1/* 2 RFCOMM implementation for Linux Bluetooth stack (BlueZ). 3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com> 4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org> 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License version 2 as 8 published by the Free Software Foundation; 9 10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 21 SOFTWARE IS DISCLAIMED. 22*/ 23 24/* 25 * Bluetooth RFCOMM core. 26 */ 27 28#include <linux/module.h> 29#include <linux/debugfs.h> 30#include <linux/kthread.h> 31#include <asm/unaligned.h> 32 33#include <net/bluetooth/bluetooth.h> 34#include <net/bluetooth/hci_core.h> 35#include <net/bluetooth/l2cap.h> 36#include <net/bluetooth/rfcomm.h> 37 38#define VERSION "1.11" 39 40static bool disable_cfc; 41static bool l2cap_ertm; 42static int channel_mtu = -1; 43static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU; 44 45static struct task_struct *rfcomm_thread; 46 47static DEFINE_MUTEX(rfcomm_mutex); 48#define rfcomm_lock() mutex_lock(&rfcomm_mutex) 49#define rfcomm_unlock() mutex_unlock(&rfcomm_mutex) 50 51 52static LIST_HEAD(session_list); 53 54static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len); 55static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 56static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 57static int rfcomm_queue_disc(struct rfcomm_dlc *d); 58static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type); 59static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d); 60static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig); 61static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len); 62static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits); 63static void rfcomm_make_uih(struct sk_buff *skb, u8 addr); 64 65static void rfcomm_process_connect(struct rfcomm_session *s); 66 67static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 68 bdaddr_t *dst, 69 u8 sec_level, 70 int *err); 71static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst); 72static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s); 73 74/* ---- RFCOMM frame parsing macros ---- */ 75#define __get_dlci(b) ((b & 0xfc) >> 2) 76#define __get_channel(b) ((b & 0xf8) >> 3) 77#define __get_dir(b) ((b & 0x04) >> 2) 78#define __get_type(b) ((b & 0xef)) 79 80#define __test_ea(b) ((b & 0x01)) 81#define __test_cr(b) (!!(b & 0x02)) 82#define __test_pf(b) (!!(b & 0x10)) 83 84#define __session_dir(s) ((s)->initiator ? 0x00 : 0x01) 85 86#define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01) 87#define __ctrl(type, pf) (((type & 0xef) | (pf << 4))) 88#define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir) 89#define __srv_channel(dlci) (dlci >> 1) 90#define __dir(dlci) (dlci & 0x01) 91 92#define __len8(len) (((len) << 1) | 1) 93#define __len16(len) ((len) << 1) 94 95/* MCC macros */ 96#define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01)) 97#define __get_mcc_type(b) ((b & 0xfc) >> 2) 98#define __get_mcc_len(b) ((b & 0xfe) >> 1) 99 100/* RPN macros */ 101#define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3)) 102#define __get_rpn_data_bits(line) ((line) & 0x3) 103#define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1) 104#define __get_rpn_parity(line) (((line) >> 3) & 0x7) 105 106static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq); 107 108static void rfcomm_schedule(void) 109{ 110 wake_up_all(&rfcomm_wq); 111} 112 113/* ---- RFCOMM FCS computation ---- */ 114 115/* reversed, 8-bit, poly=0x07 */ 116static unsigned char rfcomm_crc_table[256] = { 117 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75, 118 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b, 119 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69, 120 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67, 121 122 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d, 123 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43, 124 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51, 125 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f, 126 127 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05, 128 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b, 129 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19, 130 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17, 131 132 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d, 133 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33, 134 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21, 135 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f, 136 137 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95, 138 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b, 139 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89, 140 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87, 141 142 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad, 143 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3, 144 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1, 145 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf, 146 147 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5, 148 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb, 149 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9, 150 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7, 151 152 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd, 153 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3, 154 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1, 155 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf 156}; 157 158/* CRC on 2 bytes */ 159#define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]]) 160 161/* FCS on 2 bytes */ 162static inline u8 __fcs(u8 *data) 163{ 164 return 0xff - __crc(data); 165} 166 167/* FCS on 3 bytes */ 168static inline u8 __fcs2(u8 *data) 169{ 170 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]]; 171} 172 173/* Check FCS */ 174static inline int __check_fcs(u8 *data, int type, u8 fcs) 175{ 176 u8 f = __crc(data); 177 178 if (type != RFCOMM_UIH) 179 f = rfcomm_crc_table[f ^ data[2]]; 180 181 return rfcomm_crc_table[f ^ fcs] != 0xcf; 182} 183 184/* ---- L2CAP callbacks ---- */ 185static void rfcomm_l2state_change(struct sock *sk) 186{ 187 BT_DBG("%p state %d", sk, sk->sk_state); 188 rfcomm_schedule(); 189} 190 191static void rfcomm_l2data_ready(struct sock *sk) 192{ 193 BT_DBG("%p", sk); 194 rfcomm_schedule(); 195} 196 197static int rfcomm_l2sock_create(struct socket **sock) 198{ 199 int err; 200 201 BT_DBG(""); 202 203 err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock); 204 if (!err) { 205 struct sock *sk = (*sock)->sk; 206 sk->sk_data_ready = rfcomm_l2data_ready; 207 sk->sk_state_change = rfcomm_l2state_change; 208 } 209 return err; 210} 211 212static int rfcomm_check_security(struct rfcomm_dlc *d) 213{ 214 struct sock *sk = d->session->sock->sk; 215 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 216 217 __u8 auth_type; 218 219 switch (d->sec_level) { 220 case BT_SECURITY_HIGH: 221 case BT_SECURITY_FIPS: 222 auth_type = HCI_AT_GENERAL_BONDING_MITM; 223 break; 224 case BT_SECURITY_MEDIUM: 225 auth_type = HCI_AT_GENERAL_BONDING; 226 break; 227 default: 228 auth_type = HCI_AT_NO_BONDING; 229 break; 230 } 231 232 return hci_conn_security(conn->hcon, d->sec_level, auth_type, 233 d->out); 234} 235 236static void rfcomm_session_timeout(unsigned long arg) 237{ 238 struct rfcomm_session *s = (void *) arg; 239 240 BT_DBG("session %p state %ld", s, s->state); 241 242 set_bit(RFCOMM_TIMED_OUT, &s->flags); 243 rfcomm_schedule(); 244} 245 246static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout) 247{ 248 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout); 249 250 mod_timer(&s->timer, jiffies + timeout); 251} 252 253static void rfcomm_session_clear_timer(struct rfcomm_session *s) 254{ 255 BT_DBG("session %p state %ld", s, s->state); 256 257 del_timer_sync(&s->timer); 258} 259 260/* ---- RFCOMM DLCs ---- */ 261static void rfcomm_dlc_timeout(unsigned long arg) 262{ 263 struct rfcomm_dlc *d = (void *) arg; 264 265 BT_DBG("dlc %p state %ld", d, d->state); 266 267 set_bit(RFCOMM_TIMED_OUT, &d->flags); 268 rfcomm_dlc_put(d); 269 rfcomm_schedule(); 270} 271 272static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout) 273{ 274 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout); 275 276 if (!mod_timer(&d->timer, jiffies + timeout)) 277 rfcomm_dlc_hold(d); 278} 279 280static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d) 281{ 282 BT_DBG("dlc %p state %ld", d, d->state); 283 284 if (del_timer(&d->timer)) 285 rfcomm_dlc_put(d); 286} 287 288static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d) 289{ 290 BT_DBG("%p", d); 291 292 d->state = BT_OPEN; 293 d->flags = 0; 294 d->mscex = 0; 295 d->sec_level = BT_SECURITY_LOW; 296 d->mtu = RFCOMM_DEFAULT_MTU; 297 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV; 298 299 d->cfc = RFCOMM_CFC_DISABLED; 300 d->rx_credits = RFCOMM_DEFAULT_CREDITS; 301} 302 303struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio) 304{ 305 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio); 306 307 if (!d) 308 return NULL; 309 310 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d); 311 312 skb_queue_head_init(&d->tx_queue); 313 mutex_init(&d->lock); 314 atomic_set(&d->refcnt, 1); 315 316 rfcomm_dlc_clear_state(d); 317 318 BT_DBG("%p", d); 319 320 return d; 321} 322 323void rfcomm_dlc_free(struct rfcomm_dlc *d) 324{ 325 BT_DBG("%p", d); 326 327 skb_queue_purge(&d->tx_queue); 328 kfree(d); 329} 330 331static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d) 332{ 333 BT_DBG("dlc %p session %p", d, s); 334 335 rfcomm_session_clear_timer(s); 336 rfcomm_dlc_hold(d); 337 list_add(&d->list, &s->dlcs); 338 d->session = s; 339} 340 341static void rfcomm_dlc_unlink(struct rfcomm_dlc *d) 342{ 343 struct rfcomm_session *s = d->session; 344 345 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 346 347 list_del(&d->list); 348 d->session = NULL; 349 rfcomm_dlc_put(d); 350 351 if (list_empty(&s->dlcs)) 352 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT); 353} 354 355static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci) 356{ 357 struct rfcomm_dlc *d; 358 359 list_for_each_entry(d, &s->dlcs, list) 360 if (d->dlci == dlci) 361 return d; 362 363 return NULL; 364} 365 366static int rfcomm_check_channel(u8 channel) 367{ 368 return channel < 1 || channel > 30; 369} 370 371static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 372{ 373 struct rfcomm_session *s; 374 int err = 0; 375 u8 dlci; 376 377 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d", 378 d, d->state, src, dst, channel); 379 380 if (rfcomm_check_channel(channel)) 381 return -EINVAL; 382 383 if (d->state != BT_OPEN && d->state != BT_CLOSED) 384 return 0; 385 386 s = rfcomm_session_get(src, dst); 387 if (!s) { 388 s = rfcomm_session_create(src, dst, d->sec_level, &err); 389 if (!s) 390 return err; 391 } 392 393 dlci = __dlci(__session_dir(s), channel); 394 395 /* Check if DLCI already exists */ 396 if (rfcomm_dlc_get(s, dlci)) 397 return -EBUSY; 398 399 rfcomm_dlc_clear_state(d); 400 401 d->dlci = dlci; 402 d->addr = __addr(s->initiator, dlci); 403 d->priority = 7; 404 405 d->state = BT_CONFIG; 406 rfcomm_dlc_link(s, d); 407 408 d->out = 1; 409 410 d->mtu = s->mtu; 411 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc; 412 413 if (s->state == BT_CONNECTED) { 414 if (rfcomm_check_security(d)) 415 rfcomm_send_pn(s, 1, d); 416 else 417 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 418 } 419 420 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 421 422 return 0; 423} 424 425int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel) 426{ 427 int r; 428 429 rfcomm_lock(); 430 431 r = __rfcomm_dlc_open(d, src, dst, channel); 432 433 rfcomm_unlock(); 434 return r; 435} 436 437static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d) 438{ 439 struct rfcomm_session *s = d->session; 440 441 d->state = BT_DISCONN; 442 if (skb_queue_empty(&d->tx_queue)) { 443 rfcomm_send_disc(s, d->dlci); 444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT); 445 } else { 446 rfcomm_queue_disc(d); 447 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2); 448 } 449} 450 451static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 452{ 453 struct rfcomm_session *s = d->session; 454 if (!s) 455 return 0; 456 457 BT_DBG("dlc %p state %ld dlci %d err %d session %p", 458 d, d->state, d->dlci, err, s); 459 460 switch (d->state) { 461 case BT_CONNECT: 462 case BT_CONFIG: 463 case BT_OPEN: 464 case BT_CONNECT2: 465 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 466 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 467 rfcomm_schedule(); 468 return 0; 469 } 470 } 471 472 switch (d->state) { 473 case BT_CONNECT: 474 case BT_CONNECTED: 475 __rfcomm_dlc_disconn(d); 476 break; 477 478 case BT_CONFIG: 479 if (s->state != BT_BOUND) { 480 __rfcomm_dlc_disconn(d); 481 break; 482 } 483 /* if closing a dlc in a session that hasn't been started, 484 * just close and unlink the dlc 485 */ 486 487 default: 488 rfcomm_dlc_clear_timer(d); 489 490 rfcomm_dlc_lock(d); 491 d->state = BT_CLOSED; 492 d->state_change(d, err); 493 rfcomm_dlc_unlock(d); 494 495 skb_queue_purge(&d->tx_queue); 496 rfcomm_dlc_unlink(d); 497 } 498 499 return 0; 500} 501 502int rfcomm_dlc_close(struct rfcomm_dlc *d, int err) 503{ 504 int r = 0; 505 struct rfcomm_dlc *d_list; 506 struct rfcomm_session *s, *s_list; 507 508 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err); 509 510 rfcomm_lock(); 511 512 s = d->session; 513 if (!s) 514 goto no_session; 515 516 /* after waiting on the mutex check the session still exists 517 * then check the dlc still exists 518 */ 519 list_for_each_entry(s_list, &session_list, list) { 520 if (s_list == s) { 521 list_for_each_entry(d_list, &s->dlcs, list) { 522 if (d_list == d) { 523 r = __rfcomm_dlc_close(d, err); 524 break; 525 } 526 } 527 break; 528 } 529 } 530 531no_session: 532 rfcomm_unlock(); 533 return r; 534} 535 536struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel) 537{ 538 struct rfcomm_session *s; 539 struct rfcomm_dlc *dlc = NULL; 540 u8 dlci; 541 542 if (rfcomm_check_channel(channel)) 543 return ERR_PTR(-EINVAL); 544 545 rfcomm_lock(); 546 s = rfcomm_session_get(src, dst); 547 if (s) { 548 dlci = __dlci(__session_dir(s), channel); 549 dlc = rfcomm_dlc_get(s, dlci); 550 } 551 rfcomm_unlock(); 552 return dlc; 553} 554 555int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb) 556{ 557 int len = skb->len; 558 559 if (d->state != BT_CONNECTED) 560 return -ENOTCONN; 561 562 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 563 564 if (len > d->mtu) 565 return -EINVAL; 566 567 rfcomm_make_uih(skb, d->addr); 568 skb_queue_tail(&d->tx_queue, skb); 569 570 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 571 rfcomm_schedule(); 572 return len; 573} 574 575void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb) 576{ 577 int len = skb->len; 578 579 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len); 580 581 rfcomm_make_uih(skb, d->addr); 582 skb_queue_tail(&d->tx_queue, skb); 583 584 if (d->state == BT_CONNECTED && 585 !test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 586 rfcomm_schedule(); 587} 588 589void __rfcomm_dlc_throttle(struct rfcomm_dlc *d) 590{ 591 BT_DBG("dlc %p state %ld", d, d->state); 592 593 if (!d->cfc) { 594 d->v24_sig |= RFCOMM_V24_FC; 595 set_bit(RFCOMM_MSC_PENDING, &d->flags); 596 } 597 rfcomm_schedule(); 598} 599 600void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d) 601{ 602 BT_DBG("dlc %p state %ld", d, d->state); 603 604 if (!d->cfc) { 605 d->v24_sig &= ~RFCOMM_V24_FC; 606 set_bit(RFCOMM_MSC_PENDING, &d->flags); 607 } 608 rfcomm_schedule(); 609} 610 611/* 612 Set/get modem status functions use _local_ status i.e. what we report 613 to the other side. 614 Remote status is provided by dlc->modem_status() callback. 615 */ 616int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig) 617{ 618 BT_DBG("dlc %p state %ld v24_sig 0x%x", 619 d, d->state, v24_sig); 620 621 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags)) 622 v24_sig |= RFCOMM_V24_FC; 623 else 624 v24_sig &= ~RFCOMM_V24_FC; 625 626 d->v24_sig = v24_sig; 627 628 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags)) 629 rfcomm_schedule(); 630 631 return 0; 632} 633 634int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig) 635{ 636 BT_DBG("dlc %p state %ld v24_sig 0x%x", 637 d, d->state, d->v24_sig); 638 639 *v24_sig = d->v24_sig; 640 return 0; 641} 642 643/* ---- RFCOMM sessions ---- */ 644static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state) 645{ 646 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL); 647 648 if (!s) 649 return NULL; 650 651 BT_DBG("session %p sock %p", s, sock); 652 653 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s); 654 655 INIT_LIST_HEAD(&s->dlcs); 656 s->state = state; 657 s->sock = sock; 658 659 s->mtu = RFCOMM_DEFAULT_MTU; 660 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN; 661 662 /* Do not increment module usage count for listening sessions. 663 * Otherwise we won't be able to unload the module. */ 664 if (state != BT_LISTEN) 665 if (!try_module_get(THIS_MODULE)) { 666 kfree(s); 667 return NULL; 668 } 669 670 list_add(&s->list, &session_list); 671 672 return s; 673} 674 675static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s) 676{ 677 int state = s->state; 678 679 BT_DBG("session %p state %ld", s, s->state); 680 681 list_del(&s->list); 682 683 rfcomm_session_clear_timer(s); 684 sock_release(s->sock); 685 kfree(s); 686 687 if (state != BT_LISTEN) 688 module_put(THIS_MODULE); 689 690 return NULL; 691} 692 693static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst) 694{ 695 struct rfcomm_session *s; 696 struct list_head *p, *n; 697 struct l2cap_chan *chan; 698 list_for_each_safe(p, n, &session_list) { 699 s = list_entry(p, struct rfcomm_session, list); 700 chan = l2cap_pi(s->sock->sk)->chan; 701 702 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) && 703 !bacmp(&chan->dst, dst)) 704 return s; 705 } 706 return NULL; 707} 708 709static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s, 710 int err) 711{ 712 struct rfcomm_dlc *d; 713 struct list_head *p, *n; 714 715 s->state = BT_CLOSED; 716 717 BT_DBG("session %p state %ld err %d", s, s->state, err); 718 719 /* Close all dlcs */ 720 list_for_each_safe(p, n, &s->dlcs) { 721 d = list_entry(p, struct rfcomm_dlc, list); 722 d->state = BT_CLOSED; 723 __rfcomm_dlc_close(d, err); 724 } 725 726 rfcomm_session_clear_timer(s); 727 return rfcomm_session_del(s); 728} 729 730static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, 731 bdaddr_t *dst, 732 u8 sec_level, 733 int *err) 734{ 735 struct rfcomm_session *s = NULL; 736 struct sockaddr_l2 addr; 737 struct socket *sock; 738 struct sock *sk; 739 740 BT_DBG("%pMR -> %pMR", src, dst); 741 742 *err = rfcomm_l2sock_create(&sock); 743 if (*err < 0) 744 return NULL; 745 746 bacpy(&addr.l2_bdaddr, src); 747 addr.l2_family = AF_BLUETOOTH; 748 addr.l2_psm = 0; 749 addr.l2_cid = 0; 750 addr.l2_bdaddr_type = BDADDR_BREDR; 751 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 752 if (*err < 0) 753 goto failed; 754 755 /* Set L2CAP options */ 756 sk = sock->sk; 757 lock_sock(sk); 758 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 759 l2cap_pi(sk)->chan->sec_level = sec_level; 760 if (l2cap_ertm) 761 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM; 762 release_sock(sk); 763 764 s = rfcomm_session_add(sock, BT_BOUND); 765 if (!s) { 766 *err = -ENOMEM; 767 goto failed; 768 } 769 770 s->initiator = 1; 771 772 bacpy(&addr.l2_bdaddr, dst); 773 addr.l2_family = AF_BLUETOOTH; 774 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM); 775 addr.l2_cid = 0; 776 addr.l2_bdaddr_type = BDADDR_BREDR; 777 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK); 778 if (*err == 0 || *err == -EINPROGRESS) 779 return s; 780 781 return rfcomm_session_del(s); 782 783failed: 784 sock_release(sock); 785 return NULL; 786} 787 788void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst) 789{ 790 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 791 if (src) 792 bacpy(src, &chan->src); 793 if (dst) 794 bacpy(dst, &chan->dst); 795} 796 797/* ---- RFCOMM frame sending ---- */ 798static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len) 799{ 800 struct kvec iv = { data, len }; 801 struct msghdr msg; 802 803 BT_DBG("session %p len %d", s, len); 804 805 memset(&msg, 0, sizeof(msg)); 806 807 return kernel_sendmsg(s->sock, &msg, &iv, 1, len); 808} 809 810static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 811{ 812 BT_DBG("%p cmd %u", s, cmd->ctrl); 813 814 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd)); 815} 816 817static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 818{ 819 struct rfcomm_cmd cmd; 820 821 BT_DBG("%p dlci %d", s, dlci); 822 823 cmd.addr = __addr(s->initiator, dlci); 824 cmd.ctrl = __ctrl(RFCOMM_SABM, 1); 825 cmd.len = __len8(0); 826 cmd.fcs = __fcs2((u8 *) &cmd); 827 828 return rfcomm_send_cmd(s, &cmd); 829} 830 831static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci) 832{ 833 struct rfcomm_cmd cmd; 834 835 BT_DBG("%p dlci %d", s, dlci); 836 837 cmd.addr = __addr(!s->initiator, dlci); 838 cmd.ctrl = __ctrl(RFCOMM_UA, 1); 839 cmd.len = __len8(0); 840 cmd.fcs = __fcs2((u8 *) &cmd); 841 842 return rfcomm_send_cmd(s, &cmd); 843} 844 845static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci) 846{ 847 struct rfcomm_cmd cmd; 848 849 BT_DBG("%p dlci %d", s, dlci); 850 851 cmd.addr = __addr(s->initiator, dlci); 852 cmd.ctrl = __ctrl(RFCOMM_DISC, 1); 853 cmd.len = __len8(0); 854 cmd.fcs = __fcs2((u8 *) &cmd); 855 856 return rfcomm_send_cmd(s, &cmd); 857} 858 859static int rfcomm_queue_disc(struct rfcomm_dlc *d) 860{ 861 struct rfcomm_cmd *cmd; 862 struct sk_buff *skb; 863 864 BT_DBG("dlc %p dlci %d", d, d->dlci); 865 866 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL); 867 if (!skb) 868 return -ENOMEM; 869 870 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 871 cmd->addr = d->addr; 872 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 873 cmd->len = __len8(0); 874 cmd->fcs = __fcs2((u8 *) cmd); 875 876 skb_queue_tail(&d->tx_queue, skb); 877 rfcomm_schedule(); 878 return 0; 879} 880 881static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci) 882{ 883 struct rfcomm_cmd cmd; 884 885 BT_DBG("%p dlci %d", s, dlci); 886 887 cmd.addr = __addr(!s->initiator, dlci); 888 cmd.ctrl = __ctrl(RFCOMM_DM, 1); 889 cmd.len = __len8(0); 890 cmd.fcs = __fcs2((u8 *) &cmd); 891 892 return rfcomm_send_cmd(s, &cmd); 893} 894 895static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type) 896{ 897 struct rfcomm_hdr *hdr; 898 struct rfcomm_mcc *mcc; 899 u8 buf[16], *ptr = buf; 900 901 BT_DBG("%p cr %d type %d", s, cr, type); 902 903 hdr = (void *) ptr; ptr += sizeof(*hdr); 904 hdr->addr = __addr(s->initiator, 0); 905 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 906 hdr->len = __len8(sizeof(*mcc) + 1); 907 908 mcc = (void *) ptr; ptr += sizeof(*mcc); 909 mcc->type = __mcc_type(0, RFCOMM_NSC); 910 mcc->len = __len8(1); 911 912 /* Type that we didn't like */ 913 *ptr = __mcc_type(cr, type); ptr++; 914 915 *ptr = __fcs(buf); ptr++; 916 917 return rfcomm_send_frame(s, buf, ptr - buf); 918} 919 920static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 921{ 922 struct rfcomm_hdr *hdr; 923 struct rfcomm_mcc *mcc; 924 struct rfcomm_pn *pn; 925 u8 buf[16], *ptr = buf; 926 927 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu); 928 929 hdr = (void *) ptr; ptr += sizeof(*hdr); 930 hdr->addr = __addr(s->initiator, 0); 931 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 932 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn)); 933 934 mcc = (void *) ptr; ptr += sizeof(*mcc); 935 mcc->type = __mcc_type(cr, RFCOMM_PN); 936 mcc->len = __len8(sizeof(*pn)); 937 938 pn = (void *) ptr; ptr += sizeof(*pn); 939 pn->dlci = d->dlci; 940 pn->priority = d->priority; 941 pn->ack_timer = 0; 942 pn->max_retrans = 0; 943 944 if (s->cfc) { 945 pn->flow_ctrl = cr ? 0xf0 : 0xe0; 946 pn->credits = RFCOMM_DEFAULT_CREDITS; 947 } else { 948 pn->flow_ctrl = 0; 949 pn->credits = 0; 950 } 951 952 if (cr && channel_mtu >= 0) 953 pn->mtu = cpu_to_le16(channel_mtu); 954 else 955 pn->mtu = cpu_to_le16(d->mtu); 956 957 *ptr = __fcs(buf); ptr++; 958 959 return rfcomm_send_frame(s, buf, ptr - buf); 960} 961 962int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 963 u8 bit_rate, u8 data_bits, u8 stop_bits, 964 u8 parity, u8 flow_ctrl_settings, 965 u8 xon_char, u8 xoff_char, u16 param_mask) 966{ 967 struct rfcomm_hdr *hdr; 968 struct rfcomm_mcc *mcc; 969 struct rfcomm_rpn *rpn; 970 u8 buf[16], *ptr = buf; 971 972 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x" 973 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 974 s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 975 flow_ctrl_settings, xon_char, xoff_char, param_mask); 976 977 hdr = (void *) ptr; ptr += sizeof(*hdr); 978 hdr->addr = __addr(s->initiator, 0); 979 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 980 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn)); 981 982 mcc = (void *) ptr; ptr += sizeof(*mcc); 983 mcc->type = __mcc_type(cr, RFCOMM_RPN); 984 mcc->len = __len8(sizeof(*rpn)); 985 986 rpn = (void *) ptr; ptr += sizeof(*rpn); 987 rpn->dlci = __addr(1, dlci); 988 rpn->bit_rate = bit_rate; 989 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity); 990 rpn->flow_ctrl = flow_ctrl_settings; 991 rpn->xon_char = xon_char; 992 rpn->xoff_char = xoff_char; 993 rpn->param_mask = cpu_to_le16(param_mask); 994 995 *ptr = __fcs(buf); ptr++; 996 997 return rfcomm_send_frame(s, buf, ptr - buf); 998} 999 1000static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 1001{ 1002 struct rfcomm_hdr *hdr; 1003 struct rfcomm_mcc *mcc; 1004 struct rfcomm_rls *rls; 1005 u8 buf[16], *ptr = buf; 1006 1007 BT_DBG("%p cr %d status 0x%x", s, cr, status); 1008 1009 hdr = (void *) ptr; ptr += sizeof(*hdr); 1010 hdr->addr = __addr(s->initiator, 0); 1011 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1012 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls)); 1013 1014 mcc = (void *) ptr; ptr += sizeof(*mcc); 1015 mcc->type = __mcc_type(cr, RFCOMM_RLS); 1016 mcc->len = __len8(sizeof(*rls)); 1017 1018 rls = (void *) ptr; ptr += sizeof(*rls); 1019 rls->dlci = __addr(1, dlci); 1020 rls->status = status; 1021 1022 *ptr = __fcs(buf); ptr++; 1023 1024 return rfcomm_send_frame(s, buf, ptr - buf); 1025} 1026 1027static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 1028{ 1029 struct rfcomm_hdr *hdr; 1030 struct rfcomm_mcc *mcc; 1031 struct rfcomm_msc *msc; 1032 u8 buf[16], *ptr = buf; 1033 1034 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig); 1035 1036 hdr = (void *) ptr; ptr += sizeof(*hdr); 1037 hdr->addr = __addr(s->initiator, 0); 1038 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1039 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc)); 1040 1041 mcc = (void *) ptr; ptr += sizeof(*mcc); 1042 mcc->type = __mcc_type(cr, RFCOMM_MSC); 1043 mcc->len = __len8(sizeof(*msc)); 1044 1045 msc = (void *) ptr; ptr += sizeof(*msc); 1046 msc->dlci = __addr(1, dlci); 1047 msc->v24_sig = v24_sig | 0x01; 1048 1049 *ptr = __fcs(buf); ptr++; 1050 1051 return rfcomm_send_frame(s, buf, ptr - buf); 1052} 1053 1054static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1055{ 1056 struct rfcomm_hdr *hdr; 1057 struct rfcomm_mcc *mcc; 1058 u8 buf[16], *ptr = buf; 1059 1060 BT_DBG("%p cr %d", s, cr); 1061 1062 hdr = (void *) ptr; ptr += sizeof(*hdr); 1063 hdr->addr = __addr(s->initiator, 0); 1064 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1065 hdr->len = __len8(sizeof(*mcc)); 1066 1067 mcc = (void *) ptr; ptr += sizeof(*mcc); 1068 mcc->type = __mcc_type(cr, RFCOMM_FCOFF); 1069 mcc->len = __len8(0); 1070 1071 *ptr = __fcs(buf); ptr++; 1072 1073 return rfcomm_send_frame(s, buf, ptr - buf); 1074} 1075 1076static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1077{ 1078 struct rfcomm_hdr *hdr; 1079 struct rfcomm_mcc *mcc; 1080 u8 buf[16], *ptr = buf; 1081 1082 BT_DBG("%p cr %d", s, cr); 1083 1084 hdr = (void *) ptr; ptr += sizeof(*hdr); 1085 hdr->addr = __addr(s->initiator, 0); 1086 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1087 hdr->len = __len8(sizeof(*mcc)); 1088 1089 mcc = (void *) ptr; ptr += sizeof(*mcc); 1090 mcc->type = __mcc_type(cr, RFCOMM_FCON); 1091 mcc->len = __len8(0); 1092 1093 *ptr = __fcs(buf); ptr++; 1094 1095 return rfcomm_send_frame(s, buf, ptr - buf); 1096} 1097 1098static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1099{ 1100 struct socket *sock = s->sock; 1101 struct kvec iv[3]; 1102 struct msghdr msg; 1103 unsigned char hdr[5], crc[1]; 1104 1105 if (len > 125) 1106 return -EINVAL; 1107 1108 BT_DBG("%p cr %d", s, cr); 1109 1110 hdr[0] = __addr(s->initiator, 0); 1111 hdr[1] = __ctrl(RFCOMM_UIH, 0); 1112 hdr[2] = 0x01 | ((len + 2) << 1); 1113 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2); 1114 hdr[4] = 0x01 | (len << 1); 1115 1116 crc[0] = __fcs(hdr); 1117 1118 iv[0].iov_base = hdr; 1119 iv[0].iov_len = 5; 1120 iv[1].iov_base = pattern; 1121 iv[1].iov_len = len; 1122 iv[2].iov_base = crc; 1123 iv[2].iov_len = 1; 1124 1125 memset(&msg, 0, sizeof(msg)); 1126 1127 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len); 1128} 1129 1130static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits) 1131{ 1132 struct rfcomm_hdr *hdr; 1133 u8 buf[16], *ptr = buf; 1134 1135 BT_DBG("%p addr %d credits %d", s, addr, credits); 1136 1137 hdr = (void *) ptr; ptr += sizeof(*hdr); 1138 hdr->addr = addr; 1139 hdr->ctrl = __ctrl(RFCOMM_UIH, 1); 1140 hdr->len = __len8(0); 1141 1142 *ptr = credits; ptr++; 1143 1144 *ptr = __fcs(buf); ptr++; 1145 1146 return rfcomm_send_frame(s, buf, ptr - buf); 1147} 1148 1149static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1150{ 1151 struct rfcomm_hdr *hdr; 1152 int len = skb->len; 1153 u8 *crc; 1154 1155 if (len > 127) { 1156 hdr = (void *) skb_push(skb, 4); 1157 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len); 1158 } else { 1159 hdr = (void *) skb_push(skb, 3); 1160 hdr->len = __len8(len); 1161 } 1162 hdr->addr = addr; 1163 hdr->ctrl = __ctrl(RFCOMM_UIH, 0); 1164 1165 crc = skb_put(skb, 1); 1166 *crc = __fcs((void *) hdr); 1167} 1168 1169/* ---- RFCOMM frame reception ---- */ 1170static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci) 1171{ 1172 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1173 1174 if (dlci) { 1175 /* Data channel */ 1176 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1177 if (!d) { 1178 rfcomm_send_dm(s, dlci); 1179 return s; 1180 } 1181 1182 switch (d->state) { 1183 case BT_CONNECT: 1184 rfcomm_dlc_clear_timer(d); 1185 1186 rfcomm_dlc_lock(d); 1187 d->state = BT_CONNECTED; 1188 d->state_change(d, 0); 1189 rfcomm_dlc_unlock(d); 1190 1191 rfcomm_send_msc(s, 1, dlci, d->v24_sig); 1192 break; 1193 1194 case BT_DISCONN: 1195 d->state = BT_CLOSED; 1196 __rfcomm_dlc_close(d, 0); 1197 1198 if (list_empty(&s->dlcs)) { 1199 s->state = BT_DISCONN; 1200 rfcomm_send_disc(s, 0); 1201 rfcomm_session_clear_timer(s); 1202 } 1203 1204 break; 1205 } 1206 } else { 1207 /* Control channel */ 1208 switch (s->state) { 1209 case BT_CONNECT: 1210 s->state = BT_CONNECTED; 1211 rfcomm_process_connect(s); 1212 break; 1213 1214 case BT_DISCONN: 1215 s = rfcomm_session_close(s, ECONNRESET); 1216 break; 1217 } 1218 } 1219 return s; 1220} 1221 1222static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci) 1223{ 1224 int err = 0; 1225 1226 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1227 1228 if (dlci) { 1229 /* Data DLC */ 1230 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1231 if (d) { 1232 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1233 err = ECONNREFUSED; 1234 else 1235 err = ECONNRESET; 1236 1237 d->state = BT_CLOSED; 1238 __rfcomm_dlc_close(d, err); 1239 } 1240 } else { 1241 if (s->state == BT_CONNECT) 1242 err = ECONNREFUSED; 1243 else 1244 err = ECONNRESET; 1245 1246 s = rfcomm_session_close(s, err); 1247 } 1248 return s; 1249} 1250 1251static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s, 1252 u8 dlci) 1253{ 1254 int err = 0; 1255 1256 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1257 1258 if (dlci) { 1259 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci); 1260 if (d) { 1261 rfcomm_send_ua(s, dlci); 1262 1263 if (d->state == BT_CONNECT || d->state == BT_CONFIG) 1264 err = ECONNREFUSED; 1265 else 1266 err = ECONNRESET; 1267 1268 d->state = BT_CLOSED; 1269 __rfcomm_dlc_close(d, err); 1270 } else 1271 rfcomm_send_dm(s, dlci); 1272 1273 } else { 1274 rfcomm_send_ua(s, 0); 1275 1276 if (s->state == BT_CONNECT) 1277 err = ECONNREFUSED; 1278 else 1279 err = ECONNRESET; 1280 1281 s = rfcomm_session_close(s, err); 1282 } 1283 return s; 1284} 1285 1286void rfcomm_dlc_accept(struct rfcomm_dlc *d) 1287{ 1288 struct sock *sk = d->session->sock->sk; 1289 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn; 1290 1291 BT_DBG("dlc %p", d); 1292 1293 rfcomm_send_ua(d->session, d->dlci); 1294 1295 rfcomm_dlc_clear_timer(d); 1296 1297 rfcomm_dlc_lock(d); 1298 d->state = BT_CONNECTED; 1299 d->state_change(d, 0); 1300 rfcomm_dlc_unlock(d); 1301 1302 if (d->role_switch) 1303 hci_conn_switch_role(conn->hcon, 0x00); 1304 1305 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1306} 1307 1308static void rfcomm_check_accept(struct rfcomm_dlc *d) 1309{ 1310 if (rfcomm_check_security(d)) { 1311 if (d->defer_setup) { 1312 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1313 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1314 1315 rfcomm_dlc_lock(d); 1316 d->state = BT_CONNECT2; 1317 d->state_change(d, 0); 1318 rfcomm_dlc_unlock(d); 1319 } else 1320 rfcomm_dlc_accept(d); 1321 } else { 1322 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1323 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1324 } 1325} 1326 1327static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci) 1328{ 1329 struct rfcomm_dlc *d; 1330 u8 channel; 1331 1332 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1333 1334 if (!dlci) { 1335 rfcomm_send_ua(s, 0); 1336 1337 if (s->state == BT_OPEN) { 1338 s->state = BT_CONNECTED; 1339 rfcomm_process_connect(s); 1340 } 1341 return 0; 1342 } 1343 1344 /* Check if DLC exists */ 1345 d = rfcomm_dlc_get(s, dlci); 1346 if (d) { 1347 if (d->state == BT_OPEN) { 1348 /* DLC was previously opened by PN request */ 1349 rfcomm_check_accept(d); 1350 } 1351 return 0; 1352 } 1353 1354 /* Notify socket layer about incoming connection */ 1355 channel = __srv_channel(dlci); 1356 if (rfcomm_connect_ind(s, channel, &d)) { 1357 d->dlci = dlci; 1358 d->addr = __addr(s->initiator, dlci); 1359 rfcomm_dlc_link(s, d); 1360 1361 rfcomm_check_accept(d); 1362 } else { 1363 rfcomm_send_dm(s, dlci); 1364 } 1365 1366 return 0; 1367} 1368 1369static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn) 1370{ 1371 struct rfcomm_session *s = d->session; 1372 1373 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d", 1374 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits); 1375 1376 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) || 1377 pn->flow_ctrl == 0xe0) { 1378 d->cfc = RFCOMM_CFC_ENABLED; 1379 d->tx_credits = pn->credits; 1380 } else { 1381 d->cfc = RFCOMM_CFC_DISABLED; 1382 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1383 } 1384 1385 if (s->cfc == RFCOMM_CFC_UNKNOWN) 1386 s->cfc = d->cfc; 1387 1388 d->priority = pn->priority; 1389 1390 d->mtu = __le16_to_cpu(pn->mtu); 1391 1392 if (cr && d->mtu > s->mtu) 1393 d->mtu = s->mtu; 1394 1395 return 0; 1396} 1397 1398static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1399{ 1400 struct rfcomm_pn *pn = (void *) skb->data; 1401 struct rfcomm_dlc *d; 1402 u8 dlci = pn->dlci; 1403 1404 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci); 1405 1406 if (!dlci) 1407 return 0; 1408 1409 d = rfcomm_dlc_get(s, dlci); 1410 if (d) { 1411 if (cr) { 1412 /* PN request */ 1413 rfcomm_apply_pn(d, cr, pn); 1414 rfcomm_send_pn(s, 0, d); 1415 } else { 1416 /* PN response */ 1417 switch (d->state) { 1418 case BT_CONFIG: 1419 rfcomm_apply_pn(d, cr, pn); 1420 1421 d->state = BT_CONNECT; 1422 rfcomm_send_sabm(s, d->dlci); 1423 break; 1424 } 1425 } 1426 } else { 1427 u8 channel = __srv_channel(dlci); 1428 1429 if (!cr) 1430 return 0; 1431 1432 /* PN request for non existing DLC. 1433 * Assume incoming connection. */ 1434 if (rfcomm_connect_ind(s, channel, &d)) { 1435 d->dlci = dlci; 1436 d->addr = __addr(s->initiator, dlci); 1437 rfcomm_dlc_link(s, d); 1438 1439 rfcomm_apply_pn(d, cr, pn); 1440 1441 d->state = BT_OPEN; 1442 rfcomm_send_pn(s, 0, d); 1443 } else { 1444 rfcomm_send_dm(s, dlci); 1445 } 1446 } 1447 return 0; 1448} 1449 1450static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb) 1451{ 1452 struct rfcomm_rpn *rpn = (void *) skb->data; 1453 u8 dlci = __get_dlci(rpn->dlci); 1454 1455 u8 bit_rate = 0; 1456 u8 data_bits = 0; 1457 u8 stop_bits = 0; 1458 u8 parity = 0; 1459 u8 flow_ctrl = 0; 1460 u8 xon_char = 0; 1461 u8 xoff_char = 0; 1462 u16 rpn_mask = RFCOMM_RPN_PM_ALL; 1463 1464 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x", 1465 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl, 1466 rpn->xon_char, rpn->xoff_char, rpn->param_mask); 1467 1468 if (!cr) 1469 return 0; 1470 1471 if (len == 1) { 1472 /* This is a request, return default (according to ETSI TS 07.10) settings */ 1473 bit_rate = RFCOMM_RPN_BR_9600; 1474 data_bits = RFCOMM_RPN_DATA_8; 1475 stop_bits = RFCOMM_RPN_STOP_1; 1476 parity = RFCOMM_RPN_PARITY_NONE; 1477 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1478 xon_char = RFCOMM_RPN_XON_CHAR; 1479 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1480 goto rpn_out; 1481 } 1482 1483 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit, 1484 * no parity, no flow control lines, normal XON/XOFF chars */ 1485 1486 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) { 1487 bit_rate = rpn->bit_rate; 1488 if (bit_rate > RFCOMM_RPN_BR_230400) { 1489 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate); 1490 bit_rate = RFCOMM_RPN_BR_9600; 1491 rpn_mask ^= RFCOMM_RPN_PM_BITRATE; 1492 } 1493 } 1494 1495 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) { 1496 data_bits = __get_rpn_data_bits(rpn->line_settings); 1497 if (data_bits != RFCOMM_RPN_DATA_8) { 1498 BT_DBG("RPN data bits mismatch 0x%x", data_bits); 1499 data_bits = RFCOMM_RPN_DATA_8; 1500 rpn_mask ^= RFCOMM_RPN_PM_DATA; 1501 } 1502 } 1503 1504 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) { 1505 stop_bits = __get_rpn_stop_bits(rpn->line_settings); 1506 if (stop_bits != RFCOMM_RPN_STOP_1) { 1507 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits); 1508 stop_bits = RFCOMM_RPN_STOP_1; 1509 rpn_mask ^= RFCOMM_RPN_PM_STOP; 1510 } 1511 } 1512 1513 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) { 1514 parity = __get_rpn_parity(rpn->line_settings); 1515 if (parity != RFCOMM_RPN_PARITY_NONE) { 1516 BT_DBG("RPN parity mismatch 0x%x", parity); 1517 parity = RFCOMM_RPN_PARITY_NONE; 1518 rpn_mask ^= RFCOMM_RPN_PM_PARITY; 1519 } 1520 } 1521 1522 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) { 1523 flow_ctrl = rpn->flow_ctrl; 1524 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) { 1525 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl); 1526 flow_ctrl = RFCOMM_RPN_FLOW_NONE; 1527 rpn_mask ^= RFCOMM_RPN_PM_FLOW; 1528 } 1529 } 1530 1531 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) { 1532 xon_char = rpn->xon_char; 1533 if (xon_char != RFCOMM_RPN_XON_CHAR) { 1534 BT_DBG("RPN XON char mismatch 0x%x", xon_char); 1535 xon_char = RFCOMM_RPN_XON_CHAR; 1536 rpn_mask ^= RFCOMM_RPN_PM_XON; 1537 } 1538 } 1539 1540 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) { 1541 xoff_char = rpn->xoff_char; 1542 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) { 1543 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char); 1544 xoff_char = RFCOMM_RPN_XOFF_CHAR; 1545 rpn_mask ^= RFCOMM_RPN_PM_XOFF; 1546 } 1547 } 1548 1549rpn_out: 1550 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits, 1551 parity, flow_ctrl, xon_char, xoff_char, rpn_mask); 1552 1553 return 0; 1554} 1555 1556static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1557{ 1558 struct rfcomm_rls *rls = (void *) skb->data; 1559 u8 dlci = __get_dlci(rls->dlci); 1560 1561 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status); 1562 1563 if (!cr) 1564 return 0; 1565 1566 /* We should probably do something with this information here. But 1567 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's 1568 * mandatory to recognise and respond to RLS */ 1569 1570 rfcomm_send_rls(s, 0, dlci, rls->status); 1571 1572 return 0; 1573} 1574 1575static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb) 1576{ 1577 struct rfcomm_msc *msc = (void *) skb->data; 1578 struct rfcomm_dlc *d; 1579 u8 dlci = __get_dlci(msc->dlci); 1580 1581 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig); 1582 1583 d = rfcomm_dlc_get(s, dlci); 1584 if (!d) 1585 return 0; 1586 1587 if (cr) { 1588 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc) 1589 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1590 else 1591 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1592 1593 rfcomm_dlc_lock(d); 1594 1595 d->remote_v24_sig = msc->v24_sig; 1596 1597 if (d->modem_status) 1598 d->modem_status(d, msc->v24_sig); 1599 1600 rfcomm_dlc_unlock(d); 1601 1602 rfcomm_send_msc(s, 0, dlci, msc->v24_sig); 1603 1604 d->mscex |= RFCOMM_MSCEX_RX; 1605 } else 1606 d->mscex |= RFCOMM_MSCEX_TX; 1607 1608 return 0; 1609} 1610 1611static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb) 1612{ 1613 struct rfcomm_mcc *mcc = (void *) skb->data; 1614 u8 type, cr, len; 1615 1616 cr = __test_cr(mcc->type); 1617 type = __get_mcc_type(mcc->type); 1618 len = __get_mcc_len(mcc->len); 1619 1620 BT_DBG("%p type 0x%x cr %d", s, type, cr); 1621 1622 skb_pull(skb, 2); 1623 1624 switch (type) { 1625 case RFCOMM_PN: 1626 rfcomm_recv_pn(s, cr, skb); 1627 break; 1628 1629 case RFCOMM_RPN: 1630 rfcomm_recv_rpn(s, cr, len, skb); 1631 break; 1632 1633 case RFCOMM_RLS: 1634 rfcomm_recv_rls(s, cr, skb); 1635 break; 1636 1637 case RFCOMM_MSC: 1638 rfcomm_recv_msc(s, cr, skb); 1639 break; 1640 1641 case RFCOMM_FCOFF: 1642 if (cr) { 1643 set_bit(RFCOMM_TX_THROTTLED, &s->flags); 1644 rfcomm_send_fcoff(s, 0); 1645 } 1646 break; 1647 1648 case RFCOMM_FCON: 1649 if (cr) { 1650 clear_bit(RFCOMM_TX_THROTTLED, &s->flags); 1651 rfcomm_send_fcon(s, 0); 1652 } 1653 break; 1654 1655 case RFCOMM_TEST: 1656 if (cr) 1657 rfcomm_send_test(s, 0, skb->data, skb->len); 1658 break; 1659 1660 case RFCOMM_NSC: 1661 break; 1662 1663 default: 1664 BT_ERR("Unknown control type 0x%02x", type); 1665 rfcomm_send_nsc(s, cr, type); 1666 break; 1667 } 1668 return 0; 1669} 1670 1671static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb) 1672{ 1673 struct rfcomm_dlc *d; 1674 1675 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf); 1676 1677 d = rfcomm_dlc_get(s, dlci); 1678 if (!d) { 1679 rfcomm_send_dm(s, dlci); 1680 goto drop; 1681 } 1682 1683 if (pf && d->cfc) { 1684 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1); 1685 1686 d->tx_credits += credits; 1687 if (d->tx_credits) 1688 clear_bit(RFCOMM_TX_THROTTLED, &d->flags); 1689 } 1690 1691 if (skb->len && d->state == BT_CONNECTED) { 1692 rfcomm_dlc_lock(d); 1693 d->rx_credits--; 1694 d->data_ready(d, skb); 1695 rfcomm_dlc_unlock(d); 1696 return 0; 1697 } 1698 1699drop: 1700 kfree_skb(skb); 1701 return 0; 1702} 1703 1704static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s, 1705 struct sk_buff *skb) 1706{ 1707 struct rfcomm_hdr *hdr = (void *) skb->data; 1708 u8 type, dlci, fcs; 1709 1710 if (!s) { 1711 /* no session, so free socket data */ 1712 kfree_skb(skb); 1713 return s; 1714 } 1715 1716 dlci = __get_dlci(hdr->addr); 1717 type = __get_type(hdr->ctrl); 1718 1719 /* Trim FCS */ 1720 skb->len--; skb->tail--; 1721 fcs = *(u8 *)skb_tail_pointer(skb); 1722 1723 if (__check_fcs(skb->data, type, fcs)) { 1724 BT_ERR("bad checksum in packet"); 1725 kfree_skb(skb); 1726 return s; 1727 } 1728 1729 if (__test_ea(hdr->len)) 1730 skb_pull(skb, 3); 1731 else 1732 skb_pull(skb, 4); 1733 1734 switch (type) { 1735 case RFCOMM_SABM: 1736 if (__test_pf(hdr->ctrl)) 1737 rfcomm_recv_sabm(s, dlci); 1738 break; 1739 1740 case RFCOMM_DISC: 1741 if (__test_pf(hdr->ctrl)) 1742 s = rfcomm_recv_disc(s, dlci); 1743 break; 1744 1745 case RFCOMM_UA: 1746 if (__test_pf(hdr->ctrl)) 1747 s = rfcomm_recv_ua(s, dlci); 1748 break; 1749 1750 case RFCOMM_DM: 1751 s = rfcomm_recv_dm(s, dlci); 1752 break; 1753 1754 case RFCOMM_UIH: 1755 if (dlci) { 1756 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb); 1757 return s; 1758 } 1759 rfcomm_recv_mcc(s, skb); 1760 break; 1761 1762 default: 1763 BT_ERR("Unknown packet type 0x%02x", type); 1764 break; 1765 } 1766 kfree_skb(skb); 1767 return s; 1768} 1769 1770/* ---- Connection and data processing ---- */ 1771 1772static void rfcomm_process_connect(struct rfcomm_session *s) 1773{ 1774 struct rfcomm_dlc *d; 1775 struct list_head *p, *n; 1776 1777 BT_DBG("session %p state %ld", s, s->state); 1778 1779 list_for_each_safe(p, n, &s->dlcs) { 1780 d = list_entry(p, struct rfcomm_dlc, list); 1781 if (d->state == BT_CONFIG) { 1782 d->mtu = s->mtu; 1783 if (rfcomm_check_security(d)) { 1784 rfcomm_send_pn(s, 1, d); 1785 } else { 1786 set_bit(RFCOMM_AUTH_PENDING, &d->flags); 1787 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1788 } 1789 } 1790 } 1791} 1792 1793/* Send data queued for the DLC. 1794 * Return number of frames left in the queue. 1795 */ 1796static int rfcomm_process_tx(struct rfcomm_dlc *d) 1797{ 1798 struct sk_buff *skb; 1799 int err; 1800 1801 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d", 1802 d, d->state, d->cfc, d->rx_credits, d->tx_credits); 1803 1804 /* Send pending MSC */ 1805 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags)) 1806 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig); 1807 1808 if (d->cfc) { 1809 /* CFC enabled. 1810 * Give them some credits */ 1811 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) && 1812 d->rx_credits <= (d->cfc >> 2)) { 1813 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits); 1814 d->rx_credits = d->cfc; 1815 } 1816 } else { 1817 /* CFC disabled. 1818 * Give ourselves some credits */ 1819 d->tx_credits = 5; 1820 } 1821 1822 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags)) 1823 return skb_queue_len(&d->tx_queue); 1824 1825 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1826 err = rfcomm_send_frame(d->session, skb->data, skb->len); 1827 if (err < 0) { 1828 skb_queue_head(&d->tx_queue, skb); 1829 break; 1830 } 1831 kfree_skb(skb); 1832 d->tx_credits--; 1833 } 1834 1835 if (d->cfc && !d->tx_credits) { 1836 /* We're out of TX credits. 1837 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */ 1838 set_bit(RFCOMM_TX_THROTTLED, &d->flags); 1839 } 1840 1841 return skb_queue_len(&d->tx_queue); 1842} 1843 1844static void rfcomm_process_dlcs(struct rfcomm_session *s) 1845{ 1846 struct rfcomm_dlc *d; 1847 struct list_head *p, *n; 1848 1849 BT_DBG("session %p state %ld", s, s->state); 1850 1851 list_for_each_safe(p, n, &s->dlcs) { 1852 d = list_entry(p, struct rfcomm_dlc, list); 1853 1854 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) { 1855 __rfcomm_dlc_close(d, ETIMEDOUT); 1856 continue; 1857 } 1858 1859 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) { 1860 __rfcomm_dlc_close(d, ECONNREFUSED); 1861 continue; 1862 } 1863 1864 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) { 1865 rfcomm_dlc_clear_timer(d); 1866 if (d->out) { 1867 rfcomm_send_pn(s, 1, d); 1868 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT); 1869 } else { 1870 if (d->defer_setup) { 1871 set_bit(RFCOMM_DEFER_SETUP, &d->flags); 1872 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 1873 1874 rfcomm_dlc_lock(d); 1875 d->state = BT_CONNECT2; 1876 d->state_change(d, 0); 1877 rfcomm_dlc_unlock(d); 1878 } else 1879 rfcomm_dlc_accept(d); 1880 } 1881 continue; 1882 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) { 1883 rfcomm_dlc_clear_timer(d); 1884 if (!d->out) 1885 rfcomm_send_dm(s, d->dlci); 1886 else 1887 d->state = BT_CLOSED; 1888 __rfcomm_dlc_close(d, ECONNREFUSED); 1889 continue; 1890 } 1891 1892 if (test_bit(RFCOMM_SEC_PENDING, &d->flags)) 1893 continue; 1894 1895 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags)) 1896 continue; 1897 1898 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) && 1899 d->mscex == RFCOMM_MSCEX_OK) 1900 rfcomm_process_tx(d); 1901 } 1902} 1903 1904static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) 1905{ 1906 struct socket *sock = s->sock; 1907 struct sock *sk = sock->sk; 1908 struct sk_buff *skb; 1909 1910 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue)); 1911 1912 /* Get data directly from socket receive queue without copying it. */ 1913 while ((skb = skb_dequeue(&sk->sk_receive_queue))) { 1914 skb_orphan(skb); 1915 if (!skb_linearize(skb)) { 1916 s = rfcomm_recv_frame(s, skb); 1917 if (!s) 1918 break; 1919 } else { 1920 kfree_skb(skb); 1921 } 1922 } 1923 1924 if (s && (sk->sk_state == BT_CLOSED)) 1925 s = rfcomm_session_close(s, sk->sk_err); 1926 1927 return s; 1928} 1929 1930static void rfcomm_accept_connection(struct rfcomm_session *s) 1931{ 1932 struct socket *sock = s->sock, *nsock; 1933 int err; 1934 1935 /* Fast check for a new connection. 1936 * Avoids unnesesary socket allocations. */ 1937 if (list_empty(&bt_sk(sock->sk)->accept_q)) 1938 return; 1939 1940 BT_DBG("session %p", s); 1941 1942 err = kernel_accept(sock, &nsock, O_NONBLOCK); 1943 if (err < 0) 1944 return; 1945 1946 /* Set our callbacks */ 1947 nsock->sk->sk_data_ready = rfcomm_l2data_ready; 1948 nsock->sk->sk_state_change = rfcomm_l2state_change; 1949 1950 s = rfcomm_session_add(nsock, BT_OPEN); 1951 if (s) { 1952 /* We should adjust MTU on incoming sessions. 1953 * L2CAP MTU minus UIH header and FCS. */ 1954 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu, 1955 l2cap_pi(nsock->sk)->chan->imtu) - 5; 1956 1957 rfcomm_schedule(); 1958 } else 1959 sock_release(nsock); 1960} 1961 1962static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s) 1963{ 1964 struct sock *sk = s->sock->sk; 1965 1966 BT_DBG("%p state %ld", s, s->state); 1967 1968 switch (sk->sk_state) { 1969 case BT_CONNECTED: 1970 s->state = BT_CONNECT; 1971 1972 /* We can adjust MTU on outgoing sessions. 1973 * L2CAP MTU minus UIH header and FCS. */ 1974 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5; 1975 1976 rfcomm_send_sabm(s, 0); 1977 break; 1978 1979 case BT_CLOSED: 1980 s = rfcomm_session_close(s, sk->sk_err); 1981 break; 1982 } 1983 return s; 1984} 1985 1986static void rfcomm_process_sessions(void) 1987{ 1988 struct list_head *p, *n; 1989 1990 rfcomm_lock(); 1991 1992 list_for_each_safe(p, n, &session_list) { 1993 struct rfcomm_session *s; 1994 s = list_entry(p, struct rfcomm_session, list); 1995 1996 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { 1997 s->state = BT_DISCONN; 1998 rfcomm_send_disc(s, 0); 1999 continue; 2000 } 2001 2002 switch (s->state) { 2003 case BT_LISTEN: 2004 rfcomm_accept_connection(s); 2005 continue; 2006 2007 case BT_BOUND: 2008 s = rfcomm_check_connection(s); 2009 break; 2010 2011 default: 2012 s = rfcomm_process_rx(s); 2013 break; 2014 } 2015 2016 if (s) 2017 rfcomm_process_dlcs(s); 2018 } 2019 2020 rfcomm_unlock(); 2021} 2022 2023static int rfcomm_add_listener(bdaddr_t *ba) 2024{ 2025 struct sockaddr_l2 addr; 2026 struct socket *sock; 2027 struct sock *sk; 2028 struct rfcomm_session *s; 2029 int err = 0; 2030 2031 /* Create socket */ 2032 err = rfcomm_l2sock_create(&sock); 2033 if (err < 0) { 2034 BT_ERR("Create socket failed %d", err); 2035 return err; 2036 } 2037 2038 /* Bind socket */ 2039 bacpy(&addr.l2_bdaddr, ba); 2040 addr.l2_family = AF_BLUETOOTH; 2041 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM); 2042 addr.l2_cid = 0; 2043 addr.l2_bdaddr_type = BDADDR_BREDR; 2044 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr)); 2045 if (err < 0) { 2046 BT_ERR("Bind failed %d", err); 2047 goto failed; 2048 } 2049 2050 /* Set L2CAP options */ 2051 sk = sock->sk; 2052 lock_sock(sk); 2053 l2cap_pi(sk)->chan->imtu = l2cap_mtu; 2054 release_sock(sk); 2055 2056 /* Start listening on the socket */ 2057 err = kernel_listen(sock, 10); 2058 if (err) { 2059 BT_ERR("Listen failed %d", err); 2060 goto failed; 2061 } 2062 2063 /* Add listening session */ 2064 s = rfcomm_session_add(sock, BT_LISTEN); 2065 if (!s) { 2066 err = -ENOMEM; 2067 goto failed; 2068 } 2069 2070 return 0; 2071failed: 2072 sock_release(sock); 2073 return err; 2074} 2075 2076static void rfcomm_kill_listener(void) 2077{ 2078 struct rfcomm_session *s; 2079 struct list_head *p, *n; 2080 2081 BT_DBG(""); 2082 2083 list_for_each_safe(p, n, &session_list) { 2084 s = list_entry(p, struct rfcomm_session, list); 2085 rfcomm_session_del(s); 2086 } 2087} 2088 2089static int rfcomm_run(void *unused) 2090{ 2091 DEFINE_WAIT_FUNC(wait, woken_wake_function); 2092 BT_DBG(""); 2093 2094 set_user_nice(current, -10); 2095 2096 rfcomm_add_listener(BDADDR_ANY); 2097 2098 add_wait_queue(&rfcomm_wq, &wait); 2099 while (!kthread_should_stop()) { 2100 2101 /* Process stuff */ 2102 rfcomm_process_sessions(); 2103 2104 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT); 2105 } 2106 remove_wait_queue(&rfcomm_wq, &wait); 2107 2108 rfcomm_kill_listener(); 2109 2110 return 0; 2111} 2112 2113static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt) 2114{ 2115 struct rfcomm_session *s; 2116 struct rfcomm_dlc *d; 2117 struct list_head *p, *n; 2118 2119 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt); 2120 2121 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst); 2122 if (!s) 2123 return; 2124 2125 list_for_each_safe(p, n, &s->dlcs) { 2126 d = list_entry(p, struct rfcomm_dlc, list); 2127 2128 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) { 2129 rfcomm_dlc_clear_timer(d); 2130 if (status || encrypt == 0x00) { 2131 set_bit(RFCOMM_ENC_DROP, &d->flags); 2132 continue; 2133 } 2134 } 2135 2136 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) { 2137 if (d->sec_level == BT_SECURITY_MEDIUM) { 2138 set_bit(RFCOMM_SEC_PENDING, &d->flags); 2139 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT); 2140 continue; 2141 } else if (d->sec_level == BT_SECURITY_HIGH || 2142 d->sec_level == BT_SECURITY_FIPS) { 2143 set_bit(RFCOMM_ENC_DROP, &d->flags); 2144 continue; 2145 } 2146 } 2147 2148 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags)) 2149 continue; 2150 2151 if (!status && hci_conn_check_secure(conn, d->sec_level)) 2152 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags); 2153 else 2154 set_bit(RFCOMM_AUTH_REJECT, &d->flags); 2155 } 2156 2157 rfcomm_schedule(); 2158} 2159 2160static struct hci_cb rfcomm_cb = { 2161 .name = "RFCOMM", 2162 .security_cfm = rfcomm_security_cfm 2163}; 2164 2165static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x) 2166{ 2167 struct rfcomm_session *s; 2168 2169 rfcomm_lock(); 2170 2171 list_for_each_entry(s, &session_list, list) { 2172 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan; 2173 struct rfcomm_dlc *d; 2174 list_for_each_entry(d, &s->dlcs, list) { 2175 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n", 2176 &chan->src, &chan->dst, 2177 d->state, d->dlci, d->mtu, 2178 d->rx_credits, d->tx_credits); 2179 } 2180 } 2181 2182 rfcomm_unlock(); 2183 2184 return 0; 2185} 2186 2187static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file) 2188{ 2189 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private); 2190} 2191 2192static const struct file_operations rfcomm_dlc_debugfs_fops = { 2193 .open = rfcomm_dlc_debugfs_open, 2194 .read = seq_read, 2195 .llseek = seq_lseek, 2196 .release = single_release, 2197}; 2198 2199static struct dentry *rfcomm_dlc_debugfs; 2200 2201/* ---- Initialization ---- */ 2202static int __init rfcomm_init(void) 2203{ 2204 int err; 2205 2206 hci_register_cb(&rfcomm_cb); 2207 2208 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd"); 2209 if (IS_ERR(rfcomm_thread)) { 2210 err = PTR_ERR(rfcomm_thread); 2211 goto unregister; 2212 } 2213 2214 err = rfcomm_init_ttys(); 2215 if (err < 0) 2216 goto stop; 2217 2218 err = rfcomm_init_sockets(); 2219 if (err < 0) 2220 goto cleanup; 2221 2222 BT_INFO("RFCOMM ver %s", VERSION); 2223 2224 if (IS_ERR_OR_NULL(bt_debugfs)) 2225 return 0; 2226 2227 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444, 2228 bt_debugfs, NULL, 2229 &rfcomm_dlc_debugfs_fops); 2230 2231 return 0; 2232 2233cleanup: 2234 rfcomm_cleanup_ttys(); 2235 2236stop: 2237 kthread_stop(rfcomm_thread); 2238 2239unregister: 2240 hci_unregister_cb(&rfcomm_cb); 2241 2242 return err; 2243} 2244 2245static void __exit rfcomm_exit(void) 2246{ 2247 debugfs_remove(rfcomm_dlc_debugfs); 2248 2249 hci_unregister_cb(&rfcomm_cb); 2250 2251 kthread_stop(rfcomm_thread); 2252 2253 rfcomm_cleanup_ttys(); 2254 2255 rfcomm_cleanup_sockets(); 2256} 2257 2258module_init(rfcomm_init); 2259module_exit(rfcomm_exit); 2260 2261module_param(disable_cfc, bool, 0644); 2262MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control"); 2263 2264module_param(channel_mtu, int, 0644); 2265MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel"); 2266 2267module_param(l2cap_mtu, uint, 0644); 2268MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection"); 2269 2270module_param(l2cap_ertm, bool, 0644); 2271MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection"); 2272 2273MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2274MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION); 2275MODULE_VERSION(VERSION); 2276MODULE_LICENSE("GPL"); 2277MODULE_ALIAS("bt-proto-3"); 2278