xref: /openbmc/linux/net/bluetooth/rfcomm/core.c (revision 4f727ecefefbd180de10e25b3e74c03dce3f1e75)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * Bluetooth RFCOMM core.
26  */
27 
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define VERSION "1.11"
39 
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44 
45 static struct task_struct *rfcomm_thread;
46 
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)
50 
51 
52 static LIST_HEAD(session_list);
53 
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64 
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66 
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 							bdaddr_t *dst,
69 							u8 sec_level,
70 							int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73 
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
76 #define __get_channel(b)  ((b & 0xf8) >> 3)
77 #define __get_dir(b)      ((b & 0x04) >> 2)
78 #define __get_type(b)     ((b & 0xef))
79 
80 #define __test_ea(b)      ((b & 0x01))
81 #define __test_cr(b)      (!!(b & 0x02))
82 #define __test_pf(b)      (!!(b & 0x10))
83 
84 #define __session_dir(s)  ((s)->initiator ? 0x00 : 0x01)
85 
86 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
87 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
88 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
89 #define __srv_channel(dlci)    (dlci >> 1)
90 #define __dir(dlci)            (dlci & 0x01)
91 
92 #define __len8(len)       (((len) << 1) | 1)
93 #define __len16(len)      ((len) << 1)
94 
95 /* MCC macros */
96 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
97 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
98 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
99 
100 /* RPN macros */
101 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
102 #define __get_rpn_data_bits(line) ((line) & 0x3)
103 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
104 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
105 
106 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
107 
108 static void rfcomm_schedule(void)
109 {
110 	wake_up_all(&rfcomm_wq);
111 }
112 
113 /* ---- RFCOMM FCS computation ---- */
114 
115 /* reversed, 8-bit, poly=0x07 */
116 static unsigned char rfcomm_crc_table[256] = {
117 	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
118 	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
119 	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
120 	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
121 
122 	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
123 	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
124 	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
125 	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
126 
127 	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
128 	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
129 	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
130 	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
131 
132 	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
133 	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
134 	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
135 	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
136 
137 	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
138 	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
139 	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
140 	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
141 
142 	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
143 	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
144 	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
145 	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
146 
147 	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
148 	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
149 	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
150 	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
151 
152 	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
153 	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
154 	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
155 	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
156 };
157 
158 /* CRC on 2 bytes */
159 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
160 
161 /* FCS on 2 bytes */
162 static inline u8 __fcs(u8 *data)
163 {
164 	return 0xff - __crc(data);
165 }
166 
167 /* FCS on 3 bytes */
168 static inline u8 __fcs2(u8 *data)
169 {
170 	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
171 }
172 
173 /* Check FCS */
174 static inline int __check_fcs(u8 *data, int type, u8 fcs)
175 {
176 	u8 f = __crc(data);
177 
178 	if (type != RFCOMM_UIH)
179 		f = rfcomm_crc_table[f ^ data[2]];
180 
181 	return rfcomm_crc_table[f ^ fcs] != 0xcf;
182 }
183 
184 /* ---- L2CAP callbacks ---- */
185 static void rfcomm_l2state_change(struct sock *sk)
186 {
187 	BT_DBG("%p state %d", sk, sk->sk_state);
188 	rfcomm_schedule();
189 }
190 
191 static void rfcomm_l2data_ready(struct sock *sk)
192 {
193 	BT_DBG("%p", sk);
194 	rfcomm_schedule();
195 }
196 
197 static int rfcomm_l2sock_create(struct socket **sock)
198 {
199 	int err;
200 
201 	BT_DBG("");
202 
203 	err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204 	if (!err) {
205 		struct sock *sk = (*sock)->sk;
206 		sk->sk_data_ready   = rfcomm_l2data_ready;
207 		sk->sk_state_change = rfcomm_l2state_change;
208 	}
209 	return err;
210 }
211 
212 static int rfcomm_check_security(struct rfcomm_dlc *d)
213 {
214 	struct sock *sk = d->session->sock->sk;
215 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216 
217 	__u8 auth_type;
218 
219 	switch (d->sec_level) {
220 	case BT_SECURITY_HIGH:
221 	case BT_SECURITY_FIPS:
222 		auth_type = HCI_AT_GENERAL_BONDING_MITM;
223 		break;
224 	case BT_SECURITY_MEDIUM:
225 		auth_type = HCI_AT_GENERAL_BONDING;
226 		break;
227 	default:
228 		auth_type = HCI_AT_NO_BONDING;
229 		break;
230 	}
231 
232 	return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233 				 d->out);
234 }
235 
236 static void rfcomm_session_timeout(struct timer_list *t)
237 {
238 	struct rfcomm_session *s = from_timer(s, t, timer);
239 
240 	BT_DBG("session %p state %ld", s, s->state);
241 
242 	set_bit(RFCOMM_TIMED_OUT, &s->flags);
243 	rfcomm_schedule();
244 }
245 
246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247 {
248 	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249 
250 	mod_timer(&s->timer, jiffies + timeout);
251 }
252 
253 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254 {
255 	BT_DBG("session %p state %ld", s, s->state);
256 
257 	del_timer_sync(&s->timer);
258 }
259 
260 /* ---- RFCOMM DLCs ---- */
261 static void rfcomm_dlc_timeout(struct timer_list *t)
262 {
263 	struct rfcomm_dlc *d = from_timer(d, t, timer);
264 
265 	BT_DBG("dlc %p state %ld", d, d->state);
266 
267 	set_bit(RFCOMM_TIMED_OUT, &d->flags);
268 	rfcomm_dlc_put(d);
269 	rfcomm_schedule();
270 }
271 
272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273 {
274 	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275 
276 	if (!mod_timer(&d->timer, jiffies + timeout))
277 		rfcomm_dlc_hold(d);
278 }
279 
280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281 {
282 	BT_DBG("dlc %p state %ld", d, d->state);
283 
284 	if (del_timer(&d->timer))
285 		rfcomm_dlc_put(d);
286 }
287 
288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289 {
290 	BT_DBG("%p", d);
291 
292 	d->state      = BT_OPEN;
293 	d->flags      = 0;
294 	d->mscex      = 0;
295 	d->sec_level  = BT_SECURITY_LOW;
296 	d->mtu        = RFCOMM_DEFAULT_MTU;
297 	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298 
299 	d->cfc        = RFCOMM_CFC_DISABLED;
300 	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301 }
302 
303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304 {
305 	struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306 
307 	if (!d)
308 		return NULL;
309 
310 	timer_setup(&d->timer, rfcomm_dlc_timeout, 0);
311 
312 	skb_queue_head_init(&d->tx_queue);
313 	mutex_init(&d->lock);
314 	refcount_set(&d->refcnt, 1);
315 
316 	rfcomm_dlc_clear_state(d);
317 
318 	BT_DBG("%p", d);
319 
320 	return d;
321 }
322 
323 void rfcomm_dlc_free(struct rfcomm_dlc *d)
324 {
325 	BT_DBG("%p", d);
326 
327 	skb_queue_purge(&d->tx_queue);
328 	kfree(d);
329 }
330 
331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332 {
333 	BT_DBG("dlc %p session %p", d, s);
334 
335 	rfcomm_session_clear_timer(s);
336 	rfcomm_dlc_hold(d);
337 	list_add(&d->list, &s->dlcs);
338 	d->session = s;
339 }
340 
341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342 {
343 	struct rfcomm_session *s = d->session;
344 
345 	BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);
346 
347 	list_del(&d->list);
348 	d->session = NULL;
349 	rfcomm_dlc_put(d);
350 
351 	if (list_empty(&s->dlcs))
352 		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353 }
354 
355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356 {
357 	struct rfcomm_dlc *d;
358 
359 	list_for_each_entry(d, &s->dlcs, list)
360 		if (d->dlci == dlci)
361 			return d;
362 
363 	return NULL;
364 }
365 
366 static int rfcomm_check_channel(u8 channel)
367 {
368 	return channel < 1 || channel > 30;
369 }
370 
371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372 {
373 	struct rfcomm_session *s;
374 	int err = 0;
375 	u8 dlci;
376 
377 	BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378 	       d, d->state, src, dst, channel);
379 
380 	if (rfcomm_check_channel(channel))
381 		return -EINVAL;
382 
383 	if (d->state != BT_OPEN && d->state != BT_CLOSED)
384 		return 0;
385 
386 	s = rfcomm_session_get(src, dst);
387 	if (!s) {
388 		s = rfcomm_session_create(src, dst, d->sec_level, &err);
389 		if (!s)
390 			return err;
391 	}
392 
393 	dlci = __dlci(__session_dir(s), channel);
394 
395 	/* Check if DLCI already exists */
396 	if (rfcomm_dlc_get(s, dlci))
397 		return -EBUSY;
398 
399 	rfcomm_dlc_clear_state(d);
400 
401 	d->dlci     = dlci;
402 	d->addr     = __addr(s->initiator, dlci);
403 	d->priority = 7;
404 
405 	d->state = BT_CONFIG;
406 	rfcomm_dlc_link(s, d);
407 
408 	d->out = 1;
409 
410 	d->mtu = s->mtu;
411 	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412 
413 	if (s->state == BT_CONNECTED) {
414 		if (rfcomm_check_security(d))
415 			rfcomm_send_pn(s, 1, d);
416 		else
417 			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418 	}
419 
420 	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421 
422 	return 0;
423 }
424 
425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426 {
427 	int r;
428 
429 	rfcomm_lock();
430 
431 	r = __rfcomm_dlc_open(d, src, dst, channel);
432 
433 	rfcomm_unlock();
434 	return r;
435 }
436 
437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438 {
439 	struct rfcomm_session *s = d->session;
440 
441 	d->state = BT_DISCONN;
442 	if (skb_queue_empty(&d->tx_queue)) {
443 		rfcomm_send_disc(s, d->dlci);
444 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445 	} else {
446 		rfcomm_queue_disc(d);
447 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448 	}
449 }
450 
451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453 	struct rfcomm_session *s = d->session;
454 	if (!s)
455 		return 0;
456 
457 	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458 			d, d->state, d->dlci, err, s);
459 
460 	switch (d->state) {
461 	case BT_CONNECT:
462 	case BT_CONFIG:
463 	case BT_OPEN:
464 	case BT_CONNECT2:
465 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467 			rfcomm_schedule();
468 			return 0;
469 		}
470 	}
471 
472 	switch (d->state) {
473 	case BT_CONNECT:
474 	case BT_CONNECTED:
475 		__rfcomm_dlc_disconn(d);
476 		break;
477 
478 	case BT_CONFIG:
479 		if (s->state != BT_BOUND) {
480 			__rfcomm_dlc_disconn(d);
481 			break;
482 		}
483 		/* if closing a dlc in a session that hasn't been started,
484 		 * just close and unlink the dlc
485 		 */
486 		/* fall through */
487 
488 	default:
489 		rfcomm_dlc_clear_timer(d);
490 
491 		rfcomm_dlc_lock(d);
492 		d->state = BT_CLOSED;
493 		d->state_change(d, err);
494 		rfcomm_dlc_unlock(d);
495 
496 		skb_queue_purge(&d->tx_queue);
497 		rfcomm_dlc_unlink(d);
498 	}
499 
500 	return 0;
501 }
502 
503 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
504 {
505 	int r = 0;
506 	struct rfcomm_dlc *d_list;
507 	struct rfcomm_session *s, *s_list;
508 
509 	BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
510 
511 	rfcomm_lock();
512 
513 	s = d->session;
514 	if (!s)
515 		goto no_session;
516 
517 	/* after waiting on the mutex check the session still exists
518 	 * then check the dlc still exists
519 	 */
520 	list_for_each_entry(s_list, &session_list, list) {
521 		if (s_list == s) {
522 			list_for_each_entry(d_list, &s->dlcs, list) {
523 				if (d_list == d) {
524 					r = __rfcomm_dlc_close(d, err);
525 					break;
526 				}
527 			}
528 			break;
529 		}
530 	}
531 
532 no_session:
533 	rfcomm_unlock();
534 	return r;
535 }
536 
537 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
538 {
539 	struct rfcomm_session *s;
540 	struct rfcomm_dlc *dlc = NULL;
541 	u8 dlci;
542 
543 	if (rfcomm_check_channel(channel))
544 		return ERR_PTR(-EINVAL);
545 
546 	rfcomm_lock();
547 	s = rfcomm_session_get(src, dst);
548 	if (s) {
549 		dlci = __dlci(__session_dir(s), channel);
550 		dlc = rfcomm_dlc_get(s, dlci);
551 	}
552 	rfcomm_unlock();
553 	return dlc;
554 }
555 
556 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
557 {
558 	int len = skb->len;
559 
560 	if (d->state != BT_CONNECTED)
561 		return -ENOTCONN;
562 
563 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
564 
565 	if (len > d->mtu)
566 		return -EINVAL;
567 
568 	rfcomm_make_uih(skb, d->addr);
569 	skb_queue_tail(&d->tx_queue, skb);
570 
571 	if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
572 		rfcomm_schedule();
573 	return len;
574 }
575 
576 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
577 {
578 	int len = skb->len;
579 
580 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
581 
582 	rfcomm_make_uih(skb, d->addr);
583 	skb_queue_tail(&d->tx_queue, skb);
584 
585 	if (d->state == BT_CONNECTED &&
586 	    !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
587 		rfcomm_schedule();
588 }
589 
590 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
591 {
592 	BT_DBG("dlc %p state %ld", d, d->state);
593 
594 	if (!d->cfc) {
595 		d->v24_sig |= RFCOMM_V24_FC;
596 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
597 	}
598 	rfcomm_schedule();
599 }
600 
601 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
602 {
603 	BT_DBG("dlc %p state %ld", d, d->state);
604 
605 	if (!d->cfc) {
606 		d->v24_sig &= ~RFCOMM_V24_FC;
607 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
608 	}
609 	rfcomm_schedule();
610 }
611 
612 /*
613    Set/get modem status functions use _local_ status i.e. what we report
614    to the other side.
615    Remote status is provided by dlc->modem_status() callback.
616  */
617 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
618 {
619 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
620 			d, d->state, v24_sig);
621 
622 	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
623 		v24_sig |= RFCOMM_V24_FC;
624 	else
625 		v24_sig &= ~RFCOMM_V24_FC;
626 
627 	d->v24_sig = v24_sig;
628 
629 	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
630 		rfcomm_schedule();
631 
632 	return 0;
633 }
634 
635 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
636 {
637 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
638 			d, d->state, d->v24_sig);
639 
640 	*v24_sig = d->v24_sig;
641 	return 0;
642 }
643 
644 /* ---- RFCOMM sessions ---- */
645 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
646 {
647 	struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
648 
649 	if (!s)
650 		return NULL;
651 
652 	BT_DBG("session %p sock %p", s, sock);
653 
654 	timer_setup(&s->timer, rfcomm_session_timeout, 0);
655 
656 	INIT_LIST_HEAD(&s->dlcs);
657 	s->state = state;
658 	s->sock  = sock;
659 
660 	s->mtu = RFCOMM_DEFAULT_MTU;
661 	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
662 
663 	/* Do not increment module usage count for listening sessions.
664 	 * Otherwise we won't be able to unload the module. */
665 	if (state != BT_LISTEN)
666 		if (!try_module_get(THIS_MODULE)) {
667 			kfree(s);
668 			return NULL;
669 		}
670 
671 	list_add(&s->list, &session_list);
672 
673 	return s;
674 }
675 
676 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
677 {
678 	int state = s->state;
679 
680 	BT_DBG("session %p state %ld", s, s->state);
681 
682 	list_del(&s->list);
683 
684 	rfcomm_session_clear_timer(s);
685 	sock_release(s->sock);
686 	kfree(s);
687 
688 	if (state != BT_LISTEN)
689 		module_put(THIS_MODULE);
690 
691 	return NULL;
692 }
693 
694 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
695 {
696 	struct rfcomm_session *s, *n;
697 	struct l2cap_chan *chan;
698 	list_for_each_entry_safe(s, n, &session_list, list) {
699 		chan = l2cap_pi(s->sock->sk)->chan;
700 
701 		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
702 		    !bacmp(&chan->dst, dst))
703 			return s;
704 	}
705 	return NULL;
706 }
707 
708 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
709 						   int err)
710 {
711 	struct rfcomm_dlc *d, *n;
712 
713 	s->state = BT_CLOSED;
714 
715 	BT_DBG("session %p state %ld err %d", s, s->state, err);
716 
717 	/* Close all dlcs */
718 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
719 		d->state = BT_CLOSED;
720 		__rfcomm_dlc_close(d, err);
721 	}
722 
723 	rfcomm_session_clear_timer(s);
724 	return rfcomm_session_del(s);
725 }
726 
727 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
728 							bdaddr_t *dst,
729 							u8 sec_level,
730 							int *err)
731 {
732 	struct rfcomm_session *s = NULL;
733 	struct sockaddr_l2 addr;
734 	struct socket *sock;
735 	struct sock *sk;
736 
737 	BT_DBG("%pMR -> %pMR", src, dst);
738 
739 	*err = rfcomm_l2sock_create(&sock);
740 	if (*err < 0)
741 		return NULL;
742 
743 	bacpy(&addr.l2_bdaddr, src);
744 	addr.l2_family = AF_BLUETOOTH;
745 	addr.l2_psm    = 0;
746 	addr.l2_cid    = 0;
747 	addr.l2_bdaddr_type = BDADDR_BREDR;
748 	*err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
749 	if (*err < 0)
750 		goto failed;
751 
752 	/* Set L2CAP options */
753 	sk = sock->sk;
754 	lock_sock(sk);
755 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
756 	l2cap_pi(sk)->chan->sec_level = sec_level;
757 	if (l2cap_ertm)
758 		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
759 	release_sock(sk);
760 
761 	s = rfcomm_session_add(sock, BT_BOUND);
762 	if (!s) {
763 		*err = -ENOMEM;
764 		goto failed;
765 	}
766 
767 	s->initiator = 1;
768 
769 	bacpy(&addr.l2_bdaddr, dst);
770 	addr.l2_family = AF_BLUETOOTH;
771 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
772 	addr.l2_cid    = 0;
773 	addr.l2_bdaddr_type = BDADDR_BREDR;
774 	*err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
775 	if (*err == 0 || *err == -EINPROGRESS)
776 		return s;
777 
778 	return rfcomm_session_del(s);
779 
780 failed:
781 	sock_release(sock);
782 	return NULL;
783 }
784 
785 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
786 {
787 	struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
788 	if (src)
789 		bacpy(src, &chan->src);
790 	if (dst)
791 		bacpy(dst, &chan->dst);
792 }
793 
794 /* ---- RFCOMM frame sending ---- */
795 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
796 {
797 	struct kvec iv = { data, len };
798 	struct msghdr msg;
799 
800 	BT_DBG("session %p len %d", s, len);
801 
802 	memset(&msg, 0, sizeof(msg));
803 
804 	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
805 }
806 
807 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
808 {
809 	BT_DBG("%p cmd %u", s, cmd->ctrl);
810 
811 	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
812 }
813 
814 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
815 {
816 	struct rfcomm_cmd cmd;
817 
818 	BT_DBG("%p dlci %d", s, dlci);
819 
820 	cmd.addr = __addr(s->initiator, dlci);
821 	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
822 	cmd.len  = __len8(0);
823 	cmd.fcs  = __fcs2((u8 *) &cmd);
824 
825 	return rfcomm_send_cmd(s, &cmd);
826 }
827 
828 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
829 {
830 	struct rfcomm_cmd cmd;
831 
832 	BT_DBG("%p dlci %d", s, dlci);
833 
834 	cmd.addr = __addr(!s->initiator, dlci);
835 	cmd.ctrl = __ctrl(RFCOMM_UA, 1);
836 	cmd.len  = __len8(0);
837 	cmd.fcs  = __fcs2((u8 *) &cmd);
838 
839 	return rfcomm_send_cmd(s, &cmd);
840 }
841 
842 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
843 {
844 	struct rfcomm_cmd cmd;
845 
846 	BT_DBG("%p dlci %d", s, dlci);
847 
848 	cmd.addr = __addr(s->initiator, dlci);
849 	cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
850 	cmd.len  = __len8(0);
851 	cmd.fcs  = __fcs2((u8 *) &cmd);
852 
853 	return rfcomm_send_cmd(s, &cmd);
854 }
855 
856 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
857 {
858 	struct rfcomm_cmd *cmd;
859 	struct sk_buff *skb;
860 
861 	BT_DBG("dlc %p dlci %d", d, d->dlci);
862 
863 	skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
864 	if (!skb)
865 		return -ENOMEM;
866 
867 	cmd = __skb_put(skb, sizeof(*cmd));
868 	cmd->addr = d->addr;
869 	cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
870 	cmd->len  = __len8(0);
871 	cmd->fcs  = __fcs2((u8 *) cmd);
872 
873 	skb_queue_tail(&d->tx_queue, skb);
874 	rfcomm_schedule();
875 	return 0;
876 }
877 
878 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
879 {
880 	struct rfcomm_cmd cmd;
881 
882 	BT_DBG("%p dlci %d", s, dlci);
883 
884 	cmd.addr = __addr(!s->initiator, dlci);
885 	cmd.ctrl = __ctrl(RFCOMM_DM, 1);
886 	cmd.len  = __len8(0);
887 	cmd.fcs  = __fcs2((u8 *) &cmd);
888 
889 	return rfcomm_send_cmd(s, &cmd);
890 }
891 
892 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
893 {
894 	struct rfcomm_hdr *hdr;
895 	struct rfcomm_mcc *mcc;
896 	u8 buf[16], *ptr = buf;
897 
898 	BT_DBG("%p cr %d type %d", s, cr, type);
899 
900 	hdr = (void *) ptr; ptr += sizeof(*hdr);
901 	hdr->addr = __addr(s->initiator, 0);
902 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
903 	hdr->len  = __len8(sizeof(*mcc) + 1);
904 
905 	mcc = (void *) ptr; ptr += sizeof(*mcc);
906 	mcc->type = __mcc_type(0, RFCOMM_NSC);
907 	mcc->len  = __len8(1);
908 
909 	/* Type that we didn't like */
910 	*ptr = __mcc_type(cr, type); ptr++;
911 
912 	*ptr = __fcs(buf); ptr++;
913 
914 	return rfcomm_send_frame(s, buf, ptr - buf);
915 }
916 
917 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
918 {
919 	struct rfcomm_hdr *hdr;
920 	struct rfcomm_mcc *mcc;
921 	struct rfcomm_pn  *pn;
922 	u8 buf[16], *ptr = buf;
923 
924 	BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
925 
926 	hdr = (void *) ptr; ptr += sizeof(*hdr);
927 	hdr->addr = __addr(s->initiator, 0);
928 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
929 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
930 
931 	mcc = (void *) ptr; ptr += sizeof(*mcc);
932 	mcc->type = __mcc_type(cr, RFCOMM_PN);
933 	mcc->len  = __len8(sizeof(*pn));
934 
935 	pn = (void *) ptr; ptr += sizeof(*pn);
936 	pn->dlci        = d->dlci;
937 	pn->priority    = d->priority;
938 	pn->ack_timer   = 0;
939 	pn->max_retrans = 0;
940 
941 	if (s->cfc) {
942 		pn->flow_ctrl = cr ? 0xf0 : 0xe0;
943 		pn->credits = RFCOMM_DEFAULT_CREDITS;
944 	} else {
945 		pn->flow_ctrl = 0;
946 		pn->credits   = 0;
947 	}
948 
949 	if (cr && channel_mtu >= 0)
950 		pn->mtu = cpu_to_le16(channel_mtu);
951 	else
952 		pn->mtu = cpu_to_le16(d->mtu);
953 
954 	*ptr = __fcs(buf); ptr++;
955 
956 	return rfcomm_send_frame(s, buf, ptr - buf);
957 }
958 
959 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
960 			u8 bit_rate, u8 data_bits, u8 stop_bits,
961 			u8 parity, u8 flow_ctrl_settings,
962 			u8 xon_char, u8 xoff_char, u16 param_mask)
963 {
964 	struct rfcomm_hdr *hdr;
965 	struct rfcomm_mcc *mcc;
966 	struct rfcomm_rpn *rpn;
967 	u8 buf[16], *ptr = buf;
968 
969 	BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
970 			" flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
971 		s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
972 		flow_ctrl_settings, xon_char, xoff_char, param_mask);
973 
974 	hdr = (void *) ptr; ptr += sizeof(*hdr);
975 	hdr->addr = __addr(s->initiator, 0);
976 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
977 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
978 
979 	mcc = (void *) ptr; ptr += sizeof(*mcc);
980 	mcc->type = __mcc_type(cr, RFCOMM_RPN);
981 	mcc->len  = __len8(sizeof(*rpn));
982 
983 	rpn = (void *) ptr; ptr += sizeof(*rpn);
984 	rpn->dlci          = __addr(1, dlci);
985 	rpn->bit_rate      = bit_rate;
986 	rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
987 	rpn->flow_ctrl     = flow_ctrl_settings;
988 	rpn->xon_char      = xon_char;
989 	rpn->xoff_char     = xoff_char;
990 	rpn->param_mask    = cpu_to_le16(param_mask);
991 
992 	*ptr = __fcs(buf); ptr++;
993 
994 	return rfcomm_send_frame(s, buf, ptr - buf);
995 }
996 
997 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
998 {
999 	struct rfcomm_hdr *hdr;
1000 	struct rfcomm_mcc *mcc;
1001 	struct rfcomm_rls *rls;
1002 	u8 buf[16], *ptr = buf;
1003 
1004 	BT_DBG("%p cr %d status 0x%x", s, cr, status);
1005 
1006 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1007 	hdr->addr = __addr(s->initiator, 0);
1008 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1009 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
1010 
1011 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1012 	mcc->type = __mcc_type(cr, RFCOMM_RLS);
1013 	mcc->len  = __len8(sizeof(*rls));
1014 
1015 	rls = (void *) ptr; ptr += sizeof(*rls);
1016 	rls->dlci   = __addr(1, dlci);
1017 	rls->status = status;
1018 
1019 	*ptr = __fcs(buf); ptr++;
1020 
1021 	return rfcomm_send_frame(s, buf, ptr - buf);
1022 }
1023 
1024 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1025 {
1026 	struct rfcomm_hdr *hdr;
1027 	struct rfcomm_mcc *mcc;
1028 	struct rfcomm_msc *msc;
1029 	u8 buf[16], *ptr = buf;
1030 
1031 	BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1032 
1033 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1034 	hdr->addr = __addr(s->initiator, 0);
1035 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1036 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1037 
1038 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1039 	mcc->type = __mcc_type(cr, RFCOMM_MSC);
1040 	mcc->len  = __len8(sizeof(*msc));
1041 
1042 	msc = (void *) ptr; ptr += sizeof(*msc);
1043 	msc->dlci    = __addr(1, dlci);
1044 	msc->v24_sig = v24_sig | 0x01;
1045 
1046 	*ptr = __fcs(buf); ptr++;
1047 
1048 	return rfcomm_send_frame(s, buf, ptr - buf);
1049 }
1050 
1051 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1052 {
1053 	struct rfcomm_hdr *hdr;
1054 	struct rfcomm_mcc *mcc;
1055 	u8 buf[16], *ptr = buf;
1056 
1057 	BT_DBG("%p cr %d", s, cr);
1058 
1059 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1060 	hdr->addr = __addr(s->initiator, 0);
1061 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1062 	hdr->len  = __len8(sizeof(*mcc));
1063 
1064 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1065 	mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1066 	mcc->len  = __len8(0);
1067 
1068 	*ptr = __fcs(buf); ptr++;
1069 
1070 	return rfcomm_send_frame(s, buf, ptr - buf);
1071 }
1072 
1073 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1074 {
1075 	struct rfcomm_hdr *hdr;
1076 	struct rfcomm_mcc *mcc;
1077 	u8 buf[16], *ptr = buf;
1078 
1079 	BT_DBG("%p cr %d", s, cr);
1080 
1081 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1082 	hdr->addr = __addr(s->initiator, 0);
1083 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1084 	hdr->len  = __len8(sizeof(*mcc));
1085 
1086 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1087 	mcc->type = __mcc_type(cr, RFCOMM_FCON);
1088 	mcc->len  = __len8(0);
1089 
1090 	*ptr = __fcs(buf); ptr++;
1091 
1092 	return rfcomm_send_frame(s, buf, ptr - buf);
1093 }
1094 
1095 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1096 {
1097 	struct socket *sock = s->sock;
1098 	struct kvec iv[3];
1099 	struct msghdr msg;
1100 	unsigned char hdr[5], crc[1];
1101 
1102 	if (len > 125)
1103 		return -EINVAL;
1104 
1105 	BT_DBG("%p cr %d", s, cr);
1106 
1107 	hdr[0] = __addr(s->initiator, 0);
1108 	hdr[1] = __ctrl(RFCOMM_UIH, 0);
1109 	hdr[2] = 0x01 | ((len + 2) << 1);
1110 	hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1111 	hdr[4] = 0x01 | (len << 1);
1112 
1113 	crc[0] = __fcs(hdr);
1114 
1115 	iv[0].iov_base = hdr;
1116 	iv[0].iov_len  = 5;
1117 	iv[1].iov_base = pattern;
1118 	iv[1].iov_len  = len;
1119 	iv[2].iov_base = crc;
1120 	iv[2].iov_len  = 1;
1121 
1122 	memset(&msg, 0, sizeof(msg));
1123 
1124 	return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1125 }
1126 
1127 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1128 {
1129 	struct rfcomm_hdr *hdr;
1130 	u8 buf[16], *ptr = buf;
1131 
1132 	BT_DBG("%p addr %d credits %d", s, addr, credits);
1133 
1134 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1135 	hdr->addr = addr;
1136 	hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1137 	hdr->len  = __len8(0);
1138 
1139 	*ptr = credits; ptr++;
1140 
1141 	*ptr = __fcs(buf); ptr++;
1142 
1143 	return rfcomm_send_frame(s, buf, ptr - buf);
1144 }
1145 
1146 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1147 {
1148 	struct rfcomm_hdr *hdr;
1149 	int len = skb->len;
1150 	u8 *crc;
1151 
1152 	if (len > 127) {
1153 		hdr = skb_push(skb, 4);
1154 		put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1155 	} else {
1156 		hdr = skb_push(skb, 3);
1157 		hdr->len = __len8(len);
1158 	}
1159 	hdr->addr = addr;
1160 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1161 
1162 	crc = skb_put(skb, 1);
1163 	*crc = __fcs((void *) hdr);
1164 }
1165 
1166 /* ---- RFCOMM frame reception ---- */
1167 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1168 {
1169 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1170 
1171 	if (dlci) {
1172 		/* Data channel */
1173 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1174 		if (!d) {
1175 			rfcomm_send_dm(s, dlci);
1176 			return s;
1177 		}
1178 
1179 		switch (d->state) {
1180 		case BT_CONNECT:
1181 			rfcomm_dlc_clear_timer(d);
1182 
1183 			rfcomm_dlc_lock(d);
1184 			d->state = BT_CONNECTED;
1185 			d->state_change(d, 0);
1186 			rfcomm_dlc_unlock(d);
1187 
1188 			rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1189 			break;
1190 
1191 		case BT_DISCONN:
1192 			d->state = BT_CLOSED;
1193 			__rfcomm_dlc_close(d, 0);
1194 
1195 			if (list_empty(&s->dlcs)) {
1196 				s->state = BT_DISCONN;
1197 				rfcomm_send_disc(s, 0);
1198 				rfcomm_session_clear_timer(s);
1199 			}
1200 
1201 			break;
1202 		}
1203 	} else {
1204 		/* Control channel */
1205 		switch (s->state) {
1206 		case BT_CONNECT:
1207 			s->state = BT_CONNECTED;
1208 			rfcomm_process_connect(s);
1209 			break;
1210 
1211 		case BT_DISCONN:
1212 			s = rfcomm_session_close(s, ECONNRESET);
1213 			break;
1214 		}
1215 	}
1216 	return s;
1217 }
1218 
1219 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1220 {
1221 	int err = 0;
1222 
1223 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1224 
1225 	if (dlci) {
1226 		/* Data DLC */
1227 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1228 		if (d) {
1229 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1230 				err = ECONNREFUSED;
1231 			else
1232 				err = ECONNRESET;
1233 
1234 			d->state = BT_CLOSED;
1235 			__rfcomm_dlc_close(d, err);
1236 		}
1237 	} else {
1238 		if (s->state == BT_CONNECT)
1239 			err = ECONNREFUSED;
1240 		else
1241 			err = ECONNRESET;
1242 
1243 		s = rfcomm_session_close(s, err);
1244 	}
1245 	return s;
1246 }
1247 
1248 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1249 					       u8 dlci)
1250 {
1251 	int err = 0;
1252 
1253 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1254 
1255 	if (dlci) {
1256 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1257 		if (d) {
1258 			rfcomm_send_ua(s, dlci);
1259 
1260 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1261 				err = ECONNREFUSED;
1262 			else
1263 				err = ECONNRESET;
1264 
1265 			d->state = BT_CLOSED;
1266 			__rfcomm_dlc_close(d, err);
1267 		} else
1268 			rfcomm_send_dm(s, dlci);
1269 
1270 	} else {
1271 		rfcomm_send_ua(s, 0);
1272 
1273 		if (s->state == BT_CONNECT)
1274 			err = ECONNREFUSED;
1275 		else
1276 			err = ECONNRESET;
1277 
1278 		s = rfcomm_session_close(s, err);
1279 	}
1280 	return s;
1281 }
1282 
1283 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1284 {
1285 	struct sock *sk = d->session->sock->sk;
1286 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1287 
1288 	BT_DBG("dlc %p", d);
1289 
1290 	rfcomm_send_ua(d->session, d->dlci);
1291 
1292 	rfcomm_dlc_clear_timer(d);
1293 
1294 	rfcomm_dlc_lock(d);
1295 	d->state = BT_CONNECTED;
1296 	d->state_change(d, 0);
1297 	rfcomm_dlc_unlock(d);
1298 
1299 	if (d->role_switch)
1300 		hci_conn_switch_role(conn->hcon, 0x00);
1301 
1302 	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1303 }
1304 
1305 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1306 {
1307 	if (rfcomm_check_security(d)) {
1308 		if (d->defer_setup) {
1309 			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1310 			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1311 
1312 			rfcomm_dlc_lock(d);
1313 			d->state = BT_CONNECT2;
1314 			d->state_change(d, 0);
1315 			rfcomm_dlc_unlock(d);
1316 		} else
1317 			rfcomm_dlc_accept(d);
1318 	} else {
1319 		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1320 		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1321 	}
1322 }
1323 
1324 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1325 {
1326 	struct rfcomm_dlc *d;
1327 	u8 channel;
1328 
1329 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1330 
1331 	if (!dlci) {
1332 		rfcomm_send_ua(s, 0);
1333 
1334 		if (s->state == BT_OPEN) {
1335 			s->state = BT_CONNECTED;
1336 			rfcomm_process_connect(s);
1337 		}
1338 		return 0;
1339 	}
1340 
1341 	/* Check if DLC exists */
1342 	d = rfcomm_dlc_get(s, dlci);
1343 	if (d) {
1344 		if (d->state == BT_OPEN) {
1345 			/* DLC was previously opened by PN request */
1346 			rfcomm_check_accept(d);
1347 		}
1348 		return 0;
1349 	}
1350 
1351 	/* Notify socket layer about incoming connection */
1352 	channel = __srv_channel(dlci);
1353 	if (rfcomm_connect_ind(s, channel, &d)) {
1354 		d->dlci = dlci;
1355 		d->addr = __addr(s->initiator, dlci);
1356 		rfcomm_dlc_link(s, d);
1357 
1358 		rfcomm_check_accept(d);
1359 	} else {
1360 		rfcomm_send_dm(s, dlci);
1361 	}
1362 
1363 	return 0;
1364 }
1365 
1366 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1367 {
1368 	struct rfcomm_session *s = d->session;
1369 
1370 	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1371 			d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1372 
1373 	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1374 						pn->flow_ctrl == 0xe0) {
1375 		d->cfc = RFCOMM_CFC_ENABLED;
1376 		d->tx_credits = pn->credits;
1377 	} else {
1378 		d->cfc = RFCOMM_CFC_DISABLED;
1379 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1380 	}
1381 
1382 	if (s->cfc == RFCOMM_CFC_UNKNOWN)
1383 		s->cfc = d->cfc;
1384 
1385 	d->priority = pn->priority;
1386 
1387 	d->mtu = __le16_to_cpu(pn->mtu);
1388 
1389 	if (cr && d->mtu > s->mtu)
1390 		d->mtu = s->mtu;
1391 
1392 	return 0;
1393 }
1394 
1395 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1396 {
1397 	struct rfcomm_pn *pn = (void *) skb->data;
1398 	struct rfcomm_dlc *d;
1399 	u8 dlci = pn->dlci;
1400 
1401 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1402 
1403 	if (!dlci)
1404 		return 0;
1405 
1406 	d = rfcomm_dlc_get(s, dlci);
1407 	if (d) {
1408 		if (cr) {
1409 			/* PN request */
1410 			rfcomm_apply_pn(d, cr, pn);
1411 			rfcomm_send_pn(s, 0, d);
1412 		} else {
1413 			/* PN response */
1414 			switch (d->state) {
1415 			case BT_CONFIG:
1416 				rfcomm_apply_pn(d, cr, pn);
1417 
1418 				d->state = BT_CONNECT;
1419 				rfcomm_send_sabm(s, d->dlci);
1420 				break;
1421 			}
1422 		}
1423 	} else {
1424 		u8 channel = __srv_channel(dlci);
1425 
1426 		if (!cr)
1427 			return 0;
1428 
1429 		/* PN request for non existing DLC.
1430 		 * Assume incoming connection. */
1431 		if (rfcomm_connect_ind(s, channel, &d)) {
1432 			d->dlci = dlci;
1433 			d->addr = __addr(s->initiator, dlci);
1434 			rfcomm_dlc_link(s, d);
1435 
1436 			rfcomm_apply_pn(d, cr, pn);
1437 
1438 			d->state = BT_OPEN;
1439 			rfcomm_send_pn(s, 0, d);
1440 		} else {
1441 			rfcomm_send_dm(s, dlci);
1442 		}
1443 	}
1444 	return 0;
1445 }
1446 
1447 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1448 {
1449 	struct rfcomm_rpn *rpn = (void *) skb->data;
1450 	u8 dlci = __get_dlci(rpn->dlci);
1451 
1452 	u8 bit_rate  = 0;
1453 	u8 data_bits = 0;
1454 	u8 stop_bits = 0;
1455 	u8 parity    = 0;
1456 	u8 flow_ctrl = 0;
1457 	u8 xon_char  = 0;
1458 	u8 xoff_char = 0;
1459 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1460 
1461 	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1462 		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1463 		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1464 
1465 	if (!cr)
1466 		return 0;
1467 
1468 	if (len == 1) {
1469 		/* This is a request, return default (according to ETSI TS 07.10) settings */
1470 		bit_rate  = RFCOMM_RPN_BR_9600;
1471 		data_bits = RFCOMM_RPN_DATA_8;
1472 		stop_bits = RFCOMM_RPN_STOP_1;
1473 		parity    = RFCOMM_RPN_PARITY_NONE;
1474 		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1475 		xon_char  = RFCOMM_RPN_XON_CHAR;
1476 		xoff_char = RFCOMM_RPN_XOFF_CHAR;
1477 		goto rpn_out;
1478 	}
1479 
1480 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1481 	 * no parity, no flow control lines, normal XON/XOFF chars */
1482 
1483 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1484 		bit_rate = rpn->bit_rate;
1485 		if (bit_rate > RFCOMM_RPN_BR_230400) {
1486 			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1487 			bit_rate = RFCOMM_RPN_BR_9600;
1488 			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1489 		}
1490 	}
1491 
1492 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1493 		data_bits = __get_rpn_data_bits(rpn->line_settings);
1494 		if (data_bits != RFCOMM_RPN_DATA_8) {
1495 			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1496 			data_bits = RFCOMM_RPN_DATA_8;
1497 			rpn_mask ^= RFCOMM_RPN_PM_DATA;
1498 		}
1499 	}
1500 
1501 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1502 		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1503 		if (stop_bits != RFCOMM_RPN_STOP_1) {
1504 			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1505 			stop_bits = RFCOMM_RPN_STOP_1;
1506 			rpn_mask ^= RFCOMM_RPN_PM_STOP;
1507 		}
1508 	}
1509 
1510 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1511 		parity = __get_rpn_parity(rpn->line_settings);
1512 		if (parity != RFCOMM_RPN_PARITY_NONE) {
1513 			BT_DBG("RPN parity mismatch 0x%x", parity);
1514 			parity = RFCOMM_RPN_PARITY_NONE;
1515 			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1516 		}
1517 	}
1518 
1519 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1520 		flow_ctrl = rpn->flow_ctrl;
1521 		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1522 			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1523 			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1524 			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1525 		}
1526 	}
1527 
1528 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1529 		xon_char = rpn->xon_char;
1530 		if (xon_char != RFCOMM_RPN_XON_CHAR) {
1531 			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1532 			xon_char = RFCOMM_RPN_XON_CHAR;
1533 			rpn_mask ^= RFCOMM_RPN_PM_XON;
1534 		}
1535 	}
1536 
1537 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1538 		xoff_char = rpn->xoff_char;
1539 		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1540 			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1541 			xoff_char = RFCOMM_RPN_XOFF_CHAR;
1542 			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1543 		}
1544 	}
1545 
1546 rpn_out:
1547 	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1548 			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1549 
1550 	return 0;
1551 }
1552 
1553 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1554 {
1555 	struct rfcomm_rls *rls = (void *) skb->data;
1556 	u8 dlci = __get_dlci(rls->dlci);
1557 
1558 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1559 
1560 	if (!cr)
1561 		return 0;
1562 
1563 	/* We should probably do something with this information here. But
1564 	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1565 	 * mandatory to recognise and respond to RLS */
1566 
1567 	rfcomm_send_rls(s, 0, dlci, rls->status);
1568 
1569 	return 0;
1570 }
1571 
1572 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1573 {
1574 	struct rfcomm_msc *msc = (void *) skb->data;
1575 	struct rfcomm_dlc *d;
1576 	u8 dlci = __get_dlci(msc->dlci);
1577 
1578 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1579 
1580 	d = rfcomm_dlc_get(s, dlci);
1581 	if (!d)
1582 		return 0;
1583 
1584 	if (cr) {
1585 		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1586 			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1587 		else
1588 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1589 
1590 		rfcomm_dlc_lock(d);
1591 
1592 		d->remote_v24_sig = msc->v24_sig;
1593 
1594 		if (d->modem_status)
1595 			d->modem_status(d, msc->v24_sig);
1596 
1597 		rfcomm_dlc_unlock(d);
1598 
1599 		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1600 
1601 		d->mscex |= RFCOMM_MSCEX_RX;
1602 	} else
1603 		d->mscex |= RFCOMM_MSCEX_TX;
1604 
1605 	return 0;
1606 }
1607 
1608 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1609 {
1610 	struct rfcomm_mcc *mcc = (void *) skb->data;
1611 	u8 type, cr, len;
1612 
1613 	cr   = __test_cr(mcc->type);
1614 	type = __get_mcc_type(mcc->type);
1615 	len  = __get_mcc_len(mcc->len);
1616 
1617 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
1618 
1619 	skb_pull(skb, 2);
1620 
1621 	switch (type) {
1622 	case RFCOMM_PN:
1623 		rfcomm_recv_pn(s, cr, skb);
1624 		break;
1625 
1626 	case RFCOMM_RPN:
1627 		rfcomm_recv_rpn(s, cr, len, skb);
1628 		break;
1629 
1630 	case RFCOMM_RLS:
1631 		rfcomm_recv_rls(s, cr, skb);
1632 		break;
1633 
1634 	case RFCOMM_MSC:
1635 		rfcomm_recv_msc(s, cr, skb);
1636 		break;
1637 
1638 	case RFCOMM_FCOFF:
1639 		if (cr) {
1640 			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1641 			rfcomm_send_fcoff(s, 0);
1642 		}
1643 		break;
1644 
1645 	case RFCOMM_FCON:
1646 		if (cr) {
1647 			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1648 			rfcomm_send_fcon(s, 0);
1649 		}
1650 		break;
1651 
1652 	case RFCOMM_TEST:
1653 		if (cr)
1654 			rfcomm_send_test(s, 0, skb->data, skb->len);
1655 		break;
1656 
1657 	case RFCOMM_NSC:
1658 		break;
1659 
1660 	default:
1661 		BT_ERR("Unknown control type 0x%02x", type);
1662 		rfcomm_send_nsc(s, cr, type);
1663 		break;
1664 	}
1665 	return 0;
1666 }
1667 
1668 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1669 {
1670 	struct rfcomm_dlc *d;
1671 
1672 	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1673 
1674 	d = rfcomm_dlc_get(s, dlci);
1675 	if (!d) {
1676 		rfcomm_send_dm(s, dlci);
1677 		goto drop;
1678 	}
1679 
1680 	if (pf && d->cfc) {
1681 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1682 
1683 		d->tx_credits += credits;
1684 		if (d->tx_credits)
1685 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1686 	}
1687 
1688 	if (skb->len && d->state == BT_CONNECTED) {
1689 		rfcomm_dlc_lock(d);
1690 		d->rx_credits--;
1691 		d->data_ready(d, skb);
1692 		rfcomm_dlc_unlock(d);
1693 		return 0;
1694 	}
1695 
1696 drop:
1697 	kfree_skb(skb);
1698 	return 0;
1699 }
1700 
1701 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1702 						struct sk_buff *skb)
1703 {
1704 	struct rfcomm_hdr *hdr = (void *) skb->data;
1705 	u8 type, dlci, fcs;
1706 
1707 	if (!s) {
1708 		/* no session, so free socket data */
1709 		kfree_skb(skb);
1710 		return s;
1711 	}
1712 
1713 	dlci = __get_dlci(hdr->addr);
1714 	type = __get_type(hdr->ctrl);
1715 
1716 	/* Trim FCS */
1717 	skb->len--; skb->tail--;
1718 	fcs = *(u8 *)skb_tail_pointer(skb);
1719 
1720 	if (__check_fcs(skb->data, type, fcs)) {
1721 		BT_ERR("bad checksum in packet");
1722 		kfree_skb(skb);
1723 		return s;
1724 	}
1725 
1726 	if (__test_ea(hdr->len))
1727 		skb_pull(skb, 3);
1728 	else
1729 		skb_pull(skb, 4);
1730 
1731 	switch (type) {
1732 	case RFCOMM_SABM:
1733 		if (__test_pf(hdr->ctrl))
1734 			rfcomm_recv_sabm(s, dlci);
1735 		break;
1736 
1737 	case RFCOMM_DISC:
1738 		if (__test_pf(hdr->ctrl))
1739 			s = rfcomm_recv_disc(s, dlci);
1740 		break;
1741 
1742 	case RFCOMM_UA:
1743 		if (__test_pf(hdr->ctrl))
1744 			s = rfcomm_recv_ua(s, dlci);
1745 		break;
1746 
1747 	case RFCOMM_DM:
1748 		s = rfcomm_recv_dm(s, dlci);
1749 		break;
1750 
1751 	case RFCOMM_UIH:
1752 		if (dlci) {
1753 			rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1754 			return s;
1755 		}
1756 		rfcomm_recv_mcc(s, skb);
1757 		break;
1758 
1759 	default:
1760 		BT_ERR("Unknown packet type 0x%02x", type);
1761 		break;
1762 	}
1763 	kfree_skb(skb);
1764 	return s;
1765 }
1766 
1767 /* ---- Connection and data processing ---- */
1768 
1769 static void rfcomm_process_connect(struct rfcomm_session *s)
1770 {
1771 	struct rfcomm_dlc *d, *n;
1772 
1773 	BT_DBG("session %p state %ld", s, s->state);
1774 
1775 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
1776 		if (d->state == BT_CONFIG) {
1777 			d->mtu = s->mtu;
1778 			if (rfcomm_check_security(d)) {
1779 				rfcomm_send_pn(s, 1, d);
1780 			} else {
1781 				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1782 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1783 			}
1784 		}
1785 	}
1786 }
1787 
1788 /* Send data queued for the DLC.
1789  * Return number of frames left in the queue.
1790  */
1791 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1792 {
1793 	struct sk_buff *skb;
1794 	int err;
1795 
1796 	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1797 			d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1798 
1799 	/* Send pending MSC */
1800 	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1801 		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1802 
1803 	if (d->cfc) {
1804 		/* CFC enabled.
1805 		 * Give them some credits */
1806 		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1807 				d->rx_credits <= (d->cfc >> 2)) {
1808 			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1809 			d->rx_credits = d->cfc;
1810 		}
1811 	} else {
1812 		/* CFC disabled.
1813 		 * Give ourselves some credits */
1814 		d->tx_credits = 5;
1815 	}
1816 
1817 	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1818 		return skb_queue_len(&d->tx_queue);
1819 
1820 	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1821 		err = rfcomm_send_frame(d->session, skb->data, skb->len);
1822 		if (err < 0) {
1823 			skb_queue_head(&d->tx_queue, skb);
1824 			break;
1825 		}
1826 		kfree_skb(skb);
1827 		d->tx_credits--;
1828 	}
1829 
1830 	if (d->cfc && !d->tx_credits) {
1831 		/* We're out of TX credits.
1832 		 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1833 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1834 	}
1835 
1836 	return skb_queue_len(&d->tx_queue);
1837 }
1838 
1839 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1840 {
1841 	struct rfcomm_dlc *d, *n;
1842 
1843 	BT_DBG("session %p state %ld", s, s->state);
1844 
1845 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
1846 		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1847 			__rfcomm_dlc_close(d, ETIMEDOUT);
1848 			continue;
1849 		}
1850 
1851 		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1852 			__rfcomm_dlc_close(d, ECONNREFUSED);
1853 			continue;
1854 		}
1855 
1856 		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1857 			rfcomm_dlc_clear_timer(d);
1858 			if (d->out) {
1859 				rfcomm_send_pn(s, 1, d);
1860 				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1861 			} else {
1862 				if (d->defer_setup) {
1863 					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1864 					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1865 
1866 					rfcomm_dlc_lock(d);
1867 					d->state = BT_CONNECT2;
1868 					d->state_change(d, 0);
1869 					rfcomm_dlc_unlock(d);
1870 				} else
1871 					rfcomm_dlc_accept(d);
1872 			}
1873 			continue;
1874 		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1875 			rfcomm_dlc_clear_timer(d);
1876 			if (!d->out)
1877 				rfcomm_send_dm(s, d->dlci);
1878 			else
1879 				d->state = BT_CLOSED;
1880 			__rfcomm_dlc_close(d, ECONNREFUSED);
1881 			continue;
1882 		}
1883 
1884 		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1885 			continue;
1886 
1887 		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1888 			continue;
1889 
1890 		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1891 						d->mscex == RFCOMM_MSCEX_OK)
1892 			rfcomm_process_tx(d);
1893 	}
1894 }
1895 
1896 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1897 {
1898 	struct socket *sock = s->sock;
1899 	struct sock *sk = sock->sk;
1900 	struct sk_buff *skb;
1901 
1902 	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1903 
1904 	/* Get data directly from socket receive queue without copying it. */
1905 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1906 		skb_orphan(skb);
1907 		if (!skb_linearize(skb)) {
1908 			s = rfcomm_recv_frame(s, skb);
1909 			if (!s)
1910 				break;
1911 		} else {
1912 			kfree_skb(skb);
1913 		}
1914 	}
1915 
1916 	if (s && (sk->sk_state == BT_CLOSED))
1917 		s = rfcomm_session_close(s, sk->sk_err);
1918 
1919 	return s;
1920 }
1921 
1922 static void rfcomm_accept_connection(struct rfcomm_session *s)
1923 {
1924 	struct socket *sock = s->sock, *nsock;
1925 	int err;
1926 
1927 	/* Fast check for a new connection.
1928 	 * Avoids unnesesary socket allocations. */
1929 	if (list_empty(&bt_sk(sock->sk)->accept_q))
1930 		return;
1931 
1932 	BT_DBG("session %p", s);
1933 
1934 	err = kernel_accept(sock, &nsock, O_NONBLOCK);
1935 	if (err < 0)
1936 		return;
1937 
1938 	/* Set our callbacks */
1939 	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1940 	nsock->sk->sk_state_change = rfcomm_l2state_change;
1941 
1942 	s = rfcomm_session_add(nsock, BT_OPEN);
1943 	if (s) {
1944 		/* We should adjust MTU on incoming sessions.
1945 		 * L2CAP MTU minus UIH header and FCS. */
1946 		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1947 				l2cap_pi(nsock->sk)->chan->imtu) - 5;
1948 
1949 		rfcomm_schedule();
1950 	} else
1951 		sock_release(nsock);
1952 }
1953 
1954 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1955 {
1956 	struct sock *sk = s->sock->sk;
1957 
1958 	BT_DBG("%p state %ld", s, s->state);
1959 
1960 	switch (sk->sk_state) {
1961 	case BT_CONNECTED:
1962 		s->state = BT_CONNECT;
1963 
1964 		/* We can adjust MTU on outgoing sessions.
1965 		 * L2CAP MTU minus UIH header and FCS. */
1966 		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1967 
1968 		rfcomm_send_sabm(s, 0);
1969 		break;
1970 
1971 	case BT_CLOSED:
1972 		s = rfcomm_session_close(s, sk->sk_err);
1973 		break;
1974 	}
1975 	return s;
1976 }
1977 
1978 static void rfcomm_process_sessions(void)
1979 {
1980 	struct rfcomm_session *s, *n;
1981 
1982 	rfcomm_lock();
1983 
1984 	list_for_each_entry_safe(s, n, &session_list, list) {
1985 		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1986 			s->state = BT_DISCONN;
1987 			rfcomm_send_disc(s, 0);
1988 			continue;
1989 		}
1990 
1991 		switch (s->state) {
1992 		case BT_LISTEN:
1993 			rfcomm_accept_connection(s);
1994 			continue;
1995 
1996 		case BT_BOUND:
1997 			s = rfcomm_check_connection(s);
1998 			break;
1999 
2000 		default:
2001 			s = rfcomm_process_rx(s);
2002 			break;
2003 		}
2004 
2005 		if (s)
2006 			rfcomm_process_dlcs(s);
2007 	}
2008 
2009 	rfcomm_unlock();
2010 }
2011 
2012 static int rfcomm_add_listener(bdaddr_t *ba)
2013 {
2014 	struct sockaddr_l2 addr;
2015 	struct socket *sock;
2016 	struct sock *sk;
2017 	struct rfcomm_session *s;
2018 	int    err = 0;
2019 
2020 	/* Create socket */
2021 	err = rfcomm_l2sock_create(&sock);
2022 	if (err < 0) {
2023 		BT_ERR("Create socket failed %d", err);
2024 		return err;
2025 	}
2026 
2027 	/* Bind socket */
2028 	bacpy(&addr.l2_bdaddr, ba);
2029 	addr.l2_family = AF_BLUETOOTH;
2030 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
2031 	addr.l2_cid    = 0;
2032 	addr.l2_bdaddr_type = BDADDR_BREDR;
2033 	err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2034 	if (err < 0) {
2035 		BT_ERR("Bind failed %d", err);
2036 		goto failed;
2037 	}
2038 
2039 	/* Set L2CAP options */
2040 	sk = sock->sk;
2041 	lock_sock(sk);
2042 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2043 	release_sock(sk);
2044 
2045 	/* Start listening on the socket */
2046 	err = kernel_listen(sock, 10);
2047 	if (err) {
2048 		BT_ERR("Listen failed %d", err);
2049 		goto failed;
2050 	}
2051 
2052 	/* Add listening session */
2053 	s = rfcomm_session_add(sock, BT_LISTEN);
2054 	if (!s) {
2055 		err = -ENOMEM;
2056 		goto failed;
2057 	}
2058 
2059 	return 0;
2060 failed:
2061 	sock_release(sock);
2062 	return err;
2063 }
2064 
2065 static void rfcomm_kill_listener(void)
2066 {
2067 	struct rfcomm_session *s, *n;
2068 
2069 	BT_DBG("");
2070 
2071 	list_for_each_entry_safe(s, n, &session_list, list)
2072 		rfcomm_session_del(s);
2073 }
2074 
2075 static int rfcomm_run(void *unused)
2076 {
2077 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
2078 	BT_DBG("");
2079 
2080 	set_user_nice(current, -10);
2081 
2082 	rfcomm_add_listener(BDADDR_ANY);
2083 
2084 	add_wait_queue(&rfcomm_wq, &wait);
2085 	while (!kthread_should_stop()) {
2086 
2087 		/* Process stuff */
2088 		rfcomm_process_sessions();
2089 
2090 		wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2091 	}
2092 	remove_wait_queue(&rfcomm_wq, &wait);
2093 
2094 	rfcomm_kill_listener();
2095 
2096 	return 0;
2097 }
2098 
2099 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2100 {
2101 	struct rfcomm_session *s;
2102 	struct rfcomm_dlc *d, *n;
2103 
2104 	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2105 
2106 	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2107 	if (!s)
2108 		return;
2109 
2110 	list_for_each_entry_safe(d, n, &s->dlcs, list) {
2111 		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2112 			rfcomm_dlc_clear_timer(d);
2113 			if (status || encrypt == 0x00) {
2114 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2115 				continue;
2116 			}
2117 		}
2118 
2119 		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2120 			if (d->sec_level == BT_SECURITY_MEDIUM) {
2121 				set_bit(RFCOMM_SEC_PENDING, &d->flags);
2122 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2123 				continue;
2124 			} else if (d->sec_level == BT_SECURITY_HIGH ||
2125 				   d->sec_level == BT_SECURITY_FIPS) {
2126 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2127 				continue;
2128 			}
2129 		}
2130 
2131 		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2132 			continue;
2133 
2134 		if (!status && hci_conn_check_secure(conn, d->sec_level))
2135 			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2136 		else
2137 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2138 	}
2139 
2140 	rfcomm_schedule();
2141 }
2142 
2143 static struct hci_cb rfcomm_cb = {
2144 	.name		= "RFCOMM",
2145 	.security_cfm	= rfcomm_security_cfm
2146 };
2147 
2148 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2149 {
2150 	struct rfcomm_session *s;
2151 
2152 	rfcomm_lock();
2153 
2154 	list_for_each_entry(s, &session_list, list) {
2155 		struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2156 		struct rfcomm_dlc *d;
2157 		list_for_each_entry(d, &s->dlcs, list) {
2158 			seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2159 				   &chan->src, &chan->dst,
2160 				   d->state, d->dlci, d->mtu,
2161 				   d->rx_credits, d->tx_credits);
2162 		}
2163 	}
2164 
2165 	rfcomm_unlock();
2166 
2167 	return 0;
2168 }
2169 
2170 DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);
2171 
2172 static struct dentry *rfcomm_dlc_debugfs;
2173 
2174 /* ---- Initialization ---- */
2175 static int __init rfcomm_init(void)
2176 {
2177 	int err;
2178 
2179 	hci_register_cb(&rfcomm_cb);
2180 
2181 	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2182 	if (IS_ERR(rfcomm_thread)) {
2183 		err = PTR_ERR(rfcomm_thread);
2184 		goto unregister;
2185 	}
2186 
2187 	err = rfcomm_init_ttys();
2188 	if (err < 0)
2189 		goto stop;
2190 
2191 	err = rfcomm_init_sockets();
2192 	if (err < 0)
2193 		goto cleanup;
2194 
2195 	BT_INFO("RFCOMM ver %s", VERSION);
2196 
2197 	if (IS_ERR_OR_NULL(bt_debugfs))
2198 		return 0;
2199 
2200 	rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2201 						 bt_debugfs, NULL,
2202 						 &rfcomm_dlc_debugfs_fops);
2203 
2204 	return 0;
2205 
2206 cleanup:
2207 	rfcomm_cleanup_ttys();
2208 
2209 stop:
2210 	kthread_stop(rfcomm_thread);
2211 
2212 unregister:
2213 	hci_unregister_cb(&rfcomm_cb);
2214 
2215 	return err;
2216 }
2217 
2218 static void __exit rfcomm_exit(void)
2219 {
2220 	debugfs_remove(rfcomm_dlc_debugfs);
2221 
2222 	hci_unregister_cb(&rfcomm_cb);
2223 
2224 	kthread_stop(rfcomm_thread);
2225 
2226 	rfcomm_cleanup_ttys();
2227 
2228 	rfcomm_cleanup_sockets();
2229 }
2230 
2231 module_init(rfcomm_init);
2232 module_exit(rfcomm_exit);
2233 
2234 module_param(disable_cfc, bool, 0644);
2235 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2236 
2237 module_param(channel_mtu, int, 0644);
2238 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2239 
2240 module_param(l2cap_mtu, uint, 0644);
2241 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2242 
2243 module_param(l2cap_ertm, bool, 0644);
2244 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2245 
2246 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2247 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2248 MODULE_VERSION(VERSION);
2249 MODULE_LICENSE("GPL");
2250 MODULE_ALIAS("bt-proto-3");
2251