net/bluetooth/rfcomm/core.c

   1 /*
   2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   3    Copyright (C) 2002 Maxim Krasnyansky <[email protected]>
   4    Copyright (C) 2002 Marcel Holtmann <[email protected]>
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License version 2 as
   8    published by the Free Software Foundation;
   9
  10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18
  19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21    SOFTWARE IS DISCLAIMED.
  22 */
  23
  24 /*
  25  * Bluetooth RFCOMM core.
  26  */
  27
  28 #include <linux/module.h>
  29 #include <linux/debugfs.h>
  30 #include <linux/kthread.h>
  31 #include <asm/unaligned.h>
  32
  33 #include <net/bluetooth/bluetooth.h>
  34 #include <net/bluetooth/hci_core.h>
  35 #include <net/bluetooth/l2cap.h>
  36 #include <net/bluetooth/rfcomm.h>
  37
  38 #define VERSION "1.11"
  39
  40 static bool disable_cfc;
  41 static bool l2cap_ertm;
  42 static int channel_mtu = -1;
  43
  44 static struct task_struct *rfcomm_thread;
  45
  46 static DEFINE_MUTEX(rfcomm_mutex);
  47 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
  48 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
  49
  50
  51 static LIST_HEAD(session_list);
  52
  53 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
  54 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
  55 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
  56 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
  57 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
  58 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
  59 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
  60 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
  61 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
  62 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
  63
  64 static void rfcomm_process_connect(struct rfcomm_session *s);
  65
  66 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
  67                                                         bdaddr_t *dst,
  68                                                         u8 sec_level,
  69                                                         int *err);
  70 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
  71 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
  72
  73 /* ---- RFCOMM frame parsing macros ---- */
  74 #define __get_dlci(b)     ((b & 0xfc) >> 2)
  75 #define __get_type(b)     ((b & 0xef))
  76
  77 #define __test_ea(b)      ((b & 0x01))
  78 #define __test_cr(b)      (!!(b & 0x02))
  79 #define __test_pf(b)      (!!(b & 0x10))
  80
  81 #define __session_dir(s)  ((s)->initiator ? 0x00 : 0x01)
  82
  83 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
  84 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
  85 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
  86 #define __srv_channel(dlci)    (dlci >> 1)
  87
  88 #define __len8(len)       (((len) << 1) | 1)
  89 #define __len16(len)      ((len) << 1)
  90
  91 /* MCC macros */
  92 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
  93 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
  94 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
  95
  96 /* RPN macros */
  97 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
  98 #define __get_rpn_data_bits(line) ((line) & 0x3)
  99 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
 100 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
 101
 102 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
 103
 104 static void rfcomm_schedule(void)
 105 {
 106         wake_up_all(&rfcomm_wq);
 107 }
 108
 109 /* ---- RFCOMM FCS computation ---- */
 110
 111 /* reversed, 8-bit, poly=0x07 */
 112 static unsigned char rfcomm_crc_table[256] = {
 113         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
 114         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
 115         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
 116         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
 117
 118         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
 119         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
 120         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
 121         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
 122
 123         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
 124         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
 125         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
 126         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
 127
 128         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
 129         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
 130         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
 131         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
 132
 133         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
 134         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
 135         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
 136         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
 137
 138         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
 139         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
 140         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
 141         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
 142
 143         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
 144         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
 145         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
 146         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
 147
 148         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
 149         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
 150         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
 151         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
 152 };
 153
 154 /* CRC on 2 bytes */
 155 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
 156
 157 /* FCS on 2 bytes */
 158 static inline u8 __fcs(u8 *data)
 159 {
 160         return 0xff - __crc(data);
 161 }
 162
 163 /* FCS on 3 bytes */
 164 static inline u8 __fcs2(u8 *data)
 165 {
 166         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
 167 }
 168
 169 /* Check FCS */
 170 static inline int __check_fcs(u8 *data, int type, u8 fcs)
 171 {
 172         u8 f = __crc(data);
 173
 174         if (type != RFCOMM_UIH)
 175                 f = rfcomm_crc_table[f ^ data[2]];
 176
 177         return rfcomm_crc_table[f ^ fcs] != 0xcf;
 178 }
 179
 180 /* ---- L2CAP callbacks ---- */
 181 static void rfcomm_l2state_change(struct sock *sk)
 182 {
 183         BT_DBG("%p state %d", sk, sk->sk_state);
 184         rfcomm_schedule();
 185 }
 186
 187 static void rfcomm_l2data_ready(struct sock *sk)
 188 {
 189         BT_DBG("%p", sk);
 190         rfcomm_schedule();
 191 }
 192
 193 static int rfcomm_l2sock_create(struct socket **sock)
 194 {
 195         int err;
 196
 197         BT_DBG("");
 198
 199         err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
 200         if (!err) {
 201                 struct sock *sk = (*sock)->sk;
 202                 sk->sk_data_ready   = rfcomm_l2data_ready;
 203                 sk->sk_state_change = rfcomm_l2state_change;
 204         }
 205         return err;
 206 }
 207
 208 static int rfcomm_check_security(struct rfcomm_dlc *d)
 209 {
 210         struct sock *sk = d->session->sock->sk;
 211         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
 212
 213         __u8 auth_type;
 214
 215         switch (d->sec_level) {
 216         case BT_SECURITY_HIGH:
 217         case BT_SECURITY_FIPS:
 218                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
 219                 break;
 220         case BT_SECURITY_MEDIUM:
 221                 auth_type = HCI_AT_GENERAL_BONDING;
 222                 break;
 223         default:
 224                 auth_type = HCI_AT_NO_BONDING;
 225                 break;
 226         }
 227
 228         return hci_conn_security(conn->hcon, d->sec_level, auth_type,
 229                                  d->out);
 230 }
 231
 232 static void rfcomm_session_timeout(struct timer_list *t)
 233 {
 234         struct rfcomm_session *s = from_timer(s, t, timer);
 235
 236         BT_DBG("session %p state %ld", s, s->state);
 237
 238         set_bit(RFCOMM_TIMED_OUT, &s->flags);
 239         rfcomm_schedule();
 240 }
 241
 242 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
 243 {
 244         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
 245
 246         mod_timer(&s->timer, jiffies + timeout);
 247 }
 248
 249 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
 250 {
 251         BT_DBG("session %p state %ld", s, s->state);
 252
 253         del_timer_sync(&s->timer);
 254 }
 255
 256 /* ---- RFCOMM DLCs ---- */
 257 static void rfcomm_dlc_timeout(struct timer_list *t)
 258 {
 259         struct rfcomm_dlc *d = from_timer(d, t, timer);
 260
 261         BT_DBG("dlc %p state %ld", d, d->state);
 262
 263         set_bit(RFCOMM_TIMED_OUT, &d->flags);
 264         rfcomm_dlc_put(d);
 265         rfcomm_schedule();
 266 }
 267
 268 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
 269 {
 270         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
 271
 272         if (!mod_timer(&d->timer, jiffies + timeout))
 273                 rfcomm_dlc_hold(d);
 274 }
 275
 276 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
 277 {
 278         BT_DBG("dlc %p state %ld", d, d->state);
 279
 280         if (del_timer(&d->timer))
 281                 rfcomm_dlc_put(d);
 282 }
 283
 284 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
 285 {
 286         BT_DBG("%p", d);
 287
 288         d->state      = BT_OPEN;
 289         d->flags      = 0;
 290         d->mscex      = 0;
 291         d->sec_level  = BT_SECURITY_LOW;
 292         d->mtu        = RFCOMM_DEFAULT_MTU;
 293         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
 294
 295         d->cfc        = RFCOMM_CFC_DISABLED;
 296         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
 297 }
 298
 299 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
 300 {
 301         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
 302
 303         if (!d)
 304                 return NULL;
 305
 306         timer_setup(&d->timer, rfcomm_dlc_timeout, 0);
 307
 308         skb_queue_head_init(&d->tx_queue);
 309         mutex_init(&d->lock);
 310         refcount_set(&d->refcnt, 1);
 311
 312         rfcomm_dlc_clear_state(d);
 313
 314         BT_DBG("%p", d);
 315
 316         return d;
 317 }
 318
 319 void rfcomm_dlc_free(struct rfcomm_dlc *d)
 320 {
 321         BT_DBG("%p", d);
 322
 323         skb_queue_purge(&d->tx_queue);
 324         kfree(d);
 325 }
 326
 327 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
 328 {
 329         BT_DBG("dlc %p session %p", d, s);
 330
 331         rfcomm_session_clear_timer(s);
 332         rfcomm_dlc_hold(d);
 333         list_add(&d->list, &s->dlcs);
 334         d->session = s;
 335 }
 336
 337 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
 338 {
 339         struct rfcomm_session *s = d->session;
 340
 341         BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);
 342
 343         list_del(&d->list);
 344         d->session = NULL;
 345         rfcomm_dlc_put(d);
 346
 347         if (list_empty(&s->dlcs))
 348                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
 349 }
 350
 351 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
 352 {
 353         struct rfcomm_dlc *d;
 354
 355         list_for_each_entry(d, &s->dlcs, list)
 356                 if (d->dlci == dlci)
 357                         return d;
 358
 359         return NULL;
 360 }
 361
 362 static int rfcomm_check_channel(u8 channel)
 363 {
 364         return channel < 1 || channel > 30;
 365 }
 366
 367 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 368 {
 369         struct rfcomm_session *s;
 370         int err = 0;
 371         u8 dlci;
 372
 373         BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
 374                d, d->state, src, dst, channel);
 375
 376         if (rfcomm_check_channel(channel))
 377                 return -EINVAL;
 378
 379         if (d->state != BT_OPEN && d->state != BT_CLOSED)
 380                 return 0;
 381
 382         s = rfcomm_session_get(src, dst);
 383         if (!s) {
 384                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
 385                 if (!s)
 386                         return err;
 387         }
 388
 389         dlci = __dlci(__session_dir(s), channel);
 390
 391         /* Check if DLCI already exists */
 392         if (rfcomm_dlc_get(s, dlci))
 393                 return -EBUSY;
 394
 395         rfcomm_dlc_clear_state(d);
 396
 397         d->dlci     = dlci;
 398         d->addr     = __addr(s->initiator, dlci);
 399         d->priority = 7;
 400
 401         d->state = BT_CONFIG;
 402         rfcomm_dlc_link(s, d);
 403
 404         d->out = 1;
 405
 406         d->mtu = s->mtu;
 407         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
 408
 409         if (s->state == BT_CONNECTED) {
 410                 if (rfcomm_check_security(d))
 411                         rfcomm_send_pn(s, 1, d);
 412                 else
 413                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
 414         }
 415
 416         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
 417
 418         return 0;
 419 }
 420
 421 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 422 {
 423         int r;
 424
 425         rfcomm_lock();
 426
 427         r = __rfcomm_dlc_open(d, src, dst, channel);
 428
 429         rfcomm_unlock();
 430         return r;
 431 }
 432
 433 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
 434 {
 435         struct rfcomm_session *s = d->session;
 436
 437         d->state = BT_DISCONN;
 438         if (skb_queue_empty(&d->tx_queue)) {
 439                 rfcomm_send_disc(s, d->dlci);
 440                 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
 441         } else {
 442                 rfcomm_queue_disc(d);
 443                 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
 444         }
 445 }
 446
 447 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 448 {
 449         struct rfcomm_session *s = d->session;
 450         if (!s)
 451                 return 0;
 452
 453         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
 454                         d, d->state, d->dlci, err, s);
 455
 456         switch (d->state) {
 457         case BT_CONNECT:
 458         case BT_CONFIG:
 459         case BT_OPEN:
 460         case BT_CONNECT2:
 461                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 462                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 463                         rfcomm_schedule();
 464                         return 0;
 465                 }
 466         }
 467
 468         switch (d->state) {
 469         case BT_CONNECT:
 470         case BT_CONNECTED:
 471                 __rfcomm_dlc_disconn(d);
 472                 break;
 473
 474         case BT_CONFIG:
 475                 if (s->state != BT_BOUND) {
 476                         __rfcomm_dlc_disconn(d);
 477                         break;
 478                 }
 479                 /* if closing a dlc in a session that hasn't been started,
 480                  * just close and unlink the dlc
 481                  */
 482                 fallthrough;
 483
 484         default:
 485                 rfcomm_dlc_clear_timer(d);
 486
 487                 rfcomm_dlc_lock(d);
 488                 d->state = BT_CLOSED;
 489                 d->state_change(d, err);
 490                 rfcomm_dlc_unlock(d);
 491
 492                 skb_queue_purge(&d->tx_queue);
 493                 rfcomm_dlc_unlink(d);
 494         }
 495
 496         return 0;
 497 }
 498
 499 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 500 {
 501         int r = 0;
 502         struct rfcomm_dlc *d_list;
 503         struct rfcomm_session *s, *s_list;
 504
 505         BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
 506
 507         rfcomm_lock();
 508
 509         s = d->session;
 510         if (!s)
 511                 goto no_session;
 512
 513         /* after waiting on the mutex check the session still exists
 514          * then check the dlc still exists
 515          */
 516         list_for_each_entry(s_list, &session_list, list) {
 517                 if (s_list == s) {
 518                         list_for_each_entry(d_list, &s->dlcs, list) {
 519                                 if (d_list == d) {
 520                                         r = __rfcomm_dlc_close(d, err);
 521                                         break;
 522                                 }
 523                         }
 524                         break;
 525                 }
 526         }
 527
 528 no_session:
 529         rfcomm_unlock();
 530         return r;
 531 }
 532
 533 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
 534 {
 535         struct rfcomm_session *s;
 536         struct rfcomm_dlc *dlc = NULL;
 537         u8 dlci;
 538
 539         if (rfcomm_check_channel(channel))
 540                 return ERR_PTR(-EINVAL);
 541
 542         rfcomm_lock();
 543         s = rfcomm_session_get(src, dst);
 544         if (s) {
 545                 dlci = __dlci(__session_dir(s), channel);
 546                 dlc = rfcomm_dlc_get(s, dlci);
 547         }
 548         rfcomm_unlock();
 549         return dlc;
 550 }
 551
 552 static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag)
 553 {
 554         int len = frag->len;
 555
 556         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
 557
 558         if (len > d->mtu)
 559                 return -EINVAL;
 560
 561         rfcomm_make_uih(frag, d->addr);
 562         __skb_queue_tail(&d->tx_queue, frag);
 563
 564         return len;
 565 }
 566
 567 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 568 {
 569         unsigned long flags;
 570         struct sk_buff *frag, *next;
 571         int len;
 572
 573         if (d->state != BT_CONNECTED)
 574                 return -ENOTCONN;
 575
 576         frag = skb_shinfo(skb)->frag_list;
 577         skb_shinfo(skb)->frag_list = NULL;
 578
 579         /* Queue all fragments atomically. */
 580         spin_lock_irqsave(&d->tx_queue.lock, flags);
 581
 582         len = rfcomm_dlc_send_frag(d, skb);
 583         if (len < 0 || !frag)
 584                 goto unlock;
 585
 586         for (; frag; frag = next) {
 587                 int ret;
 588
 589                 next = frag->next;
 590
 591                 ret = rfcomm_dlc_send_frag(d, frag);
 592                 if (ret < 0) {
 593                         kfree_skb(frag);
 594                         goto unlock;
 595                 }
 596
 597                 len += ret;
 598         }
 599
 600 unlock:
 601         spin_unlock_irqrestore(&d->tx_queue.lock, flags);
 602
 603         if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 604                 rfcomm_schedule();
 605         return len;
 606 }
 607
 608 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
 609 {
 610         int len = skb->len;
 611
 612         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
 613
 614         rfcomm_make_uih(skb, d->addr);
 615         skb_queue_tail(&d->tx_queue, skb);
 616
 617         if (d->state == BT_CONNECTED &&
 618             !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 619                 rfcomm_schedule();
 620 }
 621
 622 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
 623 {
 624         BT_DBG("dlc %p state %ld", d, d->state);
 625
 626         if (!d->cfc) {
 627                 d->v24_sig |= RFCOMM_V24_FC;
 628                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 629         }
 630         rfcomm_schedule();
 631 }
 632
 633 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
 634 {
 635         BT_DBG("dlc %p state %ld", d, d->state);
 636
 637         if (!d->cfc) {
 638                 d->v24_sig &= ~RFCOMM_V24_FC;
 639                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 640         }
 641         rfcomm_schedule();
 642 }
 643
 644 /*
 645    Set/get modem status functions use _local_ status i.e. what we report
 646    to the other side.
 647    Remote status is provided by dlc->modem_status() callback.
 648  */
 649 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
 650 {
 651         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 652                         d, d->state, v24_sig);
 653
 654         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
 655                 v24_sig |= RFCOMM_V24_FC;
 656         else
 657                 v24_sig &= ~RFCOMM_V24_FC;
 658
 659         d->v24_sig = v24_sig;
 660
 661         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
 662                 rfcomm_schedule();
 663
 664         return 0;
 665 }
 666
 667 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
 668 {
 669         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 670                         d, d->state, d->v24_sig);
 671
 672         *v24_sig = d->v24_sig;
 673         return 0;
 674 }
 675
 676 /* ---- RFCOMM sessions ---- */
 677 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
 678 {
 679         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
 680
 681         if (!s)
 682                 return NULL;
 683
 684         BT_DBG("session %p sock %p", s, sock);
 685
 686         timer_setup(&s->timer, rfcomm_session_timeout, 0);
 687
 688         INIT_LIST_HEAD(&s->dlcs);
 689         s->state = state;
 690         s->sock  = sock;
 691
 692         s->mtu = RFCOMM_DEFAULT_MTU;
 693         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
 694
 695         /* Do not increment module usage count for listening sessions.
 696          * Otherwise we won't be able to unload the module. */
 697         if (state != BT_LISTEN)
 698                 if (!try_module_get(THIS_MODULE)) {
 699                         kfree(s);
 700                         return NULL;
 701                 }
 702
 703         list_add(&s->list, &session_list);
 704
 705         return s;
 706 }
 707
 708 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
 709 {
 710         int state = s->state;
 711
 712         BT_DBG("session %p state %ld", s, s->state);
 713
 714         list_del(&s->list);
 715
 716         rfcomm_session_clear_timer(s);
 717         sock_release(s->sock);
 718         kfree(s);
 719
 720         if (state != BT_LISTEN)
 721                 module_put(THIS_MODULE);
 722
 723         return NULL;
 724 }
 725
 726 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
 727 {
 728         struct rfcomm_session *s, *n;
 729         struct l2cap_chan *chan;
 730         list_for_each_entry_safe(s, n, &session_list, list) {
 731                 chan = l2cap_pi(s->sock->sk)->chan;
 732
 733                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
 734                     !bacmp(&chan->dst, dst))
 735                         return s;
 736         }
 737         return NULL;
 738 }
 739
 740 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
 741                                                    int err)
 742 {
 743         struct rfcomm_dlc *d, *n;
 744
 745         s->state = BT_CLOSED;
 746
 747         BT_DBG("session %p state %ld err %d", s, s->state, err);
 748
 749         /* Close all dlcs */
 750         list_for_each_entry_safe(d, n, &s->dlcs, list) {
 751                 d->state = BT_CLOSED;
 752                 __rfcomm_dlc_close(d, err);
 753         }
 754
 755         rfcomm_session_clear_timer(s);
 756         return rfcomm_session_del(s);
 757 }
 758
 759 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 760                                                         bdaddr_t *dst,
 761                                                         u8 sec_level,
 762                                                         int *err)
 763 {
 764         struct rfcomm_session *s = NULL;
 765         struct sockaddr_l2 addr;
 766         struct socket *sock;
 767         struct sock *sk;
 768
 769         BT_DBG("%pMR -> %pMR", src, dst);
 770
 771         *err = rfcomm_l2sock_create(&sock);
 772         if (*err < 0)
 773                 return NULL;
 774
 775         bacpy(&addr.l2_bdaddr, src);
 776         addr.l2_family = AF_BLUETOOTH;
 777         addr.l2_psm    = 0;
 778         addr.l2_cid    = 0;
 779         addr.l2_bdaddr_type = BDADDR_BREDR;
 780         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 781         if (*err < 0)
 782                 goto failed;
 783
 784         /* Set L2CAP options */
 785         sk = sock->sk;
 786         lock_sock(sk);
 787         /* Set MTU to 0 so L2CAP can auto select the MTU */
 788         l2cap_pi(sk)->chan->imtu = 0;
 789         l2cap_pi(sk)->chan->sec_level = sec_level;
 790         if (l2cap_ertm)
 791                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
 792         release_sock(sk);
 793
 794         s = rfcomm_session_add(sock, BT_BOUND);
 795         if (!s) {
 796                 *err = -ENOMEM;
 797                 goto failed;
 798         }
 799
 800         s->initiator = 1;
 801
 802         bacpy(&addr.l2_bdaddr, dst);
 803         addr.l2_family = AF_BLUETOOTH;
 804         addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
 805         addr.l2_cid    = 0;
 806         addr.l2_bdaddr_type = BDADDR_BREDR;
 807         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
 808         if (*err == 0 || *err == -EINPROGRESS)
 809                 return s;
 810
 811         return rfcomm_session_del(s);
 812
 813 failed:
 814         sock_release(sock);
 815         return NULL;
 816 }
 817
 818 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
 819 {
 820         struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
 821         if (src)
 822                 bacpy(src, &chan->src);
 823         if (dst)
 824                 bacpy(dst, &chan->dst);
 825 }
 826
 827 /* ---- RFCOMM frame sending ---- */
 828 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
 829 {
 830         struct kvec iv = { data, len };
 831         struct msghdr msg;
 832
 833         BT_DBG("session %p len %d", s, len);
 834
 835         memset(&msg, 0, sizeof(msg));
 836
 837         return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
 838 }
 839
 840 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
 841 {
 842         BT_DBG("%p cmd %u", s, cmd->ctrl);
 843
 844         return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
 845 }
 846
 847 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
 848 {
 849         struct rfcomm_cmd cmd;
 850
 851         BT_DBG("%p dlci %d", s, dlci);
 852
 853         cmd.addr = __addr(s->initiator, dlci);
 854         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
 855         cmd.len  = __len8(0);
 856         cmd.fcs  = __fcs2((u8 *) &cmd);
 857
 858         return rfcomm_send_cmd(s, &cmd);
 859 }
 860
 861 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
 862 {
 863         struct rfcomm_cmd cmd;
 864
 865         BT_DBG("%p dlci %d", s, dlci);
 866
 867         cmd.addr = __addr(!s->initiator, dlci);
 868         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
 869         cmd.len  = __len8(0);
 870         cmd.fcs  = __fcs2((u8 *) &cmd);
 871
 872         return rfcomm_send_cmd(s, &cmd);
 873 }
 874
 875 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
 876 {
 877         struct rfcomm_cmd cmd;
 878
 879         BT_DBG("%p dlci %d", s, dlci);
 880
 881         cmd.addr = __addr(s->initiator, dlci);
 882         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
 883         cmd.len  = __len8(0);
 884         cmd.fcs  = __fcs2((u8 *) &cmd);
 885
 886         return rfcomm_send_cmd(s, &cmd);
 887 }
 888
 889 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
 890 {
 891         struct rfcomm_cmd *cmd;
 892         struct sk_buff *skb;
 893
 894         BT_DBG("dlc %p dlci %d", d, d->dlci);
 895
 896         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
 897         if (!skb)
 898                 return -ENOMEM;
 899
 900         cmd = __skb_put(skb, sizeof(*cmd));
 901         cmd->addr = d->addr;
 902         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
 903         cmd->len  = __len8(0);
 904         cmd->fcs  = __fcs2((u8 *) cmd);
 905
 906         skb_queue_tail(&d->tx_queue, skb);
 907         rfcomm_schedule();
 908         return 0;
 909 }
 910
 911 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
 912 {
 913         struct rfcomm_cmd cmd;
 914
 915         BT_DBG("%p dlci %d", s, dlci);
 916
 917         cmd.addr = __addr(!s->initiator, dlci);
 918         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
 919         cmd.len  = __len8(0);
 920         cmd.fcs  = __fcs2((u8 *) &cmd);
 921
 922         return rfcomm_send_cmd(s, &cmd);
 923 }
 924
 925 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
 926 {
 927         struct rfcomm_hdr *hdr;
 928         struct rfcomm_mcc *mcc;
 929         u8 buf[16], *ptr = buf;
 930
 931         BT_DBG("%p cr %d type %d", s, cr, type);
 932
 933         hdr = (void *) ptr; ptr += sizeof(*hdr);
 934         hdr->addr = __addr(s->initiator, 0);
 935         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 936         hdr->len  = __len8(sizeof(*mcc) + 1);
 937
 938         mcc = (void *) ptr; ptr += sizeof(*mcc);
 939         mcc->type = __mcc_type(0, RFCOMM_NSC);
 940         mcc->len  = __len8(1);
 941
 942         /* Type that we didn't like */
 943         *ptr = __mcc_type(cr, type); ptr++;
 944
 945         *ptr = __fcs(buf); ptr++;
 946
 947         return rfcomm_send_frame(s, buf, ptr - buf);
 948 }
 949
 950 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
 951 {
 952         struct rfcomm_hdr *hdr;
 953         struct rfcomm_mcc *mcc;
 954         struct rfcomm_pn  *pn;
 955         u8 buf[16], *ptr = buf;
 956
 957         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
 958
 959         hdr = (void *) ptr; ptr += sizeof(*hdr);
 960         hdr->addr = __addr(s->initiator, 0);
 961         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 962         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
 963
 964         mcc = (void *) ptr; ptr += sizeof(*mcc);
 965         mcc->type = __mcc_type(cr, RFCOMM_PN);
 966         mcc->len  = __len8(sizeof(*pn));
 967
 968         pn = (void *) ptr; ptr += sizeof(*pn);
 969         pn->dlci        = d->dlci;
 970         pn->priority    = d->priority;
 971         pn->ack_timer   = 0;
 972         pn->max_retrans = 0;
 973
 974         if (s->cfc) {
 975                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
 976                 pn->credits = RFCOMM_DEFAULT_CREDITS;
 977         } else {
 978                 pn->flow_ctrl = 0;
 979                 pn->credits   = 0;
 980         }
 981
 982         if (cr && channel_mtu >= 0)
 983                 pn->mtu = cpu_to_le16(channel_mtu);
 984         else
 985                 pn->mtu = cpu_to_le16(d->mtu);
 986
 987         *ptr = __fcs(buf); ptr++;
 988
 989         return rfcomm_send_frame(s, buf, ptr - buf);
 990 }
 991
 992 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
 993                         u8 bit_rate, u8 data_bits, u8 stop_bits,
 994                         u8 parity, u8 flow_ctrl_settings,
 995                         u8 xon_char, u8 xoff_char, u16 param_mask)
 996 {
 997         struct rfcomm_hdr *hdr;
 998         struct rfcomm_mcc *mcc;
 999         struct rfcomm_rpn *rpn;
1000         u8 buf[16], *ptr = buf;
1001
1002         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
1003                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
1004                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
1005                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
1006
1007         hdr = (void *) ptr; ptr += sizeof(*hdr);
1008         hdr->addr = __addr(s->initiator, 0);
1009         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1010         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
1011
1012         mcc = (void *) ptr; ptr += sizeof(*mcc);
1013         mcc->type = __mcc_type(cr, RFCOMM_RPN);
1014         mcc->len  = __len8(sizeof(*rpn));
1015
1016         rpn = (void *) ptr; ptr += sizeof(*rpn);
1017         rpn->dlci          = __addr(1, dlci);
1018         rpn->bit_rate      = bit_rate;
1019         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
1020         rpn->flow_ctrl     = flow_ctrl_settings;
1021         rpn->xon_char      = xon_char;
1022         rpn->xoff_char     = xoff_char;
1023         rpn->param_mask    = cpu_to_le16(param_mask);
1024
1025         *ptr = __fcs(buf); ptr++;
1026
1027         return rfcomm_send_frame(s, buf, ptr - buf);
1028 }
1029
1030 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
1031 {
1032         struct rfcomm_hdr *hdr;
1033         struct rfcomm_mcc *mcc;
1034         struct rfcomm_rls *rls;
1035         u8 buf[16], *ptr = buf;
1036
1037         BT_DBG("%p cr %d status 0x%x", s, cr, status);
1038
1039         hdr = (void *) ptr; ptr += sizeof(*hdr);
1040         hdr->addr = __addr(s->initiator, 0);
1041         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1042         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
1043
1044         mcc = (void *) ptr; ptr += sizeof(*mcc);
1045         mcc->type = __mcc_type(cr, RFCOMM_RLS);
1046         mcc->len  = __len8(sizeof(*rls));
1047
1048         rls = (void *) ptr; ptr += sizeof(*rls);
1049         rls->dlci   = __addr(1, dlci);
1050         rls->status = status;
1051
1052         *ptr = __fcs(buf); ptr++;
1053
1054         return rfcomm_send_frame(s, buf, ptr - buf);
1055 }
1056
1057 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1058 {
1059         struct rfcomm_hdr *hdr;
1060         struct rfcomm_mcc *mcc;
1061         struct rfcomm_msc *msc;
1062         u8 buf[16], *ptr = buf;
1063
1064         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1065
1066         hdr = (void *) ptr; ptr += sizeof(*hdr);
1067         hdr->addr = __addr(s->initiator, 0);
1068         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1069         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1070
1071         mcc = (void *) ptr; ptr += sizeof(*mcc);
1072         mcc->type = __mcc_type(cr, RFCOMM_MSC);
1073         mcc->len  = __len8(sizeof(*msc));
1074
1075         msc = (void *) ptr; ptr += sizeof(*msc);
1076         msc->dlci    = __addr(1, dlci);
1077         msc->v24_sig = v24_sig | 0x01;
1078
1079         *ptr = __fcs(buf); ptr++;
1080
1081         return rfcomm_send_frame(s, buf, ptr - buf);
1082 }
1083
1084 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1085 {
1086         struct rfcomm_hdr *hdr;
1087         struct rfcomm_mcc *mcc;
1088         u8 buf[16], *ptr = buf;
1089
1090         BT_DBG("%p cr %d", s, cr);
1091
1092         hdr = (void *) ptr; ptr += sizeof(*hdr);
1093         hdr->addr = __addr(s->initiator, 0);
1094         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1095         hdr->len  = __len8(sizeof(*mcc));
1096
1097         mcc = (void *) ptr; ptr += sizeof(*mcc);
1098         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1099         mcc->len  = __len8(0);
1100
1101         *ptr = __fcs(buf); ptr++;
1102
1103         return rfcomm_send_frame(s, buf, ptr - buf);
1104 }
1105
1106 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1107 {
1108         struct rfcomm_hdr *hdr;
1109         struct rfcomm_mcc *mcc;
1110         u8 buf[16], *ptr = buf;
1111
1112         BT_DBG("%p cr %d", s, cr);
1113
1114         hdr = (void *) ptr; ptr += sizeof(*hdr);
1115         hdr->addr = __addr(s->initiator, 0);
1116         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1117         hdr->len  = __len8(sizeof(*mcc));
1118
1119         mcc = (void *) ptr; ptr += sizeof(*mcc);
1120         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1121         mcc->len  = __len8(0);
1122
1123         *ptr = __fcs(buf); ptr++;
1124
1125         return rfcomm_send_frame(s, buf, ptr - buf);
1126 }
1127
1128 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1129 {
1130         struct socket *sock = s->sock;
1131         struct kvec iv[3];
1132         struct msghdr msg;
1133         unsigned char hdr[5], crc[1];
1134
1135         if (len > 125)
1136                 return -EINVAL;
1137
1138         BT_DBG("%p cr %d", s, cr);
1139
1140         hdr[0] = __addr(s->initiator, 0);
1141         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1142         hdr[2] = 0x01 | ((len + 2) << 1);
1143         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1144         hdr[4] = 0x01 | (len << 1);
1145
1146         crc[0] = __fcs(hdr);
1147
1148         iv[0].iov_base = hdr;
1149         iv[0].iov_len  = 5;
1150         iv[1].iov_base = pattern;
1151         iv[1].iov_len  = len;
1152         iv[2].iov_base = crc;
1153         iv[2].iov_len  = 1;
1154
1155         memset(&msg, 0, sizeof(msg));
1156
1157         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1158 }
1159
1160 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1161 {
1162         struct rfcomm_hdr *hdr;
1163         u8 buf[16], *ptr = buf;
1164
1165         BT_DBG("%p addr %d credits %d", s, addr, credits);
1166
1167         hdr = (void *) ptr; ptr += sizeof(*hdr);
1168         hdr->addr = addr;
1169         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1170         hdr->len  = __len8(0);
1171
1172         *ptr = credits; ptr++;
1173
1174         *ptr = __fcs(buf); ptr++;
1175
1176         return rfcomm_send_frame(s, buf, ptr - buf);
1177 }
1178
1179 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1180 {
1181         struct rfcomm_hdr *hdr;
1182         int len = skb->len;
1183         u8 *crc;
1184
1185         if (len > 127) {
1186                 hdr = skb_push(skb, 4);
1187                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1188         } else {
1189                 hdr = skb_push(skb, 3);
1190                 hdr->len = __len8(len);
1191         }
1192         hdr->addr = addr;
1193         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1194
1195         crc = skb_put(skb, 1);
1196         *crc = __fcs((void *) hdr);
1197 }
1198
1199 /* ---- RFCOMM frame reception ---- */
1200 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1201 {
1202         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1203
1204         if (dlci) {
1205                 /* Data channel */
1206                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1207                 if (!d) {
1208                         rfcomm_send_dm(s, dlci);
1209                         return s;
1210                 }
1211
1212                 switch (d->state) {
1213                 case BT_CONNECT:
1214                         rfcomm_dlc_clear_timer(d);
1215
1216                         rfcomm_dlc_lock(d);
1217                         d->state = BT_CONNECTED;
1218                         d->state_change(d, 0);
1219                         rfcomm_dlc_unlock(d);
1220
1221                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1222                         break;
1223
1224                 case BT_DISCONN:
1225                         d->state = BT_CLOSED;
1226                         __rfcomm_dlc_close(d, 0);
1227
1228                         if (list_empty(&s->dlcs)) {
1229                                 s->state = BT_DISCONN;
1230                                 rfcomm_send_disc(s, 0);
1231                                 rfcomm_session_clear_timer(s);
1232                         }
1233
1234                         break;
1235                 }
1236         } else {
1237                 /* Control channel */
1238                 switch (s->state) {
1239                 case BT_CONNECT:
1240                         s->state = BT_CONNECTED;
1241                         rfcomm_process_connect(s);
1242                         break;
1243
1244                 case BT_DISCONN:
1245                         s = rfcomm_session_close(s, ECONNRESET);
1246                         break;
1247                 }
1248         }
1249         return s;
1250 }
1251
1252 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1253 {
1254         int err = 0;
1255
1256         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1257
1258         if (dlci) {
1259                 /* Data DLC */
1260                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1261                 if (d) {
1262                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1263                                 err = ECONNREFUSED;
1264                         else
1265                                 err = ECONNRESET;
1266
1267                         d->state = BT_CLOSED;
1268                         __rfcomm_dlc_close(d, err);
1269                 }
1270         } else {
1271                 if (s->state == BT_CONNECT)
1272                         err = ECONNREFUSED;
1273                 else
1274                         err = ECONNRESET;
1275
1276                 s = rfcomm_session_close(s, err);
1277         }
1278         return s;
1279 }
1280
1281 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1282                                                u8 dlci)
1283 {
1284         int err = 0;
1285
1286         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1287
1288         if (dlci) {
1289                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1290                 if (d) {
1291                         rfcomm_send_ua(s, dlci);
1292
1293                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1294                                 err = ECONNREFUSED;
1295                         else
1296                                 err = ECONNRESET;
1297
1298                         d->state = BT_CLOSED;
1299                         __rfcomm_dlc_close(d, err);
1300                 } else
1301                         rfcomm_send_dm(s, dlci);
1302
1303         } else {
1304                 rfcomm_send_ua(s, 0);
1305
1306                 if (s->state == BT_CONNECT)
1307                         err = ECONNREFUSED;
1308                 else
1309                         err = ECONNRESET;
1310
1311                 s = rfcomm_session_close(s, err);
1312         }
1313         return s;
1314 }
1315
1316 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1317 {
1318         struct sock *sk = d->session->sock->sk;
1319         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1320
1321         BT_DBG("dlc %p", d);
1322
1323         rfcomm_send_ua(d->session, d->dlci);
1324
1325         rfcomm_dlc_clear_timer(d);
1326
1327         rfcomm_dlc_lock(d);
1328         d->state = BT_CONNECTED;
1329         d->state_change(d, 0);
1330         rfcomm_dlc_unlock(d);
1331
1332         if (d->role_switch)
1333                 hci_conn_switch_role(conn->hcon, 0x00);
1334
1335         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1336 }
1337
1338 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1339 {
1340         if (rfcomm_check_security(d)) {
1341                 if (d->defer_setup) {
1342                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1343                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1344
1345                         rfcomm_dlc_lock(d);
1346                         d->state = BT_CONNECT2;
1347                         d->state_change(d, 0);
1348                         rfcomm_dlc_unlock(d);
1349                 } else
1350                         rfcomm_dlc_accept(d);
1351         } else {
1352                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1353                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1354         }
1355 }
1356
1357 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1358 {
1359         struct rfcomm_dlc *d;
1360         u8 channel;
1361
1362         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1363
1364         if (!dlci) {
1365                 rfcomm_send_ua(s, 0);
1366
1367                 if (s->state == BT_OPEN) {
1368                         s->state = BT_CONNECTED;
1369                         rfcomm_process_connect(s);
1370                 }
1371                 return 0;
1372         }
1373
1374         /* Check if DLC exists */
1375         d = rfcomm_dlc_get(s, dlci);
1376         if (d) {
1377                 if (d->state == BT_OPEN) {
1378                         /* DLC was previously opened by PN request */
1379                         rfcomm_check_accept(d);
1380                 }
1381                 return 0;
1382         }
1383
1384         /* Notify socket layer about incoming connection */
1385         channel = __srv_channel(dlci);
1386         if (rfcomm_connect_ind(s, channel, &d)) {
1387                 d->dlci = dlci;
1388                 d->addr = __addr(s->initiator, dlci);
1389                 rfcomm_dlc_link(s, d);
1390
1391                 rfcomm_check_accept(d);
1392         } else {
1393                 rfcomm_send_dm(s, dlci);
1394         }
1395
1396         return 0;
1397 }
1398
1399 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1400 {
1401         struct rfcomm_session *s = d->session;
1402
1403         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1404                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1405
1406         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1407                                                 pn->flow_ctrl == 0xe0) {
1408                 d->cfc = RFCOMM_CFC_ENABLED;
1409                 d->tx_credits = pn->credits;
1410         } else {
1411                 d->cfc = RFCOMM_CFC_DISABLED;
1412                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1413         }
1414
1415         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1416                 s->cfc = d->cfc;
1417
1418         d->priority = pn->priority;
1419
1420         d->mtu = __le16_to_cpu(pn->mtu);
1421
1422         if (cr && d->mtu > s->mtu)
1423                 d->mtu = s->mtu;
1424
1425         return 0;
1426 }
1427
1428 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1429 {
1430         struct rfcomm_pn *pn = (void *) skb->data;
1431         struct rfcomm_dlc *d;
1432         u8 dlci = pn->dlci;
1433
1434         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1435
1436         if (!dlci)
1437                 return 0;
1438
1439         d = rfcomm_dlc_get(s, dlci);
1440         if (d) {
1441                 if (cr) {
1442                         /* PN request */
1443                         rfcomm_apply_pn(d, cr, pn);
1444                         rfcomm_send_pn(s, 0, d);
1445                 } else {
1446                         /* PN response */
1447                         switch (d->state) {
1448                         case BT_CONFIG:
1449                                 rfcomm_apply_pn(d, cr, pn);
1450
1451                                 d->state = BT_CONNECT;
1452                                 rfcomm_send_sabm(s, d->dlci);
1453                                 break;
1454                         }
1455                 }
1456         } else {
1457                 u8 channel = __srv_channel(dlci);
1458
1459                 if (!cr)
1460                         return 0;
1461
1462                 /* PN request for non existing DLC.
1463                  * Assume incoming connection. */
1464                 if (rfcomm_connect_ind(s, channel, &d)) {
1465                         d->dlci = dlci;
1466                         d->addr = __addr(s->initiator, dlci);
1467                         rfcomm_dlc_link(s, d);
1468
1469                         rfcomm_apply_pn(d, cr, pn);
1470
1471                         d->state = BT_OPEN;
1472                         rfcomm_send_pn(s, 0, d);
1473                 } else {
1474                         rfcomm_send_dm(s, dlci);
1475                 }
1476         }
1477         return 0;
1478 }
1479
1480 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1481 {
1482         struct rfcomm_rpn *rpn = (void *) skb->data;
1483         u8 dlci = __get_dlci(rpn->dlci);
1484
1485         u8 bit_rate  = 0;
1486         u8 data_bits = 0;
1487         u8 stop_bits = 0;
1488         u8 parity    = 0;
1489         u8 flow_ctrl = 0;
1490         u8 xon_char  = 0;
1491         u8 xoff_char = 0;
1492         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1493
1494         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1495                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1496                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1497
1498         if (!cr)
1499                 return 0;
1500
1501         if (len == 1) {
1502                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1503                 bit_rate  = RFCOMM_RPN_BR_9600;
1504                 data_bits = RFCOMM_RPN_DATA_8;
1505                 stop_bits = RFCOMM_RPN_STOP_1;
1506                 parity    = RFCOMM_RPN_PARITY_NONE;
1507                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1508                 xon_char  = RFCOMM_RPN_XON_CHAR;
1509                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1510                 goto rpn_out;
1511         }
1512
1513         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1514          * no parity, no flow control lines, normal XON/XOFF chars */
1515
1516         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1517                 bit_rate = rpn->bit_rate;
1518                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1519                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1520                         bit_rate = RFCOMM_RPN_BR_9600;
1521                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1522                 }
1523         }
1524
1525         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1526                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1527                 if (data_bits != RFCOMM_RPN_DATA_8) {
1528                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1529                         data_bits = RFCOMM_RPN_DATA_8;
1530                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1531                 }
1532         }
1533
1534         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1535                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1536                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1537                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1538                         stop_bits = RFCOMM_RPN_STOP_1;
1539                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1540                 }
1541         }
1542
1543         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1544                 parity = __get_rpn_parity(rpn->line_settings);
1545                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1546                         BT_DBG("RPN parity mismatch 0x%x", parity);
1547                         parity = RFCOMM_RPN_PARITY_NONE;
1548                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1549                 }
1550         }
1551
1552         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1553                 flow_ctrl = rpn->flow_ctrl;
1554                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1555                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1556                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1557                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1558                 }
1559         }
1560
1561         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1562                 xon_char = rpn->xon_char;
1563                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1564                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1565                         xon_char = RFCOMM_RPN_XON_CHAR;
1566                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1567                 }
1568         }
1569
1570         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1571                 xoff_char = rpn->xoff_char;
1572                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1573                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1574                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1575                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1576                 }
1577         }
1578
1579 rpn_out:
1580         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1581                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1582
1583         return 0;
1584 }
1585
1586 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1587 {
1588         struct rfcomm_rls *rls = (void *) skb->data;
1589         u8 dlci = __get_dlci(rls->dlci);
1590
1591         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1592
1593         if (!cr)
1594                 return 0;
1595
1596         /* We should probably do something with this information here. But
1597          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1598          * mandatory to recognise and respond to RLS */
1599
1600         rfcomm_send_rls(s, 0, dlci, rls->status);
1601
1602         return 0;
1603 }
1604
1605 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1606 {
1607         struct rfcomm_msc *msc = (void *) skb->data;
1608         struct rfcomm_dlc *d;
1609         u8 dlci = __get_dlci(msc->dlci);
1610
1611         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1612
1613         d = rfcomm_dlc_get(s, dlci);
1614         if (!d)
1615                 return 0;
1616
1617         if (cr) {
1618                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1619                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1620                 else
1621                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1622
1623                 rfcomm_dlc_lock(d);
1624
1625                 d->remote_v24_sig = msc->v24_sig;
1626
1627                 if (d->modem_status)
1628                         d->modem_status(d, msc->v24_sig);
1629
1630                 rfcomm_dlc_unlock(d);
1631
1632                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1633
1634                 d->mscex |= RFCOMM_MSCEX_RX;
1635         } else
1636                 d->mscex |= RFCOMM_MSCEX_TX;
1637
1638         return 0;
1639 }
1640
1641 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1642 {
1643         struct rfcomm_mcc *mcc = (void *) skb->data;
1644         u8 type, cr, len;
1645
1646         cr   = __test_cr(mcc->type);
1647         type = __get_mcc_type(mcc->type);
1648         len  = __get_mcc_len(mcc->len);
1649
1650         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1651
1652         skb_pull(skb, 2);
1653
1654         switch (type) {
1655         case RFCOMM_PN:
1656                 rfcomm_recv_pn(s, cr, skb);
1657                 break;
1658
1659         case RFCOMM_RPN:
1660                 rfcomm_recv_rpn(s, cr, len, skb);
1661                 break;
1662
1663         case RFCOMM_RLS:
1664                 rfcomm_recv_rls(s, cr, skb);
1665                 break;
1666
1667         case RFCOMM_MSC:
1668                 rfcomm_recv_msc(s, cr, skb);
1669                 break;
1670
1671         case RFCOMM_FCOFF:
1672                 if (cr) {
1673                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1674                         rfcomm_send_fcoff(s, 0);
1675                 }
1676                 break;
1677
1678         case RFCOMM_FCON:
1679                 if (cr) {
1680                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1681                         rfcomm_send_fcon(s, 0);
1682                 }
1683                 break;
1684
1685         case RFCOMM_TEST:
1686                 if (cr)
1687                         rfcomm_send_test(s, 0, skb->data, skb->len);
1688                 break;
1689
1690         case RFCOMM_NSC:
1691                 break;
1692
1693         default:
1694                 BT_ERR("Unknown control type 0x%02x", type);
1695                 rfcomm_send_nsc(s, cr, type);
1696                 break;
1697         }
1698         return 0;
1699 }
1700
1701 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1702 {
1703         struct rfcomm_dlc *d;
1704
1705         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1706
1707         d = rfcomm_dlc_get(s, dlci);
1708         if (!d) {
1709                 rfcomm_send_dm(s, dlci);
1710                 goto drop;
1711         }
1712
1713         if (pf && d->cfc) {
1714                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1715
1716                 d->tx_credits += credits;
1717                 if (d->tx_credits)
1718                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1719         }
1720
1721         if (skb->len && d->state == BT_CONNECTED) {
1722                 rfcomm_dlc_lock(d);
1723                 d->rx_credits--;
1724                 d->data_ready(d, skb);
1725                 rfcomm_dlc_unlock(d);
1726                 return 0;
1727         }
1728
1729 drop:
1730         kfree_skb(skb);
1731         return 0;
1732 }
1733
1734 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1735                                                 struct sk_buff *skb)
1736 {
1737         struct rfcomm_hdr *hdr = (void *) skb->data;
1738         u8 type, dlci, fcs;
1739
1740         if (!s) {
1741                 /* no session, so free socket data */
1742                 kfree_skb(skb);
1743                 return s;
1744         }
1745
1746         dlci = __get_dlci(hdr->addr);
1747         type = __get_type(hdr->ctrl);
1748
1749         /* Trim FCS */
1750         skb->len--; skb->tail--;
1751         fcs = *(u8 *)skb_tail_pointer(skb);
1752
1753         if (__check_fcs(skb->data, type, fcs)) {
1754                 BT_ERR("bad checksum in packet");
1755                 kfree_skb(skb);
1756                 return s;
1757         }
1758
1759         if (__test_ea(hdr->len))
1760                 skb_pull(skb, 3);
1761         else
1762                 skb_pull(skb, 4);
1763
1764         switch (type) {
1765         case RFCOMM_SABM:
1766                 if (__test_pf(hdr->ctrl))
1767                         rfcomm_recv_sabm(s, dlci);
1768                 break;
1769
1770         case RFCOMM_DISC:
1771                 if (__test_pf(hdr->ctrl))
1772                         s = rfcomm_recv_disc(s, dlci);
1773                 break;
1774
1775         case RFCOMM_UA:
1776                 if (__test_pf(hdr->ctrl))
1777                         s = rfcomm_recv_ua(s, dlci);
1778                 break;
1779
1780         case RFCOMM_DM:
1781                 s = rfcomm_recv_dm(s, dlci);
1782                 break;
1783
1784         case RFCOMM_UIH:
1785                 if (dlci) {
1786                         rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1787                         return s;
1788                 }
1789                 rfcomm_recv_mcc(s, skb);
1790                 break;
1791
1792         default:
1793                 BT_ERR("Unknown packet type 0x%02x", type);
1794                 break;
1795         }
1796         kfree_skb(skb);
1797         return s;
1798 }
1799
1800 /* ---- Connection and data processing ---- */
1801
1802 static void rfcomm_process_connect(struct rfcomm_session *s)
1803 {
1804         struct rfcomm_dlc *d, *n;
1805
1806         BT_DBG("session %p state %ld", s, s->state);
1807
1808         list_for_each_entry_safe(d, n, &s->dlcs, list) {
1809                 if (d->state == BT_CONFIG) {
1810                         d->mtu = s->mtu;
1811                         if (rfcomm_check_security(d)) {
1812                                 rfcomm_send_pn(s, 1, d);
1813                         } else {
1814                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1815                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1816                         }
1817                 }
1818         }
1819 }
1820
1821 /* Send data queued for the DLC.
1822  * Return number of frames left in the queue.
1823  */
1824 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1825 {
1826         struct sk_buff *skb;
1827         int err;
1828
1829         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1830                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1831
1832         /* Send pending MSC */
1833         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1834                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1835
1836         if (d->cfc) {
1837                 /* CFC enabled.
1838                  * Give them some credits */
1839                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1840                                 d->rx_credits <= (d->cfc >> 2)) {
1841                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1842                         d->rx_credits = d->cfc;
1843                 }
1844         } else {
1845                 /* CFC disabled.
1846                  * Give ourselves some credits */
1847                 d->tx_credits = 5;
1848         }
1849
1850         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1851                 return skb_queue_len(&d->tx_queue);
1852
1853         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1854                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1855                 if (err < 0) {
1856                         skb_queue_head(&d->tx_queue, skb);
1857                         break;
1858                 }
1859                 kfree_skb(skb);
1860                 d->tx_credits--;
1861         }
1862
1863         if (d->cfc && !d->tx_credits) {
1864                 /* We're out of TX credits.
1865                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1866                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1867         }
1868
1869         return skb_queue_len(&d->tx_queue);
1870 }
1871
1872 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1873 {
1874         struct rfcomm_dlc *d, *n;
1875
1876         BT_DBG("session %p state %ld", s, s->state);
1877
1878         list_for_each_entry_safe(d, n, &s->dlcs, list) {
1879                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1880                         __rfcomm_dlc_close(d, ETIMEDOUT);
1881                         continue;
1882                 }
1883
1884                 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1885                         __rfcomm_dlc_close(d, ECONNREFUSED);
1886                         continue;
1887                 }
1888
1889                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1890                         rfcomm_dlc_clear_timer(d);
1891                         if (d->out) {
1892                                 rfcomm_send_pn(s, 1, d);
1893                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1894                         } else {
1895                                 if (d->defer_setup) {
1896                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1897                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1898
1899                                         rfcomm_dlc_lock(d);
1900                                         d->state = BT_CONNECT2;
1901                                         d->state_change(d, 0);
1902                                         rfcomm_dlc_unlock(d);
1903                                 } else
1904                                         rfcomm_dlc_accept(d);
1905                         }
1906                         continue;
1907                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1908                         rfcomm_dlc_clear_timer(d);
1909                         if (!d->out)
1910                                 rfcomm_send_dm(s, d->dlci);
1911                         else
1912                                 d->state = BT_CLOSED;
1913                         __rfcomm_dlc_close(d, ECONNREFUSED);
1914                         continue;
1915                 }
1916
1917                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1918                         continue;
1919
1920                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1921                         continue;
1922
1923                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1924                                                 d->mscex == RFCOMM_MSCEX_OK)
1925                         rfcomm_process_tx(d);
1926         }
1927 }
1928
1929 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1930 {
1931         struct socket *sock = s->sock;
1932         struct sock *sk = sock->sk;
1933         struct sk_buff *skb;
1934
1935         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1936
1937         /* Get data directly from socket receive queue without copying it. */
1938         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1939                 skb_orphan(skb);
1940                 if (!skb_linearize(skb)) {
1941                         s = rfcomm_recv_frame(s, skb);
1942                         if (!s)
1943                                 break;
1944                 } else {
1945                         kfree_skb(skb);
1946                 }
1947         }
1948
1949         if (s && (sk->sk_state == BT_CLOSED))
1950                 s = rfcomm_session_close(s, sk->sk_err);
1951
1952         return s;
1953 }
1954
1955 static void rfcomm_accept_connection(struct rfcomm_session *s)
1956 {
1957         struct socket *sock = s->sock, *nsock;
1958         int err;
1959
1960         /* Fast check for a new connection.
1961          * Avoids unnesesary socket allocations. */
1962         if (list_empty(&bt_sk(sock->sk)->accept_q))
1963                 return;
1964
1965         BT_DBG("session %p", s);
1966
1967         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1968         if (err < 0)
1969                 return;
1970
1971         /* Set our callbacks */
1972         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1973         nsock->sk->sk_state_change = rfcomm_l2state_change;
1974
1975         s = rfcomm_session_add(nsock, BT_OPEN);
1976         if (s) {
1977                 /* We should adjust MTU on incoming sessions.
1978                  * L2CAP MTU minus UIH header and FCS. */
1979                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1980                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1981
1982                 rfcomm_schedule();
1983         } else
1984                 sock_release(nsock);
1985 }
1986
1987 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1988 {
1989         struct sock *sk = s->sock->sk;
1990
1991         BT_DBG("%p state %ld", s, s->state);
1992
1993         switch (sk->sk_state) {
1994         case BT_CONNECTED:
1995                 s->state = BT_CONNECT;
1996
1997                 /* We can adjust MTU on outgoing sessions.
1998                  * L2CAP MTU minus UIH header and FCS. */
1999                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
2000
2001                 rfcomm_send_sabm(s, 0);
2002                 break;
2003
2004         case BT_CLOSED:
2005                 s = rfcomm_session_close(s, sk->sk_err);
2006                 break;
2007         }
2008         return s;
2009 }
2010
2011 static void rfcomm_process_sessions(void)
2012 {
2013         struct rfcomm_session *s, *n;
2014
2015         rfcomm_lock();
2016
2017         list_for_each_entry_safe(s, n, &session_list, list) {
2018                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
2019                         s->state = BT_DISCONN;
2020                         rfcomm_send_disc(s, 0);
2021                         continue;
2022                 }
2023
2024                 switch (s->state) {
2025                 case BT_LISTEN:
2026                         rfcomm_accept_connection(s);
2027                         continue;
2028
2029                 case BT_BOUND:
2030                         s = rfcomm_check_connection(s);
2031                         break;
2032
2033                 default:
2034                         s = rfcomm_process_rx(s);
2035                         break;
2036                 }
2037
2038                 if (s)
2039                         rfcomm_process_dlcs(s);
2040         }
2041
2042         rfcomm_unlock();
2043 }
2044
2045 static int rfcomm_add_listener(bdaddr_t *ba)
2046 {
2047         struct sockaddr_l2 addr;
2048         struct socket *sock;
2049         struct sock *sk;
2050         struct rfcomm_session *s;
2051         int    err = 0;
2052
2053         /* Create socket */
2054         err = rfcomm_l2sock_create(&sock);
2055         if (err < 0) {
2056                 BT_ERR("Create socket failed %d", err);
2057                 return err;
2058         }
2059
2060         /* Bind socket */
2061         bacpy(&addr.l2_bdaddr, ba);
2062         addr.l2_family = AF_BLUETOOTH;
2063         addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
2064         addr.l2_cid    = 0;
2065         addr.l2_bdaddr_type = BDADDR_BREDR;
2066         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2067         if (err < 0) {
2068                 BT_ERR("Bind failed %d", err);
2069                 goto failed;
2070         }
2071
2072         /* Set L2CAP options */
2073         sk = sock->sk;
2074         lock_sock(sk);
2075         /* Set MTU to 0 so L2CAP can auto select the MTU */
2076         l2cap_pi(sk)->chan->imtu = 0;
2077         release_sock(sk);
2078
2079         /* Start listening on the socket */
2080         err = kernel_listen(sock, 10);
2081         if (err) {
2082                 BT_ERR("Listen failed %d", err);
2083                 goto failed;
2084         }
2085
2086         /* Add listening session */
2087         s = rfcomm_session_add(sock, BT_LISTEN);
2088         if (!s) {
2089                 err = -ENOMEM;
2090                 goto failed;
2091         }
2092
2093         return 0;
2094 failed:
2095         sock_release(sock);
2096         return err;
2097 }
2098
2099 static void rfcomm_kill_listener(void)
2100 {
2101         struct rfcomm_session *s, *n;
2102
2103         BT_DBG("");
2104
2105         list_for_each_entry_safe(s, n, &session_list, list)
2106                 rfcomm_session_del(s);
2107 }
2108
2109 static int rfcomm_run(void *unused)
2110 {
2111         DEFINE_WAIT_FUNC(wait, woken_wake_function);
2112         BT_DBG("");
2113
2114         set_user_nice(current, -10);
2115
2116         rfcomm_add_listener(BDADDR_ANY);
2117
2118         add_wait_queue(&rfcomm_wq, &wait);
2119         while (!kthread_should_stop()) {
2120
2121                 /* Process stuff */
2122                 rfcomm_process_sessions();
2123
2124                 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2125         }
2126         remove_wait_queue(&rfcomm_wq, &wait);
2127
2128         rfcomm_kill_listener();
2129
2130         return 0;
2131 }
2132
2133 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2134 {
2135         struct rfcomm_session *s;
2136         struct rfcomm_dlc *d, *n;
2137
2138         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2139
2140         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2141         if (!s)
2142                 return;
2143
2144         list_for_each_entry_safe(d, n, &s->dlcs, list) {
2145                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2146                         rfcomm_dlc_clear_timer(d);
2147                         if (status || encrypt == 0x00) {
2148                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2149                                 continue;
2150                         }
2151                 }
2152
2153                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2154                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2155                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2156                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2157                                 continue;
2158                         } else if (d->sec_level == BT_SECURITY_HIGH ||
2159                                    d->sec_level == BT_SECURITY_FIPS) {
2160                                 set_bit(RFCOMM_ENC_DROP, &d->flags);
2161                                 continue;
2162                         }
2163                 }
2164
2165                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2166                         continue;
2167
2168                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2169                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2170                 else
2171                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2172         }
2173
2174         rfcomm_schedule();
2175 }
2176
2177 static struct hci_cb rfcomm_cb = {
2178         .name           = "RFCOMM",
2179         .security_cfm   = rfcomm_security_cfm
2180 };
2181
2182 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2183 {
2184         struct rfcomm_session *s;
2185
2186         rfcomm_lock();
2187
2188         list_for_each_entry(s, &session_list, list) {
2189                 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2190                 struct rfcomm_dlc *d;
2191                 list_for_each_entry(d, &s->dlcs, list) {
2192                         seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2193                                    &chan->src, &chan->dst,
2194                                    d->state, d->dlci, d->mtu,
2195                                    d->rx_credits, d->tx_credits);
2196                 }
2197         }
2198
2199         rfcomm_unlock();
2200
2201         return 0;
2202 }
2203
2204 DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);
2205
2206 static struct dentry *rfcomm_dlc_debugfs;
2207
2208 /* ---- Initialization ---- */
2209 static int __init rfcomm_init(void)
2210 {
2211         int err;
2212
2213         hci_register_cb(&rfcomm_cb);
2214
2215         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2216         if (IS_ERR(rfcomm_thread)) {
2217                 err = PTR_ERR(rfcomm_thread);
2218                 goto unregister;
2219         }
2220
2221         err = rfcomm_init_ttys();
2222         if (err < 0)
2223                 goto stop;
2224
2225         err = rfcomm_init_sockets();
2226         if (err < 0)
2227                 goto cleanup;
2228
2229         BT_INFO("RFCOMM ver %s", VERSION);
2230
2231         if (IS_ERR_OR_NULL(bt_debugfs))
2232                 return 0;
2233
2234         rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2235                                                  bt_debugfs, NULL,
2236                                                  &rfcomm_dlc_debugfs_fops);
2237
2238         return 0;
2239
2240 cleanup:
2241         rfcomm_cleanup_ttys();
2242
2243 stop:
2244         kthread_stop(rfcomm_thread);
2245
2246 unregister:
2247         hci_unregister_cb(&rfcomm_cb);
2248
2249         return err;
2250 }
2251
2252 static void __exit rfcomm_exit(void)
2253 {
2254         debugfs_remove(rfcomm_dlc_debugfs);
2255
2256         hci_unregister_cb(&rfcomm_cb);
2257
2258         kthread_stop(rfcomm_thread);
2259
2260         rfcomm_cleanup_ttys();
2261
2262         rfcomm_cleanup_sockets();
2263 }
2264
2265 module_init(rfcomm_init);
2266 module_exit(rfcomm_exit);
2267
2268 module_param(disable_cfc, bool, 0644);
2269 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2270
2271 module_param(channel_mtu, int, 0644);
2272 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2273
2274 module_param(l2cap_ertm, bool, 0644);
2275 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2276
2277 MODULE_AUTHOR("Marcel Holtmann <[email protected]>");
2278 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2279 MODULE_VERSION(VERSION);
2280 MODULE_LICENSE("GPL");
2281 MODULE_ALIAS("bt-proto-3");