224 1225 s->state = BT_CLOSED; 1226 rfcomm_session_close(s, err); 1227 } 1228 1229 return 0; 1230 } 1231 1232 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1233 { 1234 struct sock *sk = d->session->sock->sk; 1235 1236 BT_DBG("dlc %p", d); 1237 1238 rfcomm_send_ua(d->session, d->dlci); 1239 1240 rfcomm_dlc_clear_timer(d); 1241 1242 rfcomm_dlc_lock(d); 1243 d->state = BT_CONNECTED; 1244 d->state_change(d, 0); 1245 rfcomm_dlc_unlock(d); 1246 1247 if (d->role_switch) 1248 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00); 1249 1250 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1251 } 1252 1253 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1254 { 1255 if (rfcomm_check_security(d)) { 1256 if (d->defer_setup) { 1257 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1258 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1259 1260 rfcomm_dlc_lock(d); 1261 d->state = BT_CONNECT2; 1262 d->state_change(d, 0); 1263 rfcomm_dlc_unlock(d); 1264 } else 1265 rfcomm_dlc_accept(d); 1266 } else { 1267 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1268 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1269 } 1270 } 1271 1272 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1273 { 1274 struct rfcomm_dlc *d; 1275 u8 channel; 1276 1277 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1278 1279 if (!dlci) { 1280 rfcomm_send_ua(s, 0); 1281 1282 if (s->state == BT_OPEN) { 1283 s->state = BT_CONNECTED; 1284 rfcomm_process_connect(s); 1285 } 1286 return 0; 1287 } 1288 1289 /* Check if DLC exists */ 1290 d = rfcomm_dlc_get(s, dlci); 1291 if (d) { 1292 if (d->state == BT_OPEN) { 1293 /* DLC was previously opened by PN request */ 1294 rfcomm_check_accept(d); 1295 } 1296 return 0; 1297 } 1298 1299 /* Notify socket layer about incoming connection */ 1300 channel = __srv_channel(dlci); 1301 if (rfcomm_connect_ind(s, channel, &d)) { 1302 d->dlci = dlci; 1303 d->addr = __addr(s->initiator, dlci); 1304 rfcomm_dlc_link(s, d); 1305 1306 rfcomm_check_accept(d); 1307 } else { 1308 rfcomm_send_dm(s, dlci); 1309 } 1310 1311 return 0; 1312 } 1313 1314 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1315 { 1316 struct rfcomm_session *s = d->session; 1317 1318 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1319 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1320 1321 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1322 pn->flow_ctrl == 0xe0) { 1323 d->cfc = RFCOMM_CFC_ENABLED; 1324 d->tx_credits = pn->credits; 1325 } else { 1326 d->cfc = RFCOMM_CFC_DISABLED; 1327 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1328 } 1329 1330 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1331 s->cfc = d->cfc; 1332 1333 d->priority = pn->priority; 1334 1335 d->mtu = __le16_to_cpu(pn->mtu); 1336 1337 if (cr && d->mtu > s->mtu) 1338 d->mtu = s->mtu; 1339 1340 return 0; 1341 } 1342 1343 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1344 { 1345 struct rfcomm_pn *pn = (void *) skb->data; 1346 struct rfcomm_dlc *d; 1347 u8 dlci = pn->dlci; 1348 1349 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1350 1351 if (!dlci) 1352 return 0; 1353 1354 d = rfcomm_dlc_get(s, dlci); 1355 if (d) { 1356 if (cr) { 1357 /* PN request */ 1358 rfcomm_apply_pn(d, cr, pn); 1359 rfcomm_send_pn(s, 0, d); 1360 } else { 1361 /* PN response */ 1362 switch (d->state) { 1363 case BT_CONFIG: 1364 rfcomm_apply_pn(d, cr, pn); 1365 1366 d->state = BT_CONNECT; 1367 rfcomm_send_sabm(s, d->dlci); 1368 break; 1369 } 1370 } 1371 } else { 1372 u8 channel = __srv_channel(dlci); 1373 1374 if (!cr) 1375 return 0; 1376 1377 /* PN request for non existing DLC. 1378 * Assume incoming connection. */ 1379 if (rfcomm_connect_ind(s, channel, &d)) { 1380 d->dlci = dlci; 1381 d->addr = __addr(s->initiator, dlci); 1382 rfcomm_dlc_link(s, d); 1383 1384 rfcomm_apply_pn(d, cr, pn); 1385 1386 d->state = BT_OPEN; 1387 rfcomm_send_pn(s, 0, d); 1388 } else { 1389 rfcomm_send_dm(s, dlci); 1390 } 1391 } 1392 return 0; 1393 } 1394 1395 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1396 { 1397 struct rfcomm_rpn *rpn = (void *) skb->data; 1398 u8 dlci = __get_dlci(rpn->dlci); 1399 1400 u8 bit_rate = 0; 1401 u8 data_bits = 0; 1402 u8 stop_bits = 0; 1403 u8 parity = 0; 1404 u8 flow_ctrl = 0; 1405 u8 xon_char = 0; 1406 u8 xoff_char = 0; 1407 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1408 1409 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1410 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1411 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1412 1413 if (!cr) 1414 return 0; 1415 1416 if (len == 1) { 1417 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1418 bit_rate = RFCOMM_RPN_BR_9600; 1419 data_bits = RFCOMM_RPN_DATA_8; 1420 stop_bits = RFCOMM_RPN_STOP_1; 1421 parity = RFCOMM_RPN_PARITY_NONE; 1422 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1423 xon_char = RFCOMM_RPN_XON_CHAR; 1424 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1425 goto rpn_out; 1426 } 1427 1428 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1429 * no parity, no flow control lines, normal XON/XOFF chars */ 1430 1431 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1432 bit_rate = rpn->bit_rate; 1433 if (bit_rate > RFCOMM_RPN_BR_230400) { 1434 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1435 bit_rate = RFCOMM_RPN_BR_9600; 1436 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1437 } 1438 } 1439 1440 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1441 data_bits = __get_rpn_data_bits(rpn->line_settings); 1442 if (data_bits != RFCOMM_RPN_DATA_8) { 1443 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1444 data_bits = RFCOMM_RPN_DATA_8; 1445 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1446 } 1447 } 1448 1449 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1450 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1451 if (stop_bits != RFCOMM_RPN_STOP_1) { 1452 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1453 stop_bits = RFCOMM_RPN_STOP_1; 1454 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1455 } 1456 } 1457 1458 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1459 parity = __get_rpn_parity(rpn->line_settings); 1460 if (parity != RFCOMM_RPN_PARITY_NONE) { 1461 BT_DBG("RPN parity mismatch 0x%x", parity); 1462 parity = RFCOMM_RPN_PARITY_NONE; 1463 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1464 } 1465 } 1466 1467 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1468 flow_ctrl = rpn->flow_ctrl; 1469 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1470 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1471 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1472 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1473 } 1474 } 1475 1476 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1477 xon_char = rpn->xon_char; 1478 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1479 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1480 xon_char = RFCOMM_RPN_XON_CHAR; 1481 rpn_mask ^= RFCOMM_RPN_PM_XON; 1482 } 1483 } 1484 1485 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1486 xoff_char = rpn->xoff_char; 1487 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1488 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1489 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1490 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1491 } 1492 } 1493 1494 rpn_out: 1495 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1496 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1497 1498 return 0; 1499 } 1500 1501 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1502 { 1503 struct rfcomm_rls *rls = (void *) skb->data; 1504 u8 dlci = __get_dlci(rls->dlci); 1505 1506 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1507 1508 if (!cr) 1509 return 0; 1510 1511 /* We should probably do something with this information here. But 1512 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1513 * mandatory to recognise and respond to RLS */ 1514 1515 rfcomm_send_rls(s, 0, dlci, rls->status); 1516 1517 return 0; 1518 } 1519 1520 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1521 { 1522 struct rfcomm_msc *msc = (void *) skb->data; 1523 struct rfcomm_dlc *d; 1524 u8 dlci = __get_dlci(msc->dlci); 1525 1526 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1527 1528 d = rfcomm_dlc_get(s, dlci); 1529 if (!d) 1530 return 0; 1531 1532 if (cr) { 1533 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1534 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1535 else 1536 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1537 1538 rfcomm_dlc_lock(d); 1539 1540 d->remote_v24_sig = msc->v24_sig; 1541 1542 if (d->modem_status) 1543 d->modem_status(d, msc->v24_sig); 1544 1545 rfcomm_dlc_unlock(d); 1546 1547 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1548 1549 d->mscex |= RFCOMM_MSCEX_RX; 1550 } else 1551 d->mscex |= RFCOMM_MSCEX_TX; 1552 1553 return 0; 1554 } 1555 1556 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1557 { 1558 struct rfcomm_mcc *mcc = (void *) skb->data; 1559 u8 type, cr, len; 1560 1561 cr = __test_cr(mcc->type); 1562 type = __get_mcc_type(mcc->type); 1563 len = __get_mcc_len(mcc->len); 1564 1565 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1566 1567 skb_pull(skb, 2); 1568 1569 switch (type) { 1570 case RFCOMM_PN: 1571 rfcomm_recv_pn(s, cr, skb); 1572 break; 1573 1574 case RFCOMM_RPN: 1575 rfcomm_recv_rpn(s, cr, len, skb); 1576 break; 1577 1578 case RFCOMM_RLS: 1579 rfcomm_recv_rls(s, cr, skb); 1580 break; 1581 1582 case RFCOMM_MSC: 1583 rfcomm_recv_msc(s, cr, skb); 1584 break; 1585 1586 case RFCOMM_FCOFF: 1587 if (cr) { 1588 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1589 rfcomm_send_fcoff(s, 0); 1590 } 1591 break; 1592 1593 case RFCOMM_FCON: 1594 if (cr) { 1595 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1596 rfcomm_send_fcon(s, 0); 1597 } 1598 break; 1599 1600 case RFCOMM_TEST: 1601 if (cr) 1602 rfcomm_send_test(s, 0, skb->data, skb->len); 1603 break; 1604 1605 case RFCOMM_NSC: 1606 break; 1607 1608 default: 1609 BT_ERR("Unknown control type 0x%02x", type); 1610 rfcomm_send_nsc(s, cr, type); 1611 break; 1612 } 1613 return 0; 1614 } 1615 1616 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1617 { 1618 struct rfcomm_dlc *d; 1619 1620 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1621 1622 d = rfcomm_dlc_get(s, dlci); 1623 if (!d) { 1624 rfcomm_send_dm(s, dlci); 1625 goto drop; 1626 } 1627 1628 if (pf && d->cfc) { 1629 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1630 1631 d->tx_credits += credits; 1632 if (d->tx_credits) 1633 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1634 } 1635 1636 if (skb->len && d->state == BT_CONNECTED) { 1637 rfcomm_dlc_lock(d); 1638 d->rx_credits--; 1639 d->data_ready(d, skb); 1640 rfcomm_dlc_unlock(d); 1641 return 0; 1642 } 1643 1644 drop: 1645 kfree_skb(skb); 1646 return 0; 1647 } 1648 1649 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) 1650 { 1651 struct rfcomm_hdr *hdr = (void *) skb->data; 1652 u8 type, dlci, fcs; 1653 1654 dlci = __get_dlci(hdr->addr); 1655 type = __get_type(hdr->ctrl); 1656 1657 /* Trim FCS */ 1658 skb->len--; skb->tail--; 1659 fcs = *(u8 *)skb_tail_pointer(skb); 1660 1661 if (__check_fcs(skb->data, type, fcs)) { 1662 BT_ERR("bad checksum in packet"); 1663 kfree_skb(skb); 1664 return -EILSEQ; 1665 } 1666 1667 if (__test_ea(hdr->len)) 1668 skb_pull(skb, 3); 1669 else 1670 skb_pull(skb, 4); 1671 1672 switch (type) { 1673 case RFCOMM_SABM: 1674 if (__test_pf(hdr->ctrl)) 1675 rfcomm_recv_sabm(s, dlci); 1676 break; 1677 1678 case RFCOMM_DISC: 1679 if (__test_pf(hdr->ctrl)) 1680 rfcomm_recv_disc(s, dlci); 1681 break; 1682 1683 case RFCOMM_UA: 1684 if (__test_pf(hdr->ctrl)) 1685 rfcomm_recv_ua(s, dlci); 1686 break; 1687 1688 case RFCOMM_DM: 1689 rfcomm_recv_dm(s, dlci); 1690 break; 1691 1692 case RFCOMM_UIH: 1693 if (dlci) 1694 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1695 1696 rfcomm_recv_mcc(s, skb); 1697 break; 1698 1699 default: 1700 BT_ERR("Unknown packet type 0x%02x", type); 1701 break; 1702 } 1703 kfree_skb(skb); 1704 return 0; 1705 } 1706 1707 /* ---- Connection and data processing ---- */ 1708 1709 static void rfcomm_process_connect(struct rfcomm_session *s) 1710 { 1711 struct rfcomm_dlc *d; 1712 struct list_head *p, *n; 1713 1714 BT_DBG("session %p state %ld", s, s->state); 1715 1716 list_for_each_safe(p, n, &s->dlcs) { 1717 d = list_entry(p, struct rfcomm_dlc, list); 1718 if (d->state == BT_CONFIG) { 1719 d->mtu = s->mtu; 1720 if (rfcomm_check_security(d)) { 1721 rfcomm_send_pn(s, 1, d); 1722 } else { 1723 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1724 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1725 } 1726 } 1727 } 1728 } 1729 1730 /* Send data queued for the DLC. 1731 * Return number of frames left in the queue. 1732 */ 1733 static inline int rfcomm_process_tx(struct rfcomm_dlc *d) 1734 { 1735 struct sk_buff *skb; 1736 int err; 1737 1738 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1739 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1740 1741 /* Send pending MSC */ 1742 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1743 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1744 1745 if (d->cfc) { 1746 /* CFC enabled. 1747 * Give them some credits */ 1748 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1749 d->rx_credits <= (d->cfc >> 2)) { 1750 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1751 d->rx_credits = d->cfc; 1752 } 1753 } else { 1754 /* CFC disabled. 1755 * Give ourselves some credits */ 1756 d->tx_credits = 5; 1757 } 1758 1759 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1760 return skb_queue_len(&d->tx_queue); 1761 1762 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1763 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1764 if (err < 0) { 1765 skb_queue_head(&d->tx_queue, skb); 1766 break; 1767 } 1768 kfree_skb(skb); 1769 d->tx_credits--; 1770 } 1771 1772 if (d->cfc && !d->tx_credits) { 1773 /* We're out of TX credits. 1774 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1775 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1776 } 1777 1778 return skb_queue_len(&d->tx_queue); 1779 } 1780 1781 static inline void rfcomm_process_dlcs(struct rfcomm_session *s) 1782 { 1783 struct rfcomm_dlc *d; 1784 struct list_head *p, *n; 1785 1786 BT_DBG("session %p state %ld", s, s->state); 1787 1788 list_for_each_safe(p, n, &s->dlcs) { 1789 d = list_entry(p, struct rfcomm_dlc, list); 1790 1791 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1792 __rfcomm_dlc_close(d, ETIMEDOUT); 1793 continue; 1794 } 1795 1796 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1797 rfcomm_dlc_clear_timer(d); 1798 if (d->out) { 1799 rfcomm_send_pn(s, 1, d); 1800 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1801 } else { 1802 if (d->defer_setup) { 1803 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1804 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1805 1806 rfcomm_dlc_lock(d); 1807 d->state = BT_CONNECT2; 1808 d->state_change(d, 0); 1809 rfcomm_dlc_unlock(d); 1810 } else 1811 rfcomm_dlc_accept(d); 1812 } 1813 continue; 1814 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1815 rfcomm_dlc_clear_timer(d); 1816 if (!d->out) 1817 rfcomm_send_dm(s, d->dlci); 1818 else 1819 d->state = BT_CLOSED; 1820 __rfcomm_dlc_close(d, ECONNREFUSED); 1821 continue; 1822 } 1823 1824 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1825 continue; 1826 1827 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1828 continue; 1829 1830 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1831 d->mscex == RFCOMM_MSCEX_OK) 1832 rfcomm_process_tx(d); 1833 } 1834 } 1835 1836 static inline void rfcomm_process_rx(struct rfcomm_session *s) 1837 { 1838 struct socket *sock = s->sock; 1839 struct sock *sk = sock->sk; 1840 struct sk_buff *skb; 1841 1842 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1843 1844 /* Get data directly from socket receive queue without copying it. */ 1845 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1846 skb_orphan(skb); 1847 rfcomm_recv_frame(s, skb); 1848 } 1849 1850 if (sk->sk_state == BT_CLOSED) { 1851 if (!s->initiator) 1852 rfcomm_session_put(s); 1853 1854 rfcomm_session_close(s, sk->sk_err); 1855 } 1856 } 1857 1858 static inline void rfcomm_accept_connection(struct rfcomm_session *s) 1859 { 1860 struct socket *sock = s->sock, *nsock; 1861 int err; 1862 1863 /* Fast check for a new connection. 1864 * Avoids unnesesary socket allocations. */ 1865 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1866 return; 1867 1868 BT_DBG("session %p", s); 1869 1870 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1871 if (err < 0) 1872 return; 1873 1874 /* Set our callbacks */ 1875 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1876 nsock->sk->sk_state_change = rfcomm_l2state_change; 1877 1878 s = rfcomm_session_add(nsock, BT_OPEN); 1879 if (s) { 1880 rfcomm_session_hold(s); 1881 1882 /* We should adjust MTU on incoming sessions. 1883 * L2CAP MTU minus UIH header and FCS. */ 1884 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5; 1885 1886 rfcomm_schedule(); 1887 } else 1888 sock_release(nsock); 1889 } 1890 1891 static inline void rfcomm_check_connection(struct rfcomm_session *s) 1892 { 1893 struct sock *sk = s->sock->sk; 1894 1895 BT_DBG("%p state %ld", s, s->state); 1896 1897 switch(sk->sk_state) { 1898 case BT_CONNECTED: 1899 s->state = BT_CONNECT; 1900 1901 /* We can adjust MTU on outgoing sessions. 1902 * L2CAP MTU minus UIH header and FCS. */ 1903 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5; 1904 1905 rfcomm_send_sabm(s, 0); 1906 break; 1907 1908 case BT_CLOSED: 1909 s->state = BT_CLOSED; 1910 rfcomm_session_close(s, sk->sk_err); 1911 break; 1912 } 1913 } 1914 1915 static inline void rfcomm_process_sessions(void) 1916 { 1917 struct list_head *p, *n; 1918 1919 rfcomm_lock(); 1920 1921 list_for_each_safe(p, n, &session_list) { 1922 struct rfcomm_session *s; 1923 s = list_entry(p, struct rfcomm_session, list); 1924 1925 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1926 s->state = BT_DISCONN; 1927 rfcomm_send_disc(s, 0); 1928 rfcomm_session_put(s); 1929 continue; 1930 } 1931 1932 if (s->state == BT_LISTEN) { 1933 rfcomm_accept_connection(s); 1934 continue; 1935 } 1936 1937 rfcomm_session_hold(s); 1938 1939 switch (s->state) { 1940 case BT_BOUND: 1941 rfcomm_check_connection(s); 1942 break; 1943 1944 default: 1945 rfcomm_process_rx(s); 1946 break; 1947 } 1948 1949 rfcomm_process_dlcs(s); 1950 1951 rfcomm_session_put(s); 1952 } 1953 1954 rfcomm_unlock(); 1955 } 1956 1957 static int rfcomm_add_listener(bdaddr_t *ba) 1958 { 1959 struct sockaddr_l2 addr; 1960 struct socket *sock; 1961 struct sock *sk; 1962 struct rfcomm_session *s; 1963 int err = 0; 1964 1965 /* Create socket */ 1966 err = rfcomm_l2sock_create(&sock); 1967 if (err < 0) { 1968 BT_ERR("Create socket failed %d", err); 1969 return err; 1970 } 1971 1972 /* Bind socket */ 1973 bacpy(&addr.l2_bdaddr, ba); 1974 addr.l2_family = AF_BLUETOOTH; 1975 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 1976 addr.l2_cid = 0; 1977 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 1978 if (err < 0) { 1979 BT_ERR("Bind failed %d", err); 1980 goto failed; 1981 } 1982 1983 /* Set L2CAP options */ 1984 sk = sock->sk; 1985 lock_sock(sk); 1986 l2cap_pi(sk)->imtu = l2cap_mtu; 1987 release_sock(sk); 1988 1989 /* Start listening on the socket */ 1990 err = kernel_listen(sock, 10); 1991 if (err) { 1992 BT_ERR("Listen failed %d", err); 1993 goto failed; 1994 } 1995 1996 /* Add listening session */ 1997 s = rfcomm_session_add(sock, BT_LISTEN); 1998 if (!s) 1999 goto failed; 2000 2001 rfcomm_session_hold(s); 2002 return 0; 2003 failed: 2004 sock_release(sock); 2005 return err; 2006 } 2007 2008 static void rfcomm_kill_listener(void) 2009 { 2010 struct rfcomm_session *s; 2011 struct list_head *p, *n; 2012 2013 BT_DBG(""); 2014 2015 list_for_each_safe(p, n, &session_list) { 2016 s = list_entry(p, struct rfcomm_session, list); 2017 rfcomm_session_del(s); 2018 } 2019 } 2020 2021 static int rfcomm_run(void *unused) 2022 { 2023 BT_DBG(""); 2024 2025 set_user_nice(current, -10); 2026 2027 rfcomm_add_listener(BDADDR_ANY); 2028 2029 while (!kthread_should_stop()) { 2030 set_current_state(TASK_INTERRUPTIBLE); 2031 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) { 2032 /* No pending events. Let's sleep. 2033 * Incoming connections and data will wake us up. */ 2034 schedule(); 2035 } 2036 set_current_state(TASK_RUNNING); 2037 2038 /* Process stuff */ 2039 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event); 2040 rfcomm_process_sessions(); 2041 } 2042 2043 rfcomm_kill_listener(); 2044 2045 return 0; 2046 } 2047 2048 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2049 { 2050 struct rfcomm_session *s; 2051 struct rfcomm_dlc *d; 2052 struct list_head *p, *n; 2053 2054 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2055 2056 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2057 if (!s) 2058 return; 2059 2060 rfcomm_session_hold(s); 2061 2062 list_for_each_safe(p, n, &s->dlcs) { 2063 d = list_entry(p, struct rfcomm_dlc, list); 2064 2065 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2066 rfcomm_dlc_clear_timer(d); 2067 if (status || encrypt == 0x00) { 2068 __rfcomm_dlc_close(d, ECONNREFUSED); 2069 continue; 2070 } 2071 } 2072 2073 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2074 if (d->sec_level == BT_SECURITY_MEDIUM) { 2075 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2076 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2077 continue; 2078 } else if (d->sec_level == BT_SECURITY_HIGH) { 2079 __rfcomm_dlc_close(d, ECONNREFUSED); 2080 continue; 2081 } 2082 } 2083 2084 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2085 continue; 2086 2087 if (!status) 2088 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2089 else 2090 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2091 } 2092 2093 rfcomm_session_put(s); 2094 2095 rfcomm_schedule(); 2096 } 2097 2098 static struct hci_cb rfcomm_cb = { 2099 .name = "RFCOMM", 2100 .security_cfm = rfcomm_security_cfm 2101 }; 2102 2103 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2104 { 2105 struct rfcomm_session *s; 2106 struct list_head *pp, *p; 2107 2108 rfcomm_lock(); 2109 2110 list_for_each(p, &session_list) { 2111 s = list_entry(p, struct rfcomm_session, list); 2112 list_for_each(pp, &s->dlcs) { 2113 struct sock *sk = s->sock->sk; 2114 struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list); 2115 2116 seq_printf(f, "%s %s %ld %d %d %d %d\n", 2117 batostr(&bt_sk(sk)->src), 2118 batostr(&bt_sk(sk)->dst), 2119 d->state, d->dlci, d->mtu, 2120 d->rx_credits, d->tx_credits); 2121 } 2122 } 2123 2124 rfcomm_unlock(); 2125 2126 return 0; 2127 } 2128 2129 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2130 { 2131 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2132 } 2133 2134 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2135 .open = rfcomm_dlc_debugfs_open, 2136 .read = seq_read, 2137 .llseek = seq_lseek, 2138 .release = single_release, 2139 }; 2140 2141 static struct dentry *rfcomm_dlc_debugfs; 2142 2143 /* ---- Initialization ---- */ 2144 static int __init rfcomm_init(void) 2145 { 2146 int err; 2147 2148 l2cap_load(); 2149 2150 hci_register_cb(&rfcomm_cb); 2151 2152 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2153 if (IS_ERR(rfcomm_thread)) { 2154 err = PTR_ERR(rfcomm_thread); 2155 goto unregister; 2156 } 2157 2158 if (bt_debugfs) { 2159 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2160 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops); 2161 if (!rfcomm_dlc_debugfs) 2162 BT_ERR("Failed to create RFCOMM debug file"); 2163 } 2164 2165 err = rfcomm_init_ttys(); 2166 if (err < 0) 2167 goto stop; 2168 2169 err = rfcomm_init_sockets(); 2170 if (err < 0) 2171 goto cleanup; 2172 2173 BT_INFO("RFCOMM ver %s", VERSION); 2174 2175 return 0; 2176 2177 cleanup: 2178 rfcomm_cleanup_ttys(); 2179 2180 stop: 2181 kthread_stop(rfcomm_thread); 2182 2183 unregister: 2184 hci_unregister_cb(&rfcomm_cb); 2185 2186 return err; 2187 } 2188 2189 static void __exit rfcomm_exit(void) 2190 { 2191 debugfs_remove(rfcomm_dlc_debugfs); 2192 2193 hci_unregister_cb(&rfcomm_cb); 2194 2195 kthread_stop(rfcomm_thread); 2196 2197 rfcomm_cleanup_ttys(); 2198 2199 rfcomm_cleanup_sockets(); 2200 } 2201 2202 module_init(rfcomm_init); 2203 module_exit(rfcomm_exit); 2204 2205 module_param(disable_cfc, bool, 0644); 2206 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2207 2208 module_param(channel_mtu, int, 0644); 2209 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2210 2211 module_param(l2cap_mtu, uint, 0644); 2212 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2213 2214 module_param(l2cap_ertm, bool, 0644); 2215 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2216 2217 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2218 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2219 MODULE_VERSION(VERSION); 2220 MODULE_LICENSE("GPL"); 2221 MODULE_ALIAS("bt-proto-3"); 2222