xref: /openbmc/linux/net/bluetooth/rfcomm/core.c (revision 176f011b)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * Bluetooth RFCOMM core.
26  */
27 
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define VERSION "1.11"
39 
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44 
45 static struct task_struct *rfcomm_thread;
46 
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)
50 
51 
52 static LIST_HEAD(session_list);
53 
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64 
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66 
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 							bdaddr_t *dst,
69 							u8 sec_level,
70 							int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73 
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
76 #define __get_channel(b)  ((b & 0xf8) >> 3)
77 #define __get_dir(b)      ((b & 0x04) >> 2)
78 #define __get_type(b)     ((b & 0xef))
79 
80 #define __test_ea(b)      ((b & 0x01))
81 #define __test_cr(b)      (!!(b & 0x02))
82 #define __test_pf(b)      (!!(b & 0x10))
83 
84 #define __session_dir(s)  ((s)->initiator ? 0x00 : 0x01)
85 
86 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
87 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
88 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
89 #define __srv_channel(dlci)    (dlci >> 1)
90 #define __dir(dlci)            (dlci & 0x01)
91 
92 #define __len8(len)       (((len) << 1) | 1)
93 #define __len16(len)      ((len) << 1)
94 
95 /* MCC macros */
96 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
97 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
98 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
99 
100 /* RPN macros */
101 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
102 #define __get_rpn_data_bits(line) ((line) & 0x3)
103 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
104 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
105 
106 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
107 
108 static void rfcomm_schedule(void)
109 {
110 	wake_up_all(&rfcomm_wq);
111 }
112 
113 /* ---- RFCOMM FCS computation ---- */
114 
115 /* reversed, 8-bit, poly=0x07 */
116 static unsigned char rfcomm_crc_table[256] = {
117 	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
118 	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
119 	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
120 	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
121 
122 	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
123 	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
124 	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
125 	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
126 
127 	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
128 	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
129 	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
130 	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
131 
132 	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
133 	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
134 	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
135 	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
136 
137 	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
138 	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
139 	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
140 	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
141 
142 	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
143 	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
144 	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
145 	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
146 
147 	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
148 	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
149 	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
150 	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
151 
152 	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
153 	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
154 	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
155 	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
156 };
157 
158 /* CRC on 2 bytes */
159 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
160 
161 /* FCS on 2 bytes */
162 static inline u8 __fcs(u8 *data)
163 {
164 	return 0xff - __crc(data);
165 }
166 
167 /* FCS on 3 bytes */
168 static inline u8 __fcs2(u8 *data)
169 {
170 	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
171 }
172 
173 /* Check FCS */
174 static inline int __check_fcs(u8 *data, int type, u8 fcs)
175 {
176 	u8 f = __crc(data);
177 
178 	if (type != RFCOMM_UIH)
179 		f = rfcomm_crc_table[f ^ data[2]];
180 
181 	return rfcomm_crc_table[f ^ fcs] != 0xcf;
182 }
183 
184 /* ---- L2CAP callbacks ---- */
185 static void rfcomm_l2state_change(struct sock *sk)
186 {
187 	BT_DBG("%p state %d", sk, sk->sk_state);
188 	rfcomm_schedule();
189 }
190 
191 static void rfcomm_l2data_ready(struct sock *sk)
192 {
193 	BT_DBG("%p", sk);
194 	rfcomm_schedule();
195 }
196 
197 static int rfcomm_l2sock_create(struct socket **sock)
198 {
199 	int err;
200 
201 	BT_DBG("");
202 
203 	err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204 	if (!err) {
205 		struct sock *sk = (*sock)->sk;
206 		sk->sk_data_ready   = rfcomm_l2data_ready;
207 		sk->sk_state_change = rfcomm_l2state_change;
208 	}
209 	return err;
210 }
211 
212 static int rfcomm_check_security(struct rfcomm_dlc *d)
213 {
214 	struct sock *sk = d->session->sock->sk;
215 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216 
217 	__u8 auth_type;
218 
219 	switch (d->sec_level) {
220 	case BT_SECURITY_HIGH:
221 	case BT_SECURITY_FIPS:
222 		auth_type = HCI_AT_GENERAL_BONDING_MITM;
223 		break;
224 	case BT_SECURITY_MEDIUM:
225 		auth_type = HCI_AT_GENERAL_BONDING;
226 		break;
227 	default:
228 		auth_type = HCI_AT_NO_BONDING;
229 		break;
230 	}
231 
232 	return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233 				 d->out);
234 }
235 
236 static void rfcomm_session_timeout(struct timer_list *t)
237 {
238 	struct rfcomm_session *s = from_timer(s, t, timer);
239 
240 	BT_DBG("session %p state %ld", s, s->state);
241 
242 	set_bit(RFCOMM_TIMED_OUT, &s->flags);
243 	rfcomm_schedule();
244 }
245 
246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247 {
248 	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249 
250 	mod_timer(&s->timer, jiffies + timeout);
251 }
252 
253 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254 {
255 	BT_DBG("session %p state %ld", s, s->state);
256 
257 	del_timer_sync(&s->timer);
258 }
259 
260 /* ---- RFCOMM DLCs ---- */
261 static void rfcomm_dlc_timeout(struct timer_list *t)
262 {
263 	struct rfcomm_dlc *d = from_timer(d, t, timer);
264 
265 	BT_DBG("dlc %p state %ld", d, d->state);
266 
267 	set_bit(RFCOMM_TIMED_OUT, &d->flags);
268 	rfcomm_dlc_put(d);
269 	rfcomm_schedule();
270 }
271 
272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273 {
274 	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275 
276 	if (!mod_timer(&d->timer, jiffies + timeout))
277 		rfcomm_dlc_hold(d);
278 }
279 
280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281 {
282 	BT_DBG("dlc %p state %ld", d, d->state);
283 
284 	if (del_timer(&d->timer))
285 		rfcomm_dlc_put(d);
286 }
287 
288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289 {
290 	BT_DBG("%p", d);
291 
292 	d->state      = BT_OPEN;
293 	d->flags      = 0;
294 	d->mscex      = 0;
295 	d->sec_level  = BT_SECURITY_LOW;
296 	d->mtu        = RFCOMM_DEFAULT_MTU;
297 	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298 
299 	d->cfc        = RFCOMM_CFC_DISABLED;
300 	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301 }
302 
303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304 {
305 	struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306 
307 	if (!d)
308 		return NULL;
309 
310 	timer_setup(&d->timer, rfcomm_dlc_timeout, 0);
311 
312 	skb_queue_head_init(&d->tx_queue);
313 	mutex_init(&d->lock);
314 	refcount_set(&d->refcnt, 1);
315 
316 	rfcomm_dlc_clear_state(d);
317 
318 	BT_DBG("%p", d);
319 
320 	return d;
321 }
322 
323 void rfcomm_dlc_free(struct rfcomm_dlc *d)
324 {
325 	BT_DBG("%p", d);
326 
327 	skb_queue_purge(&d->tx_queue);
328 	kfree(d);
329 }
330 
331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332 {
333 	BT_DBG("dlc %p session %p", d, s);
334 
335 	rfcomm_session_clear_timer(s);
336 	rfcomm_dlc_hold(d);
337 	list_add(&d->list, &s->dlcs);
338 	d->session = s;
339 }
340 
341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342 {
343 	struct rfcomm_session *s = d->session;
344 
345 	BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);
346 
347 	list_del(&d->list);
348 	d->session = NULL;
349 	rfcomm_dlc_put(d);
350 
351 	if (list_empty(&s->dlcs))
352 		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353 }
354 
355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356 {
357 	struct rfcomm_dlc *d;
358 
359 	list_for_each_entry(d, &s->dlcs, list)
360 		if (d->dlci == dlci)
361 			return d;
362 
363 	return NULL;
364 }
365 
366 static int rfcomm_check_channel(u8 channel)
367 {
368 	return channel < 1 || channel > 30;
369 }
370 
371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372 {
373 	struct rfcomm_session *s;
374 	int err = 0;
375 	u8 dlci;
376 
377 	BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378 	       d, d->state, src, dst, channel);
379 
380 	if (rfcomm_check_channel(channel))
381 		return -EINVAL;
382 
383 	if (d->state != BT_OPEN && d->state != BT_CLOSED)
384 		return 0;
385 
386 	s = rfcomm_session_get(src, dst);
387 	if (!s) {
388 		s = rfcomm_session_create(src, dst, d->sec_level, &err);
389 		if (!s)
390 			return err;
391 	}
392 
393 	dlci = __dlci(__session_dir(s), channel);
394 
395 	/* Check if DLCI already exists */
396 	if (rfcomm_dlc_get(s, dlci))
397 		return -EBUSY;
398 
399 	rfcomm_dlc_clear_state(d);
400 
401 	d->dlci     = dlci;
402 	d->addr     = __addr(s->initiator, dlci);
403 	d->priority = 7;
404 
405 	d->state = BT_CONFIG;
406 	rfcomm_dlc_link(s, d);
407 
408 	d->out = 1;
409 
410 	d->mtu = s->mtu;
411 	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412 
413 	if (s->state == BT_CONNECTED) {
414 		if (rfcomm_check_security(d))
415 			rfcomm_send_pn(s, 1, d);
416 		else
417 			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418 	}
419 
420 	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421 
422 	return 0;
423 }
424 
425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426 {
427 	int r;
428 
429 	rfcomm_lock();
430 
431 	r = __rfcomm_dlc_open(d, src, dst, channel);
432 
433 	rfcomm_unlock();
434 	return r;
435 }
436 
437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438 {
439 	struct rfcomm_session *s = d->session;
440 
441 	d->state = BT_DISCONN;
442 	if (skb_queue_empty(&d->tx_queue)) {
443 		rfcomm_send_disc(s, d->dlci);
444 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445 	} else {
446 		rfcomm_queue_disc(d);
447 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448 	}
449 }
450 
451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453 	struct rfcomm_session *s = d->session;
454 	if (!s)
455 		return 0;
456 
457 	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458 			d, d->state, d->dlci, err, s);
459 
460 	switch (d->state) {
461 	case BT_CONNECT:
462 	case BT_CONFIG:
463 	case BT_OPEN:
464 	case BT_CONNECT2:
465 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467 			rfcomm_schedule();
468 			return 0;
469 		}
470 	}
471 
472 	switch (d->state) {
473 	case BT_CONNECT:
474 	case BT_CONNECTED:
475 		__rfcomm_dlc_disconn(d);
476 		break;
477 
478 	case BT_CONFIG:
479 		if (s->state != BT_BOUND) {
480 			__rfcomm_dlc_disconn(d);
481 			break;
482 		}
483 		/* if closing a dlc in a session that hasn't been started,
484 		 * just close and unlink the dlc
485 		 */
486 
487 	default:
488 		rfcomm_dlc_clear_timer(d);
489 
490 		rfcomm_dlc_lock(d);
491 		d->state = BT_CLOSED;
492 		d->state_change(d, err);
493 		rfcomm_dlc_unlock(d);
494 
495 		skb_queue_purge(&d->tx_queue);
496 		rfcomm_dlc_unlink(d);
497 	}
498 
499 	return 0;
500 }
501 
502 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
503 {
504 	int r = 0;
505 	struct rfcomm_dlc *d_list;
506 	struct rfcomm_session *s, *s_list;
507 
508 	BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
509 
510 	rfcomm_lock();
511 
512 	s = d->session;
513 	if (!s)
514 		goto no_session;
515 
516 	/* after waiting on the mutex check the session still exists
517 	 * then check the dlc still exists
518 	 */
519 	list_for_each_entry(s_list, &session_list, list) {
520 		if (s_list == s) {
521 			list_for_each_entry(d_list, &s->dlcs, list) {
522 				if (d_list == d) {
523 					r = __rfcomm_dlc_close(d, err);
524 					break;
525 				}
526 			}
527 			break;
528 		}
529 	}
530 
531 no_session:
532 	rfcomm_unlock();
533 	return r;
534 }
535 
536 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
537 {
538 	struct rfcomm_session *s;
539 	struct rfcomm_dlc *dlc = NULL;
540 	u8 dlci;
541 
542 	if (rfcomm_check_channel(channel))
543 		return ERR_PTR(-EINVAL);
544 
545 	rfcomm_lock();
546 	s = rfcomm_session_get(src, dst);
547 	if (s) {
548 		dlci = __dlci(__session_dir(s), channel);
549 		dlc = rfcomm_dlc_get(s, dlci);
550 	}
551 	rfcomm_unlock();
552 	return dlc;
553 }
554 
555 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
556 {
557 	int len = skb->len;
558 
559 	if (d->state != BT_CONNECTED)
560 		return -ENOTCONN;
561 
562 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
563 
564 	if (len > d->mtu)
565 		return -EINVAL;
566 
567 	rfcomm_make_uih(skb, d->addr);
568 	skb_queue_tail(&d->tx_queue, skb);
569 
570 	if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
571 		rfcomm_schedule();
572 	return len;
573 }
574 
575 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
576 {
577 	int len = skb->len;
578 
579 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
580 
581 	rfcomm_make_uih(skb, d->addr);
582 	skb_queue_tail(&d->tx_queue, skb);
583 
584 	if (d->state == BT_CONNECTED &&
585 	    !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
586 		rfcomm_schedule();
587 }
588 
589 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
590 {
591 	BT_DBG("dlc %p state %ld", d, d->state);
592 
593 	if (!d->cfc) {
594 		d->v24_sig |= RFCOMM_V24_FC;
595 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
596 	}
597 	rfcomm_schedule();
598 }
599 
600 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
601 {
602 	BT_DBG("dlc %p state %ld", d, d->state);
603 
604 	if (!d->cfc) {
605 		d->v24_sig &= ~RFCOMM_V24_FC;
606 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
607 	}
608 	rfcomm_schedule();
609 }
610 
611 /*
612    Set/get modem status functions use _local_ status i.e. what we report
613    to the other side.
614    Remote status is provided by dlc->modem_status() callback.
615  */
616 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
617 {
618 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
619 			d, d->state, v24_sig);
620 
621 	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
622 		v24_sig |= RFCOMM_V24_FC;
623 	else
624 		v24_sig &= ~RFCOMM_V24_FC;
625 
626 	d->v24_sig = v24_sig;
627 
628 	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
629 		rfcomm_schedule();
630 
631 	return 0;
632 }
633 
634 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
635 {
636 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
637 			d, d->state, d->v24_sig);
638 
639 	*v24_sig = d->v24_sig;
640 	return 0;
641 }
642 
643 /* ---- RFCOMM sessions ---- */
644 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
645 {
646 	struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
647 
648 	if (!s)
649 		return NULL;
650 
651 	BT_DBG("session %p sock %p", s, sock);
652 
653 	timer_setup(&s->timer, rfcomm_session_timeout, 0);
654 
655 	INIT_LIST_HEAD(&s->dlcs);
656 	s->state = state;
657 	s->sock  = sock;
658 
659 	s->mtu = RFCOMM_DEFAULT_MTU;
660 	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
661 
662 	/* Do not increment module usage count for listening sessions.
663 	 * Otherwise we won't be able to unload the module. */
664 	if (state != BT_LISTEN)
665 		if (!try_module_get(THIS_MODULE)) {
666 			kfree(s);
667 			return NULL;
668 		}
669 
670 	list_add(&s->list, &session_list);
671 
672 	return s;
673 }
674 
675 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
676 {
677 	int state = s->state;
678 
679 	BT_DBG("session %p state %ld", s, s->state);
680 
681 	list_del(&s->list);
682 
683 	rfcomm_session_clear_timer(s);
684 	sock_release(s->sock);
685 	kfree(s);
686 
687 	if (state != BT_LISTEN)
688 		module_put(THIS_MODULE);
689 
690 	return NULL;
691 }
692 
693 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
694 {
695 	struct rfcomm_session *s, *n;
696 	struct l2cap_chan *chan;
697 	list_for_each_entry_safe(s, n, &session_list, list) {
698 		chan = l2cap_pi(s->sock->sk)->chan;
699 
700 		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
701 		    !bacmp(&chan->dst, dst))
702 			return s;
703 	}
704 	return NULL;
705 }
706 
707 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
708 						   int err)
709 {
710 	struct rfcomm_dlc *d, *n;
711 
712 	s->state = BT_CLOSED;
713 
714 	BT_DBG("session %p state %ld err %d", s, s->state, err);
715 
716 	/* Close all dlcs */
717 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
718 		d->state = BT_CLOSED;
719 		__rfcomm_dlc_close(d, err);
720 	}
721 
722 	rfcomm_session_clear_timer(s);
723 	return rfcomm_session_del(s);
724 }
725 
726 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
727 							bdaddr_t *dst,
728 							u8 sec_level,
729 							int *err)
730 {
731 	struct rfcomm_session *s = NULL;
732 	struct sockaddr_l2 addr;
733 	struct socket *sock;
734 	struct sock *sk;
735 
736 	BT_DBG("%pMR -> %pMR", src, dst);
737 
738 	*err = rfcomm_l2sock_create(&sock);
739 	if (*err < 0)
740 		return NULL;
741 
742 	bacpy(&addr.l2_bdaddr, src);
743 	addr.l2_family = AF_BLUETOOTH;
744 	addr.l2_psm    = 0;
745 	addr.l2_cid    = 0;
746 	addr.l2_bdaddr_type = BDADDR_BREDR;
747 	*err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
748 	if (*err < 0)
749 		goto failed;
750 
751 	/* Set L2CAP options */
752 	sk = sock->sk;
753 	lock_sock(sk);
754 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
755 	l2cap_pi(sk)->chan->sec_level = sec_level;
756 	if (l2cap_ertm)
757 		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
758 	release_sock(sk);
759 
760 	s = rfcomm_session_add(sock, BT_BOUND);
761 	if (!s) {
762 		*err = -ENOMEM;
763 		goto failed;
764 	}
765 
766 	s->initiator = 1;
767 
768 	bacpy(&addr.l2_bdaddr, dst);
769 	addr.l2_family = AF_BLUETOOTH;
770 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
771 	addr.l2_cid    = 0;
772 	addr.l2_bdaddr_type = BDADDR_BREDR;
773 	*err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
774 	if (*err == 0 || *err == -EINPROGRESS)
775 		return s;
776 
777 	return rfcomm_session_del(s);
778 
779 failed:
780 	sock_release(sock);
781 	return NULL;
782 }
783 
784 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
785 {
786 	struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
787 	if (src)
788 		bacpy(src, &chan->src);
789 	if (dst)
790 		bacpy(dst, &chan->dst);
791 }
792 
793 /* ---- RFCOMM frame sending ---- */
794 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
795 {
796 	struct kvec iv = { data, len };
797 	struct msghdr msg;
798 
799 	BT_DBG("session %p len %d", s, len);
800 
801 	memset(&msg, 0, sizeof(msg));
802 
803 	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
804 }
805 
806 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
807 {
808 	BT_DBG("%p cmd %u", s, cmd->ctrl);
809 
810 	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
811 }
812 
813 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
814 {
815 	struct rfcomm_cmd cmd;
816 
817 	BT_DBG("%p dlci %d", s, dlci);
818 
819 	cmd.addr = __addr(s->initiator, dlci);
820 	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
821 	cmd.len  = __len8(0);
822 	cmd.fcs  = __fcs2((u8 *) &cmd);
823 
824 	return rfcomm_send_cmd(s, &cmd);
825 }
826 
827 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
828 {
829 	struct rfcomm_cmd cmd;
830 
831 	BT_DBG("%p dlci %d", s, dlci);
832 
833 	cmd.addr = __addr(!s->initiator, dlci);
834 	cmd.ctrl = __ctrl(RFCOMM_UA, 1);
835 	cmd.len  = __len8(0);
836 	cmd.fcs  = __fcs2((u8 *) &cmd);
837 
838 	return rfcomm_send_cmd(s, &cmd);
839 }
840 
841 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
842 {
843 	struct rfcomm_cmd cmd;
844 
845 	BT_DBG("%p dlci %d", s, dlci);
846 
847 	cmd.addr = __addr(s->initiator, dlci);
848 	cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
849 	cmd.len  = __len8(0);
850 	cmd.fcs  = __fcs2((u8 *) &cmd);
851 
852 	return rfcomm_send_cmd(s, &cmd);
853 }
854 
855 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
856 {
857 	struct rfcomm_cmd *cmd;
858 	struct sk_buff *skb;
859 
860 	BT_DBG("dlc %p dlci %d", d, d->dlci);
861 
862 	skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
863 	if (!skb)
864 		return -ENOMEM;
865 
866 	cmd = __skb_put(skb, sizeof(*cmd));
867 	cmd->addr = d->addr;
868 	cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
869 	cmd->len  = __len8(0);
870 	cmd->fcs  = __fcs2((u8 *) cmd);
871 
872 	skb_queue_tail(&d->tx_queue, skb);
873 	rfcomm_schedule();
874 	return 0;
875 }
876 
877 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
878 {
879 	struct rfcomm_cmd cmd;
880 
881 	BT_DBG("%p dlci %d", s, dlci);
882 
883 	cmd.addr = __addr(!s->initiator, dlci);
884 	cmd.ctrl = __ctrl(RFCOMM_DM, 1);
885 	cmd.len  = __len8(0);
886 	cmd.fcs  = __fcs2((u8 *) &cmd);
887 
888 	return rfcomm_send_cmd(s, &cmd);
889 }
890 
891 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
892 {
893 	struct rfcomm_hdr *hdr;
894 	struct rfcomm_mcc *mcc;
895 	u8 buf[16], *ptr = buf;
896 
897 	BT_DBG("%p cr %d type %d", s, cr, type);
898 
899 	hdr = (void *) ptr; ptr += sizeof(*hdr);
900 	hdr->addr = __addr(s->initiator, 0);
901 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
902 	hdr->len  = __len8(sizeof(*mcc) + 1);
903 
904 	mcc = (void *) ptr; ptr += sizeof(*mcc);
905 	mcc->type = __mcc_type(0, RFCOMM_NSC);
906 	mcc->len  = __len8(1);
907 
908 	/* Type that we didn't like */
909 	*ptr = __mcc_type(cr, type); ptr++;
910 
911 	*ptr = __fcs(buf); ptr++;
912 
913 	return rfcomm_send_frame(s, buf, ptr - buf);
914 }
915 
916 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
917 {
918 	struct rfcomm_hdr *hdr;
919 	struct rfcomm_mcc *mcc;
920 	struct rfcomm_pn  *pn;
921 	u8 buf[16], *ptr = buf;
922 
923 	BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
924 
925 	hdr = (void *) ptr; ptr += sizeof(*hdr);
926 	hdr->addr = __addr(s->initiator, 0);
927 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
928 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
929 
930 	mcc = (void *) ptr; ptr += sizeof(*mcc);
931 	mcc->type = __mcc_type(cr, RFCOMM_PN);
932 	mcc->len  = __len8(sizeof(*pn));
933 
934 	pn = (void *) ptr; ptr += sizeof(*pn);
935 	pn->dlci        = d->dlci;
936 	pn->priority    = d->priority;
937 	pn->ack_timer   = 0;
938 	pn->max_retrans = 0;
939 
940 	if (s->cfc) {
941 		pn->flow_ctrl = cr ? 0xf0 : 0xe0;
942 		pn->credits = RFCOMM_DEFAULT_CREDITS;
943 	} else {
944 		pn->flow_ctrl = 0;
945 		pn->credits   = 0;
946 	}
947 
948 	if (cr && channel_mtu >= 0)
949 		pn->mtu = cpu_to_le16(channel_mtu);
950 	else
951 		pn->mtu = cpu_to_le16(d->mtu);
952 
953 	*ptr = __fcs(buf); ptr++;
954 
955 	return rfcomm_send_frame(s, buf, ptr - buf);
956 }
957 
958 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
959 			u8 bit_rate, u8 data_bits, u8 stop_bits,
960 			u8 parity, u8 flow_ctrl_settings,
961 			u8 xon_char, u8 xoff_char, u16 param_mask)
962 {
963 	struct rfcomm_hdr *hdr;
964 	struct rfcomm_mcc *mcc;
965 	struct rfcomm_rpn *rpn;
966 	u8 buf[16], *ptr = buf;
967 
968 	BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
969 			" flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
970 		s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
971 		flow_ctrl_settings, xon_char, xoff_char, param_mask);
972 
973 	hdr = (void *) ptr; ptr += sizeof(*hdr);
974 	hdr->addr = __addr(s->initiator, 0);
975 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
976 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
977 
978 	mcc = (void *) ptr; ptr += sizeof(*mcc);
979 	mcc->type = __mcc_type(cr, RFCOMM_RPN);
980 	mcc->len  = __len8(sizeof(*rpn));
981 
982 	rpn = (void *) ptr; ptr += sizeof(*rpn);
983 	rpn->dlci          = __addr(1, dlci);
984 	rpn->bit_rate      = bit_rate;
985 	rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
986 	rpn->flow_ctrl     = flow_ctrl_settings;
987 	rpn->xon_char      = xon_char;
988 	rpn->xoff_char     = xoff_char;
989 	rpn->param_mask    = cpu_to_le16(param_mask);
990 
991 	*ptr = __fcs(buf); ptr++;
992 
993 	return rfcomm_send_frame(s, buf, ptr - buf);
994 }
995 
996 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
997 {
998 	struct rfcomm_hdr *hdr;
999 	struct rfcomm_mcc *mcc;
1000 	struct rfcomm_rls *rls;
1001 	u8 buf[16], *ptr = buf;
1002 
1003 	BT_DBG("%p cr %d status 0x%x", s, cr, status);
1004 
1005 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1006 	hdr->addr = __addr(s->initiator, 0);
1007 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1008 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
1009 
1010 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1011 	mcc->type = __mcc_type(cr, RFCOMM_RLS);
1012 	mcc->len  = __len8(sizeof(*rls));
1013 
1014 	rls = (void *) ptr; ptr += sizeof(*rls);
1015 	rls->dlci   = __addr(1, dlci);
1016 	rls->status = status;
1017 
1018 	*ptr = __fcs(buf); ptr++;
1019 
1020 	return rfcomm_send_frame(s, buf, ptr - buf);
1021 }
1022 
1023 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1024 {
1025 	struct rfcomm_hdr *hdr;
1026 	struct rfcomm_mcc *mcc;
1027 	struct rfcomm_msc *msc;
1028 	u8 buf[16], *ptr = buf;
1029 
1030 	BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1031 
1032 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1033 	hdr->addr = __addr(s->initiator, 0);
1034 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1035 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1036 
1037 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1038 	mcc->type = __mcc_type(cr, RFCOMM_MSC);
1039 	mcc->len  = __len8(sizeof(*msc));
1040 
1041 	msc = (void *) ptr; ptr += sizeof(*msc);
1042 	msc->dlci    = __addr(1, dlci);
1043 	msc->v24_sig = v24_sig | 0x01;
1044 
1045 	*ptr = __fcs(buf); ptr++;
1046 
1047 	return rfcomm_send_frame(s, buf, ptr - buf);
1048 }
1049 
1050 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1051 {
1052 	struct rfcomm_hdr *hdr;
1053 	struct rfcomm_mcc *mcc;
1054 	u8 buf[16], *ptr = buf;
1055 
1056 	BT_DBG("%p cr %d", s, cr);
1057 
1058 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1059 	hdr->addr = __addr(s->initiator, 0);
1060 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1061 	hdr->len  = __len8(sizeof(*mcc));
1062 
1063 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1064 	mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1065 	mcc->len  = __len8(0);
1066 
1067 	*ptr = __fcs(buf); ptr++;
1068 
1069 	return rfcomm_send_frame(s, buf, ptr - buf);
1070 }
1071 
1072 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1073 {
1074 	struct rfcomm_hdr *hdr;
1075 	struct rfcomm_mcc *mcc;
1076 	u8 buf[16], *ptr = buf;
1077 
1078 	BT_DBG("%p cr %d", s, cr);
1079 
1080 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1081 	hdr->addr = __addr(s->initiator, 0);
1082 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1083 	hdr->len  = __len8(sizeof(*mcc));
1084 
1085 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1086 	mcc->type = __mcc_type(cr, RFCOMM_FCON);
1087 	mcc->len  = __len8(0);
1088 
1089 	*ptr = __fcs(buf); ptr++;
1090 
1091 	return rfcomm_send_frame(s, buf, ptr - buf);
1092 }
1093 
1094 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1095 {
1096 	struct socket *sock = s->sock;
1097 	struct kvec iv[3];
1098 	struct msghdr msg;
1099 	unsigned char hdr[5], crc[1];
1100 
1101 	if (len > 125)
1102 		return -EINVAL;
1103 
1104 	BT_DBG("%p cr %d", s, cr);
1105 
1106 	hdr[0] = __addr(s->initiator, 0);
1107 	hdr[1] = __ctrl(RFCOMM_UIH, 0);
1108 	hdr[2] = 0x01 | ((len + 2) << 1);
1109 	hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1110 	hdr[4] = 0x01 | (len << 1);
1111 
1112 	crc[0] = __fcs(hdr);
1113 
1114 	iv[0].iov_base = hdr;
1115 	iv[0].iov_len  = 5;
1116 	iv[1].iov_base = pattern;
1117 	iv[1].iov_len  = len;
1118 	iv[2].iov_base = crc;
1119 	iv[2].iov_len  = 1;
1120 
1121 	memset(&msg, 0, sizeof(msg));
1122 
1123 	return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1124 }
1125 
1126 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1127 {
1128 	struct rfcomm_hdr *hdr;
1129 	u8 buf[16], *ptr = buf;
1130 
1131 	BT_DBG("%p addr %d credits %d", s, addr, credits);
1132 
1133 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1134 	hdr->addr = addr;
1135 	hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1136 	hdr->len  = __len8(0);
1137 
1138 	*ptr = credits; ptr++;
1139 
1140 	*ptr = __fcs(buf); ptr++;
1141 
1142 	return rfcomm_send_frame(s, buf, ptr - buf);
1143 }
1144 
1145 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1146 {
1147 	struct rfcomm_hdr *hdr;
1148 	int len = skb->len;
1149 	u8 *crc;
1150 
1151 	if (len > 127) {
1152 		hdr = skb_push(skb, 4);
1153 		put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1154 	} else {
1155 		hdr = skb_push(skb, 3);
1156 		hdr->len = __len8(len);
1157 	}
1158 	hdr->addr = addr;
1159 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1160 
1161 	crc = skb_put(skb, 1);
1162 	*crc = __fcs((void *) hdr);
1163 }
1164 
1165 /* ---- RFCOMM frame reception ---- */
1166 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1167 {
1168 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1169 
1170 	if (dlci) {
1171 		/* Data channel */
1172 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1173 		if (!d) {
1174 			rfcomm_send_dm(s, dlci);
1175 			return s;
1176 		}
1177 
1178 		switch (d->state) {
1179 		case BT_CONNECT:
1180 			rfcomm_dlc_clear_timer(d);
1181 
1182 			rfcomm_dlc_lock(d);
1183 			d->state = BT_CONNECTED;
1184 			d->state_change(d, 0);
1185 			rfcomm_dlc_unlock(d);
1186 
1187 			rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1188 			break;
1189 
1190 		case BT_DISCONN:
1191 			d->state = BT_CLOSED;
1192 			__rfcomm_dlc_close(d, 0);
1193 
1194 			if (list_empty(&s->dlcs)) {
1195 				s->state = BT_DISCONN;
1196 				rfcomm_send_disc(s, 0);
1197 				rfcomm_session_clear_timer(s);
1198 			}
1199 
1200 			break;
1201 		}
1202 	} else {
1203 		/* Control channel */
1204 		switch (s->state) {
1205 		case BT_CONNECT:
1206 			s->state = BT_CONNECTED;
1207 			rfcomm_process_connect(s);
1208 			break;
1209 
1210 		case BT_DISCONN:
1211 			s = rfcomm_session_close(s, ECONNRESET);
1212 			break;
1213 		}
1214 	}
1215 	return s;
1216 }
1217 
1218 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1219 {
1220 	int err = 0;
1221 
1222 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1223 
1224 	if (dlci) {
1225 		/* Data DLC */
1226 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1227 		if (d) {
1228 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1229 				err = ECONNREFUSED;
1230 			else
1231 				err = ECONNRESET;
1232 
1233 			d->state = BT_CLOSED;
1234 			__rfcomm_dlc_close(d, err);
1235 		}
1236 	} else {
1237 		if (s->state == BT_CONNECT)
1238 			err = ECONNREFUSED;
1239 		else
1240 			err = ECONNRESET;
1241 
1242 		s = rfcomm_session_close(s, err);
1243 	}
1244 	return s;
1245 }
1246 
1247 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1248 					       u8 dlci)
1249 {
1250 	int err = 0;
1251 
1252 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1253 
1254 	if (dlci) {
1255 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1256 		if (d) {
1257 			rfcomm_send_ua(s, dlci);
1258 
1259 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1260 				err = ECONNREFUSED;
1261 			else
1262 				err = ECONNRESET;
1263 
1264 			d->state = BT_CLOSED;
1265 			__rfcomm_dlc_close(d, err);
1266 		} else
1267 			rfcomm_send_dm(s, dlci);
1268 
1269 	} else {
1270 		rfcomm_send_ua(s, 0);
1271 
1272 		if (s->state == BT_CONNECT)
1273 			err = ECONNREFUSED;
1274 		else
1275 			err = ECONNRESET;
1276 
1277 		s = rfcomm_session_close(s, err);
1278 	}
1279 	return s;
1280 }
1281 
1282 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1283 {
1284 	struct sock *sk = d->session->sock->sk;
1285 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1286 
1287 	BT_DBG("dlc %p", d);
1288 
1289 	rfcomm_send_ua(d->session, d->dlci);
1290 
1291 	rfcomm_dlc_clear_timer(d);
1292 
1293 	rfcomm_dlc_lock(d);
1294 	d->state = BT_CONNECTED;
1295 	d->state_change(d, 0);
1296 	rfcomm_dlc_unlock(d);
1297 
1298 	if (d->role_switch)
1299 		hci_conn_switch_role(conn->hcon, 0x00);
1300 
1301 	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1302 }
1303 
1304 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1305 {
1306 	if (rfcomm_check_security(d)) {
1307 		if (d->defer_setup) {
1308 			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1309 			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1310 
1311 			rfcomm_dlc_lock(d);
1312 			d->state = BT_CONNECT2;
1313 			d->state_change(d, 0);
1314 			rfcomm_dlc_unlock(d);
1315 		} else
1316 			rfcomm_dlc_accept(d);
1317 	} else {
1318 		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1319 		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1320 	}
1321 }
1322 
1323 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1324 {
1325 	struct rfcomm_dlc *d;
1326 	u8 channel;
1327 
1328 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1329 
1330 	if (!dlci) {
1331 		rfcomm_send_ua(s, 0);
1332 
1333 		if (s->state == BT_OPEN) {
1334 			s->state = BT_CONNECTED;
1335 			rfcomm_process_connect(s);
1336 		}
1337 		return 0;
1338 	}
1339 
1340 	/* Check if DLC exists */
1341 	d = rfcomm_dlc_get(s, dlci);
1342 	if (d) {
1343 		if (d->state == BT_OPEN) {
1344 			/* DLC was previously opened by PN request */
1345 			rfcomm_check_accept(d);
1346 		}
1347 		return 0;
1348 	}
1349 
1350 	/* Notify socket layer about incoming connection */
1351 	channel = __srv_channel(dlci);
1352 	if (rfcomm_connect_ind(s, channel, &d)) {
1353 		d->dlci = dlci;
1354 		d->addr = __addr(s->initiator, dlci);
1355 		rfcomm_dlc_link(s, d);
1356 
1357 		rfcomm_check_accept(d);
1358 	} else {
1359 		rfcomm_send_dm(s, dlci);
1360 	}
1361 
1362 	return 0;
1363 }
1364 
1365 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1366 {
1367 	struct rfcomm_session *s = d->session;
1368 
1369 	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1370 			d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1371 
1372 	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1373 						pn->flow_ctrl == 0xe0) {
1374 		d->cfc = RFCOMM_CFC_ENABLED;
1375 		d->tx_credits = pn->credits;
1376 	} else {
1377 		d->cfc = RFCOMM_CFC_DISABLED;
1378 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1379 	}
1380 
1381 	if (s->cfc == RFCOMM_CFC_UNKNOWN)
1382 		s->cfc = d->cfc;
1383 
1384 	d->priority = pn->priority;
1385 
1386 	d->mtu = __le16_to_cpu(pn->mtu);
1387 
1388 	if (cr && d->mtu > s->mtu)
1389 		d->mtu = s->mtu;
1390 
1391 	return 0;
1392 }
1393 
1394 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1395 {
1396 	struct rfcomm_pn *pn = (void *) skb->data;
1397 	struct rfcomm_dlc *d;
1398 	u8 dlci = pn->dlci;
1399 
1400 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1401 
1402 	if (!dlci)
1403 		return 0;
1404 
1405 	d = rfcomm_dlc_get(s, dlci);
1406 	if (d) {
1407 		if (cr) {
1408 			/* PN request */
1409 			rfcomm_apply_pn(d, cr, pn);
1410 			rfcomm_send_pn(s, 0, d);
1411 		} else {
1412 			/* PN response */
1413 			switch (d->state) {
1414 			case BT_CONFIG:
1415 				rfcomm_apply_pn(d, cr, pn);
1416 
1417 				d->state = BT_CONNECT;
1418 				rfcomm_send_sabm(s, d->dlci);
1419 				break;
1420 			}
1421 		}
1422 	} else {
1423 		u8 channel = __srv_channel(dlci);
1424 
1425 		if (!cr)
1426 			return 0;
1427 
1428 		/* PN request for non existing DLC.
1429 		 * Assume incoming connection. */
1430 		if (rfcomm_connect_ind(s, channel, &d)) {
1431 			d->dlci = dlci;
1432 			d->addr = __addr(s->initiator, dlci);
1433 			rfcomm_dlc_link(s, d);
1434 
1435 			rfcomm_apply_pn(d, cr, pn);
1436 
1437 			d->state = BT_OPEN;
1438 			rfcomm_send_pn(s, 0, d);
1439 		} else {
1440 			rfcomm_send_dm(s, dlci);
1441 		}
1442 	}
1443 	return 0;
1444 }
1445 
1446 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1447 {
1448 	struct rfcomm_rpn *rpn = (void *) skb->data;
1449 	u8 dlci = __get_dlci(rpn->dlci);
1450 
1451 	u8 bit_rate  = 0;
1452 	u8 data_bits = 0;
1453 	u8 stop_bits = 0;
1454 	u8 parity    = 0;
1455 	u8 flow_ctrl = 0;
1456 	u8 xon_char  = 0;
1457 	u8 xoff_char = 0;
1458 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1459 
1460 	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1461 		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1462 		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1463 
1464 	if (!cr)
1465 		return 0;
1466 
1467 	if (len == 1) {
1468 		/* This is a request, return default (according to ETSI TS 07.10) settings */
1469 		bit_rate  = RFCOMM_RPN_BR_9600;
1470 		data_bits = RFCOMM_RPN_DATA_8;
1471 		stop_bits = RFCOMM_RPN_STOP_1;
1472 		parity    = RFCOMM_RPN_PARITY_NONE;
1473 		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1474 		xon_char  = RFCOMM_RPN_XON_CHAR;
1475 		xoff_char = RFCOMM_RPN_XOFF_CHAR;
1476 		goto rpn_out;
1477 	}
1478 
1479 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1480 	 * no parity, no flow control lines, normal XON/XOFF chars */
1481 
1482 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1483 		bit_rate = rpn->bit_rate;
1484 		if (bit_rate > RFCOMM_RPN_BR_230400) {
1485 			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1486 			bit_rate = RFCOMM_RPN_BR_9600;
1487 			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1488 		}
1489 	}
1490 
1491 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1492 		data_bits = __get_rpn_data_bits(rpn->line_settings);
1493 		if (data_bits != RFCOMM_RPN_DATA_8) {
1494 			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1495 			data_bits = RFCOMM_RPN_DATA_8;
1496 			rpn_mask ^= RFCOMM_RPN_PM_DATA;
1497 		}
1498 	}
1499 
1500 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1501 		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1502 		if (stop_bits != RFCOMM_RPN_STOP_1) {
1503 			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1504 			stop_bits = RFCOMM_RPN_STOP_1;
1505 			rpn_mask ^= RFCOMM_RPN_PM_STOP;
1506 		}
1507 	}
1508 
1509 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1510 		parity = __get_rpn_parity(rpn->line_settings);
1511 		if (parity != RFCOMM_RPN_PARITY_NONE) {
1512 			BT_DBG("RPN parity mismatch 0x%x", parity);
1513 			parity = RFCOMM_RPN_PARITY_NONE;
1514 			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1515 		}
1516 	}
1517 
1518 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1519 		flow_ctrl = rpn->flow_ctrl;
1520 		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1521 			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1522 			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1523 			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1524 		}
1525 	}
1526 
1527 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1528 		xon_char = rpn->xon_char;
1529 		if (xon_char != RFCOMM_RPN_XON_CHAR) {
1530 			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1531 			xon_char = RFCOMM_RPN_XON_CHAR;
1532 			rpn_mask ^= RFCOMM_RPN_PM_XON;
1533 		}
1534 	}
1535 
1536 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1537 		xoff_char = rpn->xoff_char;
1538 		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1539 			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1540 			xoff_char = RFCOMM_RPN_XOFF_CHAR;
1541 			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1542 		}
1543 	}
1544 
1545 rpn_out:
1546 	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1547 			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1548 
1549 	return 0;
1550 }
1551 
1552 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1553 {
1554 	struct rfcomm_rls *rls = (void *) skb->data;
1555 	u8 dlci = __get_dlci(rls->dlci);
1556 
1557 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1558 
1559 	if (!cr)
1560 		return 0;
1561 
1562 	/* We should probably do something with this information here. But
1563 	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1564 	 * mandatory to recognise and respond to RLS */
1565 
1566 	rfcomm_send_rls(s, 0, dlci, rls->status);
1567 
1568 	return 0;
1569 }
1570 
1571 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1572 {
1573 	struct rfcomm_msc *msc = (void *) skb->data;
1574 	struct rfcomm_dlc *d;
1575 	u8 dlci = __get_dlci(msc->dlci);
1576 
1577 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1578 
1579 	d = rfcomm_dlc_get(s, dlci);
1580 	if (!d)
1581 		return 0;
1582 
1583 	if (cr) {
1584 		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1585 			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1586 		else
1587 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1588 
1589 		rfcomm_dlc_lock(d);
1590 
1591 		d->remote_v24_sig = msc->v24_sig;
1592 
1593 		if (d->modem_status)
1594 			d->modem_status(d, msc->v24_sig);
1595 
1596 		rfcomm_dlc_unlock(d);
1597 
1598 		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1599 
1600 		d->mscex |= RFCOMM_MSCEX_RX;
1601 	} else
1602 		d->mscex |= RFCOMM_MSCEX_TX;
1603 
1604 	return 0;
1605 }
1606 
1607 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1608 {
1609 	struct rfcomm_mcc *mcc = (void *) skb->data;
1610 	u8 type, cr, len;
1611 
1612 	cr   = __test_cr(mcc->type);
1613 	type = __get_mcc_type(mcc->type);
1614 	len  = __get_mcc_len(mcc->len);
1615 
1616 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
1617 
1618 	skb_pull(skb, 2);
1619 
1620 	switch (type) {
1621 	case RFCOMM_PN:
1622 		rfcomm_recv_pn(s, cr, skb);
1623 		break;
1624 
1625 	case RFCOMM_RPN:
1626 		rfcomm_recv_rpn(s, cr, len, skb);
1627 		break;
1628 
1629 	case RFCOMM_RLS:
1630 		rfcomm_recv_rls(s, cr, skb);
1631 		break;
1632 
1633 	case RFCOMM_MSC:
1634 		rfcomm_recv_msc(s, cr, skb);
1635 		break;
1636 
1637 	case RFCOMM_FCOFF:
1638 		if (cr) {
1639 			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1640 			rfcomm_send_fcoff(s, 0);
1641 		}
1642 		break;
1643 
1644 	case RFCOMM_FCON:
1645 		if (cr) {
1646 			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1647 			rfcomm_send_fcon(s, 0);
1648 		}
1649 		break;
1650 
1651 	case RFCOMM_TEST:
1652 		if (cr)
1653 			rfcomm_send_test(s, 0, skb->data, skb->len);
1654 		break;
1655 
1656 	case RFCOMM_NSC:
1657 		break;
1658 
1659 	default:
1660 		BT_ERR("Unknown control type 0x%02x", type);
1661 		rfcomm_send_nsc(s, cr, type);
1662 		break;
1663 	}
1664 	return 0;
1665 }
1666 
1667 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1668 {
1669 	struct rfcomm_dlc *d;
1670 
1671 	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1672 
1673 	d = rfcomm_dlc_get(s, dlci);
1674 	if (!d) {
1675 		rfcomm_send_dm(s, dlci);
1676 		goto drop;
1677 	}
1678 
1679 	if (pf && d->cfc) {
1680 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1681 
1682 		d->tx_credits += credits;
1683 		if (d->tx_credits)
1684 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1685 	}
1686 
1687 	if (skb->len && d->state == BT_CONNECTED) {
1688 		rfcomm_dlc_lock(d);
1689 		d->rx_credits--;
1690 		d->data_ready(d, skb);
1691 		rfcomm_dlc_unlock(d);
1692 		return 0;
1693 	}
1694 
1695 drop:
1696 	kfree_skb(skb);
1697 	return 0;
1698 }
1699 
1700 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1701 						struct sk_buff *skb)
1702 {
1703 	struct rfcomm_hdr *hdr = (void *) skb->data;
1704 	u8 type, dlci, fcs;
1705 
1706 	if (!s) {
1707 		/* no session, so free socket data */
1708 		kfree_skb(skb);
1709 		return s;
1710 	}
1711 
1712 	dlci = __get_dlci(hdr->addr);
1713 	type = __get_type(hdr->ctrl);
1714 
1715 	/* Trim FCS */
1716 	skb->len--; skb->tail--;
1717 	fcs = *(u8 *)skb_tail_pointer(skb);
1718 
1719 	if (__check_fcs(skb->data, type, fcs)) {
1720 		BT_ERR("bad checksum in packet");
1721 		kfree_skb(skb);
1722 		return s;
1723 	}
1724 
1725 	if (__test_ea(hdr->len))
1726 		skb_pull(skb, 3);
1727 	else
1728 		skb_pull(skb, 4);
1729 
1730 	switch (type) {
1731 	case RFCOMM_SABM:
1732 		if (__test_pf(hdr->ctrl))
1733 			rfcomm_recv_sabm(s, dlci);
1734 		break;
1735 
1736 	case RFCOMM_DISC:
1737 		if (__test_pf(hdr->ctrl))
1738 			s = rfcomm_recv_disc(s, dlci);
1739 		break;
1740 
1741 	case RFCOMM_UA:
1742 		if (__test_pf(hdr->ctrl))
1743 			s = rfcomm_recv_ua(s, dlci);
1744 		break;
1745 
1746 	case RFCOMM_DM:
1747 		s = rfcomm_recv_dm(s, dlci);
1748 		break;
1749 
1750 	case RFCOMM_UIH:
1751 		if (dlci) {
1752 			rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1753 			return s;
1754 		}
1755 		rfcomm_recv_mcc(s, skb);
1756 		break;
1757 
1758 	default:
1759 		BT_ERR("Unknown packet type 0x%02x", type);
1760 		break;
1761 	}
1762 	kfree_skb(skb);
1763 	return s;
1764 }
1765 
1766 /* ---- Connection and data processing ---- */
1767 
1768 static void rfcomm_process_connect(struct rfcomm_session *s)
1769 {
1770 	struct rfcomm_dlc *d, *n;
1771 
1772 	BT_DBG("session %p state %ld", s, s->state);
1773 
1774 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
1775 		if (d->state == BT_CONFIG) {
1776 			d->mtu = s->mtu;
1777 			if (rfcomm_check_security(d)) {
1778 				rfcomm_send_pn(s, 1, d);
1779 			} else {
1780 				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1781 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1782 			}
1783 		}
1784 	}
1785 }
1786 
1787 /* Send data queued for the DLC.
1788  * Return number of frames left in the queue.
1789  */
1790 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1791 {
1792 	struct sk_buff *skb;
1793 	int err;
1794 
1795 	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1796 			d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1797 
1798 	/* Send pending MSC */
1799 	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1800 		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1801 
1802 	if (d->cfc) {
1803 		/* CFC enabled.
1804 		 * Give them some credits */
1805 		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1806 				d->rx_credits <= (d->cfc >> 2)) {
1807 			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1808 			d->rx_credits = d->cfc;
1809 		}
1810 	} else {
1811 		/* CFC disabled.
1812 		 * Give ourselves some credits */
1813 		d->tx_credits = 5;
1814 	}
1815 
1816 	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1817 		return skb_queue_len(&d->tx_queue);
1818 
1819 	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1820 		err = rfcomm_send_frame(d->session, skb->data, skb->len);
1821 		if (err < 0) {
1822 			skb_queue_head(&d->tx_queue, skb);
1823 			break;
1824 		}
1825 		kfree_skb(skb);
1826 		d->tx_credits--;
1827 	}
1828 
1829 	if (d->cfc && !d->tx_credits) {
1830 		/* We're out of TX credits.
1831 		 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1832 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1833 	}
1834 
1835 	return skb_queue_len(&d->tx_queue);
1836 }
1837 
1838 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1839 {
1840 	struct rfcomm_dlc *d, *n;
1841 
1842 	BT_DBG("session %p state %ld", s, s->state);
1843 
1844 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
1845 		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1846 			__rfcomm_dlc_close(d, ETIMEDOUT);
1847 			continue;
1848 		}
1849 
1850 		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1851 			__rfcomm_dlc_close(d, ECONNREFUSED);
1852 			continue;
1853 		}
1854 
1855 		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1856 			rfcomm_dlc_clear_timer(d);
1857 			if (d->out) {
1858 				rfcomm_send_pn(s, 1, d);
1859 				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1860 			} else {
1861 				if (d->defer_setup) {
1862 					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1863 					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1864 
1865 					rfcomm_dlc_lock(d);
1866 					d->state = BT_CONNECT2;
1867 					d->state_change(d, 0);
1868 					rfcomm_dlc_unlock(d);
1869 				} else
1870 					rfcomm_dlc_accept(d);
1871 			}
1872 			continue;
1873 		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1874 			rfcomm_dlc_clear_timer(d);
1875 			if (!d->out)
1876 				rfcomm_send_dm(s, d->dlci);
1877 			else
1878 				d->state = BT_CLOSED;
1879 			__rfcomm_dlc_close(d, ECONNREFUSED);
1880 			continue;
1881 		}
1882 
1883 		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1884 			continue;
1885 
1886 		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1887 			continue;
1888 
1889 		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1890 						d->mscex == RFCOMM_MSCEX_OK)
1891 			rfcomm_process_tx(d);
1892 	}
1893 }
1894 
1895 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1896 {
1897 	struct socket *sock = s->sock;
1898 	struct sock *sk = sock->sk;
1899 	struct sk_buff *skb;
1900 
1901 	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1902 
1903 	/* Get data directly from socket receive queue without copying it. */
1904 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1905 		skb_orphan(skb);
1906 		if (!skb_linearize(skb)) {
1907 			s = rfcomm_recv_frame(s, skb);
1908 			if (!s)
1909 				break;
1910 		} else {
1911 			kfree_skb(skb);
1912 		}
1913 	}
1914 
1915 	if (s && (sk->sk_state == BT_CLOSED))
1916 		s = rfcomm_session_close(s, sk->sk_err);
1917 
1918 	return s;
1919 }
1920 
1921 static void rfcomm_accept_connection(struct rfcomm_session *s)
1922 {
1923 	struct socket *sock = s->sock, *nsock;
1924 	int err;
1925 
1926 	/* Fast check for a new connection.
1927 	 * Avoids unnesesary socket allocations. */
1928 	if (list_empty(&bt_sk(sock->sk)->accept_q))
1929 		return;
1930 
1931 	BT_DBG("session %p", s);
1932 
1933 	err = kernel_accept(sock, &nsock, O_NONBLOCK);
1934 	if (err < 0)
1935 		return;
1936 
1937 	/* Set our callbacks */
1938 	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1939 	nsock->sk->sk_state_change = rfcomm_l2state_change;
1940 
1941 	s = rfcomm_session_add(nsock, BT_OPEN);
1942 	if (s) {
1943 		/* We should adjust MTU on incoming sessions.
1944 		 * L2CAP MTU minus UIH header and FCS. */
1945 		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1946 				l2cap_pi(nsock->sk)->chan->imtu) - 5;
1947 
1948 		rfcomm_schedule();
1949 	} else
1950 		sock_release(nsock);
1951 }
1952 
1953 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1954 {
1955 	struct sock *sk = s->sock->sk;
1956 
1957 	BT_DBG("%p state %ld", s, s->state);
1958 
1959 	switch (sk->sk_state) {
1960 	case BT_CONNECTED:
1961 		s->state = BT_CONNECT;
1962 
1963 		/* We can adjust MTU on outgoing sessions.
1964 		 * L2CAP MTU minus UIH header and FCS. */
1965 		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1966 
1967 		rfcomm_send_sabm(s, 0);
1968 		break;
1969 
1970 	case BT_CLOSED:
1971 		s = rfcomm_session_close(s, sk->sk_err);
1972 		break;
1973 	}
1974 	return s;
1975 }
1976 
1977 static void rfcomm_process_sessions(void)
1978 {
1979 	struct rfcomm_session *s, *n;
1980 
1981 	rfcomm_lock();
1982 
1983 	list_for_each_entry_safe(s, n, &session_list, list) {
1984 		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1985 			s->state = BT_DISCONN;
1986 			rfcomm_send_disc(s, 0);
1987 			continue;
1988 		}
1989 
1990 		switch (s->state) {
1991 		case BT_LISTEN:
1992 			rfcomm_accept_connection(s);
1993 			continue;
1994 
1995 		case BT_BOUND:
1996 			s = rfcomm_check_connection(s);
1997 			break;
1998 
1999 		default:
2000 			s = rfcomm_process_rx(s);
2001 			break;
2002 		}
2003 
2004 		if (s)
2005 			rfcomm_process_dlcs(s);
2006 	}
2007 
2008 	rfcomm_unlock();
2009 }
2010 
2011 static int rfcomm_add_listener(bdaddr_t *ba)
2012 {
2013 	struct sockaddr_l2 addr;
2014 	struct socket *sock;
2015 	struct sock *sk;
2016 	struct rfcomm_session *s;
2017 	int    err = 0;
2018 
2019 	/* Create socket */
2020 	err = rfcomm_l2sock_create(&sock);
2021 	if (err < 0) {
2022 		BT_ERR("Create socket failed %d", err);
2023 		return err;
2024 	}
2025 
2026 	/* Bind socket */
2027 	bacpy(&addr.l2_bdaddr, ba);
2028 	addr.l2_family = AF_BLUETOOTH;
2029 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
2030 	addr.l2_cid    = 0;
2031 	addr.l2_bdaddr_type = BDADDR_BREDR;
2032 	err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2033 	if (err < 0) {
2034 		BT_ERR("Bind failed %d", err);
2035 		goto failed;
2036 	}
2037 
2038 	/* Set L2CAP options */
2039 	sk = sock->sk;
2040 	lock_sock(sk);
2041 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2042 	release_sock(sk);
2043 
2044 	/* Start listening on the socket */
2045 	err = kernel_listen(sock, 10);
2046 	if (err) {
2047 		BT_ERR("Listen failed %d", err);
2048 		goto failed;
2049 	}
2050 
2051 	/* Add listening session */
2052 	s = rfcomm_session_add(sock, BT_LISTEN);
2053 	if (!s) {
2054 		err = -ENOMEM;
2055 		goto failed;
2056 	}
2057 
2058 	return 0;
2059 failed:
2060 	sock_release(sock);
2061 	return err;
2062 }
2063 
2064 static void rfcomm_kill_listener(void)
2065 {
2066 	struct rfcomm_session *s, *n;
2067 
2068 	BT_DBG("");
2069 
2070 	list_for_each_entry_safe(s, n, &session_list, list)
2071 		rfcomm_session_del(s);
2072 }
2073 
2074 static int rfcomm_run(void *unused)
2075 {
2076 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
2077 	BT_DBG("");
2078 
2079 	set_user_nice(current, -10);
2080 
2081 	rfcomm_add_listener(BDADDR_ANY);
2082 
2083 	add_wait_queue(&rfcomm_wq, &wait);
2084 	while (!kthread_should_stop()) {
2085 
2086 		/* Process stuff */
2087 		rfcomm_process_sessions();
2088 
2089 		wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2090 	}
2091 	remove_wait_queue(&rfcomm_wq, &wait);
2092 
2093 	rfcomm_kill_listener();
2094 
2095 	return 0;
2096 }
2097 
2098 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2099 {
2100 	struct rfcomm_session *s;
2101 	struct rfcomm_dlc *d, *n;
2102 
2103 	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2104 
2105 	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2106 	if (!s)
2107 		return;
2108 
2109 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
2110 		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2111 			rfcomm_dlc_clear_timer(d);
2112 			if (status || encrypt == 0x00) {
2113 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2114 				continue;
2115 			}
2116 		}
2117 
2118 		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2119 			if (d->sec_level == BT_SECURITY_MEDIUM) {
2120 				set_bit(RFCOMM_SEC_PENDING, &d->flags);
2121 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2122 				continue;
2123 			} else if (d->sec_level == BT_SECURITY_HIGH ||
2124 				   d->sec_level == BT_SECURITY_FIPS) {
2125 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2126 				continue;
2127 			}
2128 		}
2129 
2130 		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2131 			continue;
2132 
2133 		if (!status && hci_conn_check_secure(conn, d->sec_level))
2134 			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2135 		else
2136 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2137 	}
2138 
2139 	rfcomm_schedule();
2140 }
2141 
2142 static struct hci_cb rfcomm_cb = {
2143 	.name		= "RFCOMM",
2144 	.security_cfm	= rfcomm_security_cfm
2145 };
2146 
2147 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2148 {
2149 	struct rfcomm_session *s;
2150 
2151 	rfcomm_lock();
2152 
2153 	list_for_each_entry(s, &session_list, list) {
2154 		struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2155 		struct rfcomm_dlc *d;
2156 		list_for_each_entry(d, &s->dlcs, list) {
2157 			seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2158 				   &chan->src, &chan->dst,
2159 				   d->state, d->dlci, d->mtu,
2160 				   d->rx_credits, d->tx_credits);
2161 		}
2162 	}
2163 
2164 	rfcomm_unlock();
2165 
2166 	return 0;
2167 }
2168 
2169 DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);
2170 
2171 static struct dentry *rfcomm_dlc_debugfs;
2172 
2173 /* ---- Initialization ---- */
2174 static int __init rfcomm_init(void)
2175 {
2176 	int err;
2177 
2178 	hci_register_cb(&rfcomm_cb);
2179 
2180 	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2181 	if (IS_ERR(rfcomm_thread)) {
2182 		err = PTR_ERR(rfcomm_thread);
2183 		goto unregister;
2184 	}
2185 
2186 	err = rfcomm_init_ttys();
2187 	if (err < 0)
2188 		goto stop;
2189 
2190 	err = rfcomm_init_sockets();
2191 	if (err < 0)
2192 		goto cleanup;
2193 
2194 	BT_INFO("RFCOMM ver %s", VERSION);
2195 
2196 	if (IS_ERR_OR_NULL(bt_debugfs))
2197 		return 0;
2198 
2199 	rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2200 						 bt_debugfs, NULL,
2201 						 &rfcomm_dlc_debugfs_fops);
2202 
2203 	return 0;
2204 
2205 cleanup:
2206 	rfcomm_cleanup_ttys();
2207 
2208 stop:
2209 	kthread_stop(rfcomm_thread);
2210 
2211 unregister:
2212 	hci_unregister_cb(&rfcomm_cb);
2213 
2214 	return err;
2215 }
2216 
2217 static void __exit rfcomm_exit(void)
2218 {
2219 	debugfs_remove(rfcomm_dlc_debugfs);
2220 
2221 	hci_unregister_cb(&rfcomm_cb);
2222 
2223 	kthread_stop(rfcomm_thread);
2224 
2225 	rfcomm_cleanup_ttys();
2226 
2227 	rfcomm_cleanup_sockets();
2228 }
2229 
2230 module_init(rfcomm_init);
2231 module_exit(rfcomm_exit);
2232 
2233 module_param(disable_cfc, bool, 0644);
2234 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2235 
2236 module_param(channel_mtu, int, 0644);
2237 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2238 
2239 module_param(l2cap_mtu, uint, 0644);
2240 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2241 
2242 module_param(l2cap_ertm, bool, 0644);
2243 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2244 
2245 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2246 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2247 MODULE_VERSION(VERSION);
2248 MODULE_LICENSE("GPL");
2249 MODULE_ALIAS("bt-proto-3");
2250