1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * Bluetooth RFCOMM core.
26 */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/net.h>
37 #include <linux/mutex.h>
38 #include <linux/kthread.h>
39
40 #include <net/sock.h>
41 #include <asm/uaccess.h>
42 #include <asm/unaligned.h>
43
44 #include <net/bluetooth/bluetooth.h>
45 #include <net/bluetooth/hci_core.h>
46 #include <net/bluetooth/l2cap.h>
47 #include <net/bluetooth/rfcomm.h>
48
49 #define VERSION "1.11"
50
51 static int disable_cfc = 0;
52 static int channel_mtu = -1;
53 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
54
55 static struct task_struct *rfcomm_thread;
56
57 static DEFINE_MUTEX(rfcomm_mutex);
58 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
59 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
60
61 static unsigned long rfcomm_event;
62
63 static LIST_HEAD(session_list);
64
65 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
66 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
67 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
68 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
69 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
70 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
71 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
72 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
73 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
74 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
75
76 static void rfcomm_process_connect(struct rfcomm_session *s);
77
78 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err);
79 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
80 static void rfcomm_session_del(struct rfcomm_session *s);
81
82 /* ---- RFCOMM frame parsing macros ---- */
83 #define __get_dlci(b) ((b & 0xfc) >> 2)
84 #define __get_channel(b) ((b & 0xf8) >> 3)
85 #define __get_dir(b) ((b & 0x04) >> 2)
86 #define __get_type(b) ((b & 0xef))
87
88 #define __test_ea(b) ((b & 0x01))
89 #define __test_cr(b) ((b & 0x02))
90 #define __test_pf(b) ((b & 0x10))
91
92 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
93 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
94 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
95 #define __srv_channel(dlci) (dlci >> 1)
96 #define __dir(dlci) (dlci & 0x01)
97
98 #define __len8(len) (((len) << 1) | 1)
99 #define __len16(len) ((len) << 1)
100
101 /* MCC macros */
102 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
103 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
104 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
105
106 /* RPN macros */
107 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
108 #define __get_rpn_data_bits(line) ((line) & 0x3)
109 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
110 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
111
rfcomm_schedule(uint event)112 static inline void rfcomm_schedule(uint event)
113 {
114 if (!rfcomm_thread)
115 return;
116 //set_bit(event, &rfcomm_event);
117 set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
118 wake_up_process(rfcomm_thread);
119 }
120
rfcomm_session_put(struct rfcomm_session * s)121 static inline void rfcomm_session_put(struct rfcomm_session *s)
122 {
123 if (atomic_dec_and_test(&s->refcnt))
124 rfcomm_session_del(s);
125 }
126
127 /* ---- RFCOMM FCS computation ---- */
128
129 /* reversed, 8-bit, poly=0x07 */
130 static unsigned char rfcomm_crc_table[256] = {
131 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
132 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
133 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
134 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
135
136 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
137 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
138 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
139 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
140
141 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
142 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
143 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
144 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
145
146 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
147 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
148 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
149 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
150
151 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
152 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
153 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
154 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
155
156 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
157 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
158 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
159 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
160
161 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
162 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
163 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
164 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
165
166 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
167 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
168 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
169 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
170 };
171
172 /* CRC on 2 bytes */
173 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
174
175 /* FCS on 2 bytes */
__fcs(u8 * data)176 static inline u8 __fcs(u8 *data)
177 {
178 return (0xff - __crc(data));
179 }
180
181 /* FCS on 3 bytes */
__fcs2(u8 * data)182 static inline u8 __fcs2(u8 *data)
183 {
184 return (0xff - rfcomm_crc_table[__crc(data) ^ data[2]]);
185 }
186
187 /* Check FCS */
__check_fcs(u8 * data,int type,u8 fcs)188 static inline int __check_fcs(u8 *data, int type, u8 fcs)
189 {
190 u8 f = __crc(data);
191
192 if (type != RFCOMM_UIH)
193 f = rfcomm_crc_table[f ^ data[2]];
194
195 return rfcomm_crc_table[f ^ fcs] != 0xcf;
196 }
197
198 /* ---- L2CAP callbacks ---- */
rfcomm_l2state_change(struct sock * sk)199 static void rfcomm_l2state_change(struct sock *sk)
200 {
201 BT_DBG("%p state %d", sk, sk->sk_state);
202 rfcomm_schedule(RFCOMM_SCHED_STATE);
203 }
204
rfcomm_l2data_ready(struct sock * sk,int bytes)205 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
206 {
207 BT_DBG("%p bytes %d", sk, bytes);
208 rfcomm_schedule(RFCOMM_SCHED_RX);
209 }
210
rfcomm_l2sock_create(struct socket ** sock)211 static int rfcomm_l2sock_create(struct socket **sock)
212 {
213 int err;
214
215 BT_DBG("");
216
217 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
218 if (!err) {
219 struct sock *sk = (*sock)->sk;
220 sk->sk_data_ready = rfcomm_l2data_ready;
221 sk->sk_state_change = rfcomm_l2state_change;
222 }
223 return err;
224 }
225
rfcomm_check_security(struct rfcomm_dlc * d)226 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
227 {
228 struct sock *sk = d->session->sock->sk;
229 __u8 auth_type;
230
231 switch (d->sec_level) {
232 case BT_SECURITY_HIGH:
233 auth_type = HCI_AT_GENERAL_BONDING_MITM;
234 break;
235 case BT_SECURITY_MEDIUM:
236 auth_type = HCI_AT_GENERAL_BONDING;
237 break;
238 default:
239 auth_type = HCI_AT_NO_BONDING;
240 break;
241 }
242
243 return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
244 auth_type);
245 }
246
247 /* ---- RFCOMM DLCs ---- */
rfcomm_dlc_timeout(unsigned long arg)248 static void rfcomm_dlc_timeout(unsigned long arg)
249 {
250 struct rfcomm_dlc *d = (void *) arg;
251
252 BT_DBG("dlc %p state %ld", d, d->state);
253
254 set_bit(RFCOMM_TIMED_OUT, &d->flags);
255 rfcomm_dlc_put(d);
256 rfcomm_schedule(RFCOMM_SCHED_TIMEO);
257 }
258
rfcomm_dlc_set_timer(struct rfcomm_dlc * d,long timeout)259 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
260 {
261 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
262
263 if (!mod_timer(&d->timer, jiffies + timeout))
264 rfcomm_dlc_hold(d);
265 }
266
rfcomm_dlc_clear_timer(struct rfcomm_dlc * d)267 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
268 {
269 BT_DBG("dlc %p state %ld", d, d->state);
270
271 if (timer_pending(&d->timer) && del_timer(&d->timer))
272 rfcomm_dlc_put(d);
273 }
274
rfcomm_dlc_clear_state(struct rfcomm_dlc * d)275 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
276 {
277 BT_DBG("%p", d);
278
279 d->state = BT_OPEN;
280 d->flags = 0;
281 d->mscex = 0;
282 d->mtu = RFCOMM_DEFAULT_MTU;
283 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
284
285 d->cfc = RFCOMM_CFC_DISABLED;
286 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
287 }
288
rfcomm_dlc_alloc(gfp_t prio)289 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
290 {
291 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
292
293 if (!d)
294 return NULL;
295
296 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
297
298 skb_queue_head_init(&d->tx_queue);
299 spin_lock_init(&d->lock);
300 atomic_set(&d->refcnt, 1);
301
302 rfcomm_dlc_clear_state(d);
303
304 BT_DBG("%p", d);
305
306 return d;
307 }
308
rfcomm_dlc_free(struct rfcomm_dlc * d)309 void rfcomm_dlc_free(struct rfcomm_dlc *d)
310 {
311 BT_DBG("%p", d);
312
313 skb_queue_purge(&d->tx_queue);
314 kfree(d);
315 }
316
rfcomm_dlc_link(struct rfcomm_session * s,struct rfcomm_dlc * d)317 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
318 {
319 BT_DBG("dlc %p session %p", d, s);
320
321 rfcomm_session_hold(s);
322
323 rfcomm_dlc_hold(d);
324 list_add(&d->list, &s->dlcs);
325 d->session = s;
326 }
327
rfcomm_dlc_unlink(struct rfcomm_dlc * d)328 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
329 {
330 struct rfcomm_session *s = d->session;
331
332 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
333
334 list_del(&d->list);
335 d->session = NULL;
336 rfcomm_dlc_put(d);
337
338 rfcomm_session_put(s);
339 }
340
rfcomm_dlc_get(struct rfcomm_session * s,u8 dlci)341 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
342 {
343 struct rfcomm_dlc *d;
344 struct list_head *p;
345
346 list_for_each(p, &s->dlcs) {
347 d = list_entry(p, struct rfcomm_dlc, list);
348 if (d->dlci == dlci)
349 return d;
350 }
351 return NULL;
352 }
353
__rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)354 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
355 {
356 struct rfcomm_session *s;
357 int err = 0;
358 u8 dlci;
359
360 BT_DBG("dlc %p state %ld %s %s channel %d",
361 d, d->state, batostr(src), batostr(dst), channel);
362
363 if (channel < 1 || channel > 30)
364 return -EINVAL;
365
366 if (d->state != BT_OPEN && d->state != BT_CLOSED)
367 return 0;
368
369 s = rfcomm_session_get(src, dst);
370 if (!s) {
371 s = rfcomm_session_create(src, dst, &err);
372 if (!s)
373 return err;
374 }
375
376 dlci = __dlci(!s->initiator, channel);
377
378 /* Check if DLCI already exists */
379 if (rfcomm_dlc_get(s, dlci))
380 return -EBUSY;
381
382 rfcomm_dlc_clear_state(d);
383
384 d->dlci = dlci;
385 d->addr = __addr(s->initiator, dlci);
386 d->priority = 7;
387
388 d->state = BT_CONFIG;
389 rfcomm_dlc_link(s, d);
390
391 d->out = 1;
392
393 d->mtu = s->mtu;
394 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
395
396 if (s->state == BT_CONNECTED) {
397 if (rfcomm_check_security(d))
398 rfcomm_send_pn(s, 1, d);
399 else
400 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
401 }
402
403 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
404
405 return 0;
406 }
407
rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)408 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
409 {
410 int r;
411
412 rfcomm_lock();
413
414 r = __rfcomm_dlc_open(d, src, dst, channel);
415
416 rfcomm_unlock();
417 return r;
418 }
419
__rfcomm_dlc_close(struct rfcomm_dlc * d,int err)420 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
421 {
422 struct rfcomm_session *s = d->session;
423 if (!s)
424 return 0;
425
426 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
427 d, d->state, d->dlci, err, s);
428
429 switch (d->state) {
430 case BT_CONNECT:
431 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
432 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
433 rfcomm_schedule(RFCOMM_SCHED_AUTH);
434 break;
435 }
436 /* Fall through */
437
438 case BT_CONNECTED:
439 d->state = BT_DISCONN;
440 if (skb_queue_empty(&d->tx_queue)) {
441 rfcomm_send_disc(s, d->dlci);
442 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
443 } else {
444 rfcomm_queue_disc(d);
445 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
446 }
447 break;
448
449 case BT_OPEN:
450 case BT_CONNECT2:
451 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
452 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
453 rfcomm_schedule(RFCOMM_SCHED_AUTH);
454 break;
455 }
456 /* Fall through */
457
458 default:
459 rfcomm_dlc_clear_timer(d);
460
461 rfcomm_dlc_lock(d);
462 d->state = BT_CLOSED;
463 d->state_change(d, err);
464 rfcomm_dlc_unlock(d);
465
466 skb_queue_purge(&d->tx_queue);
467 rfcomm_dlc_unlink(d);
468 }
469
470 return 0;
471 }
472
rfcomm_dlc_close(struct rfcomm_dlc * d,int err)473 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
474 {
475 int r;
476
477 rfcomm_lock();
478
479 r = __rfcomm_dlc_close(d, err);
480
481 rfcomm_unlock();
482 return r;
483 }
484
rfcomm_dlc_send(struct rfcomm_dlc * d,struct sk_buff * skb)485 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
486 {
487 int len = skb->len;
488
489 if (d->state != BT_CONNECTED)
490 return -ENOTCONN;
491
492 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
493
494 if (len > d->mtu)
495 return -EINVAL;
496
497 rfcomm_make_uih(skb, d->addr);
498 skb_queue_tail(&d->tx_queue, skb);
499
500 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
501 rfcomm_schedule(RFCOMM_SCHED_TX);
502 return len;
503 }
504
__rfcomm_dlc_throttle(struct rfcomm_dlc * d)505 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
506 {
507 BT_DBG("dlc %p state %ld", d, d->state);
508
509 if (!d->cfc) {
510 d->v24_sig |= RFCOMM_V24_FC;
511 set_bit(RFCOMM_MSC_PENDING, &d->flags);
512 }
513 rfcomm_schedule(RFCOMM_SCHED_TX);
514 }
515
__rfcomm_dlc_unthrottle(struct rfcomm_dlc * d)516 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
517 {
518 BT_DBG("dlc %p state %ld", d, d->state);
519
520 if (!d->cfc) {
521 d->v24_sig &= ~RFCOMM_V24_FC;
522 set_bit(RFCOMM_MSC_PENDING, &d->flags);
523 }
524 rfcomm_schedule(RFCOMM_SCHED_TX);
525 }
526
527 /*
528 Set/get modem status functions use _local_ status i.e. what we report
529 to the other side.
530 Remote status is provided by dlc->modem_status() callback.
531 */
rfcomm_dlc_set_modem_status(struct rfcomm_dlc * d,u8 v24_sig)532 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
533 {
534 BT_DBG("dlc %p state %ld v24_sig 0x%x",
535 d, d->state, v24_sig);
536
537 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
538 v24_sig |= RFCOMM_V24_FC;
539 else
540 v24_sig &= ~RFCOMM_V24_FC;
541
542 d->v24_sig = v24_sig;
543
544 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
545 rfcomm_schedule(RFCOMM_SCHED_TX);
546
547 return 0;
548 }
549
rfcomm_dlc_get_modem_status(struct rfcomm_dlc * d,u8 * v24_sig)550 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
551 {
552 BT_DBG("dlc %p state %ld v24_sig 0x%x",
553 d, d->state, d->v24_sig);
554
555 *v24_sig = d->v24_sig;
556 return 0;
557 }
558
559 /* ---- RFCOMM sessions ---- */
rfcomm_session_add(struct socket * sock,int state)560 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
561 {
562 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
563
564 if (!s)
565 return NULL;
566
567 BT_DBG("session %p sock %p", s, sock);
568
569 INIT_LIST_HEAD(&s->dlcs);
570 s->state = state;
571 s->sock = sock;
572
573 s->mtu = RFCOMM_DEFAULT_MTU;
574 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
575
576 /* Do not increment module usage count for listening sessions.
577 * Otherwise we won't be able to unload the module. */
578 if (state != BT_LISTEN)
579 if (!try_module_get(THIS_MODULE)) {
580 kfree(s);
581 return NULL;
582 }
583
584 list_add(&s->list, &session_list);
585
586 return s;
587 }
588
rfcomm_session_del(struct rfcomm_session * s)589 static void rfcomm_session_del(struct rfcomm_session *s)
590 {
591 int state = s->state;
592
593 BT_DBG("session %p state %ld", s, s->state);
594
595 list_del(&s->list);
596
597 if (state == BT_CONNECTED)
598 rfcomm_send_disc(s, 0);
599
600 sock_release(s->sock);
601 kfree(s);
602
603 if (state != BT_LISTEN)
604 module_put(THIS_MODULE);
605 }
606
rfcomm_session_get(bdaddr_t * src,bdaddr_t * dst)607 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
608 {
609 struct rfcomm_session *s;
610 struct list_head *p, *n;
611 struct bt_sock *sk;
612 list_for_each_safe(p, n, &session_list) {
613 s = list_entry(p, struct rfcomm_session, list);
614 sk = bt_sk(s->sock->sk);
615
616 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
617 !bacmp(&sk->dst, dst))
618 return s;
619 }
620 return NULL;
621 }
622
rfcomm_session_close(struct rfcomm_session * s,int err)623 static void rfcomm_session_close(struct rfcomm_session *s, int err)
624 {
625 struct rfcomm_dlc *d;
626 struct list_head *p, *n;
627
628 BT_DBG("session %p state %ld err %d", s, s->state, err);
629
630 rfcomm_session_hold(s);
631
632 s->state = BT_CLOSED;
633
634 /* Close all dlcs */
635 list_for_each_safe(p, n, &s->dlcs) {
636 d = list_entry(p, struct rfcomm_dlc, list);
637 d->state = BT_CLOSED;
638 __rfcomm_dlc_close(d, err);
639 }
640
641 rfcomm_session_put(s);
642 }
643
rfcomm_session_create(bdaddr_t * src,bdaddr_t * dst,int * err)644 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err)
645 {
646 struct rfcomm_session *s = NULL;
647 struct sockaddr_l2 addr;
648 struct socket *sock;
649 struct sock *sk;
650
651 BT_DBG("%s %s", batostr(src), batostr(dst));
652
653 *err = rfcomm_l2sock_create(&sock);
654 if (*err < 0)
655 return NULL;
656
657 bacpy(&addr.l2_bdaddr, src);
658 addr.l2_family = AF_BLUETOOTH;
659 addr.l2_psm = 0;
660 addr.l2_cid = 0;
661 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
662 if (*err < 0)
663 goto failed;
664
665 /* Set L2CAP options */
666 sk = sock->sk;
667 lock_sock(sk);
668 l2cap_pi(sk)->imtu = l2cap_mtu;
669 release_sock(sk);
670
671 s = rfcomm_session_add(sock, BT_BOUND);
672 if (!s) {
673 *err = -ENOMEM;
674 goto failed;
675 }
676
677 s->initiator = 1;
678
679 bacpy(&addr.l2_bdaddr, dst);
680 addr.l2_family = AF_BLUETOOTH;
681 addr.l2_psm = htobs(RFCOMM_PSM);
682 addr.l2_cid = 0;
683 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
684 if (*err == 0 || *err == -EINPROGRESS)
685 return s;
686
687 rfcomm_session_del(s);
688 return NULL;
689
690 failed:
691 sock_release(sock);
692 return NULL;
693 }
694
rfcomm_session_getaddr(struct rfcomm_session * s,bdaddr_t * src,bdaddr_t * dst)695 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
696 {
697 struct sock *sk = s->sock->sk;
698 if (src)
699 bacpy(src, &bt_sk(sk)->src);
700 if (dst)
701 bacpy(dst, &bt_sk(sk)->dst);
702 }
703
704 /* ---- RFCOMM frame sending ---- */
rfcomm_send_frame(struct rfcomm_session * s,u8 * data,int len)705 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
706 {
707 struct socket *sock = s->sock;
708 struct kvec iv = { data, len };
709 struct msghdr msg;
710
711 BT_DBG("session %p len %d", s, len);
712
713 memset(&msg, 0, sizeof(msg));
714
715 return kernel_sendmsg(sock, &msg, &iv, 1, len);
716 }
717
rfcomm_send_sabm(struct rfcomm_session * s,u8 dlci)718 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
719 {
720 struct rfcomm_cmd cmd;
721
722 BT_DBG("%p dlci %d", s, dlci);
723
724 cmd.addr = __addr(s->initiator, dlci);
725 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
726 cmd.len = __len8(0);
727 cmd.fcs = __fcs2((u8 *) &cmd);
728
729 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
730 }
731
rfcomm_send_ua(struct rfcomm_session * s,u8 dlci)732 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
733 {
734 struct rfcomm_cmd cmd;
735
736 BT_DBG("%p dlci %d", s, dlci);
737
738 cmd.addr = __addr(!s->initiator, dlci);
739 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
740 cmd.len = __len8(0);
741 cmd.fcs = __fcs2((u8 *) &cmd);
742
743 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
744 }
745
rfcomm_send_disc(struct rfcomm_session * s,u8 dlci)746 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
747 {
748 struct rfcomm_cmd cmd;
749
750 BT_DBG("%p dlci %d", s, dlci);
751
752 cmd.addr = __addr(s->initiator, dlci);
753 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
754 cmd.len = __len8(0);
755 cmd.fcs = __fcs2((u8 *) &cmd);
756
757 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
758 }
759
rfcomm_queue_disc(struct rfcomm_dlc * d)760 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
761 {
762 struct rfcomm_cmd *cmd;
763 struct sk_buff *skb;
764
765 BT_DBG("dlc %p dlci %d", d, d->dlci);
766
767 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
768 if (!skb)
769 return -ENOMEM;
770
771 cmd = (void *) __skb_put(skb, sizeof(*cmd));
772 cmd->addr = d->addr;
773 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
774 cmd->len = __len8(0);
775 cmd->fcs = __fcs2((u8 *) cmd);
776
777 skb_queue_tail(&d->tx_queue, skb);
778 rfcomm_schedule(RFCOMM_SCHED_TX);
779 return 0;
780 }
781
rfcomm_send_dm(struct rfcomm_session * s,u8 dlci)782 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
783 {
784 struct rfcomm_cmd cmd;
785
786 BT_DBG("%p dlci %d", s, dlci);
787
788 cmd.addr = __addr(!s->initiator, dlci);
789 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
790 cmd.len = __len8(0);
791 cmd.fcs = __fcs2((u8 *) &cmd);
792
793 return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
794 }
795
rfcomm_send_nsc(struct rfcomm_session * s,int cr,u8 type)796 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
797 {
798 struct rfcomm_hdr *hdr;
799 struct rfcomm_mcc *mcc;
800 u8 buf[16], *ptr = buf;
801
802 BT_DBG("%p cr %d type %d", s, cr, type);
803
804 hdr = (void *) ptr; ptr += sizeof(*hdr);
805 hdr->addr = __addr(s->initiator, 0);
806 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
807 hdr->len = __len8(sizeof(*mcc) + 1);
808
809 mcc = (void *) ptr; ptr += sizeof(*mcc);
810 mcc->type = __mcc_type(cr, RFCOMM_NSC);
811 mcc->len = __len8(1);
812
813 /* Type that we didn't like */
814 *ptr = __mcc_type(cr, type); ptr++;
815
816 *ptr = __fcs(buf); ptr++;
817
818 return rfcomm_send_frame(s, buf, ptr - buf);
819 }
820
rfcomm_send_pn(struct rfcomm_session * s,int cr,struct rfcomm_dlc * d)821 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
822 {
823 struct rfcomm_hdr *hdr;
824 struct rfcomm_mcc *mcc;
825 struct rfcomm_pn *pn;
826 u8 buf[16], *ptr = buf;
827
828 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
829
830 hdr = (void *) ptr; ptr += sizeof(*hdr);
831 hdr->addr = __addr(s->initiator, 0);
832 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
833 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
834
835 mcc = (void *) ptr; ptr += sizeof(*mcc);
836 mcc->type = __mcc_type(cr, RFCOMM_PN);
837 mcc->len = __len8(sizeof(*pn));
838
839 pn = (void *) ptr; ptr += sizeof(*pn);
840 pn->dlci = d->dlci;
841 pn->priority = d->priority;
842 pn->ack_timer = 0;
843 pn->max_retrans = 0;
844
845 if (s->cfc) {
846 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
847 pn->credits = RFCOMM_DEFAULT_CREDITS;
848 } else {
849 pn->flow_ctrl = 0;
850 pn->credits = 0;
851 }
852
853 if (cr && channel_mtu >= 0)
854 pn->mtu = htobs(channel_mtu);
855 else
856 pn->mtu = htobs(d->mtu);
857
858 *ptr = __fcs(buf); ptr++;
859
860 return rfcomm_send_frame(s, buf, ptr - buf);
861 }
862
rfcomm_send_rpn(struct rfcomm_session * s,int cr,u8 dlci,u8 bit_rate,u8 data_bits,u8 stop_bits,u8 parity,u8 flow_ctrl_settings,u8 xon_char,u8 xoff_char,u16 param_mask)863 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
864 u8 bit_rate, u8 data_bits, u8 stop_bits,
865 u8 parity, u8 flow_ctrl_settings,
866 u8 xon_char, u8 xoff_char, u16 param_mask)
867 {
868 struct rfcomm_hdr *hdr;
869 struct rfcomm_mcc *mcc;
870 struct rfcomm_rpn *rpn;
871 u8 buf[16], *ptr = buf;
872
873 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
874 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
875 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
876 flow_ctrl_settings, xon_char, xoff_char, param_mask);
877
878 hdr = (void *) ptr; ptr += sizeof(*hdr);
879 hdr->addr = __addr(s->initiator, 0);
880 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
881 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
882
883 mcc = (void *) ptr; ptr += sizeof(*mcc);
884 mcc->type = __mcc_type(cr, RFCOMM_RPN);
885 mcc->len = __len8(sizeof(*rpn));
886
887 rpn = (void *) ptr; ptr += sizeof(*rpn);
888 rpn->dlci = __addr(1, dlci);
889 rpn->bit_rate = bit_rate;
890 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
891 rpn->flow_ctrl = flow_ctrl_settings;
892 rpn->xon_char = xon_char;
893 rpn->xoff_char = xoff_char;
894 rpn->param_mask = cpu_to_le16(param_mask);
895
896 *ptr = __fcs(buf); ptr++;
897
898 return rfcomm_send_frame(s, buf, ptr - buf);
899 }
900
rfcomm_send_rls(struct rfcomm_session * s,int cr,u8 dlci,u8 status)901 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
902 {
903 struct rfcomm_hdr *hdr;
904 struct rfcomm_mcc *mcc;
905 struct rfcomm_rls *rls;
906 u8 buf[16], *ptr = buf;
907
908 BT_DBG("%p cr %d status 0x%x", s, cr, status);
909
910 hdr = (void *) ptr; ptr += sizeof(*hdr);
911 hdr->addr = __addr(s->initiator, 0);
912 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
913 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
914
915 mcc = (void *) ptr; ptr += sizeof(*mcc);
916 mcc->type = __mcc_type(cr, RFCOMM_RLS);
917 mcc->len = __len8(sizeof(*rls));
918
919 rls = (void *) ptr; ptr += sizeof(*rls);
920 rls->dlci = __addr(1, dlci);
921 rls->status = status;
922
923 *ptr = __fcs(buf); ptr++;
924
925 return rfcomm_send_frame(s, buf, ptr - buf);
926 }
927
rfcomm_send_msc(struct rfcomm_session * s,int cr,u8 dlci,u8 v24_sig)928 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
929 {
930 struct rfcomm_hdr *hdr;
931 struct rfcomm_mcc *mcc;
932 struct rfcomm_msc *msc;
933 u8 buf[16], *ptr = buf;
934
935 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
936
937 hdr = (void *) ptr; ptr += sizeof(*hdr);
938 hdr->addr = __addr(s->initiator, 0);
939 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
940 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
941
942 mcc = (void *) ptr; ptr += sizeof(*mcc);
943 mcc->type = __mcc_type(cr, RFCOMM_MSC);
944 mcc->len = __len8(sizeof(*msc));
945
946 msc = (void *) ptr; ptr += sizeof(*msc);
947 msc->dlci = __addr(1, dlci);
948 msc->v24_sig = v24_sig | 0x01;
949
950 *ptr = __fcs(buf); ptr++;
951
952 return rfcomm_send_frame(s, buf, ptr - buf);
953 }
954
rfcomm_send_fcoff(struct rfcomm_session * s,int cr)955 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
956 {
957 struct rfcomm_hdr *hdr;
958 struct rfcomm_mcc *mcc;
959 u8 buf[16], *ptr = buf;
960
961 BT_DBG("%p cr %d", s, cr);
962
963 hdr = (void *) ptr; ptr += sizeof(*hdr);
964 hdr->addr = __addr(s->initiator, 0);
965 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
966 hdr->len = __len8(sizeof(*mcc));
967
968 mcc = (void *) ptr; ptr += sizeof(*mcc);
969 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
970 mcc->len = __len8(0);
971
972 *ptr = __fcs(buf); ptr++;
973
974 return rfcomm_send_frame(s, buf, ptr - buf);
975 }
976
rfcomm_send_fcon(struct rfcomm_session * s,int cr)977 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
978 {
979 struct rfcomm_hdr *hdr;
980 struct rfcomm_mcc *mcc;
981 u8 buf[16], *ptr = buf;
982
983 BT_DBG("%p cr %d", s, cr);
984
985 hdr = (void *) ptr; ptr += sizeof(*hdr);
986 hdr->addr = __addr(s->initiator, 0);
987 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
988 hdr->len = __len8(sizeof(*mcc));
989
990 mcc = (void *) ptr; ptr += sizeof(*mcc);
991 mcc->type = __mcc_type(cr, RFCOMM_FCON);
992 mcc->len = __len8(0);
993
994 *ptr = __fcs(buf); ptr++;
995
996 return rfcomm_send_frame(s, buf, ptr - buf);
997 }
998
rfcomm_send_test(struct rfcomm_session * s,int cr,u8 * pattern,int len)999 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1000 {
1001 struct socket *sock = s->sock;
1002 struct kvec iv[3];
1003 struct msghdr msg;
1004 unsigned char hdr[5], crc[1];
1005
1006 if (len > 125)
1007 return -EINVAL;
1008
1009 BT_DBG("%p cr %d", s, cr);
1010
1011 hdr[0] = __addr(s->initiator, 0);
1012 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1013 hdr[2] = 0x01 | ((len + 2) << 1);
1014 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1015 hdr[4] = 0x01 | (len << 1);
1016
1017 crc[0] = __fcs(hdr);
1018
1019 iv[0].iov_base = hdr;
1020 iv[0].iov_len = 5;
1021 iv[1].iov_base = pattern;
1022 iv[1].iov_len = len;
1023 iv[2].iov_base = crc;
1024 iv[2].iov_len = 1;
1025
1026 memset(&msg, 0, sizeof(msg));
1027
1028 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1029 }
1030
rfcomm_send_credits(struct rfcomm_session * s,u8 addr,u8 credits)1031 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1032 {
1033 struct rfcomm_hdr *hdr;
1034 u8 buf[16], *ptr = buf;
1035
1036 BT_DBG("%p addr %d credits %d", s, addr, credits);
1037
1038 hdr = (void *) ptr; ptr += sizeof(*hdr);
1039 hdr->addr = addr;
1040 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1041 hdr->len = __len8(0);
1042
1043 *ptr = credits; ptr++;
1044
1045 *ptr = __fcs(buf); ptr++;
1046
1047 return rfcomm_send_frame(s, buf, ptr - buf);
1048 }
1049
rfcomm_make_uih(struct sk_buff * skb,u8 addr)1050 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1051 {
1052 struct rfcomm_hdr *hdr;
1053 int len = skb->len;
1054 u8 *crc;
1055
1056 if (len > 127) {
1057 hdr = (void *) skb_push(skb, 4);
1058 put_unaligned(htobs(__len16(len)), (__le16 *) &hdr->len);
1059 } else {
1060 hdr = (void *) skb_push(skb, 3);
1061 hdr->len = __len8(len);
1062 }
1063 hdr->addr = addr;
1064 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1065
1066 crc = skb_put(skb, 1);
1067 *crc = __fcs((void *) hdr);
1068 }
1069
1070 /* ---- RFCOMM frame reception ---- */
rfcomm_recv_ua(struct rfcomm_session * s,u8 dlci)1071 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1072 {
1073 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1074
1075 if (dlci) {
1076 /* Data channel */
1077 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1078 if (!d) {
1079 rfcomm_send_dm(s, dlci);
1080 return 0;
1081 }
1082
1083 switch (d->state) {
1084 case BT_CONNECT:
1085 rfcomm_dlc_clear_timer(d);
1086
1087 rfcomm_dlc_lock(d);
1088 d->state = BT_CONNECTED;
1089 d->state_change(d, 0);
1090 rfcomm_dlc_unlock(d);
1091
1092 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1093 break;
1094
1095 case BT_DISCONN:
1096 d->state = BT_CLOSED;
1097 __rfcomm_dlc_close(d, 0);
1098
1099 if (list_empty(&s->dlcs)) {
1100 s->state = BT_DISCONN;
1101 rfcomm_send_disc(s, 0);
1102 }
1103
1104 break;
1105 }
1106 } else {
1107 /* Control channel */
1108 switch (s->state) {
1109 case BT_CONNECT:
1110 s->state = BT_CONNECTED;
1111 rfcomm_process_connect(s);
1112 break;
1113
1114 case BT_DISCONN:
1115 if (s->sock->sk->sk_state != BT_CLOSED)
1116 rfcomm_session_put(s);
1117 break;
1118 }
1119 }
1120 return 0;
1121 }
1122
rfcomm_recv_dm(struct rfcomm_session * s,u8 dlci)1123 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1124 {
1125 int err = 0;
1126
1127 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1128
1129 if (dlci) {
1130 /* Data DLC */
1131 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1132 if (d) {
1133 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1134 err = ECONNREFUSED;
1135 else
1136 err = ECONNRESET;
1137
1138 d->state = BT_CLOSED;
1139 __rfcomm_dlc_close(d, err);
1140 }
1141 } else {
1142 if (s->state == BT_CONNECT)
1143 err = ECONNREFUSED;
1144 else
1145 err = ECONNRESET;
1146
1147 s->state = BT_CLOSED;
1148 rfcomm_session_close(s, err);
1149 }
1150 return 0;
1151 }
1152
rfcomm_recv_disc(struct rfcomm_session * s,u8 dlci)1153 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1154 {
1155 int err = 0;
1156
1157 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1158
1159 if (dlci) {
1160 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1161 if (d) {
1162 rfcomm_send_ua(s, dlci);
1163
1164 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1165 err = ECONNREFUSED;
1166 else
1167 err = ECONNRESET;
1168
1169 d->state = BT_CLOSED;
1170 __rfcomm_dlc_close(d, err);
1171 } else
1172 rfcomm_send_dm(s, dlci);
1173
1174 } else {
1175 rfcomm_send_ua(s, 0);
1176
1177 if (s->state == BT_CONNECT)
1178 err = ECONNREFUSED;
1179 else
1180 err = ECONNRESET;
1181
1182 s->state = BT_CLOSED;
1183 rfcomm_session_close(s, err);
1184 }
1185
1186 return 0;
1187 }
1188
rfcomm_dlc_accept(struct rfcomm_dlc * d)1189 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1190 {
1191 struct sock *sk = d->session->sock->sk;
1192
1193 BT_DBG("dlc %p", d);
1194
1195 rfcomm_send_ua(d->session, d->dlci);
1196
1197 rfcomm_dlc_lock(d);
1198 d->state = BT_CONNECTED;
1199 d->state_change(d, 0);
1200 rfcomm_dlc_unlock(d);
1201
1202 if (d->role_switch)
1203 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
1204
1205 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1206 }
1207
rfcomm_check_accept(struct rfcomm_dlc * d)1208 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1209 {
1210 if (rfcomm_check_security(d)) {
1211 if (d->defer_setup) {
1212 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1213 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1214
1215 rfcomm_dlc_lock(d);
1216 d->state = BT_CONNECT2;
1217 d->state_change(d, 0);
1218 rfcomm_dlc_unlock(d);
1219 } else
1220 rfcomm_dlc_accept(d);
1221 } else {
1222 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1223 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1224 }
1225 }
1226
rfcomm_recv_sabm(struct rfcomm_session * s,u8 dlci)1227 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1228 {
1229 struct rfcomm_dlc *d;
1230 u8 channel;
1231
1232 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1233
1234 if (!dlci) {
1235 rfcomm_send_ua(s, 0);
1236
1237 if (s->state == BT_OPEN) {
1238 s->state = BT_CONNECTED;
1239 rfcomm_process_connect(s);
1240 }
1241 return 0;
1242 }
1243
1244 /* Check if DLC exists */
1245 d = rfcomm_dlc_get(s, dlci);
1246 if (d) {
1247 if (d->state == BT_OPEN) {
1248 /* DLC was previously opened by PN request */
1249 rfcomm_check_accept(d);
1250 }
1251 return 0;
1252 }
1253
1254 /* Notify socket layer about incoming connection */
1255 channel = __srv_channel(dlci);
1256 if (rfcomm_connect_ind(s, channel, &d)) {
1257 d->dlci = dlci;
1258 d->addr = __addr(s->initiator, dlci);
1259 rfcomm_dlc_link(s, d);
1260
1261 rfcomm_check_accept(d);
1262 } else {
1263 rfcomm_send_dm(s, dlci);
1264 }
1265
1266 return 0;
1267 }
1268
rfcomm_apply_pn(struct rfcomm_dlc * d,int cr,struct rfcomm_pn * pn)1269 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1270 {
1271 struct rfcomm_session *s = d->session;
1272
1273 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1274 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1275
1276 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1277 pn->flow_ctrl == 0xe0) {
1278 d->cfc = RFCOMM_CFC_ENABLED;
1279 d->tx_credits = pn->credits;
1280 } else {
1281 d->cfc = RFCOMM_CFC_DISABLED;
1282 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1283 }
1284
1285 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1286 s->cfc = d->cfc;
1287
1288 d->priority = pn->priority;
1289
1290 d->mtu = btohs(pn->mtu);
1291
1292 if (cr && d->mtu > s->mtu)
1293 d->mtu = s->mtu;
1294
1295 return 0;
1296 }
1297
rfcomm_recv_pn(struct rfcomm_session * s,int cr,struct sk_buff * skb)1298 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1299 {
1300 struct rfcomm_pn *pn = (void *) skb->data;
1301 struct rfcomm_dlc *d;
1302 u8 dlci = pn->dlci;
1303
1304 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1305
1306 if (!dlci)
1307 return 0;
1308
1309 d = rfcomm_dlc_get(s, dlci);
1310 if (d) {
1311 if (cr) {
1312 /* PN request */
1313 rfcomm_apply_pn(d, cr, pn);
1314 rfcomm_send_pn(s, 0, d);
1315 } else {
1316 /* PN response */
1317 switch (d->state) {
1318 case BT_CONFIG:
1319 rfcomm_apply_pn(d, cr, pn);
1320
1321 d->state = BT_CONNECT;
1322 rfcomm_send_sabm(s, d->dlci);
1323 break;
1324 }
1325 }
1326 } else {
1327 u8 channel = __srv_channel(dlci);
1328
1329 if (!cr)
1330 return 0;
1331
1332 /* PN request for non existing DLC.
1333 * Assume incoming connection. */
1334 if (rfcomm_connect_ind(s, channel, &d)) {
1335 d->dlci = dlci;
1336 d->addr = __addr(s->initiator, dlci);
1337 rfcomm_dlc_link(s, d);
1338
1339 rfcomm_apply_pn(d, cr, pn);
1340
1341 d->state = BT_OPEN;
1342 rfcomm_send_pn(s, 0, d);
1343 } else {
1344 rfcomm_send_dm(s, dlci);
1345 }
1346 }
1347 return 0;
1348 }
1349
rfcomm_recv_rpn(struct rfcomm_session * s,int cr,int len,struct sk_buff * skb)1350 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1351 {
1352 struct rfcomm_rpn *rpn = (void *) skb->data;
1353 u8 dlci = __get_dlci(rpn->dlci);
1354
1355 u8 bit_rate = 0;
1356 u8 data_bits = 0;
1357 u8 stop_bits = 0;
1358 u8 parity = 0;
1359 u8 flow_ctrl = 0;
1360 u8 xon_char = 0;
1361 u8 xoff_char = 0;
1362 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1363
1364 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1365 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1366 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1367
1368 if (!cr)
1369 return 0;
1370
1371 if (len == 1) {
1372 /* This is a request, return default settings */
1373 bit_rate = RFCOMM_RPN_BR_115200;
1374 data_bits = RFCOMM_RPN_DATA_8;
1375 stop_bits = RFCOMM_RPN_STOP_1;
1376 parity = RFCOMM_RPN_PARITY_NONE;
1377 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1378 xon_char = RFCOMM_RPN_XON_CHAR;
1379 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1380 goto rpn_out;
1381 }
1382
1383 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1384 * no parity, no flow control lines, normal XON/XOFF chars */
1385
1386 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1387 bit_rate = rpn->bit_rate;
1388 if (bit_rate != RFCOMM_RPN_BR_115200) {
1389 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1390 bit_rate = RFCOMM_RPN_BR_115200;
1391 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1392 }
1393 }
1394
1395 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1396 data_bits = __get_rpn_data_bits(rpn->line_settings);
1397 if (data_bits != RFCOMM_RPN_DATA_8) {
1398 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1399 data_bits = RFCOMM_RPN_DATA_8;
1400 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1401 }
1402 }
1403
1404 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1405 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1406 if (stop_bits != RFCOMM_RPN_STOP_1) {
1407 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1408 stop_bits = RFCOMM_RPN_STOP_1;
1409 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1410 }
1411 }
1412
1413 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1414 parity = __get_rpn_parity(rpn->line_settings);
1415 if (parity != RFCOMM_RPN_PARITY_NONE) {
1416 BT_DBG("RPN parity mismatch 0x%x", parity);
1417 parity = RFCOMM_RPN_PARITY_NONE;
1418 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1419 }
1420 }
1421
1422 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1423 flow_ctrl = rpn->flow_ctrl;
1424 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1425 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1426 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1427 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1428 }
1429 }
1430
1431 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1432 xon_char = rpn->xon_char;
1433 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1434 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1435 xon_char = RFCOMM_RPN_XON_CHAR;
1436 rpn_mask ^= RFCOMM_RPN_PM_XON;
1437 }
1438 }
1439
1440 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1441 xoff_char = rpn->xoff_char;
1442 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1443 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1444 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1445 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1446 }
1447 }
1448
1449 rpn_out:
1450 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1451 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1452
1453 return 0;
1454 }
1455
rfcomm_recv_rls(struct rfcomm_session * s,int cr,struct sk_buff * skb)1456 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1457 {
1458 struct rfcomm_rls *rls = (void *) skb->data;
1459 u8 dlci = __get_dlci(rls->dlci);
1460
1461 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1462
1463 if (!cr)
1464 return 0;
1465
1466 /* We should probably do something with this information here. But
1467 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1468 * mandatory to recognise and respond to RLS */
1469
1470 rfcomm_send_rls(s, 0, dlci, rls->status);
1471
1472 return 0;
1473 }
1474
rfcomm_recv_msc(struct rfcomm_session * s,int cr,struct sk_buff * skb)1475 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1476 {
1477 struct rfcomm_msc *msc = (void *) skb->data;
1478 struct rfcomm_dlc *d;
1479 u8 dlci = __get_dlci(msc->dlci);
1480
1481 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1482
1483 d = rfcomm_dlc_get(s, dlci);
1484 if (!d)
1485 return 0;
1486
1487 if (cr) {
1488 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1489 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1490 else
1491 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1492
1493 rfcomm_dlc_lock(d);
1494
1495 d->remote_v24_sig = msc->v24_sig;
1496
1497 if (d->modem_status)
1498 d->modem_status(d, msc->v24_sig);
1499
1500 rfcomm_dlc_unlock(d);
1501
1502 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1503
1504 d->mscex |= RFCOMM_MSCEX_RX;
1505 } else
1506 d->mscex |= RFCOMM_MSCEX_TX;
1507
1508 return 0;
1509 }
1510
rfcomm_recv_mcc(struct rfcomm_session * s,struct sk_buff * skb)1511 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1512 {
1513 struct rfcomm_mcc *mcc = (void *) skb->data;
1514 u8 type, cr, len;
1515
1516 cr = __test_cr(mcc->type);
1517 type = __get_mcc_type(mcc->type);
1518 len = __get_mcc_len(mcc->len);
1519
1520 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1521
1522 skb_pull(skb, 2);
1523
1524 switch (type) {
1525 case RFCOMM_PN:
1526 rfcomm_recv_pn(s, cr, skb);
1527 break;
1528
1529 case RFCOMM_RPN:
1530 rfcomm_recv_rpn(s, cr, len, skb);
1531 break;
1532
1533 case RFCOMM_RLS:
1534 rfcomm_recv_rls(s, cr, skb);
1535 break;
1536
1537 case RFCOMM_MSC:
1538 rfcomm_recv_msc(s, cr, skb);
1539 break;
1540
1541 case RFCOMM_FCOFF:
1542 if (cr) {
1543 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1544 rfcomm_send_fcoff(s, 0);
1545 }
1546 break;
1547
1548 case RFCOMM_FCON:
1549 if (cr) {
1550 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1551 rfcomm_send_fcon(s, 0);
1552 }
1553 break;
1554
1555 case RFCOMM_TEST:
1556 if (cr)
1557 rfcomm_send_test(s, 0, skb->data, skb->len);
1558 break;
1559
1560 case RFCOMM_NSC:
1561 break;
1562
1563 default:
1564 BT_ERR("Unknown control type 0x%02x", type);
1565 rfcomm_send_nsc(s, cr, type);
1566 break;
1567 }
1568 return 0;
1569 }
1570
rfcomm_recv_data(struct rfcomm_session * s,u8 dlci,int pf,struct sk_buff * skb)1571 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1572 {
1573 struct rfcomm_dlc *d;
1574
1575 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1576
1577 d = rfcomm_dlc_get(s, dlci);
1578 if (!d) {
1579 rfcomm_send_dm(s, dlci);
1580 goto drop;
1581 }
1582
1583 if (pf && d->cfc) {
1584 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1585
1586 d->tx_credits += credits;
1587 if (d->tx_credits)
1588 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1589 }
1590
1591 if (skb->len && d->state == BT_CONNECTED) {
1592 rfcomm_dlc_lock(d);
1593 d->rx_credits--;
1594 d->data_ready(d, skb);
1595 rfcomm_dlc_unlock(d);
1596 return 0;
1597 }
1598
1599 drop:
1600 kfree_skb(skb);
1601 return 0;
1602 }
1603
rfcomm_recv_frame(struct rfcomm_session * s,struct sk_buff * skb)1604 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1605 {
1606 struct rfcomm_hdr *hdr = (void *) skb->data;
1607 u8 type, dlci, fcs;
1608
1609 dlci = __get_dlci(hdr->addr);
1610 type = __get_type(hdr->ctrl);
1611
1612 /* Trim FCS */
1613 skb->len--; skb->tail--;
1614 fcs = *(u8 *)skb_tail_pointer(skb);
1615
1616 if (__check_fcs(skb->data, type, fcs)) {
1617 BT_ERR("bad checksum in packet");
1618 kfree_skb(skb);
1619 return -EILSEQ;
1620 }
1621
1622 if (__test_ea(hdr->len))
1623 skb_pull(skb, 3);
1624 else
1625 skb_pull(skb, 4);
1626
1627 switch (type) {
1628 case RFCOMM_SABM:
1629 if (__test_pf(hdr->ctrl))
1630 rfcomm_recv_sabm(s, dlci);
1631 break;
1632
1633 case RFCOMM_DISC:
1634 if (__test_pf(hdr->ctrl))
1635 rfcomm_recv_disc(s, dlci);
1636 break;
1637
1638 case RFCOMM_UA:
1639 if (__test_pf(hdr->ctrl))
1640 rfcomm_recv_ua(s, dlci);
1641 break;
1642
1643 case RFCOMM_DM:
1644 rfcomm_recv_dm(s, dlci);
1645 break;
1646
1647 case RFCOMM_UIH:
1648 if (dlci)
1649 return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1650
1651 rfcomm_recv_mcc(s, skb);
1652 break;
1653
1654 default:
1655 BT_ERR("Unknown packet type 0x%02x\n", type);
1656 break;
1657 }
1658 kfree_skb(skb);
1659 return 0;
1660 }
1661
1662 /* ---- Connection and data processing ---- */
1663
rfcomm_process_connect(struct rfcomm_session * s)1664 static void rfcomm_process_connect(struct rfcomm_session *s)
1665 {
1666 struct rfcomm_dlc *d;
1667 struct list_head *p, *n;
1668
1669 BT_DBG("session %p state %ld", s, s->state);
1670
1671 list_for_each_safe(p, n, &s->dlcs) {
1672 d = list_entry(p, struct rfcomm_dlc, list);
1673 if (d->state == BT_CONFIG) {
1674 d->mtu = s->mtu;
1675 if (rfcomm_check_security(d)) {
1676 rfcomm_send_pn(s, 1, d);
1677 } else {
1678 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1679 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1680 }
1681 }
1682 }
1683 }
1684
1685 /* Send data queued for the DLC.
1686 * Return number of frames left in the queue.
1687 */
rfcomm_process_tx(struct rfcomm_dlc * d)1688 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1689 {
1690 struct sk_buff *skb;
1691 int err;
1692
1693 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1694 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1695
1696 /* Send pending MSC */
1697 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1698 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1699
1700 if (d->cfc) {
1701 /* CFC enabled.
1702 * Give them some credits */
1703 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1704 d->rx_credits <= (d->cfc >> 2)) {
1705 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1706 d->rx_credits = d->cfc;
1707 }
1708 } else {
1709 /* CFC disabled.
1710 * Give ourselves some credits */
1711 d->tx_credits = 5;
1712 }
1713
1714 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1715 return skb_queue_len(&d->tx_queue);
1716
1717 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1718 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1719 if (err < 0) {
1720 skb_queue_head(&d->tx_queue, skb);
1721 break;
1722 }
1723 kfree_skb(skb);
1724 d->tx_credits--;
1725 }
1726
1727 if (d->cfc && !d->tx_credits) {
1728 /* We're out of TX credits.
1729 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1730 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1731 }
1732
1733 return skb_queue_len(&d->tx_queue);
1734 }
1735
rfcomm_process_dlcs(struct rfcomm_session * s)1736 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1737 {
1738 struct rfcomm_dlc *d;
1739 struct list_head *p, *n;
1740
1741 BT_DBG("session %p state %ld", s, s->state);
1742
1743 list_for_each_safe(p, n, &s->dlcs) {
1744 d = list_entry(p, struct rfcomm_dlc, list);
1745
1746 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1747 __rfcomm_dlc_close(d, ETIMEDOUT);
1748 continue;
1749 }
1750
1751 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1752 rfcomm_dlc_clear_timer(d);
1753 if (d->out) {
1754 rfcomm_send_pn(s, 1, d);
1755 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1756 } else {
1757 if (d->defer_setup) {
1758 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1759 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1760
1761 rfcomm_dlc_lock(d);
1762 d->state = BT_CONNECT2;
1763 d->state_change(d, 0);
1764 rfcomm_dlc_unlock(d);
1765 } else
1766 rfcomm_dlc_accept(d);
1767 }
1768 continue;
1769 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1770 rfcomm_dlc_clear_timer(d);
1771 if (!d->out)
1772 rfcomm_send_dm(s, d->dlci);
1773 else
1774 d->state = BT_CLOSED;
1775 __rfcomm_dlc_close(d, ECONNREFUSED);
1776 continue;
1777 }
1778
1779 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1780 continue;
1781
1782 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1783 continue;
1784
1785 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1786 d->mscex == RFCOMM_MSCEX_OK)
1787 rfcomm_process_tx(d);
1788 }
1789 }
1790
rfcomm_process_rx(struct rfcomm_session * s)1791 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1792 {
1793 struct socket *sock = s->sock;
1794 struct sock *sk = sock->sk;
1795 struct sk_buff *skb;
1796
1797 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1798
1799 /* Get data directly from socket receive queue without copying it. */
1800 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1801 skb_orphan(skb);
1802 rfcomm_recv_frame(s, skb);
1803 }
1804
1805 if (sk->sk_state == BT_CLOSED) {
1806 if (!s->initiator)
1807 rfcomm_session_put(s);
1808
1809 rfcomm_session_close(s, sk->sk_err);
1810 }
1811 }
1812
rfcomm_accept_connection(struct rfcomm_session * s)1813 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1814 {
1815 struct socket *sock = s->sock, *nsock;
1816 int err;
1817
1818 /* Fast check for a new connection.
1819 * Avoids unnesesary socket allocations. */
1820 if (list_empty(&bt_sk(sock->sk)->accept_q))
1821 return;
1822
1823 BT_DBG("session %p", s);
1824
1825 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1826 if (err < 0)
1827 return;
1828
1829 /* Set our callbacks */
1830 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1831 nsock->sk->sk_state_change = rfcomm_l2state_change;
1832
1833 s = rfcomm_session_add(nsock, BT_OPEN);
1834 if (s) {
1835 rfcomm_session_hold(s);
1836
1837 /* We should adjust MTU on incoming sessions.
1838 * L2CAP MTU minus UIH header and FCS. */
1839 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
1840
1841 rfcomm_schedule(RFCOMM_SCHED_RX);
1842 } else
1843 sock_release(nsock);
1844 }
1845
rfcomm_check_connection(struct rfcomm_session * s)1846 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1847 {
1848 struct sock *sk = s->sock->sk;
1849
1850 BT_DBG("%p state %ld", s, s->state);
1851
1852 switch(sk->sk_state) {
1853 case BT_CONNECTED:
1854 s->state = BT_CONNECT;
1855
1856 /* We can adjust MTU on outgoing sessions.
1857 * L2CAP MTU minus UIH header and FCS. */
1858 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
1859
1860 rfcomm_send_sabm(s, 0);
1861 break;
1862
1863 case BT_CLOSED:
1864 s->state = BT_CLOSED;
1865 rfcomm_session_close(s, sk->sk_err);
1866 break;
1867 }
1868 }
1869
rfcomm_process_sessions(void)1870 static inline void rfcomm_process_sessions(void)
1871 {
1872 struct list_head *p, *n;
1873
1874 rfcomm_lock();
1875
1876 list_for_each_safe(p, n, &session_list) {
1877 struct rfcomm_session *s;
1878 s = list_entry(p, struct rfcomm_session, list);
1879
1880 if (s->state == BT_LISTEN) {
1881 rfcomm_accept_connection(s);
1882 continue;
1883 }
1884
1885 rfcomm_session_hold(s);
1886
1887 switch (s->state) {
1888 case BT_BOUND:
1889 rfcomm_check_connection(s);
1890 break;
1891
1892 default:
1893 rfcomm_process_rx(s);
1894 break;
1895 }
1896
1897 rfcomm_process_dlcs(s);
1898
1899 rfcomm_session_put(s);
1900 }
1901
1902 rfcomm_unlock();
1903 }
1904
rfcomm_add_listener(bdaddr_t * ba)1905 static int rfcomm_add_listener(bdaddr_t *ba)
1906 {
1907 struct sockaddr_l2 addr;
1908 struct socket *sock;
1909 struct sock *sk;
1910 struct rfcomm_session *s;
1911 int err = 0;
1912
1913 /* Create socket */
1914 err = rfcomm_l2sock_create(&sock);
1915 if (err < 0) {
1916 BT_ERR("Create socket failed %d", err);
1917 return err;
1918 }
1919
1920 /* Bind socket */
1921 bacpy(&addr.l2_bdaddr, ba);
1922 addr.l2_family = AF_BLUETOOTH;
1923 addr.l2_psm = htobs(RFCOMM_PSM);
1924 addr.l2_cid = 0;
1925 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1926 if (err < 0) {
1927 BT_ERR("Bind failed %d", err);
1928 goto failed;
1929 }
1930
1931 /* Set L2CAP options */
1932 sk = sock->sk;
1933 lock_sock(sk);
1934 l2cap_pi(sk)->imtu = l2cap_mtu;
1935 release_sock(sk);
1936
1937 /* Start listening on the socket */
1938 err = kernel_listen(sock, 10);
1939 if (err) {
1940 BT_ERR("Listen failed %d", err);
1941 goto failed;
1942 }
1943
1944 /* Add listening session */
1945 s = rfcomm_session_add(sock, BT_LISTEN);
1946 if (!s)
1947 goto failed;
1948
1949 rfcomm_session_hold(s);
1950 return 0;
1951 failed:
1952 sock_release(sock);
1953 return err;
1954 }
1955
rfcomm_kill_listener(void)1956 static void rfcomm_kill_listener(void)
1957 {
1958 struct rfcomm_session *s;
1959 struct list_head *p, *n;
1960
1961 BT_DBG("");
1962
1963 list_for_each_safe(p, n, &session_list) {
1964 s = list_entry(p, struct rfcomm_session, list);
1965 rfcomm_session_del(s);
1966 }
1967 }
1968
rfcomm_run(void * unused)1969 static int rfcomm_run(void *unused)
1970 {
1971 BT_DBG("");
1972
1973 set_user_nice(current, -10);
1974
1975 rfcomm_add_listener(BDADDR_ANY);
1976
1977 while (!kthread_should_stop()) {
1978 set_current_state(TASK_INTERRUPTIBLE);
1979 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) {
1980 /* No pending events. Let's sleep.
1981 * Incoming connections and data will wake us up. */
1982 schedule();
1983 }
1984 set_current_state(TASK_RUNNING);
1985
1986 /* Process stuff */
1987 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
1988 rfcomm_process_sessions();
1989 }
1990
1991 rfcomm_kill_listener();
1992
1993 return 0;
1994 }
1995
rfcomm_security_cfm(struct hci_conn * conn,u8 status,u8 encrypt)1996 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1997 {
1998 struct rfcomm_session *s;
1999 struct rfcomm_dlc *d;
2000 struct list_head *p, *n;
2001
2002 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2003
2004 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2005 if (!s)
2006 return;
2007
2008 rfcomm_session_hold(s);
2009
2010 list_for_each_safe(p, n, &s->dlcs) {
2011 d = list_entry(p, struct rfcomm_dlc, list);
2012
2013 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2014 rfcomm_dlc_clear_timer(d);
2015 if (status || encrypt == 0x00) {
2016 __rfcomm_dlc_close(d, ECONNREFUSED);
2017 continue;
2018 }
2019 }
2020
2021 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2022 if (d->sec_level == BT_SECURITY_MEDIUM) {
2023 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2024 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2025 continue;
2026 } else if (d->sec_level == BT_SECURITY_HIGH) {
2027 __rfcomm_dlc_close(d, ECONNREFUSED);
2028 continue;
2029 }
2030 }
2031
2032 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2033 continue;
2034
2035 if (!status)
2036 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2037 else
2038 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2039 }
2040
2041 rfcomm_session_put(s);
2042
2043 rfcomm_schedule(RFCOMM_SCHED_AUTH);
2044 }
2045
2046 static struct hci_cb rfcomm_cb = {
2047 .name = "RFCOMM",
2048 .security_cfm = rfcomm_security_cfm
2049 };
2050
rfcomm_dlc_sysfs_show(struct class * dev,char * buf)2051 static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
2052 {
2053 struct rfcomm_session *s;
2054 struct list_head *pp, *p;
2055 char *str = buf;
2056
2057 rfcomm_lock();
2058
2059 list_for_each(p, &session_list) {
2060 s = list_entry(p, struct rfcomm_session, list);
2061 list_for_each(pp, &s->dlcs) {
2062 struct sock *sk = s->sock->sk;
2063 struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2064
2065 str += sprintf(str, "%s %s %ld %d %d %d %d\n",
2066 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2067 d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
2068 }
2069 }
2070
2071 rfcomm_unlock();
2072
2073 return (str - buf);
2074 }
2075
2076 static CLASS_ATTR(rfcomm_dlc, S_IRUGO, rfcomm_dlc_sysfs_show, NULL);
2077
2078 /* ---- Initialization ---- */
rfcomm_init(void)2079 static int __init rfcomm_init(void)
2080 {
2081 l2cap_load();
2082
2083 hci_register_cb(&rfcomm_cb);
2084
2085 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2086 if (IS_ERR(rfcomm_thread)) {
2087 hci_unregister_cb(&rfcomm_cb);
2088 return PTR_ERR(rfcomm_thread);
2089 }
2090
2091 if (class_create_file(bt_class, &class_attr_rfcomm_dlc) < 0)
2092 BT_ERR("Failed to create RFCOMM info file");
2093
2094 rfcomm_init_sockets();
2095
2096 #ifdef CONFIG_BT_RFCOMM_TTY
2097 rfcomm_init_ttys();
2098 #endif
2099
2100 BT_INFO("RFCOMM ver %s", VERSION);
2101
2102 return 0;
2103 }
2104
rfcomm_exit(void)2105 static void __exit rfcomm_exit(void)
2106 {
2107 class_remove_file(bt_class, &class_attr_rfcomm_dlc);
2108
2109 hci_unregister_cb(&rfcomm_cb);
2110
2111 kthread_stop(rfcomm_thread);
2112
2113 #ifdef CONFIG_BT_RFCOMM_TTY
2114 rfcomm_cleanup_ttys();
2115 #endif
2116
2117 rfcomm_cleanup_sockets();
2118 }
2119
2120 module_init(rfcomm_init);
2121 module_exit(rfcomm_exit);
2122
2123 module_param(disable_cfc, bool, 0644);
2124 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2125
2126 module_param(channel_mtu, int, 0644);
2127 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2128
2129 module_param(l2cap_mtu, uint, 0644);
2130 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2131
2132 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2133 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2134 MODULE_VERSION(VERSION);
2135 MODULE_LICENSE("GPL");
2136 MODULE_ALIAS("bt-proto-3");
2137