1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/debugfs.h> 30 #include <linux/kthread.h> 31 #include <asm/unaligned.h> 32 33 #include <net/bluetooth/bluetooth.h> 34 #include <net/bluetooth/hci_core.h> 35 #include <net/bluetooth/l2cap.h> 36 #include <net/bluetooth/rfcomm.h> 37 38 #define VERSION "1.11" 39 40 static bool disable_cfc; 41 static bool l2cap_ertm; 42 static int channel_mtu = -1; 43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 44 45 static struct task_struct *rfcomm_thread; 46 47 static DEFINE_MUTEX(rfcomm_mutex); 48 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 50 51 52 static LIST_HEAD(session_list); 53 54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 57 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 64 65 static void rfcomm_process_connect(struct rfcomm_session *s); 66 67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 68 bdaddr_t *dst, 69 u8 sec_level, 70 int *err); 71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s); 73 74 /* ---- RFCOMM frame parsing macros ---- */ 75 #define __get_dlci(b) ((b & 0xfc) >> 2) 76 #define __get_channel(b) ((b & 0xf8) >> 3) 77 #define __get_dir(b) ((b & 0x04) >> 2) 78 #define __get_type(b) ((b & 0xef)) 79 80 #define __test_ea(b) ((b & 0x01)) 81 #define __test_cr(b) ((b & 0x02)) 82 #define __test_pf(b) ((b & 0x10)) 83 84 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 85 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 86 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 87 #define __srv_channel(dlci) (dlci >> 1) 88 #define __dir(dlci) (dlci & 0x01) 89 90 #define __len8(len) (((len) << 1) | 1) 91 #define __len16(len) ((len) << 1) 92 93 /* MCC macros */ 94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 95 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 96 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 97 98 /* RPN macros */ 99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 100 #define __get_rpn_data_bits(line) ((line) & 0x3) 101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 103 104 static void rfcomm_schedule(void) 105 { 106 if (!rfcomm_thread) 107 return; 108 wake_up_process(rfcomm_thread); 109 } 110 111 /* ---- RFCOMM FCS computation ---- */ 112 113 /* reversed, 8-bit, poly=0x07 */ 114 static unsigned char rfcomm_crc_table[256] = { 115 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 116 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 117 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 118 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 119 120 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 121 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 122 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 123 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 124 125 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 126 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 127 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 128 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 129 130 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 131 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 132 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 133 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 134 135 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 136 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 137 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 138 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 139 140 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 141 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 142 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 143 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 144 145 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 146 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 147 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 148 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 149 150 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 151 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 152 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 153 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 154 }; 155 156 /* CRC on 2 bytes */ 157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 158 159 /* FCS on 2 bytes */ 160 static inline u8 __fcs(u8 *data) 161 { 162 return 0xff - __crc(data); 163 } 164 165 /* FCS on 3 bytes */ 166 static inline u8 __fcs2(u8 *data) 167 { 168 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 169 } 170 171 /* Check FCS */ 172 static inline int __check_fcs(u8 *data, int type, u8 fcs) 173 { 174 u8 f = __crc(data); 175 176 if (type != RFCOMM_UIH) 177 f = rfcomm_crc_table[f ^ data[2]]; 178 179 return rfcomm_crc_table[f ^ fcs] != 0xcf; 180 } 181 182 /* ---- L2CAP callbacks ---- */ 183 static void rfcomm_l2state_change(struct sock *sk) 184 { 185 BT_DBG("%p state %d", sk, sk->sk_state); 186 rfcomm_schedule(); 187 } 188 189 static void rfcomm_l2data_ready(struct sock *sk) 190 { 191 BT_DBG("%p", sk); 192 rfcomm_schedule(); 193 } 194 195 static int rfcomm_l2sock_create(struct socket **sock) 196 { 197 int err; 198 199 BT_DBG(""); 200 201 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 202 if (!err) { 203 struct sock *sk = (*sock)->sk; 204 sk->sk_data_ready = rfcomm_l2data_ready; 205 sk->sk_state_change = rfcomm_l2state_change; 206 } 207 return err; 208 } 209 210 static int rfcomm_check_security(struct rfcomm_dlc *d) 211 { 212 struct sock *sk = d->session->sock->sk; 213 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 214 215 __u8 auth_type; 216 217 switch (d->sec_level) { 218 case BT_SECURITY_HIGH: 219 case BT_SECURITY_FIPS: 220 auth_type = HCI_AT_GENERAL_BONDING_MITM; 221 break; 222 case BT_SECURITY_MEDIUM: 223 auth_type = HCI_AT_GENERAL_BONDING; 224 break; 225 default: 226 auth_type = HCI_AT_NO_BONDING; 227 break; 228 } 229 230 return hci_conn_security(conn->hcon, d->sec_level, auth_type, 231 d->out); 232 } 233 234 static void rfcomm_session_timeout(unsigned long arg) 235 { 236 struct rfcomm_session *s = (void *) arg; 237 238 BT_DBG("session %p state %ld", s, s->state); 239 240 set_bit(RFCOMM_TIMED_OUT, &s->flags); 241 rfcomm_schedule(); 242 } 243 244 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 245 { 246 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 247 248 mod_timer(&s->timer, jiffies + timeout); 249 } 250 251 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 252 { 253 BT_DBG("session %p state %ld", s, s->state); 254 255 del_timer_sync(&s->timer); 256 } 257 258 /* ---- RFCOMM DLCs ---- */ 259 static void rfcomm_dlc_timeout(unsigned long arg) 260 { 261 struct rfcomm_dlc *d = (void *) arg; 262 263 BT_DBG("dlc %p state %ld", d, d->state); 264 265 set_bit(RFCOMM_TIMED_OUT, &d->flags); 266 rfcomm_dlc_put(d); 267 rfcomm_schedule(); 268 } 269 270 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 271 { 272 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 273 274 if (!mod_timer(&d->timer, jiffies + timeout)) 275 rfcomm_dlc_hold(d); 276 } 277 278 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 279 { 280 BT_DBG("dlc %p state %ld", d, d->state); 281 282 if (del_timer(&d->timer)) 283 rfcomm_dlc_put(d); 284 } 285 286 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 287 { 288 BT_DBG("%p", d); 289 290 d->state = BT_OPEN; 291 d->flags = 0; 292 d->mscex = 0; 293 d->sec_level = BT_SECURITY_LOW; 294 d->mtu = RFCOMM_DEFAULT_MTU; 295 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 296 297 d->cfc = RFCOMM_CFC_DISABLED; 298 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 299 } 300 301 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 302 { 303 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 304 305 if (!d) 306 return NULL; 307 308 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 309 310 skb_queue_head_init(&d->tx_queue); 311 mutex_init(&d->lock); 312 atomic_set(&d->refcnt, 1); 313 314 rfcomm_dlc_clear_state(d); 315 316 BT_DBG("%p", d); 317 318 return d; 319 } 320 321 void rfcomm_dlc_free(struct rfcomm_dlc *d) 322 { 323 BT_DBG("%p", d); 324 325 skb_queue_purge(&d->tx_queue); 326 kfree(d); 327 } 328 329 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 330 { 331 BT_DBG("dlc %p session %p", d, s); 332 333 rfcomm_session_clear_timer(s); 334 rfcomm_dlc_hold(d); 335 list_add(&d->list, &s->dlcs); 336 d->session = s; 337 } 338 339 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 340 { 341 struct rfcomm_session *s = d->session; 342 343 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 344 345 list_del(&d->list); 346 d->session = NULL; 347 rfcomm_dlc_put(d); 348 349 if (list_empty(&s->dlcs)) 350 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 351 } 352 353 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 354 { 355 struct rfcomm_dlc *d; 356 357 list_for_each_entry(d, &s->dlcs, list) 358 if (d->dlci == dlci) 359 return d; 360 361 return NULL; 362 } 363 364 static int rfcomm_check_channel(u8 channel) 365 { 366 return channel < 1 || channel > 30; 367 } 368 369 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 370 { 371 struct rfcomm_session *s; 372 int err = 0; 373 u8 dlci; 374 375 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 376 d, d->state, src, dst, channel); 377 378 if (rfcomm_check_channel(channel)) 379 return -EINVAL; 380 381 if (d->state != BT_OPEN && d->state != BT_CLOSED) 382 return 0; 383 384 s = rfcomm_session_get(src, dst); 385 if (!s) { 386 s = rfcomm_session_create(src, dst, d->sec_level, &err); 387 if (!s) 388 return err; 389 } 390 391 dlci = __dlci(!s->initiator, channel); 392 393 /* Check if DLCI already exists */ 394 if (rfcomm_dlc_get(s, dlci)) 395 return -EBUSY; 396 397 rfcomm_dlc_clear_state(d); 398 399 d->dlci = dlci; 400 d->addr = __addr(s->initiator, dlci); 401 d->priority = 7; 402 403 d->state = BT_CONFIG; 404 rfcomm_dlc_link(s, d); 405 406 d->out = 1; 407 408 d->mtu = s->mtu; 409 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 410 411 if (s->state == BT_CONNECTED) { 412 if (rfcomm_check_security(d)) 413 rfcomm_send_pn(s, 1, d); 414 else 415 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 416 } 417 418 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 419 420 return 0; 421 } 422 423 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 424 { 425 int r; 426 427 rfcomm_lock(); 428 429 r = __rfcomm_dlc_open(d, src, dst, channel); 430 431 rfcomm_unlock(); 432 return r; 433 } 434 435 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d) 436 { 437 struct rfcomm_session *s = d->session; 438 439 d->state = BT_DISCONN; 440 if (skb_queue_empty(&d->tx_queue)) { 441 rfcomm_send_disc(s, d->dlci); 442 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 443 } else { 444 rfcomm_queue_disc(d); 445 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 446 } 447 } 448 449 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 450 { 451 struct rfcomm_session *s = d->session; 452 if (!s) 453 return 0; 454 455 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 456 d, d->state, d->dlci, err, s); 457 458 switch (d->state) { 459 case BT_CONNECT: 460 case BT_CONFIG: 461 case BT_OPEN: 462 case BT_CONNECT2: 463 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 464 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 465 rfcomm_schedule(); 466 return 0; 467 } 468 } 469 470 switch (d->state) { 471 case BT_CONNECT: 472 case BT_CONNECTED: 473 __rfcomm_dlc_disconn(d); 474 break; 475 476 case BT_CONFIG: 477 if (s->state != BT_BOUND) { 478 __rfcomm_dlc_disconn(d); 479 break; 480 } 481 /* if closing a dlc in a session that hasn't been started, 482 * just close and unlink the dlc 483 */ 484 485 default: 486 rfcomm_dlc_clear_timer(d); 487 488 rfcomm_dlc_lock(d); 489 d->state = BT_CLOSED; 490 d->state_change(d, err); 491 rfcomm_dlc_unlock(d); 492 493 skb_queue_purge(&d->tx_queue); 494 rfcomm_dlc_unlink(d); 495 } 496 497 return 0; 498 } 499 500 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 501 { 502 int r = 0; 503 struct rfcomm_dlc *d_list; 504 struct rfcomm_session *s, *s_list; 505 506 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err); 507 508 rfcomm_lock(); 509 510 s = d->session; 511 if (!s) 512 goto no_session; 513 514 /* after waiting on the mutex check the session still exists 515 * then check the dlc still exists 516 */ 517 list_for_each_entry(s_list, &session_list, list) { 518 if (s_list == s) { 519 list_for_each_entry(d_list, &s->dlcs, list) { 520 if (d_list == d) { 521 r = __rfcomm_dlc_close(d, err); 522 break; 523 } 524 } 525 break; 526 } 527 } 528 529 no_session: 530 rfcomm_unlock(); 531 return r; 532 } 533 534 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel) 535 { 536 struct rfcomm_session *s; 537 struct rfcomm_dlc *dlc = NULL; 538 u8 dlci; 539 540 if (rfcomm_check_channel(channel)) 541 return ERR_PTR(-EINVAL); 542 543 rfcomm_lock(); 544 s = rfcomm_session_get(src, dst); 545 if (s) { 546 dlci = __dlci(!s->initiator, channel); 547 dlc = rfcomm_dlc_get(s, dlci); 548 } 549 rfcomm_unlock(); 550 return dlc; 551 } 552 553 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 554 { 555 int len = skb->len; 556 557 if (d->state != BT_CONNECTED) 558 return -ENOTCONN; 559 560 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 561 562 if (len > d->mtu) 563 return -EINVAL; 564 565 rfcomm_make_uih(skb, d->addr); 566 skb_queue_tail(&d->tx_queue, skb); 567 568 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 569 rfcomm_schedule(); 570 return len; 571 } 572 573 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb) 574 { 575 int len = skb->len; 576 577 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 578 579 rfcomm_make_uih(skb, d->addr); 580 skb_queue_tail(&d->tx_queue, skb); 581 582 if (d->state == BT_CONNECTED && 583 !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 584 rfcomm_schedule(); 585 } 586 587 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 588 { 589 BT_DBG("dlc %p state %ld", d, d->state); 590 591 if (!d->cfc) { 592 d->v24_sig |= RFCOMM_V24_FC; 593 set_bit(RFCOMM_MSC_PENDING, &d->flags); 594 } 595 rfcomm_schedule(); 596 } 597 598 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 599 { 600 BT_DBG("dlc %p state %ld", d, d->state); 601 602 if (!d->cfc) { 603 d->v24_sig &= ~RFCOMM_V24_FC; 604 set_bit(RFCOMM_MSC_PENDING, &d->flags); 605 } 606 rfcomm_schedule(); 607 } 608 609 /* 610 Set/get modem status functions use _local_ status i.e. what we report 611 to the other side. 612 Remote status is provided by dlc->modem_status() callback. 613 */ 614 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 615 { 616 BT_DBG("dlc %p state %ld v24_sig 0x%x", 617 d, d->state, v24_sig); 618 619 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 620 v24_sig |= RFCOMM_V24_FC; 621 else 622 v24_sig &= ~RFCOMM_V24_FC; 623 624 d->v24_sig = v24_sig; 625 626 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 627 rfcomm_schedule(); 628 629 return 0; 630 } 631 632 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 633 { 634 BT_DBG("dlc %p state %ld v24_sig 0x%x", 635 d, d->state, d->v24_sig); 636 637 *v24_sig = d->v24_sig; 638 return 0; 639 } 640 641 /* ---- RFCOMM sessions ---- */ 642 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 643 { 644 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 645 646 if (!s) 647 return NULL; 648 649 BT_DBG("session %p sock %p", s, sock); 650 651 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 652 653 INIT_LIST_HEAD(&s->dlcs); 654 s->state = state; 655 s->sock = sock; 656 657 s->mtu = RFCOMM_DEFAULT_MTU; 658 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 659 660 /* Do not increment module usage count for listening sessions. 661 * Otherwise we won't be able to unload the module. */ 662 if (state != BT_LISTEN) 663 if (!try_module_get(THIS_MODULE)) { 664 kfree(s); 665 return NULL; 666 } 667 668 list_add(&s->list, &session_list); 669 670 return s; 671 } 672 673 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s) 674 { 675 int state = s->state; 676 677 BT_DBG("session %p state %ld", s, s->state); 678 679 list_del(&s->list); 680 681 rfcomm_session_clear_timer(s); 682 sock_release(s->sock); 683 kfree(s); 684 685 if (state != BT_LISTEN) 686 module_put(THIS_MODULE); 687 688 return NULL; 689 } 690 691 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 692 { 693 struct rfcomm_session *s; 694 struct list_head *p, *n; 695 struct l2cap_chan *chan; 696 list_for_each_safe(p, n, &session_list) { 697 s = list_entry(p, struct rfcomm_session, list); 698 chan = l2cap_pi(s->sock->sk)->chan; 699 700 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) && 701 !bacmp(&chan->dst, dst)) 702 return s; 703 } 704 return NULL; 705 } 706 707 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s, 708 int err) 709 { 710 struct rfcomm_dlc *d; 711 struct list_head *p, *n; 712 713 s->state = BT_CLOSED; 714 715 BT_DBG("session %p state %ld err %d", s, s->state, err); 716 717 /* Close all dlcs */ 718 list_for_each_safe(p, n, &s->dlcs) { 719 d = list_entry(p, struct rfcomm_dlc, list); 720 d->state = BT_CLOSED; 721 __rfcomm_dlc_close(d, err); 722 } 723 724 rfcomm_session_clear_timer(s); 725 return rfcomm_session_del(s); 726 } 727 728 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 729 bdaddr_t *dst, 730 u8 sec_level, 731 int *err) 732 { 733 struct rfcomm_session *s = NULL; 734 struct sockaddr_l2 addr; 735 struct socket *sock; 736 struct sock *sk; 737 738 BT_DBG("%pMR -> %pMR", src, dst); 739 740 *err = rfcomm_l2sock_create(&sock); 741 if (*err < 0) 742 return NULL; 743 744 bacpy(&addr.l2_bdaddr, src); 745 addr.l2_family = AF_BLUETOOTH; 746 addr.l2_psm = 0; 747 addr.l2_cid = 0; 748 addr.l2_bdaddr_type = BDADDR_BREDR; 749 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 750 if (*err < 0) 751 goto failed; 752 753 /* Set L2CAP options */ 754 sk = sock->sk; 755 lock_sock(sk); 756 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 757 l2cap_pi(sk)->chan->sec_level = sec_level; 758 if (l2cap_ertm) 759 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 760 release_sock(sk); 761 762 s = rfcomm_session_add(sock, BT_BOUND); 763 if (!s) { 764 *err = -ENOMEM; 765 goto failed; 766 } 767 768 s->initiator = 1; 769 770 bacpy(&addr.l2_bdaddr, dst); 771 addr.l2_family = AF_BLUETOOTH; 772 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 773 addr.l2_cid = 0; 774 addr.l2_bdaddr_type = BDADDR_BREDR; 775 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 776 if (*err == 0 || *err == -EINPROGRESS) 777 return s; 778 779 return rfcomm_session_del(s); 780 781 failed: 782 sock_release(sock); 783 return NULL; 784 } 785 786 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 787 { 788 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 789 if (src) 790 bacpy(src, &chan->src); 791 if (dst) 792 bacpy(dst, &chan->dst); 793 } 794 795 /* ---- RFCOMM frame sending ---- */ 796 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 797 { 798 struct kvec iv = { data, len }; 799 struct msghdr msg; 800 801 BT_DBG("session %p len %d", s, len); 802 803 memset(&msg, 0, sizeof(msg)); 804 805 return kernel_sendmsg(s->sock, &msg, &iv, 1, len); 806 } 807 808 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 809 { 810 BT_DBG("%p cmd %u", s, cmd->ctrl); 811 812 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd)); 813 } 814 815 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 816 { 817 struct rfcomm_cmd cmd; 818 819 BT_DBG("%p dlci %d", s, dlci); 820 821 cmd.addr = __addr(s->initiator, dlci); 822 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 823 cmd.len = __len8(0); 824 cmd.fcs = __fcs2((u8 *) &cmd); 825 826 return rfcomm_send_cmd(s, &cmd); 827 } 828 829 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 830 { 831 struct rfcomm_cmd cmd; 832 833 BT_DBG("%p dlci %d", s, dlci); 834 835 cmd.addr = __addr(!s->initiator, dlci); 836 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 837 cmd.len = __len8(0); 838 cmd.fcs = __fcs2((u8 *) &cmd); 839 840 return rfcomm_send_cmd(s, &cmd); 841 } 842 843 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 844 { 845 struct rfcomm_cmd cmd; 846 847 BT_DBG("%p dlci %d", s, dlci); 848 849 cmd.addr = __addr(s->initiator, dlci); 850 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 851 cmd.len = __len8(0); 852 cmd.fcs = __fcs2((u8 *) &cmd); 853 854 return rfcomm_send_cmd(s, &cmd); 855 } 856 857 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 858 { 859 struct rfcomm_cmd *cmd; 860 struct sk_buff *skb; 861 862 BT_DBG("dlc %p dlci %d", d, d->dlci); 863 864 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 865 if (!skb) 866 return -ENOMEM; 867 868 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 869 cmd->addr = d->addr; 870 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 871 cmd->len = __len8(0); 872 cmd->fcs = __fcs2((u8 *) cmd); 873 874 skb_queue_tail(&d->tx_queue, skb); 875 rfcomm_schedule(); 876 return 0; 877 } 878 879 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 880 { 881 struct rfcomm_cmd cmd; 882 883 BT_DBG("%p dlci %d", s, dlci); 884 885 cmd.addr = __addr(!s->initiator, dlci); 886 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 887 cmd.len = __len8(0); 888 cmd.fcs = __fcs2((u8 *) &cmd); 889 890 return rfcomm_send_cmd(s, &cmd); 891 } 892 893 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 894 { 895 struct rfcomm_hdr *hdr; 896 struct rfcomm_mcc *mcc; 897 u8 buf[16], *ptr = buf; 898 899 BT_DBG("%p cr %d type %d", s, cr, type); 900 901 hdr = (void *) ptr; ptr += sizeof(*hdr); 902 hdr->addr = __addr(s->initiator, 0); 903 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 904 hdr->len = __len8(sizeof(*mcc) + 1); 905 906 mcc = (void *) ptr; ptr += sizeof(*mcc); 907 mcc->type = __mcc_type(cr, RFCOMM_NSC); 908 mcc->len = __len8(1); 909 910 /* Type that we didn't like */ 911 *ptr = __mcc_type(cr, type); ptr++; 912 913 *ptr = __fcs(buf); ptr++; 914 915 return rfcomm_send_frame(s, buf, ptr - buf); 916 } 917 918 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 919 { 920 struct rfcomm_hdr *hdr; 921 struct rfcomm_mcc *mcc; 922 struct rfcomm_pn *pn; 923 u8 buf[16], *ptr = buf; 924 925 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 926 927 hdr = (void *) ptr; ptr += sizeof(*hdr); 928 hdr->addr = __addr(s->initiator, 0); 929 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 930 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 931 932 mcc = (void *) ptr; ptr += sizeof(*mcc); 933 mcc->type = __mcc_type(cr, RFCOMM_PN); 934 mcc->len = __len8(sizeof(*pn)); 935 936 pn = (void *) ptr; ptr += sizeof(*pn); 937 pn->dlci = d->dlci; 938 pn->priority = d->priority; 939 pn->ack_timer = 0; 940 pn->max_retrans = 0; 941 942 if (s->cfc) { 943 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 944 pn->credits = RFCOMM_DEFAULT_CREDITS; 945 } else { 946 pn->flow_ctrl = 0; 947 pn->credits = 0; 948 } 949 950 if (cr && channel_mtu >= 0) 951 pn->mtu = cpu_to_le16(channel_mtu); 952 else 953 pn->mtu = cpu_to_le16(d->mtu); 954 955 *ptr = __fcs(buf); ptr++; 956 957 return rfcomm_send_frame(s, buf, ptr - buf); 958 } 959 960 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 961 u8 bit_rate, u8 data_bits, u8 stop_bits, 962 u8 parity, u8 flow_ctrl_settings, 963 u8 xon_char, u8 xoff_char, u16 param_mask) 964 { 965 struct rfcomm_hdr *hdr; 966 struct rfcomm_mcc *mcc; 967 struct rfcomm_rpn *rpn; 968 u8 buf[16], *ptr = buf; 969 970 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 971 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 972 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 973 flow_ctrl_settings, xon_char, xoff_char, param_mask); 974 975 hdr = (void *) ptr; ptr += sizeof(*hdr); 976 hdr->addr = __addr(s->initiator, 0); 977 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 978 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 979 980 mcc = (void *) ptr; ptr += sizeof(*mcc); 981 mcc->type = __mcc_type(cr, RFCOMM_RPN); 982 mcc->len = __len8(sizeof(*rpn)); 983 984 rpn = (void *) ptr; ptr += sizeof(*rpn); 985 rpn->dlci = __addr(1, dlci); 986 rpn->bit_rate = bit_rate; 987 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 988 rpn->flow_ctrl = flow_ctrl_settings; 989 rpn->xon_char = xon_char; 990 rpn->xoff_char = xoff_char; 991 rpn->param_mask = cpu_to_le16(param_mask); 992 993 *ptr = __fcs(buf); ptr++; 994 995 return rfcomm_send_frame(s, buf, ptr - buf); 996 } 997 998 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 999 { 1000 struct rfcomm_hdr *hdr; 1001 struct rfcomm_mcc *mcc; 1002 struct rfcomm_rls *rls; 1003 u8 buf[16], *ptr = buf; 1004 1005 BT_DBG("%p cr %d status 0x%x", s, cr, status); 1006 1007 hdr = (void *) ptr; ptr += sizeof(*hdr); 1008 hdr->addr = __addr(s->initiator, 0); 1009 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1010 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 1011 1012 mcc = (void *) ptr; ptr += sizeof(*mcc); 1013 mcc->type = __mcc_type(cr, RFCOMM_RLS); 1014 mcc->len = __len8(sizeof(*rls)); 1015 1016 rls = (void *) ptr; ptr += sizeof(*rls); 1017 rls->dlci = __addr(1, dlci); 1018 rls->status = status; 1019 1020 *ptr = __fcs(buf); ptr++; 1021 1022 return rfcomm_send_frame(s, buf, ptr - buf); 1023 } 1024 1025 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 1026 { 1027 struct rfcomm_hdr *hdr; 1028 struct rfcomm_mcc *mcc; 1029 struct rfcomm_msc *msc; 1030 u8 buf[16], *ptr = buf; 1031 1032 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 1033 1034 hdr = (void *) ptr; ptr += sizeof(*hdr); 1035 hdr->addr = __addr(s->initiator, 0); 1036 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1037 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 1038 1039 mcc = (void *) ptr; ptr += sizeof(*mcc); 1040 mcc->type = __mcc_type(cr, RFCOMM_MSC); 1041 mcc->len = __len8(sizeof(*msc)); 1042 1043 msc = (void *) ptr; ptr += sizeof(*msc); 1044 msc->dlci = __addr(1, dlci); 1045 msc->v24_sig = v24_sig | 0x01; 1046 1047 *ptr = __fcs(buf); ptr++; 1048 1049 return rfcomm_send_frame(s, buf, ptr - buf); 1050 } 1051 1052 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1053 { 1054 struct rfcomm_hdr *hdr; 1055 struct rfcomm_mcc *mcc; 1056 u8 buf[16], *ptr = buf; 1057 1058 BT_DBG("%p cr %d", s, cr); 1059 1060 hdr = (void *) ptr; ptr += sizeof(*hdr); 1061 hdr->addr = __addr(s->initiator, 0); 1062 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1063 hdr->len = __len8(sizeof(*mcc)); 1064 1065 mcc = (void *) ptr; ptr += sizeof(*mcc); 1066 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1067 mcc->len = __len8(0); 1068 1069 *ptr = __fcs(buf); ptr++; 1070 1071 return rfcomm_send_frame(s, buf, ptr - buf); 1072 } 1073 1074 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1075 { 1076 struct rfcomm_hdr *hdr; 1077 struct rfcomm_mcc *mcc; 1078 u8 buf[16], *ptr = buf; 1079 1080 BT_DBG("%p cr %d", s, cr); 1081 1082 hdr = (void *) ptr; ptr += sizeof(*hdr); 1083 hdr->addr = __addr(s->initiator, 0); 1084 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1085 hdr->len = __len8(sizeof(*mcc)); 1086 1087 mcc = (void *) ptr; ptr += sizeof(*mcc); 1088 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1089 mcc->len = __len8(0); 1090 1091 *ptr = __fcs(buf); ptr++; 1092 1093 return rfcomm_send_frame(s, buf, ptr - buf); 1094 } 1095 1096 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1097 { 1098 struct socket *sock = s->sock; 1099 struct kvec iv[3]; 1100 struct msghdr msg; 1101 unsigned char hdr[5], crc[1]; 1102 1103 if (len > 125) 1104 return -EINVAL; 1105 1106 BT_DBG("%p cr %d", s, cr); 1107 1108 hdr[0] = __addr(s->initiator, 0); 1109 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1110 hdr[2] = 0x01 | ((len + 2) << 1); 1111 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1112 hdr[4] = 0x01 | (len << 1); 1113 1114 crc[0] = __fcs(hdr); 1115 1116 iv[0].iov_base = hdr; 1117 iv[0].iov_len = 5; 1118 iv[1].iov_base = pattern; 1119 iv[1].iov_len = len; 1120 iv[2].iov_base = crc; 1121 iv[2].iov_len = 1; 1122 1123 memset(&msg, 0, sizeof(msg)); 1124 1125 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1126 } 1127 1128 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1129 { 1130 struct rfcomm_hdr *hdr; 1131 u8 buf[16], *ptr = buf; 1132 1133 BT_DBG("%p addr %d credits %d", s, addr, credits); 1134 1135 hdr = (void *) ptr; ptr += sizeof(*hdr); 1136 hdr->addr = addr; 1137 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1138 hdr->len = __len8(0); 1139 1140 *ptr = credits; ptr++; 1141 1142 *ptr = __fcs(buf); ptr++; 1143 1144 return rfcomm_send_frame(s, buf, ptr - buf); 1145 } 1146 1147 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1148 { 1149 struct rfcomm_hdr *hdr; 1150 int len = skb->len; 1151 u8 *crc; 1152 1153 if (len > 127) { 1154 hdr = (void *) skb_push(skb, 4); 1155 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1156 } else { 1157 hdr = (void *) skb_push(skb, 3); 1158 hdr->len = __len8(len); 1159 } 1160 hdr->addr = addr; 1161 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1162 1163 crc = skb_put(skb, 1); 1164 *crc = __fcs((void *) hdr); 1165 } 1166 1167 /* ---- RFCOMM frame reception ---- */ 1168 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1169 { 1170 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1171 1172 if (dlci) { 1173 /* Data channel */ 1174 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1175 if (!d) { 1176 rfcomm_send_dm(s, dlci); 1177 return s; 1178 } 1179 1180 switch (d->state) { 1181 case BT_CONNECT: 1182 rfcomm_dlc_clear_timer(d); 1183 1184 rfcomm_dlc_lock(d); 1185 d->state = BT_CONNECTED; 1186 d->state_change(d, 0); 1187 rfcomm_dlc_unlock(d); 1188 1189 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1190 break; 1191 1192 case BT_DISCONN: 1193 d->state = BT_CLOSED; 1194 __rfcomm_dlc_close(d, 0); 1195 1196 if (list_empty(&s->dlcs)) { 1197 s->state = BT_DISCONN; 1198 rfcomm_send_disc(s, 0); 1199 rfcomm_session_clear_timer(s); 1200 } 1201 1202 break; 1203 } 1204 } else { 1205 /* Control channel */ 1206 switch (s->state) { 1207 case BT_CONNECT: 1208 s->state = BT_CONNECTED; 1209 rfcomm_process_connect(s); 1210 break; 1211 1212 case BT_DISCONN: 1213 s = rfcomm_session_close(s, ECONNRESET); 1214 break; 1215 } 1216 } 1217 return s; 1218 } 1219 1220 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1221 { 1222 int err = 0; 1223 1224 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1225 1226 if (dlci) { 1227 /* Data DLC */ 1228 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1229 if (d) { 1230 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1231 err = ECONNREFUSED; 1232 else 1233 err = ECONNRESET; 1234 1235 d->state = BT_CLOSED; 1236 __rfcomm_dlc_close(d, err); 1237 } 1238 } else { 1239 if (s->state == BT_CONNECT) 1240 err = ECONNREFUSED; 1241 else 1242 err = ECONNRESET; 1243 1244 s = rfcomm_session_close(s, err); 1245 } 1246 return s; 1247 } 1248 1249 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s, 1250 u8 dlci) 1251 { 1252 int err = 0; 1253 1254 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1255 1256 if (dlci) { 1257 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1258 if (d) { 1259 rfcomm_send_ua(s, dlci); 1260 1261 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1262 err = ECONNREFUSED; 1263 else 1264 err = ECONNRESET; 1265 1266 d->state = BT_CLOSED; 1267 __rfcomm_dlc_close(d, err); 1268 } else 1269 rfcomm_send_dm(s, dlci); 1270 1271 } else { 1272 rfcomm_send_ua(s, 0); 1273 1274 if (s->state == BT_CONNECT) 1275 err = ECONNREFUSED; 1276 else 1277 err = ECONNRESET; 1278 1279 s = rfcomm_session_close(s, err); 1280 } 1281 return s; 1282 } 1283 1284 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1285 { 1286 struct sock *sk = d->session->sock->sk; 1287 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1288 1289 BT_DBG("dlc %p", d); 1290 1291 rfcomm_send_ua(d->session, d->dlci); 1292 1293 rfcomm_dlc_clear_timer(d); 1294 1295 rfcomm_dlc_lock(d); 1296 d->state = BT_CONNECTED; 1297 d->state_change(d, 0); 1298 rfcomm_dlc_unlock(d); 1299 1300 if (d->role_switch) 1301 hci_conn_switch_role(conn->hcon, 0x00); 1302 1303 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1304 } 1305 1306 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1307 { 1308 if (rfcomm_check_security(d)) { 1309 if (d->defer_setup) { 1310 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1311 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1312 1313 rfcomm_dlc_lock(d); 1314 d->state = BT_CONNECT2; 1315 d->state_change(d, 0); 1316 rfcomm_dlc_unlock(d); 1317 } else 1318 rfcomm_dlc_accept(d); 1319 } else { 1320 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1321 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1322 } 1323 } 1324 1325 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1326 { 1327 struct rfcomm_dlc *d; 1328 u8 channel; 1329 1330 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1331 1332 if (!dlci) { 1333 rfcomm_send_ua(s, 0); 1334 1335 if (s->state == BT_OPEN) { 1336 s->state = BT_CONNECTED; 1337 rfcomm_process_connect(s); 1338 } 1339 return 0; 1340 } 1341 1342 /* Check if DLC exists */ 1343 d = rfcomm_dlc_get(s, dlci); 1344 if (d) { 1345 if (d->state == BT_OPEN) { 1346 /* DLC was previously opened by PN request */ 1347 rfcomm_check_accept(d); 1348 } 1349 return 0; 1350 } 1351 1352 /* Notify socket layer about incoming connection */ 1353 channel = __srv_channel(dlci); 1354 if (rfcomm_connect_ind(s, channel, &d)) { 1355 d->dlci = dlci; 1356 d->addr = __addr(s->initiator, dlci); 1357 rfcomm_dlc_link(s, d); 1358 1359 rfcomm_check_accept(d); 1360 } else { 1361 rfcomm_send_dm(s, dlci); 1362 } 1363 1364 return 0; 1365 } 1366 1367 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1368 { 1369 struct rfcomm_session *s = d->session; 1370 1371 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1372 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1373 1374 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1375 pn->flow_ctrl == 0xe0) { 1376 d->cfc = RFCOMM_CFC_ENABLED; 1377 d->tx_credits = pn->credits; 1378 } else { 1379 d->cfc = RFCOMM_CFC_DISABLED; 1380 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1381 } 1382 1383 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1384 s->cfc = d->cfc; 1385 1386 d->priority = pn->priority; 1387 1388 d->mtu = __le16_to_cpu(pn->mtu); 1389 1390 if (cr && d->mtu > s->mtu) 1391 d->mtu = s->mtu; 1392 1393 return 0; 1394 } 1395 1396 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1397 { 1398 struct rfcomm_pn *pn = (void *) skb->data; 1399 struct rfcomm_dlc *d; 1400 u8 dlci = pn->dlci; 1401 1402 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1403 1404 if (!dlci) 1405 return 0; 1406 1407 d = rfcomm_dlc_get(s, dlci); 1408 if (d) { 1409 if (cr) { 1410 /* PN request */ 1411 rfcomm_apply_pn(d, cr, pn); 1412 rfcomm_send_pn(s, 0, d); 1413 } else { 1414 /* PN response */ 1415 switch (d->state) { 1416 case BT_CONFIG: 1417 rfcomm_apply_pn(d, cr, pn); 1418 1419 d->state = BT_CONNECT; 1420 rfcomm_send_sabm(s, d->dlci); 1421 break; 1422 } 1423 } 1424 } else { 1425 u8 channel = __srv_channel(dlci); 1426 1427 if (!cr) 1428 return 0; 1429 1430 /* PN request for non existing DLC. 1431 * Assume incoming connection. */ 1432 if (rfcomm_connect_ind(s, channel, &d)) { 1433 d->dlci = dlci; 1434 d->addr = __addr(s->initiator, dlci); 1435 rfcomm_dlc_link(s, d); 1436 1437 rfcomm_apply_pn(d, cr, pn); 1438 1439 d->state = BT_OPEN; 1440 rfcomm_send_pn(s, 0, d); 1441 } else { 1442 rfcomm_send_dm(s, dlci); 1443 } 1444 } 1445 return 0; 1446 } 1447 1448 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1449 { 1450 struct rfcomm_rpn *rpn = (void *) skb->data; 1451 u8 dlci = __get_dlci(rpn->dlci); 1452 1453 u8 bit_rate = 0; 1454 u8 data_bits = 0; 1455 u8 stop_bits = 0; 1456 u8 parity = 0; 1457 u8 flow_ctrl = 0; 1458 u8 xon_char = 0; 1459 u8 xoff_char = 0; 1460 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1461 1462 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1463 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1464 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1465 1466 if (!cr) 1467 return 0; 1468 1469 if (len == 1) { 1470 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1471 bit_rate = RFCOMM_RPN_BR_9600; 1472 data_bits = RFCOMM_RPN_DATA_8; 1473 stop_bits = RFCOMM_RPN_STOP_1; 1474 parity = RFCOMM_RPN_PARITY_NONE; 1475 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1476 xon_char = RFCOMM_RPN_XON_CHAR; 1477 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1478 goto rpn_out; 1479 } 1480 1481 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1482 * no parity, no flow control lines, normal XON/XOFF chars */ 1483 1484 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1485 bit_rate = rpn->bit_rate; 1486 if (bit_rate > RFCOMM_RPN_BR_230400) { 1487 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1488 bit_rate = RFCOMM_RPN_BR_9600; 1489 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1490 } 1491 } 1492 1493 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1494 data_bits = __get_rpn_data_bits(rpn->line_settings); 1495 if (data_bits != RFCOMM_RPN_DATA_8) { 1496 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1497 data_bits = RFCOMM_RPN_DATA_8; 1498 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1499 } 1500 } 1501 1502 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1503 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1504 if (stop_bits != RFCOMM_RPN_STOP_1) { 1505 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1506 stop_bits = RFCOMM_RPN_STOP_1; 1507 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1508 } 1509 } 1510 1511 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1512 parity = __get_rpn_parity(rpn->line_settings); 1513 if (parity != RFCOMM_RPN_PARITY_NONE) { 1514 BT_DBG("RPN parity mismatch 0x%x", parity); 1515 parity = RFCOMM_RPN_PARITY_NONE; 1516 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1517 } 1518 } 1519 1520 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1521 flow_ctrl = rpn->flow_ctrl; 1522 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1523 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1524 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1525 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1526 } 1527 } 1528 1529 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1530 xon_char = rpn->xon_char; 1531 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1532 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1533 xon_char = RFCOMM_RPN_XON_CHAR; 1534 rpn_mask ^= RFCOMM_RPN_PM_XON; 1535 } 1536 } 1537 1538 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1539 xoff_char = rpn->xoff_char; 1540 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1541 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1542 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1543 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1544 } 1545 } 1546 1547 rpn_out: 1548 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1549 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1550 1551 return 0; 1552 } 1553 1554 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1555 { 1556 struct rfcomm_rls *rls = (void *) skb->data; 1557 u8 dlci = __get_dlci(rls->dlci); 1558 1559 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1560 1561 if (!cr) 1562 return 0; 1563 1564 /* We should probably do something with this information here. But 1565 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1566 * mandatory to recognise and respond to RLS */ 1567 1568 rfcomm_send_rls(s, 0, dlci, rls->status); 1569 1570 return 0; 1571 } 1572 1573 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1574 { 1575 struct rfcomm_msc *msc = (void *) skb->data; 1576 struct rfcomm_dlc *d; 1577 u8 dlci = __get_dlci(msc->dlci); 1578 1579 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1580 1581 d = rfcomm_dlc_get(s, dlci); 1582 if (!d) 1583 return 0; 1584 1585 if (cr) { 1586 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1587 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1588 else 1589 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1590 1591 rfcomm_dlc_lock(d); 1592 1593 d->remote_v24_sig = msc->v24_sig; 1594 1595 if (d->modem_status) 1596 d->modem_status(d, msc->v24_sig); 1597 1598 rfcomm_dlc_unlock(d); 1599 1600 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1601 1602 d->mscex |= RFCOMM_MSCEX_RX; 1603 } else 1604 d->mscex |= RFCOMM_MSCEX_TX; 1605 1606 return 0; 1607 } 1608 1609 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1610 { 1611 struct rfcomm_mcc *mcc = (void *) skb->data; 1612 u8 type, cr, len; 1613 1614 cr = __test_cr(mcc->type); 1615 type = __get_mcc_type(mcc->type); 1616 len = __get_mcc_len(mcc->len); 1617 1618 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1619 1620 skb_pull(skb, 2); 1621 1622 switch (type) { 1623 case RFCOMM_PN: 1624 rfcomm_recv_pn(s, cr, skb); 1625 break; 1626 1627 case RFCOMM_RPN: 1628 rfcomm_recv_rpn(s, cr, len, skb); 1629 break; 1630 1631 case RFCOMM_RLS: 1632 rfcomm_recv_rls(s, cr, skb); 1633 break; 1634 1635 case RFCOMM_MSC: 1636 rfcomm_recv_msc(s, cr, skb); 1637 break; 1638 1639 case RFCOMM_FCOFF: 1640 if (cr) { 1641 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1642 rfcomm_send_fcoff(s, 0); 1643 } 1644 break; 1645 1646 case RFCOMM_FCON: 1647 if (cr) { 1648 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1649 rfcomm_send_fcon(s, 0); 1650 } 1651 break; 1652 1653 case RFCOMM_TEST: 1654 if (cr) 1655 rfcomm_send_test(s, 0, skb->data, skb->len); 1656 break; 1657 1658 case RFCOMM_NSC: 1659 break; 1660 1661 default: 1662 BT_ERR("Unknown control type 0x%02x", type); 1663 rfcomm_send_nsc(s, cr, type); 1664 break; 1665 } 1666 return 0; 1667 } 1668 1669 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1670 { 1671 struct rfcomm_dlc *d; 1672 1673 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1674 1675 d = rfcomm_dlc_get(s, dlci); 1676 if (!d) { 1677 rfcomm_send_dm(s, dlci); 1678 goto drop; 1679 } 1680 1681 if (pf && d->cfc) { 1682 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1683 1684 d->tx_credits += credits; 1685 if (d->tx_credits) 1686 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1687 } 1688 1689 if (skb->len && d->state == BT_CONNECTED) { 1690 rfcomm_dlc_lock(d); 1691 d->rx_credits--; 1692 d->data_ready(d, skb); 1693 rfcomm_dlc_unlock(d); 1694 return 0; 1695 } 1696 1697 drop: 1698 kfree_skb(skb); 1699 return 0; 1700 } 1701 1702 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, 1703 struct sk_buff *skb) 1704 { 1705 struct rfcomm_hdr *hdr = (void *) skb->data; 1706 u8 type, dlci, fcs; 1707 1708 if (!s) { 1709 /* no session, so free socket data */ 1710 kfree_skb(skb); 1711 return s; 1712 } 1713 1714 dlci = __get_dlci(hdr->addr); 1715 type = __get_type(hdr->ctrl); 1716 1717 /* Trim FCS */ 1718 skb->len--; skb->tail--; 1719 fcs = *(u8 *)skb_tail_pointer(skb); 1720 1721 if (__check_fcs(skb->data, type, fcs)) { 1722 BT_ERR("bad checksum in packet"); 1723 kfree_skb(skb); 1724 return s; 1725 } 1726 1727 if (__test_ea(hdr->len)) 1728 skb_pull(skb, 3); 1729 else 1730 skb_pull(skb, 4); 1731 1732 switch (type) { 1733 case RFCOMM_SABM: 1734 if (__test_pf(hdr->ctrl)) 1735 rfcomm_recv_sabm(s, dlci); 1736 break; 1737 1738 case RFCOMM_DISC: 1739 if (__test_pf(hdr->ctrl)) 1740 s = rfcomm_recv_disc(s, dlci); 1741 break; 1742 1743 case RFCOMM_UA: 1744 if (__test_pf(hdr->ctrl)) 1745 s = rfcomm_recv_ua(s, dlci); 1746 break; 1747 1748 case RFCOMM_DM: 1749 s = rfcomm_recv_dm(s, dlci); 1750 break; 1751 1752 case RFCOMM_UIH: 1753 if (dlci) { 1754 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1755 return s; 1756 } 1757 rfcomm_recv_mcc(s, skb); 1758 break; 1759 1760 default: 1761 BT_ERR("Unknown packet type 0x%02x", type); 1762 break; 1763 } 1764 kfree_skb(skb); 1765 return s; 1766 } 1767 1768 /* ---- Connection and data processing ---- */ 1769 1770 static void rfcomm_process_connect(struct rfcomm_session *s) 1771 { 1772 struct rfcomm_dlc *d; 1773 struct list_head *p, *n; 1774 1775 BT_DBG("session %p state %ld", s, s->state); 1776 1777 list_for_each_safe(p, n, &s->dlcs) { 1778 d = list_entry(p, struct rfcomm_dlc, list); 1779 if (d->state == BT_CONFIG) { 1780 d->mtu = s->mtu; 1781 if (rfcomm_check_security(d)) { 1782 rfcomm_send_pn(s, 1, d); 1783 } else { 1784 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1785 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1786 } 1787 } 1788 } 1789 } 1790 1791 /* Send data queued for the DLC. 1792 * Return number of frames left in the queue. 1793 */ 1794 static int rfcomm_process_tx(struct rfcomm_dlc *d) 1795 { 1796 struct sk_buff *skb; 1797 int err; 1798 1799 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1800 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1801 1802 /* Send pending MSC */ 1803 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1804 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1805 1806 if (d->cfc) { 1807 /* CFC enabled. 1808 * Give them some credits */ 1809 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1810 d->rx_credits <= (d->cfc >> 2)) { 1811 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1812 d->rx_credits = d->cfc; 1813 } 1814 } else { 1815 /* CFC disabled. 1816 * Give ourselves some credits */ 1817 d->tx_credits = 5; 1818 } 1819 1820 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1821 return skb_queue_len(&d->tx_queue); 1822 1823 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1824 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1825 if (err < 0) { 1826 skb_queue_head(&d->tx_queue, skb); 1827 break; 1828 } 1829 kfree_skb(skb); 1830 d->tx_credits--; 1831 } 1832 1833 if (d->cfc && !d->tx_credits) { 1834 /* We're out of TX credits. 1835 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1836 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1837 } 1838 1839 return skb_queue_len(&d->tx_queue); 1840 } 1841 1842 static void rfcomm_process_dlcs(struct rfcomm_session *s) 1843 { 1844 struct rfcomm_dlc *d; 1845 struct list_head *p, *n; 1846 1847 BT_DBG("session %p state %ld", s, s->state); 1848 1849 list_for_each_safe(p, n, &s->dlcs) { 1850 d = list_entry(p, struct rfcomm_dlc, list); 1851 1852 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1853 __rfcomm_dlc_close(d, ETIMEDOUT); 1854 continue; 1855 } 1856 1857 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1858 __rfcomm_dlc_close(d, ECONNREFUSED); 1859 continue; 1860 } 1861 1862 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1863 rfcomm_dlc_clear_timer(d); 1864 if (d->out) { 1865 rfcomm_send_pn(s, 1, d); 1866 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1867 } else { 1868 if (d->defer_setup) { 1869 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1870 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1871 1872 rfcomm_dlc_lock(d); 1873 d->state = BT_CONNECT2; 1874 d->state_change(d, 0); 1875 rfcomm_dlc_unlock(d); 1876 } else 1877 rfcomm_dlc_accept(d); 1878 } 1879 continue; 1880 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1881 rfcomm_dlc_clear_timer(d); 1882 if (!d->out) 1883 rfcomm_send_dm(s, d->dlci); 1884 else 1885 d->state = BT_CLOSED; 1886 __rfcomm_dlc_close(d, ECONNREFUSED); 1887 continue; 1888 } 1889 1890 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1891 continue; 1892 1893 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1894 continue; 1895 1896 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1897 d->mscex == RFCOMM_MSCEX_OK) 1898 rfcomm_process_tx(d); 1899 } 1900 } 1901 1902 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) 1903 { 1904 struct socket *sock = s->sock; 1905 struct sock *sk = sock->sk; 1906 struct sk_buff *skb; 1907 1908 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1909 1910 /* Get data directly from socket receive queue without copying it. */ 1911 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1912 skb_orphan(skb); 1913 if (!skb_linearize(skb)) { 1914 s = rfcomm_recv_frame(s, skb); 1915 if (!s) 1916 break; 1917 } else { 1918 kfree_skb(skb); 1919 } 1920 } 1921 1922 if (s && (sk->sk_state == BT_CLOSED)) 1923 s = rfcomm_session_close(s, sk->sk_err); 1924 1925 return s; 1926 } 1927 1928 static void rfcomm_accept_connection(struct rfcomm_session *s) 1929 { 1930 struct socket *sock = s->sock, *nsock; 1931 int err; 1932 1933 /* Fast check for a new connection. 1934 * Avoids unnesesary socket allocations. */ 1935 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1936 return; 1937 1938 BT_DBG("session %p", s); 1939 1940 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1941 if (err < 0) 1942 return; 1943 1944 /* Set our callbacks */ 1945 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1946 nsock->sk->sk_state_change = rfcomm_l2state_change; 1947 1948 s = rfcomm_session_add(nsock, BT_OPEN); 1949 if (s) { 1950 /* We should adjust MTU on incoming sessions. 1951 * L2CAP MTU minus UIH header and FCS. */ 1952 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1953 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1954 1955 rfcomm_schedule(); 1956 } else 1957 sock_release(nsock); 1958 } 1959 1960 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s) 1961 { 1962 struct sock *sk = s->sock->sk; 1963 1964 BT_DBG("%p state %ld", s, s->state); 1965 1966 switch (sk->sk_state) { 1967 case BT_CONNECTED: 1968 s->state = BT_CONNECT; 1969 1970 /* We can adjust MTU on outgoing sessions. 1971 * L2CAP MTU minus UIH header and FCS. */ 1972 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1973 1974 rfcomm_send_sabm(s, 0); 1975 break; 1976 1977 case BT_CLOSED: 1978 s = rfcomm_session_close(s, sk->sk_err); 1979 break; 1980 } 1981 return s; 1982 } 1983 1984 static void rfcomm_process_sessions(void) 1985 { 1986 struct list_head *p, *n; 1987 1988 rfcomm_lock(); 1989 1990 list_for_each_safe(p, n, &session_list) { 1991 struct rfcomm_session *s; 1992 s = list_entry(p, struct rfcomm_session, list); 1993 1994 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1995 s->state = BT_DISCONN; 1996 rfcomm_send_disc(s, 0); 1997 continue; 1998 } 1999 2000 switch (s->state) { 2001 case BT_LISTEN: 2002 rfcomm_accept_connection(s); 2003 continue; 2004 2005 case BT_BOUND: 2006 s = rfcomm_check_connection(s); 2007 break; 2008 2009 default: 2010 s = rfcomm_process_rx(s); 2011 break; 2012 } 2013 2014 if (s) 2015 rfcomm_process_dlcs(s); 2016 } 2017 2018 rfcomm_unlock(); 2019 } 2020 2021 static int rfcomm_add_listener(bdaddr_t *ba) 2022 { 2023 struct sockaddr_l2 addr; 2024 struct socket *sock; 2025 struct sock *sk; 2026 struct rfcomm_session *s; 2027 int err = 0; 2028 2029 /* Create socket */ 2030 err = rfcomm_l2sock_create(&sock); 2031 if (err < 0) { 2032 BT_ERR("Create socket failed %d", err); 2033 return err; 2034 } 2035 2036 /* Bind socket */ 2037 bacpy(&addr.l2_bdaddr, ba); 2038 addr.l2_family = AF_BLUETOOTH; 2039 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 2040 addr.l2_cid = 0; 2041 addr.l2_bdaddr_type = BDADDR_BREDR; 2042 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 2043 if (err < 0) { 2044 BT_ERR("Bind failed %d", err); 2045 goto failed; 2046 } 2047 2048 /* Set L2CAP options */ 2049 sk = sock->sk; 2050 lock_sock(sk); 2051 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 2052 release_sock(sk); 2053 2054 /* Start listening on the socket */ 2055 err = kernel_listen(sock, 10); 2056 if (err) { 2057 BT_ERR("Listen failed %d", err); 2058 goto failed; 2059 } 2060 2061 /* Add listening session */ 2062 s = rfcomm_session_add(sock, BT_LISTEN); 2063 if (!s) { 2064 err = -ENOMEM; 2065 goto failed; 2066 } 2067 2068 return 0; 2069 failed: 2070 sock_release(sock); 2071 return err; 2072 } 2073 2074 static void rfcomm_kill_listener(void) 2075 { 2076 struct rfcomm_session *s; 2077 struct list_head *p, *n; 2078 2079 BT_DBG(""); 2080 2081 list_for_each_safe(p, n, &session_list) { 2082 s = list_entry(p, struct rfcomm_session, list); 2083 rfcomm_session_del(s); 2084 } 2085 } 2086 2087 static int rfcomm_run(void *unused) 2088 { 2089 BT_DBG(""); 2090 2091 set_user_nice(current, -10); 2092 2093 rfcomm_add_listener(BDADDR_ANY); 2094 2095 while (1) { 2096 set_current_state(TASK_INTERRUPTIBLE); 2097 2098 if (kthread_should_stop()) 2099 break; 2100 2101 /* Process stuff */ 2102 rfcomm_process_sessions(); 2103 2104 schedule(); 2105 } 2106 __set_current_state(TASK_RUNNING); 2107 2108 rfcomm_kill_listener(); 2109 2110 return 0; 2111 } 2112 2113 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2114 { 2115 struct rfcomm_session *s; 2116 struct rfcomm_dlc *d; 2117 struct list_head *p, *n; 2118 2119 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2120 2121 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2122 if (!s) 2123 return; 2124 2125 list_for_each_safe(p, n, &s->dlcs) { 2126 d = list_entry(p, struct rfcomm_dlc, list); 2127 2128 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2129 rfcomm_dlc_clear_timer(d); 2130 if (status || encrypt == 0x00) { 2131 set_bit(RFCOMM_ENC_DROP, &d->flags); 2132 continue; 2133 } 2134 } 2135 2136 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2137 if (d->sec_level == BT_SECURITY_MEDIUM) { 2138 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2139 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2140 continue; 2141 } else if (d->sec_level == BT_SECURITY_HIGH || 2142 d->sec_level == BT_SECURITY_FIPS) { 2143 set_bit(RFCOMM_ENC_DROP, &d->flags); 2144 continue; 2145 } 2146 } 2147 2148 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2149 continue; 2150 2151 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2152 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2153 else 2154 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2155 } 2156 2157 rfcomm_schedule(); 2158 } 2159 2160 static struct hci_cb rfcomm_cb = { 2161 .name = "RFCOMM", 2162 .security_cfm = rfcomm_security_cfm 2163 }; 2164 2165 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2166 { 2167 struct rfcomm_session *s; 2168 2169 rfcomm_lock(); 2170 2171 list_for_each_entry(s, &session_list, list) { 2172 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 2173 struct rfcomm_dlc *d; 2174 list_for_each_entry(d, &s->dlcs, list) { 2175 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n", 2176 &chan->src, &chan->dst, 2177 d->state, d->dlci, d->mtu, 2178 d->rx_credits, d->tx_credits); 2179 } 2180 } 2181 2182 rfcomm_unlock(); 2183 2184 return 0; 2185 } 2186 2187 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2188 { 2189 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2190 } 2191 2192 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2193 .open = rfcomm_dlc_debugfs_open, 2194 .read = seq_read, 2195 .llseek = seq_lseek, 2196 .release = single_release, 2197 }; 2198 2199 static struct dentry *rfcomm_dlc_debugfs; 2200 2201 /* ---- Initialization ---- */ 2202 static int __init rfcomm_init(void) 2203 { 2204 int err; 2205 2206 hci_register_cb(&rfcomm_cb); 2207 2208 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2209 if (IS_ERR(rfcomm_thread)) { 2210 err = PTR_ERR(rfcomm_thread); 2211 goto unregister; 2212 } 2213 2214 err = rfcomm_init_ttys(); 2215 if (err < 0) 2216 goto stop; 2217 2218 err = rfcomm_init_sockets(); 2219 if (err < 0) 2220 goto cleanup; 2221 2222 BT_INFO("RFCOMM ver %s", VERSION); 2223 2224 if (IS_ERR_OR_NULL(bt_debugfs)) 2225 return 0; 2226 2227 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2228 bt_debugfs, NULL, 2229 &rfcomm_dlc_debugfs_fops); 2230 2231 return 0; 2232 2233 cleanup: 2234 rfcomm_cleanup_ttys(); 2235 2236 stop: 2237 kthread_stop(rfcomm_thread); 2238 2239 unregister: 2240 hci_unregister_cb(&rfcomm_cb); 2241 2242 return err; 2243 } 2244 2245 static void __exit rfcomm_exit(void) 2246 { 2247 debugfs_remove(rfcomm_dlc_debugfs); 2248 2249 hci_unregister_cb(&rfcomm_cb); 2250 2251 kthread_stop(rfcomm_thread); 2252 2253 rfcomm_cleanup_ttys(); 2254 2255 rfcomm_cleanup_sockets(); 2256 } 2257 2258 module_init(rfcomm_init); 2259 module_exit(rfcomm_exit); 2260 2261 module_param(disable_cfc, bool, 0644); 2262 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2263 2264 module_param(channel_mtu, int, 0644); 2265 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2266 2267 module_param(l2cap_mtu, uint, 0644); 2268 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2269 2270 module_param(l2cap_ertm, bool, 0644); 2271 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2272 2273 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2274 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2275 MODULE_VERSION(VERSION); 2276 MODULE_LICENSE("GPL"); 2277 MODULE_ALIAS("bt-proto-3"); 2278