1 /* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22 */ 23 24 /* 25 * Bluetooth RFCOMM core. 26 */ 27 28 #include <linux/module.h> 29 #include <linux/debugfs.h> 30 #include <linux/kthread.h> 31 #include <asm/unaligned.h> 32 33 #include <net/bluetooth/bluetooth.h> 34 #include <net/bluetooth/hci_core.h> 35 #include <net/bluetooth/l2cap.h> 36 #include <net/bluetooth/rfcomm.h> 37 38 #define VERSION "1.11" 39 40 static bool disable_cfc; 41 static bool l2cap_ertm; 42 static int channel_mtu = -1; 43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 44 45 static struct task_struct *rfcomm_thread; 46 47 static DEFINE_MUTEX(rfcomm_mutex); 48 #define rfcomm_lock() mutex_lock(&rfcomm_mutex) 49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 50 51 52 static LIST_HEAD(session_list); 53 54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 57 static int rfcomm_queue_disc(struct rfcomm_dlc *d); 58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 64 65 static void rfcomm_process_connect(struct rfcomm_session *s); 66 67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 68 bdaddr_t *dst, 69 u8 sec_level, 70 int *err); 71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s); 73 74 /* ---- RFCOMM frame parsing macros ---- */ 75 #define __get_dlci(b) ((b & 0xfc) >> 2) 76 #define __get_channel(b) ((b & 0xf8) >> 3) 77 #define __get_dir(b) ((b & 0x04) >> 2) 78 #define __get_type(b) ((b & 0xef)) 79 80 #define __test_ea(b) ((b & 0x01)) 81 #define __test_cr(b) ((b & 0x02)) 82 #define __test_pf(b) ((b & 0x10)) 83 84 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 85 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 86 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 87 #define __srv_channel(dlci) (dlci >> 1) 88 #define __dir(dlci) (dlci & 0x01) 89 90 #define __len8(len) (((len) << 1) | 1) 91 #define __len16(len) ((len) << 1) 92 93 /* MCC macros */ 94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 95 #define __get_mcc_type(b) ((b & 0xfc) >> 2) 96 #define __get_mcc_len(b) ((b & 0xfe) >> 1) 97 98 /* RPN macros */ 99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 100 #define __get_rpn_data_bits(line) ((line) & 0x3) 101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7) 103 104 static void rfcomm_schedule(void) 105 { 106 if (!rfcomm_thread) 107 return; 108 wake_up_process(rfcomm_thread); 109 } 110 111 /* ---- RFCOMM FCS computation ---- */ 112 113 /* reversed, 8-bit, poly=0x07 */ 114 static unsigned char rfcomm_crc_table[256] = { 115 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 116 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 117 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 118 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 119 120 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 121 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 122 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 123 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 124 125 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 126 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 127 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 128 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 129 130 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 131 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 132 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 133 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 134 135 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 136 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 137 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 138 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 139 140 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 141 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 142 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 143 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 144 145 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 146 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 147 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 148 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 149 150 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 151 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 152 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 153 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 154 }; 155 156 /* CRC on 2 bytes */ 157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 158 159 /* FCS on 2 bytes */ 160 static inline u8 __fcs(u8 *data) 161 { 162 return 0xff - __crc(data); 163 } 164 165 /* FCS on 3 bytes */ 166 static inline u8 __fcs2(u8 *data) 167 { 168 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 169 } 170 171 /* Check FCS */ 172 static inline int __check_fcs(u8 *data, int type, u8 fcs) 173 { 174 u8 f = __crc(data); 175 176 if (type != RFCOMM_UIH) 177 f = rfcomm_crc_table[f ^ data[2]]; 178 179 return rfcomm_crc_table[f ^ fcs] != 0xcf; 180 } 181 182 /* ---- L2CAP callbacks ---- */ 183 static void rfcomm_l2state_change(struct sock *sk) 184 { 185 BT_DBG("%p state %d", sk, sk->sk_state); 186 rfcomm_schedule(); 187 } 188 189 static void rfcomm_l2data_ready(struct sock *sk) 190 { 191 BT_DBG("%p", sk); 192 rfcomm_schedule(); 193 } 194 195 static int rfcomm_l2sock_create(struct socket **sock) 196 { 197 int err; 198 199 BT_DBG(""); 200 201 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 202 if (!err) { 203 struct sock *sk = (*sock)->sk; 204 sk->sk_data_ready = rfcomm_l2data_ready; 205 sk->sk_state_change = rfcomm_l2state_change; 206 } 207 return err; 208 } 209 210 static int rfcomm_check_security(struct rfcomm_dlc *d) 211 { 212 struct sock *sk = d->session->sock->sk; 213 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 214 215 __u8 auth_type; 216 217 switch (d->sec_level) { 218 case BT_SECURITY_HIGH: 219 case BT_SECURITY_FIPS: 220 auth_type = HCI_AT_GENERAL_BONDING_MITM; 221 break; 222 case BT_SECURITY_MEDIUM: 223 auth_type = HCI_AT_GENERAL_BONDING; 224 break; 225 default: 226 auth_type = HCI_AT_NO_BONDING; 227 break; 228 } 229 230 return hci_conn_security(conn->hcon, d->sec_level, auth_type); 231 } 232 233 static void rfcomm_session_timeout(unsigned long arg) 234 { 235 struct rfcomm_session *s = (void *) arg; 236 237 BT_DBG("session %p state %ld", s, s->state); 238 239 set_bit(RFCOMM_TIMED_OUT, &s->flags); 240 rfcomm_schedule(); 241 } 242 243 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 244 { 245 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 246 247 mod_timer(&s->timer, jiffies + timeout); 248 } 249 250 static void rfcomm_session_clear_timer(struct rfcomm_session *s) 251 { 252 BT_DBG("session %p state %ld", s, s->state); 253 254 del_timer_sync(&s->timer); 255 } 256 257 /* ---- RFCOMM DLCs ---- */ 258 static void rfcomm_dlc_timeout(unsigned long arg) 259 { 260 struct rfcomm_dlc *d = (void *) arg; 261 262 BT_DBG("dlc %p state %ld", d, d->state); 263 264 set_bit(RFCOMM_TIMED_OUT, &d->flags); 265 rfcomm_dlc_put(d); 266 rfcomm_schedule(); 267 } 268 269 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 270 { 271 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 272 273 if (!mod_timer(&d->timer, jiffies + timeout)) 274 rfcomm_dlc_hold(d); 275 } 276 277 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 278 { 279 BT_DBG("dlc %p state %ld", d, d->state); 280 281 if (del_timer(&d->timer)) 282 rfcomm_dlc_put(d); 283 } 284 285 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 286 { 287 BT_DBG("%p", d); 288 289 d->state = BT_OPEN; 290 d->flags = 0; 291 d->mscex = 0; 292 d->sec_level = BT_SECURITY_LOW; 293 d->mtu = RFCOMM_DEFAULT_MTU; 294 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 295 296 d->cfc = RFCOMM_CFC_DISABLED; 297 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 298 } 299 300 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 301 { 302 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 303 304 if (!d) 305 return NULL; 306 307 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 308 309 skb_queue_head_init(&d->tx_queue); 310 spin_lock_init(&d->lock); 311 atomic_set(&d->refcnt, 1); 312 313 rfcomm_dlc_clear_state(d); 314 315 BT_DBG("%p", d); 316 317 return d; 318 } 319 320 void rfcomm_dlc_free(struct rfcomm_dlc *d) 321 { 322 BT_DBG("%p", d); 323 324 skb_queue_purge(&d->tx_queue); 325 kfree(d); 326 } 327 328 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 329 { 330 BT_DBG("dlc %p session %p", d, s); 331 332 rfcomm_session_clear_timer(s); 333 rfcomm_dlc_hold(d); 334 list_add(&d->list, &s->dlcs); 335 d->session = s; 336 } 337 338 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 339 { 340 struct rfcomm_session *s = d->session; 341 342 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 343 344 list_del(&d->list); 345 d->session = NULL; 346 rfcomm_dlc_put(d); 347 348 if (list_empty(&s->dlcs)) 349 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 350 } 351 352 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 353 { 354 struct rfcomm_dlc *d; 355 356 list_for_each_entry(d, &s->dlcs, list) 357 if (d->dlci == dlci) 358 return d; 359 360 return NULL; 361 } 362 363 static int rfcomm_check_channel(u8 channel) 364 { 365 return channel < 1 || channel > 30; 366 } 367 368 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 369 { 370 struct rfcomm_session *s; 371 int err = 0; 372 u8 dlci; 373 374 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 375 d, d->state, src, dst, channel); 376 377 if (rfcomm_check_channel(channel)) 378 return -EINVAL; 379 380 if (d->state != BT_OPEN && d->state != BT_CLOSED) 381 return 0; 382 383 s = rfcomm_session_get(src, dst); 384 if (!s) { 385 s = rfcomm_session_create(src, dst, d->sec_level, &err); 386 if (!s) 387 return err; 388 } 389 390 dlci = __dlci(!s->initiator, channel); 391 392 /* Check if DLCI already exists */ 393 if (rfcomm_dlc_get(s, dlci)) 394 return -EBUSY; 395 396 rfcomm_dlc_clear_state(d); 397 398 d->dlci = dlci; 399 d->addr = __addr(s->initiator, dlci); 400 d->priority = 7; 401 402 d->state = BT_CONFIG; 403 rfcomm_dlc_link(s, d); 404 405 d->out = 1; 406 407 d->mtu = s->mtu; 408 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 409 410 if (s->state == BT_CONNECTED) { 411 if (rfcomm_check_security(d)) 412 rfcomm_send_pn(s, 1, d); 413 else 414 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 415 } 416 417 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 418 419 return 0; 420 } 421 422 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 423 { 424 int r; 425 426 rfcomm_lock(); 427 428 r = __rfcomm_dlc_open(d, src, dst, channel); 429 430 rfcomm_unlock(); 431 return r; 432 } 433 434 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d) 435 { 436 struct rfcomm_session *s = d->session; 437 438 d->state = BT_DISCONN; 439 if (skb_queue_empty(&d->tx_queue)) { 440 rfcomm_send_disc(s, d->dlci); 441 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 442 } else { 443 rfcomm_queue_disc(d); 444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 445 } 446 } 447 448 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 449 { 450 struct rfcomm_session *s = d->session; 451 if (!s) 452 return 0; 453 454 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 455 d, d->state, d->dlci, err, s); 456 457 switch (d->state) { 458 case BT_CONNECT: 459 case BT_CONFIG: 460 case BT_OPEN: 461 case BT_CONNECT2: 462 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 463 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 464 rfcomm_schedule(); 465 return 0; 466 } 467 } 468 469 switch (d->state) { 470 case BT_CONNECT: 471 case BT_CONNECTED: 472 __rfcomm_dlc_disconn(d); 473 break; 474 475 case BT_CONFIG: 476 if (s->state != BT_BOUND) { 477 __rfcomm_dlc_disconn(d); 478 break; 479 } 480 /* if closing a dlc in a session that hasn't been started, 481 * just close and unlink the dlc 482 */ 483 484 default: 485 rfcomm_dlc_clear_timer(d); 486 487 rfcomm_dlc_lock(d); 488 d->state = BT_CLOSED; 489 d->state_change(d, err); 490 rfcomm_dlc_unlock(d); 491 492 skb_queue_purge(&d->tx_queue); 493 rfcomm_dlc_unlink(d); 494 } 495 496 return 0; 497 } 498 499 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 500 { 501 int r = 0; 502 struct rfcomm_dlc *d_list; 503 struct rfcomm_session *s, *s_list; 504 505 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err); 506 507 rfcomm_lock(); 508 509 s = d->session; 510 if (!s) 511 goto no_session; 512 513 /* after waiting on the mutex check the session still exists 514 * then check the dlc still exists 515 */ 516 list_for_each_entry(s_list, &session_list, list) { 517 if (s_list == s) { 518 list_for_each_entry(d_list, &s->dlcs, list) { 519 if (d_list == d) { 520 r = __rfcomm_dlc_close(d, err); 521 break; 522 } 523 } 524 break; 525 } 526 } 527 528 no_session: 529 rfcomm_unlock(); 530 return r; 531 } 532 533 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel) 534 { 535 struct rfcomm_session *s; 536 struct rfcomm_dlc *dlc = NULL; 537 u8 dlci; 538 539 if (rfcomm_check_channel(channel)) 540 return ERR_PTR(-EINVAL); 541 542 rfcomm_lock(); 543 s = rfcomm_session_get(src, dst); 544 if (s) { 545 dlci = __dlci(!s->initiator, channel); 546 dlc = rfcomm_dlc_get(s, dlci); 547 } 548 rfcomm_unlock(); 549 return dlc; 550 } 551 552 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 553 { 554 int len = skb->len; 555 556 if (d->state != BT_CONNECTED) 557 return -ENOTCONN; 558 559 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 560 561 if (len > d->mtu) 562 return -EINVAL; 563 564 rfcomm_make_uih(skb, d->addr); 565 skb_queue_tail(&d->tx_queue, skb); 566 567 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 568 rfcomm_schedule(); 569 return len; 570 } 571 572 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb) 573 { 574 int len = skb->len; 575 576 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 577 578 rfcomm_make_uih(skb, d->addr); 579 skb_queue_tail(&d->tx_queue, skb); 580 581 if (d->state == BT_CONNECTED && 582 !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 583 rfcomm_schedule(); 584 } 585 586 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 587 { 588 BT_DBG("dlc %p state %ld", d, d->state); 589 590 if (!d->cfc) { 591 d->v24_sig |= RFCOMM_V24_FC; 592 set_bit(RFCOMM_MSC_PENDING, &d->flags); 593 } 594 rfcomm_schedule(); 595 } 596 597 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 598 { 599 BT_DBG("dlc %p state %ld", d, d->state); 600 601 if (!d->cfc) { 602 d->v24_sig &= ~RFCOMM_V24_FC; 603 set_bit(RFCOMM_MSC_PENDING, &d->flags); 604 } 605 rfcomm_schedule(); 606 } 607 608 /* 609 Set/get modem status functions use _local_ status i.e. what we report 610 to the other side. 611 Remote status is provided by dlc->modem_status() callback. 612 */ 613 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 614 { 615 BT_DBG("dlc %p state %ld v24_sig 0x%x", 616 d, d->state, v24_sig); 617 618 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 619 v24_sig |= RFCOMM_V24_FC; 620 else 621 v24_sig &= ~RFCOMM_V24_FC; 622 623 d->v24_sig = v24_sig; 624 625 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 626 rfcomm_schedule(); 627 628 return 0; 629 } 630 631 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 632 { 633 BT_DBG("dlc %p state %ld v24_sig 0x%x", 634 d, d->state, d->v24_sig); 635 636 *v24_sig = d->v24_sig; 637 return 0; 638 } 639 640 /* ---- RFCOMM sessions ---- */ 641 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 642 { 643 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 644 645 if (!s) 646 return NULL; 647 648 BT_DBG("session %p sock %p", s, sock); 649 650 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 651 652 INIT_LIST_HEAD(&s->dlcs); 653 s->state = state; 654 s->sock = sock; 655 656 s->mtu = RFCOMM_DEFAULT_MTU; 657 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 658 659 /* Do not increment module usage count for listening sessions. 660 * Otherwise we won't be able to unload the module. */ 661 if (state != BT_LISTEN) 662 if (!try_module_get(THIS_MODULE)) { 663 kfree(s); 664 return NULL; 665 } 666 667 list_add(&s->list, &session_list); 668 669 return s; 670 } 671 672 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s) 673 { 674 int state = s->state; 675 676 BT_DBG("session %p state %ld", s, s->state); 677 678 list_del(&s->list); 679 680 rfcomm_session_clear_timer(s); 681 sock_release(s->sock); 682 kfree(s); 683 684 if (state != BT_LISTEN) 685 module_put(THIS_MODULE); 686 687 return NULL; 688 } 689 690 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 691 { 692 struct rfcomm_session *s; 693 struct list_head *p, *n; 694 struct l2cap_chan *chan; 695 list_for_each_safe(p, n, &session_list) { 696 s = list_entry(p, struct rfcomm_session, list); 697 chan = l2cap_pi(s->sock->sk)->chan; 698 699 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) && 700 !bacmp(&chan->dst, dst)) 701 return s; 702 } 703 return NULL; 704 } 705 706 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s, 707 int err) 708 { 709 struct rfcomm_dlc *d; 710 struct list_head *p, *n; 711 712 s->state = BT_CLOSED; 713 714 BT_DBG("session %p state %ld err %d", s, s->state, err); 715 716 /* Close all dlcs */ 717 list_for_each_safe(p, n, &s->dlcs) { 718 d = list_entry(p, struct rfcomm_dlc, list); 719 d->state = BT_CLOSED; 720 __rfcomm_dlc_close(d, err); 721 } 722 723 rfcomm_session_clear_timer(s); 724 return rfcomm_session_del(s); 725 } 726 727 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 728 bdaddr_t *dst, 729 u8 sec_level, 730 int *err) 731 { 732 struct rfcomm_session *s = NULL; 733 struct sockaddr_l2 addr; 734 struct socket *sock; 735 struct sock *sk; 736 737 BT_DBG("%pMR -> %pMR", src, dst); 738 739 *err = rfcomm_l2sock_create(&sock); 740 if (*err < 0) 741 return NULL; 742 743 bacpy(&addr.l2_bdaddr, src); 744 addr.l2_family = AF_BLUETOOTH; 745 addr.l2_psm = 0; 746 addr.l2_cid = 0; 747 addr.l2_bdaddr_type = BDADDR_BREDR; 748 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 749 if (*err < 0) 750 goto failed; 751 752 /* Set L2CAP options */ 753 sk = sock->sk; 754 lock_sock(sk); 755 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 756 l2cap_pi(sk)->chan->sec_level = sec_level; 757 if (l2cap_ertm) 758 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 759 release_sock(sk); 760 761 s = rfcomm_session_add(sock, BT_BOUND); 762 if (!s) { 763 *err = -ENOMEM; 764 goto failed; 765 } 766 767 s->initiator = 1; 768 769 bacpy(&addr.l2_bdaddr, dst); 770 addr.l2_family = AF_BLUETOOTH; 771 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 772 addr.l2_cid = 0; 773 addr.l2_bdaddr_type = BDADDR_BREDR; 774 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 775 if (*err == 0 || *err == -EINPROGRESS) 776 return s; 777 778 return rfcomm_session_del(s); 779 780 failed: 781 sock_release(sock); 782 return NULL; 783 } 784 785 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 786 { 787 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 788 if (src) 789 bacpy(src, &chan->src); 790 if (dst) 791 bacpy(dst, &chan->dst); 792 } 793 794 /* ---- RFCOMM frame sending ---- */ 795 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 796 { 797 struct kvec iv = { data, len }; 798 struct msghdr msg; 799 800 BT_DBG("session %p len %d", s, len); 801 802 memset(&msg, 0, sizeof(msg)); 803 804 return kernel_sendmsg(s->sock, &msg, &iv, 1, len); 805 } 806 807 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 808 { 809 BT_DBG("%p cmd %u", s, cmd->ctrl); 810 811 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd)); 812 } 813 814 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 815 { 816 struct rfcomm_cmd cmd; 817 818 BT_DBG("%p dlci %d", s, dlci); 819 820 cmd.addr = __addr(s->initiator, dlci); 821 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 822 cmd.len = __len8(0); 823 cmd.fcs = __fcs2((u8 *) &cmd); 824 825 return rfcomm_send_cmd(s, &cmd); 826 } 827 828 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 829 { 830 struct rfcomm_cmd cmd; 831 832 BT_DBG("%p dlci %d", s, dlci); 833 834 cmd.addr = __addr(!s->initiator, dlci); 835 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 836 cmd.len = __len8(0); 837 cmd.fcs = __fcs2((u8 *) &cmd); 838 839 return rfcomm_send_cmd(s, &cmd); 840 } 841 842 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 843 { 844 struct rfcomm_cmd cmd; 845 846 BT_DBG("%p dlci %d", s, dlci); 847 848 cmd.addr = __addr(s->initiator, dlci); 849 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 850 cmd.len = __len8(0); 851 cmd.fcs = __fcs2((u8 *) &cmd); 852 853 return rfcomm_send_cmd(s, &cmd); 854 } 855 856 static int rfcomm_queue_disc(struct rfcomm_dlc *d) 857 { 858 struct rfcomm_cmd *cmd; 859 struct sk_buff *skb; 860 861 BT_DBG("dlc %p dlci %d", d, d->dlci); 862 863 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 864 if (!skb) 865 return -ENOMEM; 866 867 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 868 cmd->addr = d->addr; 869 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 870 cmd->len = __len8(0); 871 cmd->fcs = __fcs2((u8 *) cmd); 872 873 skb_queue_tail(&d->tx_queue, skb); 874 rfcomm_schedule(); 875 return 0; 876 } 877 878 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 879 { 880 struct rfcomm_cmd cmd; 881 882 BT_DBG("%p dlci %d", s, dlci); 883 884 cmd.addr = __addr(!s->initiator, dlci); 885 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 886 cmd.len = __len8(0); 887 cmd.fcs = __fcs2((u8 *) &cmd); 888 889 return rfcomm_send_cmd(s, &cmd); 890 } 891 892 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 893 { 894 struct rfcomm_hdr *hdr; 895 struct rfcomm_mcc *mcc; 896 u8 buf[16], *ptr = buf; 897 898 BT_DBG("%p cr %d type %d", s, cr, type); 899 900 hdr = (void *) ptr; ptr += sizeof(*hdr); 901 hdr->addr = __addr(s->initiator, 0); 902 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 903 hdr->len = __len8(sizeof(*mcc) + 1); 904 905 mcc = (void *) ptr; ptr += sizeof(*mcc); 906 mcc->type = __mcc_type(cr, RFCOMM_NSC); 907 mcc->len = __len8(1); 908 909 /* Type that we didn't like */ 910 *ptr = __mcc_type(cr, type); ptr++; 911 912 *ptr = __fcs(buf); ptr++; 913 914 return rfcomm_send_frame(s, buf, ptr - buf); 915 } 916 917 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 918 { 919 struct rfcomm_hdr *hdr; 920 struct rfcomm_mcc *mcc; 921 struct rfcomm_pn *pn; 922 u8 buf[16], *ptr = buf; 923 924 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 925 926 hdr = (void *) ptr; ptr += sizeof(*hdr); 927 hdr->addr = __addr(s->initiator, 0); 928 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 929 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 930 931 mcc = (void *) ptr; ptr += sizeof(*mcc); 932 mcc->type = __mcc_type(cr, RFCOMM_PN); 933 mcc->len = __len8(sizeof(*pn)); 934 935 pn = (void *) ptr; ptr += sizeof(*pn); 936 pn->dlci = d->dlci; 937 pn->priority = d->priority; 938 pn->ack_timer = 0; 939 pn->max_retrans = 0; 940 941 if (s->cfc) { 942 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 943 pn->credits = RFCOMM_DEFAULT_CREDITS; 944 } else { 945 pn->flow_ctrl = 0; 946 pn->credits = 0; 947 } 948 949 if (cr && channel_mtu >= 0) 950 pn->mtu = cpu_to_le16(channel_mtu); 951 else 952 pn->mtu = cpu_to_le16(d->mtu); 953 954 *ptr = __fcs(buf); ptr++; 955 956 return rfcomm_send_frame(s, buf, ptr - buf); 957 } 958 959 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 960 u8 bit_rate, u8 data_bits, u8 stop_bits, 961 u8 parity, u8 flow_ctrl_settings, 962 u8 xon_char, u8 xoff_char, u16 param_mask) 963 { 964 struct rfcomm_hdr *hdr; 965 struct rfcomm_mcc *mcc; 966 struct rfcomm_rpn *rpn; 967 u8 buf[16], *ptr = buf; 968 969 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 970 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 971 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 972 flow_ctrl_settings, xon_char, xoff_char, param_mask); 973 974 hdr = (void *) ptr; ptr += sizeof(*hdr); 975 hdr->addr = __addr(s->initiator, 0); 976 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 977 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 978 979 mcc = (void *) ptr; ptr += sizeof(*mcc); 980 mcc->type = __mcc_type(cr, RFCOMM_RPN); 981 mcc->len = __len8(sizeof(*rpn)); 982 983 rpn = (void *) ptr; ptr += sizeof(*rpn); 984 rpn->dlci = __addr(1, dlci); 985 rpn->bit_rate = bit_rate; 986 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 987 rpn->flow_ctrl = flow_ctrl_settings; 988 rpn->xon_char = xon_char; 989 rpn->xoff_char = xoff_char; 990 rpn->param_mask = cpu_to_le16(param_mask); 991 992 *ptr = __fcs(buf); ptr++; 993 994 return rfcomm_send_frame(s, buf, ptr - buf); 995 } 996 997 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 998 { 999 struct rfcomm_hdr *hdr; 1000 struct rfcomm_mcc *mcc; 1001 struct rfcomm_rls *rls; 1002 u8 buf[16], *ptr = buf; 1003 1004 BT_DBG("%p cr %d status 0x%x", s, cr, status); 1005 1006 hdr = (void *) ptr; ptr += sizeof(*hdr); 1007 hdr->addr = __addr(s->initiator, 0); 1008 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1009 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 1010 1011 mcc = (void *) ptr; ptr += sizeof(*mcc); 1012 mcc->type = __mcc_type(cr, RFCOMM_RLS); 1013 mcc->len = __len8(sizeof(*rls)); 1014 1015 rls = (void *) ptr; ptr += sizeof(*rls); 1016 rls->dlci = __addr(1, dlci); 1017 rls->status = status; 1018 1019 *ptr = __fcs(buf); ptr++; 1020 1021 return rfcomm_send_frame(s, buf, ptr - buf); 1022 } 1023 1024 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 1025 { 1026 struct rfcomm_hdr *hdr; 1027 struct rfcomm_mcc *mcc; 1028 struct rfcomm_msc *msc; 1029 u8 buf[16], *ptr = buf; 1030 1031 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 1032 1033 hdr = (void *) ptr; ptr += sizeof(*hdr); 1034 hdr->addr = __addr(s->initiator, 0); 1035 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1036 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 1037 1038 mcc = (void *) ptr; ptr += sizeof(*mcc); 1039 mcc->type = __mcc_type(cr, RFCOMM_MSC); 1040 mcc->len = __len8(sizeof(*msc)); 1041 1042 msc = (void *) ptr; ptr += sizeof(*msc); 1043 msc->dlci = __addr(1, dlci); 1044 msc->v24_sig = v24_sig | 0x01; 1045 1046 *ptr = __fcs(buf); ptr++; 1047 1048 return rfcomm_send_frame(s, buf, ptr - buf); 1049 } 1050 1051 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1052 { 1053 struct rfcomm_hdr *hdr; 1054 struct rfcomm_mcc *mcc; 1055 u8 buf[16], *ptr = buf; 1056 1057 BT_DBG("%p cr %d", s, cr); 1058 1059 hdr = (void *) ptr; ptr += sizeof(*hdr); 1060 hdr->addr = __addr(s->initiator, 0); 1061 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1062 hdr->len = __len8(sizeof(*mcc)); 1063 1064 mcc = (void *) ptr; ptr += sizeof(*mcc); 1065 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1066 mcc->len = __len8(0); 1067 1068 *ptr = __fcs(buf); ptr++; 1069 1070 return rfcomm_send_frame(s, buf, ptr - buf); 1071 } 1072 1073 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1074 { 1075 struct rfcomm_hdr *hdr; 1076 struct rfcomm_mcc *mcc; 1077 u8 buf[16], *ptr = buf; 1078 1079 BT_DBG("%p cr %d", s, cr); 1080 1081 hdr = (void *) ptr; ptr += sizeof(*hdr); 1082 hdr->addr = __addr(s->initiator, 0); 1083 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1084 hdr->len = __len8(sizeof(*mcc)); 1085 1086 mcc = (void *) ptr; ptr += sizeof(*mcc); 1087 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1088 mcc->len = __len8(0); 1089 1090 *ptr = __fcs(buf); ptr++; 1091 1092 return rfcomm_send_frame(s, buf, ptr - buf); 1093 } 1094 1095 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1096 { 1097 struct socket *sock = s->sock; 1098 struct kvec iv[3]; 1099 struct msghdr msg; 1100 unsigned char hdr[5], crc[1]; 1101 1102 if (len > 125) 1103 return -EINVAL; 1104 1105 BT_DBG("%p cr %d", s, cr); 1106 1107 hdr[0] = __addr(s->initiator, 0); 1108 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1109 hdr[2] = 0x01 | ((len + 2) << 1); 1110 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1111 hdr[4] = 0x01 | (len << 1); 1112 1113 crc[0] = __fcs(hdr); 1114 1115 iv[0].iov_base = hdr; 1116 iv[0].iov_len = 5; 1117 iv[1].iov_base = pattern; 1118 iv[1].iov_len = len; 1119 iv[2].iov_base = crc; 1120 iv[2].iov_len = 1; 1121 1122 memset(&msg, 0, sizeof(msg)); 1123 1124 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1125 } 1126 1127 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1128 { 1129 struct rfcomm_hdr *hdr; 1130 u8 buf[16], *ptr = buf; 1131 1132 BT_DBG("%p addr %d credits %d", s, addr, credits); 1133 1134 hdr = (void *) ptr; ptr += sizeof(*hdr); 1135 hdr->addr = addr; 1136 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1137 hdr->len = __len8(0); 1138 1139 *ptr = credits; ptr++; 1140 1141 *ptr = __fcs(buf); ptr++; 1142 1143 return rfcomm_send_frame(s, buf, ptr - buf); 1144 } 1145 1146 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1147 { 1148 struct rfcomm_hdr *hdr; 1149 int len = skb->len; 1150 u8 *crc; 1151 1152 if (len > 127) { 1153 hdr = (void *) skb_push(skb, 4); 1154 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1155 } else { 1156 hdr = (void *) skb_push(skb, 3); 1157 hdr->len = __len8(len); 1158 } 1159 hdr->addr = addr; 1160 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1161 1162 crc = skb_put(skb, 1); 1163 *crc = __fcs((void *) hdr); 1164 } 1165 1166 /* ---- RFCOMM frame reception ---- */ 1167 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1168 { 1169 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1170 1171 if (dlci) { 1172 /* Data channel */ 1173 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1174 if (!d) { 1175 rfcomm_send_dm(s, dlci); 1176 return s; 1177 } 1178 1179 switch (d->state) { 1180 case BT_CONNECT: 1181 rfcomm_dlc_clear_timer(d); 1182 1183 rfcomm_dlc_lock(d); 1184 d->state = BT_CONNECTED; 1185 d->state_change(d, 0); 1186 rfcomm_dlc_unlock(d); 1187 1188 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1189 break; 1190 1191 case BT_DISCONN: 1192 d->state = BT_CLOSED; 1193 __rfcomm_dlc_close(d, 0); 1194 1195 if (list_empty(&s->dlcs)) { 1196 s->state = BT_DISCONN; 1197 rfcomm_send_disc(s, 0); 1198 rfcomm_session_clear_timer(s); 1199 } 1200 1201 break; 1202 } 1203 } else { 1204 /* Control channel */ 1205 switch (s->state) { 1206 case BT_CONNECT: 1207 s->state = BT_CONNECTED; 1208 rfcomm_process_connect(s); 1209 break; 1210 1211 case BT_DISCONN: 1212 s = rfcomm_session_close(s, ECONNRESET); 1213 break; 1214 } 1215 } 1216 return s; 1217 } 1218 1219 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1220 { 1221 int err = 0; 1222 1223 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1224 1225 if (dlci) { 1226 /* Data DLC */ 1227 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1228 if (d) { 1229 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1230 err = ECONNREFUSED; 1231 else 1232 err = ECONNRESET; 1233 1234 d->state = BT_CLOSED; 1235 __rfcomm_dlc_close(d, err); 1236 } 1237 } else { 1238 if (s->state == BT_CONNECT) 1239 err = ECONNREFUSED; 1240 else 1241 err = ECONNRESET; 1242 1243 s = rfcomm_session_close(s, err); 1244 } 1245 return s; 1246 } 1247 1248 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s, 1249 u8 dlci) 1250 { 1251 int err = 0; 1252 1253 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1254 1255 if (dlci) { 1256 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1257 if (d) { 1258 rfcomm_send_ua(s, dlci); 1259 1260 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1261 err = ECONNREFUSED; 1262 else 1263 err = ECONNRESET; 1264 1265 d->state = BT_CLOSED; 1266 __rfcomm_dlc_close(d, err); 1267 } else 1268 rfcomm_send_dm(s, dlci); 1269 1270 } else { 1271 rfcomm_send_ua(s, 0); 1272 1273 if (s->state == BT_CONNECT) 1274 err = ECONNREFUSED; 1275 else 1276 err = ECONNRESET; 1277 1278 s = rfcomm_session_close(s, err); 1279 } 1280 return s; 1281 } 1282 1283 void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1284 { 1285 struct sock *sk = d->session->sock->sk; 1286 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1287 1288 BT_DBG("dlc %p", d); 1289 1290 rfcomm_send_ua(d->session, d->dlci); 1291 1292 rfcomm_dlc_clear_timer(d); 1293 1294 rfcomm_dlc_lock(d); 1295 d->state = BT_CONNECTED; 1296 d->state_change(d, 0); 1297 rfcomm_dlc_unlock(d); 1298 1299 if (d->role_switch) 1300 hci_conn_switch_role(conn->hcon, 0x00); 1301 1302 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1303 } 1304 1305 static void rfcomm_check_accept(struct rfcomm_dlc *d) 1306 { 1307 if (rfcomm_check_security(d)) { 1308 if (d->defer_setup) { 1309 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1310 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1311 1312 rfcomm_dlc_lock(d); 1313 d->state = BT_CONNECT2; 1314 d->state_change(d, 0); 1315 rfcomm_dlc_unlock(d); 1316 } else 1317 rfcomm_dlc_accept(d); 1318 } else { 1319 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1320 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1321 } 1322 } 1323 1324 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1325 { 1326 struct rfcomm_dlc *d; 1327 u8 channel; 1328 1329 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1330 1331 if (!dlci) { 1332 rfcomm_send_ua(s, 0); 1333 1334 if (s->state == BT_OPEN) { 1335 s->state = BT_CONNECTED; 1336 rfcomm_process_connect(s); 1337 } 1338 return 0; 1339 } 1340 1341 /* Check if DLC exists */ 1342 d = rfcomm_dlc_get(s, dlci); 1343 if (d) { 1344 if (d->state == BT_OPEN) { 1345 /* DLC was previously opened by PN request */ 1346 rfcomm_check_accept(d); 1347 } 1348 return 0; 1349 } 1350 1351 /* Notify socket layer about incoming connection */ 1352 channel = __srv_channel(dlci); 1353 if (rfcomm_connect_ind(s, channel, &d)) { 1354 d->dlci = dlci; 1355 d->addr = __addr(s->initiator, dlci); 1356 rfcomm_dlc_link(s, d); 1357 1358 rfcomm_check_accept(d); 1359 } else { 1360 rfcomm_send_dm(s, dlci); 1361 } 1362 1363 return 0; 1364 } 1365 1366 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1367 { 1368 struct rfcomm_session *s = d->session; 1369 1370 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1371 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1372 1373 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1374 pn->flow_ctrl == 0xe0) { 1375 d->cfc = RFCOMM_CFC_ENABLED; 1376 d->tx_credits = pn->credits; 1377 } else { 1378 d->cfc = RFCOMM_CFC_DISABLED; 1379 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1380 } 1381 1382 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1383 s->cfc = d->cfc; 1384 1385 d->priority = pn->priority; 1386 1387 d->mtu = __le16_to_cpu(pn->mtu); 1388 1389 if (cr && d->mtu > s->mtu) 1390 d->mtu = s->mtu; 1391 1392 return 0; 1393 } 1394 1395 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1396 { 1397 struct rfcomm_pn *pn = (void *) skb->data; 1398 struct rfcomm_dlc *d; 1399 u8 dlci = pn->dlci; 1400 1401 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1402 1403 if (!dlci) 1404 return 0; 1405 1406 d = rfcomm_dlc_get(s, dlci); 1407 if (d) { 1408 if (cr) { 1409 /* PN request */ 1410 rfcomm_apply_pn(d, cr, pn); 1411 rfcomm_send_pn(s, 0, d); 1412 } else { 1413 /* PN response */ 1414 switch (d->state) { 1415 case BT_CONFIG: 1416 rfcomm_apply_pn(d, cr, pn); 1417 1418 d->state = BT_CONNECT; 1419 rfcomm_send_sabm(s, d->dlci); 1420 break; 1421 } 1422 } 1423 } else { 1424 u8 channel = __srv_channel(dlci); 1425 1426 if (!cr) 1427 return 0; 1428 1429 /* PN request for non existing DLC. 1430 * Assume incoming connection. */ 1431 if (rfcomm_connect_ind(s, channel, &d)) { 1432 d->dlci = dlci; 1433 d->addr = __addr(s->initiator, dlci); 1434 rfcomm_dlc_link(s, d); 1435 1436 rfcomm_apply_pn(d, cr, pn); 1437 1438 d->state = BT_OPEN; 1439 rfcomm_send_pn(s, 0, d); 1440 } else { 1441 rfcomm_send_dm(s, dlci); 1442 } 1443 } 1444 return 0; 1445 } 1446 1447 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1448 { 1449 struct rfcomm_rpn *rpn = (void *) skb->data; 1450 u8 dlci = __get_dlci(rpn->dlci); 1451 1452 u8 bit_rate = 0; 1453 u8 data_bits = 0; 1454 u8 stop_bits = 0; 1455 u8 parity = 0; 1456 u8 flow_ctrl = 0; 1457 u8 xon_char = 0; 1458 u8 xoff_char = 0; 1459 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1460 1461 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1462 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1463 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1464 1465 if (!cr) 1466 return 0; 1467 1468 if (len == 1) { 1469 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1470 bit_rate = RFCOMM_RPN_BR_9600; 1471 data_bits = RFCOMM_RPN_DATA_8; 1472 stop_bits = RFCOMM_RPN_STOP_1; 1473 parity = RFCOMM_RPN_PARITY_NONE; 1474 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1475 xon_char = RFCOMM_RPN_XON_CHAR; 1476 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1477 goto rpn_out; 1478 } 1479 1480 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1481 * no parity, no flow control lines, normal XON/XOFF chars */ 1482 1483 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1484 bit_rate = rpn->bit_rate; 1485 if (bit_rate > RFCOMM_RPN_BR_230400) { 1486 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1487 bit_rate = RFCOMM_RPN_BR_9600; 1488 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1489 } 1490 } 1491 1492 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1493 data_bits = __get_rpn_data_bits(rpn->line_settings); 1494 if (data_bits != RFCOMM_RPN_DATA_8) { 1495 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1496 data_bits = RFCOMM_RPN_DATA_8; 1497 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1498 } 1499 } 1500 1501 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1502 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1503 if (stop_bits != RFCOMM_RPN_STOP_1) { 1504 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1505 stop_bits = RFCOMM_RPN_STOP_1; 1506 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1507 } 1508 } 1509 1510 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1511 parity = __get_rpn_parity(rpn->line_settings); 1512 if (parity != RFCOMM_RPN_PARITY_NONE) { 1513 BT_DBG("RPN parity mismatch 0x%x", parity); 1514 parity = RFCOMM_RPN_PARITY_NONE; 1515 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1516 } 1517 } 1518 1519 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1520 flow_ctrl = rpn->flow_ctrl; 1521 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1522 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1523 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1524 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1525 } 1526 } 1527 1528 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1529 xon_char = rpn->xon_char; 1530 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1531 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1532 xon_char = RFCOMM_RPN_XON_CHAR; 1533 rpn_mask ^= RFCOMM_RPN_PM_XON; 1534 } 1535 } 1536 1537 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1538 xoff_char = rpn->xoff_char; 1539 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1540 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1541 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1542 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1543 } 1544 } 1545 1546 rpn_out: 1547 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1548 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1549 1550 return 0; 1551 } 1552 1553 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1554 { 1555 struct rfcomm_rls *rls = (void *) skb->data; 1556 u8 dlci = __get_dlci(rls->dlci); 1557 1558 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1559 1560 if (!cr) 1561 return 0; 1562 1563 /* We should probably do something with this information here. But 1564 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1565 * mandatory to recognise and respond to RLS */ 1566 1567 rfcomm_send_rls(s, 0, dlci, rls->status); 1568 1569 return 0; 1570 } 1571 1572 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1573 { 1574 struct rfcomm_msc *msc = (void *) skb->data; 1575 struct rfcomm_dlc *d; 1576 u8 dlci = __get_dlci(msc->dlci); 1577 1578 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1579 1580 d = rfcomm_dlc_get(s, dlci); 1581 if (!d) 1582 return 0; 1583 1584 if (cr) { 1585 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1586 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1587 else 1588 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1589 1590 rfcomm_dlc_lock(d); 1591 1592 d->remote_v24_sig = msc->v24_sig; 1593 1594 if (d->modem_status) 1595 d->modem_status(d, msc->v24_sig); 1596 1597 rfcomm_dlc_unlock(d); 1598 1599 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1600 1601 d->mscex |= RFCOMM_MSCEX_RX; 1602 } else 1603 d->mscex |= RFCOMM_MSCEX_TX; 1604 1605 return 0; 1606 } 1607 1608 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1609 { 1610 struct rfcomm_mcc *mcc = (void *) skb->data; 1611 u8 type, cr, len; 1612 1613 cr = __test_cr(mcc->type); 1614 type = __get_mcc_type(mcc->type); 1615 len = __get_mcc_len(mcc->len); 1616 1617 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1618 1619 skb_pull(skb, 2); 1620 1621 switch (type) { 1622 case RFCOMM_PN: 1623 rfcomm_recv_pn(s, cr, skb); 1624 break; 1625 1626 case RFCOMM_RPN: 1627 rfcomm_recv_rpn(s, cr, len, skb); 1628 break; 1629 1630 case RFCOMM_RLS: 1631 rfcomm_recv_rls(s, cr, skb); 1632 break; 1633 1634 case RFCOMM_MSC: 1635 rfcomm_recv_msc(s, cr, skb); 1636 break; 1637 1638 case RFCOMM_FCOFF: 1639 if (cr) { 1640 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1641 rfcomm_send_fcoff(s, 0); 1642 } 1643 break; 1644 1645 case RFCOMM_FCON: 1646 if (cr) { 1647 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1648 rfcomm_send_fcon(s, 0); 1649 } 1650 break; 1651 1652 case RFCOMM_TEST: 1653 if (cr) 1654 rfcomm_send_test(s, 0, skb->data, skb->len); 1655 break; 1656 1657 case RFCOMM_NSC: 1658 break; 1659 1660 default: 1661 BT_ERR("Unknown control type 0x%02x", type); 1662 rfcomm_send_nsc(s, cr, type); 1663 break; 1664 } 1665 return 0; 1666 } 1667 1668 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1669 { 1670 struct rfcomm_dlc *d; 1671 1672 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1673 1674 d = rfcomm_dlc_get(s, dlci); 1675 if (!d) { 1676 rfcomm_send_dm(s, dlci); 1677 goto drop; 1678 } 1679 1680 if (pf && d->cfc) { 1681 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1682 1683 d->tx_credits += credits; 1684 if (d->tx_credits) 1685 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1686 } 1687 1688 if (skb->len && d->state == BT_CONNECTED) { 1689 rfcomm_dlc_lock(d); 1690 d->rx_credits--; 1691 d->data_ready(d, skb); 1692 rfcomm_dlc_unlock(d); 1693 return 0; 1694 } 1695 1696 drop: 1697 kfree_skb(skb); 1698 return 0; 1699 } 1700 1701 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, 1702 struct sk_buff *skb) 1703 { 1704 struct rfcomm_hdr *hdr = (void *) skb->data; 1705 u8 type, dlci, fcs; 1706 1707 if (!s) { 1708 /* no session, so free socket data */ 1709 kfree_skb(skb); 1710 return s; 1711 } 1712 1713 dlci = __get_dlci(hdr->addr); 1714 type = __get_type(hdr->ctrl); 1715 1716 /* Trim FCS */ 1717 skb->len--; skb->tail--; 1718 fcs = *(u8 *)skb_tail_pointer(skb); 1719 1720 if (__check_fcs(skb->data, type, fcs)) { 1721 BT_ERR("bad checksum in packet"); 1722 kfree_skb(skb); 1723 return s; 1724 } 1725 1726 if (__test_ea(hdr->len)) 1727 skb_pull(skb, 3); 1728 else 1729 skb_pull(skb, 4); 1730 1731 switch (type) { 1732 case RFCOMM_SABM: 1733 if (__test_pf(hdr->ctrl)) 1734 rfcomm_recv_sabm(s, dlci); 1735 break; 1736 1737 case RFCOMM_DISC: 1738 if (__test_pf(hdr->ctrl)) 1739 s = rfcomm_recv_disc(s, dlci); 1740 break; 1741 1742 case RFCOMM_UA: 1743 if (__test_pf(hdr->ctrl)) 1744 s = rfcomm_recv_ua(s, dlci); 1745 break; 1746 1747 case RFCOMM_DM: 1748 s = rfcomm_recv_dm(s, dlci); 1749 break; 1750 1751 case RFCOMM_UIH: 1752 if (dlci) { 1753 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1754 return s; 1755 } 1756 rfcomm_recv_mcc(s, skb); 1757 break; 1758 1759 default: 1760 BT_ERR("Unknown packet type 0x%02x", type); 1761 break; 1762 } 1763 kfree_skb(skb); 1764 return s; 1765 } 1766 1767 /* ---- Connection and data processing ---- */ 1768 1769 static void rfcomm_process_connect(struct rfcomm_session *s) 1770 { 1771 struct rfcomm_dlc *d; 1772 struct list_head *p, *n; 1773 1774 BT_DBG("session %p state %ld", s, s->state); 1775 1776 list_for_each_safe(p, n, &s->dlcs) { 1777 d = list_entry(p, struct rfcomm_dlc, list); 1778 if (d->state == BT_CONFIG) { 1779 d->mtu = s->mtu; 1780 if (rfcomm_check_security(d)) { 1781 rfcomm_send_pn(s, 1, d); 1782 } else { 1783 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1784 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1785 } 1786 } 1787 } 1788 } 1789 1790 /* Send data queued for the DLC. 1791 * Return number of frames left in the queue. 1792 */ 1793 static int rfcomm_process_tx(struct rfcomm_dlc *d) 1794 { 1795 struct sk_buff *skb; 1796 int err; 1797 1798 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1799 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1800 1801 /* Send pending MSC */ 1802 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1803 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1804 1805 if (d->cfc) { 1806 /* CFC enabled. 1807 * Give them some credits */ 1808 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1809 d->rx_credits <= (d->cfc >> 2)) { 1810 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1811 d->rx_credits = d->cfc; 1812 } 1813 } else { 1814 /* CFC disabled. 1815 * Give ourselves some credits */ 1816 d->tx_credits = 5; 1817 } 1818 1819 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1820 return skb_queue_len(&d->tx_queue); 1821 1822 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1823 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1824 if (err < 0) { 1825 skb_queue_head(&d->tx_queue, skb); 1826 break; 1827 } 1828 kfree_skb(skb); 1829 d->tx_credits--; 1830 } 1831 1832 if (d->cfc && !d->tx_credits) { 1833 /* We're out of TX credits. 1834 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1835 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1836 } 1837 1838 return skb_queue_len(&d->tx_queue); 1839 } 1840 1841 static void rfcomm_process_dlcs(struct rfcomm_session *s) 1842 { 1843 struct rfcomm_dlc *d; 1844 struct list_head *p, *n; 1845 1846 BT_DBG("session %p state %ld", s, s->state); 1847 1848 list_for_each_safe(p, n, &s->dlcs) { 1849 d = list_entry(p, struct rfcomm_dlc, list); 1850 1851 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1852 __rfcomm_dlc_close(d, ETIMEDOUT); 1853 continue; 1854 } 1855 1856 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1857 __rfcomm_dlc_close(d, ECONNREFUSED); 1858 continue; 1859 } 1860 1861 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1862 rfcomm_dlc_clear_timer(d); 1863 if (d->out) { 1864 rfcomm_send_pn(s, 1, d); 1865 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1866 } else { 1867 if (d->defer_setup) { 1868 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1869 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1870 1871 rfcomm_dlc_lock(d); 1872 d->state = BT_CONNECT2; 1873 d->state_change(d, 0); 1874 rfcomm_dlc_unlock(d); 1875 } else 1876 rfcomm_dlc_accept(d); 1877 } 1878 continue; 1879 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1880 rfcomm_dlc_clear_timer(d); 1881 if (!d->out) 1882 rfcomm_send_dm(s, d->dlci); 1883 else 1884 d->state = BT_CLOSED; 1885 __rfcomm_dlc_close(d, ECONNREFUSED); 1886 continue; 1887 } 1888 1889 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1890 continue; 1891 1892 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1893 continue; 1894 1895 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1896 d->mscex == RFCOMM_MSCEX_OK) 1897 rfcomm_process_tx(d); 1898 } 1899 } 1900 1901 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) 1902 { 1903 struct socket *sock = s->sock; 1904 struct sock *sk = sock->sk; 1905 struct sk_buff *skb; 1906 1907 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1908 1909 /* Get data directly from socket receive queue without copying it. */ 1910 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1911 skb_orphan(skb); 1912 if (!skb_linearize(skb)) 1913 s = rfcomm_recv_frame(s, skb); 1914 else 1915 kfree_skb(skb); 1916 } 1917 1918 if (s && (sk->sk_state == BT_CLOSED)) 1919 s = rfcomm_session_close(s, sk->sk_err); 1920 1921 return s; 1922 } 1923 1924 static void rfcomm_accept_connection(struct rfcomm_session *s) 1925 { 1926 struct socket *sock = s->sock, *nsock; 1927 int err; 1928 1929 /* Fast check for a new connection. 1930 * Avoids unnesesary socket allocations. */ 1931 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1932 return; 1933 1934 BT_DBG("session %p", s); 1935 1936 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1937 if (err < 0) 1938 return; 1939 1940 /* Set our callbacks */ 1941 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1942 nsock->sk->sk_state_change = rfcomm_l2state_change; 1943 1944 s = rfcomm_session_add(nsock, BT_OPEN); 1945 if (s) { 1946 /* We should adjust MTU on incoming sessions. 1947 * L2CAP MTU minus UIH header and FCS. */ 1948 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1949 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1950 1951 rfcomm_schedule(); 1952 } else 1953 sock_release(nsock); 1954 } 1955 1956 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s) 1957 { 1958 struct sock *sk = s->sock->sk; 1959 1960 BT_DBG("%p state %ld", s, s->state); 1961 1962 switch (sk->sk_state) { 1963 case BT_CONNECTED: 1964 s->state = BT_CONNECT; 1965 1966 /* We can adjust MTU on outgoing sessions. 1967 * L2CAP MTU minus UIH header and FCS. */ 1968 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1969 1970 rfcomm_send_sabm(s, 0); 1971 break; 1972 1973 case BT_CLOSED: 1974 s = rfcomm_session_close(s, sk->sk_err); 1975 break; 1976 } 1977 return s; 1978 } 1979 1980 static void rfcomm_process_sessions(void) 1981 { 1982 struct list_head *p, *n; 1983 1984 rfcomm_lock(); 1985 1986 list_for_each_safe(p, n, &session_list) { 1987 struct rfcomm_session *s; 1988 s = list_entry(p, struct rfcomm_session, list); 1989 1990 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1991 s->state = BT_DISCONN; 1992 rfcomm_send_disc(s, 0); 1993 continue; 1994 } 1995 1996 switch (s->state) { 1997 case BT_LISTEN: 1998 rfcomm_accept_connection(s); 1999 continue; 2000 2001 case BT_BOUND: 2002 s = rfcomm_check_connection(s); 2003 break; 2004 2005 default: 2006 s = rfcomm_process_rx(s); 2007 break; 2008 } 2009 2010 if (s) 2011 rfcomm_process_dlcs(s); 2012 } 2013 2014 rfcomm_unlock(); 2015 } 2016 2017 static int rfcomm_add_listener(bdaddr_t *ba) 2018 { 2019 struct sockaddr_l2 addr; 2020 struct socket *sock; 2021 struct sock *sk; 2022 struct rfcomm_session *s; 2023 int err = 0; 2024 2025 /* Create socket */ 2026 err = rfcomm_l2sock_create(&sock); 2027 if (err < 0) { 2028 BT_ERR("Create socket failed %d", err); 2029 return err; 2030 } 2031 2032 /* Bind socket */ 2033 bacpy(&addr.l2_bdaddr, ba); 2034 addr.l2_family = AF_BLUETOOTH; 2035 addr.l2_psm = cpu_to_le16(RFCOMM_PSM); 2036 addr.l2_cid = 0; 2037 addr.l2_bdaddr_type = BDADDR_BREDR; 2038 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 2039 if (err < 0) { 2040 BT_ERR("Bind failed %d", err); 2041 goto failed; 2042 } 2043 2044 /* Set L2CAP options */ 2045 sk = sock->sk; 2046 lock_sock(sk); 2047 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 2048 release_sock(sk); 2049 2050 /* Start listening on the socket */ 2051 err = kernel_listen(sock, 10); 2052 if (err) { 2053 BT_ERR("Listen failed %d", err); 2054 goto failed; 2055 } 2056 2057 /* Add listening session */ 2058 s = rfcomm_session_add(sock, BT_LISTEN); 2059 if (!s) { 2060 err = -ENOMEM; 2061 goto failed; 2062 } 2063 2064 return 0; 2065 failed: 2066 sock_release(sock); 2067 return err; 2068 } 2069 2070 static void rfcomm_kill_listener(void) 2071 { 2072 struct rfcomm_session *s; 2073 struct list_head *p, *n; 2074 2075 BT_DBG(""); 2076 2077 list_for_each_safe(p, n, &session_list) { 2078 s = list_entry(p, struct rfcomm_session, list); 2079 rfcomm_session_del(s); 2080 } 2081 } 2082 2083 static int rfcomm_run(void *unused) 2084 { 2085 BT_DBG(""); 2086 2087 set_user_nice(current, -10); 2088 2089 rfcomm_add_listener(BDADDR_ANY); 2090 2091 while (1) { 2092 set_current_state(TASK_INTERRUPTIBLE); 2093 2094 if (kthread_should_stop()) 2095 break; 2096 2097 /* Process stuff */ 2098 rfcomm_process_sessions(); 2099 2100 schedule(); 2101 } 2102 __set_current_state(TASK_RUNNING); 2103 2104 rfcomm_kill_listener(); 2105 2106 return 0; 2107 } 2108 2109 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2110 { 2111 struct rfcomm_session *s; 2112 struct rfcomm_dlc *d; 2113 struct list_head *p, *n; 2114 2115 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2116 2117 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2118 if (!s) 2119 return; 2120 2121 list_for_each_safe(p, n, &s->dlcs) { 2122 d = list_entry(p, struct rfcomm_dlc, list); 2123 2124 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2125 rfcomm_dlc_clear_timer(d); 2126 if (status || encrypt == 0x00) { 2127 set_bit(RFCOMM_ENC_DROP, &d->flags); 2128 continue; 2129 } 2130 } 2131 2132 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2133 if (d->sec_level == BT_SECURITY_MEDIUM) { 2134 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2135 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2136 continue; 2137 } else if (d->sec_level == BT_SECURITY_HIGH || 2138 d->sec_level == BT_SECURITY_FIPS) { 2139 set_bit(RFCOMM_ENC_DROP, &d->flags); 2140 continue; 2141 } 2142 } 2143 2144 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2145 continue; 2146 2147 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2148 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2149 else 2150 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2151 } 2152 2153 rfcomm_schedule(); 2154 } 2155 2156 static struct hci_cb rfcomm_cb = { 2157 .name = "RFCOMM", 2158 .security_cfm = rfcomm_security_cfm 2159 }; 2160 2161 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2162 { 2163 struct rfcomm_session *s; 2164 2165 rfcomm_lock(); 2166 2167 list_for_each_entry(s, &session_list, list) { 2168 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 2169 struct rfcomm_dlc *d; 2170 list_for_each_entry(d, &s->dlcs, list) { 2171 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n", 2172 &chan->src, &chan->dst, 2173 d->state, d->dlci, d->mtu, 2174 d->rx_credits, d->tx_credits); 2175 } 2176 } 2177 2178 rfcomm_unlock(); 2179 2180 return 0; 2181 } 2182 2183 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2184 { 2185 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2186 } 2187 2188 static const struct file_operations rfcomm_dlc_debugfs_fops = { 2189 .open = rfcomm_dlc_debugfs_open, 2190 .read = seq_read, 2191 .llseek = seq_lseek, 2192 .release = single_release, 2193 }; 2194 2195 static struct dentry *rfcomm_dlc_debugfs; 2196 2197 /* ---- Initialization ---- */ 2198 static int __init rfcomm_init(void) 2199 { 2200 int err; 2201 2202 hci_register_cb(&rfcomm_cb); 2203 2204 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2205 if (IS_ERR(rfcomm_thread)) { 2206 err = PTR_ERR(rfcomm_thread); 2207 goto unregister; 2208 } 2209 2210 err = rfcomm_init_ttys(); 2211 if (err < 0) 2212 goto stop; 2213 2214 err = rfcomm_init_sockets(); 2215 if (err < 0) 2216 goto cleanup; 2217 2218 BT_INFO("RFCOMM ver %s", VERSION); 2219 2220 if (IS_ERR_OR_NULL(bt_debugfs)) 2221 return 0; 2222 2223 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2224 bt_debugfs, NULL, 2225 &rfcomm_dlc_debugfs_fops); 2226 2227 return 0; 2228 2229 cleanup: 2230 rfcomm_cleanup_ttys(); 2231 2232 stop: 2233 kthread_stop(rfcomm_thread); 2234 2235 unregister: 2236 hci_unregister_cb(&rfcomm_cb); 2237 2238 return err; 2239 } 2240 2241 static void __exit rfcomm_exit(void) 2242 { 2243 debugfs_remove(rfcomm_dlc_debugfs); 2244 2245 hci_unregister_cb(&rfcomm_cb); 2246 2247 kthread_stop(rfcomm_thread); 2248 2249 rfcomm_cleanup_ttys(); 2250 2251 rfcomm_cleanup_sockets(); 2252 } 2253 2254 module_init(rfcomm_init); 2255 module_exit(rfcomm_exit); 2256 2257 module_param(disable_cfc, bool, 0644); 2258 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2259 2260 module_param(channel_mtu, int, 0644); 2261 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2262 2263 module_param(l2cap_mtu, uint, 0644); 2264 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2265 2266 module_param(l2cap_ertm, bool, 0644); 2267 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2268 2269 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2270 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2271 MODULE_VERSION(VERSION); 2272 MODULE_LICENSE("GPL"); 2273 MODULE_ALIAS("bt-proto-3"); 2274