1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/errno.h> 30 #include <linux/kernel.h> 31 #include <linux/sched.h> 32 #include <linux/signal.h> 33 #include <linux/init.h> 34 #include <linux/wait.h> 35 #include <linux/device.h> 36 #include <linux/debugfs.h> 37 #include <linux/seq_file.h> 38 #include <linux/net.h> 39 #include <linux/mutex.h> 40 #include <linux/kthread.h> 41 #include <linux/slab.h> 42 43 #include <net/sock.h> 44 #include <linux/uaccess.h> 45 #include <asm/unaligned.h> 46 47 #include <net/bluetooth/bluetooth.h> 48 #include <net/bluetooth/hci_core.h> 49 #include <net/bluetooth/l2cap.h> 50 #include <net/bluetooth/rfcomm.h> 51 52 #define VERSION "1.11" 53 54 static bool disable_cfc; 55 static bool l2cap_ertm; 56 static int channel_mtu = -1; 57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 58 59 static struct task_struct *rfcomm_thread; 60 61 static DEFINE_MUTEX(rfcomm_mutex); 62 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 64 65 66 static LIST_HEAD(session_list); 67 68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 71 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 78 79 static void rfcomm_process_connect(struct rfcomm_session *s); 80 81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 82 bdaddr_t *dst, 83 u8 sec_level, 84 int *err); 85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 86 static void rfcomm_session_del(struct rfcomm_session *s); 87 88 /* ---- RFCOMM frame parsing macros ---- */ 89 #define __get_dlci(b) ((b & 0xfc) >> 2) 90 #define __get_channel(b) ((b & 0xf8) >> 3) 91 #define __get_dir(b) ((b & 0x04) >> 2) 92 #define __get_type(b) ((b & 0xef)) 93 94 #define __test_ea(b) ((b & 0x01)) 95 #define __test_cr(b) ((b & 0x02)) 96 #define __test_pf(b) ((b & 0x10)) 97 98 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 99 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 100 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 101 #define __srv_channel(dlci) (dlci >> 1) 102 #define __dir(dlci) (dlci & 0x01) 103 104 #define __len8(len) (((len) << 1) | 1) 105 #define __len16(len) ((len) << 1) 106 107 /* MCC macros */ 108 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 109 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 110 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 111 112 /* RPN macros */ 113 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 114 #define __get_rpn_data_bits(line) ((line) & 0x3) 115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 116 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 117 118 static inline void rfcomm_schedule(void) 119 { 120 if (!rfcomm_thread) 121 return; 122 wake_up_process(rfcomm_thread); 123 } 124 125 static inline void rfcomm_session_put(struct rfcomm_session *s) 126 { 127 if (atomic_dec_and_test(&s->refcnt)) 128 rfcomm_session_del(s); 129 } 130 131 /* ---- RFCOMM FCS computation ---- */ 132 133 /* reversed, 8-bit, poly=0x07 */ 134 static unsigned char rfcomm_crc_table[256] = { 135 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 136 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 137 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 138 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 139 140 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 141 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 142 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 143 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 144 145 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 146 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 147 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 148 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 149 150 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 151 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 152 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 153 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 154 155 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 156 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 157 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 158 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 159 160 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 161 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 162 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 163 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 164 165 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 166 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 167 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 168 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 169 170 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 171 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 172 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 173 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 174 }; 175 176 /* CRC on 2 bytes */ 177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 178 179 /* FCS on 2 bytes */ 180 static inline u8 __fcs(u8 *data) 181 { 182 return 0xff - __crc(data); 183 } 184 185 /* FCS on 3 bytes */ 186 static inline u8 __fcs2(u8 *data) 187 { 188 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 189 } 190 191 /* Check FCS */ 192 static inline int __check_fcs(u8 *data, int type, u8 fcs) 193 { 194 u8 f = __crc(data); 195 196 if (type != RFCOMM_UIH) 197 f = rfcomm_crc_table[f ^ data[2]]; 198 199 return rfcomm_crc_table[f ^ fcs] != 0xcf; 200 } 201 202 /* ---- L2CAP callbacks ---- */ 203 static void rfcomm_l2state_change(struct sock *sk) 204 { 205 BT_DBG("%p state %d", sk, sk->sk_state); 206 rfcomm_schedule(); 207 } 208 209 static void rfcomm_l2data_ready(struct sock *sk, int bytes) 210 { 211 BT_DBG("%p bytes %d", sk, bytes); 212 rfcomm_schedule(); 213 } 214 215 static int rfcomm_l2sock_create(struct socket **sock) 216 { 217 int err; 218 219 BT_DBG(""); 220 221 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 222 if (!err) { 223 struct sock *sk = (*sock)->sk; 224 sk->sk_data_ready = rfcomm_l2data_ready; 225 sk->sk_state_change = rfcomm_l2state_change; 226 } 227 return err; 228 } 229 230 static inline int rfcomm_check_security(struct rfcomm_dlc *d) 231 { 232 struct sock *sk = d->session->sock->sk; 233 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 234 235 __u8 auth_type; 236 237 switch (d->sec_level) { 238 case BT_SECURITY_HIGH: 239 auth_type = HCI_AT_GENERAL_BONDING_MITM; 240 break; 241 case BT_SECURITY_MEDIUM: 242 auth_type = HCI_AT_GENERAL_BONDING; 243 break; 244 default: 245 auth_type = HCI_AT_NO_BONDING; 246 break; 247 } 248 249 return hci_conn_security(conn->hcon, d->sec_level, auth_type); 250 } 251 252 static void rfcomm_session_timeout(unsigned long arg) 253 { 254 struct rfcomm_session *s = (void *) arg; 255 256 BT_DBG("session %p state %ld", s, s->state); 257 258 set_bit(RFCOMM_TIMED_OUT, &s->flags); 259 rfcomm_schedule(); 260 } 261 262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 263 { 264 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 265 266 if (!mod_timer(&s->timer, jiffies + timeout)) 267 rfcomm_session_hold(s); 268 } 269 270 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 271 { 272 BT_DBG("session %p state %ld", s, s->state); 273 274 if (timer_pending(&s->timer) && del_timer(&s->timer)) 275 rfcomm_session_put(s); 276 } 277 278 /* ---- RFCOMM DLCs ---- */ 279 static void rfcomm_dlc_timeout(unsigned long arg) 280 { 281 struct rfcomm_dlc *d = (void *) arg; 282 283 BT_DBG("dlc %p state %ld", d, d->state); 284 285 set_bit(RFCOMM_TIMED_OUT, &d->flags); 286 rfcomm_dlc_put(d); 287 rfcomm_schedule(); 288 } 289 290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 291 { 292 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 293 294 if (!mod_timer(&d->timer, jiffies + timeout)) 295 rfcomm_dlc_hold(d); 296 } 297 298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 299 { 300 BT_DBG("dlc %p state %ld", d, d->state); 301 302 if (timer_pending(&d->timer) && del_timer(&d->timer)) 303 rfcomm_dlc_put(d); 304 } 305 306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 307 { 308 BT_DBG("%p", d); 309 310 d->state = BT_OPEN; 311 d->flags = 0; 312 d->mscex = 0; 313 d->sec_level = BT_SECURITY_LOW; 314 d->mtu = RFCOMM_DEFAULT_MTU; 315 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 316 317 d->cfc = RFCOMM_CFC_DISABLED; 318 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 319 } 320 321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 322 { 323 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 324 325 if (!d) 326 return NULL; 327 328 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 329 330 skb_queue_head_init(&d->tx_queue); 331 spin_lock_init(&d->lock); 332 atomic_set(&d->refcnt, 1); 333 334 rfcomm_dlc_clear_state(d); 335 336 BT_DBG("%p", d); 337 338 return d; 339 } 340 341 void rfcomm_dlc_free(struct rfcomm_dlc *d) 342 { 343 BT_DBG("%p", d); 344 345 skb_queue_purge(&d->tx_queue); 346 kfree(d); 347 } 348 349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 350 { 351 BT_DBG("dlc %p session %p", d, s); 352 353 rfcomm_session_hold(s); 354 355 rfcomm_session_clear_timer(s); 356 rfcomm_dlc_hold(d); 357 list_add(&d->list, &s->dlcs); 358 d->session = s; 359 } 360 361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 362 { 363 struct rfcomm_session *s = d->session; 364 365 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 366 367 list_del(&d->list); 368 d->session = NULL; 369 rfcomm_dlc_put(d); 370 371 if (list_empty(&s->dlcs)) 372 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 373 374 rfcomm_session_put(s); 375 } 376 377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 378 { 379 struct rfcomm_dlc *d; 380 381 list_for_each_entry(d, &s->dlcs, list) 382 if (d->dlci == dlci) 383 return d; 384 385 return NULL; 386 } 387 388 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 389 { 390 struct rfcomm_session *s; 391 int err = 0; 392 u8 dlci; 393 394 BT_DBG("dlc %p state %ld %s %s channel %d", 395 d, d->state, batostr(src), batostr(dst), channel); 396 397 if (channel < 1 || channel > 30) 398 return -EINVAL; 399 400 if (d->state != BT_OPEN && d->state != BT_CLOSED) 401 return 0; 402 403 s = rfcomm_session_get(src, dst); 404 if (!s) { 405 s = rfcomm_session_create(src, dst, d->sec_level, &err); 406 if (!s) 407 return err; 408 } 409 410 dlci = __dlci(!s->initiator, channel); 411 412 /* Check if DLCI already exists */ 413 if (rfcomm_dlc_get(s, dlci)) 414 return -EBUSY; 415 416 rfcomm_dlc_clear_state(d); 417 418 d->dlci = dlci; 419 d->addr = __addr(s->initiator, dlci); 420 d->priority = 7; 421 422 d->state = BT_CONFIG; 423 rfcomm_dlc_link(s, d); 424 425 d->out = 1; 426 427 d->mtu = s->mtu; 428 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 429 430 if (s->state == BT_CONNECTED) { 431 if (rfcomm_check_security(d)) 432 rfcomm_send_pn(s, 1, d); 433 else 434 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 435 } 436 437 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 438 439 return 0; 440 } 441 442 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 443 { 444 int r; 445 446 rfcomm_lock(); 447 448 r = __rfcomm_dlc_open(d, src, dst, channel); 449 450 rfcomm_unlock(); 451 return r; 452 } 453 454 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 455 { 456 struct rfcomm_session *s = d->session; 457 if (!s) 458 return 0; 459 460 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 461 d, d->state, d->dlci, err, s); 462 463 switch (d->state) { 464 case BT_CONNECT: 465 case BT_CONFIG: 466 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 467 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 468 rfcomm_schedule(); 469 break; 470 } 471 /* Fall through */ 472 473 case BT_CONNECTED: 474 d->state = BT_DISCONN; 475 if (skb_queue_empty(&d->tx_queue)) { 476 rfcomm_send_disc(s, d->dlci); 477 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 478 } else { 479 rfcomm_queue_disc(d); 480 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 481 } 482 break; 483 484 case BT_OPEN: 485 case BT_CONNECT2: 486 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 487 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 488 rfcomm_schedule(); 489 break; 490 } 491 /* Fall through */ 492 493 default: 494 rfcomm_dlc_clear_timer(d); 495 496 rfcomm_dlc_lock(d); 497 d->state = BT_CLOSED; 498 d->state_change(d, err); 499 rfcomm_dlc_unlock(d); 500 501 skb_queue_purge(&d->tx_queue); 502 rfcomm_dlc_unlink(d); 503 } 504 505 return 0; 506 } 507 508 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 509 { 510 int r; 511 512 rfcomm_lock(); 513 514 r = __rfcomm_dlc_close(d, err); 515 516 rfcomm_unlock(); 517 return r; 518 } 519 520 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 521 { 522 int len = skb->len; 523 524 if (d->state != BT_CONNECTED) 525 return -ENOTCONN; 526 527 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 528 529 if (len > d->mtu) 530 return -EINVAL; 531 532 rfcomm_make_uih(skb, d->addr); 533 skb_queue_tail(&d->tx_queue, skb); 534 535 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 536 rfcomm_schedule(); 537 return len; 538 } 539 540 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 541 { 542 BT_DBG("dlc %p state %ld", d, d->state); 543 544 if (!d->cfc) { 545 d->v24_sig |= RFCOMM_V24_FC; 546 set_bit(RFCOMM_MSC_PENDING, &d->flags); 547 } 548 rfcomm_schedule(); 549 } 550 551 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 552 { 553 BT_DBG("dlc %p state %ld", d, d->state); 554 555 if (!d->cfc) { 556 d->v24_sig &= ~RFCOMM_V24_FC; 557 set_bit(RFCOMM_MSC_PENDING, &d->flags); 558 } 559 rfcomm_schedule(); 560 } 561 562 /* 563 Set/get modem status functions use _local_ status i.e. what we report 564 to the other side. 565 Remote status is provided by dlc->modem_status() callback. 566 */ 567 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 568 { 569 BT_DBG("dlc %p state %ld v24_sig 0x%x", 570 d, d->state, v24_sig); 571 572 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 573 v24_sig |= RFCOMM_V24_FC; 574 else 575 v24_sig &= ~RFCOMM_V24_FC; 576 577 d->v24_sig = v24_sig; 578 579 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 580 rfcomm_schedule(); 581 582 return 0; 583 } 584 585 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 586 { 587 BT_DBG("dlc %p state %ld v24_sig 0x%x", 588 d, d->state, d->v24_sig); 589 590 *v24_sig = d->v24_sig; 591 return 0; 592 } 593 594 /* ---- RFCOMM sessions ---- */ 595 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 596 { 597 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 598 599 if (!s) 600 return NULL; 601 602 BT_DBG("session %p sock %p", s, sock); 603 604 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 605 606 INIT_LIST_HEAD(&s->dlcs); 607 s->state = state; 608 s->sock = sock; 609 610 s->mtu = RFCOMM_DEFAULT_MTU; 611 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 612 613 /* Do not increment module usage count for listening sessions. 614 * Otherwise we won't be able to unload the module. */ 615 if (state != BT_LISTEN) 616 if (!try_module_get(THIS_MODULE)) { 617 kfree(s); 618 return NULL; 619 } 620 621 list_add(&s->list, &session_list); 622 623 return s; 624 } 625 626 static void rfcomm_session_del(struct rfcomm_session *s) 627 { 628 int state = s->state; 629 630 BT_DBG("session %p state %ld", s, s->state); 631 632 list_del(&s->list); 633 634 if (state == BT_CONNECTED) 635 rfcomm_send_disc(s, 0); 636 637 rfcomm_session_clear_timer(s); 638 sock_release(s->sock); 639 kfree(s); 640 641 if (state != BT_LISTEN) 642 module_put(THIS_MODULE); 643 } 644 645 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 646 { 647 struct rfcomm_session *s; 648 struct list_head *p, *n; 649 struct bt_sock *sk; 650 list_for_each_safe(p, n, &session_list) { 651 s = list_entry(p, struct rfcomm_session, list); 652 sk = bt_sk(s->sock->sk); 653 654 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) && 655 !bacmp(&sk->dst, dst)) 656 return s; 657 } 658 return NULL; 659 } 660 661 static void rfcomm_session_close(struct rfcomm_session *s, int err) 662 { 663 struct rfcomm_dlc *d; 664 struct list_head *p, *n; 665 666 BT_DBG("session %p state %ld err %d", s, s->state, err); 667 668 rfcomm_session_hold(s); 669 670 s->state = BT_CLOSED; 671 672 /* Close all dlcs */ 673 list_for_each_safe(p, n, &s->dlcs) { 674 d = list_entry(p, struct rfcomm_dlc, list); 675 d->state = BT_CLOSED; 676 __rfcomm_dlc_close(d, err); 677 } 678 679 rfcomm_session_clear_timer(s); 680 rfcomm_session_put(s); 681 } 682 683 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 684 bdaddr_t *dst, 685 u8 sec_level, 686 int *err) 687 { 688 struct rfcomm_session *s = NULL; 689 struct sockaddr_l2 addr; 690 struct socket *sock; 691 struct sock *sk; 692 693 BT_DBG("%s %s", batostr(src), batostr(dst)); 694 695 *err = rfcomm_l2sock_create(&sock); 696 if (*err < 0) 697 return NULL; 698 699 bacpy(&addr.l2_bdaddr, src); 700 addr.l2_family = AF_BLUETOOTH; 701 addr.l2_psm = 0; 702 addr.l2_cid = 0; 703 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 704 if (*err < 0) 705 goto failed; 706 707 /* Set L2CAP options */ 708 sk = sock->sk; 709 lock_sock(sk); 710 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 711 l2cap_pi(sk)->chan->sec_level = sec_level; 712 if (l2cap_ertm) 713 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 714 release_sock(sk); 715 716 s = rfcomm_session_add(sock, BT_BOUND); 717 if (!s) { 718 *err = -ENOMEM; 719 goto failed; 720 } 721 722 s->initiator = 1; 723 724 bacpy(&addr.l2_bdaddr, dst); 725 addr.l2_family = AF_BLUETOOTH; 726 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 727 addr.l2_cid = 0; 728 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 729 if (*err == 0 || *err == -EINPROGRESS) 730 return s; 731 732 rfcomm_session_del(s); 733 return NULL; 734 735 failed: 736 sock_release(sock); 737 return NULL; 738 } 739 740 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 741 { 742 struct sock *sk = s->sock->sk; 743 if (src) 744 bacpy(src, &bt_sk(sk)->src); 745 if (dst) 746 bacpy(dst, &bt_sk(sk)->dst); 747 } 748 749 /* ---- RFCOMM frame sending ---- */ 750 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 751 { 752 struct kvec iv = { data, len }; 753 struct msghdr msg; 754 755 BT_DBG("session %p len %d", s, len); 756 757 memset(&msg, 0, sizeof(msg)); 758 759 return kernel_sendmsg(s->sock, &msg, &iv, 1, len); 760 } 761 762 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 763 { 764 BT_DBG("%p cmd %u", s, cmd->ctrl); 765 766 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd)); 767 } 768 769 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 770 { 771 struct rfcomm_cmd cmd; 772 773 BT_DBG("%p dlci %d", s, dlci); 774 775 cmd.addr = __addr(s->initiator, dlci); 776 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 777 cmd.len = __len8(0); 778 cmd.fcs = __fcs2((u8 *) &cmd); 779 780 return rfcomm_send_cmd(s, &cmd); 781 } 782 783 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 784 { 785 struct rfcomm_cmd cmd; 786 787 BT_DBG("%p dlci %d", s, dlci); 788 789 cmd.addr = __addr(!s->initiator, dlci); 790 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 791 cmd.len = __len8(0); 792 cmd.fcs = __fcs2((u8 *) &cmd); 793 794 return rfcomm_send_cmd(s, &cmd); 795 } 796 797 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 798 { 799 struct rfcomm_cmd cmd; 800 801 BT_DBG("%p dlci %d", s, dlci); 802 803 cmd.addr = __addr(s->initiator, dlci); 804 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 805 cmd.len = __len8(0); 806 cmd.fcs = __fcs2((u8 *) &cmd); 807 808 return rfcomm_send_cmd(s, &cmd); 809 } 810 811 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 812 { 813 struct rfcomm_cmd *cmd; 814 struct sk_buff *skb; 815 816 BT_DBG("dlc %p dlci %d", d, d->dlci); 817 818 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 819 if (!skb) 820 return -ENOMEM; 821 822 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 823 cmd->addr = d->addr; 824 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 825 cmd->len = __len8(0); 826 cmd->fcs = __fcs2((u8 *) cmd); 827 828 skb_queue_tail(&d->tx_queue, skb); 829 rfcomm_schedule(); 830 return 0; 831 } 832 833 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 834 { 835 struct rfcomm_cmd cmd; 836 837 BT_DBG("%p dlci %d", s, dlci); 838 839 cmd.addr = __addr(!s->initiator, dlci); 840 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 841 cmd.len = __len8(0); 842 cmd.fcs = __fcs2((u8 *) &cmd); 843 844 return rfcomm_send_cmd(s, &cmd); 845 } 846 847 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 848 { 849 struct rfcomm_hdr *hdr; 850 struct rfcomm_mcc *mcc; 851 u8 buf[16], *ptr = buf; 852 853 BT_DBG("%p cr %d type %d", s, cr, type); 854 855 hdr = (void *) ptr; ptr += sizeof(*hdr); 856 hdr->addr = __addr(s->initiator, 0); 857 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 858 hdr->len = __len8(sizeof(*mcc) + 1); 859 860 mcc = (void *) ptr; ptr += sizeof(*mcc); 861 mcc->type = __mcc_type(cr, RFCOMM_NSC); 862 mcc->len = __len8(1); 863 864 /* Type that we didn't like */ 865 *ptr = __mcc_type(cr, type); ptr++; 866 867 *ptr = __fcs(buf); ptr++; 868 869 return rfcomm_send_frame(s, buf, ptr - buf); 870 } 871 872 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 873 { 874 struct rfcomm_hdr *hdr; 875 struct rfcomm_mcc *mcc; 876 struct rfcomm_pn *pn; 877 u8 buf[16], *ptr = buf; 878 879 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 880 881 hdr = (void *) ptr; ptr += sizeof(*hdr); 882 hdr->addr = __addr(s->initiator, 0); 883 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 884 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 885 886 mcc = (void *) ptr; ptr += sizeof(*mcc); 887 mcc->type = __mcc_type(cr, RFCOMM_PN); 888 mcc->len = __len8(sizeof(*pn)); 889 890 pn = (void *) ptr; ptr += sizeof(*pn); 891 pn->dlci = d->dlci; 892 pn->priority = d->priority; 893 pn->ack_timer = 0; 894 pn->max_retrans = 0; 895 896 if (s->cfc) { 897 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 898 pn->credits = RFCOMM_DEFAULT_CREDITS; 899 } else { 900 pn->flow_ctrl = 0; 901 pn->credits = 0; 902 } 903 904 if (cr && channel_mtu >= 0) 905 pn->mtu = cpu_to_le16(channel_mtu); 906 else 907 pn->mtu = cpu_to_le16(d->mtu); 908 909 *ptr = __fcs(buf); ptr++; 910 911 return rfcomm_send_frame(s, buf, ptr - buf); 912 } 913 914 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 915 u8 bit_rate, u8 data_bits, u8 stop_bits, 916 u8 parity, u8 flow_ctrl_settings, 917 u8 xon_char, u8 xoff_char, u16 param_mask) 918 { 919 struct rfcomm_hdr *hdr; 920 struct rfcomm_mcc *mcc; 921 struct rfcomm_rpn *rpn; 922 u8 buf[16], *ptr = buf; 923 924 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 925 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 926 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 927 flow_ctrl_settings, xon_char, xoff_char, param_mask); 928 929 hdr = (void *) ptr; ptr += sizeof(*hdr); 930 hdr->addr = __addr(s->initiator, 0); 931 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 932 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 933 934 mcc = (void *) ptr; ptr += sizeof(*mcc); 935 mcc->type = __mcc_type(cr, RFCOMM_RPN); 936 mcc->len = __len8(sizeof(*rpn)); 937 938 rpn = (void *) ptr; ptr += sizeof(*rpn); 939 rpn->dlci = __addr(1, dlci); 940 rpn->bit_rate = bit_rate; 941 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 942 rpn->flow_ctrl = flow_ctrl_settings; 943 rpn->xon_char = xon_char; 944 rpn->xoff_char = xoff_char; 945 rpn->param_mask = cpu_to_le16(param_mask); 946 947 *ptr = __fcs(buf); ptr++; 948 949 return rfcomm_send_frame(s, buf, ptr - buf); 950 } 951 952 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 953 { 954 struct rfcomm_hdr *hdr; 955 struct rfcomm_mcc *mcc; 956 struct rfcomm_rls *rls; 957 u8 buf[16], *ptr = buf; 958 959 BT_DBG("%p cr %d status 0x%x", s, cr, status); 960 961 hdr = (void *) ptr; ptr += sizeof(*hdr); 962 hdr->addr = __addr(s->initiator, 0); 963 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 964 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 965 966 mcc = (void *) ptr; ptr += sizeof(*mcc); 967 mcc->type = __mcc_type(cr, RFCOMM_RLS); 968 mcc->len = __len8(sizeof(*rls)); 969 970 rls = (void *) ptr; ptr += sizeof(*rls); 971 rls->dlci = __addr(1, dlci); 972 rls->status = status; 973 974 *ptr = __fcs(buf); ptr++; 975 976 return rfcomm_send_frame(s, buf, ptr - buf); 977 } 978 979 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 980 { 981 struct rfcomm_hdr *hdr; 982 struct rfcomm_mcc *mcc; 983 struct rfcomm_msc *msc; 984 u8 buf[16], *ptr = buf; 985 986 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 987 988 hdr = (void *) ptr; ptr += sizeof(*hdr); 989 hdr->addr = __addr(s->initiator, 0); 990 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 991 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 992 993 mcc = (void *) ptr; ptr += sizeof(*mcc); 994 mcc->type = __mcc_type(cr, RFCOMM_MSC); 995 mcc->len = __len8(sizeof(*msc)); 996 997 msc = (void *) ptr; ptr += sizeof(*msc); 998 msc->dlci = __addr(1, dlci); 999 msc->v24_sig = v24_sig | 0x01; 1000 1001 *ptr = __fcs(buf); ptr++; 1002 1003 return rfcomm_send_frame(s, buf, ptr - buf); 1004 } 1005 1006 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1007 { 1008 struct rfcomm_hdr *hdr; 1009 struct rfcomm_mcc *mcc; 1010 u8 buf[16], *ptr = buf; 1011 1012 BT_DBG("%p cr %d", s, cr); 1013 1014 hdr = (void *) ptr; ptr += sizeof(*hdr); 1015 hdr->addr = __addr(s->initiator, 0); 1016 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1017 hdr->len = __len8(sizeof(*mcc)); 1018 1019 mcc = (void *) ptr; ptr += sizeof(*mcc); 1020 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1021 mcc->len = __len8(0); 1022 1023 *ptr = __fcs(buf); ptr++; 1024 1025 return rfcomm_send_frame(s, buf, ptr - buf); 1026 } 1027 1028 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1029 { 1030 struct rfcomm_hdr *hdr; 1031 struct rfcomm_mcc *mcc; 1032 u8 buf[16], *ptr = buf; 1033 1034 BT_DBG("%p cr %d", s, cr); 1035 1036 hdr = (void *) ptr; ptr += sizeof(*hdr); 1037 hdr->addr = __addr(s->initiator, 0); 1038 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1039 hdr->len = __len8(sizeof(*mcc)); 1040 1041 mcc = (void *) ptr; ptr += sizeof(*mcc); 1042 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1043 mcc->len = __len8(0); 1044 1045 *ptr = __fcs(buf); ptr++; 1046 1047 return rfcomm_send_frame(s, buf, ptr - buf); 1048 } 1049 1050 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1051 { 1052 struct socket *sock = s->sock; 1053 struct kvec iv[3]; 1054 struct msghdr msg; 1055 unsigned char hdr[5], crc[1]; 1056 1057 if (len > 125) 1058 return -EINVAL; 1059 1060 BT_DBG("%p cr %d", s, cr); 1061 1062 hdr[0] = __addr(s->initiator, 0); 1063 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1064 hdr[2] = 0x01 | ((len + 2) << 1); 1065 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1066 hdr[4] = 0x01 | (len << 1); 1067 1068 crc[0] = __fcs(hdr); 1069 1070 iv[0].iov_base = hdr; 1071 iv[0].iov_len = 5; 1072 iv[1].iov_base = pattern; 1073 iv[1].iov_len = len; 1074 iv[2].iov_base = crc; 1075 iv[2].iov_len = 1; 1076 1077 memset(&msg, 0, sizeof(msg)); 1078 1079 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1080 } 1081 1082 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1083 { 1084 struct rfcomm_hdr *hdr; 1085 u8 buf[16], *ptr = buf; 1086 1087 BT_DBG("%p addr %d credits %d", s, addr, credits); 1088 1089 hdr = (void *) ptr; ptr += sizeof(*hdr); 1090 hdr->addr = addr; 1091 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1092 hdr->len = __len8(0); 1093 1094 *ptr = credits; ptr++; 1095 1096 *ptr = __fcs(buf); ptr++; 1097 1098 return rfcomm_send_frame(s, buf, ptr - buf); 1099 } 1100 1101 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1102 { 1103 struct rfcomm_hdr *hdr; 1104 int len = skb->len; 1105 u8 *crc; 1106 1107 if (len > 127) { 1108 hdr = (void *) skb_push(skb, 4); 1109 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1110 } else { 1111 hdr = (void *) skb_push(skb, 3); 1112 hdr->len = __len8(len); 1113 } 1114 hdr->addr = addr; 1115 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1116 1117 crc = skb_put(skb, 1); 1118 *crc = __fcs((void *) hdr); 1119 } 1120 1121 /* ---- RFCOMM frame reception ---- */ 1122 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1123 { 1124 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1125 1126 if (dlci) { 1127 /* Data channel */ 1128 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1129 if (!d) { 1130 rfcomm_send_dm(s, dlci); 1131 return 0; 1132 } 1133 1134 switch (d->state) { 1135 case BT_CONNECT: 1136 rfcomm_dlc_clear_timer(d); 1137 1138 rfcomm_dlc_lock(d); 1139 d->state = BT_CONNECTED; 1140 d->state_change(d, 0); 1141 rfcomm_dlc_unlock(d); 1142 1143 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1144 break; 1145 1146 case BT_DISCONN: 1147 d->state = BT_CLOSED; 1148 __rfcomm_dlc_close(d, 0); 1149 1150 if (list_empty(&s->dlcs)) { 1151 s->state = BT_DISCONN; 1152 rfcomm_send_disc(s, 0); 1153 rfcomm_session_clear_timer(s); 1154 } 1155 1156 break; 1157 } 1158 } else { 1159 /* Control channel */ 1160 switch (s->state) { 1161 case BT_CONNECT: 1162 s->state = BT_CONNECTED; 1163 rfcomm_process_connect(s); 1164 break; 1165 1166 case BT_DISCONN: 1167 /* When socket is closed and we are not RFCOMM 1168 * initiator rfcomm_process_rx already calls 1169 * rfcomm_session_put() */ 1170 if (s->sock->sk->sk_state != BT_CLOSED) 1171 if (list_empty(&s->dlcs)) 1172 rfcomm_session_put(s); 1173 break; 1174 } 1175 } 1176 return 0; 1177 } 1178 1179 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1180 { 1181 int err = 0; 1182 1183 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1184 1185 if (dlci) { 1186 /* Data DLC */ 1187 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1188 if (d) { 1189 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1190 err = ECONNREFUSED; 1191 else 1192 err = ECONNRESET; 1193 1194 d->state = BT_CLOSED; 1195 __rfcomm_dlc_close(d, err); 1196 } 1197 } else { 1198 if (s->state == BT_CONNECT) 1199 err = ECONNREFUSED; 1200 else 1201 err = ECONNRESET; 1202 1203 s->state = BT_CLOSED; 1204 rfcomm_session_close(s, err); 1205 } 1206 return 0; 1207 } 1208 1209 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci) 1210 { 1211 int err = 0; 1212 1213 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1214 1215 if (dlci) { 1216 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1217 if (d) { 1218 rfcomm_send_ua(s, dlci); 1219 1220 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1221 err = ECONNREFUSED; 1222 else 1223 err = ECONNRESET; 1224 1225 d->state = BT_CLOSED; 1226 __rfcomm_dlc_close(d, err); 1227 } else 1228 rfcomm_send_dm(s, dlci); 1229 1230 } else { 1231 rfcomm_send_ua(s, 0); 1232 1233 if (s->state == BT_CONNECT) 1234 err = ECONNREFUSED; 1235 else 1236 err = ECONNRESET; 1237 1238 s->state = BT_CLOSED; 1239 rfcomm_session_close(s, err); 1240 } 1241 1242 return 0; 1243 } 1244 1245 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1246 { 1247 struct sock *sk = d->session->sock->sk; 1248 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1249 1250 BT_DBG("dlc %p", d); 1251 1252 rfcomm_send_ua(d->session, d->dlci); 1253 1254 rfcomm_dlc_clear_timer(d); 1255 1256 rfcomm_dlc_lock(d); 1257 d->state = BT_CONNECTED; 1258 d->state_change(d, 0); 1259 rfcomm_dlc_unlock(d); 1260 1261 if (d->role_switch) 1262 hci_conn_switch_role(conn->hcon, 0x00); 1263 1264 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1265 } 1266 1267 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1268 { 1269 if (rfcomm_check_security(d)) { 1270 if (d->defer_setup) { 1271 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1272 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1273 1274 rfcomm_dlc_lock(d); 1275 d->state = BT_CONNECT2; 1276 d->state_change(d, 0); 1277 rfcomm_dlc_unlock(d); 1278 } else 1279 rfcomm_dlc_accept(d); 1280 } else { 1281 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1282 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1283 } 1284 } 1285 1286 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1287 { 1288 struct rfcomm_dlc *d; 1289 u8 channel; 1290 1291 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1292 1293 if (!dlci) { 1294 rfcomm_send_ua(s, 0); 1295 1296 if (s->state == BT_OPEN) { 1297 s->state = BT_CONNECTED; 1298 rfcomm_process_connect(s); 1299 } 1300 return 0; 1301 } 1302 1303 /* Check if DLC exists */ 1304 d = rfcomm_dlc_get(s, dlci); 1305 if (d) { 1306 if (d->state == BT_OPEN) { 1307 /* DLC was previously opened by PN request */ 1308 rfcomm_check_accept(d); 1309 } 1310 return 0; 1311 } 1312 1313 /* Notify socket layer about incoming connection */ 1314 channel = __srv_channel(dlci); 1315 if (rfcomm_connect_ind(s, channel, &d)) { 1316 d->dlci = dlci; 1317 d->addr = __addr(s->initiator, dlci); 1318 rfcomm_dlc_link(s, d); 1319 1320 rfcomm_check_accept(d); 1321 } else { 1322 rfcomm_send_dm(s, dlci); 1323 } 1324 1325 return 0; 1326 } 1327 1328 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1329 { 1330 struct rfcomm_session *s = d->session; 1331 1332 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1333 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1334 1335 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1336 pn->flow_ctrl == 0xe0) { 1337 d->cfc = RFCOMM_CFC_ENABLED; 1338 d->tx_credits = pn->credits; 1339 } else { 1340 d->cfc = RFCOMM_CFC_DISABLED; 1341 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1342 } 1343 1344 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1345 s->cfc = d->cfc; 1346 1347 d->priority = pn->priority; 1348 1349 d->mtu = __le16_to_cpu(pn->mtu); 1350 1351 if (cr && d->mtu > s->mtu) 1352 d->mtu = s->mtu; 1353 1354 return 0; 1355 } 1356 1357 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1358 { 1359 struct rfcomm_pn *pn = (void *) skb->data; 1360 struct rfcomm_dlc *d; 1361 u8 dlci = pn->dlci; 1362 1363 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1364 1365 if (!dlci) 1366 return 0; 1367 1368 d = rfcomm_dlc_get(s, dlci); 1369 if (d) { 1370 if (cr) { 1371 /* PN request */ 1372 rfcomm_apply_pn(d, cr, pn); 1373 rfcomm_send_pn(s, 0, d); 1374 } else { 1375 /* PN response */ 1376 switch (d->state) { 1377 case BT_CONFIG: 1378 rfcomm_apply_pn(d, cr, pn); 1379 1380 d->state = BT_CONNECT; 1381 rfcomm_send_sabm(s, d->dlci); 1382 break; 1383 } 1384 } 1385 } else { 1386 u8 channel = __srv_channel(dlci); 1387 1388 if (!cr) 1389 return 0; 1390 1391 /* PN request for non existing DLC. 1392 * Assume incoming connection. */ 1393 if (rfcomm_connect_ind(s, channel, &d)) { 1394 d->dlci = dlci; 1395 d->addr = __addr(s->initiator, dlci); 1396 rfcomm_dlc_link(s, d); 1397 1398 rfcomm_apply_pn(d, cr, pn); 1399 1400 d->state = BT_OPEN; 1401 rfcomm_send_pn(s, 0, d); 1402 } else { 1403 rfcomm_send_dm(s, dlci); 1404 } 1405 } 1406 return 0; 1407 } 1408 1409 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1410 { 1411 struct rfcomm_rpn *rpn = (void *) skb->data; 1412 u8 dlci = __get_dlci(rpn->dlci); 1413 1414 u8 bit_rate = 0; 1415 u8 data_bits = 0; 1416 u8 stop_bits = 0; 1417 u8 parity = 0; 1418 u8 flow_ctrl = 0; 1419 u8 xon_char = 0; 1420 u8 xoff_char = 0; 1421 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1422 1423 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1424 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1425 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1426 1427 if (!cr) 1428 return 0; 1429 1430 if (len == 1) { 1431 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1432 bit_rate = RFCOMM_RPN_BR_9600; 1433 data_bits = RFCOMM_RPN_DATA_8; 1434 stop_bits = RFCOMM_RPN_STOP_1; 1435 parity = RFCOMM_RPN_PARITY_NONE; 1436 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1437 xon_char = RFCOMM_RPN_XON_CHAR; 1438 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1439 goto rpn_out; 1440 } 1441 1442 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1443 * no parity, no flow control lines, normal XON/XOFF chars */ 1444 1445 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1446 bit_rate = rpn->bit_rate; 1447 if (bit_rate > RFCOMM_RPN_BR_230400) { 1448 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1449 bit_rate = RFCOMM_RPN_BR_9600; 1450 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1451 } 1452 } 1453 1454 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1455 data_bits = __get_rpn_data_bits(rpn->line_settings); 1456 if (data_bits != RFCOMM_RPN_DATA_8) { 1457 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1458 data_bits = RFCOMM_RPN_DATA_8; 1459 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1460 } 1461 } 1462 1463 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1464 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1465 if (stop_bits != RFCOMM_RPN_STOP_1) { 1466 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1467 stop_bits = RFCOMM_RPN_STOP_1; 1468 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1469 } 1470 } 1471 1472 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1473 parity = __get_rpn_parity(rpn->line_settings); 1474 if (parity != RFCOMM_RPN_PARITY_NONE) { 1475 BT_DBG("RPN parity mismatch 0x%x", parity); 1476 parity = RFCOMM_RPN_PARITY_NONE; 1477 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1478 } 1479 } 1480 1481 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1482 flow_ctrl = rpn->flow_ctrl; 1483 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1484 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1485 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1486 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1487 } 1488 } 1489 1490 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1491 xon_char = rpn->xon_char; 1492 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1493 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1494 xon_char = RFCOMM_RPN_XON_CHAR; 1495 rpn_mask ^= RFCOMM_RPN_PM_XON; 1496 } 1497 } 1498 1499 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1500 xoff_char = rpn->xoff_char; 1501 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1502 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1503 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1504 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1505 } 1506 } 1507 1508 rpn_out: 1509 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1510 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1511 1512 return 0; 1513 } 1514 1515 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1516 { 1517 struct rfcomm_rls *rls = (void *) skb->data; 1518 u8 dlci = __get_dlci(rls->dlci); 1519 1520 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1521 1522 if (!cr) 1523 return 0; 1524 1525 /* We should probably do something with this information here. But 1526 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1527 * mandatory to recognise and respond to RLS */ 1528 1529 rfcomm_send_rls(s, 0, dlci, rls->status); 1530 1531 return 0; 1532 } 1533 1534 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1535 { 1536 struct rfcomm_msc *msc = (void *) skb->data; 1537 struct rfcomm_dlc *d; 1538 u8 dlci = __get_dlci(msc->dlci); 1539 1540 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1541 1542 d = rfcomm_dlc_get(s, dlci); 1543 if (!d) 1544 return 0; 1545 1546 if (cr) { 1547 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1548 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1549 else 1550 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1551 1552 rfcomm_dlc_lock(d); 1553 1554 d->remote_v24_sig = msc->v24_sig; 1555 1556 if (d->modem_status) 1557 d->modem_status(d, msc->v24_sig); 1558 1559 rfcomm_dlc_unlock(d); 1560 1561 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1562 1563 d->mscex |= RFCOMM_MSCEX_RX; 1564 } else 1565 d->mscex |= RFCOMM_MSCEX_TX; 1566 1567 return 0; 1568 } 1569 1570 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1571 { 1572 struct rfcomm_mcc *mcc = (void *) skb->data; 1573 u8 type, cr, len; 1574 1575 cr = __test_cr(mcc->type); 1576 type = __get_mcc_type(mcc->type); 1577 len = __get_mcc_len(mcc->len); 1578 1579 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1580 1581 skb_pull(skb, 2); 1582 1583 switch (type) { 1584 case RFCOMM_PN: 1585 rfcomm_recv_pn(s, cr, skb); 1586 break; 1587 1588 case RFCOMM_RPN: 1589 rfcomm_recv_rpn(s, cr, len, skb); 1590 break; 1591 1592 case RFCOMM_RLS: 1593 rfcomm_recv_rls(s, cr, skb); 1594 break; 1595 1596 case RFCOMM_MSC: 1597 rfcomm_recv_msc(s, cr, skb); 1598 break; 1599 1600 case RFCOMM_FCOFF: 1601 if (cr) { 1602 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1603 rfcomm_send_fcoff(s, 0); 1604 } 1605 break; 1606 1607 case RFCOMM_FCON: 1608 if (cr) { 1609 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1610 rfcomm_send_fcon(s, 0); 1611 } 1612 break; 1613 1614 case RFCOMM_TEST: 1615 if (cr) 1616 rfcomm_send_test(s, 0, skb->data, skb->len); 1617 break; 1618 1619 case RFCOMM_NSC: 1620 break; 1621 1622 default: 1623 BT_ERR("Unknown control type 0x%02x", type); 1624 rfcomm_send_nsc(s, cr, type); 1625 break; 1626 } 1627 return 0; 1628 } 1629 1630 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1631 { 1632 struct rfcomm_dlc *d; 1633 1634 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1635 1636 d = rfcomm_dlc_get(s, dlci); 1637 if (!d) { 1638 rfcomm_send_dm(s, dlci); 1639 goto drop; 1640 } 1641 1642 if (pf && d->cfc) { 1643 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1644 1645 d->tx_credits += credits; 1646 if (d->tx_credits) 1647 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1648 } 1649 1650 if (skb->len && d->state == BT_CONNECTED) { 1651 rfcomm_dlc_lock(d); 1652 d->rx_credits--; 1653 d->data_ready(d, skb); 1654 rfcomm_dlc_unlock(d); 1655 return 0; 1656 } 1657 1658 drop: 1659 kfree_skb(skb); 1660 return 0; 1661 } 1662 1663 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) 1664 { 1665 struct rfcomm_hdr *hdr = (void *) skb->data; 1666 u8 type, dlci, fcs; 1667 1668 dlci = __get_dlci(hdr->addr); 1669 type = __get_type(hdr->ctrl); 1670 1671 /* Trim FCS */ 1672 skb->len--; skb->tail--; 1673 fcs = *(u8 *)skb_tail_pointer(skb); 1674 1675 if (__check_fcs(skb->data, type, fcs)) { 1676 BT_ERR("bad checksum in packet"); 1677 kfree_skb(skb); 1678 return -EILSEQ; 1679 } 1680 1681 if (__test_ea(hdr->len)) 1682 skb_pull(skb, 3); 1683 else 1684 skb_pull(skb, 4); 1685 1686 switch (type) { 1687 case RFCOMM_SABM: 1688 if (__test_pf(hdr->ctrl)) 1689 rfcomm_recv_sabm(s, dlci); 1690 break; 1691 1692 case RFCOMM_DISC: 1693 if (__test_pf(hdr->ctrl)) 1694 rfcomm_recv_disc(s, dlci); 1695 break; 1696 1697 case RFCOMM_UA: 1698 if (__test_pf(hdr->ctrl)) 1699 rfcomm_recv_ua(s, dlci); 1700 break; 1701 1702 case RFCOMM_DM: 1703 rfcomm_recv_dm(s, dlci); 1704 break; 1705 1706 case RFCOMM_UIH: 1707 if (dlci) 1708 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1709 1710 rfcomm_recv_mcc(s, skb); 1711 break; 1712 1713 default: 1714 BT_ERR("Unknown packet type 0x%02x", type); 1715 break; 1716 } 1717 kfree_skb(skb); 1718 return 0; 1719 } 1720 1721 /* ---- Connection and data processing ---- */ 1722 1723 static void rfcomm_process_connect(struct rfcomm_session *s) 1724 { 1725 struct rfcomm_dlc *d; 1726 struct list_head *p, *n; 1727 1728 BT_DBG("session %p state %ld", s, s->state); 1729 1730 list_for_each_safe(p, n, &s->dlcs) { 1731 d = list_entry(p, struct rfcomm_dlc, list); 1732 if (d->state == BT_CONFIG) { 1733 d->mtu = s->mtu; 1734 if (rfcomm_check_security(d)) { 1735 rfcomm_send_pn(s, 1, d); 1736 } else { 1737 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1738 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1739 } 1740 } 1741 } 1742 } 1743 1744 /* Send data queued for the DLC. 1745 * Return number of frames left in the queue. 1746 */ 1747 static inline int rfcomm_process_tx(struct rfcomm_dlc *d) 1748 { 1749 struct sk_buff *skb; 1750 int err; 1751 1752 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1753 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1754 1755 /* Send pending MSC */ 1756 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1757 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1758 1759 if (d->cfc) { 1760 /* CFC enabled. 1761 * Give them some credits */ 1762 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1763 d->rx_credits <= (d->cfc >> 2)) { 1764 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1765 d->rx_credits = d->cfc; 1766 } 1767 } else { 1768 /* CFC disabled. 1769 * Give ourselves some credits */ 1770 d->tx_credits = 5; 1771 } 1772 1773 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1774 return skb_queue_len(&d->tx_queue); 1775 1776 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1777 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1778 if (err < 0) { 1779 skb_queue_head(&d->tx_queue, skb); 1780 break; 1781 } 1782 kfree_skb(skb); 1783 d->tx_credits--; 1784 } 1785 1786 if (d->cfc && !d->tx_credits) { 1787 /* We're out of TX credits. 1788 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1789 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1790 } 1791 1792 return skb_queue_len(&d->tx_queue); 1793 } 1794 1795 static inline void rfcomm_process_dlcs(struct rfcomm_session *s) 1796 { 1797 struct rfcomm_dlc *d; 1798 struct list_head *p, *n; 1799 1800 BT_DBG("session %p state %ld", s, s->state); 1801 1802 list_for_each_safe(p, n, &s->dlcs) { 1803 d = list_entry(p, struct rfcomm_dlc, list); 1804 1805 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1806 __rfcomm_dlc_close(d, ETIMEDOUT); 1807 continue; 1808 } 1809 1810 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1811 __rfcomm_dlc_close(d, ECONNREFUSED); 1812 continue; 1813 } 1814 1815 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1816 rfcomm_dlc_clear_timer(d); 1817 if (d->out) { 1818 rfcomm_send_pn(s, 1, d); 1819 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1820 } else { 1821 if (d->defer_setup) { 1822 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1823 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1824 1825 rfcomm_dlc_lock(d); 1826 d->state = BT_CONNECT2; 1827 d->state_change(d, 0); 1828 rfcomm_dlc_unlock(d); 1829 } else 1830 rfcomm_dlc_accept(d); 1831 } 1832 continue; 1833 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1834 rfcomm_dlc_clear_timer(d); 1835 if (!d->out) 1836 rfcomm_send_dm(s, d->dlci); 1837 else 1838 d->state = BT_CLOSED; 1839 __rfcomm_dlc_close(d, ECONNREFUSED); 1840 continue; 1841 } 1842 1843 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1844 continue; 1845 1846 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1847 continue; 1848 1849 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1850 d->mscex == RFCOMM_MSCEX_OK) 1851 rfcomm_process_tx(d); 1852 } 1853 } 1854 1855 static inline void rfcomm_process_rx(struct rfcomm_session *s) 1856 { 1857 struct socket *sock = s->sock; 1858 struct sock *sk = sock->sk; 1859 struct sk_buff *skb; 1860 1861 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1862 1863 /* Get data directly from socket receive queue without copying it. */ 1864 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1865 skb_orphan(skb); 1866 if (!skb_linearize(skb)) 1867 rfcomm_recv_frame(s, skb); 1868 else 1869 kfree_skb(skb); 1870 } 1871 1872 if (sk->sk_state == BT_CLOSED) { 1873 if (!s->initiator) 1874 rfcomm_session_put(s); 1875 1876 rfcomm_session_close(s, sk->sk_err); 1877 } 1878 } 1879 1880 static inline void rfcomm_accept_connection(struct rfcomm_session *s) 1881 { 1882 struct socket *sock = s->sock, *nsock; 1883 int err; 1884 1885 /* Fast check for a new connection. 1886 * Avoids unnesesary socket allocations. */ 1887 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1888 return; 1889 1890 BT_DBG("session %p", s); 1891 1892 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1893 if (err < 0) 1894 return; 1895 1896 /* Set our callbacks */ 1897 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1898 nsock->sk->sk_state_change = rfcomm_l2state_change; 1899 1900 s = rfcomm_session_add(nsock, BT_OPEN); 1901 if (s) { 1902 rfcomm_session_hold(s); 1903 1904 /* We should adjust MTU on incoming sessions. 1905 * L2CAP MTU minus UIH header and FCS. */ 1906 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1907 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1908 1909 rfcomm_schedule(); 1910 } else 1911 sock_release(nsock); 1912 } 1913 1914 static inline void rfcomm_check_connection(struct rfcomm_session *s) 1915 { 1916 struct sock *sk = s->sock->sk; 1917 1918 BT_DBG("%p state %ld", s, s->state); 1919 1920 switch (sk->sk_state) { 1921 case BT_CONNECTED: 1922 s->state = BT_CONNECT; 1923 1924 /* We can adjust MTU on outgoing sessions. 1925 * L2CAP MTU minus UIH header and FCS. */ 1926 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1927 1928 rfcomm_send_sabm(s, 0); 1929 break; 1930 1931 case BT_CLOSED: 1932 s->state = BT_CLOSED; 1933 rfcomm_session_close(s, sk->sk_err); 1934 break; 1935 } 1936 } 1937 1938 static inline void rfcomm_process_sessions(void) 1939 { 1940 struct list_head *p, *n; 1941 1942 rfcomm_lock(); 1943 1944 list_for_each_safe(p, n, &session_list) { 1945 struct rfcomm_session *s; 1946 s = list_entry(p, struct rfcomm_session, list); 1947 1948 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1949 s->state = BT_DISCONN; 1950 rfcomm_send_disc(s, 0); 1951 rfcomm_session_put(s); 1952 continue; 1953 } 1954 1955 if (s->state == BT_LISTEN) { 1956 rfcomm_accept_connection(s); 1957 continue; 1958 } 1959 1960 rfcomm_session_hold(s); 1961 1962 switch (s->state) { 1963 case BT_BOUND: 1964 rfcomm_check_connection(s); 1965 break; 1966 1967 default: 1968 rfcomm_process_rx(s); 1969 break; 1970 } 1971 1972 rfcomm_process_dlcs(s); 1973 1974 rfcomm_session_put(s); 1975 } 1976 1977 rfcomm_unlock(); 1978 } 1979 1980 static int rfcomm_add_listener(bdaddr_t *ba) 1981 { 1982 struct sockaddr_l2 addr; 1983 struct socket *sock; 1984 struct sock *sk; 1985 struct rfcomm_session *s; 1986 int err = 0; 1987 1988 /* Create socket */ 1989 err = rfcomm_l2sock_create(&sock); 1990 if (err < 0) { 1991 BT_ERR("Create socket failed %d", err); 1992 return err; 1993 } 1994 1995 /* Bind socket */ 1996 bacpy(&addr.l2_bdaddr, ba); 1997 addr.l2_family = AF_BLUETOOTH; 1998 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 1999 addr.l2_cid = 0; 2000 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 2001 if (err < 0) { 2002 BT_ERR("Bind failed %d", err); 2003 goto failed; 2004 } 2005 2006 /* Set L2CAP options */ 2007 sk = sock->sk; 2008 lock_sock(sk); 2009 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 2010 release_sock(sk); 2011 2012 /* Start listening on the socket */ 2013 err = kernel_listen(sock, 10); 2014 if (err) { 2015 BT_ERR("Listen failed %d", err); 2016 goto failed; 2017 } 2018 2019 /* Add listening session */ 2020 s = rfcomm_session_add(sock, BT_LISTEN); 2021 if (!s) 2022 goto failed; 2023 2024 rfcomm_session_hold(s); 2025 return 0; 2026 failed: 2027 sock_release(sock); 2028 return err; 2029 } 2030 2031 static void rfcomm_kill_listener(void) 2032 { 2033 struct rfcomm_session *s; 2034 struct list_head *p, *n; 2035 2036 BT_DBG(""); 2037 2038 list_for_each_safe(p, n, &session_list) { 2039 s = list_entry(p, struct rfcomm_session, list); 2040 rfcomm_session_del(s); 2041 } 2042 } 2043 2044 static int rfcomm_run(void *unused) 2045 { 2046 BT_DBG(""); 2047 2048 set_user_nice(current, -10); 2049 2050 rfcomm_add_listener(BDADDR_ANY); 2051 2052 while (1) { 2053 set_current_state(TASK_INTERRUPTIBLE); 2054 2055 if (kthread_should_stop()) 2056 break; 2057 2058 /* Process stuff */ 2059 rfcomm_process_sessions(); 2060 2061 schedule(); 2062 } 2063 __set_current_state(TASK_RUNNING); 2064 2065 rfcomm_kill_listener(); 2066 2067 return 0; 2068 } 2069 2070 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2071 { 2072 struct rfcomm_session *s; 2073 struct rfcomm_dlc *d; 2074 struct list_head *p, *n; 2075 2076 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2077 2078 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2079 if (!s) 2080 return; 2081 2082 rfcomm_session_hold(s); 2083 2084 list_for_each_safe(p, n, &s->dlcs) { 2085 d = list_entry(p, struct rfcomm_dlc, list); 2086 2087 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2088 rfcomm_dlc_clear_timer(d); 2089 if (status || encrypt == 0x00) { 2090 set_bit(RFCOMM_ENC_DROP, &d->flags); 2091 continue; 2092 } 2093 } 2094 2095 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2096 if (d->sec_level == BT_SECURITY_MEDIUM) { 2097 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2098 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2099 continue; 2100 } else if (d->sec_level == BT_SECURITY_HIGH) { 2101 set_bit(RFCOMM_ENC_DROP, &d->flags); 2102 continue; 2103 } 2104 } 2105 2106 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2107 continue; 2108 2109 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2110 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2111 else 2112 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2113 } 2114 2115 rfcomm_session_put(s); 2116 2117 rfcomm_schedule(); 2118 } 2119 2120 static struct hci_cb rfcomm_cb = { 2121 .name = "RFCOMM", 2122 .security_cfm = rfcomm_security_cfm 2123 }; 2124 2125 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2126 { 2127 struct rfcomm_session *s; 2128 2129 rfcomm_lock(); 2130 2131 list_for_each_entry(s, &session_list, list) { 2132 struct rfcomm_dlc *d; 2133 list_for_each_entry(d, &s->dlcs, list) { 2134 struct sock *sk = s->sock->sk; 2135 2136 seq_printf(f, "%s %s %ld %d %d %d %d\n", 2137 batostr(&bt_sk(sk)->src), 2138 batostr(&bt_sk(sk)->dst), 2139 d->state, d->dlci, d->mtu, 2140 d->rx_credits, d->tx_credits); 2141 } 2142 } 2143 2144 rfcomm_unlock(); 2145 2146 return 0; 2147 } 2148 2149 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2150 { 2151 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2152 } 2153 2154 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2155 .open = rfcomm_dlc_debugfs_open, 2156 .read = seq_read, 2157 .llseek = seq_lseek, 2158 .release = single_release, 2159 }; 2160 2161 static struct dentry *rfcomm_dlc_debugfs; 2162 2163 /* ---- Initialization ---- */ 2164 static int __init rfcomm_init(void) 2165 { 2166 int err; 2167 2168 hci_register_cb(&rfcomm_cb); 2169 2170 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2171 if (IS_ERR(rfcomm_thread)) { 2172 err = PTR_ERR(rfcomm_thread); 2173 goto unregister; 2174 } 2175 2176 if (bt_debugfs) { 2177 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2178 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops); 2179 if (!rfcomm_dlc_debugfs) 2180 BT_ERR("Failed to create RFCOMM debug file"); 2181 } 2182 2183 err = rfcomm_init_ttys(); 2184 if (err < 0) 2185 goto stop; 2186 2187 err = rfcomm_init_sockets(); 2188 if (err < 0) 2189 goto cleanup; 2190 2191 BT_INFO("RFCOMM ver %s", VERSION); 2192 2193 return 0; 2194 2195 cleanup: 2196 rfcomm_cleanup_ttys(); 2197 2198 stop: 2199 kthread_stop(rfcomm_thread); 2200 2201 unregister: 2202 hci_unregister_cb(&rfcomm_cb); 2203 2204 return err; 2205 } 2206 2207 static void __exit rfcomm_exit(void) 2208 { 2209 debugfs_remove(rfcomm_dlc_debugfs); 2210 2211 hci_unregister_cb(&rfcomm_cb); 2212 2213 kthread_stop(rfcomm_thread); 2214 2215 rfcomm_cleanup_ttys(); 2216 2217 rfcomm_cleanup_sockets(); 2218 } 2219 2220 module_init(rfcomm_init); 2221 module_exit(rfcomm_exit); 2222 2223 module_param(disable_cfc, bool, 0644); 2224 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2225 2226 module_param(channel_mtu, int, 0644); 2227 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2228 2229 module_param(l2cap_mtu, uint, 0644); 2230 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2231 2232 module_param(l2cap_ertm, bool, 0644); 2233 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2234 2235 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2236 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2237 MODULE_VERSION(VERSION); 2238 MODULE_LICENSE("GPL"); 2239 MODULE_ALIAS("bt-proto-3"); 2240