1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * Bluetooth RFCOMM core.
26 */
27
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37
38 #define VERSION "1.11"
39
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
45 static struct task_struct *rfcomm_thread;
46
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
50
51
52 static LIST_HEAD(session_list);
53
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 bdaddr_t *dst,
69 u8 sec_level,
70 int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b) ((b & 0xfc) >> 2)
76 #define __get_channel(b) ((b & 0xf8) >> 3)
77 #define __get_dir(b) ((b & 0x04) >> 2)
78 #define __get_type(b) ((b & 0xef))
79
80 #define __test_ea(b) ((b & 0x01))
81 #define __test_cr(b) ((b & 0x02))
82 #define __test_pf(b) ((b & 0x10))
83
84 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
85 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
86 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
87 #define __srv_channel(dlci) (dlci >> 1)
88 #define __dir(dlci) (dlci & 0x01)
89
90 #define __len8(len) (((len) << 1) | 1)
91 #define __len16(len) ((len) << 1)
92
93 /* MCC macros */
94 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
95 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
96 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
97
98 /* RPN macros */
99 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
100 #define __get_rpn_data_bits(line) ((line) & 0x3)
101 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
102 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
103
rfcomm_schedule(void)104 static void rfcomm_schedule(void)
105 {
106 if (!rfcomm_thread)
107 return;
108 wake_up_process(rfcomm_thread);
109 }
110
111 /* ---- RFCOMM FCS computation ---- */
112
113 /* reversed, 8-bit, poly=0x07 */
114 static unsigned char rfcomm_crc_table[256] = {
115 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
116 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
117 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
118 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
119
120 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
121 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
122 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
123 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
124
125 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
126 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
127 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
128 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
129
130 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
131 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
132 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
133 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
134
135 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
136 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
137 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
138 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
139
140 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
141 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
142 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
143 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
144
145 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
146 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
147 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
148 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
149
150 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
151 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
152 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
153 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
154 };
155
156 /* CRC on 2 bytes */
157 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
158
159 /* FCS on 2 bytes */
__fcs(u8 * data)160 static inline u8 __fcs(u8 *data)
161 {
162 return 0xff - __crc(data);
163 }
164
165 /* FCS on 3 bytes */
__fcs2(u8 * data)166 static inline u8 __fcs2(u8 *data)
167 {
168 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
169 }
170
171 /* Check FCS */
__check_fcs(u8 * data,int type,u8 fcs)172 static inline int __check_fcs(u8 *data, int type, u8 fcs)
173 {
174 u8 f = __crc(data);
175
176 if (type != RFCOMM_UIH)
177 f = rfcomm_crc_table[f ^ data[2]];
178
179 return rfcomm_crc_table[f ^ fcs] != 0xcf;
180 }
181
182 /* ---- L2CAP callbacks ---- */
rfcomm_l2state_change(struct sock * sk)183 static void rfcomm_l2state_change(struct sock *sk)
184 {
185 BT_DBG("%p state %d", sk, sk->sk_state);
186 rfcomm_schedule();
187 }
188
rfcomm_l2data_ready(struct sock * sk,int bytes)189 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
190 {
191 BT_DBG("%p bytes %d", sk, bytes);
192 rfcomm_schedule();
193 }
194
rfcomm_l2sock_create(struct socket ** sock)195 static int rfcomm_l2sock_create(struct socket **sock)
196 {
197 int err;
198
199 BT_DBG("");
200
201 err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
202 if (!err) {
203 struct sock *sk = (*sock)->sk;
204 sk->sk_data_ready = rfcomm_l2data_ready;
205 sk->sk_state_change = rfcomm_l2state_change;
206 }
207 return err;
208 }
209
rfcomm_check_security(struct rfcomm_dlc * d)210 static int rfcomm_check_security(struct rfcomm_dlc *d)
211 {
212 struct sock *sk = d->session->sock->sk;
213 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
214
215 __u8 auth_type;
216
217 switch (d->sec_level) {
218 case BT_SECURITY_HIGH:
219 auth_type = HCI_AT_GENERAL_BONDING_MITM;
220 break;
221 case BT_SECURITY_MEDIUM:
222 auth_type = HCI_AT_GENERAL_BONDING;
223 break;
224 default:
225 auth_type = HCI_AT_NO_BONDING;
226 break;
227 }
228
229 return hci_conn_security(conn->hcon, d->sec_level, auth_type);
230 }
231
rfcomm_session_timeout(unsigned long arg)232 static void rfcomm_session_timeout(unsigned long arg)
233 {
234 struct rfcomm_session *s = (void *) arg;
235
236 BT_DBG("session %p state %ld", s, s->state);
237
238 set_bit(RFCOMM_TIMED_OUT, &s->flags);
239 rfcomm_schedule();
240 }
241
rfcomm_session_set_timer(struct rfcomm_session * s,long timeout)242 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
243 {
244 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
245
246 mod_timer(&s->timer, jiffies + timeout);
247 }
248
rfcomm_session_clear_timer(struct rfcomm_session * s)249 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
250 {
251 BT_DBG("session %p state %ld", s, s->state);
252
253 del_timer_sync(&s->timer);
254 }
255
256 /* ---- RFCOMM DLCs ---- */
rfcomm_dlc_timeout(unsigned long arg)257 static void rfcomm_dlc_timeout(unsigned long arg)
258 {
259 struct rfcomm_dlc *d = (void *) arg;
260
261 BT_DBG("dlc %p state %ld", d, d->state);
262
263 set_bit(RFCOMM_TIMED_OUT, &d->flags);
264 rfcomm_dlc_put(d);
265 rfcomm_schedule();
266 }
267
rfcomm_dlc_set_timer(struct rfcomm_dlc * d,long timeout)268 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
269 {
270 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
271
272 if (!mod_timer(&d->timer, jiffies + timeout))
273 rfcomm_dlc_hold(d);
274 }
275
rfcomm_dlc_clear_timer(struct rfcomm_dlc * d)276 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
277 {
278 BT_DBG("dlc %p state %ld", d, d->state);
279
280 if (del_timer(&d->timer))
281 rfcomm_dlc_put(d);
282 }
283
rfcomm_dlc_clear_state(struct rfcomm_dlc * d)284 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
285 {
286 BT_DBG("%p", d);
287
288 d->state = BT_OPEN;
289 d->flags = 0;
290 d->mscex = 0;
291 d->sec_level = BT_SECURITY_LOW;
292 d->mtu = RFCOMM_DEFAULT_MTU;
293 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
294
295 d->cfc = RFCOMM_CFC_DISABLED;
296 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
297 }
298
rfcomm_dlc_alloc(gfp_t prio)299 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
300 {
301 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
302
303 if (!d)
304 return NULL;
305
306 setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
307
308 skb_queue_head_init(&d->tx_queue);
309 spin_lock_init(&d->lock);
310 atomic_set(&d->refcnt, 1);
311
312 rfcomm_dlc_clear_state(d);
313
314 BT_DBG("%p", d);
315
316 return d;
317 }
318
rfcomm_dlc_free(struct rfcomm_dlc * d)319 void rfcomm_dlc_free(struct rfcomm_dlc *d)
320 {
321 BT_DBG("%p", d);
322
323 skb_queue_purge(&d->tx_queue);
324 kfree(d);
325 }
326
rfcomm_dlc_link(struct rfcomm_session * s,struct rfcomm_dlc * d)327 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
328 {
329 BT_DBG("dlc %p session %p", d, s);
330
331 rfcomm_session_clear_timer(s);
332 rfcomm_dlc_hold(d);
333 list_add(&d->list, &s->dlcs);
334 d->session = s;
335 }
336
rfcomm_dlc_unlink(struct rfcomm_dlc * d)337 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
338 {
339 struct rfcomm_session *s = d->session;
340
341 BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
342
343 list_del(&d->list);
344 d->session = NULL;
345 rfcomm_dlc_put(d);
346
347 if (list_empty(&s->dlcs))
348 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
349 }
350
rfcomm_dlc_get(struct rfcomm_session * s,u8 dlci)351 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
352 {
353 struct rfcomm_dlc *d;
354
355 list_for_each_entry(d, &s->dlcs, list)
356 if (d->dlci == dlci)
357 return d;
358
359 return NULL;
360 }
361
__rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)362 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
363 {
364 struct rfcomm_session *s;
365 int err = 0;
366 u8 dlci;
367
368 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
369 d, d->state, src, dst, channel);
370
371 if (channel < 1 || channel > 30)
372 return -EINVAL;
373
374 if (d->state != BT_OPEN && d->state != BT_CLOSED)
375 return 0;
376
377 s = rfcomm_session_get(src, dst);
378 if (!s) {
379 s = rfcomm_session_create(src, dst, d->sec_level, &err);
380 if (!s)
381 return err;
382 }
383
384 dlci = __dlci(!s->initiator, channel);
385
386 /* Check if DLCI already exists */
387 if (rfcomm_dlc_get(s, dlci))
388 return -EBUSY;
389
390 rfcomm_dlc_clear_state(d);
391
392 d->dlci = dlci;
393 d->addr = __addr(s->initiator, dlci);
394 d->priority = 7;
395
396 d->state = BT_CONFIG;
397 rfcomm_dlc_link(s, d);
398
399 d->out = 1;
400
401 d->mtu = s->mtu;
402 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
403
404 if (s->state == BT_CONNECTED) {
405 if (rfcomm_check_security(d))
406 rfcomm_send_pn(s, 1, d);
407 else
408 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
409 }
410
411 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
412
413 return 0;
414 }
415
rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)416 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
417 {
418 int r;
419
420 rfcomm_lock();
421
422 r = __rfcomm_dlc_open(d, src, dst, channel);
423
424 rfcomm_unlock();
425 return r;
426 }
427
__rfcomm_dlc_close(struct rfcomm_dlc * d,int err)428 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
429 {
430 struct rfcomm_session *s = d->session;
431 if (!s)
432 return 0;
433
434 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
435 d, d->state, d->dlci, err, s);
436
437 switch (d->state) {
438 case BT_CONNECT:
439 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
440 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
441 rfcomm_schedule();
442 break;
443 }
444 /* Fall through */
445
446 case BT_CONNECTED:
447 d->state = BT_DISCONN;
448 if (skb_queue_empty(&d->tx_queue)) {
449 rfcomm_send_disc(s, d->dlci);
450 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
451 } else {
452 rfcomm_queue_disc(d);
453 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
454 }
455 break;
456
457 case BT_OPEN:
458 case BT_CONNECT2:
459 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
460 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
461 rfcomm_schedule();
462 break;
463 }
464 /* Fall through */
465
466 default:
467 rfcomm_dlc_clear_timer(d);
468
469 rfcomm_dlc_lock(d);
470 d->state = BT_CLOSED;
471 d->state_change(d, err);
472 rfcomm_dlc_unlock(d);
473
474 skb_queue_purge(&d->tx_queue);
475 rfcomm_dlc_unlink(d);
476 }
477
478 return 0;
479 }
480
rfcomm_dlc_close(struct rfcomm_dlc * d,int err)481 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
482 {
483 int r = 0;
484 struct rfcomm_dlc *d_list;
485 struct rfcomm_session *s, *s_list;
486
487 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
488
489 rfcomm_lock();
490
491 s = d->session;
492 if (!s)
493 goto no_session;
494
495 /* after waiting on the mutex check the session still exists
496 * then check the dlc still exists
497 */
498 list_for_each_entry(s_list, &session_list, list) {
499 if (s_list == s) {
500 list_for_each_entry(d_list, &s->dlcs, list) {
501 if (d_list == d) {
502 r = __rfcomm_dlc_close(d, err);
503 break;
504 }
505 }
506 break;
507 }
508 }
509
510 no_session:
511 rfcomm_unlock();
512 return r;
513 }
514
rfcomm_dlc_send(struct rfcomm_dlc * d,struct sk_buff * skb)515 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
516 {
517 int len = skb->len;
518
519 if (d->state != BT_CONNECTED)
520 return -ENOTCONN;
521
522 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
523
524 if (len > d->mtu)
525 return -EINVAL;
526
527 rfcomm_make_uih(skb, d->addr);
528 skb_queue_tail(&d->tx_queue, skb);
529
530 if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
531 rfcomm_schedule();
532 return len;
533 }
534
__rfcomm_dlc_throttle(struct rfcomm_dlc * d)535 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
536 {
537 BT_DBG("dlc %p state %ld", d, d->state);
538
539 if (!d->cfc) {
540 d->v24_sig |= RFCOMM_V24_FC;
541 set_bit(RFCOMM_MSC_PENDING, &d->flags);
542 }
543 rfcomm_schedule();
544 }
545
__rfcomm_dlc_unthrottle(struct rfcomm_dlc * d)546 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
547 {
548 BT_DBG("dlc %p state %ld", d, d->state);
549
550 if (!d->cfc) {
551 d->v24_sig &= ~RFCOMM_V24_FC;
552 set_bit(RFCOMM_MSC_PENDING, &d->flags);
553 }
554 rfcomm_schedule();
555 }
556
557 /*
558 Set/get modem status functions use _local_ status i.e. what we report
559 to the other side.
560 Remote status is provided by dlc->modem_status() callback.
561 */
rfcomm_dlc_set_modem_status(struct rfcomm_dlc * d,u8 v24_sig)562 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
563 {
564 BT_DBG("dlc %p state %ld v24_sig 0x%x",
565 d, d->state, v24_sig);
566
567 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
568 v24_sig |= RFCOMM_V24_FC;
569 else
570 v24_sig &= ~RFCOMM_V24_FC;
571
572 d->v24_sig = v24_sig;
573
574 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
575 rfcomm_schedule();
576
577 return 0;
578 }
579
rfcomm_dlc_get_modem_status(struct rfcomm_dlc * d,u8 * v24_sig)580 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
581 {
582 BT_DBG("dlc %p state %ld v24_sig 0x%x",
583 d, d->state, d->v24_sig);
584
585 *v24_sig = d->v24_sig;
586 return 0;
587 }
588
589 /* ---- RFCOMM sessions ---- */
rfcomm_session_add(struct socket * sock,int state)590 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
591 {
592 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
593
594 if (!s)
595 return NULL;
596
597 BT_DBG("session %p sock %p", s, sock);
598
599 setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
600
601 INIT_LIST_HEAD(&s->dlcs);
602 s->state = state;
603 s->sock = sock;
604
605 s->mtu = RFCOMM_DEFAULT_MTU;
606 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
607
608 /* Do not increment module usage count for listening sessions.
609 * Otherwise we won't be able to unload the module. */
610 if (state != BT_LISTEN)
611 if (!try_module_get(THIS_MODULE)) {
612 kfree(s);
613 return NULL;
614 }
615
616 list_add(&s->list, &session_list);
617
618 return s;
619 }
620
rfcomm_session_del(struct rfcomm_session * s)621 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
622 {
623 int state = s->state;
624
625 BT_DBG("session %p state %ld", s, s->state);
626
627 list_del(&s->list);
628
629 rfcomm_session_clear_timer(s);
630 sock_release(s->sock);
631 kfree(s);
632
633 if (state != BT_LISTEN)
634 module_put(THIS_MODULE);
635
636 return NULL;
637 }
638
rfcomm_session_get(bdaddr_t * src,bdaddr_t * dst)639 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
640 {
641 struct rfcomm_session *s;
642 struct list_head *p, *n;
643 struct bt_sock *sk;
644 list_for_each_safe(p, n, &session_list) {
645 s = list_entry(p, struct rfcomm_session, list);
646 sk = bt_sk(s->sock->sk);
647
648 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
649 !bacmp(&sk->dst, dst))
650 return s;
651 }
652 return NULL;
653 }
654
rfcomm_session_close(struct rfcomm_session * s,int err)655 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
656 int err)
657 {
658 struct rfcomm_dlc *d;
659 struct list_head *p, *n;
660
661 s->state = BT_CLOSED;
662
663 BT_DBG("session %p state %ld err %d", s, s->state, err);
664
665 /* Close all dlcs */
666 list_for_each_safe(p, n, &s->dlcs) {
667 d = list_entry(p, struct rfcomm_dlc, list);
668 d->state = BT_CLOSED;
669 __rfcomm_dlc_close(d, err);
670 }
671
672 rfcomm_session_clear_timer(s);
673 return rfcomm_session_del(s);
674 }
675
rfcomm_session_create(bdaddr_t * src,bdaddr_t * dst,u8 sec_level,int * err)676 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
677 bdaddr_t *dst,
678 u8 sec_level,
679 int *err)
680 {
681 struct rfcomm_session *s = NULL;
682 struct sockaddr_l2 addr;
683 struct socket *sock;
684 struct sock *sk;
685
686 BT_DBG("%pMR -> %pMR", src, dst);
687
688 *err = rfcomm_l2sock_create(&sock);
689 if (*err < 0)
690 return NULL;
691
692 bacpy(&addr.l2_bdaddr, src);
693 addr.l2_family = AF_BLUETOOTH;
694 addr.l2_psm = 0;
695 addr.l2_cid = 0;
696 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
697 if (*err < 0)
698 goto failed;
699
700 /* Set L2CAP options */
701 sk = sock->sk;
702 lock_sock(sk);
703 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
704 l2cap_pi(sk)->chan->sec_level = sec_level;
705 if (l2cap_ertm)
706 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
707 release_sock(sk);
708
709 s = rfcomm_session_add(sock, BT_BOUND);
710 if (!s) {
711 *err = -ENOMEM;
712 goto failed;
713 }
714
715 s->initiator = 1;
716
717 bacpy(&addr.l2_bdaddr, dst);
718 addr.l2_family = AF_BLUETOOTH;
719 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
720 addr.l2_cid = 0;
721 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
722 if (*err == 0 || *err == -EINPROGRESS)
723 return s;
724
725 return rfcomm_session_del(s);
726
727 failed:
728 sock_release(sock);
729 return NULL;
730 }
731
rfcomm_session_getaddr(struct rfcomm_session * s,bdaddr_t * src,bdaddr_t * dst)732 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
733 {
734 struct sock *sk = s->sock->sk;
735 if (src)
736 bacpy(src, &bt_sk(sk)->src);
737 if (dst)
738 bacpy(dst, &bt_sk(sk)->dst);
739 }
740
741 /* ---- RFCOMM frame sending ---- */
rfcomm_send_frame(struct rfcomm_session * s,u8 * data,int len)742 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
743 {
744 struct kvec iv = { data, len };
745 struct msghdr msg;
746
747 BT_DBG("session %p len %d", s, len);
748
749 memset(&msg, 0, sizeof(msg));
750
751 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
752 }
753
rfcomm_send_cmd(struct rfcomm_session * s,struct rfcomm_cmd * cmd)754 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
755 {
756 BT_DBG("%p cmd %u", s, cmd->ctrl);
757
758 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
759 }
760
rfcomm_send_sabm(struct rfcomm_session * s,u8 dlci)761 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
762 {
763 struct rfcomm_cmd cmd;
764
765 BT_DBG("%p dlci %d", s, dlci);
766
767 cmd.addr = __addr(s->initiator, dlci);
768 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
769 cmd.len = __len8(0);
770 cmd.fcs = __fcs2((u8 *) &cmd);
771
772 return rfcomm_send_cmd(s, &cmd);
773 }
774
rfcomm_send_ua(struct rfcomm_session * s,u8 dlci)775 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
776 {
777 struct rfcomm_cmd cmd;
778
779 BT_DBG("%p dlci %d", s, dlci);
780
781 cmd.addr = __addr(!s->initiator, dlci);
782 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
783 cmd.len = __len8(0);
784 cmd.fcs = __fcs2((u8 *) &cmd);
785
786 return rfcomm_send_cmd(s, &cmd);
787 }
788
rfcomm_send_disc(struct rfcomm_session * s,u8 dlci)789 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
790 {
791 struct rfcomm_cmd cmd;
792
793 BT_DBG("%p dlci %d", s, dlci);
794
795 cmd.addr = __addr(s->initiator, dlci);
796 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
797 cmd.len = __len8(0);
798 cmd.fcs = __fcs2((u8 *) &cmd);
799
800 return rfcomm_send_cmd(s, &cmd);
801 }
802
rfcomm_queue_disc(struct rfcomm_dlc * d)803 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
804 {
805 struct rfcomm_cmd *cmd;
806 struct sk_buff *skb;
807
808 BT_DBG("dlc %p dlci %d", d, d->dlci);
809
810 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
811 if (!skb)
812 return -ENOMEM;
813
814 cmd = (void *) __skb_put(skb, sizeof(*cmd));
815 cmd->addr = d->addr;
816 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
817 cmd->len = __len8(0);
818 cmd->fcs = __fcs2((u8 *) cmd);
819
820 skb_queue_tail(&d->tx_queue, skb);
821 rfcomm_schedule();
822 return 0;
823 }
824
rfcomm_send_dm(struct rfcomm_session * s,u8 dlci)825 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
826 {
827 struct rfcomm_cmd cmd;
828
829 BT_DBG("%p dlci %d", s, dlci);
830
831 cmd.addr = __addr(!s->initiator, dlci);
832 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
833 cmd.len = __len8(0);
834 cmd.fcs = __fcs2((u8 *) &cmd);
835
836 return rfcomm_send_cmd(s, &cmd);
837 }
838
rfcomm_send_nsc(struct rfcomm_session * s,int cr,u8 type)839 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
840 {
841 struct rfcomm_hdr *hdr;
842 struct rfcomm_mcc *mcc;
843 u8 buf[16], *ptr = buf;
844
845 BT_DBG("%p cr %d type %d", s, cr, type);
846
847 hdr = (void *) ptr; ptr += sizeof(*hdr);
848 hdr->addr = __addr(s->initiator, 0);
849 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
850 hdr->len = __len8(sizeof(*mcc) + 1);
851
852 mcc = (void *) ptr; ptr += sizeof(*mcc);
853 mcc->type = __mcc_type(cr, RFCOMM_NSC);
854 mcc->len = __len8(1);
855
856 /* Type that we didn't like */
857 *ptr = __mcc_type(cr, type); ptr++;
858
859 *ptr = __fcs(buf); ptr++;
860
861 return rfcomm_send_frame(s, buf, ptr - buf);
862 }
863
rfcomm_send_pn(struct rfcomm_session * s,int cr,struct rfcomm_dlc * d)864 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
865 {
866 struct rfcomm_hdr *hdr;
867 struct rfcomm_mcc *mcc;
868 struct rfcomm_pn *pn;
869 u8 buf[16], *ptr = buf;
870
871 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
872
873 hdr = (void *) ptr; ptr += sizeof(*hdr);
874 hdr->addr = __addr(s->initiator, 0);
875 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
876 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
877
878 mcc = (void *) ptr; ptr += sizeof(*mcc);
879 mcc->type = __mcc_type(cr, RFCOMM_PN);
880 mcc->len = __len8(sizeof(*pn));
881
882 pn = (void *) ptr; ptr += sizeof(*pn);
883 pn->dlci = d->dlci;
884 pn->priority = d->priority;
885 pn->ack_timer = 0;
886 pn->max_retrans = 0;
887
888 if (s->cfc) {
889 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
890 pn->credits = RFCOMM_DEFAULT_CREDITS;
891 } else {
892 pn->flow_ctrl = 0;
893 pn->credits = 0;
894 }
895
896 if (cr && channel_mtu >= 0)
897 pn->mtu = cpu_to_le16(channel_mtu);
898 else
899 pn->mtu = cpu_to_le16(d->mtu);
900
901 *ptr = __fcs(buf); ptr++;
902
903 return rfcomm_send_frame(s, buf, ptr - buf);
904 }
905
rfcomm_send_rpn(struct rfcomm_session * s,int cr,u8 dlci,u8 bit_rate,u8 data_bits,u8 stop_bits,u8 parity,u8 flow_ctrl_settings,u8 xon_char,u8 xoff_char,u16 param_mask)906 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
907 u8 bit_rate, u8 data_bits, u8 stop_bits,
908 u8 parity, u8 flow_ctrl_settings,
909 u8 xon_char, u8 xoff_char, u16 param_mask)
910 {
911 struct rfcomm_hdr *hdr;
912 struct rfcomm_mcc *mcc;
913 struct rfcomm_rpn *rpn;
914 u8 buf[16], *ptr = buf;
915
916 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
917 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
918 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
919 flow_ctrl_settings, xon_char, xoff_char, param_mask);
920
921 hdr = (void *) ptr; ptr += sizeof(*hdr);
922 hdr->addr = __addr(s->initiator, 0);
923 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
924 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
925
926 mcc = (void *) ptr; ptr += sizeof(*mcc);
927 mcc->type = __mcc_type(cr, RFCOMM_RPN);
928 mcc->len = __len8(sizeof(*rpn));
929
930 rpn = (void *) ptr; ptr += sizeof(*rpn);
931 rpn->dlci = __addr(1, dlci);
932 rpn->bit_rate = bit_rate;
933 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
934 rpn->flow_ctrl = flow_ctrl_settings;
935 rpn->xon_char = xon_char;
936 rpn->xoff_char = xoff_char;
937 rpn->param_mask = cpu_to_le16(param_mask);
938
939 *ptr = __fcs(buf); ptr++;
940
941 return rfcomm_send_frame(s, buf, ptr - buf);
942 }
943
rfcomm_send_rls(struct rfcomm_session * s,int cr,u8 dlci,u8 status)944 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
945 {
946 struct rfcomm_hdr *hdr;
947 struct rfcomm_mcc *mcc;
948 struct rfcomm_rls *rls;
949 u8 buf[16], *ptr = buf;
950
951 BT_DBG("%p cr %d status 0x%x", s, cr, status);
952
953 hdr = (void *) ptr; ptr += sizeof(*hdr);
954 hdr->addr = __addr(s->initiator, 0);
955 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
956 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
957
958 mcc = (void *) ptr; ptr += sizeof(*mcc);
959 mcc->type = __mcc_type(cr, RFCOMM_RLS);
960 mcc->len = __len8(sizeof(*rls));
961
962 rls = (void *) ptr; ptr += sizeof(*rls);
963 rls->dlci = __addr(1, dlci);
964 rls->status = status;
965
966 *ptr = __fcs(buf); ptr++;
967
968 return rfcomm_send_frame(s, buf, ptr - buf);
969 }
970
rfcomm_send_msc(struct rfcomm_session * s,int cr,u8 dlci,u8 v24_sig)971 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
972 {
973 struct rfcomm_hdr *hdr;
974 struct rfcomm_mcc *mcc;
975 struct rfcomm_msc *msc;
976 u8 buf[16], *ptr = buf;
977
978 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
979
980 hdr = (void *) ptr; ptr += sizeof(*hdr);
981 hdr->addr = __addr(s->initiator, 0);
982 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
983 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
984
985 mcc = (void *) ptr; ptr += sizeof(*mcc);
986 mcc->type = __mcc_type(cr, RFCOMM_MSC);
987 mcc->len = __len8(sizeof(*msc));
988
989 msc = (void *) ptr; ptr += sizeof(*msc);
990 msc->dlci = __addr(1, dlci);
991 msc->v24_sig = v24_sig | 0x01;
992
993 *ptr = __fcs(buf); ptr++;
994
995 return rfcomm_send_frame(s, buf, ptr - buf);
996 }
997
rfcomm_send_fcoff(struct rfcomm_session * s,int cr)998 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
999 {
1000 struct rfcomm_hdr *hdr;
1001 struct rfcomm_mcc *mcc;
1002 u8 buf[16], *ptr = buf;
1003
1004 BT_DBG("%p cr %d", s, cr);
1005
1006 hdr = (void *) ptr; ptr += sizeof(*hdr);
1007 hdr->addr = __addr(s->initiator, 0);
1008 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1009 hdr->len = __len8(sizeof(*mcc));
1010
1011 mcc = (void *) ptr; ptr += sizeof(*mcc);
1012 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1013 mcc->len = __len8(0);
1014
1015 *ptr = __fcs(buf); ptr++;
1016
1017 return rfcomm_send_frame(s, buf, ptr - buf);
1018 }
1019
rfcomm_send_fcon(struct rfcomm_session * s,int cr)1020 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1021 {
1022 struct rfcomm_hdr *hdr;
1023 struct rfcomm_mcc *mcc;
1024 u8 buf[16], *ptr = buf;
1025
1026 BT_DBG("%p cr %d", s, cr);
1027
1028 hdr = (void *) ptr; ptr += sizeof(*hdr);
1029 hdr->addr = __addr(s->initiator, 0);
1030 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1031 hdr->len = __len8(sizeof(*mcc));
1032
1033 mcc = (void *) ptr; ptr += sizeof(*mcc);
1034 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1035 mcc->len = __len8(0);
1036
1037 *ptr = __fcs(buf); ptr++;
1038
1039 return rfcomm_send_frame(s, buf, ptr - buf);
1040 }
1041
rfcomm_send_test(struct rfcomm_session * s,int cr,u8 * pattern,int len)1042 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1043 {
1044 struct socket *sock = s->sock;
1045 struct kvec iv[3];
1046 struct msghdr msg;
1047 unsigned char hdr[5], crc[1];
1048
1049 if (len > 125)
1050 return -EINVAL;
1051
1052 BT_DBG("%p cr %d", s, cr);
1053
1054 hdr[0] = __addr(s->initiator, 0);
1055 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1056 hdr[2] = 0x01 | ((len + 2) << 1);
1057 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1058 hdr[4] = 0x01 | (len << 1);
1059
1060 crc[0] = __fcs(hdr);
1061
1062 iv[0].iov_base = hdr;
1063 iv[0].iov_len = 5;
1064 iv[1].iov_base = pattern;
1065 iv[1].iov_len = len;
1066 iv[2].iov_base = crc;
1067 iv[2].iov_len = 1;
1068
1069 memset(&msg, 0, sizeof(msg));
1070
1071 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1072 }
1073
rfcomm_send_credits(struct rfcomm_session * s,u8 addr,u8 credits)1074 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1075 {
1076 struct rfcomm_hdr *hdr;
1077 u8 buf[16], *ptr = buf;
1078
1079 BT_DBG("%p addr %d credits %d", s, addr, credits);
1080
1081 hdr = (void *) ptr; ptr += sizeof(*hdr);
1082 hdr->addr = addr;
1083 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1084 hdr->len = __len8(0);
1085
1086 *ptr = credits; ptr++;
1087
1088 *ptr = __fcs(buf); ptr++;
1089
1090 return rfcomm_send_frame(s, buf, ptr - buf);
1091 }
1092
rfcomm_make_uih(struct sk_buff * skb,u8 addr)1093 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1094 {
1095 struct rfcomm_hdr *hdr;
1096 int len = skb->len;
1097 u8 *crc;
1098
1099 if (len > 127) {
1100 hdr = (void *) skb_push(skb, 4);
1101 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1102 } else {
1103 hdr = (void *) skb_push(skb, 3);
1104 hdr->len = __len8(len);
1105 }
1106 hdr->addr = addr;
1107 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1108
1109 crc = skb_put(skb, 1);
1110 *crc = __fcs((void *) hdr);
1111 }
1112
1113 /* ---- RFCOMM frame reception ---- */
rfcomm_recv_ua(struct rfcomm_session * s,u8 dlci)1114 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1115 {
1116 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1117
1118 if (dlci) {
1119 /* Data channel */
1120 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1121 if (!d) {
1122 rfcomm_send_dm(s, dlci);
1123 return s;
1124 }
1125
1126 switch (d->state) {
1127 case BT_CONNECT:
1128 rfcomm_dlc_clear_timer(d);
1129
1130 rfcomm_dlc_lock(d);
1131 d->state = BT_CONNECTED;
1132 d->state_change(d, 0);
1133 rfcomm_dlc_unlock(d);
1134
1135 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1136 break;
1137
1138 case BT_DISCONN:
1139 d->state = BT_CLOSED;
1140 __rfcomm_dlc_close(d, 0);
1141
1142 if (list_empty(&s->dlcs)) {
1143 s->state = BT_DISCONN;
1144 rfcomm_send_disc(s, 0);
1145 rfcomm_session_clear_timer(s);
1146 }
1147
1148 break;
1149 }
1150 } else {
1151 /* Control channel */
1152 switch (s->state) {
1153 case BT_CONNECT:
1154 s->state = BT_CONNECTED;
1155 rfcomm_process_connect(s);
1156 break;
1157
1158 case BT_DISCONN:
1159 s = rfcomm_session_close(s, ECONNRESET);
1160 break;
1161 }
1162 }
1163 return s;
1164 }
1165
rfcomm_recv_dm(struct rfcomm_session * s,u8 dlci)1166 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1167 {
1168 int err = 0;
1169
1170 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1171
1172 if (dlci) {
1173 /* Data DLC */
1174 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1175 if (d) {
1176 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1177 err = ECONNREFUSED;
1178 else
1179 err = ECONNRESET;
1180
1181 d->state = BT_CLOSED;
1182 __rfcomm_dlc_close(d, err);
1183 }
1184 } else {
1185 if (s->state == BT_CONNECT)
1186 err = ECONNREFUSED;
1187 else
1188 err = ECONNRESET;
1189
1190 s = rfcomm_session_close(s, err);
1191 }
1192 return s;
1193 }
1194
rfcomm_recv_disc(struct rfcomm_session * s,u8 dlci)1195 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1196 u8 dlci)
1197 {
1198 int err = 0;
1199
1200 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1201
1202 if (dlci) {
1203 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1204 if (d) {
1205 rfcomm_send_ua(s, dlci);
1206
1207 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1208 err = ECONNREFUSED;
1209 else
1210 err = ECONNRESET;
1211
1212 d->state = BT_CLOSED;
1213 __rfcomm_dlc_close(d, err);
1214 } else
1215 rfcomm_send_dm(s, dlci);
1216
1217 } else {
1218 rfcomm_send_ua(s, 0);
1219
1220 if (s->state == BT_CONNECT)
1221 err = ECONNREFUSED;
1222 else
1223 err = ECONNRESET;
1224
1225 s = rfcomm_session_close(s, err);
1226 }
1227 return s;
1228 }
1229
rfcomm_dlc_accept(struct rfcomm_dlc * d)1230 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1231 {
1232 struct sock *sk = d->session->sock->sk;
1233 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1234
1235 BT_DBG("dlc %p", d);
1236
1237 rfcomm_send_ua(d->session, d->dlci);
1238
1239 rfcomm_dlc_clear_timer(d);
1240
1241 rfcomm_dlc_lock(d);
1242 d->state = BT_CONNECTED;
1243 d->state_change(d, 0);
1244 rfcomm_dlc_unlock(d);
1245
1246 if (d->role_switch)
1247 hci_conn_switch_role(conn->hcon, 0x00);
1248
1249 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1250 }
1251
rfcomm_check_accept(struct rfcomm_dlc * d)1252 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1253 {
1254 if (rfcomm_check_security(d)) {
1255 if (d->defer_setup) {
1256 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1257 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1258
1259 rfcomm_dlc_lock(d);
1260 d->state = BT_CONNECT2;
1261 d->state_change(d, 0);
1262 rfcomm_dlc_unlock(d);
1263 } else
1264 rfcomm_dlc_accept(d);
1265 } else {
1266 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1267 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1268 }
1269 }
1270
rfcomm_recv_sabm(struct rfcomm_session * s,u8 dlci)1271 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1272 {
1273 struct rfcomm_dlc *d;
1274 u8 channel;
1275
1276 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1277
1278 if (!dlci) {
1279 rfcomm_send_ua(s, 0);
1280
1281 if (s->state == BT_OPEN) {
1282 s->state = BT_CONNECTED;
1283 rfcomm_process_connect(s);
1284 }
1285 return 0;
1286 }
1287
1288 /* Check if DLC exists */
1289 d = rfcomm_dlc_get(s, dlci);
1290 if (d) {
1291 if (d->state == BT_OPEN) {
1292 /* DLC was previously opened by PN request */
1293 rfcomm_check_accept(d);
1294 }
1295 return 0;
1296 }
1297
1298 /* Notify socket layer about incoming connection */
1299 channel = __srv_channel(dlci);
1300 if (rfcomm_connect_ind(s, channel, &d)) {
1301 d->dlci = dlci;
1302 d->addr = __addr(s->initiator, dlci);
1303 rfcomm_dlc_link(s, d);
1304
1305 rfcomm_check_accept(d);
1306 } else {
1307 rfcomm_send_dm(s, dlci);
1308 }
1309
1310 return 0;
1311 }
1312
rfcomm_apply_pn(struct rfcomm_dlc * d,int cr,struct rfcomm_pn * pn)1313 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1314 {
1315 struct rfcomm_session *s = d->session;
1316
1317 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1318 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1319
1320 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1321 pn->flow_ctrl == 0xe0) {
1322 d->cfc = RFCOMM_CFC_ENABLED;
1323 d->tx_credits = pn->credits;
1324 } else {
1325 d->cfc = RFCOMM_CFC_DISABLED;
1326 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1327 }
1328
1329 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1330 s->cfc = d->cfc;
1331
1332 d->priority = pn->priority;
1333
1334 d->mtu = __le16_to_cpu(pn->mtu);
1335
1336 if (cr && d->mtu > s->mtu)
1337 d->mtu = s->mtu;
1338
1339 return 0;
1340 }
1341
rfcomm_recv_pn(struct rfcomm_session * s,int cr,struct sk_buff * skb)1342 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1343 {
1344 struct rfcomm_pn *pn = (void *) skb->data;
1345 struct rfcomm_dlc *d;
1346 u8 dlci = pn->dlci;
1347
1348 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1349
1350 if (!dlci)
1351 return 0;
1352
1353 d = rfcomm_dlc_get(s, dlci);
1354 if (d) {
1355 if (cr) {
1356 /* PN request */
1357 rfcomm_apply_pn(d, cr, pn);
1358 rfcomm_send_pn(s, 0, d);
1359 } else {
1360 /* PN response */
1361 switch (d->state) {
1362 case BT_CONFIG:
1363 rfcomm_apply_pn(d, cr, pn);
1364
1365 d->state = BT_CONNECT;
1366 rfcomm_send_sabm(s, d->dlci);
1367 break;
1368 }
1369 }
1370 } else {
1371 u8 channel = __srv_channel(dlci);
1372
1373 if (!cr)
1374 return 0;
1375
1376 /* PN request for non existing DLC.
1377 * Assume incoming connection. */
1378 if (rfcomm_connect_ind(s, channel, &d)) {
1379 d->dlci = dlci;
1380 d->addr = __addr(s->initiator, dlci);
1381 rfcomm_dlc_link(s, d);
1382
1383 rfcomm_apply_pn(d, cr, pn);
1384
1385 d->state = BT_OPEN;
1386 rfcomm_send_pn(s, 0, d);
1387 } else {
1388 rfcomm_send_dm(s, dlci);
1389 }
1390 }
1391 return 0;
1392 }
1393
rfcomm_recv_rpn(struct rfcomm_session * s,int cr,int len,struct sk_buff * skb)1394 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1395 {
1396 struct rfcomm_rpn *rpn = (void *) skb->data;
1397 u8 dlci = __get_dlci(rpn->dlci);
1398
1399 u8 bit_rate = 0;
1400 u8 data_bits = 0;
1401 u8 stop_bits = 0;
1402 u8 parity = 0;
1403 u8 flow_ctrl = 0;
1404 u8 xon_char = 0;
1405 u8 xoff_char = 0;
1406 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1407
1408 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1409 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1410 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1411
1412 if (!cr)
1413 return 0;
1414
1415 if (len == 1) {
1416 /* This is a request, return default (according to ETSI TS 07.10) settings */
1417 bit_rate = RFCOMM_RPN_BR_9600;
1418 data_bits = RFCOMM_RPN_DATA_8;
1419 stop_bits = RFCOMM_RPN_STOP_1;
1420 parity = RFCOMM_RPN_PARITY_NONE;
1421 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1422 xon_char = RFCOMM_RPN_XON_CHAR;
1423 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1424 goto rpn_out;
1425 }
1426
1427 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1428 * no parity, no flow control lines, normal XON/XOFF chars */
1429
1430 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1431 bit_rate = rpn->bit_rate;
1432 if (bit_rate > RFCOMM_RPN_BR_230400) {
1433 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1434 bit_rate = RFCOMM_RPN_BR_9600;
1435 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1436 }
1437 }
1438
1439 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1440 data_bits = __get_rpn_data_bits(rpn->line_settings);
1441 if (data_bits != RFCOMM_RPN_DATA_8) {
1442 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1443 data_bits = RFCOMM_RPN_DATA_8;
1444 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1445 }
1446 }
1447
1448 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1449 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1450 if (stop_bits != RFCOMM_RPN_STOP_1) {
1451 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1452 stop_bits = RFCOMM_RPN_STOP_1;
1453 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1454 }
1455 }
1456
1457 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1458 parity = __get_rpn_parity(rpn->line_settings);
1459 if (parity != RFCOMM_RPN_PARITY_NONE) {
1460 BT_DBG("RPN parity mismatch 0x%x", parity);
1461 parity = RFCOMM_RPN_PARITY_NONE;
1462 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1463 }
1464 }
1465
1466 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1467 flow_ctrl = rpn->flow_ctrl;
1468 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1469 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1470 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1471 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1472 }
1473 }
1474
1475 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1476 xon_char = rpn->xon_char;
1477 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1478 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1479 xon_char = RFCOMM_RPN_XON_CHAR;
1480 rpn_mask ^= RFCOMM_RPN_PM_XON;
1481 }
1482 }
1483
1484 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1485 xoff_char = rpn->xoff_char;
1486 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1487 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1488 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1489 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1490 }
1491 }
1492
1493 rpn_out:
1494 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1495 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1496
1497 return 0;
1498 }
1499
rfcomm_recv_rls(struct rfcomm_session * s,int cr,struct sk_buff * skb)1500 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1501 {
1502 struct rfcomm_rls *rls = (void *) skb->data;
1503 u8 dlci = __get_dlci(rls->dlci);
1504
1505 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1506
1507 if (!cr)
1508 return 0;
1509
1510 /* We should probably do something with this information here. But
1511 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1512 * mandatory to recognise and respond to RLS */
1513
1514 rfcomm_send_rls(s, 0, dlci, rls->status);
1515
1516 return 0;
1517 }
1518
rfcomm_recv_msc(struct rfcomm_session * s,int cr,struct sk_buff * skb)1519 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1520 {
1521 struct rfcomm_msc *msc = (void *) skb->data;
1522 struct rfcomm_dlc *d;
1523 u8 dlci = __get_dlci(msc->dlci);
1524
1525 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1526
1527 d = rfcomm_dlc_get(s, dlci);
1528 if (!d)
1529 return 0;
1530
1531 if (cr) {
1532 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1533 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1534 else
1535 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1536
1537 rfcomm_dlc_lock(d);
1538
1539 d->remote_v24_sig = msc->v24_sig;
1540
1541 if (d->modem_status)
1542 d->modem_status(d, msc->v24_sig);
1543
1544 rfcomm_dlc_unlock(d);
1545
1546 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1547
1548 d->mscex |= RFCOMM_MSCEX_RX;
1549 } else
1550 d->mscex |= RFCOMM_MSCEX_TX;
1551
1552 return 0;
1553 }
1554
rfcomm_recv_mcc(struct rfcomm_session * s,struct sk_buff * skb)1555 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1556 {
1557 struct rfcomm_mcc *mcc = (void *) skb->data;
1558 u8 type, cr, len;
1559
1560 cr = __test_cr(mcc->type);
1561 type = __get_mcc_type(mcc->type);
1562 len = __get_mcc_len(mcc->len);
1563
1564 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1565
1566 skb_pull(skb, 2);
1567
1568 switch (type) {
1569 case RFCOMM_PN:
1570 rfcomm_recv_pn(s, cr, skb);
1571 break;
1572
1573 case RFCOMM_RPN:
1574 rfcomm_recv_rpn(s, cr, len, skb);
1575 break;
1576
1577 case RFCOMM_RLS:
1578 rfcomm_recv_rls(s, cr, skb);
1579 break;
1580
1581 case RFCOMM_MSC:
1582 rfcomm_recv_msc(s, cr, skb);
1583 break;
1584
1585 case RFCOMM_FCOFF:
1586 if (cr) {
1587 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1588 rfcomm_send_fcoff(s, 0);
1589 }
1590 break;
1591
1592 case RFCOMM_FCON:
1593 if (cr) {
1594 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1595 rfcomm_send_fcon(s, 0);
1596 }
1597 break;
1598
1599 case RFCOMM_TEST:
1600 if (cr)
1601 rfcomm_send_test(s, 0, skb->data, skb->len);
1602 break;
1603
1604 case RFCOMM_NSC:
1605 break;
1606
1607 default:
1608 BT_ERR("Unknown control type 0x%02x", type);
1609 rfcomm_send_nsc(s, cr, type);
1610 break;
1611 }
1612 return 0;
1613 }
1614
rfcomm_recv_data(struct rfcomm_session * s,u8 dlci,int pf,struct sk_buff * skb)1615 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1616 {
1617 struct rfcomm_dlc *d;
1618
1619 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1620
1621 d = rfcomm_dlc_get(s, dlci);
1622 if (!d) {
1623 rfcomm_send_dm(s, dlci);
1624 goto drop;
1625 }
1626
1627 if (pf && d->cfc) {
1628 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1629
1630 d->tx_credits += credits;
1631 if (d->tx_credits)
1632 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1633 }
1634
1635 if (skb->len && d->state == BT_CONNECTED) {
1636 rfcomm_dlc_lock(d);
1637 d->rx_credits--;
1638 d->data_ready(d, skb);
1639 rfcomm_dlc_unlock(d);
1640 return 0;
1641 }
1642
1643 drop:
1644 kfree_skb(skb);
1645 return 0;
1646 }
1647
rfcomm_recv_frame(struct rfcomm_session * s,struct sk_buff * skb)1648 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1649 struct sk_buff *skb)
1650 {
1651 struct rfcomm_hdr *hdr = (void *) skb->data;
1652 u8 type, dlci, fcs;
1653
1654 if (!s) {
1655 /* no session, so free socket data */
1656 kfree_skb(skb);
1657 return s;
1658 }
1659
1660 dlci = __get_dlci(hdr->addr);
1661 type = __get_type(hdr->ctrl);
1662
1663 /* Trim FCS */
1664 skb->len--; skb->tail--;
1665 fcs = *(u8 *)skb_tail_pointer(skb);
1666
1667 if (__check_fcs(skb->data, type, fcs)) {
1668 BT_ERR("bad checksum in packet");
1669 kfree_skb(skb);
1670 return s;
1671 }
1672
1673 if (__test_ea(hdr->len))
1674 skb_pull(skb, 3);
1675 else
1676 skb_pull(skb, 4);
1677
1678 switch (type) {
1679 case RFCOMM_SABM:
1680 if (__test_pf(hdr->ctrl))
1681 rfcomm_recv_sabm(s, dlci);
1682 break;
1683
1684 case RFCOMM_DISC:
1685 if (__test_pf(hdr->ctrl))
1686 s = rfcomm_recv_disc(s, dlci);
1687 break;
1688
1689 case RFCOMM_UA:
1690 if (__test_pf(hdr->ctrl))
1691 s = rfcomm_recv_ua(s, dlci);
1692 break;
1693
1694 case RFCOMM_DM:
1695 s = rfcomm_recv_dm(s, dlci);
1696 break;
1697
1698 case RFCOMM_UIH:
1699 if (dlci) {
1700 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1701 return s;
1702 }
1703 rfcomm_recv_mcc(s, skb);
1704 break;
1705
1706 default:
1707 BT_ERR("Unknown packet type 0x%02x", type);
1708 break;
1709 }
1710 kfree_skb(skb);
1711 return s;
1712 }
1713
1714 /* ---- Connection and data processing ---- */
1715
rfcomm_process_connect(struct rfcomm_session * s)1716 static void rfcomm_process_connect(struct rfcomm_session *s)
1717 {
1718 struct rfcomm_dlc *d;
1719 struct list_head *p, *n;
1720
1721 BT_DBG("session %p state %ld", s, s->state);
1722
1723 list_for_each_safe(p, n, &s->dlcs) {
1724 d = list_entry(p, struct rfcomm_dlc, list);
1725 if (d->state == BT_CONFIG) {
1726 d->mtu = s->mtu;
1727 if (rfcomm_check_security(d)) {
1728 rfcomm_send_pn(s, 1, d);
1729 } else {
1730 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1731 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1732 }
1733 }
1734 }
1735 }
1736
1737 /* Send data queued for the DLC.
1738 * Return number of frames left in the queue.
1739 */
rfcomm_process_tx(struct rfcomm_dlc * d)1740 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1741 {
1742 struct sk_buff *skb;
1743 int err;
1744
1745 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1746 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1747
1748 /* Send pending MSC */
1749 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1750 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1751
1752 if (d->cfc) {
1753 /* CFC enabled.
1754 * Give them some credits */
1755 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1756 d->rx_credits <= (d->cfc >> 2)) {
1757 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1758 d->rx_credits = d->cfc;
1759 }
1760 } else {
1761 /* CFC disabled.
1762 * Give ourselves some credits */
1763 d->tx_credits = 5;
1764 }
1765
1766 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1767 return skb_queue_len(&d->tx_queue);
1768
1769 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1770 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1771 if (err < 0) {
1772 skb_queue_head(&d->tx_queue, skb);
1773 break;
1774 }
1775 kfree_skb(skb);
1776 d->tx_credits--;
1777 }
1778
1779 if (d->cfc && !d->tx_credits) {
1780 /* We're out of TX credits.
1781 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1782 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1783 }
1784
1785 return skb_queue_len(&d->tx_queue);
1786 }
1787
rfcomm_process_dlcs(struct rfcomm_session * s)1788 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1789 {
1790 struct rfcomm_dlc *d;
1791 struct list_head *p, *n;
1792
1793 BT_DBG("session %p state %ld", s, s->state);
1794
1795 list_for_each_safe(p, n, &s->dlcs) {
1796 d = list_entry(p, struct rfcomm_dlc, list);
1797
1798 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1799 __rfcomm_dlc_close(d, ETIMEDOUT);
1800 continue;
1801 }
1802
1803 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1804 __rfcomm_dlc_close(d, ECONNREFUSED);
1805 continue;
1806 }
1807
1808 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1809 rfcomm_dlc_clear_timer(d);
1810 if (d->out) {
1811 rfcomm_send_pn(s, 1, d);
1812 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1813 } else {
1814 if (d->defer_setup) {
1815 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1816 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1817
1818 rfcomm_dlc_lock(d);
1819 d->state = BT_CONNECT2;
1820 d->state_change(d, 0);
1821 rfcomm_dlc_unlock(d);
1822 } else
1823 rfcomm_dlc_accept(d);
1824 }
1825 continue;
1826 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1827 rfcomm_dlc_clear_timer(d);
1828 if (!d->out)
1829 rfcomm_send_dm(s, d->dlci);
1830 else
1831 d->state = BT_CLOSED;
1832 __rfcomm_dlc_close(d, ECONNREFUSED);
1833 continue;
1834 }
1835
1836 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1837 continue;
1838
1839 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1840 continue;
1841
1842 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1843 d->mscex == RFCOMM_MSCEX_OK)
1844 rfcomm_process_tx(d);
1845 }
1846 }
1847
rfcomm_process_rx(struct rfcomm_session * s)1848 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1849 {
1850 struct socket *sock = s->sock;
1851 struct sock *sk = sock->sk;
1852 struct sk_buff *skb;
1853
1854 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1855
1856 /* Get data directly from socket receive queue without copying it. */
1857 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1858 skb_orphan(skb);
1859 if (!skb_linearize(skb))
1860 s = rfcomm_recv_frame(s, skb);
1861 else
1862 kfree_skb(skb);
1863 }
1864
1865 if (s && (sk->sk_state == BT_CLOSED))
1866 s = rfcomm_session_close(s, sk->sk_err);
1867
1868 return s;
1869 }
1870
rfcomm_accept_connection(struct rfcomm_session * s)1871 static void rfcomm_accept_connection(struct rfcomm_session *s)
1872 {
1873 struct socket *sock = s->sock, *nsock;
1874 int err;
1875
1876 /* Fast check for a new connection.
1877 * Avoids unnesesary socket allocations. */
1878 if (list_empty(&bt_sk(sock->sk)->accept_q))
1879 return;
1880
1881 BT_DBG("session %p", s);
1882
1883 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1884 if (err < 0)
1885 return;
1886
1887 /* Set our callbacks */
1888 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1889 nsock->sk->sk_state_change = rfcomm_l2state_change;
1890
1891 s = rfcomm_session_add(nsock, BT_OPEN);
1892 if (s) {
1893 /* We should adjust MTU on incoming sessions.
1894 * L2CAP MTU minus UIH header and FCS. */
1895 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1896 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1897
1898 rfcomm_schedule();
1899 } else
1900 sock_release(nsock);
1901 }
1902
rfcomm_check_connection(struct rfcomm_session * s)1903 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1904 {
1905 struct sock *sk = s->sock->sk;
1906
1907 BT_DBG("%p state %ld", s, s->state);
1908
1909 switch (sk->sk_state) {
1910 case BT_CONNECTED:
1911 s->state = BT_CONNECT;
1912
1913 /* We can adjust MTU on outgoing sessions.
1914 * L2CAP MTU minus UIH header and FCS. */
1915 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1916
1917 rfcomm_send_sabm(s, 0);
1918 break;
1919
1920 case BT_CLOSED:
1921 s = rfcomm_session_close(s, sk->sk_err);
1922 break;
1923 }
1924 return s;
1925 }
1926
rfcomm_process_sessions(void)1927 static void rfcomm_process_sessions(void)
1928 {
1929 struct list_head *p, *n;
1930
1931 rfcomm_lock();
1932
1933 list_for_each_safe(p, n, &session_list) {
1934 struct rfcomm_session *s;
1935 s = list_entry(p, struct rfcomm_session, list);
1936
1937 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1938 s->state = BT_DISCONN;
1939 rfcomm_send_disc(s, 0);
1940 continue;
1941 }
1942
1943 if (s->state == BT_LISTEN) {
1944 rfcomm_accept_connection(s);
1945 continue;
1946 }
1947
1948 switch (s->state) {
1949 case BT_BOUND:
1950 s = rfcomm_check_connection(s);
1951 break;
1952
1953 default:
1954 s = rfcomm_process_rx(s);
1955 break;
1956 }
1957
1958 if (s)
1959 rfcomm_process_dlcs(s);
1960 }
1961
1962 rfcomm_unlock();
1963 }
1964
rfcomm_add_listener(bdaddr_t * ba)1965 static int rfcomm_add_listener(bdaddr_t *ba)
1966 {
1967 struct sockaddr_l2 addr;
1968 struct socket *sock;
1969 struct sock *sk;
1970 struct rfcomm_session *s;
1971 int err = 0;
1972
1973 /* Create socket */
1974 err = rfcomm_l2sock_create(&sock);
1975 if (err < 0) {
1976 BT_ERR("Create socket failed %d", err);
1977 return err;
1978 }
1979
1980 /* Bind socket */
1981 bacpy(&addr.l2_bdaddr, ba);
1982 addr.l2_family = AF_BLUETOOTH;
1983 addr.l2_psm = __constant_cpu_to_le16(RFCOMM_PSM);
1984 addr.l2_cid = 0;
1985 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1986 if (err < 0) {
1987 BT_ERR("Bind failed %d", err);
1988 goto failed;
1989 }
1990
1991 /* Set L2CAP options */
1992 sk = sock->sk;
1993 lock_sock(sk);
1994 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1995 release_sock(sk);
1996
1997 /* Start listening on the socket */
1998 err = kernel_listen(sock, 10);
1999 if (err) {
2000 BT_ERR("Listen failed %d", err);
2001 goto failed;
2002 }
2003
2004 /* Add listening session */
2005 s = rfcomm_session_add(sock, BT_LISTEN);
2006 if (!s) {
2007 err = -ENOMEM;
2008 goto failed;
2009 }
2010
2011 return 0;
2012 failed:
2013 sock_release(sock);
2014 return err;
2015 }
2016
rfcomm_kill_listener(void)2017 static void rfcomm_kill_listener(void)
2018 {
2019 struct rfcomm_session *s;
2020 struct list_head *p, *n;
2021
2022 BT_DBG("");
2023
2024 list_for_each_safe(p, n, &session_list) {
2025 s = list_entry(p, struct rfcomm_session, list);
2026 rfcomm_session_del(s);
2027 }
2028 }
2029
rfcomm_run(void * unused)2030 static int rfcomm_run(void *unused)
2031 {
2032 BT_DBG("");
2033
2034 set_user_nice(current, -10);
2035
2036 rfcomm_add_listener(BDADDR_ANY);
2037
2038 while (1) {
2039 set_current_state(TASK_INTERRUPTIBLE);
2040
2041 if (kthread_should_stop())
2042 break;
2043
2044 /* Process stuff */
2045 rfcomm_process_sessions();
2046
2047 schedule();
2048 }
2049 __set_current_state(TASK_RUNNING);
2050
2051 rfcomm_kill_listener();
2052
2053 return 0;
2054 }
2055
rfcomm_security_cfm(struct hci_conn * conn,u8 status,u8 encrypt)2056 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2057 {
2058 struct rfcomm_session *s;
2059 struct rfcomm_dlc *d;
2060 struct list_head *p, *n;
2061
2062 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2063
2064 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2065 if (!s)
2066 return;
2067
2068 list_for_each_safe(p, n, &s->dlcs) {
2069 d = list_entry(p, struct rfcomm_dlc, list);
2070
2071 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2072 rfcomm_dlc_clear_timer(d);
2073 if (status || encrypt == 0x00) {
2074 set_bit(RFCOMM_ENC_DROP, &d->flags);
2075 continue;
2076 }
2077 }
2078
2079 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2080 if (d->sec_level == BT_SECURITY_MEDIUM) {
2081 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2082 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2083 continue;
2084 } else if (d->sec_level == BT_SECURITY_HIGH) {
2085 set_bit(RFCOMM_ENC_DROP, &d->flags);
2086 continue;
2087 }
2088 }
2089
2090 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2091 continue;
2092
2093 if (!status && hci_conn_check_secure(conn, d->sec_level))
2094 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2095 else
2096 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2097 }
2098
2099 rfcomm_schedule();
2100 }
2101
2102 static struct hci_cb rfcomm_cb = {
2103 .name = "RFCOMM",
2104 .security_cfm = rfcomm_security_cfm
2105 };
2106
rfcomm_dlc_debugfs_show(struct seq_file * f,void * x)2107 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2108 {
2109 struct rfcomm_session *s;
2110
2111 rfcomm_lock();
2112
2113 list_for_each_entry(s, &session_list, list) {
2114 struct rfcomm_dlc *d;
2115 list_for_each_entry(d, &s->dlcs, list) {
2116 struct sock *sk = s->sock->sk;
2117
2118 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2119 &bt_sk(sk)->src, &bt_sk(sk)->dst,
2120 d->state, d->dlci, d->mtu,
2121 d->rx_credits, d->tx_credits);
2122 }
2123 }
2124
2125 rfcomm_unlock();
2126
2127 return 0;
2128 }
2129
rfcomm_dlc_debugfs_open(struct inode * inode,struct file * file)2130 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2131 {
2132 return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2133 }
2134
2135 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2136 .open = rfcomm_dlc_debugfs_open,
2137 .read = seq_read,
2138 .llseek = seq_lseek,
2139 .release = single_release,
2140 };
2141
2142 static struct dentry *rfcomm_dlc_debugfs;
2143
2144 /* ---- Initialization ---- */
rfcomm_init(void)2145 static int __init rfcomm_init(void)
2146 {
2147 int err;
2148
2149 hci_register_cb(&rfcomm_cb);
2150
2151 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2152 if (IS_ERR(rfcomm_thread)) {
2153 err = PTR_ERR(rfcomm_thread);
2154 goto unregister;
2155 }
2156
2157 if (bt_debugfs) {
2158 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2159 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2160 if (!rfcomm_dlc_debugfs)
2161 BT_ERR("Failed to create RFCOMM debug file");
2162 }
2163
2164 err = rfcomm_init_ttys();
2165 if (err < 0)
2166 goto stop;
2167
2168 err = rfcomm_init_sockets();
2169 if (err < 0)
2170 goto cleanup;
2171
2172 BT_INFO("RFCOMM ver %s", VERSION);
2173
2174 return 0;
2175
2176 cleanup:
2177 rfcomm_cleanup_ttys();
2178
2179 stop:
2180 kthread_stop(rfcomm_thread);
2181
2182 unregister:
2183 hci_unregister_cb(&rfcomm_cb);
2184
2185 return err;
2186 }
2187
rfcomm_exit(void)2188 static void __exit rfcomm_exit(void)
2189 {
2190 debugfs_remove(rfcomm_dlc_debugfs);
2191
2192 hci_unregister_cb(&rfcomm_cb);
2193
2194 kthread_stop(rfcomm_thread);
2195
2196 rfcomm_cleanup_ttys();
2197
2198 rfcomm_cleanup_sockets();
2199 }
2200
2201 module_init(rfcomm_init);
2202 module_exit(rfcomm_exit);
2203
2204 module_param(disable_cfc, bool, 0644);
2205 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2206
2207 module_param(channel_mtu, int, 0644);
2208 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2209
2210 module_param(l2cap_mtu, uint, 0644);
2211 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2212
2213 module_param(l2cap_ertm, bool, 0644);
2214 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2215
2216 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2217 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2218 MODULE_VERSION(VERSION);
2219 MODULE_LICENSE("GPL");
2220 MODULE_ALIAS("bt-proto-3");
2221