xref: /openbmc/linux/net/bluetooth/rfcomm/core.c (revision 31b90347)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * Bluetooth RFCOMM core.
26  */
27 
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define VERSION "1.11"
39 
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44 
45 static struct task_struct *rfcomm_thread;
46 
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)
50 
51 
52 static LIST_HEAD(session_list);
53 
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64 
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66 
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 							bdaddr_t *dst,
69 							u8 sec_level,
70 							int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73 
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
76 #define __get_channel(b)  ((b & 0xf8) >> 3)
77 #define __get_dir(b)      ((b & 0x04) >> 2)
78 #define __get_type(b)     ((b & 0xef))
79 
80 #define __test_ea(b)      ((b & 0x01))
81 #define __test_cr(b)      ((b & 0x02))
82 #define __test_pf(b)      ((b & 0x10))
83 
84 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
86 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
87 #define __srv_channel(dlci)    (dlci >> 1)
88 #define __dir(dlci)            (dlci & 0x01)
89 
90 #define __len8(len)       (((len) << 1) | 1)
91 #define __len16(len)      ((len) << 1)
92 
93 /* MCC macros */
94 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
96 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
97 
98 /* RPN macros */
99 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
103 
104 static void rfcomm_schedule(void)
105 {
106 	if (!rfcomm_thread)
107 		return;
108 	wake_up_process(rfcomm_thread);
109 }
110 
111 /* ---- RFCOMM FCS computation ---- */
112 
113 /* reversed, 8-bit, poly=0x07 */
114 static unsigned char rfcomm_crc_table[256] = {
115 	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
116 	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
117 	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
118 	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119 
120 	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
121 	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
122 	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
123 	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124 
125 	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
126 	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
127 	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
128 	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129 
130 	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
131 	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
132 	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
133 	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134 
135 	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
136 	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
137 	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
138 	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139 
140 	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
141 	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
142 	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
143 	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144 
145 	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
146 	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
147 	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
148 	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149 
150 	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
151 	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
152 	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
153 	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
154 };
155 
156 /* CRC on 2 bytes */
157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
158 
159 /* FCS on 2 bytes */
160 static inline u8 __fcs(u8 *data)
161 {
162 	return 0xff - __crc(data);
163 }
164 
165 /* FCS on 3 bytes */
166 static inline u8 __fcs2(u8 *data)
167 {
168 	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
169 }
170 
171 /* Check FCS */
172 static inline int __check_fcs(u8 *data, int type, u8 fcs)
173 {
174 	u8 f = __crc(data);
175 
176 	if (type != RFCOMM_UIH)
177 		f = rfcomm_crc_table[f ^ data[2]];
178 
179 	return rfcomm_crc_table[f ^ fcs] != 0xcf;
180 }
181 
182 /* ---- L2CAP callbacks ---- */
183 static void rfcomm_l2state_change(struct sock *sk)
184 {
185 	BT_DBG("%p state %d", sk, sk->sk_state);
186 	rfcomm_schedule();
187 }
188 
189 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
190 {
191 	BT_DBG("%p bytes %d", sk, bytes);
192 	rfcomm_schedule();
193 }
194 
195 static int rfcomm_l2sock_create(struct socket **sock)
196 {
197 	int err;
198 
199 	BT_DBG("");
200 
201 	err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
202 	if (!err) {
203 		struct sock *sk = (*sock)->sk;
204 		sk->sk_data_ready   = rfcomm_l2data_ready;
205 		sk->sk_state_change = rfcomm_l2state_change;
206 	}
207 	return err;
208 }
209 
210 static int rfcomm_check_security(struct rfcomm_dlc *d)
211 {
212 	struct sock *sk = d->session->sock->sk;
213 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
214 
215 	__u8 auth_type;
216 
217 	switch (d->sec_level) {
218 	case BT_SECURITY_HIGH:
219 		auth_type = HCI_AT_GENERAL_BONDING_MITM;
220 		break;
221 	case BT_SECURITY_MEDIUM:
222 		auth_type = HCI_AT_GENERAL_BONDING;
223 		break;
224 	default:
225 		auth_type = HCI_AT_NO_BONDING;
226 		break;
227 	}
228 
229 	return hci_conn_security(conn->hcon, d->sec_level, auth_type);
230 }
231 
232 static void rfcomm_session_timeout(unsigned long arg)
233 {
234 	struct rfcomm_session *s = (void *) arg;
235 
236 	BT_DBG("session %p state %ld", s, s->state);
237 
238 	set_bit(RFCOMM_TIMED_OUT, &s->flags);
239 	rfcomm_schedule();
240 }
241 
242 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
243 {
244 	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
245 
246 	mod_timer(&s->timer, jiffies + timeout);
247 }
248 
249 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
250 {
251 	BT_DBG("session %p state %ld", s, s->state);
252 
253 	del_timer_sync(&s->timer);
254 }
255 
256 /* ---- RFCOMM DLCs ---- */
257 static void rfcomm_dlc_timeout(unsigned long arg)
258 {
259 	struct rfcomm_dlc *d = (void *) arg;
260 
261 	BT_DBG("dlc %p state %ld", d, d->state);
262 
263 	set_bit(RFCOMM_TIMED_OUT, &d->flags);
264 	rfcomm_dlc_put(d);
265 	rfcomm_schedule();
266 }
267 
268 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
269 {
270 	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
271 
272 	if (!mod_timer(&d->timer, jiffies + timeout))
273 		rfcomm_dlc_hold(d);
274 }
275 
276 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
277 {
278 	BT_DBG("dlc %p state %ld", d, d->state);
279 
280 	if (del_timer(&d->timer))
281 		rfcomm_dlc_put(d);
282 }
283 
284 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
285 {
286 	BT_DBG("%p", d);
287 
288 	d->state      = BT_OPEN;
289 	d->flags      = 0;
290 	d->mscex      = 0;
291 	d->sec_level  = BT_SECURITY_LOW;
292 	d->mtu        = RFCOMM_DEFAULT_MTU;
293 	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
294 
295 	d->cfc        = RFCOMM_CFC_DISABLED;
296 	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
297 }
298 
299 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
300 {
301 	struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
302 
303 	if (!d)
304 		return NULL;
305 
306 	setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
307 
308 	skb_queue_head_init(&d->tx_queue);
309 	spin_lock_init(&d->lock);
310 	atomic_set(&d->refcnt, 1);
311 
312 	rfcomm_dlc_clear_state(d);
313 
314 	BT_DBG("%p", d);
315 
316 	return d;
317 }
318 
319 void rfcomm_dlc_free(struct rfcomm_dlc *d)
320 {
321 	BT_DBG("%p", d);
322 
323 	skb_queue_purge(&d->tx_queue);
324 	kfree(d);
325 }
326 
327 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
328 {
329 	BT_DBG("dlc %p session %p", d, s);
330 
331 	rfcomm_session_clear_timer(s);
332 	rfcomm_dlc_hold(d);
333 	list_add(&d->list, &s->dlcs);
334 	d->session = s;
335 }
336 
337 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
338 {
339 	struct rfcomm_session *s = d->session;
340 
341 	BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
342 
343 	list_del(&d->list);
344 	d->session = NULL;
345 	rfcomm_dlc_put(d);
346 
347 	if (list_empty(&s->dlcs))
348 		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
349 }
350 
351 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
352 {
353 	struct rfcomm_dlc *d;
354 
355 	list_for_each_entry(d, &s->dlcs, list)
356 		if (d->dlci == dlci)
357 			return d;
358 
359 	return NULL;
360 }
361 
362 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
363 {
364 	struct rfcomm_session *s;
365 	int err = 0;
366 	u8 dlci;
367 
368 	BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
369 	       d, d->state, src, dst, channel);
370 
371 	if (channel < 1 || channel > 30)
372 		return -EINVAL;
373 
374 	if (d->state != BT_OPEN && d->state != BT_CLOSED)
375 		return 0;
376 
377 	s = rfcomm_session_get(src, dst);
378 	if (!s) {
379 		s = rfcomm_session_create(src, dst, d->sec_level, &err);
380 		if (!s)
381 			return err;
382 	}
383 
384 	dlci = __dlci(!s->initiator, channel);
385 
386 	/* Check if DLCI already exists */
387 	if (rfcomm_dlc_get(s, dlci))
388 		return -EBUSY;
389 
390 	rfcomm_dlc_clear_state(d);
391 
392 	d->dlci     = dlci;
393 	d->addr     = __addr(s->initiator, dlci);
394 	d->priority = 7;
395 
396 	d->state = BT_CONFIG;
397 	rfcomm_dlc_link(s, d);
398 
399 	d->out = 1;
400 
401 	d->mtu = s->mtu;
402 	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
403 
404 	if (s->state == BT_CONNECTED) {
405 		if (rfcomm_check_security(d))
406 			rfcomm_send_pn(s, 1, d);
407 		else
408 			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
409 	}
410 
411 	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
412 
413 	return 0;
414 }
415 
416 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
417 {
418 	int r;
419 
420 	rfcomm_lock();
421 
422 	r = __rfcomm_dlc_open(d, src, dst, channel);
423 
424 	rfcomm_unlock();
425 	return r;
426 }
427 
428 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
429 {
430 	struct rfcomm_session *s = d->session;
431 	if (!s)
432 		return 0;
433 
434 	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
435 			d, d->state, d->dlci, err, s);
436 
437 	switch (d->state) {
438 	case BT_CONNECT:
439 	case BT_CONFIG:
440 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
441 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
442 			rfcomm_schedule();
443 			break;
444 		}
445 		/* Fall through */
446 
447 	case BT_CONNECTED:
448 		d->state = BT_DISCONN;
449 		if (skb_queue_empty(&d->tx_queue)) {
450 			rfcomm_send_disc(s, d->dlci);
451 			rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
452 		} else {
453 			rfcomm_queue_disc(d);
454 			rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
455 		}
456 		break;
457 
458 	case BT_OPEN:
459 	case BT_CONNECT2:
460 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
461 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
462 			rfcomm_schedule();
463 			break;
464 		}
465 		/* Fall through */
466 
467 	default:
468 		rfcomm_dlc_clear_timer(d);
469 
470 		rfcomm_dlc_lock(d);
471 		d->state = BT_CLOSED;
472 		d->state_change(d, err);
473 		rfcomm_dlc_unlock(d);
474 
475 		skb_queue_purge(&d->tx_queue);
476 		rfcomm_dlc_unlink(d);
477 	}
478 
479 	return 0;
480 }
481 
482 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
483 {
484 	int r = 0;
485 	struct rfcomm_dlc *d_list;
486 	struct rfcomm_session *s, *s_list;
487 
488 	BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
489 
490 	rfcomm_lock();
491 
492 	s = d->session;
493 	if (!s)
494 		goto no_session;
495 
496 	/* after waiting on the mutex check the session still exists
497 	 * then check the dlc still exists
498 	 */
499 	list_for_each_entry(s_list, &session_list, list) {
500 		if (s_list == s) {
501 			list_for_each_entry(d_list, &s->dlcs, list) {
502 				if (d_list == d) {
503 					r = __rfcomm_dlc_close(d, err);
504 					break;
505 				}
506 			}
507 			break;
508 		}
509 	}
510 
511 no_session:
512 	rfcomm_unlock();
513 	return r;
514 }
515 
516 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
517 {
518 	int len = skb->len;
519 
520 	if (d->state != BT_CONNECTED)
521 		return -ENOTCONN;
522 
523 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
524 
525 	if (len > d->mtu)
526 		return -EINVAL;
527 
528 	rfcomm_make_uih(skb, d->addr);
529 	skb_queue_tail(&d->tx_queue, skb);
530 
531 	if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
532 		rfcomm_schedule();
533 	return len;
534 }
535 
536 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
537 {
538 	BT_DBG("dlc %p state %ld", d, d->state);
539 
540 	if (!d->cfc) {
541 		d->v24_sig |= RFCOMM_V24_FC;
542 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
543 	}
544 	rfcomm_schedule();
545 }
546 
547 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
548 {
549 	BT_DBG("dlc %p state %ld", d, d->state);
550 
551 	if (!d->cfc) {
552 		d->v24_sig &= ~RFCOMM_V24_FC;
553 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
554 	}
555 	rfcomm_schedule();
556 }
557 
558 /*
559    Set/get modem status functions use _local_ status i.e. what we report
560    to the other side.
561    Remote status is provided by dlc->modem_status() callback.
562  */
563 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
564 {
565 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
566 			d, d->state, v24_sig);
567 
568 	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
569 		v24_sig |= RFCOMM_V24_FC;
570 	else
571 		v24_sig &= ~RFCOMM_V24_FC;
572 
573 	d->v24_sig = v24_sig;
574 
575 	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
576 		rfcomm_schedule();
577 
578 	return 0;
579 }
580 
581 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
582 {
583 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
584 			d, d->state, d->v24_sig);
585 
586 	*v24_sig = d->v24_sig;
587 	return 0;
588 }
589 
590 /* ---- RFCOMM sessions ---- */
591 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
592 {
593 	struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
594 
595 	if (!s)
596 		return NULL;
597 
598 	BT_DBG("session %p sock %p", s, sock);
599 
600 	setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
601 
602 	INIT_LIST_HEAD(&s->dlcs);
603 	s->state = state;
604 	s->sock  = sock;
605 
606 	s->mtu = RFCOMM_DEFAULT_MTU;
607 	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
608 
609 	/* Do not increment module usage count for listening sessions.
610 	 * Otherwise we won't be able to unload the module. */
611 	if (state != BT_LISTEN)
612 		if (!try_module_get(THIS_MODULE)) {
613 			kfree(s);
614 			return NULL;
615 		}
616 
617 	list_add(&s->list, &session_list);
618 
619 	return s;
620 }
621 
622 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
623 {
624 	int state = s->state;
625 
626 	BT_DBG("session %p state %ld", s, s->state);
627 
628 	list_del(&s->list);
629 
630 	rfcomm_session_clear_timer(s);
631 	sock_release(s->sock);
632 	kfree(s);
633 
634 	if (state != BT_LISTEN)
635 		module_put(THIS_MODULE);
636 
637 	return NULL;
638 }
639 
640 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
641 {
642 	struct rfcomm_session *s;
643 	struct list_head *p, *n;
644 	struct l2cap_chan *chan;
645 	list_for_each_safe(p, n, &session_list) {
646 		s = list_entry(p, struct rfcomm_session, list);
647 		chan = l2cap_pi(s->sock->sk)->chan;
648 
649 		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
650 		    !bacmp(&chan->dst, dst))
651 			return s;
652 	}
653 	return NULL;
654 }
655 
656 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
657 						   int err)
658 {
659 	struct rfcomm_dlc *d;
660 	struct list_head *p, *n;
661 
662 	s->state = BT_CLOSED;
663 
664 	BT_DBG("session %p state %ld err %d", s, s->state, err);
665 
666 	/* Close all dlcs */
667 	list_for_each_safe(p, n, &s->dlcs) {
668 		d = list_entry(p, struct rfcomm_dlc, list);
669 		d->state = BT_CLOSED;
670 		__rfcomm_dlc_close(d, err);
671 	}
672 
673 	rfcomm_session_clear_timer(s);
674 	return rfcomm_session_del(s);
675 }
676 
677 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
678 							bdaddr_t *dst,
679 							u8 sec_level,
680 							int *err)
681 {
682 	struct rfcomm_session *s = NULL;
683 	struct sockaddr_l2 addr;
684 	struct socket *sock;
685 	struct sock *sk;
686 
687 	BT_DBG("%pMR -> %pMR", src, dst);
688 
689 	*err = rfcomm_l2sock_create(&sock);
690 	if (*err < 0)
691 		return NULL;
692 
693 	bacpy(&addr.l2_bdaddr, src);
694 	addr.l2_family = AF_BLUETOOTH;
695 	addr.l2_psm    = 0;
696 	addr.l2_cid    = 0;
697 	addr.l2_bdaddr_type = BDADDR_BREDR;
698 	*err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
699 	if (*err < 0)
700 		goto failed;
701 
702 	/* Set L2CAP options */
703 	sk = sock->sk;
704 	lock_sock(sk);
705 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
706 	l2cap_pi(sk)->chan->sec_level = sec_level;
707 	if (l2cap_ertm)
708 		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
709 	release_sock(sk);
710 
711 	s = rfcomm_session_add(sock, BT_BOUND);
712 	if (!s) {
713 		*err = -ENOMEM;
714 		goto failed;
715 	}
716 
717 	s->initiator = 1;
718 
719 	bacpy(&addr.l2_bdaddr, dst);
720 	addr.l2_family = AF_BLUETOOTH;
721 	addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
722 	addr.l2_cid    = 0;
723 	addr.l2_bdaddr_type = BDADDR_BREDR;
724 	*err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
725 	if (*err == 0 || *err == -EINPROGRESS)
726 		return s;
727 
728 	return rfcomm_session_del(s);
729 
730 failed:
731 	sock_release(sock);
732 	return NULL;
733 }
734 
735 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
736 {
737 	struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
738 	if (src)
739 		bacpy(src, &chan->src);
740 	if (dst)
741 		bacpy(dst, &chan->dst);
742 }
743 
744 /* ---- RFCOMM frame sending ---- */
745 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
746 {
747 	struct kvec iv = { data, len };
748 	struct msghdr msg;
749 
750 	BT_DBG("session %p len %d", s, len);
751 
752 	memset(&msg, 0, sizeof(msg));
753 
754 	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
755 }
756 
757 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
758 {
759 	BT_DBG("%p cmd %u", s, cmd->ctrl);
760 
761 	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
762 }
763 
764 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
765 {
766 	struct rfcomm_cmd cmd;
767 
768 	BT_DBG("%p dlci %d", s, dlci);
769 
770 	cmd.addr = __addr(s->initiator, dlci);
771 	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
772 	cmd.len  = __len8(0);
773 	cmd.fcs  = __fcs2((u8 *) &cmd);
774 
775 	return rfcomm_send_cmd(s, &cmd);
776 }
777 
778 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
779 {
780 	struct rfcomm_cmd cmd;
781 
782 	BT_DBG("%p dlci %d", s, dlci);
783 
784 	cmd.addr = __addr(!s->initiator, dlci);
785 	cmd.ctrl = __ctrl(RFCOMM_UA, 1);
786 	cmd.len  = __len8(0);
787 	cmd.fcs  = __fcs2((u8 *) &cmd);
788 
789 	return rfcomm_send_cmd(s, &cmd);
790 }
791 
792 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
793 {
794 	struct rfcomm_cmd cmd;
795 
796 	BT_DBG("%p dlci %d", s, dlci);
797 
798 	cmd.addr = __addr(s->initiator, dlci);
799 	cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
800 	cmd.len  = __len8(0);
801 	cmd.fcs  = __fcs2((u8 *) &cmd);
802 
803 	return rfcomm_send_cmd(s, &cmd);
804 }
805 
806 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
807 {
808 	struct rfcomm_cmd *cmd;
809 	struct sk_buff *skb;
810 
811 	BT_DBG("dlc %p dlci %d", d, d->dlci);
812 
813 	skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
814 	if (!skb)
815 		return -ENOMEM;
816 
817 	cmd = (void *) __skb_put(skb, sizeof(*cmd));
818 	cmd->addr = d->addr;
819 	cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
820 	cmd->len  = __len8(0);
821 	cmd->fcs  = __fcs2((u8 *) cmd);
822 
823 	skb_queue_tail(&d->tx_queue, skb);
824 	rfcomm_schedule();
825 	return 0;
826 }
827 
828 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
829 {
830 	struct rfcomm_cmd cmd;
831 
832 	BT_DBG("%p dlci %d", s, dlci);
833 
834 	cmd.addr = __addr(!s->initiator, dlci);
835 	cmd.ctrl = __ctrl(RFCOMM_DM, 1);
836 	cmd.len  = __len8(0);
837 	cmd.fcs  = __fcs2((u8 *) &cmd);
838 
839 	return rfcomm_send_cmd(s, &cmd);
840 }
841 
842 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
843 {
844 	struct rfcomm_hdr *hdr;
845 	struct rfcomm_mcc *mcc;
846 	u8 buf[16], *ptr = buf;
847 
848 	BT_DBG("%p cr %d type %d", s, cr, type);
849 
850 	hdr = (void *) ptr; ptr += sizeof(*hdr);
851 	hdr->addr = __addr(s->initiator, 0);
852 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
853 	hdr->len  = __len8(sizeof(*mcc) + 1);
854 
855 	mcc = (void *) ptr; ptr += sizeof(*mcc);
856 	mcc->type = __mcc_type(cr, RFCOMM_NSC);
857 	mcc->len  = __len8(1);
858 
859 	/* Type that we didn't like */
860 	*ptr = __mcc_type(cr, type); ptr++;
861 
862 	*ptr = __fcs(buf); ptr++;
863 
864 	return rfcomm_send_frame(s, buf, ptr - buf);
865 }
866 
867 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
868 {
869 	struct rfcomm_hdr *hdr;
870 	struct rfcomm_mcc *mcc;
871 	struct rfcomm_pn  *pn;
872 	u8 buf[16], *ptr = buf;
873 
874 	BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
875 
876 	hdr = (void *) ptr; ptr += sizeof(*hdr);
877 	hdr->addr = __addr(s->initiator, 0);
878 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
879 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
880 
881 	mcc = (void *) ptr; ptr += sizeof(*mcc);
882 	mcc->type = __mcc_type(cr, RFCOMM_PN);
883 	mcc->len  = __len8(sizeof(*pn));
884 
885 	pn = (void *) ptr; ptr += sizeof(*pn);
886 	pn->dlci        = d->dlci;
887 	pn->priority    = d->priority;
888 	pn->ack_timer   = 0;
889 	pn->max_retrans = 0;
890 
891 	if (s->cfc) {
892 		pn->flow_ctrl = cr ? 0xf0 : 0xe0;
893 		pn->credits = RFCOMM_DEFAULT_CREDITS;
894 	} else {
895 		pn->flow_ctrl = 0;
896 		pn->credits   = 0;
897 	}
898 
899 	if (cr && channel_mtu >= 0)
900 		pn->mtu = cpu_to_le16(channel_mtu);
901 	else
902 		pn->mtu = cpu_to_le16(d->mtu);
903 
904 	*ptr = __fcs(buf); ptr++;
905 
906 	return rfcomm_send_frame(s, buf, ptr - buf);
907 }
908 
909 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
910 			u8 bit_rate, u8 data_bits, u8 stop_bits,
911 			u8 parity, u8 flow_ctrl_settings,
912 			u8 xon_char, u8 xoff_char, u16 param_mask)
913 {
914 	struct rfcomm_hdr *hdr;
915 	struct rfcomm_mcc *mcc;
916 	struct rfcomm_rpn *rpn;
917 	u8 buf[16], *ptr = buf;
918 
919 	BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
920 			" flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
921 		s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
922 		flow_ctrl_settings, xon_char, xoff_char, param_mask);
923 
924 	hdr = (void *) ptr; ptr += sizeof(*hdr);
925 	hdr->addr = __addr(s->initiator, 0);
926 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
927 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
928 
929 	mcc = (void *) ptr; ptr += sizeof(*mcc);
930 	mcc->type = __mcc_type(cr, RFCOMM_RPN);
931 	mcc->len  = __len8(sizeof(*rpn));
932 
933 	rpn = (void *) ptr; ptr += sizeof(*rpn);
934 	rpn->dlci          = __addr(1, dlci);
935 	rpn->bit_rate      = bit_rate;
936 	rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
937 	rpn->flow_ctrl     = flow_ctrl_settings;
938 	rpn->xon_char      = xon_char;
939 	rpn->xoff_char     = xoff_char;
940 	rpn->param_mask    = cpu_to_le16(param_mask);
941 
942 	*ptr = __fcs(buf); ptr++;
943 
944 	return rfcomm_send_frame(s, buf, ptr - buf);
945 }
946 
947 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
948 {
949 	struct rfcomm_hdr *hdr;
950 	struct rfcomm_mcc *mcc;
951 	struct rfcomm_rls *rls;
952 	u8 buf[16], *ptr = buf;
953 
954 	BT_DBG("%p cr %d status 0x%x", s, cr, status);
955 
956 	hdr = (void *) ptr; ptr += sizeof(*hdr);
957 	hdr->addr = __addr(s->initiator, 0);
958 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
959 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
960 
961 	mcc = (void *) ptr; ptr += sizeof(*mcc);
962 	mcc->type = __mcc_type(cr, RFCOMM_RLS);
963 	mcc->len  = __len8(sizeof(*rls));
964 
965 	rls = (void *) ptr; ptr += sizeof(*rls);
966 	rls->dlci   = __addr(1, dlci);
967 	rls->status = status;
968 
969 	*ptr = __fcs(buf); ptr++;
970 
971 	return rfcomm_send_frame(s, buf, ptr - buf);
972 }
973 
974 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
975 {
976 	struct rfcomm_hdr *hdr;
977 	struct rfcomm_mcc *mcc;
978 	struct rfcomm_msc *msc;
979 	u8 buf[16], *ptr = buf;
980 
981 	BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
982 
983 	hdr = (void *) ptr; ptr += sizeof(*hdr);
984 	hdr->addr = __addr(s->initiator, 0);
985 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
986 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
987 
988 	mcc = (void *) ptr; ptr += sizeof(*mcc);
989 	mcc->type = __mcc_type(cr, RFCOMM_MSC);
990 	mcc->len  = __len8(sizeof(*msc));
991 
992 	msc = (void *) ptr; ptr += sizeof(*msc);
993 	msc->dlci    = __addr(1, dlci);
994 	msc->v24_sig = v24_sig | 0x01;
995 
996 	*ptr = __fcs(buf); ptr++;
997 
998 	return rfcomm_send_frame(s, buf, ptr - buf);
999 }
1000 
1001 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1002 {
1003 	struct rfcomm_hdr *hdr;
1004 	struct rfcomm_mcc *mcc;
1005 	u8 buf[16], *ptr = buf;
1006 
1007 	BT_DBG("%p cr %d", s, cr);
1008 
1009 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1010 	hdr->addr = __addr(s->initiator, 0);
1011 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1012 	hdr->len  = __len8(sizeof(*mcc));
1013 
1014 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1015 	mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1016 	mcc->len  = __len8(0);
1017 
1018 	*ptr = __fcs(buf); ptr++;
1019 
1020 	return rfcomm_send_frame(s, buf, ptr - buf);
1021 }
1022 
1023 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1024 {
1025 	struct rfcomm_hdr *hdr;
1026 	struct rfcomm_mcc *mcc;
1027 	u8 buf[16], *ptr = buf;
1028 
1029 	BT_DBG("%p cr %d", s, cr);
1030 
1031 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1032 	hdr->addr = __addr(s->initiator, 0);
1033 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1034 	hdr->len  = __len8(sizeof(*mcc));
1035 
1036 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1037 	mcc->type = __mcc_type(cr, RFCOMM_FCON);
1038 	mcc->len  = __len8(0);
1039 
1040 	*ptr = __fcs(buf); ptr++;
1041 
1042 	return rfcomm_send_frame(s, buf, ptr - buf);
1043 }
1044 
1045 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1046 {
1047 	struct socket *sock = s->sock;
1048 	struct kvec iv[3];
1049 	struct msghdr msg;
1050 	unsigned char hdr[5], crc[1];
1051 
1052 	if (len > 125)
1053 		return -EINVAL;
1054 
1055 	BT_DBG("%p cr %d", s, cr);
1056 
1057 	hdr[0] = __addr(s->initiator, 0);
1058 	hdr[1] = __ctrl(RFCOMM_UIH, 0);
1059 	hdr[2] = 0x01 | ((len + 2) << 1);
1060 	hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1061 	hdr[4] = 0x01 | (len << 1);
1062 
1063 	crc[0] = __fcs(hdr);
1064 
1065 	iv[0].iov_base = hdr;
1066 	iv[0].iov_len  = 5;
1067 	iv[1].iov_base = pattern;
1068 	iv[1].iov_len  = len;
1069 	iv[2].iov_base = crc;
1070 	iv[2].iov_len  = 1;
1071 
1072 	memset(&msg, 0, sizeof(msg));
1073 
1074 	return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1075 }
1076 
1077 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1078 {
1079 	struct rfcomm_hdr *hdr;
1080 	u8 buf[16], *ptr = buf;
1081 
1082 	BT_DBG("%p addr %d credits %d", s, addr, credits);
1083 
1084 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1085 	hdr->addr = addr;
1086 	hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1087 	hdr->len  = __len8(0);
1088 
1089 	*ptr = credits; ptr++;
1090 
1091 	*ptr = __fcs(buf); ptr++;
1092 
1093 	return rfcomm_send_frame(s, buf, ptr - buf);
1094 }
1095 
1096 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1097 {
1098 	struct rfcomm_hdr *hdr;
1099 	int len = skb->len;
1100 	u8 *crc;
1101 
1102 	if (len > 127) {
1103 		hdr = (void *) skb_push(skb, 4);
1104 		put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1105 	} else {
1106 		hdr = (void *) skb_push(skb, 3);
1107 		hdr->len = __len8(len);
1108 	}
1109 	hdr->addr = addr;
1110 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1111 
1112 	crc = skb_put(skb, 1);
1113 	*crc = __fcs((void *) hdr);
1114 }
1115 
1116 /* ---- RFCOMM frame reception ---- */
1117 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1118 {
1119 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1120 
1121 	if (dlci) {
1122 		/* Data channel */
1123 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1124 		if (!d) {
1125 			rfcomm_send_dm(s, dlci);
1126 			return s;
1127 		}
1128 
1129 		switch (d->state) {
1130 		case BT_CONNECT:
1131 			rfcomm_dlc_clear_timer(d);
1132 
1133 			rfcomm_dlc_lock(d);
1134 			d->state = BT_CONNECTED;
1135 			d->state_change(d, 0);
1136 			rfcomm_dlc_unlock(d);
1137 
1138 			rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1139 			break;
1140 
1141 		case BT_DISCONN:
1142 			d->state = BT_CLOSED;
1143 			__rfcomm_dlc_close(d, 0);
1144 
1145 			if (list_empty(&s->dlcs)) {
1146 				s->state = BT_DISCONN;
1147 				rfcomm_send_disc(s, 0);
1148 				rfcomm_session_clear_timer(s);
1149 			}
1150 
1151 			break;
1152 		}
1153 	} else {
1154 		/* Control channel */
1155 		switch (s->state) {
1156 		case BT_CONNECT:
1157 			s->state = BT_CONNECTED;
1158 			rfcomm_process_connect(s);
1159 			break;
1160 
1161 		case BT_DISCONN:
1162 			s = rfcomm_session_close(s, ECONNRESET);
1163 			break;
1164 		}
1165 	}
1166 	return s;
1167 }
1168 
1169 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1170 {
1171 	int err = 0;
1172 
1173 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1174 
1175 	if (dlci) {
1176 		/* Data DLC */
1177 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1178 		if (d) {
1179 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1180 				err = ECONNREFUSED;
1181 			else
1182 				err = ECONNRESET;
1183 
1184 			d->state = BT_CLOSED;
1185 			__rfcomm_dlc_close(d, err);
1186 		}
1187 	} else {
1188 		if (s->state == BT_CONNECT)
1189 			err = ECONNREFUSED;
1190 		else
1191 			err = ECONNRESET;
1192 
1193 		s = rfcomm_session_close(s, err);
1194 	}
1195 	return s;
1196 }
1197 
1198 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1199 					       u8 dlci)
1200 {
1201 	int err = 0;
1202 
1203 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1204 
1205 	if (dlci) {
1206 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1207 		if (d) {
1208 			rfcomm_send_ua(s, dlci);
1209 
1210 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1211 				err = ECONNREFUSED;
1212 			else
1213 				err = ECONNRESET;
1214 
1215 			d->state = BT_CLOSED;
1216 			__rfcomm_dlc_close(d, err);
1217 		} else
1218 			rfcomm_send_dm(s, dlci);
1219 
1220 	} else {
1221 		rfcomm_send_ua(s, 0);
1222 
1223 		if (s->state == BT_CONNECT)
1224 			err = ECONNREFUSED;
1225 		else
1226 			err = ECONNRESET;
1227 
1228 		s = rfcomm_session_close(s, err);
1229 	}
1230 	return s;
1231 }
1232 
1233 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1234 {
1235 	struct sock *sk = d->session->sock->sk;
1236 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1237 
1238 	BT_DBG("dlc %p", d);
1239 
1240 	rfcomm_send_ua(d->session, d->dlci);
1241 
1242 	rfcomm_dlc_clear_timer(d);
1243 
1244 	rfcomm_dlc_lock(d);
1245 	d->state = BT_CONNECTED;
1246 	d->state_change(d, 0);
1247 	rfcomm_dlc_unlock(d);
1248 
1249 	if (d->role_switch)
1250 		hci_conn_switch_role(conn->hcon, 0x00);
1251 
1252 	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1253 }
1254 
1255 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1256 {
1257 	if (rfcomm_check_security(d)) {
1258 		if (d->defer_setup) {
1259 			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1260 			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1261 
1262 			rfcomm_dlc_lock(d);
1263 			d->state = BT_CONNECT2;
1264 			d->state_change(d, 0);
1265 			rfcomm_dlc_unlock(d);
1266 		} else
1267 			rfcomm_dlc_accept(d);
1268 	} else {
1269 		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1270 		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1271 	}
1272 }
1273 
1274 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1275 {
1276 	struct rfcomm_dlc *d;
1277 	u8 channel;
1278 
1279 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1280 
1281 	if (!dlci) {
1282 		rfcomm_send_ua(s, 0);
1283 
1284 		if (s->state == BT_OPEN) {
1285 			s->state = BT_CONNECTED;
1286 			rfcomm_process_connect(s);
1287 		}
1288 		return 0;
1289 	}
1290 
1291 	/* Check if DLC exists */
1292 	d = rfcomm_dlc_get(s, dlci);
1293 	if (d) {
1294 		if (d->state == BT_OPEN) {
1295 			/* DLC was previously opened by PN request */
1296 			rfcomm_check_accept(d);
1297 		}
1298 		return 0;
1299 	}
1300 
1301 	/* Notify socket layer about incoming connection */
1302 	channel = __srv_channel(dlci);
1303 	if (rfcomm_connect_ind(s, channel, &d)) {
1304 		d->dlci = dlci;
1305 		d->addr = __addr(s->initiator, dlci);
1306 		rfcomm_dlc_link(s, d);
1307 
1308 		rfcomm_check_accept(d);
1309 	} else {
1310 		rfcomm_send_dm(s, dlci);
1311 	}
1312 
1313 	return 0;
1314 }
1315 
1316 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1317 {
1318 	struct rfcomm_session *s = d->session;
1319 
1320 	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1321 			d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1322 
1323 	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1324 						pn->flow_ctrl == 0xe0) {
1325 		d->cfc = RFCOMM_CFC_ENABLED;
1326 		d->tx_credits = pn->credits;
1327 	} else {
1328 		d->cfc = RFCOMM_CFC_DISABLED;
1329 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1330 	}
1331 
1332 	if (s->cfc == RFCOMM_CFC_UNKNOWN)
1333 		s->cfc = d->cfc;
1334 
1335 	d->priority = pn->priority;
1336 
1337 	d->mtu = __le16_to_cpu(pn->mtu);
1338 
1339 	if (cr && d->mtu > s->mtu)
1340 		d->mtu = s->mtu;
1341 
1342 	return 0;
1343 }
1344 
1345 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1346 {
1347 	struct rfcomm_pn *pn = (void *) skb->data;
1348 	struct rfcomm_dlc *d;
1349 	u8 dlci = pn->dlci;
1350 
1351 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1352 
1353 	if (!dlci)
1354 		return 0;
1355 
1356 	d = rfcomm_dlc_get(s, dlci);
1357 	if (d) {
1358 		if (cr) {
1359 			/* PN request */
1360 			rfcomm_apply_pn(d, cr, pn);
1361 			rfcomm_send_pn(s, 0, d);
1362 		} else {
1363 			/* PN response */
1364 			switch (d->state) {
1365 			case BT_CONFIG:
1366 				rfcomm_apply_pn(d, cr, pn);
1367 
1368 				d->state = BT_CONNECT;
1369 				rfcomm_send_sabm(s, d->dlci);
1370 				break;
1371 			}
1372 		}
1373 	} else {
1374 		u8 channel = __srv_channel(dlci);
1375 
1376 		if (!cr)
1377 			return 0;
1378 
1379 		/* PN request for non existing DLC.
1380 		 * Assume incoming connection. */
1381 		if (rfcomm_connect_ind(s, channel, &d)) {
1382 			d->dlci = dlci;
1383 			d->addr = __addr(s->initiator, dlci);
1384 			rfcomm_dlc_link(s, d);
1385 
1386 			rfcomm_apply_pn(d, cr, pn);
1387 
1388 			d->state = BT_OPEN;
1389 			rfcomm_send_pn(s, 0, d);
1390 		} else {
1391 			rfcomm_send_dm(s, dlci);
1392 		}
1393 	}
1394 	return 0;
1395 }
1396 
1397 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1398 {
1399 	struct rfcomm_rpn *rpn = (void *) skb->data;
1400 	u8 dlci = __get_dlci(rpn->dlci);
1401 
1402 	u8 bit_rate  = 0;
1403 	u8 data_bits = 0;
1404 	u8 stop_bits = 0;
1405 	u8 parity    = 0;
1406 	u8 flow_ctrl = 0;
1407 	u8 xon_char  = 0;
1408 	u8 xoff_char = 0;
1409 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1410 
1411 	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1412 		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1413 		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1414 
1415 	if (!cr)
1416 		return 0;
1417 
1418 	if (len == 1) {
1419 		/* This is a request, return default (according to ETSI TS 07.10) settings */
1420 		bit_rate  = RFCOMM_RPN_BR_9600;
1421 		data_bits = RFCOMM_RPN_DATA_8;
1422 		stop_bits = RFCOMM_RPN_STOP_1;
1423 		parity    = RFCOMM_RPN_PARITY_NONE;
1424 		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1425 		xon_char  = RFCOMM_RPN_XON_CHAR;
1426 		xoff_char = RFCOMM_RPN_XOFF_CHAR;
1427 		goto rpn_out;
1428 	}
1429 
1430 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1431 	 * no parity, no flow control lines, normal XON/XOFF chars */
1432 
1433 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1434 		bit_rate = rpn->bit_rate;
1435 		if (bit_rate > RFCOMM_RPN_BR_230400) {
1436 			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1437 			bit_rate = RFCOMM_RPN_BR_9600;
1438 			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1439 		}
1440 	}
1441 
1442 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1443 		data_bits = __get_rpn_data_bits(rpn->line_settings);
1444 		if (data_bits != RFCOMM_RPN_DATA_8) {
1445 			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1446 			data_bits = RFCOMM_RPN_DATA_8;
1447 			rpn_mask ^= RFCOMM_RPN_PM_DATA;
1448 		}
1449 	}
1450 
1451 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1452 		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1453 		if (stop_bits != RFCOMM_RPN_STOP_1) {
1454 			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1455 			stop_bits = RFCOMM_RPN_STOP_1;
1456 			rpn_mask ^= RFCOMM_RPN_PM_STOP;
1457 		}
1458 	}
1459 
1460 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1461 		parity = __get_rpn_parity(rpn->line_settings);
1462 		if (parity != RFCOMM_RPN_PARITY_NONE) {
1463 			BT_DBG("RPN parity mismatch 0x%x", parity);
1464 			parity = RFCOMM_RPN_PARITY_NONE;
1465 			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1466 		}
1467 	}
1468 
1469 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1470 		flow_ctrl = rpn->flow_ctrl;
1471 		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1472 			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1473 			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1474 			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1475 		}
1476 	}
1477 
1478 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1479 		xon_char = rpn->xon_char;
1480 		if (xon_char != RFCOMM_RPN_XON_CHAR) {
1481 			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1482 			xon_char = RFCOMM_RPN_XON_CHAR;
1483 			rpn_mask ^= RFCOMM_RPN_PM_XON;
1484 		}
1485 	}
1486 
1487 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1488 		xoff_char = rpn->xoff_char;
1489 		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1490 			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1491 			xoff_char = RFCOMM_RPN_XOFF_CHAR;
1492 			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1493 		}
1494 	}
1495 
1496 rpn_out:
1497 	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1498 			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1499 
1500 	return 0;
1501 }
1502 
1503 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1504 {
1505 	struct rfcomm_rls *rls = (void *) skb->data;
1506 	u8 dlci = __get_dlci(rls->dlci);
1507 
1508 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1509 
1510 	if (!cr)
1511 		return 0;
1512 
1513 	/* We should probably do something with this information here. But
1514 	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1515 	 * mandatory to recognise and respond to RLS */
1516 
1517 	rfcomm_send_rls(s, 0, dlci, rls->status);
1518 
1519 	return 0;
1520 }
1521 
1522 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1523 {
1524 	struct rfcomm_msc *msc = (void *) skb->data;
1525 	struct rfcomm_dlc *d;
1526 	u8 dlci = __get_dlci(msc->dlci);
1527 
1528 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1529 
1530 	d = rfcomm_dlc_get(s, dlci);
1531 	if (!d)
1532 		return 0;
1533 
1534 	if (cr) {
1535 		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1536 			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1537 		else
1538 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1539 
1540 		rfcomm_dlc_lock(d);
1541 
1542 		d->remote_v24_sig = msc->v24_sig;
1543 
1544 		if (d->modem_status)
1545 			d->modem_status(d, msc->v24_sig);
1546 
1547 		rfcomm_dlc_unlock(d);
1548 
1549 		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1550 
1551 		d->mscex |= RFCOMM_MSCEX_RX;
1552 	} else
1553 		d->mscex |= RFCOMM_MSCEX_TX;
1554 
1555 	return 0;
1556 }
1557 
1558 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1559 {
1560 	struct rfcomm_mcc *mcc = (void *) skb->data;
1561 	u8 type, cr, len;
1562 
1563 	cr   = __test_cr(mcc->type);
1564 	type = __get_mcc_type(mcc->type);
1565 	len  = __get_mcc_len(mcc->len);
1566 
1567 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
1568 
1569 	skb_pull(skb, 2);
1570 
1571 	switch (type) {
1572 	case RFCOMM_PN:
1573 		rfcomm_recv_pn(s, cr, skb);
1574 		break;
1575 
1576 	case RFCOMM_RPN:
1577 		rfcomm_recv_rpn(s, cr, len, skb);
1578 		break;
1579 
1580 	case RFCOMM_RLS:
1581 		rfcomm_recv_rls(s, cr, skb);
1582 		break;
1583 
1584 	case RFCOMM_MSC:
1585 		rfcomm_recv_msc(s, cr, skb);
1586 		break;
1587 
1588 	case RFCOMM_FCOFF:
1589 		if (cr) {
1590 			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1591 			rfcomm_send_fcoff(s, 0);
1592 		}
1593 		break;
1594 
1595 	case RFCOMM_FCON:
1596 		if (cr) {
1597 			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1598 			rfcomm_send_fcon(s, 0);
1599 		}
1600 		break;
1601 
1602 	case RFCOMM_TEST:
1603 		if (cr)
1604 			rfcomm_send_test(s, 0, skb->data, skb->len);
1605 		break;
1606 
1607 	case RFCOMM_NSC:
1608 		break;
1609 
1610 	default:
1611 		BT_ERR("Unknown control type 0x%02x", type);
1612 		rfcomm_send_nsc(s, cr, type);
1613 		break;
1614 	}
1615 	return 0;
1616 }
1617 
1618 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1619 {
1620 	struct rfcomm_dlc *d;
1621 
1622 	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1623 
1624 	d = rfcomm_dlc_get(s, dlci);
1625 	if (!d) {
1626 		rfcomm_send_dm(s, dlci);
1627 		goto drop;
1628 	}
1629 
1630 	if (pf && d->cfc) {
1631 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1632 
1633 		d->tx_credits += credits;
1634 		if (d->tx_credits)
1635 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1636 	}
1637 
1638 	if (skb->len && d->state == BT_CONNECTED) {
1639 		rfcomm_dlc_lock(d);
1640 		d->rx_credits--;
1641 		d->data_ready(d, skb);
1642 		rfcomm_dlc_unlock(d);
1643 		return 0;
1644 	}
1645 
1646 drop:
1647 	kfree_skb(skb);
1648 	return 0;
1649 }
1650 
1651 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1652 						struct sk_buff *skb)
1653 {
1654 	struct rfcomm_hdr *hdr = (void *) skb->data;
1655 	u8 type, dlci, fcs;
1656 
1657 	if (!s) {
1658 		/* no session, so free socket data */
1659 		kfree_skb(skb);
1660 		return s;
1661 	}
1662 
1663 	dlci = __get_dlci(hdr->addr);
1664 	type = __get_type(hdr->ctrl);
1665 
1666 	/* Trim FCS */
1667 	skb->len--; skb->tail--;
1668 	fcs = *(u8 *)skb_tail_pointer(skb);
1669 
1670 	if (__check_fcs(skb->data, type, fcs)) {
1671 		BT_ERR("bad checksum in packet");
1672 		kfree_skb(skb);
1673 		return s;
1674 	}
1675 
1676 	if (__test_ea(hdr->len))
1677 		skb_pull(skb, 3);
1678 	else
1679 		skb_pull(skb, 4);
1680 
1681 	switch (type) {
1682 	case RFCOMM_SABM:
1683 		if (__test_pf(hdr->ctrl))
1684 			rfcomm_recv_sabm(s, dlci);
1685 		break;
1686 
1687 	case RFCOMM_DISC:
1688 		if (__test_pf(hdr->ctrl))
1689 			s = rfcomm_recv_disc(s, dlci);
1690 		break;
1691 
1692 	case RFCOMM_UA:
1693 		if (__test_pf(hdr->ctrl))
1694 			s = rfcomm_recv_ua(s, dlci);
1695 		break;
1696 
1697 	case RFCOMM_DM:
1698 		s = rfcomm_recv_dm(s, dlci);
1699 		break;
1700 
1701 	case RFCOMM_UIH:
1702 		if (dlci) {
1703 			rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1704 			return s;
1705 		}
1706 		rfcomm_recv_mcc(s, skb);
1707 		break;
1708 
1709 	default:
1710 		BT_ERR("Unknown packet type 0x%02x", type);
1711 		break;
1712 	}
1713 	kfree_skb(skb);
1714 	return s;
1715 }
1716 
1717 /* ---- Connection and data processing ---- */
1718 
1719 static void rfcomm_process_connect(struct rfcomm_session *s)
1720 {
1721 	struct rfcomm_dlc *d;
1722 	struct list_head *p, *n;
1723 
1724 	BT_DBG("session %p state %ld", s, s->state);
1725 
1726 	list_for_each_safe(p, n, &s->dlcs) {
1727 		d = list_entry(p, struct rfcomm_dlc, list);
1728 		if (d->state == BT_CONFIG) {
1729 			d->mtu = s->mtu;
1730 			if (rfcomm_check_security(d)) {
1731 				rfcomm_send_pn(s, 1, d);
1732 			} else {
1733 				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1734 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1735 			}
1736 		}
1737 	}
1738 }
1739 
1740 /* Send data queued for the DLC.
1741  * Return number of frames left in the queue.
1742  */
1743 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1744 {
1745 	struct sk_buff *skb;
1746 	int err;
1747 
1748 	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1749 			d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1750 
1751 	/* Send pending MSC */
1752 	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1753 		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1754 
1755 	if (d->cfc) {
1756 		/* CFC enabled.
1757 		 * Give them some credits */
1758 		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1759 				d->rx_credits <= (d->cfc >> 2)) {
1760 			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1761 			d->rx_credits = d->cfc;
1762 		}
1763 	} else {
1764 		/* CFC disabled.
1765 		 * Give ourselves some credits */
1766 		d->tx_credits = 5;
1767 	}
1768 
1769 	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1770 		return skb_queue_len(&d->tx_queue);
1771 
1772 	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1773 		err = rfcomm_send_frame(d->session, skb->data, skb->len);
1774 		if (err < 0) {
1775 			skb_queue_head(&d->tx_queue, skb);
1776 			break;
1777 		}
1778 		kfree_skb(skb);
1779 		d->tx_credits--;
1780 	}
1781 
1782 	if (d->cfc && !d->tx_credits) {
1783 		/* We're out of TX credits.
1784 		 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1785 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1786 	}
1787 
1788 	return skb_queue_len(&d->tx_queue);
1789 }
1790 
1791 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1792 {
1793 	struct rfcomm_dlc *d;
1794 	struct list_head *p, *n;
1795 
1796 	BT_DBG("session %p state %ld", s, s->state);
1797 
1798 	list_for_each_safe(p, n, &s->dlcs) {
1799 		d = list_entry(p, struct rfcomm_dlc, list);
1800 
1801 		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1802 			__rfcomm_dlc_close(d, ETIMEDOUT);
1803 			continue;
1804 		}
1805 
1806 		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1807 			__rfcomm_dlc_close(d, ECONNREFUSED);
1808 			continue;
1809 		}
1810 
1811 		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1812 			rfcomm_dlc_clear_timer(d);
1813 			if (d->out) {
1814 				rfcomm_send_pn(s, 1, d);
1815 				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1816 			} else {
1817 				if (d->defer_setup) {
1818 					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1819 					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1820 
1821 					rfcomm_dlc_lock(d);
1822 					d->state = BT_CONNECT2;
1823 					d->state_change(d, 0);
1824 					rfcomm_dlc_unlock(d);
1825 				} else
1826 					rfcomm_dlc_accept(d);
1827 			}
1828 			continue;
1829 		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1830 			rfcomm_dlc_clear_timer(d);
1831 			if (!d->out)
1832 				rfcomm_send_dm(s, d->dlci);
1833 			else
1834 				d->state = BT_CLOSED;
1835 			__rfcomm_dlc_close(d, ECONNREFUSED);
1836 			continue;
1837 		}
1838 
1839 		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1840 			continue;
1841 
1842 		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1843 			continue;
1844 
1845 		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1846 						d->mscex == RFCOMM_MSCEX_OK)
1847 			rfcomm_process_tx(d);
1848 	}
1849 }
1850 
1851 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1852 {
1853 	struct socket *sock = s->sock;
1854 	struct sock *sk = sock->sk;
1855 	struct sk_buff *skb;
1856 
1857 	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1858 
1859 	/* Get data directly from socket receive queue without copying it. */
1860 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1861 		skb_orphan(skb);
1862 		if (!skb_linearize(skb))
1863 			s = rfcomm_recv_frame(s, skb);
1864 		else
1865 			kfree_skb(skb);
1866 	}
1867 
1868 	if (s && (sk->sk_state == BT_CLOSED))
1869 		s = rfcomm_session_close(s, sk->sk_err);
1870 
1871 	return s;
1872 }
1873 
1874 static void rfcomm_accept_connection(struct rfcomm_session *s)
1875 {
1876 	struct socket *sock = s->sock, *nsock;
1877 	int err;
1878 
1879 	/* Fast check for a new connection.
1880 	 * Avoids unnesesary socket allocations. */
1881 	if (list_empty(&bt_sk(sock->sk)->accept_q))
1882 		return;
1883 
1884 	BT_DBG("session %p", s);
1885 
1886 	err = kernel_accept(sock, &nsock, O_NONBLOCK);
1887 	if (err < 0)
1888 		return;
1889 
1890 	/* Set our callbacks */
1891 	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1892 	nsock->sk->sk_state_change = rfcomm_l2state_change;
1893 
1894 	s = rfcomm_session_add(nsock, BT_OPEN);
1895 	if (s) {
1896 		/* We should adjust MTU on incoming sessions.
1897 		 * L2CAP MTU minus UIH header and FCS. */
1898 		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1899 				l2cap_pi(nsock->sk)->chan->imtu) - 5;
1900 
1901 		rfcomm_schedule();
1902 	} else
1903 		sock_release(nsock);
1904 }
1905 
1906 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1907 {
1908 	struct sock *sk = s->sock->sk;
1909 
1910 	BT_DBG("%p state %ld", s, s->state);
1911 
1912 	switch (sk->sk_state) {
1913 	case BT_CONNECTED:
1914 		s->state = BT_CONNECT;
1915 
1916 		/* We can adjust MTU on outgoing sessions.
1917 		 * L2CAP MTU minus UIH header and FCS. */
1918 		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1919 
1920 		rfcomm_send_sabm(s, 0);
1921 		break;
1922 
1923 	case BT_CLOSED:
1924 		s = rfcomm_session_close(s, sk->sk_err);
1925 		break;
1926 	}
1927 	return s;
1928 }
1929 
1930 static void rfcomm_process_sessions(void)
1931 {
1932 	struct list_head *p, *n;
1933 
1934 	rfcomm_lock();
1935 
1936 	list_for_each_safe(p, n, &session_list) {
1937 		struct rfcomm_session *s;
1938 		s = list_entry(p, struct rfcomm_session, list);
1939 
1940 		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1941 			s->state = BT_DISCONN;
1942 			rfcomm_send_disc(s, 0);
1943 			continue;
1944 		}
1945 
1946 		if (s->state == BT_LISTEN) {
1947 			rfcomm_accept_connection(s);
1948 			continue;
1949 		}
1950 
1951 		switch (s->state) {
1952 		case BT_BOUND:
1953 			s = rfcomm_check_connection(s);
1954 			break;
1955 
1956 		default:
1957 			s = rfcomm_process_rx(s);
1958 			break;
1959 		}
1960 
1961 		if (s)
1962 			rfcomm_process_dlcs(s);
1963 	}
1964 
1965 	rfcomm_unlock();
1966 }
1967 
1968 static int rfcomm_add_listener(bdaddr_t *ba)
1969 {
1970 	struct sockaddr_l2 addr;
1971 	struct socket *sock;
1972 	struct sock *sk;
1973 	struct rfcomm_session *s;
1974 	int    err = 0;
1975 
1976 	/* Create socket */
1977 	err = rfcomm_l2sock_create(&sock);
1978 	if (err < 0) {
1979 		BT_ERR("Create socket failed %d", err);
1980 		return err;
1981 	}
1982 
1983 	/* Bind socket */
1984 	bacpy(&addr.l2_bdaddr, ba);
1985 	addr.l2_family = AF_BLUETOOTH;
1986 	addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
1987 	addr.l2_cid    = 0;
1988 	addr.l2_bdaddr_type = BDADDR_BREDR;
1989 	err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1990 	if (err < 0) {
1991 		BT_ERR("Bind failed %d", err);
1992 		goto failed;
1993 	}
1994 
1995 	/* Set L2CAP options */
1996 	sk = sock->sk;
1997 	lock_sock(sk);
1998 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1999 	release_sock(sk);
2000 
2001 	/* Start listening on the socket */
2002 	err = kernel_listen(sock, 10);
2003 	if (err) {
2004 		BT_ERR("Listen failed %d", err);
2005 		goto failed;
2006 	}
2007 
2008 	/* Add listening session */
2009 	s = rfcomm_session_add(sock, BT_LISTEN);
2010 	if (!s) {
2011 		err = -ENOMEM;
2012 		goto failed;
2013 	}
2014 
2015 	return 0;
2016 failed:
2017 	sock_release(sock);
2018 	return err;
2019 }
2020 
2021 static void rfcomm_kill_listener(void)
2022 {
2023 	struct rfcomm_session *s;
2024 	struct list_head *p, *n;
2025 
2026 	BT_DBG("");
2027 
2028 	list_for_each_safe(p, n, &session_list) {
2029 		s = list_entry(p, struct rfcomm_session, list);
2030 		rfcomm_session_del(s);
2031 	}
2032 }
2033 
2034 static int rfcomm_run(void *unused)
2035 {
2036 	BT_DBG("");
2037 
2038 	set_user_nice(current, -10);
2039 
2040 	rfcomm_add_listener(BDADDR_ANY);
2041 
2042 	while (1) {
2043 		set_current_state(TASK_INTERRUPTIBLE);
2044 
2045 		if (kthread_should_stop())
2046 			break;
2047 
2048 		/* Process stuff */
2049 		rfcomm_process_sessions();
2050 
2051 		schedule();
2052 	}
2053 	__set_current_state(TASK_RUNNING);
2054 
2055 	rfcomm_kill_listener();
2056 
2057 	return 0;
2058 }
2059 
2060 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2061 {
2062 	struct rfcomm_session *s;
2063 	struct rfcomm_dlc *d;
2064 	struct list_head *p, *n;
2065 
2066 	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2067 
2068 	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2069 	if (!s)
2070 		return;
2071 
2072 	list_for_each_safe(p, n, &s->dlcs) {
2073 		d = list_entry(p, struct rfcomm_dlc, list);
2074 
2075 		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2076 			rfcomm_dlc_clear_timer(d);
2077 			if (status || encrypt == 0x00) {
2078 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2079 				continue;
2080 			}
2081 		}
2082 
2083 		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2084 			if (d->sec_level == BT_SECURITY_MEDIUM) {
2085 				set_bit(RFCOMM_SEC_PENDING, &d->flags);
2086 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2087 				continue;
2088 			} else if (d->sec_level == BT_SECURITY_HIGH) {
2089 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2090 				continue;
2091 			}
2092 		}
2093 
2094 		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2095 			continue;
2096 
2097 		if (!status && hci_conn_check_secure(conn, d->sec_level))
2098 			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2099 		else
2100 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2101 	}
2102 
2103 	rfcomm_schedule();
2104 }
2105 
2106 static struct hci_cb rfcomm_cb = {
2107 	.name		= "RFCOMM",
2108 	.security_cfm	= rfcomm_security_cfm
2109 };
2110 
2111 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2112 {
2113 	struct rfcomm_session *s;
2114 
2115 	rfcomm_lock();
2116 
2117 	list_for_each_entry(s, &session_list, list) {
2118 		struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2119 		struct rfcomm_dlc *d;
2120 		list_for_each_entry(d, &s->dlcs, list) {
2121 			seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2122 				   &chan->src, &chan->dst,
2123 				   d->state, d->dlci, d->mtu,
2124 				   d->rx_credits, d->tx_credits);
2125 		}
2126 	}
2127 
2128 	rfcomm_unlock();
2129 
2130 	return 0;
2131 }
2132 
2133 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2134 {
2135 	return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2136 }
2137 
2138 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2139 	.open		= rfcomm_dlc_debugfs_open,
2140 	.read		= seq_read,
2141 	.llseek		= seq_lseek,
2142 	.release	= single_release,
2143 };
2144 
2145 static struct dentry *rfcomm_dlc_debugfs;
2146 
2147 /* ---- Initialization ---- */
2148 static int __init rfcomm_init(void)
2149 {
2150 	int err;
2151 
2152 	hci_register_cb(&rfcomm_cb);
2153 
2154 	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2155 	if (IS_ERR(rfcomm_thread)) {
2156 		err = PTR_ERR(rfcomm_thread);
2157 		goto unregister;
2158 	}
2159 
2160 	err = rfcomm_init_ttys();
2161 	if (err < 0)
2162 		goto stop;
2163 
2164 	err = rfcomm_init_sockets();
2165 	if (err < 0)
2166 		goto cleanup;
2167 
2168 	BT_INFO("RFCOMM ver %s", VERSION);
2169 
2170 	if (IS_ERR_OR_NULL(bt_debugfs))
2171 		return 0;
2172 
2173 	rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2174 						 bt_debugfs, NULL,
2175 						 &rfcomm_dlc_debugfs_fops);
2176 
2177 	return 0;
2178 
2179 cleanup:
2180 	rfcomm_cleanup_ttys();
2181 
2182 stop:
2183 	kthread_stop(rfcomm_thread);
2184 
2185 unregister:
2186 	hci_unregister_cb(&rfcomm_cb);
2187 
2188 	return err;
2189 }
2190 
2191 static void __exit rfcomm_exit(void)
2192 {
2193 	debugfs_remove(rfcomm_dlc_debugfs);
2194 
2195 	hci_unregister_cb(&rfcomm_cb);
2196 
2197 	kthread_stop(rfcomm_thread);
2198 
2199 	rfcomm_cleanup_ttys();
2200 
2201 	rfcomm_cleanup_sockets();
2202 }
2203 
2204 module_init(rfcomm_init);
2205 module_exit(rfcomm_exit);
2206 
2207 module_param(disable_cfc, bool, 0644);
2208 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2209 
2210 module_param(channel_mtu, int, 0644);
2211 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2212 
2213 module_param(l2cap_mtu, uint, 0644);
2214 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2215 
2216 module_param(l2cap_ertm, bool, 0644);
2217 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2218 
2219 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2220 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2221 MODULE_VERSION(VERSION);
2222 MODULE_LICENSE("GPL");
2223 MODULE_ALIAS("bt-proto-3");
2224