xref: /openbmc/linux/net/bluetooth/rfcomm/core.c (revision ca55b2fe)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * Bluetooth RFCOMM core.
26  */
27 
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32 
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define VERSION "1.11"
39 
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44 
45 static struct task_struct *rfcomm_thread;
46 
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock()	mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock()	mutex_unlock(&rfcomm_mutex)
50 
51 
52 static LIST_HEAD(session_list);
53 
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64 
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66 
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 							bdaddr_t *dst,
69 							u8 sec_level,
70 							int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73 
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b)     ((b & 0xfc) >> 2)
76 #define __get_channel(b)  ((b & 0xf8) >> 3)
77 #define __get_dir(b)      ((b & 0x04) >> 2)
78 #define __get_type(b)     ((b & 0xef))
79 
80 #define __test_ea(b)      ((b & 0x01))
81 #define __test_cr(b)      (!!(b & 0x02))
82 #define __test_pf(b)      (!!(b & 0x10))
83 
84 #define __session_dir(s)  ((s)->initiator ? 0x00 : 0x01)
85 
86 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
87 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
88 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
89 #define __srv_channel(dlci)    (dlci >> 1)
90 #define __dir(dlci)            (dlci & 0x01)
91 
92 #define __len8(len)       (((len) << 1) | 1)
93 #define __len16(len)      ((len) << 1)
94 
95 /* MCC macros */
96 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
97 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
98 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
99 
100 /* RPN macros */
101 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
102 #define __get_rpn_data_bits(line) ((line) & 0x3)
103 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
104 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
105 
106 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
107 
108 static void rfcomm_schedule(void)
109 {
110 	wake_up_all(&rfcomm_wq);
111 }
112 
113 /* ---- RFCOMM FCS computation ---- */
114 
115 /* reversed, 8-bit, poly=0x07 */
116 static unsigned char rfcomm_crc_table[256] = {
117 	0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
118 	0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
119 	0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
120 	0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
121 
122 	0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
123 	0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
124 	0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
125 	0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
126 
127 	0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
128 	0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
129 	0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
130 	0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
131 
132 	0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
133 	0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
134 	0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
135 	0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
136 
137 	0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
138 	0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
139 	0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
140 	0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
141 
142 	0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
143 	0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
144 	0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
145 	0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
146 
147 	0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
148 	0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
149 	0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
150 	0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
151 
152 	0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
153 	0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
154 	0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
155 	0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
156 };
157 
158 /* CRC on 2 bytes */
159 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
160 
161 /* FCS on 2 bytes */
162 static inline u8 __fcs(u8 *data)
163 {
164 	return 0xff - __crc(data);
165 }
166 
167 /* FCS on 3 bytes */
168 static inline u8 __fcs2(u8 *data)
169 {
170 	return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
171 }
172 
173 /* Check FCS */
174 static inline int __check_fcs(u8 *data, int type, u8 fcs)
175 {
176 	u8 f = __crc(data);
177 
178 	if (type != RFCOMM_UIH)
179 		f = rfcomm_crc_table[f ^ data[2]];
180 
181 	return rfcomm_crc_table[f ^ fcs] != 0xcf;
182 }
183 
184 /* ---- L2CAP callbacks ---- */
185 static void rfcomm_l2state_change(struct sock *sk)
186 {
187 	BT_DBG("%p state %d", sk, sk->sk_state);
188 	rfcomm_schedule();
189 }
190 
191 static void rfcomm_l2data_ready(struct sock *sk)
192 {
193 	BT_DBG("%p", sk);
194 	rfcomm_schedule();
195 }
196 
197 static int rfcomm_l2sock_create(struct socket **sock)
198 {
199 	int err;
200 
201 	BT_DBG("");
202 
203 	err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204 	if (!err) {
205 		struct sock *sk = (*sock)->sk;
206 		sk->sk_data_ready   = rfcomm_l2data_ready;
207 		sk->sk_state_change = rfcomm_l2state_change;
208 	}
209 	return err;
210 }
211 
212 static int rfcomm_check_security(struct rfcomm_dlc *d)
213 {
214 	struct sock *sk = d->session->sock->sk;
215 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216 
217 	__u8 auth_type;
218 
219 	switch (d->sec_level) {
220 	case BT_SECURITY_HIGH:
221 	case BT_SECURITY_FIPS:
222 		auth_type = HCI_AT_GENERAL_BONDING_MITM;
223 		break;
224 	case BT_SECURITY_MEDIUM:
225 		auth_type = HCI_AT_GENERAL_BONDING;
226 		break;
227 	default:
228 		auth_type = HCI_AT_NO_BONDING;
229 		break;
230 	}
231 
232 	return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233 				 d->out);
234 }
235 
236 static void rfcomm_session_timeout(unsigned long arg)
237 {
238 	struct rfcomm_session *s = (void *) arg;
239 
240 	BT_DBG("session %p state %ld", s, s->state);
241 
242 	set_bit(RFCOMM_TIMED_OUT, &s->flags);
243 	rfcomm_schedule();
244 }
245 
246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247 {
248 	BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249 
250 	mod_timer(&s->timer, jiffies + timeout);
251 }
252 
253 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254 {
255 	BT_DBG("session %p state %ld", s, s->state);
256 
257 	del_timer_sync(&s->timer);
258 }
259 
260 /* ---- RFCOMM DLCs ---- */
261 static void rfcomm_dlc_timeout(unsigned long arg)
262 {
263 	struct rfcomm_dlc *d = (void *) arg;
264 
265 	BT_DBG("dlc %p state %ld", d, d->state);
266 
267 	set_bit(RFCOMM_TIMED_OUT, &d->flags);
268 	rfcomm_dlc_put(d);
269 	rfcomm_schedule();
270 }
271 
272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273 {
274 	BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275 
276 	if (!mod_timer(&d->timer, jiffies + timeout))
277 		rfcomm_dlc_hold(d);
278 }
279 
280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281 {
282 	BT_DBG("dlc %p state %ld", d, d->state);
283 
284 	if (del_timer(&d->timer))
285 		rfcomm_dlc_put(d);
286 }
287 
288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289 {
290 	BT_DBG("%p", d);
291 
292 	d->state      = BT_OPEN;
293 	d->flags      = 0;
294 	d->mscex      = 0;
295 	d->sec_level  = BT_SECURITY_LOW;
296 	d->mtu        = RFCOMM_DEFAULT_MTU;
297 	d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298 
299 	d->cfc        = RFCOMM_CFC_DISABLED;
300 	d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301 }
302 
303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304 {
305 	struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306 
307 	if (!d)
308 		return NULL;
309 
310 	setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
311 
312 	skb_queue_head_init(&d->tx_queue);
313 	mutex_init(&d->lock);
314 	atomic_set(&d->refcnt, 1);
315 
316 	rfcomm_dlc_clear_state(d);
317 
318 	BT_DBG("%p", d);
319 
320 	return d;
321 }
322 
323 void rfcomm_dlc_free(struct rfcomm_dlc *d)
324 {
325 	BT_DBG("%p", d);
326 
327 	skb_queue_purge(&d->tx_queue);
328 	kfree(d);
329 }
330 
331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332 {
333 	BT_DBG("dlc %p session %p", d, s);
334 
335 	rfcomm_session_clear_timer(s);
336 	rfcomm_dlc_hold(d);
337 	list_add(&d->list, &s->dlcs);
338 	d->session = s;
339 }
340 
341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342 {
343 	struct rfcomm_session *s = d->session;
344 
345 	BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
346 
347 	list_del(&d->list);
348 	d->session = NULL;
349 	rfcomm_dlc_put(d);
350 
351 	if (list_empty(&s->dlcs))
352 		rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353 }
354 
355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356 {
357 	struct rfcomm_dlc *d;
358 
359 	list_for_each_entry(d, &s->dlcs, list)
360 		if (d->dlci == dlci)
361 			return d;
362 
363 	return NULL;
364 }
365 
366 static int rfcomm_check_channel(u8 channel)
367 {
368 	return channel < 1 || channel > 30;
369 }
370 
371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372 {
373 	struct rfcomm_session *s;
374 	int err = 0;
375 	u8 dlci;
376 
377 	BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378 	       d, d->state, src, dst, channel);
379 
380 	if (rfcomm_check_channel(channel))
381 		return -EINVAL;
382 
383 	if (d->state != BT_OPEN && d->state != BT_CLOSED)
384 		return 0;
385 
386 	s = rfcomm_session_get(src, dst);
387 	if (!s) {
388 		s = rfcomm_session_create(src, dst, d->sec_level, &err);
389 		if (!s)
390 			return err;
391 	}
392 
393 	dlci = __dlci(__session_dir(s), channel);
394 
395 	/* Check if DLCI already exists */
396 	if (rfcomm_dlc_get(s, dlci))
397 		return -EBUSY;
398 
399 	rfcomm_dlc_clear_state(d);
400 
401 	d->dlci     = dlci;
402 	d->addr     = __addr(s->initiator, dlci);
403 	d->priority = 7;
404 
405 	d->state = BT_CONFIG;
406 	rfcomm_dlc_link(s, d);
407 
408 	d->out = 1;
409 
410 	d->mtu = s->mtu;
411 	d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412 
413 	if (s->state == BT_CONNECTED) {
414 		if (rfcomm_check_security(d))
415 			rfcomm_send_pn(s, 1, d);
416 		else
417 			set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418 	}
419 
420 	rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421 
422 	return 0;
423 }
424 
425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426 {
427 	int r;
428 
429 	rfcomm_lock();
430 
431 	r = __rfcomm_dlc_open(d, src, dst, channel);
432 
433 	rfcomm_unlock();
434 	return r;
435 }
436 
437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438 {
439 	struct rfcomm_session *s = d->session;
440 
441 	d->state = BT_DISCONN;
442 	if (skb_queue_empty(&d->tx_queue)) {
443 		rfcomm_send_disc(s, d->dlci);
444 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445 	} else {
446 		rfcomm_queue_disc(d);
447 		rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448 	}
449 }
450 
451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453 	struct rfcomm_session *s = d->session;
454 	if (!s)
455 		return 0;
456 
457 	BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458 			d, d->state, d->dlci, err, s);
459 
460 	switch (d->state) {
461 	case BT_CONNECT:
462 	case BT_CONFIG:
463 	case BT_OPEN:
464 	case BT_CONNECT2:
465 		if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467 			rfcomm_schedule();
468 			return 0;
469 		}
470 	}
471 
472 	switch (d->state) {
473 	case BT_CONNECT:
474 	case BT_CONNECTED:
475 		__rfcomm_dlc_disconn(d);
476 		break;
477 
478 	case BT_CONFIG:
479 		if (s->state != BT_BOUND) {
480 			__rfcomm_dlc_disconn(d);
481 			break;
482 		}
483 		/* if closing a dlc in a session that hasn't been started,
484 		 * just close and unlink the dlc
485 		 */
486 
487 	default:
488 		rfcomm_dlc_clear_timer(d);
489 
490 		rfcomm_dlc_lock(d);
491 		d->state = BT_CLOSED;
492 		d->state_change(d, err);
493 		rfcomm_dlc_unlock(d);
494 
495 		skb_queue_purge(&d->tx_queue);
496 		rfcomm_dlc_unlink(d);
497 	}
498 
499 	return 0;
500 }
501 
502 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
503 {
504 	int r = 0;
505 	struct rfcomm_dlc *d_list;
506 	struct rfcomm_session *s, *s_list;
507 
508 	BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
509 
510 	rfcomm_lock();
511 
512 	s = d->session;
513 	if (!s)
514 		goto no_session;
515 
516 	/* after waiting on the mutex check the session still exists
517 	 * then check the dlc still exists
518 	 */
519 	list_for_each_entry(s_list, &session_list, list) {
520 		if (s_list == s) {
521 			list_for_each_entry(d_list, &s->dlcs, list) {
522 				if (d_list == d) {
523 					r = __rfcomm_dlc_close(d, err);
524 					break;
525 				}
526 			}
527 			break;
528 		}
529 	}
530 
531 no_session:
532 	rfcomm_unlock();
533 	return r;
534 }
535 
536 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
537 {
538 	struct rfcomm_session *s;
539 	struct rfcomm_dlc *dlc = NULL;
540 	u8 dlci;
541 
542 	if (rfcomm_check_channel(channel))
543 		return ERR_PTR(-EINVAL);
544 
545 	rfcomm_lock();
546 	s = rfcomm_session_get(src, dst);
547 	if (s) {
548 		dlci = __dlci(__session_dir(s), channel);
549 		dlc = rfcomm_dlc_get(s, dlci);
550 	}
551 	rfcomm_unlock();
552 	return dlc;
553 }
554 
555 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
556 {
557 	int len = skb->len;
558 
559 	if (d->state != BT_CONNECTED)
560 		return -ENOTCONN;
561 
562 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
563 
564 	if (len > d->mtu)
565 		return -EINVAL;
566 
567 	rfcomm_make_uih(skb, d->addr);
568 	skb_queue_tail(&d->tx_queue, skb);
569 
570 	if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
571 		rfcomm_schedule();
572 	return len;
573 }
574 
575 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
576 {
577 	int len = skb->len;
578 
579 	BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
580 
581 	rfcomm_make_uih(skb, d->addr);
582 	skb_queue_tail(&d->tx_queue, skb);
583 
584 	if (d->state == BT_CONNECTED &&
585 	    !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
586 		rfcomm_schedule();
587 }
588 
589 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
590 {
591 	BT_DBG("dlc %p state %ld", d, d->state);
592 
593 	if (!d->cfc) {
594 		d->v24_sig |= RFCOMM_V24_FC;
595 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
596 	}
597 	rfcomm_schedule();
598 }
599 
600 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
601 {
602 	BT_DBG("dlc %p state %ld", d, d->state);
603 
604 	if (!d->cfc) {
605 		d->v24_sig &= ~RFCOMM_V24_FC;
606 		set_bit(RFCOMM_MSC_PENDING, &d->flags);
607 	}
608 	rfcomm_schedule();
609 }
610 
611 /*
612    Set/get modem status functions use _local_ status i.e. what we report
613    to the other side.
614    Remote status is provided by dlc->modem_status() callback.
615  */
616 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
617 {
618 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
619 			d, d->state, v24_sig);
620 
621 	if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
622 		v24_sig |= RFCOMM_V24_FC;
623 	else
624 		v24_sig &= ~RFCOMM_V24_FC;
625 
626 	d->v24_sig = v24_sig;
627 
628 	if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
629 		rfcomm_schedule();
630 
631 	return 0;
632 }
633 
634 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
635 {
636 	BT_DBG("dlc %p state %ld v24_sig 0x%x",
637 			d, d->state, d->v24_sig);
638 
639 	*v24_sig = d->v24_sig;
640 	return 0;
641 }
642 
643 /* ---- RFCOMM sessions ---- */
644 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
645 {
646 	struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
647 
648 	if (!s)
649 		return NULL;
650 
651 	BT_DBG("session %p sock %p", s, sock);
652 
653 	setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
654 
655 	INIT_LIST_HEAD(&s->dlcs);
656 	s->state = state;
657 	s->sock  = sock;
658 
659 	s->mtu = RFCOMM_DEFAULT_MTU;
660 	s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
661 
662 	/* Do not increment module usage count for listening sessions.
663 	 * Otherwise we won't be able to unload the module. */
664 	if (state != BT_LISTEN)
665 		if (!try_module_get(THIS_MODULE)) {
666 			kfree(s);
667 			return NULL;
668 		}
669 
670 	list_add(&s->list, &session_list);
671 
672 	return s;
673 }
674 
675 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
676 {
677 	int state = s->state;
678 
679 	BT_DBG("session %p state %ld", s, s->state);
680 
681 	list_del(&s->list);
682 
683 	rfcomm_session_clear_timer(s);
684 	sock_release(s->sock);
685 	kfree(s);
686 
687 	if (state != BT_LISTEN)
688 		module_put(THIS_MODULE);
689 
690 	return NULL;
691 }
692 
693 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
694 {
695 	struct rfcomm_session *s;
696 	struct list_head *p, *n;
697 	struct l2cap_chan *chan;
698 	list_for_each_safe(p, n, &session_list) {
699 		s = list_entry(p, struct rfcomm_session, list);
700 		chan = l2cap_pi(s->sock->sk)->chan;
701 
702 		if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
703 		    !bacmp(&chan->dst, dst))
704 			return s;
705 	}
706 	return NULL;
707 }
708 
709 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
710 						   int err)
711 {
712 	struct rfcomm_dlc *d;
713 	struct list_head *p, *n;
714 
715 	s->state = BT_CLOSED;
716 
717 	BT_DBG("session %p state %ld err %d", s, s->state, err);
718 
719 	/* Close all dlcs */
720 	list_for_each_safe(p, n, &s->dlcs) {
721 		d = list_entry(p, struct rfcomm_dlc, list);
722 		d->state = BT_CLOSED;
723 		__rfcomm_dlc_close(d, err);
724 	}
725 
726 	rfcomm_session_clear_timer(s);
727 	return rfcomm_session_del(s);
728 }
729 
730 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
731 							bdaddr_t *dst,
732 							u8 sec_level,
733 							int *err)
734 {
735 	struct rfcomm_session *s = NULL;
736 	struct sockaddr_l2 addr;
737 	struct socket *sock;
738 	struct sock *sk;
739 
740 	BT_DBG("%pMR -> %pMR", src, dst);
741 
742 	*err = rfcomm_l2sock_create(&sock);
743 	if (*err < 0)
744 		return NULL;
745 
746 	bacpy(&addr.l2_bdaddr, src);
747 	addr.l2_family = AF_BLUETOOTH;
748 	addr.l2_psm    = 0;
749 	addr.l2_cid    = 0;
750 	addr.l2_bdaddr_type = BDADDR_BREDR;
751 	*err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
752 	if (*err < 0)
753 		goto failed;
754 
755 	/* Set L2CAP options */
756 	sk = sock->sk;
757 	lock_sock(sk);
758 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
759 	l2cap_pi(sk)->chan->sec_level = sec_level;
760 	if (l2cap_ertm)
761 		l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
762 	release_sock(sk);
763 
764 	s = rfcomm_session_add(sock, BT_BOUND);
765 	if (!s) {
766 		*err = -ENOMEM;
767 		goto failed;
768 	}
769 
770 	s->initiator = 1;
771 
772 	bacpy(&addr.l2_bdaddr, dst);
773 	addr.l2_family = AF_BLUETOOTH;
774 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
775 	addr.l2_cid    = 0;
776 	addr.l2_bdaddr_type = BDADDR_BREDR;
777 	*err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
778 	if (*err == 0 || *err == -EINPROGRESS)
779 		return s;
780 
781 	return rfcomm_session_del(s);
782 
783 failed:
784 	sock_release(sock);
785 	return NULL;
786 }
787 
788 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
789 {
790 	struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
791 	if (src)
792 		bacpy(src, &chan->src);
793 	if (dst)
794 		bacpy(dst, &chan->dst);
795 }
796 
797 /* ---- RFCOMM frame sending ---- */
798 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
799 {
800 	struct kvec iv = { data, len };
801 	struct msghdr msg;
802 
803 	BT_DBG("session %p len %d", s, len);
804 
805 	memset(&msg, 0, sizeof(msg));
806 
807 	return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
808 }
809 
810 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
811 {
812 	BT_DBG("%p cmd %u", s, cmd->ctrl);
813 
814 	return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
815 }
816 
817 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
818 {
819 	struct rfcomm_cmd cmd;
820 
821 	BT_DBG("%p dlci %d", s, dlci);
822 
823 	cmd.addr = __addr(s->initiator, dlci);
824 	cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
825 	cmd.len  = __len8(0);
826 	cmd.fcs  = __fcs2((u8 *) &cmd);
827 
828 	return rfcomm_send_cmd(s, &cmd);
829 }
830 
831 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
832 {
833 	struct rfcomm_cmd cmd;
834 
835 	BT_DBG("%p dlci %d", s, dlci);
836 
837 	cmd.addr = __addr(!s->initiator, dlci);
838 	cmd.ctrl = __ctrl(RFCOMM_UA, 1);
839 	cmd.len  = __len8(0);
840 	cmd.fcs  = __fcs2((u8 *) &cmd);
841 
842 	return rfcomm_send_cmd(s, &cmd);
843 }
844 
845 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
846 {
847 	struct rfcomm_cmd cmd;
848 
849 	BT_DBG("%p dlci %d", s, dlci);
850 
851 	cmd.addr = __addr(s->initiator, dlci);
852 	cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
853 	cmd.len  = __len8(0);
854 	cmd.fcs  = __fcs2((u8 *) &cmd);
855 
856 	return rfcomm_send_cmd(s, &cmd);
857 }
858 
859 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
860 {
861 	struct rfcomm_cmd *cmd;
862 	struct sk_buff *skb;
863 
864 	BT_DBG("dlc %p dlci %d", d, d->dlci);
865 
866 	skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
867 	if (!skb)
868 		return -ENOMEM;
869 
870 	cmd = (void *) __skb_put(skb, sizeof(*cmd));
871 	cmd->addr = d->addr;
872 	cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
873 	cmd->len  = __len8(0);
874 	cmd->fcs  = __fcs2((u8 *) cmd);
875 
876 	skb_queue_tail(&d->tx_queue, skb);
877 	rfcomm_schedule();
878 	return 0;
879 }
880 
881 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
882 {
883 	struct rfcomm_cmd cmd;
884 
885 	BT_DBG("%p dlci %d", s, dlci);
886 
887 	cmd.addr = __addr(!s->initiator, dlci);
888 	cmd.ctrl = __ctrl(RFCOMM_DM, 1);
889 	cmd.len  = __len8(0);
890 	cmd.fcs  = __fcs2((u8 *) &cmd);
891 
892 	return rfcomm_send_cmd(s, &cmd);
893 }
894 
895 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
896 {
897 	struct rfcomm_hdr *hdr;
898 	struct rfcomm_mcc *mcc;
899 	u8 buf[16], *ptr = buf;
900 
901 	BT_DBG("%p cr %d type %d", s, cr, type);
902 
903 	hdr = (void *) ptr; ptr += sizeof(*hdr);
904 	hdr->addr = __addr(s->initiator, 0);
905 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
906 	hdr->len  = __len8(sizeof(*mcc) + 1);
907 
908 	mcc = (void *) ptr; ptr += sizeof(*mcc);
909 	mcc->type = __mcc_type(0, RFCOMM_NSC);
910 	mcc->len  = __len8(1);
911 
912 	/* Type that we didn't like */
913 	*ptr = __mcc_type(cr, type); ptr++;
914 
915 	*ptr = __fcs(buf); ptr++;
916 
917 	return rfcomm_send_frame(s, buf, ptr - buf);
918 }
919 
920 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
921 {
922 	struct rfcomm_hdr *hdr;
923 	struct rfcomm_mcc *mcc;
924 	struct rfcomm_pn  *pn;
925 	u8 buf[16], *ptr = buf;
926 
927 	BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
928 
929 	hdr = (void *) ptr; ptr += sizeof(*hdr);
930 	hdr->addr = __addr(s->initiator, 0);
931 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
932 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
933 
934 	mcc = (void *) ptr; ptr += sizeof(*mcc);
935 	mcc->type = __mcc_type(cr, RFCOMM_PN);
936 	mcc->len  = __len8(sizeof(*pn));
937 
938 	pn = (void *) ptr; ptr += sizeof(*pn);
939 	pn->dlci        = d->dlci;
940 	pn->priority    = d->priority;
941 	pn->ack_timer   = 0;
942 	pn->max_retrans = 0;
943 
944 	if (s->cfc) {
945 		pn->flow_ctrl = cr ? 0xf0 : 0xe0;
946 		pn->credits = RFCOMM_DEFAULT_CREDITS;
947 	} else {
948 		pn->flow_ctrl = 0;
949 		pn->credits   = 0;
950 	}
951 
952 	if (cr && channel_mtu >= 0)
953 		pn->mtu = cpu_to_le16(channel_mtu);
954 	else
955 		pn->mtu = cpu_to_le16(d->mtu);
956 
957 	*ptr = __fcs(buf); ptr++;
958 
959 	return rfcomm_send_frame(s, buf, ptr - buf);
960 }
961 
962 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
963 			u8 bit_rate, u8 data_bits, u8 stop_bits,
964 			u8 parity, u8 flow_ctrl_settings,
965 			u8 xon_char, u8 xoff_char, u16 param_mask)
966 {
967 	struct rfcomm_hdr *hdr;
968 	struct rfcomm_mcc *mcc;
969 	struct rfcomm_rpn *rpn;
970 	u8 buf[16], *ptr = buf;
971 
972 	BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
973 			" flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
974 		s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
975 		flow_ctrl_settings, xon_char, xoff_char, param_mask);
976 
977 	hdr = (void *) ptr; ptr += sizeof(*hdr);
978 	hdr->addr = __addr(s->initiator, 0);
979 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
980 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
981 
982 	mcc = (void *) ptr; ptr += sizeof(*mcc);
983 	mcc->type = __mcc_type(cr, RFCOMM_RPN);
984 	mcc->len  = __len8(sizeof(*rpn));
985 
986 	rpn = (void *) ptr; ptr += sizeof(*rpn);
987 	rpn->dlci          = __addr(1, dlci);
988 	rpn->bit_rate      = bit_rate;
989 	rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
990 	rpn->flow_ctrl     = flow_ctrl_settings;
991 	rpn->xon_char      = xon_char;
992 	rpn->xoff_char     = xoff_char;
993 	rpn->param_mask    = cpu_to_le16(param_mask);
994 
995 	*ptr = __fcs(buf); ptr++;
996 
997 	return rfcomm_send_frame(s, buf, ptr - buf);
998 }
999 
1000 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
1001 {
1002 	struct rfcomm_hdr *hdr;
1003 	struct rfcomm_mcc *mcc;
1004 	struct rfcomm_rls *rls;
1005 	u8 buf[16], *ptr = buf;
1006 
1007 	BT_DBG("%p cr %d status 0x%x", s, cr, status);
1008 
1009 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1010 	hdr->addr = __addr(s->initiator, 0);
1011 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1012 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
1013 
1014 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1015 	mcc->type = __mcc_type(cr, RFCOMM_RLS);
1016 	mcc->len  = __len8(sizeof(*rls));
1017 
1018 	rls = (void *) ptr; ptr += sizeof(*rls);
1019 	rls->dlci   = __addr(1, dlci);
1020 	rls->status = status;
1021 
1022 	*ptr = __fcs(buf); ptr++;
1023 
1024 	return rfcomm_send_frame(s, buf, ptr - buf);
1025 }
1026 
1027 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1028 {
1029 	struct rfcomm_hdr *hdr;
1030 	struct rfcomm_mcc *mcc;
1031 	struct rfcomm_msc *msc;
1032 	u8 buf[16], *ptr = buf;
1033 
1034 	BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1035 
1036 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1037 	hdr->addr = __addr(s->initiator, 0);
1038 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1039 	hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
1040 
1041 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1042 	mcc->type = __mcc_type(cr, RFCOMM_MSC);
1043 	mcc->len  = __len8(sizeof(*msc));
1044 
1045 	msc = (void *) ptr; ptr += sizeof(*msc);
1046 	msc->dlci    = __addr(1, dlci);
1047 	msc->v24_sig = v24_sig | 0x01;
1048 
1049 	*ptr = __fcs(buf); ptr++;
1050 
1051 	return rfcomm_send_frame(s, buf, ptr - buf);
1052 }
1053 
1054 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1055 {
1056 	struct rfcomm_hdr *hdr;
1057 	struct rfcomm_mcc *mcc;
1058 	u8 buf[16], *ptr = buf;
1059 
1060 	BT_DBG("%p cr %d", s, cr);
1061 
1062 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1063 	hdr->addr = __addr(s->initiator, 0);
1064 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1065 	hdr->len  = __len8(sizeof(*mcc));
1066 
1067 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1068 	mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1069 	mcc->len  = __len8(0);
1070 
1071 	*ptr = __fcs(buf); ptr++;
1072 
1073 	return rfcomm_send_frame(s, buf, ptr - buf);
1074 }
1075 
1076 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1077 {
1078 	struct rfcomm_hdr *hdr;
1079 	struct rfcomm_mcc *mcc;
1080 	u8 buf[16], *ptr = buf;
1081 
1082 	BT_DBG("%p cr %d", s, cr);
1083 
1084 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1085 	hdr->addr = __addr(s->initiator, 0);
1086 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1087 	hdr->len  = __len8(sizeof(*mcc));
1088 
1089 	mcc = (void *) ptr; ptr += sizeof(*mcc);
1090 	mcc->type = __mcc_type(cr, RFCOMM_FCON);
1091 	mcc->len  = __len8(0);
1092 
1093 	*ptr = __fcs(buf); ptr++;
1094 
1095 	return rfcomm_send_frame(s, buf, ptr - buf);
1096 }
1097 
1098 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1099 {
1100 	struct socket *sock = s->sock;
1101 	struct kvec iv[3];
1102 	struct msghdr msg;
1103 	unsigned char hdr[5], crc[1];
1104 
1105 	if (len > 125)
1106 		return -EINVAL;
1107 
1108 	BT_DBG("%p cr %d", s, cr);
1109 
1110 	hdr[0] = __addr(s->initiator, 0);
1111 	hdr[1] = __ctrl(RFCOMM_UIH, 0);
1112 	hdr[2] = 0x01 | ((len + 2) << 1);
1113 	hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1114 	hdr[4] = 0x01 | (len << 1);
1115 
1116 	crc[0] = __fcs(hdr);
1117 
1118 	iv[0].iov_base = hdr;
1119 	iv[0].iov_len  = 5;
1120 	iv[1].iov_base = pattern;
1121 	iv[1].iov_len  = len;
1122 	iv[2].iov_base = crc;
1123 	iv[2].iov_len  = 1;
1124 
1125 	memset(&msg, 0, sizeof(msg));
1126 
1127 	return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1128 }
1129 
1130 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1131 {
1132 	struct rfcomm_hdr *hdr;
1133 	u8 buf[16], *ptr = buf;
1134 
1135 	BT_DBG("%p addr %d credits %d", s, addr, credits);
1136 
1137 	hdr = (void *) ptr; ptr += sizeof(*hdr);
1138 	hdr->addr = addr;
1139 	hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1140 	hdr->len  = __len8(0);
1141 
1142 	*ptr = credits; ptr++;
1143 
1144 	*ptr = __fcs(buf); ptr++;
1145 
1146 	return rfcomm_send_frame(s, buf, ptr - buf);
1147 }
1148 
1149 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1150 {
1151 	struct rfcomm_hdr *hdr;
1152 	int len = skb->len;
1153 	u8 *crc;
1154 
1155 	if (len > 127) {
1156 		hdr = (void *) skb_push(skb, 4);
1157 		put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1158 	} else {
1159 		hdr = (void *) skb_push(skb, 3);
1160 		hdr->len = __len8(len);
1161 	}
1162 	hdr->addr = addr;
1163 	hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1164 
1165 	crc = skb_put(skb, 1);
1166 	*crc = __fcs((void *) hdr);
1167 }
1168 
1169 /* ---- RFCOMM frame reception ---- */
1170 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1171 {
1172 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1173 
1174 	if (dlci) {
1175 		/* Data channel */
1176 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1177 		if (!d) {
1178 			rfcomm_send_dm(s, dlci);
1179 			return s;
1180 		}
1181 
1182 		switch (d->state) {
1183 		case BT_CONNECT:
1184 			rfcomm_dlc_clear_timer(d);
1185 
1186 			rfcomm_dlc_lock(d);
1187 			d->state = BT_CONNECTED;
1188 			d->state_change(d, 0);
1189 			rfcomm_dlc_unlock(d);
1190 
1191 			rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1192 			break;
1193 
1194 		case BT_DISCONN:
1195 			d->state = BT_CLOSED;
1196 			__rfcomm_dlc_close(d, 0);
1197 
1198 			if (list_empty(&s->dlcs)) {
1199 				s->state = BT_DISCONN;
1200 				rfcomm_send_disc(s, 0);
1201 				rfcomm_session_clear_timer(s);
1202 			}
1203 
1204 			break;
1205 		}
1206 	} else {
1207 		/* Control channel */
1208 		switch (s->state) {
1209 		case BT_CONNECT:
1210 			s->state = BT_CONNECTED;
1211 			rfcomm_process_connect(s);
1212 			break;
1213 
1214 		case BT_DISCONN:
1215 			s = rfcomm_session_close(s, ECONNRESET);
1216 			break;
1217 		}
1218 	}
1219 	return s;
1220 }
1221 
1222 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1223 {
1224 	int err = 0;
1225 
1226 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1227 
1228 	if (dlci) {
1229 		/* Data DLC */
1230 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1231 		if (d) {
1232 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1233 				err = ECONNREFUSED;
1234 			else
1235 				err = ECONNRESET;
1236 
1237 			d->state = BT_CLOSED;
1238 			__rfcomm_dlc_close(d, err);
1239 		}
1240 	} else {
1241 		if (s->state == BT_CONNECT)
1242 			err = ECONNREFUSED;
1243 		else
1244 			err = ECONNRESET;
1245 
1246 		s = rfcomm_session_close(s, err);
1247 	}
1248 	return s;
1249 }
1250 
1251 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1252 					       u8 dlci)
1253 {
1254 	int err = 0;
1255 
1256 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1257 
1258 	if (dlci) {
1259 		struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1260 		if (d) {
1261 			rfcomm_send_ua(s, dlci);
1262 
1263 			if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1264 				err = ECONNREFUSED;
1265 			else
1266 				err = ECONNRESET;
1267 
1268 			d->state = BT_CLOSED;
1269 			__rfcomm_dlc_close(d, err);
1270 		} else
1271 			rfcomm_send_dm(s, dlci);
1272 
1273 	} else {
1274 		rfcomm_send_ua(s, 0);
1275 
1276 		if (s->state == BT_CONNECT)
1277 			err = ECONNREFUSED;
1278 		else
1279 			err = ECONNRESET;
1280 
1281 		s = rfcomm_session_close(s, err);
1282 	}
1283 	return s;
1284 }
1285 
1286 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1287 {
1288 	struct sock *sk = d->session->sock->sk;
1289 	struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1290 
1291 	BT_DBG("dlc %p", d);
1292 
1293 	rfcomm_send_ua(d->session, d->dlci);
1294 
1295 	rfcomm_dlc_clear_timer(d);
1296 
1297 	rfcomm_dlc_lock(d);
1298 	d->state = BT_CONNECTED;
1299 	d->state_change(d, 0);
1300 	rfcomm_dlc_unlock(d);
1301 
1302 	if (d->role_switch)
1303 		hci_conn_switch_role(conn->hcon, 0x00);
1304 
1305 	rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1306 }
1307 
1308 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1309 {
1310 	if (rfcomm_check_security(d)) {
1311 		if (d->defer_setup) {
1312 			set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1313 			rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1314 
1315 			rfcomm_dlc_lock(d);
1316 			d->state = BT_CONNECT2;
1317 			d->state_change(d, 0);
1318 			rfcomm_dlc_unlock(d);
1319 		} else
1320 			rfcomm_dlc_accept(d);
1321 	} else {
1322 		set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1323 		rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1324 	}
1325 }
1326 
1327 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1328 {
1329 	struct rfcomm_dlc *d;
1330 	u8 channel;
1331 
1332 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1333 
1334 	if (!dlci) {
1335 		rfcomm_send_ua(s, 0);
1336 
1337 		if (s->state == BT_OPEN) {
1338 			s->state = BT_CONNECTED;
1339 			rfcomm_process_connect(s);
1340 		}
1341 		return 0;
1342 	}
1343 
1344 	/* Check if DLC exists */
1345 	d = rfcomm_dlc_get(s, dlci);
1346 	if (d) {
1347 		if (d->state == BT_OPEN) {
1348 			/* DLC was previously opened by PN request */
1349 			rfcomm_check_accept(d);
1350 		}
1351 		return 0;
1352 	}
1353 
1354 	/* Notify socket layer about incoming connection */
1355 	channel = __srv_channel(dlci);
1356 	if (rfcomm_connect_ind(s, channel, &d)) {
1357 		d->dlci = dlci;
1358 		d->addr = __addr(s->initiator, dlci);
1359 		rfcomm_dlc_link(s, d);
1360 
1361 		rfcomm_check_accept(d);
1362 	} else {
1363 		rfcomm_send_dm(s, dlci);
1364 	}
1365 
1366 	return 0;
1367 }
1368 
1369 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1370 {
1371 	struct rfcomm_session *s = d->session;
1372 
1373 	BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1374 			d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1375 
1376 	if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1377 						pn->flow_ctrl == 0xe0) {
1378 		d->cfc = RFCOMM_CFC_ENABLED;
1379 		d->tx_credits = pn->credits;
1380 	} else {
1381 		d->cfc = RFCOMM_CFC_DISABLED;
1382 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1383 	}
1384 
1385 	if (s->cfc == RFCOMM_CFC_UNKNOWN)
1386 		s->cfc = d->cfc;
1387 
1388 	d->priority = pn->priority;
1389 
1390 	d->mtu = __le16_to_cpu(pn->mtu);
1391 
1392 	if (cr && d->mtu > s->mtu)
1393 		d->mtu = s->mtu;
1394 
1395 	return 0;
1396 }
1397 
1398 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1399 {
1400 	struct rfcomm_pn *pn = (void *) skb->data;
1401 	struct rfcomm_dlc *d;
1402 	u8 dlci = pn->dlci;
1403 
1404 	BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1405 
1406 	if (!dlci)
1407 		return 0;
1408 
1409 	d = rfcomm_dlc_get(s, dlci);
1410 	if (d) {
1411 		if (cr) {
1412 			/* PN request */
1413 			rfcomm_apply_pn(d, cr, pn);
1414 			rfcomm_send_pn(s, 0, d);
1415 		} else {
1416 			/* PN response */
1417 			switch (d->state) {
1418 			case BT_CONFIG:
1419 				rfcomm_apply_pn(d, cr, pn);
1420 
1421 				d->state = BT_CONNECT;
1422 				rfcomm_send_sabm(s, d->dlci);
1423 				break;
1424 			}
1425 		}
1426 	} else {
1427 		u8 channel = __srv_channel(dlci);
1428 
1429 		if (!cr)
1430 			return 0;
1431 
1432 		/* PN request for non existing DLC.
1433 		 * Assume incoming connection. */
1434 		if (rfcomm_connect_ind(s, channel, &d)) {
1435 			d->dlci = dlci;
1436 			d->addr = __addr(s->initiator, dlci);
1437 			rfcomm_dlc_link(s, d);
1438 
1439 			rfcomm_apply_pn(d, cr, pn);
1440 
1441 			d->state = BT_OPEN;
1442 			rfcomm_send_pn(s, 0, d);
1443 		} else {
1444 			rfcomm_send_dm(s, dlci);
1445 		}
1446 	}
1447 	return 0;
1448 }
1449 
1450 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1451 {
1452 	struct rfcomm_rpn *rpn = (void *) skb->data;
1453 	u8 dlci = __get_dlci(rpn->dlci);
1454 
1455 	u8 bit_rate  = 0;
1456 	u8 data_bits = 0;
1457 	u8 stop_bits = 0;
1458 	u8 parity    = 0;
1459 	u8 flow_ctrl = 0;
1460 	u8 xon_char  = 0;
1461 	u8 xoff_char = 0;
1462 	u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1463 
1464 	BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1465 		dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1466 		rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1467 
1468 	if (!cr)
1469 		return 0;
1470 
1471 	if (len == 1) {
1472 		/* This is a request, return default (according to ETSI TS 07.10) settings */
1473 		bit_rate  = RFCOMM_RPN_BR_9600;
1474 		data_bits = RFCOMM_RPN_DATA_8;
1475 		stop_bits = RFCOMM_RPN_STOP_1;
1476 		parity    = RFCOMM_RPN_PARITY_NONE;
1477 		flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1478 		xon_char  = RFCOMM_RPN_XON_CHAR;
1479 		xoff_char = RFCOMM_RPN_XOFF_CHAR;
1480 		goto rpn_out;
1481 	}
1482 
1483 	/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1484 	 * no parity, no flow control lines, normal XON/XOFF chars */
1485 
1486 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1487 		bit_rate = rpn->bit_rate;
1488 		if (bit_rate > RFCOMM_RPN_BR_230400) {
1489 			BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1490 			bit_rate = RFCOMM_RPN_BR_9600;
1491 			rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1492 		}
1493 	}
1494 
1495 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1496 		data_bits = __get_rpn_data_bits(rpn->line_settings);
1497 		if (data_bits != RFCOMM_RPN_DATA_8) {
1498 			BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1499 			data_bits = RFCOMM_RPN_DATA_8;
1500 			rpn_mask ^= RFCOMM_RPN_PM_DATA;
1501 		}
1502 	}
1503 
1504 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1505 		stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1506 		if (stop_bits != RFCOMM_RPN_STOP_1) {
1507 			BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1508 			stop_bits = RFCOMM_RPN_STOP_1;
1509 			rpn_mask ^= RFCOMM_RPN_PM_STOP;
1510 		}
1511 	}
1512 
1513 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1514 		parity = __get_rpn_parity(rpn->line_settings);
1515 		if (parity != RFCOMM_RPN_PARITY_NONE) {
1516 			BT_DBG("RPN parity mismatch 0x%x", parity);
1517 			parity = RFCOMM_RPN_PARITY_NONE;
1518 			rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1519 		}
1520 	}
1521 
1522 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1523 		flow_ctrl = rpn->flow_ctrl;
1524 		if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1525 			BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1526 			flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1527 			rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1528 		}
1529 	}
1530 
1531 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1532 		xon_char = rpn->xon_char;
1533 		if (xon_char != RFCOMM_RPN_XON_CHAR) {
1534 			BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1535 			xon_char = RFCOMM_RPN_XON_CHAR;
1536 			rpn_mask ^= RFCOMM_RPN_PM_XON;
1537 		}
1538 	}
1539 
1540 	if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1541 		xoff_char = rpn->xoff_char;
1542 		if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1543 			BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1544 			xoff_char = RFCOMM_RPN_XOFF_CHAR;
1545 			rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1546 		}
1547 	}
1548 
1549 rpn_out:
1550 	rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1551 			parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1552 
1553 	return 0;
1554 }
1555 
1556 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1557 {
1558 	struct rfcomm_rls *rls = (void *) skb->data;
1559 	u8 dlci = __get_dlci(rls->dlci);
1560 
1561 	BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1562 
1563 	if (!cr)
1564 		return 0;
1565 
1566 	/* We should probably do something with this information here. But
1567 	 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1568 	 * mandatory to recognise and respond to RLS */
1569 
1570 	rfcomm_send_rls(s, 0, dlci, rls->status);
1571 
1572 	return 0;
1573 }
1574 
1575 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1576 {
1577 	struct rfcomm_msc *msc = (void *) skb->data;
1578 	struct rfcomm_dlc *d;
1579 	u8 dlci = __get_dlci(msc->dlci);
1580 
1581 	BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1582 
1583 	d = rfcomm_dlc_get(s, dlci);
1584 	if (!d)
1585 		return 0;
1586 
1587 	if (cr) {
1588 		if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1589 			set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1590 		else
1591 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1592 
1593 		rfcomm_dlc_lock(d);
1594 
1595 		d->remote_v24_sig = msc->v24_sig;
1596 
1597 		if (d->modem_status)
1598 			d->modem_status(d, msc->v24_sig);
1599 
1600 		rfcomm_dlc_unlock(d);
1601 
1602 		rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1603 
1604 		d->mscex |= RFCOMM_MSCEX_RX;
1605 	} else
1606 		d->mscex |= RFCOMM_MSCEX_TX;
1607 
1608 	return 0;
1609 }
1610 
1611 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1612 {
1613 	struct rfcomm_mcc *mcc = (void *) skb->data;
1614 	u8 type, cr, len;
1615 
1616 	cr   = __test_cr(mcc->type);
1617 	type = __get_mcc_type(mcc->type);
1618 	len  = __get_mcc_len(mcc->len);
1619 
1620 	BT_DBG("%p type 0x%x cr %d", s, type, cr);
1621 
1622 	skb_pull(skb, 2);
1623 
1624 	switch (type) {
1625 	case RFCOMM_PN:
1626 		rfcomm_recv_pn(s, cr, skb);
1627 		break;
1628 
1629 	case RFCOMM_RPN:
1630 		rfcomm_recv_rpn(s, cr, len, skb);
1631 		break;
1632 
1633 	case RFCOMM_RLS:
1634 		rfcomm_recv_rls(s, cr, skb);
1635 		break;
1636 
1637 	case RFCOMM_MSC:
1638 		rfcomm_recv_msc(s, cr, skb);
1639 		break;
1640 
1641 	case RFCOMM_FCOFF:
1642 		if (cr) {
1643 			set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1644 			rfcomm_send_fcoff(s, 0);
1645 		}
1646 		break;
1647 
1648 	case RFCOMM_FCON:
1649 		if (cr) {
1650 			clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1651 			rfcomm_send_fcon(s, 0);
1652 		}
1653 		break;
1654 
1655 	case RFCOMM_TEST:
1656 		if (cr)
1657 			rfcomm_send_test(s, 0, skb->data, skb->len);
1658 		break;
1659 
1660 	case RFCOMM_NSC:
1661 		break;
1662 
1663 	default:
1664 		BT_ERR("Unknown control type 0x%02x", type);
1665 		rfcomm_send_nsc(s, cr, type);
1666 		break;
1667 	}
1668 	return 0;
1669 }
1670 
1671 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1672 {
1673 	struct rfcomm_dlc *d;
1674 
1675 	BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1676 
1677 	d = rfcomm_dlc_get(s, dlci);
1678 	if (!d) {
1679 		rfcomm_send_dm(s, dlci);
1680 		goto drop;
1681 	}
1682 
1683 	if (pf && d->cfc) {
1684 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1685 
1686 		d->tx_credits += credits;
1687 		if (d->tx_credits)
1688 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1689 	}
1690 
1691 	if (skb->len && d->state == BT_CONNECTED) {
1692 		rfcomm_dlc_lock(d);
1693 		d->rx_credits--;
1694 		d->data_ready(d, skb);
1695 		rfcomm_dlc_unlock(d);
1696 		return 0;
1697 	}
1698 
1699 drop:
1700 	kfree_skb(skb);
1701 	return 0;
1702 }
1703 
1704 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1705 						struct sk_buff *skb)
1706 {
1707 	struct rfcomm_hdr *hdr = (void *) skb->data;
1708 	u8 type, dlci, fcs;
1709 
1710 	if (!s) {
1711 		/* no session, so free socket data */
1712 		kfree_skb(skb);
1713 		return s;
1714 	}
1715 
1716 	dlci = __get_dlci(hdr->addr);
1717 	type = __get_type(hdr->ctrl);
1718 
1719 	/* Trim FCS */
1720 	skb->len--; skb->tail--;
1721 	fcs = *(u8 *)skb_tail_pointer(skb);
1722 
1723 	if (__check_fcs(skb->data, type, fcs)) {
1724 		BT_ERR("bad checksum in packet");
1725 		kfree_skb(skb);
1726 		return s;
1727 	}
1728 
1729 	if (__test_ea(hdr->len))
1730 		skb_pull(skb, 3);
1731 	else
1732 		skb_pull(skb, 4);
1733 
1734 	switch (type) {
1735 	case RFCOMM_SABM:
1736 		if (__test_pf(hdr->ctrl))
1737 			rfcomm_recv_sabm(s, dlci);
1738 		break;
1739 
1740 	case RFCOMM_DISC:
1741 		if (__test_pf(hdr->ctrl))
1742 			s = rfcomm_recv_disc(s, dlci);
1743 		break;
1744 
1745 	case RFCOMM_UA:
1746 		if (__test_pf(hdr->ctrl))
1747 			s = rfcomm_recv_ua(s, dlci);
1748 		break;
1749 
1750 	case RFCOMM_DM:
1751 		s = rfcomm_recv_dm(s, dlci);
1752 		break;
1753 
1754 	case RFCOMM_UIH:
1755 		if (dlci) {
1756 			rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1757 			return s;
1758 		}
1759 		rfcomm_recv_mcc(s, skb);
1760 		break;
1761 
1762 	default:
1763 		BT_ERR("Unknown packet type 0x%02x", type);
1764 		break;
1765 	}
1766 	kfree_skb(skb);
1767 	return s;
1768 }
1769 
1770 /* ---- Connection and data processing ---- */
1771 
1772 static void rfcomm_process_connect(struct rfcomm_session *s)
1773 {
1774 	struct rfcomm_dlc *d;
1775 	struct list_head *p, *n;
1776 
1777 	BT_DBG("session %p state %ld", s, s->state);
1778 
1779 	list_for_each_safe(p, n, &s->dlcs) {
1780 		d = list_entry(p, struct rfcomm_dlc, list);
1781 		if (d->state == BT_CONFIG) {
1782 			d->mtu = s->mtu;
1783 			if (rfcomm_check_security(d)) {
1784 				rfcomm_send_pn(s, 1, d);
1785 			} else {
1786 				set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1787 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1788 			}
1789 		}
1790 	}
1791 }
1792 
1793 /* Send data queued for the DLC.
1794  * Return number of frames left in the queue.
1795  */
1796 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1797 {
1798 	struct sk_buff *skb;
1799 	int err;
1800 
1801 	BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1802 			d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1803 
1804 	/* Send pending MSC */
1805 	if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1806 		rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1807 
1808 	if (d->cfc) {
1809 		/* CFC enabled.
1810 		 * Give them some credits */
1811 		if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1812 				d->rx_credits <= (d->cfc >> 2)) {
1813 			rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1814 			d->rx_credits = d->cfc;
1815 		}
1816 	} else {
1817 		/* CFC disabled.
1818 		 * Give ourselves some credits */
1819 		d->tx_credits = 5;
1820 	}
1821 
1822 	if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1823 		return skb_queue_len(&d->tx_queue);
1824 
1825 	while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1826 		err = rfcomm_send_frame(d->session, skb->data, skb->len);
1827 		if (err < 0) {
1828 			skb_queue_head(&d->tx_queue, skb);
1829 			break;
1830 		}
1831 		kfree_skb(skb);
1832 		d->tx_credits--;
1833 	}
1834 
1835 	if (d->cfc && !d->tx_credits) {
1836 		/* We're out of TX credits.
1837 		 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1838 		set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1839 	}
1840 
1841 	return skb_queue_len(&d->tx_queue);
1842 }
1843 
1844 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1845 {
1846 	struct rfcomm_dlc *d;
1847 	struct list_head *p, *n;
1848 
1849 	BT_DBG("session %p state %ld", s, s->state);
1850 
1851 	list_for_each_safe(p, n, &s->dlcs) {
1852 		d = list_entry(p, struct rfcomm_dlc, list);
1853 
1854 		if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1855 			__rfcomm_dlc_close(d, ETIMEDOUT);
1856 			continue;
1857 		}
1858 
1859 		if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1860 			__rfcomm_dlc_close(d, ECONNREFUSED);
1861 			continue;
1862 		}
1863 
1864 		if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1865 			rfcomm_dlc_clear_timer(d);
1866 			if (d->out) {
1867 				rfcomm_send_pn(s, 1, d);
1868 				rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1869 			} else {
1870 				if (d->defer_setup) {
1871 					set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1872 					rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1873 
1874 					rfcomm_dlc_lock(d);
1875 					d->state = BT_CONNECT2;
1876 					d->state_change(d, 0);
1877 					rfcomm_dlc_unlock(d);
1878 				} else
1879 					rfcomm_dlc_accept(d);
1880 			}
1881 			continue;
1882 		} else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1883 			rfcomm_dlc_clear_timer(d);
1884 			if (!d->out)
1885 				rfcomm_send_dm(s, d->dlci);
1886 			else
1887 				d->state = BT_CLOSED;
1888 			__rfcomm_dlc_close(d, ECONNREFUSED);
1889 			continue;
1890 		}
1891 
1892 		if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1893 			continue;
1894 
1895 		if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1896 			continue;
1897 
1898 		if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1899 						d->mscex == RFCOMM_MSCEX_OK)
1900 			rfcomm_process_tx(d);
1901 	}
1902 }
1903 
1904 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1905 {
1906 	struct socket *sock = s->sock;
1907 	struct sock *sk = sock->sk;
1908 	struct sk_buff *skb;
1909 
1910 	BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1911 
1912 	/* Get data directly from socket receive queue without copying it. */
1913 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1914 		skb_orphan(skb);
1915 		if (!skb_linearize(skb)) {
1916 			s = rfcomm_recv_frame(s, skb);
1917 			if (!s)
1918 				break;
1919 		} else {
1920 			kfree_skb(skb);
1921 		}
1922 	}
1923 
1924 	if (s && (sk->sk_state == BT_CLOSED))
1925 		s = rfcomm_session_close(s, sk->sk_err);
1926 
1927 	return s;
1928 }
1929 
1930 static void rfcomm_accept_connection(struct rfcomm_session *s)
1931 {
1932 	struct socket *sock = s->sock, *nsock;
1933 	int err;
1934 
1935 	/* Fast check for a new connection.
1936 	 * Avoids unnesesary socket allocations. */
1937 	if (list_empty(&bt_sk(sock->sk)->accept_q))
1938 		return;
1939 
1940 	BT_DBG("session %p", s);
1941 
1942 	err = kernel_accept(sock, &nsock, O_NONBLOCK);
1943 	if (err < 0)
1944 		return;
1945 
1946 	/* Set our callbacks */
1947 	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1948 	nsock->sk->sk_state_change = rfcomm_l2state_change;
1949 
1950 	s = rfcomm_session_add(nsock, BT_OPEN);
1951 	if (s) {
1952 		/* We should adjust MTU on incoming sessions.
1953 		 * L2CAP MTU minus UIH header and FCS. */
1954 		s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1955 				l2cap_pi(nsock->sk)->chan->imtu) - 5;
1956 
1957 		rfcomm_schedule();
1958 	} else
1959 		sock_release(nsock);
1960 }
1961 
1962 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1963 {
1964 	struct sock *sk = s->sock->sk;
1965 
1966 	BT_DBG("%p state %ld", s, s->state);
1967 
1968 	switch (sk->sk_state) {
1969 	case BT_CONNECTED:
1970 		s->state = BT_CONNECT;
1971 
1972 		/* We can adjust MTU on outgoing sessions.
1973 		 * L2CAP MTU minus UIH header and FCS. */
1974 		s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1975 
1976 		rfcomm_send_sabm(s, 0);
1977 		break;
1978 
1979 	case BT_CLOSED:
1980 		s = rfcomm_session_close(s, sk->sk_err);
1981 		break;
1982 	}
1983 	return s;
1984 }
1985 
1986 static void rfcomm_process_sessions(void)
1987 {
1988 	struct list_head *p, *n;
1989 
1990 	rfcomm_lock();
1991 
1992 	list_for_each_safe(p, n, &session_list) {
1993 		struct rfcomm_session *s;
1994 		s = list_entry(p, struct rfcomm_session, list);
1995 
1996 		if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1997 			s->state = BT_DISCONN;
1998 			rfcomm_send_disc(s, 0);
1999 			continue;
2000 		}
2001 
2002 		switch (s->state) {
2003 		case BT_LISTEN:
2004 			rfcomm_accept_connection(s);
2005 			continue;
2006 
2007 		case BT_BOUND:
2008 			s = rfcomm_check_connection(s);
2009 			break;
2010 
2011 		default:
2012 			s = rfcomm_process_rx(s);
2013 			break;
2014 		}
2015 
2016 		if (s)
2017 			rfcomm_process_dlcs(s);
2018 	}
2019 
2020 	rfcomm_unlock();
2021 }
2022 
2023 static int rfcomm_add_listener(bdaddr_t *ba)
2024 {
2025 	struct sockaddr_l2 addr;
2026 	struct socket *sock;
2027 	struct sock *sk;
2028 	struct rfcomm_session *s;
2029 	int    err = 0;
2030 
2031 	/* Create socket */
2032 	err = rfcomm_l2sock_create(&sock);
2033 	if (err < 0) {
2034 		BT_ERR("Create socket failed %d", err);
2035 		return err;
2036 	}
2037 
2038 	/* Bind socket */
2039 	bacpy(&addr.l2_bdaddr, ba);
2040 	addr.l2_family = AF_BLUETOOTH;
2041 	addr.l2_psm    = cpu_to_le16(L2CAP_PSM_RFCOMM);
2042 	addr.l2_cid    = 0;
2043 	addr.l2_bdaddr_type = BDADDR_BREDR;
2044 	err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2045 	if (err < 0) {
2046 		BT_ERR("Bind failed %d", err);
2047 		goto failed;
2048 	}
2049 
2050 	/* Set L2CAP options */
2051 	sk = sock->sk;
2052 	lock_sock(sk);
2053 	l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2054 	release_sock(sk);
2055 
2056 	/* Start listening on the socket */
2057 	err = kernel_listen(sock, 10);
2058 	if (err) {
2059 		BT_ERR("Listen failed %d", err);
2060 		goto failed;
2061 	}
2062 
2063 	/* Add listening session */
2064 	s = rfcomm_session_add(sock, BT_LISTEN);
2065 	if (!s) {
2066 		err = -ENOMEM;
2067 		goto failed;
2068 	}
2069 
2070 	return 0;
2071 failed:
2072 	sock_release(sock);
2073 	return err;
2074 }
2075 
2076 static void rfcomm_kill_listener(void)
2077 {
2078 	struct rfcomm_session *s;
2079 	struct list_head *p, *n;
2080 
2081 	BT_DBG("");
2082 
2083 	list_for_each_safe(p, n, &session_list) {
2084 		s = list_entry(p, struct rfcomm_session, list);
2085 		rfcomm_session_del(s);
2086 	}
2087 }
2088 
2089 static int rfcomm_run(void *unused)
2090 {
2091 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
2092 	BT_DBG("");
2093 
2094 	set_user_nice(current, -10);
2095 
2096 	rfcomm_add_listener(BDADDR_ANY);
2097 
2098 	add_wait_queue(&rfcomm_wq, &wait);
2099 	while (!kthread_should_stop()) {
2100 
2101 		/* Process stuff */
2102 		rfcomm_process_sessions();
2103 
2104 		wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2105 	}
2106 	remove_wait_queue(&rfcomm_wq, &wait);
2107 
2108 	rfcomm_kill_listener();
2109 
2110 	return 0;
2111 }
2112 
2113 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2114 {
2115 	struct rfcomm_session *s;
2116 	struct rfcomm_dlc *d;
2117 	struct list_head *p, *n;
2118 
2119 	BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2120 
2121 	s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2122 	if (!s)
2123 		return;
2124 
2125 	list_for_each_safe(p, n, &s->dlcs) {
2126 		d = list_entry(p, struct rfcomm_dlc, list);
2127 
2128 		if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2129 			rfcomm_dlc_clear_timer(d);
2130 			if (status || encrypt == 0x00) {
2131 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2132 				continue;
2133 			}
2134 		}
2135 
2136 		if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2137 			if (d->sec_level == BT_SECURITY_MEDIUM) {
2138 				set_bit(RFCOMM_SEC_PENDING, &d->flags);
2139 				rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2140 				continue;
2141 			} else if (d->sec_level == BT_SECURITY_HIGH ||
2142 				   d->sec_level == BT_SECURITY_FIPS) {
2143 				set_bit(RFCOMM_ENC_DROP, &d->flags);
2144 				continue;
2145 			}
2146 		}
2147 
2148 		if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2149 			continue;
2150 
2151 		if (!status && hci_conn_check_secure(conn, d->sec_level))
2152 			set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2153 		else
2154 			set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2155 	}
2156 
2157 	rfcomm_schedule();
2158 }
2159 
2160 static struct hci_cb rfcomm_cb = {
2161 	.name		= "RFCOMM",
2162 	.security_cfm	= rfcomm_security_cfm
2163 };
2164 
2165 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2166 {
2167 	struct rfcomm_session *s;
2168 
2169 	rfcomm_lock();
2170 
2171 	list_for_each_entry(s, &session_list, list) {
2172 		struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2173 		struct rfcomm_dlc *d;
2174 		list_for_each_entry(d, &s->dlcs, list) {
2175 			seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2176 				   &chan->src, &chan->dst,
2177 				   d->state, d->dlci, d->mtu,
2178 				   d->rx_credits, d->tx_credits);
2179 		}
2180 	}
2181 
2182 	rfcomm_unlock();
2183 
2184 	return 0;
2185 }
2186 
2187 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2188 {
2189 	return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2190 }
2191 
2192 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2193 	.open		= rfcomm_dlc_debugfs_open,
2194 	.read		= seq_read,
2195 	.llseek		= seq_lseek,
2196 	.release	= single_release,
2197 };
2198 
2199 static struct dentry *rfcomm_dlc_debugfs;
2200 
2201 /* ---- Initialization ---- */
2202 static int __init rfcomm_init(void)
2203 {
2204 	int err;
2205 
2206 	hci_register_cb(&rfcomm_cb);
2207 
2208 	rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2209 	if (IS_ERR(rfcomm_thread)) {
2210 		err = PTR_ERR(rfcomm_thread);
2211 		goto unregister;
2212 	}
2213 
2214 	err = rfcomm_init_ttys();
2215 	if (err < 0)
2216 		goto stop;
2217 
2218 	err = rfcomm_init_sockets();
2219 	if (err < 0)
2220 		goto cleanup;
2221 
2222 	BT_INFO("RFCOMM ver %s", VERSION);
2223 
2224 	if (IS_ERR_OR_NULL(bt_debugfs))
2225 		return 0;
2226 
2227 	rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2228 						 bt_debugfs, NULL,
2229 						 &rfcomm_dlc_debugfs_fops);
2230 
2231 	return 0;
2232 
2233 cleanup:
2234 	rfcomm_cleanup_ttys();
2235 
2236 stop:
2237 	kthread_stop(rfcomm_thread);
2238 
2239 unregister:
2240 	hci_unregister_cb(&rfcomm_cb);
2241 
2242 	return err;
2243 }
2244 
2245 static void __exit rfcomm_exit(void)
2246 {
2247 	debugfs_remove(rfcomm_dlc_debugfs);
2248 
2249 	hci_unregister_cb(&rfcomm_cb);
2250 
2251 	kthread_stop(rfcomm_thread);
2252 
2253 	rfcomm_cleanup_ttys();
2254 
2255 	rfcomm_cleanup_sockets();
2256 }
2257 
2258 module_init(rfcomm_init);
2259 module_exit(rfcomm_exit);
2260 
2261 module_param(disable_cfc, bool, 0644);
2262 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2263 
2264 module_param(channel_mtu, int, 0644);
2265 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2266 
2267 module_param(l2cap_mtu, uint, 0644);
2268 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2269 
2270 module_param(l2cap_ertm, bool, 0644);
2271 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2272 
2273 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2274 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2275 MODULE_VERSION(VERSION);
2276 MODULE_LICENSE("GPL");
2277 MODULE_ALIAS("bt-proto-3");
2278