1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/errno.h> 30 #include <linux/kernel.h> 31 #include <linux/sched.h> 32 #include <linux/signal.h> 33 #include <linux/init.h> 34 #include <linux/wait.h> 35 #include <linux/device.h> 36 #include <linux/debugfs.h> 37 #include <linux/seq_file.h> 38 #include <linux/net.h> 39 #include <linux/mutex.h> 40 #include <linux/kthread.h> 41 #include <linux/slab.h> 42 43 #include <net/sock.h> 44 #include <linux/uaccess.h> 45 #include <asm/unaligned.h> 46 47 #include <net/bluetooth/bluetooth.h> 48 #include <net/bluetooth/hci_core.h> 49 #include <net/bluetooth/l2cap.h> 50 #include <net/bluetooth/rfcomm.h> 51 52 #define VERSION "1.11" 53 54 static int disable_cfc; 55 static int l2cap_ertm; 56 static int channel_mtu = -1; 57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 58 59 static struct task_struct *rfcomm_thread; 60 61 static DEFINE_MUTEX(rfcomm_mutex); 62 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 64 65 66 static LIST_HEAD(session_list); 67 68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 71 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 78 79 static void rfcomm_process_connect(struct rfcomm_session *s); 80 81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 82 bdaddr_t *dst, 83 u8 sec_level, 84 int *err); 85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 86 static void rfcomm_session_del(struct rfcomm_session *s); 87 88 /* ---- RFCOMM frame parsing macros ---- */ 89 #define __get_dlci(b) ((b & 0xfc) >> 2) 90 #define __get_channel(b) ((b & 0xf8) >> 3) 91 #define __get_dir(b) ((b & 0x04) >> 2) 92 #define __get_type(b) ((b & 0xef)) 93 94 #define __test_ea(b) ((b & 0x01)) 95 #define __test_cr(b) ((b & 0x02)) 96 #define __test_pf(b) ((b & 0x10)) 97 98 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 99 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 100 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 101 #define __srv_channel(dlci) (dlci >> 1) 102 #define __dir(dlci) (dlci & 0x01) 103 104 #define __len8(len) (((len) << 1) | 1) 105 #define __len16(len) ((len) << 1) 106 107 /* MCC macros */ 108 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 109 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 110 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 111 112 /* RPN macros */ 113 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 114 #define __get_rpn_data_bits(line) ((line) & 0x3) 115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 116 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 117 118 static inline void rfcomm_schedule(void) 119 { 120 if (!rfcomm_thread) 121 return; 122 wake_up_process(rfcomm_thread); 123 } 124 125 static inline void rfcomm_session_put(struct rfcomm_session *s) 126 { 127 if (atomic_dec_and_test(&s->refcnt)) 128 rfcomm_session_del(s); 129 } 130 131 /* ---- RFCOMM FCS computation ---- */ 132 133 /* reversed, 8-bit, poly=0x07 */ 134 static unsigned char rfcomm_crc_table[256] = { 135 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 136 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 137 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 138 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 139 140 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 141 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 142 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 143 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 144 145 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 146 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 147 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 148 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 149 150 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 151 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 152 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 153 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 154 155 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 156 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 157 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 158 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 159 160 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 161 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 162 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 163 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 164 165 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 166 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 167 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 168 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 169 170 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 171 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 172 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 173 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 174 }; 175 176 /* CRC on 2 bytes */ 177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 178 179 /* FCS on 2 bytes */ 180 static inline u8 __fcs(u8 *data) 181 { 182 return 0xff - __crc(data); 183 } 184 185 /* FCS on 3 bytes */ 186 static inline u8 __fcs2(u8 *data) 187 { 188 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 189 } 190 191 /* Check FCS */ 192 static inline int __check_fcs(u8 *data, int type, u8 fcs) 193 { 194 u8 f = __crc(data); 195 196 if (type != RFCOMM_UIH) 197 f = rfcomm_crc_table[f ^ data[2]]; 198 199 return rfcomm_crc_table[f ^ fcs] != 0xcf; 200 } 201 202 /* ---- L2CAP callbacks ---- */ 203 static void rfcomm_l2state_change(struct sock *sk) 204 { 205 BT_DBG("%p state %d", sk, sk->sk_state); 206 rfcomm_schedule(); 207 } 208 209 static void rfcomm_l2data_ready(struct sock *sk, int bytes) 210 { 211 BT_DBG("%p bytes %d", sk, bytes); 212 rfcomm_schedule(); 213 } 214 215 static int rfcomm_l2sock_create(struct socket **sock) 216 { 217 int err; 218 219 BT_DBG(""); 220 221 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 222 if (!err) { 223 struct sock *sk = (*sock)->sk; 224 sk->sk_data_ready = rfcomm_l2data_ready; 225 sk->sk_state_change = rfcomm_l2state_change; 226 } 227 return err; 228 } 229 230 static inline int rfcomm_check_security(struct rfcomm_dlc *d) 231 { 232 struct sock *sk = d->session->sock->sk; 233 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 234 235 __u8 auth_type; 236 237 switch (d->sec_level) { 238 case BT_SECURITY_HIGH: 239 auth_type = HCI_AT_GENERAL_BONDING_MITM; 240 break; 241 case BT_SECURITY_MEDIUM: 242 auth_type = HCI_AT_GENERAL_BONDING; 243 break; 244 default: 245 auth_type = HCI_AT_NO_BONDING; 246 break; 247 } 248 249 return hci_conn_security(conn->hcon, d->sec_level, auth_type); 250 } 251 252 static void rfcomm_session_timeout(unsigned long arg) 253 { 254 struct rfcomm_session *s = (void *) arg; 255 256 BT_DBG("session %p state %ld", s, s->state); 257 258 set_bit(RFCOMM_TIMED_OUT, &s->flags); 259 rfcomm_schedule(); 260 } 261 262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 263 { 264 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 265 266 if (!mod_timer(&s->timer, jiffies + timeout)) 267 rfcomm_session_hold(s); 268 } 269 270 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 271 { 272 BT_DBG("session %p state %ld", s, s->state); 273 274 if (timer_pending(&s->timer) && del_timer(&s->timer)) 275 rfcomm_session_put(s); 276 } 277 278 /* ---- RFCOMM DLCs ---- */ 279 static void rfcomm_dlc_timeout(unsigned long arg) 280 { 281 struct rfcomm_dlc *d = (void *) arg; 282 283 BT_DBG("dlc %p state %ld", d, d->state); 284 285 set_bit(RFCOMM_TIMED_OUT, &d->flags); 286 rfcomm_dlc_put(d); 287 rfcomm_schedule(); 288 } 289 290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 291 { 292 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 293 294 if (!mod_timer(&d->timer, jiffies + timeout)) 295 rfcomm_dlc_hold(d); 296 } 297 298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 299 { 300 BT_DBG("dlc %p state %ld", d, d->state); 301 302 if (timer_pending(&d->timer) && del_timer(&d->timer)) 303 rfcomm_dlc_put(d); 304 } 305 306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 307 { 308 BT_DBG("%p", d); 309 310 d->state = BT_OPEN; 311 d->flags = 0; 312 d->mscex = 0; 313 d->sec_level = BT_SECURITY_LOW; 314 d->mtu = RFCOMM_DEFAULT_MTU; 315 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 316 317 d->cfc = RFCOMM_CFC_DISABLED; 318 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 319 } 320 321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 322 { 323 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 324 325 if (!d) 326 return NULL; 327 328 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 329 330 skb_queue_head_init(&d->tx_queue); 331 spin_lock_init(&d->lock); 332 atomic_set(&d->refcnt, 1); 333 334 rfcomm_dlc_clear_state(d); 335 336 BT_DBG("%p", d); 337 338 return d; 339 } 340 341 void rfcomm_dlc_free(struct rfcomm_dlc *d) 342 { 343 BT_DBG("%p", d); 344 345 skb_queue_purge(&d->tx_queue); 346 kfree(d); 347 } 348 349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 350 { 351 BT_DBG("dlc %p session %p", d, s); 352 353 rfcomm_session_hold(s); 354 355 rfcomm_session_clear_timer(s); 356 rfcomm_dlc_hold(d); 357 list_add(&d->list, &s->dlcs); 358 d->session = s; 359 } 360 361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 362 { 363 struct rfcomm_session *s = d->session; 364 365 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 366 367 list_del(&d->list); 368 d->session = NULL; 369 rfcomm_dlc_put(d); 370 371 if (list_empty(&s->dlcs)) 372 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 373 374 rfcomm_session_put(s); 375 } 376 377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 378 { 379 struct rfcomm_dlc *d; 380 struct list_head *p; 381 382 list_for_each(p, &s->dlcs) { 383 d = list_entry(p, struct rfcomm_dlc, list); 384 if (d->dlci == dlci) 385 return d; 386 } 387 return NULL; 388 } 389 390 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 391 { 392 struct rfcomm_session *s; 393 int err = 0; 394 u8 dlci; 395 396 BT_DBG("dlc %p state %ld %s %s channel %d", 397 d, d->state, batostr(src), batostr(dst), channel); 398 399 if (channel < 1 || channel > 30) 400 return -EINVAL; 401 402 if (d->state != BT_OPEN && d->state != BT_CLOSED) 403 return 0; 404 405 s = rfcomm_session_get(src, dst); 406 if (!s) { 407 s = rfcomm_session_create(src, dst, d->sec_level, &err); 408 if (!s) 409 return err; 410 } 411 412 dlci = __dlci(!s->initiator, channel); 413 414 /* Check if DLCI already exists */ 415 if (rfcomm_dlc_get(s, dlci)) 416 return -EBUSY; 417 418 rfcomm_dlc_clear_state(d); 419 420 d->dlci = dlci; 421 d->addr = __addr(s->initiator, dlci); 422 d->priority = 7; 423 424 d->state = BT_CONFIG; 425 rfcomm_dlc_link(s, d); 426 427 d->out = 1; 428 429 d->mtu = s->mtu; 430 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 431 432 if (s->state == BT_CONNECTED) { 433 if (rfcomm_check_security(d)) 434 rfcomm_send_pn(s, 1, d); 435 else 436 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 437 } 438 439 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 440 441 return 0; 442 } 443 444 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 445 { 446 int r; 447 448 rfcomm_lock(); 449 450 r = __rfcomm_dlc_open(d, src, dst, channel); 451 452 rfcomm_unlock(); 453 return r; 454 } 455 456 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 457 { 458 struct rfcomm_session *s = d->session; 459 if (!s) 460 return 0; 461 462 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 463 d, d->state, d->dlci, err, s); 464 465 switch (d->state) { 466 case BT_CONNECT: 467 case BT_CONFIG: 468 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 469 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 470 rfcomm_schedule(); 471 break; 472 } 473 /* Fall through */ 474 475 case BT_CONNECTED: 476 d->state = BT_DISCONN; 477 if (skb_queue_empty(&d->tx_queue)) { 478 rfcomm_send_disc(s, d->dlci); 479 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 480 } else { 481 rfcomm_queue_disc(d); 482 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 483 } 484 break; 485 486 case BT_OPEN: 487 case BT_CONNECT2: 488 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 489 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 490 rfcomm_schedule(); 491 break; 492 } 493 /* Fall through */ 494 495 default: 496 rfcomm_dlc_clear_timer(d); 497 498 rfcomm_dlc_lock(d); 499 d->state = BT_CLOSED; 500 d->state_change(d, err); 501 rfcomm_dlc_unlock(d); 502 503 skb_queue_purge(&d->tx_queue); 504 rfcomm_dlc_unlink(d); 505 } 506 507 return 0; 508 } 509 510 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 511 { 512 int r; 513 514 rfcomm_lock(); 515 516 r = __rfcomm_dlc_close(d, err); 517 518 rfcomm_unlock(); 519 return r; 520 } 521 522 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 523 { 524 int len = skb->len; 525 526 if (d->state != BT_CONNECTED) 527 return -ENOTCONN; 528 529 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 530 531 if (len > d->mtu) 532 return -EINVAL; 533 534 rfcomm_make_uih(skb, d->addr); 535 skb_queue_tail(&d->tx_queue, skb); 536 537 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 538 rfcomm_schedule(); 539 return len; 540 } 541 542 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 543 { 544 BT_DBG("dlc %p state %ld", d, d->state); 545 546 if (!d->cfc) { 547 d->v24_sig |= RFCOMM_V24_FC; 548 set_bit(RFCOMM_MSC_PENDING, &d->flags); 549 } 550 rfcomm_schedule(); 551 } 552 553 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 554 { 555 BT_DBG("dlc %p state %ld", d, d->state); 556 557 if (!d->cfc) { 558 d->v24_sig &= ~RFCOMM_V24_FC; 559 set_bit(RFCOMM_MSC_PENDING, &d->flags); 560 } 561 rfcomm_schedule(); 562 } 563 564 /* 565 Set/get modem status functions use _local_ status i.e. what we report 566 to the other side. 567 Remote status is provided by dlc->modem_status() callback. 568 */ 569 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 570 { 571 BT_DBG("dlc %p state %ld v24_sig 0x%x", 572 d, d->state, v24_sig); 573 574 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 575 v24_sig |= RFCOMM_V24_FC; 576 else 577 v24_sig &= ~RFCOMM_V24_FC; 578 579 d->v24_sig = v24_sig; 580 581 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 582 rfcomm_schedule(); 583 584 return 0; 585 } 586 587 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 588 { 589 BT_DBG("dlc %p state %ld v24_sig 0x%x", 590 d, d->state, d->v24_sig); 591 592 *v24_sig = d->v24_sig; 593 return 0; 594 } 595 596 /* ---- RFCOMM sessions ---- */ 597 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 598 { 599 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 600 601 if (!s) 602 return NULL; 603 604 BT_DBG("session %p sock %p", s, sock); 605 606 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 607 608 INIT_LIST_HEAD(&s->dlcs); 609 s->state = state; 610 s->sock = sock; 611 612 s->mtu = RFCOMM_DEFAULT_MTU; 613 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 614 615 /* Do not increment module usage count for listening sessions. 616 * Otherwise we won't be able to unload the module. */ 617 if (state != BT_LISTEN) 618 if (!try_module_get(THIS_MODULE)) { 619 kfree(s); 620 return NULL; 621 } 622 623 list_add(&s->list, &session_list); 624 625 return s; 626 } 627 628 static void rfcomm_session_del(struct rfcomm_session *s) 629 { 630 int state = s->state; 631 632 BT_DBG("session %p state %ld", s, s->state); 633 634 list_del(&s->list); 635 636 if (state == BT_CONNECTED) 637 rfcomm_send_disc(s, 0); 638 639 rfcomm_session_clear_timer(s); 640 sock_release(s->sock); 641 kfree(s); 642 643 if (state != BT_LISTEN) 644 module_put(THIS_MODULE); 645 } 646 647 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 648 { 649 struct rfcomm_session *s; 650 struct list_head *p, *n; 651 struct bt_sock *sk; 652 list_for_each_safe(p, n, &session_list) { 653 s = list_entry(p, struct rfcomm_session, list); 654 sk = bt_sk(s->sock->sk); 655 656 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) && 657 !bacmp(&sk->dst, dst)) 658 return s; 659 } 660 return NULL; 661 } 662 663 static void rfcomm_session_close(struct rfcomm_session *s, int err) 664 { 665 struct rfcomm_dlc *d; 666 struct list_head *p, *n; 667 668 BT_DBG("session %p state %ld err %d", s, s->state, err); 669 670 rfcomm_session_hold(s); 671 672 s->state = BT_CLOSED; 673 674 /* Close all dlcs */ 675 list_for_each_safe(p, n, &s->dlcs) { 676 d = list_entry(p, struct rfcomm_dlc, list); 677 d->state = BT_CLOSED; 678 __rfcomm_dlc_close(d, err); 679 } 680 681 rfcomm_session_clear_timer(s); 682 rfcomm_session_put(s); 683 } 684 685 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 686 bdaddr_t *dst, 687 u8 sec_level, 688 int *err) 689 { 690 struct rfcomm_session *s = NULL; 691 struct sockaddr_l2 addr; 692 struct socket *sock; 693 struct sock *sk; 694 695 BT_DBG("%s %s", batostr(src), batostr(dst)); 696 697 *err = rfcomm_l2sock_create(&sock); 698 if (*err < 0) 699 return NULL; 700 701 bacpy(&addr.l2_bdaddr, src); 702 addr.l2_family = AF_BLUETOOTH; 703 addr.l2_psm = 0; 704 addr.l2_cid = 0; 705 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 706 if (*err < 0) 707 goto failed; 708 709 /* Set L2CAP options */ 710 sk = sock->sk; 711 lock_sock(sk); 712 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 713 l2cap_pi(sk)->chan->sec_level = sec_level; 714 if (l2cap_ertm) 715 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 716 release_sock(sk); 717 718 s = rfcomm_session_add(sock, BT_BOUND); 719 if (!s) { 720 *err = -ENOMEM; 721 goto failed; 722 } 723 724 s->initiator = 1; 725 726 bacpy(&addr.l2_bdaddr, dst); 727 addr.l2_family = AF_BLUETOOTH; 728 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 729 addr.l2_cid = 0; 730 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 731 if (*err == 0 || *err == -EINPROGRESS) 732 return s; 733 734 rfcomm_session_del(s); 735 return NULL; 736 737 failed: 738 sock_release(sock); 739 return NULL; 740 } 741 742 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 743 { 744 struct sock *sk = s->sock->sk; 745 if (src) 746 bacpy(src, &bt_sk(sk)->src); 747 if (dst) 748 bacpy(dst, &bt_sk(sk)->dst); 749 } 750 751 /* ---- RFCOMM frame sending ---- */ 752 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 753 { 754 struct socket *sock = s->sock; 755 struct kvec iv = { data, len }; 756 struct msghdr msg; 757 758 BT_DBG("session %p len %d", s, len); 759 760 memset(&msg, 0, sizeof(msg)); 761 762 return kernel_sendmsg(sock, &msg, &iv, 1, len); 763 } 764 765 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 766 { 767 struct rfcomm_cmd cmd; 768 769 BT_DBG("%p dlci %d", s, dlci); 770 771 cmd.addr = __addr(s->initiator, dlci); 772 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 773 cmd.len = __len8(0); 774 cmd.fcs = __fcs2((u8 *) &cmd); 775 776 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 777 } 778 779 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 780 { 781 struct rfcomm_cmd cmd; 782 783 BT_DBG("%p dlci %d", s, dlci); 784 785 cmd.addr = __addr(!s->initiator, dlci); 786 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 787 cmd.len = __len8(0); 788 cmd.fcs = __fcs2((u8 *) &cmd); 789 790 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 791 } 792 793 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 794 { 795 struct rfcomm_cmd cmd; 796 797 BT_DBG("%p dlci %d", s, dlci); 798 799 cmd.addr = __addr(s->initiator, dlci); 800 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 801 cmd.len = __len8(0); 802 cmd.fcs = __fcs2((u8 *) &cmd); 803 804 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 805 } 806 807 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 808 { 809 struct rfcomm_cmd *cmd; 810 struct sk_buff *skb; 811 812 BT_DBG("dlc %p dlci %d", d, d->dlci); 813 814 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 815 if (!skb) 816 return -ENOMEM; 817 818 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 819 cmd->addr = d->addr; 820 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 821 cmd->len = __len8(0); 822 cmd->fcs = __fcs2((u8 *) cmd); 823 824 skb_queue_tail(&d->tx_queue, skb); 825 rfcomm_schedule(); 826 return 0; 827 } 828 829 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 830 { 831 struct rfcomm_cmd cmd; 832 833 BT_DBG("%p dlci %d", s, dlci); 834 835 cmd.addr = __addr(!s->initiator, dlci); 836 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 837 cmd.len = __len8(0); 838 cmd.fcs = __fcs2((u8 *) &cmd); 839 840 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd)); 841 } 842 843 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 844 { 845 struct rfcomm_hdr *hdr; 846 struct rfcomm_mcc *mcc; 847 u8 buf[16], *ptr = buf; 848 849 BT_DBG("%p cr %d type %d", s, cr, type); 850 851 hdr = (void *) ptr; ptr += sizeof(*hdr); 852 hdr->addr = __addr(s->initiator, 0); 853 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 854 hdr->len = __len8(sizeof(*mcc) + 1); 855 856 mcc = (void *) ptr; ptr += sizeof(*mcc); 857 mcc->type = __mcc_type(cr, RFCOMM_NSC); 858 mcc->len = __len8(1); 859 860 /* Type that we didn't like */ 861 *ptr = __mcc_type(cr, type); ptr++; 862 863 *ptr = __fcs(buf); ptr++; 864 865 return rfcomm_send_frame(s, buf, ptr - buf); 866 } 867 868 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 869 { 870 struct rfcomm_hdr *hdr; 871 struct rfcomm_mcc *mcc; 872 struct rfcomm_pn *pn; 873 u8 buf[16], *ptr = buf; 874 875 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 876 877 hdr = (void *) ptr; ptr += sizeof(*hdr); 878 hdr->addr = __addr(s->initiator, 0); 879 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 880 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 881 882 mcc = (void *) ptr; ptr += sizeof(*mcc); 883 mcc->type = __mcc_type(cr, RFCOMM_PN); 884 mcc->len = __len8(sizeof(*pn)); 885 886 pn = (void *) ptr; ptr += sizeof(*pn); 887 pn->dlci = d->dlci; 888 pn->priority = d->priority; 889 pn->ack_timer = 0; 890 pn->max_retrans = 0; 891 892 if (s->cfc) { 893 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 894 pn->credits = RFCOMM_DEFAULT_CREDITS; 895 } else { 896 pn->flow_ctrl = 0; 897 pn->credits = 0; 898 } 899 900 if (cr && channel_mtu >= 0) 901 pn->mtu = cpu_to_le16(channel_mtu); 902 else 903 pn->mtu = cpu_to_le16(d->mtu); 904 905 *ptr = __fcs(buf); ptr++; 906 907 return rfcomm_send_frame(s, buf, ptr - buf); 908 } 909 910 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 911 u8 bit_rate, u8 data_bits, u8 stop_bits, 912 u8 parity, u8 flow_ctrl_settings, 913 u8 xon_char, u8 xoff_char, u16 param_mask) 914 { 915 struct rfcomm_hdr *hdr; 916 struct rfcomm_mcc *mcc; 917 struct rfcomm_rpn *rpn; 918 u8 buf[16], *ptr = buf; 919 920 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 921 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 922 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 923 flow_ctrl_settings, xon_char, xoff_char, param_mask); 924 925 hdr = (void *) ptr; ptr += sizeof(*hdr); 926 hdr->addr = __addr(s->initiator, 0); 927 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 928 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 929 930 mcc = (void *) ptr; ptr += sizeof(*mcc); 931 mcc->type = __mcc_type(cr, RFCOMM_RPN); 932 mcc->len = __len8(sizeof(*rpn)); 933 934 rpn = (void *) ptr; ptr += sizeof(*rpn); 935 rpn->dlci = __addr(1, dlci); 936 rpn->bit_rate = bit_rate; 937 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 938 rpn->flow_ctrl = flow_ctrl_settings; 939 rpn->xon_char = xon_char; 940 rpn->xoff_char = xoff_char; 941 rpn->param_mask = cpu_to_le16(param_mask); 942 943 *ptr = __fcs(buf); ptr++; 944 945 return rfcomm_send_frame(s, buf, ptr - buf); 946 } 947 948 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 949 { 950 struct rfcomm_hdr *hdr; 951 struct rfcomm_mcc *mcc; 952 struct rfcomm_rls *rls; 953 u8 buf[16], *ptr = buf; 954 955 BT_DBG("%p cr %d status 0x%x", s, cr, status); 956 957 hdr = (void *) ptr; ptr += sizeof(*hdr); 958 hdr->addr = __addr(s->initiator, 0); 959 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 960 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 961 962 mcc = (void *) ptr; ptr += sizeof(*mcc); 963 mcc->type = __mcc_type(cr, RFCOMM_RLS); 964 mcc->len = __len8(sizeof(*rls)); 965 966 rls = (void *) ptr; ptr += sizeof(*rls); 967 rls->dlci = __addr(1, dlci); 968 rls->status = status; 969 970 *ptr = __fcs(buf); ptr++; 971 972 return rfcomm_send_frame(s, buf, ptr - buf); 973 } 974 975 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 976 { 977 struct rfcomm_hdr *hdr; 978 struct rfcomm_mcc *mcc; 979 struct rfcomm_msc *msc; 980 u8 buf[16], *ptr = buf; 981 982 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 983 984 hdr = (void *) ptr; ptr += sizeof(*hdr); 985 hdr->addr = __addr(s->initiator, 0); 986 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 987 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 988 989 mcc = (void *) ptr; ptr += sizeof(*mcc); 990 mcc->type = __mcc_type(cr, RFCOMM_MSC); 991 mcc->len = __len8(sizeof(*msc)); 992 993 msc = (void *) ptr; ptr += sizeof(*msc); 994 msc->dlci = __addr(1, dlci); 995 msc->v24_sig = v24_sig | 0x01; 996 997 *ptr = __fcs(buf); ptr++; 998 999 return rfcomm_send_frame(s, buf, ptr - buf); 1000 } 1001 1002 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1003 { 1004 struct rfcomm_hdr *hdr; 1005 struct rfcomm_mcc *mcc; 1006 u8 buf[16], *ptr = buf; 1007 1008 BT_DBG("%p cr %d", s, cr); 1009 1010 hdr = (void *) ptr; ptr += sizeof(*hdr); 1011 hdr->addr = __addr(s->initiator, 0); 1012 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1013 hdr->len = __len8(sizeof(*mcc)); 1014 1015 mcc = (void *) ptr; ptr += sizeof(*mcc); 1016 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1017 mcc->len = __len8(0); 1018 1019 *ptr = __fcs(buf); ptr++; 1020 1021 return rfcomm_send_frame(s, buf, ptr - buf); 1022 } 1023 1024 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1025 { 1026 struct rfcomm_hdr *hdr; 1027 struct rfcomm_mcc *mcc; 1028 u8 buf[16], *ptr = buf; 1029 1030 BT_DBG("%p cr %d", s, cr); 1031 1032 hdr = (void *) ptr; ptr += sizeof(*hdr); 1033 hdr->addr = __addr(s->initiator, 0); 1034 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1035 hdr->len = __len8(sizeof(*mcc)); 1036 1037 mcc = (void *) ptr; ptr += sizeof(*mcc); 1038 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1039 mcc->len = __len8(0); 1040 1041 *ptr = __fcs(buf); ptr++; 1042 1043 return rfcomm_send_frame(s, buf, ptr - buf); 1044 } 1045 1046 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1047 { 1048 struct socket *sock = s->sock; 1049 struct kvec iv[3]; 1050 struct msghdr msg; 1051 unsigned char hdr[5], crc[1]; 1052 1053 if (len > 125) 1054 return -EINVAL; 1055 1056 BT_DBG("%p cr %d", s, cr); 1057 1058 hdr[0] = __addr(s->initiator, 0); 1059 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1060 hdr[2] = 0x01 | ((len + 2) << 1); 1061 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1062 hdr[4] = 0x01 | (len << 1); 1063 1064 crc[0] = __fcs(hdr); 1065 1066 iv[0].iov_base = hdr; 1067 iv[0].iov_len = 5; 1068 iv[1].iov_base = pattern; 1069 iv[1].iov_len = len; 1070 iv[2].iov_base = crc; 1071 iv[2].iov_len = 1; 1072 1073 memset(&msg, 0, sizeof(msg)); 1074 1075 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1076 } 1077 1078 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1079 { 1080 struct rfcomm_hdr *hdr; 1081 u8 buf[16], *ptr = buf; 1082 1083 BT_DBG("%p addr %d credits %d", s, addr, credits); 1084 1085 hdr = (void *) ptr; ptr += sizeof(*hdr); 1086 hdr->addr = addr; 1087 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1088 hdr->len = __len8(0); 1089 1090 *ptr = credits; ptr++; 1091 1092 *ptr = __fcs(buf); ptr++; 1093 1094 return rfcomm_send_frame(s, buf, ptr - buf); 1095 } 1096 1097 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1098 { 1099 struct rfcomm_hdr *hdr; 1100 int len = skb->len; 1101 u8 *crc; 1102 1103 if (len > 127) { 1104 hdr = (void *) skb_push(skb, 4); 1105 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1106 } else { 1107 hdr = (void *) skb_push(skb, 3); 1108 hdr->len = __len8(len); 1109 } 1110 hdr->addr = addr; 1111 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1112 1113 crc = skb_put(skb, 1); 1114 *crc = __fcs((void *) hdr); 1115 } 1116 1117 /* ---- RFCOMM frame reception ---- */ 1118 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1119 { 1120 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1121 1122 if (dlci) { 1123 /* Data channel */ 1124 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1125 if (!d) { 1126 rfcomm_send_dm(s, dlci); 1127 return 0; 1128 } 1129 1130 switch (d->state) { 1131 case BT_CONNECT: 1132 rfcomm_dlc_clear_timer(d); 1133 1134 rfcomm_dlc_lock(d); 1135 d->state = BT_CONNECTED; 1136 d->state_change(d, 0); 1137 rfcomm_dlc_unlock(d); 1138 1139 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1140 break; 1141 1142 case BT_DISCONN: 1143 d->state = BT_CLOSED; 1144 __rfcomm_dlc_close(d, 0); 1145 1146 if (list_empty(&s->dlcs)) { 1147 s->state = BT_DISCONN; 1148 rfcomm_send_disc(s, 0); 1149 rfcomm_session_clear_timer(s); 1150 } 1151 1152 break; 1153 } 1154 } else { 1155 /* Control channel */ 1156 switch (s->state) { 1157 case BT_CONNECT: 1158 s->state = BT_CONNECTED; 1159 rfcomm_process_connect(s); 1160 break; 1161 1162 case BT_DISCONN: 1163 /* When socket is closed and we are not RFCOMM 1164 * initiator rfcomm_process_rx already calls 1165 * rfcomm_session_put() */ 1166 if (s->sock->sk->sk_state != BT_CLOSED) 1167 if (list_empty(&s->dlcs)) 1168 rfcomm_session_put(s); 1169 break; 1170 } 1171 } 1172 return 0; 1173 } 1174 1175 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1176 { 1177 int err = 0; 1178 1179 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1180 1181 if (dlci) { 1182 /* Data DLC */ 1183 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1184 if (d) { 1185 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1186 err = ECONNREFUSED; 1187 else 1188 err = ECONNRESET; 1189 1190 d->state = BT_CLOSED; 1191 __rfcomm_dlc_close(d, err); 1192 } 1193 } else { 1194 if (s->state == BT_CONNECT) 1195 err = ECONNREFUSED; 1196 else 1197 err = ECONNRESET; 1198 1199 s->state = BT_CLOSED; 1200 rfcomm_session_close(s, err); 1201 } 1202 return 0; 1203 } 1204 1205 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci) 1206 { 1207 int err = 0; 1208 1209 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1210 1211 if (dlci) { 1212 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1213 if (d) { 1214 rfcomm_send_ua(s, dlci); 1215 1216 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1217 err = ECONNREFUSED; 1218 else 1219 err = ECONNRESET; 1220 1221 d->state = BT_CLOSED; 1222 __rfcomm_dlc_close(d, err); 1223 } else 1224 rfcomm_send_dm(s, dlci); 1225 1226 } else { 1227 rfcomm_send_ua(s, 0); 1228 1229 if (s->state == BT_CONNECT) 1230 err = ECONNREFUSED; 1231 else 1232 err = ECONNRESET; 1233 1234 s->state = BT_CLOSED; 1235 rfcomm_session_close(s, err); 1236 } 1237 1238 return 0; 1239 } 1240 1241 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1242 { 1243 struct sock *sk = d->session->sock->sk; 1244 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1245 1246 BT_DBG("dlc %p", d); 1247 1248 rfcomm_send_ua(d->session, d->dlci); 1249 1250 rfcomm_dlc_clear_timer(d); 1251 1252 rfcomm_dlc_lock(d); 1253 d->state = BT_CONNECTED; 1254 d->state_change(d, 0); 1255 rfcomm_dlc_unlock(d); 1256 1257 if (d->role_switch) 1258 hci_conn_switch_role(conn->hcon, 0x00); 1259 1260 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1261 } 1262 1263 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1264 { 1265 if (rfcomm_check_security(d)) { 1266 if (d->defer_setup) { 1267 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1268 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1269 1270 rfcomm_dlc_lock(d); 1271 d->state = BT_CONNECT2; 1272 d->state_change(d, 0); 1273 rfcomm_dlc_unlock(d); 1274 } else 1275 rfcomm_dlc_accept(d); 1276 } else { 1277 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1278 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1279 } 1280 } 1281 1282 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1283 { 1284 struct rfcomm_dlc *d; 1285 u8 channel; 1286 1287 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1288 1289 if (!dlci) { 1290 rfcomm_send_ua(s, 0); 1291 1292 if (s->state == BT_OPEN) { 1293 s->state = BT_CONNECTED; 1294 rfcomm_process_connect(s); 1295 } 1296 return 0; 1297 } 1298 1299 /* Check if DLC exists */ 1300 d = rfcomm_dlc_get(s, dlci); 1301 if (d) { 1302 if (d->state == BT_OPEN) { 1303 /* DLC was previously opened by PN request */ 1304 rfcomm_check_accept(d); 1305 } 1306 return 0; 1307 } 1308 1309 /* Notify socket layer about incoming connection */ 1310 channel = __srv_channel(dlci); 1311 if (rfcomm_connect_ind(s, channel, &d)) { 1312 d->dlci = dlci; 1313 d->addr = __addr(s->initiator, dlci); 1314 rfcomm_dlc_link(s, d); 1315 1316 rfcomm_check_accept(d); 1317 } else { 1318 rfcomm_send_dm(s, dlci); 1319 } 1320 1321 return 0; 1322 } 1323 1324 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1325 { 1326 struct rfcomm_session *s = d->session; 1327 1328 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1329 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1330 1331 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1332 pn->flow_ctrl == 0xe0) { 1333 d->cfc = RFCOMM_CFC_ENABLED; 1334 d->tx_credits = pn->credits; 1335 } else { 1336 d->cfc = RFCOMM_CFC_DISABLED; 1337 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1338 } 1339 1340 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1341 s->cfc = d->cfc; 1342 1343 d->priority = pn->priority; 1344 1345 d->mtu = __le16_to_cpu(pn->mtu); 1346 1347 if (cr && d->mtu > s->mtu) 1348 d->mtu = s->mtu; 1349 1350 return 0; 1351 } 1352 1353 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1354 { 1355 struct rfcomm_pn *pn = (void *) skb->data; 1356 struct rfcomm_dlc *d; 1357 u8 dlci = pn->dlci; 1358 1359 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1360 1361 if (!dlci) 1362 return 0; 1363 1364 d = rfcomm_dlc_get(s, dlci); 1365 if (d) { 1366 if (cr) { 1367 /* PN request */ 1368 rfcomm_apply_pn(d, cr, pn); 1369 rfcomm_send_pn(s, 0, d); 1370 } else { 1371 /* PN response */ 1372 switch (d->state) { 1373 case BT_CONFIG: 1374 rfcomm_apply_pn(d, cr, pn); 1375 1376 d->state = BT_CONNECT; 1377 rfcomm_send_sabm(s, d->dlci); 1378 break; 1379 } 1380 } 1381 } else { 1382 u8 channel = __srv_channel(dlci); 1383 1384 if (!cr) 1385 return 0; 1386 1387 /* PN request for non existing DLC. 1388 * Assume incoming connection. */ 1389 if (rfcomm_connect_ind(s, channel, &d)) { 1390 d->dlci = dlci; 1391 d->addr = __addr(s->initiator, dlci); 1392 rfcomm_dlc_link(s, d); 1393 1394 rfcomm_apply_pn(d, cr, pn); 1395 1396 d->state = BT_OPEN; 1397 rfcomm_send_pn(s, 0, d); 1398 } else { 1399 rfcomm_send_dm(s, dlci); 1400 } 1401 } 1402 return 0; 1403 } 1404 1405 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1406 { 1407 struct rfcomm_rpn *rpn = (void *) skb->data; 1408 u8 dlci = __get_dlci(rpn->dlci); 1409 1410 u8 bit_rate = 0; 1411 u8 data_bits = 0; 1412 u8 stop_bits = 0; 1413 u8 parity = 0; 1414 u8 flow_ctrl = 0; 1415 u8 xon_char = 0; 1416 u8 xoff_char = 0; 1417 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1418 1419 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1420 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1421 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1422 1423 if (!cr) 1424 return 0; 1425 1426 if (len == 1) { 1427 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1428 bit_rate = RFCOMM_RPN_BR_9600; 1429 data_bits = RFCOMM_RPN_DATA_8; 1430 stop_bits = RFCOMM_RPN_STOP_1; 1431 parity = RFCOMM_RPN_PARITY_NONE; 1432 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1433 xon_char = RFCOMM_RPN_XON_CHAR; 1434 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1435 goto rpn_out; 1436 } 1437 1438 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1439 * no parity, no flow control lines, normal XON/XOFF chars */ 1440 1441 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1442 bit_rate = rpn->bit_rate; 1443 if (bit_rate > RFCOMM_RPN_BR_230400) { 1444 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1445 bit_rate = RFCOMM_RPN_BR_9600; 1446 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1447 } 1448 } 1449 1450 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1451 data_bits = __get_rpn_data_bits(rpn->line_settings); 1452 if (data_bits != RFCOMM_RPN_DATA_8) { 1453 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1454 data_bits = RFCOMM_RPN_DATA_8; 1455 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1456 } 1457 } 1458 1459 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1460 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1461 if (stop_bits != RFCOMM_RPN_STOP_1) { 1462 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1463 stop_bits = RFCOMM_RPN_STOP_1; 1464 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1465 } 1466 } 1467 1468 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1469 parity = __get_rpn_parity(rpn->line_settings); 1470 if (parity != RFCOMM_RPN_PARITY_NONE) { 1471 BT_DBG("RPN parity mismatch 0x%x", parity); 1472 parity = RFCOMM_RPN_PARITY_NONE; 1473 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1474 } 1475 } 1476 1477 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1478 flow_ctrl = rpn->flow_ctrl; 1479 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1480 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1481 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1482 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1483 } 1484 } 1485 1486 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1487 xon_char = rpn->xon_char; 1488 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1489 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1490 xon_char = RFCOMM_RPN_XON_CHAR; 1491 rpn_mask ^= RFCOMM_RPN_PM_XON; 1492 } 1493 } 1494 1495 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1496 xoff_char = rpn->xoff_char; 1497 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1498 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1499 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1500 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1501 } 1502 } 1503 1504 rpn_out: 1505 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1506 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1507 1508 return 0; 1509 } 1510 1511 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1512 { 1513 struct rfcomm_rls *rls = (void *) skb->data; 1514 u8 dlci = __get_dlci(rls->dlci); 1515 1516 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1517 1518 if (!cr) 1519 return 0; 1520 1521 /* We should probably do something with this information here. But 1522 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1523 * mandatory to recognise and respond to RLS */ 1524 1525 rfcomm_send_rls(s, 0, dlci, rls->status); 1526 1527 return 0; 1528 } 1529 1530 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1531 { 1532 struct rfcomm_msc *msc = (void *) skb->data; 1533 struct rfcomm_dlc *d; 1534 u8 dlci = __get_dlci(msc->dlci); 1535 1536 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1537 1538 d = rfcomm_dlc_get(s, dlci); 1539 if (!d) 1540 return 0; 1541 1542 if (cr) { 1543 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1544 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1545 else 1546 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1547 1548 rfcomm_dlc_lock(d); 1549 1550 d->remote_v24_sig = msc->v24_sig; 1551 1552 if (d->modem_status) 1553 d->modem_status(d, msc->v24_sig); 1554 1555 rfcomm_dlc_unlock(d); 1556 1557 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1558 1559 d->mscex |= RFCOMM_MSCEX_RX; 1560 } else 1561 d->mscex |= RFCOMM_MSCEX_TX; 1562 1563 return 0; 1564 } 1565 1566 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1567 { 1568 struct rfcomm_mcc *mcc = (void *) skb->data; 1569 u8 type, cr, len; 1570 1571 cr = __test_cr(mcc->type); 1572 type = __get_mcc_type(mcc->type); 1573 len = __get_mcc_len(mcc->len); 1574 1575 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1576 1577 skb_pull(skb, 2); 1578 1579 switch (type) { 1580 case RFCOMM_PN: 1581 rfcomm_recv_pn(s, cr, skb); 1582 break; 1583 1584 case RFCOMM_RPN: 1585 rfcomm_recv_rpn(s, cr, len, skb); 1586 break; 1587 1588 case RFCOMM_RLS: 1589 rfcomm_recv_rls(s, cr, skb); 1590 break; 1591 1592 case RFCOMM_MSC: 1593 rfcomm_recv_msc(s, cr, skb); 1594 break; 1595 1596 case RFCOMM_FCOFF: 1597 if (cr) { 1598 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1599 rfcomm_send_fcoff(s, 0); 1600 } 1601 break; 1602 1603 case RFCOMM_FCON: 1604 if (cr) { 1605 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1606 rfcomm_send_fcon(s, 0); 1607 } 1608 break; 1609 1610 case RFCOMM_TEST: 1611 if (cr) 1612 rfcomm_send_test(s, 0, skb->data, skb->len); 1613 break; 1614 1615 case RFCOMM_NSC: 1616 break; 1617 1618 default: 1619 BT_ERR("Unknown control type 0x%02x", type); 1620 rfcomm_send_nsc(s, cr, type); 1621 break; 1622 } 1623 return 0; 1624 } 1625 1626 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1627 { 1628 struct rfcomm_dlc *d; 1629 1630 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1631 1632 d = rfcomm_dlc_get(s, dlci); 1633 if (!d) { 1634 rfcomm_send_dm(s, dlci); 1635 goto drop; 1636 } 1637 1638 if (pf && d->cfc) { 1639 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1640 1641 d->tx_credits += credits; 1642 if (d->tx_credits) 1643 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1644 } 1645 1646 if (skb->len && d->state == BT_CONNECTED) { 1647 rfcomm_dlc_lock(d); 1648 d->rx_credits--; 1649 d->data_ready(d, skb); 1650 rfcomm_dlc_unlock(d); 1651 return 0; 1652 } 1653 1654 drop: 1655 kfree_skb(skb); 1656 return 0; 1657 } 1658 1659 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb) 1660 { 1661 struct rfcomm_hdr *hdr = (void *) skb->data; 1662 u8 type, dlci, fcs; 1663 1664 dlci = __get_dlci(hdr->addr); 1665 type = __get_type(hdr->ctrl); 1666 1667 /* Trim FCS */ 1668 skb->len--; skb->tail--; 1669 fcs = *(u8 *)skb_tail_pointer(skb); 1670 1671 if (__check_fcs(skb->data, type, fcs)) { 1672 BT_ERR("bad checksum in packet"); 1673 kfree_skb(skb); 1674 return -EILSEQ; 1675 } 1676 1677 if (__test_ea(hdr->len)) 1678 skb_pull(skb, 3); 1679 else 1680 skb_pull(skb, 4); 1681 1682 switch (type) { 1683 case RFCOMM_SABM: 1684 if (__test_pf(hdr->ctrl)) 1685 rfcomm_recv_sabm(s, dlci); 1686 break; 1687 1688 case RFCOMM_DISC: 1689 if (__test_pf(hdr->ctrl)) 1690 rfcomm_recv_disc(s, dlci); 1691 break; 1692 1693 case RFCOMM_UA: 1694 if (__test_pf(hdr->ctrl)) 1695 rfcomm_recv_ua(s, dlci); 1696 break; 1697 1698 case RFCOMM_DM: 1699 rfcomm_recv_dm(s, dlci); 1700 break; 1701 1702 case RFCOMM_UIH: 1703 if (dlci) 1704 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1705 1706 rfcomm_recv_mcc(s, skb); 1707 break; 1708 1709 default: 1710 BT_ERR("Unknown packet type 0x%02x", type); 1711 break; 1712 } 1713 kfree_skb(skb); 1714 return 0; 1715 } 1716 1717 /* ---- Connection and data processing ---- */ 1718 1719 static void rfcomm_process_connect(struct rfcomm_session *s) 1720 { 1721 struct rfcomm_dlc *d; 1722 struct list_head *p, *n; 1723 1724 BT_DBG("session %p state %ld", s, s->state); 1725 1726 list_for_each_safe(p, n, &s->dlcs) { 1727 d = list_entry(p, struct rfcomm_dlc, list); 1728 if (d->state == BT_CONFIG) { 1729 d->mtu = s->mtu; 1730 if (rfcomm_check_security(d)) { 1731 rfcomm_send_pn(s, 1, d); 1732 } else { 1733 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1734 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1735 } 1736 } 1737 } 1738 } 1739 1740 /* Send data queued for the DLC. 1741 * Return number of frames left in the queue. 1742 */ 1743 static inline int rfcomm_process_tx(struct rfcomm_dlc *d) 1744 { 1745 struct sk_buff *skb; 1746 int err; 1747 1748 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1749 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1750 1751 /* Send pending MSC */ 1752 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1753 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1754 1755 if (d->cfc) { 1756 /* CFC enabled. 1757 * Give them some credits */ 1758 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1759 d->rx_credits <= (d->cfc >> 2)) { 1760 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1761 d->rx_credits = d->cfc; 1762 } 1763 } else { 1764 /* CFC disabled. 1765 * Give ourselves some credits */ 1766 d->tx_credits = 5; 1767 } 1768 1769 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1770 return skb_queue_len(&d->tx_queue); 1771 1772 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1773 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1774 if (err < 0) { 1775 skb_queue_head(&d->tx_queue, skb); 1776 break; 1777 } 1778 kfree_skb(skb); 1779 d->tx_credits--; 1780 } 1781 1782 if (d->cfc && !d->tx_credits) { 1783 /* We're out of TX credits. 1784 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1785 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1786 } 1787 1788 return skb_queue_len(&d->tx_queue); 1789 } 1790 1791 static inline void rfcomm_process_dlcs(struct rfcomm_session *s) 1792 { 1793 struct rfcomm_dlc *d; 1794 struct list_head *p, *n; 1795 1796 BT_DBG("session %p state %ld", s, s->state); 1797 1798 list_for_each_safe(p, n, &s->dlcs) { 1799 d = list_entry(p, struct rfcomm_dlc, list); 1800 1801 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1802 __rfcomm_dlc_close(d, ETIMEDOUT); 1803 continue; 1804 } 1805 1806 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1807 __rfcomm_dlc_close(d, ECONNREFUSED); 1808 continue; 1809 } 1810 1811 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1812 rfcomm_dlc_clear_timer(d); 1813 if (d->out) { 1814 rfcomm_send_pn(s, 1, d); 1815 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1816 } else { 1817 if (d->defer_setup) { 1818 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1819 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1820 1821 rfcomm_dlc_lock(d); 1822 d->state = BT_CONNECT2; 1823 d->state_change(d, 0); 1824 rfcomm_dlc_unlock(d); 1825 } else 1826 rfcomm_dlc_accept(d); 1827 } 1828 continue; 1829 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1830 rfcomm_dlc_clear_timer(d); 1831 if (!d->out) 1832 rfcomm_send_dm(s, d->dlci); 1833 else 1834 d->state = BT_CLOSED; 1835 __rfcomm_dlc_close(d, ECONNREFUSED); 1836 continue; 1837 } 1838 1839 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1840 continue; 1841 1842 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1843 continue; 1844 1845 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1846 d->mscex == RFCOMM_MSCEX_OK) 1847 rfcomm_process_tx(d); 1848 } 1849 } 1850 1851 static inline void rfcomm_process_rx(struct rfcomm_session *s) 1852 { 1853 struct socket *sock = s->sock; 1854 struct sock *sk = sock->sk; 1855 struct sk_buff *skb; 1856 1857 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1858 1859 /* Get data directly from socket receive queue without copying it. */ 1860 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1861 skb_orphan(skb); 1862 if (!skb_linearize(skb)) 1863 rfcomm_recv_frame(s, skb); 1864 else 1865 kfree_skb(skb); 1866 } 1867 1868 if (sk->sk_state == BT_CLOSED) { 1869 if (!s->initiator) 1870 rfcomm_session_put(s); 1871 1872 rfcomm_session_close(s, sk->sk_err); 1873 } 1874 } 1875 1876 static inline void rfcomm_accept_connection(struct rfcomm_session *s) 1877 { 1878 struct socket *sock = s->sock, *nsock; 1879 int err; 1880 1881 /* Fast check for a new connection. 1882 * Avoids unnesesary socket allocations. */ 1883 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1884 return; 1885 1886 BT_DBG("session %p", s); 1887 1888 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1889 if (err < 0) 1890 return; 1891 1892 /* Set our callbacks */ 1893 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1894 nsock->sk->sk_state_change = rfcomm_l2state_change; 1895 1896 s = rfcomm_session_add(nsock, BT_OPEN); 1897 if (s) { 1898 rfcomm_session_hold(s); 1899 1900 /* We should adjust MTU on incoming sessions. 1901 * L2CAP MTU minus UIH header and FCS. */ 1902 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1903 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1904 1905 rfcomm_schedule(); 1906 } else 1907 sock_release(nsock); 1908 } 1909 1910 static inline void rfcomm_check_connection(struct rfcomm_session *s) 1911 { 1912 struct sock *sk = s->sock->sk; 1913 1914 BT_DBG("%p state %ld", s, s->state); 1915 1916 switch (sk->sk_state) { 1917 case BT_CONNECTED: 1918 s->state = BT_CONNECT; 1919 1920 /* We can adjust MTU on outgoing sessions. 1921 * L2CAP MTU minus UIH header and FCS. */ 1922 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1923 1924 rfcomm_send_sabm(s, 0); 1925 break; 1926 1927 case BT_CLOSED: 1928 s->state = BT_CLOSED; 1929 rfcomm_session_close(s, sk->sk_err); 1930 break; 1931 } 1932 } 1933 1934 static inline void rfcomm_process_sessions(void) 1935 { 1936 struct list_head *p, *n; 1937 1938 rfcomm_lock(); 1939 1940 list_for_each_safe(p, n, &session_list) { 1941 struct rfcomm_session *s; 1942 s = list_entry(p, struct rfcomm_session, list); 1943 1944 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1945 s->state = BT_DISCONN; 1946 rfcomm_send_disc(s, 0); 1947 rfcomm_session_put(s); 1948 continue; 1949 } 1950 1951 if (s->state == BT_LISTEN) { 1952 rfcomm_accept_connection(s); 1953 continue; 1954 } 1955 1956 rfcomm_session_hold(s); 1957 1958 switch (s->state) { 1959 case BT_BOUND: 1960 rfcomm_check_connection(s); 1961 break; 1962 1963 default: 1964 rfcomm_process_rx(s); 1965 break; 1966 } 1967 1968 rfcomm_process_dlcs(s); 1969 1970 rfcomm_session_put(s); 1971 } 1972 1973 rfcomm_unlock(); 1974 } 1975 1976 static int rfcomm_add_listener(bdaddr_t *ba) 1977 { 1978 struct sockaddr_l2 addr; 1979 struct socket *sock; 1980 struct sock *sk; 1981 struct rfcomm_session *s; 1982 int err = 0; 1983 1984 /* Create socket */ 1985 err = rfcomm_l2sock_create(&sock); 1986 if (err < 0) { 1987 BT_ERR("Create socket failed %d", err); 1988 return err; 1989 } 1990 1991 /* Bind socket */ 1992 bacpy(&addr.l2_bdaddr, ba); 1993 addr.l2_family = AF_BLUETOOTH; 1994 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 1995 addr.l2_cid = 0; 1996 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 1997 if (err < 0) { 1998 BT_ERR("Bind failed %d", err); 1999 goto failed; 2000 } 2001 2002 /* Set L2CAP options */ 2003 sk = sock->sk; 2004 lock_sock(sk); 2005 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 2006 release_sock(sk); 2007 2008 /* Start listening on the socket */ 2009 err = kernel_listen(sock, 10); 2010 if (err) { 2011 BT_ERR("Listen failed %d", err); 2012 goto failed; 2013 } 2014 2015 /* Add listening session */ 2016 s = rfcomm_session_add(sock, BT_LISTEN); 2017 if (!s) 2018 goto failed; 2019 2020 rfcomm_session_hold(s); 2021 return 0; 2022 failed: 2023 sock_release(sock); 2024 return err; 2025 } 2026 2027 static void rfcomm_kill_listener(void) 2028 { 2029 struct rfcomm_session *s; 2030 struct list_head *p, *n; 2031 2032 BT_DBG(""); 2033 2034 list_for_each_safe(p, n, &session_list) { 2035 s = list_entry(p, struct rfcomm_session, list); 2036 rfcomm_session_del(s); 2037 } 2038 } 2039 2040 static int rfcomm_run(void *unused) 2041 { 2042 BT_DBG(""); 2043 2044 set_user_nice(current, -10); 2045 2046 rfcomm_add_listener(BDADDR_ANY); 2047 2048 while (1) { 2049 set_current_state(TASK_INTERRUPTIBLE); 2050 2051 if (kthread_should_stop()) 2052 break; 2053 2054 /* Process stuff */ 2055 rfcomm_process_sessions(); 2056 2057 schedule(); 2058 } 2059 __set_current_state(TASK_RUNNING); 2060 2061 rfcomm_kill_listener(); 2062 2063 return 0; 2064 } 2065 2066 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2067 { 2068 struct rfcomm_session *s; 2069 struct rfcomm_dlc *d; 2070 struct list_head *p, *n; 2071 2072 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2073 2074 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2075 if (!s) 2076 return; 2077 2078 rfcomm_session_hold(s); 2079 2080 list_for_each_safe(p, n, &s->dlcs) { 2081 d = list_entry(p, struct rfcomm_dlc, list); 2082 2083 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2084 rfcomm_dlc_clear_timer(d); 2085 if (status || encrypt == 0x00) { 2086 set_bit(RFCOMM_ENC_DROP, &d->flags); 2087 continue; 2088 } 2089 } 2090 2091 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2092 if (d->sec_level == BT_SECURITY_MEDIUM) { 2093 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2094 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2095 continue; 2096 } else if (d->sec_level == BT_SECURITY_HIGH) { 2097 set_bit(RFCOMM_ENC_DROP, &d->flags); 2098 continue; 2099 } 2100 } 2101 2102 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2103 continue; 2104 2105 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2106 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2107 else 2108 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2109 } 2110 2111 rfcomm_session_put(s); 2112 2113 rfcomm_schedule(); 2114 } 2115 2116 static struct hci_cb rfcomm_cb = { 2117 .name = "RFCOMM", 2118 .security_cfm = rfcomm_security_cfm 2119 }; 2120 2121 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2122 { 2123 struct rfcomm_session *s; 2124 struct list_head *pp, *p; 2125 2126 rfcomm_lock(); 2127 2128 list_for_each(p, &session_list) { 2129 s = list_entry(p, struct rfcomm_session, list); 2130 list_for_each(pp, &s->dlcs) { 2131 struct sock *sk = s->sock->sk; 2132 struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list); 2133 2134 seq_printf(f, "%s %s %ld %d %d %d %d\n", 2135 batostr(&bt_sk(sk)->src), 2136 batostr(&bt_sk(sk)->dst), 2137 d->state, d->dlci, d->mtu, 2138 d->rx_credits, d->tx_credits); 2139 } 2140 } 2141 2142 rfcomm_unlock(); 2143 2144 return 0; 2145 } 2146 2147 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2148 { 2149 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2150 } 2151 2152 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2153 .open = rfcomm_dlc_debugfs_open, 2154 .read = seq_read, 2155 .llseek = seq_lseek, 2156 .release = single_release, 2157 }; 2158 2159 static struct dentry *rfcomm_dlc_debugfs; 2160 2161 /* ---- Initialization ---- */ 2162 static int __init rfcomm_init(void) 2163 { 2164 int err; 2165 2166 hci_register_cb(&rfcomm_cb); 2167 2168 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2169 if (IS_ERR(rfcomm_thread)) { 2170 err = PTR_ERR(rfcomm_thread); 2171 goto unregister; 2172 } 2173 2174 if (bt_debugfs) { 2175 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2176 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops); 2177 if (!rfcomm_dlc_debugfs) 2178 BT_ERR("Failed to create RFCOMM debug file"); 2179 } 2180 2181 err = rfcomm_init_ttys(); 2182 if (err < 0) 2183 goto stop; 2184 2185 err = rfcomm_init_sockets(); 2186 if (err < 0) 2187 goto cleanup; 2188 2189 BT_INFO("RFCOMM ver %s", VERSION); 2190 2191 return 0; 2192 2193 cleanup: 2194 rfcomm_cleanup_ttys(); 2195 2196 stop: 2197 kthread_stop(rfcomm_thread); 2198 2199 unregister: 2200 hci_unregister_cb(&rfcomm_cb); 2201 2202 return err; 2203 } 2204 2205 static void __exit rfcomm_exit(void) 2206 { 2207 debugfs_remove(rfcomm_dlc_debugfs); 2208 2209 hci_unregister_cb(&rfcomm_cb); 2210 2211 kthread_stop(rfcomm_thread); 2212 2213 rfcomm_cleanup_ttys(); 2214 2215 rfcomm_cleanup_sockets(); 2216 } 2217 2218 module_init(rfcomm_init); 2219 module_exit(rfcomm_exit); 2220 2221 module_param(disable_cfc, bool, 0644); 2222 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2223 2224 module_param(channel_mtu, int, 0644); 2225 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2226 2227 module_param(l2cap_mtu, uint, 0644); 2228 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2229 2230 module_param(l2cap_ertm, bool, 0644); 2231 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2232 2233 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2234 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2235 MODULE_VERSION(VERSION); 2236 MODULE_LICENSE("GPL"); 2237 MODULE_ALIAS("bt-proto-3"); 2238