1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
9
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25 * Bluetooth RFCOMM core.
26 */
27
28 #include <linux/module.h>
29 #include <linux/debugfs.h>
30 #include <linux/kthread.h>
31 #include <asm/unaligned.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35 #include <net/bluetooth/l2cap.h>
36 #include <net/bluetooth/rfcomm.h>
37
38 #define VERSION "1.11"
39
40 static bool disable_cfc;
41 static bool l2cap_ertm;
42 static int channel_mtu = -1;
43 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
44
45 static struct task_struct *rfcomm_thread;
46
47 static DEFINE_MUTEX(rfcomm_mutex);
48 #define rfcomm_lock() mutex_lock(&rfcomm_mutex)
49 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
50
51
52 static LIST_HEAD(session_list);
53
54 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
55 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
56 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
57 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
58 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
59 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
60 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
61 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
62 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
63 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
64
65 static void rfcomm_process_connect(struct rfcomm_session *s);
66
67 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
68 bdaddr_t *dst,
69 u8 sec_level,
70 int *err);
71 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
72 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s);
73
74 /* ---- RFCOMM frame parsing macros ---- */
75 #define __get_dlci(b) ((b & 0xfc) >> 2)
76 #define __get_channel(b) ((b & 0xf8) >> 3)
77 #define __get_dir(b) ((b & 0x04) >> 2)
78 #define __get_type(b) ((b & 0xef))
79
80 #define __test_ea(b) ((b & 0x01))
81 #define __test_cr(b) (!!(b & 0x02))
82 #define __test_pf(b) (!!(b & 0x10))
83
84 #define __session_dir(s) ((s)->initiator ? 0x00 : 0x01)
85
86 #define __addr(cr, dlci) (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
87 #define __ctrl(type, pf) (((type & 0xef) | (pf << 4)))
88 #define __dlci(dir, chn) (((chn & 0x1f) << 1) | dir)
89 #define __srv_channel(dlci) (dlci >> 1)
90 #define __dir(dlci) (dlci & 0x01)
91
92 #define __len8(len) (((len) << 1) | 1)
93 #define __len16(len) ((len) << 1)
94
95 /* MCC macros */
96 #define __mcc_type(cr, type) (((type << 2) | (cr << 1) | 0x01))
97 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
98 #define __get_mcc_len(b) ((b & 0xfe) >> 1)
99
100 /* RPN macros */
101 #define __rpn_line_settings(data, stop, parity) ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
102 #define __get_rpn_data_bits(line) ((line) & 0x3)
103 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
104 #define __get_rpn_parity(line) (((line) >> 3) & 0x7)
105
106 static DECLARE_WAIT_QUEUE_HEAD(rfcomm_wq);
107
rfcomm_schedule(void)108 static void rfcomm_schedule(void)
109 {
110 wake_up_all(&rfcomm_wq);
111 }
112
113 /* ---- RFCOMM FCS computation ---- */
114
115 /* reversed, 8-bit, poly=0x07 */
116 static unsigned char rfcomm_crc_table[256] = {
117 0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
118 0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
119 0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
120 0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
121
122 0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
123 0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
124 0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
125 0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
126
127 0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
128 0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
129 0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
130 0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
131
132 0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
133 0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
134 0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
135 0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
136
137 0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
138 0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
139 0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
140 0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
141
142 0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
143 0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
144 0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
145 0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
146
147 0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
148 0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
149 0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
150 0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
151
152 0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
153 0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
154 0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
155 0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
156 };
157
158 /* CRC on 2 bytes */
159 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
160
161 /* FCS on 2 bytes */
__fcs(u8 * data)162 static inline u8 __fcs(u8 *data)
163 {
164 return 0xff - __crc(data);
165 }
166
167 /* FCS on 3 bytes */
__fcs2(u8 * data)168 static inline u8 __fcs2(u8 *data)
169 {
170 return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
171 }
172
173 /* Check FCS */
__check_fcs(u8 * data,int type,u8 fcs)174 static inline int __check_fcs(u8 *data, int type, u8 fcs)
175 {
176 u8 f = __crc(data);
177
178 if (type != RFCOMM_UIH)
179 f = rfcomm_crc_table[f ^ data[2]];
180
181 return rfcomm_crc_table[f ^ fcs] != 0xcf;
182 }
183
184 /* ---- L2CAP callbacks ---- */
rfcomm_l2state_change(struct sock * sk)185 static void rfcomm_l2state_change(struct sock *sk)
186 {
187 BT_DBG("%p state %d", sk, sk->sk_state);
188 rfcomm_schedule();
189 }
190
rfcomm_l2data_ready(struct sock * sk)191 static void rfcomm_l2data_ready(struct sock *sk)
192 {
193 BT_DBG("%p", sk);
194 rfcomm_schedule();
195 }
196
rfcomm_l2sock_create(struct socket ** sock)197 static int rfcomm_l2sock_create(struct socket **sock)
198 {
199 int err;
200
201 BT_DBG("");
202
203 err = sock_create_kern(&init_net, PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
204 if (!err) {
205 struct sock *sk = (*sock)->sk;
206 sk->sk_data_ready = rfcomm_l2data_ready;
207 sk->sk_state_change = rfcomm_l2state_change;
208 }
209 return err;
210 }
211
rfcomm_check_security(struct rfcomm_dlc * d)212 static int rfcomm_check_security(struct rfcomm_dlc *d)
213 {
214 struct sock *sk = d->session->sock->sk;
215 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
216
217 __u8 auth_type;
218
219 switch (d->sec_level) {
220 case BT_SECURITY_HIGH:
221 case BT_SECURITY_FIPS:
222 auth_type = HCI_AT_GENERAL_BONDING_MITM;
223 break;
224 case BT_SECURITY_MEDIUM:
225 auth_type = HCI_AT_GENERAL_BONDING;
226 break;
227 default:
228 auth_type = HCI_AT_NO_BONDING;
229 break;
230 }
231
232 return hci_conn_security(conn->hcon, d->sec_level, auth_type,
233 d->out);
234 }
235
rfcomm_session_timeout(struct timer_list * t)236 static void rfcomm_session_timeout(struct timer_list *t)
237 {
238 struct rfcomm_session *s = from_timer(s, t, timer);
239
240 BT_DBG("session %p state %ld", s, s->state);
241
242 set_bit(RFCOMM_TIMED_OUT, &s->flags);
243 rfcomm_schedule();
244 }
245
rfcomm_session_set_timer(struct rfcomm_session * s,long timeout)246 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
247 {
248 BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
249
250 mod_timer(&s->timer, jiffies + timeout);
251 }
252
rfcomm_session_clear_timer(struct rfcomm_session * s)253 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
254 {
255 BT_DBG("session %p state %ld", s, s->state);
256
257 del_timer_sync(&s->timer);
258 }
259
260 /* ---- RFCOMM DLCs ---- */
rfcomm_dlc_timeout(struct timer_list * t)261 static void rfcomm_dlc_timeout(struct timer_list *t)
262 {
263 struct rfcomm_dlc *d = from_timer(d, t, timer);
264
265 BT_DBG("dlc %p state %ld", d, d->state);
266
267 set_bit(RFCOMM_TIMED_OUT, &d->flags);
268 rfcomm_dlc_put(d);
269 rfcomm_schedule();
270 }
271
rfcomm_dlc_set_timer(struct rfcomm_dlc * d,long timeout)272 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
273 {
274 BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
275
276 if (!mod_timer(&d->timer, jiffies + timeout))
277 rfcomm_dlc_hold(d);
278 }
279
rfcomm_dlc_clear_timer(struct rfcomm_dlc * d)280 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
281 {
282 BT_DBG("dlc %p state %ld", d, d->state);
283
284 if (del_timer(&d->timer))
285 rfcomm_dlc_put(d);
286 }
287
rfcomm_dlc_clear_state(struct rfcomm_dlc * d)288 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
289 {
290 BT_DBG("%p", d);
291
292 d->state = BT_OPEN;
293 d->flags = 0;
294 d->mscex = 0;
295 d->sec_level = BT_SECURITY_LOW;
296 d->mtu = RFCOMM_DEFAULT_MTU;
297 d->v24_sig = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
298
299 d->cfc = RFCOMM_CFC_DISABLED;
300 d->rx_credits = RFCOMM_DEFAULT_CREDITS;
301 }
302
rfcomm_dlc_alloc(gfp_t prio)303 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
304 {
305 struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
306
307 if (!d)
308 return NULL;
309
310 timer_setup(&d->timer, rfcomm_dlc_timeout, 0);
311
312 skb_queue_head_init(&d->tx_queue);
313 mutex_init(&d->lock);
314 refcount_set(&d->refcnt, 1);
315
316 rfcomm_dlc_clear_state(d);
317
318 BT_DBG("%p", d);
319
320 return d;
321 }
322
rfcomm_dlc_free(struct rfcomm_dlc * d)323 void rfcomm_dlc_free(struct rfcomm_dlc *d)
324 {
325 BT_DBG("%p", d);
326
327 skb_queue_purge(&d->tx_queue);
328 kfree(d);
329 }
330
rfcomm_dlc_link(struct rfcomm_session * s,struct rfcomm_dlc * d)331 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
332 {
333 BT_DBG("dlc %p session %p", d, s);
334
335 rfcomm_session_clear_timer(s);
336 rfcomm_dlc_hold(d);
337 list_add(&d->list, &s->dlcs);
338 d->session = s;
339 }
340
rfcomm_dlc_unlink(struct rfcomm_dlc * d)341 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
342 {
343 struct rfcomm_session *s = d->session;
344
345 BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s);
346
347 list_del(&d->list);
348 d->session = NULL;
349 rfcomm_dlc_put(d);
350
351 if (list_empty(&s->dlcs))
352 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
353 }
354
rfcomm_dlc_get(struct rfcomm_session * s,u8 dlci)355 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
356 {
357 struct rfcomm_dlc *d;
358
359 list_for_each_entry(d, &s->dlcs, list)
360 if (d->dlci == dlci)
361 return d;
362
363 return NULL;
364 }
365
rfcomm_check_channel(u8 channel)366 static int rfcomm_check_channel(u8 channel)
367 {
368 return channel < 1 || channel > 30;
369 }
370
__rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)371 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
372 {
373 struct rfcomm_session *s;
374 int err = 0;
375 u8 dlci;
376
377 BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
378 d, d->state, src, dst, channel);
379
380 if (rfcomm_check_channel(channel))
381 return -EINVAL;
382
383 if (d->state != BT_OPEN && d->state != BT_CLOSED)
384 return 0;
385
386 s = rfcomm_session_get(src, dst);
387 if (!s) {
388 s = rfcomm_session_create(src, dst, d->sec_level, &err);
389 if (!s)
390 return err;
391 }
392
393 dlci = __dlci(__session_dir(s), channel);
394
395 /* Check if DLCI already exists */
396 if (rfcomm_dlc_get(s, dlci))
397 return -EBUSY;
398
399 rfcomm_dlc_clear_state(d);
400
401 d->dlci = dlci;
402 d->addr = __addr(s->initiator, dlci);
403 d->priority = 7;
404
405 d->state = BT_CONFIG;
406 rfcomm_dlc_link(s, d);
407
408 d->out = 1;
409
410 d->mtu = s->mtu;
411 d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
412
413 if (s->state == BT_CONNECTED) {
414 if (rfcomm_check_security(d))
415 rfcomm_send_pn(s, 1, d);
416 else
417 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
418 }
419
420 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
421
422 return 0;
423 }
424
rfcomm_dlc_open(struct rfcomm_dlc * d,bdaddr_t * src,bdaddr_t * dst,u8 channel)425 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
426 {
427 int r;
428
429 rfcomm_lock();
430
431 r = __rfcomm_dlc_open(d, src, dst, channel);
432
433 rfcomm_unlock();
434 return r;
435 }
436
__rfcomm_dlc_disconn(struct rfcomm_dlc * d)437 static void __rfcomm_dlc_disconn(struct rfcomm_dlc *d)
438 {
439 struct rfcomm_session *s = d->session;
440
441 d->state = BT_DISCONN;
442 if (skb_queue_empty(&d->tx_queue)) {
443 rfcomm_send_disc(s, d->dlci);
444 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
445 } else {
446 rfcomm_queue_disc(d);
447 rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
448 }
449 }
450
__rfcomm_dlc_close(struct rfcomm_dlc * d,int err)451 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
452 {
453 struct rfcomm_session *s = d->session;
454 if (!s)
455 return 0;
456
457 BT_DBG("dlc %p state %ld dlci %d err %d session %p",
458 d, d->state, d->dlci, err, s);
459
460 switch (d->state) {
461 case BT_CONNECT:
462 case BT_CONFIG:
463 case BT_OPEN:
464 case BT_CONNECT2:
465 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
466 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
467 rfcomm_schedule();
468 return 0;
469 }
470 }
471
472 switch (d->state) {
473 case BT_CONNECT:
474 case BT_CONNECTED:
475 __rfcomm_dlc_disconn(d);
476 break;
477
478 case BT_CONFIG:
479 if (s->state != BT_BOUND) {
480 __rfcomm_dlc_disconn(d);
481 break;
482 }
483 /* if closing a dlc in a session that hasn't been started,
484 * just close and unlink the dlc
485 */
486 /* fall through */
487
488 default:
489 rfcomm_dlc_clear_timer(d);
490
491 rfcomm_dlc_lock(d);
492 d->state = BT_CLOSED;
493 d->state_change(d, err);
494 rfcomm_dlc_unlock(d);
495
496 skb_queue_purge(&d->tx_queue);
497 rfcomm_dlc_unlink(d);
498 }
499
500 return 0;
501 }
502
rfcomm_dlc_close(struct rfcomm_dlc * d,int err)503 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
504 {
505 int r = 0;
506 struct rfcomm_dlc *d_list;
507 struct rfcomm_session *s, *s_list;
508
509 BT_DBG("dlc %p state %ld dlci %d err %d", d, d->state, d->dlci, err);
510
511 rfcomm_lock();
512
513 s = d->session;
514 if (!s)
515 goto no_session;
516
517 /* after waiting on the mutex check the session still exists
518 * then check the dlc still exists
519 */
520 list_for_each_entry(s_list, &session_list, list) {
521 if (s_list == s) {
522 list_for_each_entry(d_list, &s->dlcs, list) {
523 if (d_list == d) {
524 r = __rfcomm_dlc_close(d, err);
525 break;
526 }
527 }
528 break;
529 }
530 }
531
532 no_session:
533 rfcomm_unlock();
534 return r;
535 }
536
rfcomm_dlc_exists(bdaddr_t * src,bdaddr_t * dst,u8 channel)537 struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
538 {
539 struct rfcomm_session *s;
540 struct rfcomm_dlc *dlc = NULL;
541 u8 dlci;
542
543 if (rfcomm_check_channel(channel))
544 return ERR_PTR(-EINVAL);
545
546 rfcomm_lock();
547 s = rfcomm_session_get(src, dst);
548 if (s) {
549 dlci = __dlci(__session_dir(s), channel);
550 dlc = rfcomm_dlc_get(s, dlci);
551 }
552 rfcomm_unlock();
553 return dlc;
554 }
555
rfcomm_dlc_send_frag(struct rfcomm_dlc * d,struct sk_buff * frag)556 static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag)
557 {
558 int len = frag->len;
559
560 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
561
562 if (len > d->mtu)
563 return -EINVAL;
564
565 rfcomm_make_uih(frag, d->addr);
566 __skb_queue_tail(&d->tx_queue, frag);
567
568 return len;
569 }
570
rfcomm_dlc_send(struct rfcomm_dlc * d,struct sk_buff * skb)571 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
572 {
573 unsigned long flags;
574 struct sk_buff *frag, *next;
575 int len;
576
577 if (d->state != BT_CONNECTED)
578 return -ENOTCONN;
579
580 frag = skb_shinfo(skb)->frag_list;
581 skb_shinfo(skb)->frag_list = NULL;
582
583 /* Queue all fragments atomically. */
584 spin_lock_irqsave(&d->tx_queue.lock, flags);
585
586 len = rfcomm_dlc_send_frag(d, skb);
587 if (len < 0 || !frag)
588 goto unlock;
589
590 for (; frag; frag = next) {
591 int ret;
592
593 next = frag->next;
594
595 ret = rfcomm_dlc_send_frag(d, frag);
596 if (ret < 0) {
597 dev_kfree_skb_irq(frag);
598 goto unlock;
599 }
600
601 len += ret;
602 }
603
604 unlock:
605 spin_unlock_irqrestore(&d->tx_queue.lock, flags);
606
607 if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
608 rfcomm_schedule();
609 return len;
610 }
611
rfcomm_dlc_send_noerror(struct rfcomm_dlc * d,struct sk_buff * skb)612 void rfcomm_dlc_send_noerror(struct rfcomm_dlc *d, struct sk_buff *skb)
613 {
614 int len = skb->len;
615
616 BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
617
618 rfcomm_make_uih(skb, d->addr);
619 skb_queue_tail(&d->tx_queue, skb);
620
621 if (d->state == BT_CONNECTED &&
622 !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
623 rfcomm_schedule();
624 }
625
__rfcomm_dlc_throttle(struct rfcomm_dlc * d)626 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
627 {
628 BT_DBG("dlc %p state %ld", d, d->state);
629
630 if (!d->cfc) {
631 d->v24_sig |= RFCOMM_V24_FC;
632 set_bit(RFCOMM_MSC_PENDING, &d->flags);
633 }
634 rfcomm_schedule();
635 }
636
__rfcomm_dlc_unthrottle(struct rfcomm_dlc * d)637 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
638 {
639 BT_DBG("dlc %p state %ld", d, d->state);
640
641 if (!d->cfc) {
642 d->v24_sig &= ~RFCOMM_V24_FC;
643 set_bit(RFCOMM_MSC_PENDING, &d->flags);
644 }
645 rfcomm_schedule();
646 }
647
648 /*
649 Set/get modem status functions use _local_ status i.e. what we report
650 to the other side.
651 Remote status is provided by dlc->modem_status() callback.
652 */
rfcomm_dlc_set_modem_status(struct rfcomm_dlc * d,u8 v24_sig)653 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
654 {
655 BT_DBG("dlc %p state %ld v24_sig 0x%x",
656 d, d->state, v24_sig);
657
658 if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
659 v24_sig |= RFCOMM_V24_FC;
660 else
661 v24_sig &= ~RFCOMM_V24_FC;
662
663 d->v24_sig = v24_sig;
664
665 if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
666 rfcomm_schedule();
667
668 return 0;
669 }
670
rfcomm_dlc_get_modem_status(struct rfcomm_dlc * d,u8 * v24_sig)671 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
672 {
673 BT_DBG("dlc %p state %ld v24_sig 0x%x",
674 d, d->state, d->v24_sig);
675
676 *v24_sig = d->v24_sig;
677 return 0;
678 }
679
680 /* ---- RFCOMM sessions ---- */
rfcomm_session_add(struct socket * sock,int state)681 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
682 {
683 struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
684
685 if (!s)
686 return NULL;
687
688 BT_DBG("session %p sock %p", s, sock);
689
690 timer_setup(&s->timer, rfcomm_session_timeout, 0);
691
692 INIT_LIST_HEAD(&s->dlcs);
693 s->state = state;
694 s->sock = sock;
695
696 s->mtu = RFCOMM_DEFAULT_MTU;
697 s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
698
699 /* Do not increment module usage count for listening sessions.
700 * Otherwise we won't be able to unload the module. */
701 if (state != BT_LISTEN)
702 if (!try_module_get(THIS_MODULE)) {
703 kfree(s);
704 return NULL;
705 }
706
707 list_add(&s->list, &session_list);
708
709 return s;
710 }
711
rfcomm_session_del(struct rfcomm_session * s)712 static struct rfcomm_session *rfcomm_session_del(struct rfcomm_session *s)
713 {
714 int state = s->state;
715
716 BT_DBG("session %p state %ld", s, s->state);
717
718 list_del(&s->list);
719
720 rfcomm_session_clear_timer(s);
721 sock_release(s->sock);
722 kfree(s);
723
724 if (state != BT_LISTEN)
725 module_put(THIS_MODULE);
726
727 return NULL;
728 }
729
rfcomm_session_get(bdaddr_t * src,bdaddr_t * dst)730 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
731 {
732 struct rfcomm_session *s, *n;
733 struct l2cap_chan *chan;
734 list_for_each_entry_safe(s, n, &session_list, list) {
735 chan = l2cap_pi(s->sock->sk)->chan;
736
737 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&chan->src, src)) &&
738 !bacmp(&chan->dst, dst))
739 return s;
740 }
741 return NULL;
742 }
743
rfcomm_session_close(struct rfcomm_session * s,int err)744 static struct rfcomm_session *rfcomm_session_close(struct rfcomm_session *s,
745 int err)
746 {
747 struct rfcomm_dlc *d, *n;
748
749 s->state = BT_CLOSED;
750
751 BT_DBG("session %p state %ld err %d", s, s->state, err);
752
753 /* Close all dlcs */
754 list_for_each_entry_safe(d, n, &s->dlcs, list) {
755 d->state = BT_CLOSED;
756 __rfcomm_dlc_close(d, err);
757 }
758
759 rfcomm_session_clear_timer(s);
760 return rfcomm_session_del(s);
761 }
762
rfcomm_session_create(bdaddr_t * src,bdaddr_t * dst,u8 sec_level,int * err)763 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
764 bdaddr_t *dst,
765 u8 sec_level,
766 int *err)
767 {
768 struct rfcomm_session *s = NULL;
769 struct sockaddr_l2 addr;
770 struct socket *sock;
771 struct sock *sk;
772
773 BT_DBG("%pMR -> %pMR", src, dst);
774
775 *err = rfcomm_l2sock_create(&sock);
776 if (*err < 0)
777 return NULL;
778
779 bacpy(&addr.l2_bdaddr, src);
780 addr.l2_family = AF_BLUETOOTH;
781 addr.l2_psm = 0;
782 addr.l2_cid = 0;
783 addr.l2_bdaddr_type = BDADDR_BREDR;
784 *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
785 if (*err < 0)
786 goto failed;
787
788 /* Set L2CAP options */
789 sk = sock->sk;
790 lock_sock(sk);
791 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
792 l2cap_pi(sk)->chan->sec_level = sec_level;
793 if (l2cap_ertm)
794 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
795 release_sock(sk);
796
797 s = rfcomm_session_add(sock, BT_BOUND);
798 if (!s) {
799 *err = -ENOMEM;
800 goto failed;
801 }
802
803 s->initiator = 1;
804
805 bacpy(&addr.l2_bdaddr, dst);
806 addr.l2_family = AF_BLUETOOTH;
807 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
808 addr.l2_cid = 0;
809 addr.l2_bdaddr_type = BDADDR_BREDR;
810 *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
811 if (*err == 0 || *err == -EINPROGRESS)
812 return s;
813
814 return rfcomm_session_del(s);
815
816 failed:
817 sock_release(sock);
818 return NULL;
819 }
820
rfcomm_session_getaddr(struct rfcomm_session * s,bdaddr_t * src,bdaddr_t * dst)821 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
822 {
823 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
824 if (src)
825 bacpy(src, &chan->src);
826 if (dst)
827 bacpy(dst, &chan->dst);
828 }
829
830 /* ---- RFCOMM frame sending ---- */
rfcomm_send_frame(struct rfcomm_session * s,u8 * data,int len)831 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
832 {
833 struct kvec iv = { data, len };
834 struct msghdr msg;
835
836 BT_DBG("session %p len %d", s, len);
837
838 memset(&msg, 0, sizeof(msg));
839
840 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
841 }
842
rfcomm_send_cmd(struct rfcomm_session * s,struct rfcomm_cmd * cmd)843 static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
844 {
845 BT_DBG("%p cmd %u", s, cmd->ctrl);
846
847 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
848 }
849
rfcomm_send_sabm(struct rfcomm_session * s,u8 dlci)850 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
851 {
852 struct rfcomm_cmd cmd;
853
854 BT_DBG("%p dlci %d", s, dlci);
855
856 cmd.addr = __addr(s->initiator, dlci);
857 cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
858 cmd.len = __len8(0);
859 cmd.fcs = __fcs2((u8 *) &cmd);
860
861 return rfcomm_send_cmd(s, &cmd);
862 }
863
rfcomm_send_ua(struct rfcomm_session * s,u8 dlci)864 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
865 {
866 struct rfcomm_cmd cmd;
867
868 BT_DBG("%p dlci %d", s, dlci);
869
870 cmd.addr = __addr(!s->initiator, dlci);
871 cmd.ctrl = __ctrl(RFCOMM_UA, 1);
872 cmd.len = __len8(0);
873 cmd.fcs = __fcs2((u8 *) &cmd);
874
875 return rfcomm_send_cmd(s, &cmd);
876 }
877
rfcomm_send_disc(struct rfcomm_session * s,u8 dlci)878 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
879 {
880 struct rfcomm_cmd cmd;
881
882 BT_DBG("%p dlci %d", s, dlci);
883
884 cmd.addr = __addr(s->initiator, dlci);
885 cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
886 cmd.len = __len8(0);
887 cmd.fcs = __fcs2((u8 *) &cmd);
888
889 return rfcomm_send_cmd(s, &cmd);
890 }
891
rfcomm_queue_disc(struct rfcomm_dlc * d)892 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
893 {
894 struct rfcomm_cmd *cmd;
895 struct sk_buff *skb;
896
897 BT_DBG("dlc %p dlci %d", d, d->dlci);
898
899 skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
900 if (!skb)
901 return -ENOMEM;
902
903 cmd = __skb_put(skb, sizeof(*cmd));
904 cmd->addr = d->addr;
905 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
906 cmd->len = __len8(0);
907 cmd->fcs = __fcs2((u8 *) cmd);
908
909 skb_queue_tail(&d->tx_queue, skb);
910 rfcomm_schedule();
911 return 0;
912 }
913
rfcomm_send_dm(struct rfcomm_session * s,u8 dlci)914 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
915 {
916 struct rfcomm_cmd cmd;
917
918 BT_DBG("%p dlci %d", s, dlci);
919
920 cmd.addr = __addr(!s->initiator, dlci);
921 cmd.ctrl = __ctrl(RFCOMM_DM, 1);
922 cmd.len = __len8(0);
923 cmd.fcs = __fcs2((u8 *) &cmd);
924
925 return rfcomm_send_cmd(s, &cmd);
926 }
927
rfcomm_send_nsc(struct rfcomm_session * s,int cr,u8 type)928 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
929 {
930 struct rfcomm_hdr *hdr;
931 struct rfcomm_mcc *mcc;
932 u8 buf[16], *ptr = buf;
933
934 BT_DBG("%p cr %d type %d", s, cr, type);
935
936 hdr = (void *) ptr; ptr += sizeof(*hdr);
937 hdr->addr = __addr(s->initiator, 0);
938 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
939 hdr->len = __len8(sizeof(*mcc) + 1);
940
941 mcc = (void *) ptr; ptr += sizeof(*mcc);
942 mcc->type = __mcc_type(0, RFCOMM_NSC);
943 mcc->len = __len8(1);
944
945 /* Type that we didn't like */
946 *ptr = __mcc_type(cr, type); ptr++;
947
948 *ptr = __fcs(buf); ptr++;
949
950 return rfcomm_send_frame(s, buf, ptr - buf);
951 }
952
rfcomm_send_pn(struct rfcomm_session * s,int cr,struct rfcomm_dlc * d)953 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
954 {
955 struct rfcomm_hdr *hdr;
956 struct rfcomm_mcc *mcc;
957 struct rfcomm_pn *pn;
958 u8 buf[16], *ptr = buf;
959
960 BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
961
962 hdr = (void *) ptr; ptr += sizeof(*hdr);
963 hdr->addr = __addr(s->initiator, 0);
964 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
965 hdr->len = __len8(sizeof(*mcc) + sizeof(*pn));
966
967 mcc = (void *) ptr; ptr += sizeof(*mcc);
968 mcc->type = __mcc_type(cr, RFCOMM_PN);
969 mcc->len = __len8(sizeof(*pn));
970
971 pn = (void *) ptr; ptr += sizeof(*pn);
972 pn->dlci = d->dlci;
973 pn->priority = d->priority;
974 pn->ack_timer = 0;
975 pn->max_retrans = 0;
976
977 if (s->cfc) {
978 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
979 pn->credits = RFCOMM_DEFAULT_CREDITS;
980 } else {
981 pn->flow_ctrl = 0;
982 pn->credits = 0;
983 }
984
985 if (cr && channel_mtu >= 0)
986 pn->mtu = cpu_to_le16(channel_mtu);
987 else
988 pn->mtu = cpu_to_le16(d->mtu);
989
990 *ptr = __fcs(buf); ptr++;
991
992 return rfcomm_send_frame(s, buf, ptr - buf);
993 }
994
rfcomm_send_rpn(struct rfcomm_session * s,int cr,u8 dlci,u8 bit_rate,u8 data_bits,u8 stop_bits,u8 parity,u8 flow_ctrl_settings,u8 xon_char,u8 xoff_char,u16 param_mask)995 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
996 u8 bit_rate, u8 data_bits, u8 stop_bits,
997 u8 parity, u8 flow_ctrl_settings,
998 u8 xon_char, u8 xoff_char, u16 param_mask)
999 {
1000 struct rfcomm_hdr *hdr;
1001 struct rfcomm_mcc *mcc;
1002 struct rfcomm_rpn *rpn;
1003 u8 buf[16], *ptr = buf;
1004
1005 BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
1006 " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
1007 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
1008 flow_ctrl_settings, xon_char, xoff_char, param_mask);
1009
1010 hdr = (void *) ptr; ptr += sizeof(*hdr);
1011 hdr->addr = __addr(s->initiator, 0);
1012 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1013 hdr->len = __len8(sizeof(*mcc) + sizeof(*rpn));
1014
1015 mcc = (void *) ptr; ptr += sizeof(*mcc);
1016 mcc->type = __mcc_type(cr, RFCOMM_RPN);
1017 mcc->len = __len8(sizeof(*rpn));
1018
1019 rpn = (void *) ptr; ptr += sizeof(*rpn);
1020 rpn->dlci = __addr(1, dlci);
1021 rpn->bit_rate = bit_rate;
1022 rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
1023 rpn->flow_ctrl = flow_ctrl_settings;
1024 rpn->xon_char = xon_char;
1025 rpn->xoff_char = xoff_char;
1026 rpn->param_mask = cpu_to_le16(param_mask);
1027
1028 *ptr = __fcs(buf); ptr++;
1029
1030 return rfcomm_send_frame(s, buf, ptr - buf);
1031 }
1032
rfcomm_send_rls(struct rfcomm_session * s,int cr,u8 dlci,u8 status)1033 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
1034 {
1035 struct rfcomm_hdr *hdr;
1036 struct rfcomm_mcc *mcc;
1037 struct rfcomm_rls *rls;
1038 u8 buf[16], *ptr = buf;
1039
1040 BT_DBG("%p cr %d status 0x%x", s, cr, status);
1041
1042 hdr = (void *) ptr; ptr += sizeof(*hdr);
1043 hdr->addr = __addr(s->initiator, 0);
1044 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1045 hdr->len = __len8(sizeof(*mcc) + sizeof(*rls));
1046
1047 mcc = (void *) ptr; ptr += sizeof(*mcc);
1048 mcc->type = __mcc_type(cr, RFCOMM_RLS);
1049 mcc->len = __len8(sizeof(*rls));
1050
1051 rls = (void *) ptr; ptr += sizeof(*rls);
1052 rls->dlci = __addr(1, dlci);
1053 rls->status = status;
1054
1055 *ptr = __fcs(buf); ptr++;
1056
1057 return rfcomm_send_frame(s, buf, ptr - buf);
1058 }
1059
rfcomm_send_msc(struct rfcomm_session * s,int cr,u8 dlci,u8 v24_sig)1060 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
1061 {
1062 struct rfcomm_hdr *hdr;
1063 struct rfcomm_mcc *mcc;
1064 struct rfcomm_msc *msc;
1065 u8 buf[16], *ptr = buf;
1066
1067 BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
1068
1069 hdr = (void *) ptr; ptr += sizeof(*hdr);
1070 hdr->addr = __addr(s->initiator, 0);
1071 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1072 hdr->len = __len8(sizeof(*mcc) + sizeof(*msc));
1073
1074 mcc = (void *) ptr; ptr += sizeof(*mcc);
1075 mcc->type = __mcc_type(cr, RFCOMM_MSC);
1076 mcc->len = __len8(sizeof(*msc));
1077
1078 msc = (void *) ptr; ptr += sizeof(*msc);
1079 msc->dlci = __addr(1, dlci);
1080 msc->v24_sig = v24_sig | 0x01;
1081
1082 *ptr = __fcs(buf); ptr++;
1083
1084 return rfcomm_send_frame(s, buf, ptr - buf);
1085 }
1086
rfcomm_send_fcoff(struct rfcomm_session * s,int cr)1087 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1088 {
1089 struct rfcomm_hdr *hdr;
1090 struct rfcomm_mcc *mcc;
1091 u8 buf[16], *ptr = buf;
1092
1093 BT_DBG("%p cr %d", s, cr);
1094
1095 hdr = (void *) ptr; ptr += sizeof(*hdr);
1096 hdr->addr = __addr(s->initiator, 0);
1097 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1098 hdr->len = __len8(sizeof(*mcc));
1099
1100 mcc = (void *) ptr; ptr += sizeof(*mcc);
1101 mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1102 mcc->len = __len8(0);
1103
1104 *ptr = __fcs(buf); ptr++;
1105
1106 return rfcomm_send_frame(s, buf, ptr - buf);
1107 }
1108
rfcomm_send_fcon(struct rfcomm_session * s,int cr)1109 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1110 {
1111 struct rfcomm_hdr *hdr;
1112 struct rfcomm_mcc *mcc;
1113 u8 buf[16], *ptr = buf;
1114
1115 BT_DBG("%p cr %d", s, cr);
1116
1117 hdr = (void *) ptr; ptr += sizeof(*hdr);
1118 hdr->addr = __addr(s->initiator, 0);
1119 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1120 hdr->len = __len8(sizeof(*mcc));
1121
1122 mcc = (void *) ptr; ptr += sizeof(*mcc);
1123 mcc->type = __mcc_type(cr, RFCOMM_FCON);
1124 mcc->len = __len8(0);
1125
1126 *ptr = __fcs(buf); ptr++;
1127
1128 return rfcomm_send_frame(s, buf, ptr - buf);
1129 }
1130
rfcomm_send_test(struct rfcomm_session * s,int cr,u8 * pattern,int len)1131 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1132 {
1133 struct socket *sock = s->sock;
1134 struct kvec iv[3];
1135 struct msghdr msg;
1136 unsigned char hdr[5], crc[1];
1137
1138 if (len > 125)
1139 return -EINVAL;
1140
1141 BT_DBG("%p cr %d", s, cr);
1142
1143 hdr[0] = __addr(s->initiator, 0);
1144 hdr[1] = __ctrl(RFCOMM_UIH, 0);
1145 hdr[2] = 0x01 | ((len + 2) << 1);
1146 hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1147 hdr[4] = 0x01 | (len << 1);
1148
1149 crc[0] = __fcs(hdr);
1150
1151 iv[0].iov_base = hdr;
1152 iv[0].iov_len = 5;
1153 iv[1].iov_base = pattern;
1154 iv[1].iov_len = len;
1155 iv[2].iov_base = crc;
1156 iv[2].iov_len = 1;
1157
1158 memset(&msg, 0, sizeof(msg));
1159
1160 return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1161 }
1162
rfcomm_send_credits(struct rfcomm_session * s,u8 addr,u8 credits)1163 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1164 {
1165 struct rfcomm_hdr *hdr;
1166 u8 buf[16], *ptr = buf;
1167
1168 BT_DBG("%p addr %d credits %d", s, addr, credits);
1169
1170 hdr = (void *) ptr; ptr += sizeof(*hdr);
1171 hdr->addr = addr;
1172 hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1173 hdr->len = __len8(0);
1174
1175 *ptr = credits; ptr++;
1176
1177 *ptr = __fcs(buf); ptr++;
1178
1179 return rfcomm_send_frame(s, buf, ptr - buf);
1180 }
1181
rfcomm_make_uih(struct sk_buff * skb,u8 addr)1182 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1183 {
1184 struct rfcomm_hdr *hdr;
1185 int len = skb->len;
1186 u8 *crc;
1187
1188 if (len > 127) {
1189 hdr = skb_push(skb, 4);
1190 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1191 } else {
1192 hdr = skb_push(skb, 3);
1193 hdr->len = __len8(len);
1194 }
1195 hdr->addr = addr;
1196 hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1197
1198 crc = skb_put(skb, 1);
1199 *crc = __fcs((void *) hdr);
1200 }
1201
1202 /* ---- RFCOMM frame reception ---- */
rfcomm_recv_ua(struct rfcomm_session * s,u8 dlci)1203 static struct rfcomm_session *rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1204 {
1205 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1206
1207 if (dlci) {
1208 /* Data channel */
1209 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1210 if (!d) {
1211 rfcomm_send_dm(s, dlci);
1212 return s;
1213 }
1214
1215 switch (d->state) {
1216 case BT_CONNECT:
1217 rfcomm_dlc_clear_timer(d);
1218
1219 rfcomm_dlc_lock(d);
1220 d->state = BT_CONNECTED;
1221 d->state_change(d, 0);
1222 rfcomm_dlc_unlock(d);
1223
1224 rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1225 break;
1226
1227 case BT_DISCONN:
1228 d->state = BT_CLOSED;
1229 __rfcomm_dlc_close(d, 0);
1230
1231 if (list_empty(&s->dlcs)) {
1232 s->state = BT_DISCONN;
1233 rfcomm_send_disc(s, 0);
1234 rfcomm_session_clear_timer(s);
1235 }
1236
1237 break;
1238 }
1239 } else {
1240 /* Control channel */
1241 switch (s->state) {
1242 case BT_CONNECT:
1243 s->state = BT_CONNECTED;
1244 rfcomm_process_connect(s);
1245 break;
1246
1247 case BT_DISCONN:
1248 s = rfcomm_session_close(s, ECONNRESET);
1249 break;
1250 }
1251 }
1252 return s;
1253 }
1254
rfcomm_recv_dm(struct rfcomm_session * s,u8 dlci)1255 static struct rfcomm_session *rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1256 {
1257 int err = 0;
1258
1259 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1260
1261 if (dlci) {
1262 /* Data DLC */
1263 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1264 if (d) {
1265 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1266 err = ECONNREFUSED;
1267 else
1268 err = ECONNRESET;
1269
1270 d->state = BT_CLOSED;
1271 __rfcomm_dlc_close(d, err);
1272 }
1273 } else {
1274 if (s->state == BT_CONNECT)
1275 err = ECONNREFUSED;
1276 else
1277 err = ECONNRESET;
1278
1279 s = rfcomm_session_close(s, err);
1280 }
1281 return s;
1282 }
1283
rfcomm_recv_disc(struct rfcomm_session * s,u8 dlci)1284 static struct rfcomm_session *rfcomm_recv_disc(struct rfcomm_session *s,
1285 u8 dlci)
1286 {
1287 int err = 0;
1288
1289 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1290
1291 if (dlci) {
1292 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1293 if (d) {
1294 rfcomm_send_ua(s, dlci);
1295
1296 if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1297 err = ECONNREFUSED;
1298 else
1299 err = ECONNRESET;
1300
1301 d->state = BT_CLOSED;
1302 __rfcomm_dlc_close(d, err);
1303 } else
1304 rfcomm_send_dm(s, dlci);
1305
1306 } else {
1307 rfcomm_send_ua(s, 0);
1308
1309 if (s->state == BT_CONNECT)
1310 err = ECONNREFUSED;
1311 else
1312 err = ECONNRESET;
1313
1314 s = rfcomm_session_close(s, err);
1315 }
1316 return s;
1317 }
1318
rfcomm_dlc_accept(struct rfcomm_dlc * d)1319 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1320 {
1321 struct sock *sk = d->session->sock->sk;
1322 struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1323
1324 BT_DBG("dlc %p", d);
1325
1326 rfcomm_send_ua(d->session, d->dlci);
1327
1328 rfcomm_dlc_clear_timer(d);
1329
1330 rfcomm_dlc_lock(d);
1331 d->state = BT_CONNECTED;
1332 d->state_change(d, 0);
1333 rfcomm_dlc_unlock(d);
1334
1335 if (d->role_switch)
1336 hci_conn_switch_role(conn->hcon, 0x00);
1337
1338 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1339 }
1340
rfcomm_check_accept(struct rfcomm_dlc * d)1341 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1342 {
1343 if (rfcomm_check_security(d)) {
1344 if (d->defer_setup) {
1345 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1346 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1347
1348 rfcomm_dlc_lock(d);
1349 d->state = BT_CONNECT2;
1350 d->state_change(d, 0);
1351 rfcomm_dlc_unlock(d);
1352 } else
1353 rfcomm_dlc_accept(d);
1354 } else {
1355 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1356 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1357 }
1358 }
1359
rfcomm_recv_sabm(struct rfcomm_session * s,u8 dlci)1360 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1361 {
1362 struct rfcomm_dlc *d;
1363 u8 channel;
1364
1365 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1366
1367 if (!dlci) {
1368 rfcomm_send_ua(s, 0);
1369
1370 if (s->state == BT_OPEN) {
1371 s->state = BT_CONNECTED;
1372 rfcomm_process_connect(s);
1373 }
1374 return 0;
1375 }
1376
1377 /* Check if DLC exists */
1378 d = rfcomm_dlc_get(s, dlci);
1379 if (d) {
1380 if (d->state == BT_OPEN) {
1381 /* DLC was previously opened by PN request */
1382 rfcomm_check_accept(d);
1383 }
1384 return 0;
1385 }
1386
1387 /* Notify socket layer about incoming connection */
1388 channel = __srv_channel(dlci);
1389 if (rfcomm_connect_ind(s, channel, &d)) {
1390 d->dlci = dlci;
1391 d->addr = __addr(s->initiator, dlci);
1392 rfcomm_dlc_link(s, d);
1393
1394 rfcomm_check_accept(d);
1395 } else {
1396 rfcomm_send_dm(s, dlci);
1397 }
1398
1399 return 0;
1400 }
1401
rfcomm_apply_pn(struct rfcomm_dlc * d,int cr,struct rfcomm_pn * pn)1402 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1403 {
1404 struct rfcomm_session *s = d->session;
1405
1406 BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1407 d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1408
1409 if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1410 pn->flow_ctrl == 0xe0) {
1411 d->cfc = RFCOMM_CFC_ENABLED;
1412 d->tx_credits = pn->credits;
1413 } else {
1414 d->cfc = RFCOMM_CFC_DISABLED;
1415 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1416 }
1417
1418 if (s->cfc == RFCOMM_CFC_UNKNOWN)
1419 s->cfc = d->cfc;
1420
1421 d->priority = pn->priority;
1422
1423 d->mtu = __le16_to_cpu(pn->mtu);
1424
1425 if (cr && d->mtu > s->mtu)
1426 d->mtu = s->mtu;
1427
1428 return 0;
1429 }
1430
rfcomm_recv_pn(struct rfcomm_session * s,int cr,struct sk_buff * skb)1431 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1432 {
1433 struct rfcomm_pn *pn = (void *) skb->data;
1434 struct rfcomm_dlc *d;
1435 u8 dlci = pn->dlci;
1436
1437 BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1438
1439 if (!dlci)
1440 return 0;
1441
1442 d = rfcomm_dlc_get(s, dlci);
1443 if (d) {
1444 if (cr) {
1445 /* PN request */
1446 rfcomm_apply_pn(d, cr, pn);
1447 rfcomm_send_pn(s, 0, d);
1448 } else {
1449 /* PN response */
1450 switch (d->state) {
1451 case BT_CONFIG:
1452 rfcomm_apply_pn(d, cr, pn);
1453
1454 d->state = BT_CONNECT;
1455 rfcomm_send_sabm(s, d->dlci);
1456 break;
1457 }
1458 }
1459 } else {
1460 u8 channel = __srv_channel(dlci);
1461
1462 if (!cr)
1463 return 0;
1464
1465 /* PN request for non existing DLC.
1466 * Assume incoming connection. */
1467 if (rfcomm_connect_ind(s, channel, &d)) {
1468 d->dlci = dlci;
1469 d->addr = __addr(s->initiator, dlci);
1470 rfcomm_dlc_link(s, d);
1471
1472 rfcomm_apply_pn(d, cr, pn);
1473
1474 d->state = BT_OPEN;
1475 rfcomm_send_pn(s, 0, d);
1476 } else {
1477 rfcomm_send_dm(s, dlci);
1478 }
1479 }
1480 return 0;
1481 }
1482
rfcomm_recv_rpn(struct rfcomm_session * s,int cr,int len,struct sk_buff * skb)1483 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1484 {
1485 struct rfcomm_rpn *rpn = (void *) skb->data;
1486 u8 dlci = __get_dlci(rpn->dlci);
1487
1488 u8 bit_rate = 0;
1489 u8 data_bits = 0;
1490 u8 stop_bits = 0;
1491 u8 parity = 0;
1492 u8 flow_ctrl = 0;
1493 u8 xon_char = 0;
1494 u8 xoff_char = 0;
1495 u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1496
1497 BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1498 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1499 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1500
1501 if (!cr)
1502 return 0;
1503
1504 if (len == 1) {
1505 /* This is a request, return default (according to ETSI TS 07.10) settings */
1506 bit_rate = RFCOMM_RPN_BR_9600;
1507 data_bits = RFCOMM_RPN_DATA_8;
1508 stop_bits = RFCOMM_RPN_STOP_1;
1509 parity = RFCOMM_RPN_PARITY_NONE;
1510 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1511 xon_char = RFCOMM_RPN_XON_CHAR;
1512 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1513 goto rpn_out;
1514 }
1515
1516 /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1517 * no parity, no flow control lines, normal XON/XOFF chars */
1518
1519 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1520 bit_rate = rpn->bit_rate;
1521 if (bit_rate > RFCOMM_RPN_BR_230400) {
1522 BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1523 bit_rate = RFCOMM_RPN_BR_9600;
1524 rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1525 }
1526 }
1527
1528 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1529 data_bits = __get_rpn_data_bits(rpn->line_settings);
1530 if (data_bits != RFCOMM_RPN_DATA_8) {
1531 BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1532 data_bits = RFCOMM_RPN_DATA_8;
1533 rpn_mask ^= RFCOMM_RPN_PM_DATA;
1534 }
1535 }
1536
1537 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1538 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1539 if (stop_bits != RFCOMM_RPN_STOP_1) {
1540 BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1541 stop_bits = RFCOMM_RPN_STOP_1;
1542 rpn_mask ^= RFCOMM_RPN_PM_STOP;
1543 }
1544 }
1545
1546 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1547 parity = __get_rpn_parity(rpn->line_settings);
1548 if (parity != RFCOMM_RPN_PARITY_NONE) {
1549 BT_DBG("RPN parity mismatch 0x%x", parity);
1550 parity = RFCOMM_RPN_PARITY_NONE;
1551 rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1552 }
1553 }
1554
1555 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1556 flow_ctrl = rpn->flow_ctrl;
1557 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1558 BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1559 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1560 rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1561 }
1562 }
1563
1564 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1565 xon_char = rpn->xon_char;
1566 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1567 BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1568 xon_char = RFCOMM_RPN_XON_CHAR;
1569 rpn_mask ^= RFCOMM_RPN_PM_XON;
1570 }
1571 }
1572
1573 if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1574 xoff_char = rpn->xoff_char;
1575 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1576 BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1577 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1578 rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1579 }
1580 }
1581
1582 rpn_out:
1583 rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1584 parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1585
1586 return 0;
1587 }
1588
rfcomm_recv_rls(struct rfcomm_session * s,int cr,struct sk_buff * skb)1589 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1590 {
1591 struct rfcomm_rls *rls = (void *) skb->data;
1592 u8 dlci = __get_dlci(rls->dlci);
1593
1594 BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1595
1596 if (!cr)
1597 return 0;
1598
1599 /* We should probably do something with this information here. But
1600 * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1601 * mandatory to recognise and respond to RLS */
1602
1603 rfcomm_send_rls(s, 0, dlci, rls->status);
1604
1605 return 0;
1606 }
1607
rfcomm_recv_msc(struct rfcomm_session * s,int cr,struct sk_buff * skb)1608 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1609 {
1610 struct rfcomm_msc *msc = (void *) skb->data;
1611 struct rfcomm_dlc *d;
1612 u8 dlci = __get_dlci(msc->dlci);
1613
1614 BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1615
1616 d = rfcomm_dlc_get(s, dlci);
1617 if (!d)
1618 return 0;
1619
1620 if (cr) {
1621 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1622 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1623 else
1624 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1625
1626 rfcomm_dlc_lock(d);
1627
1628 d->remote_v24_sig = msc->v24_sig;
1629
1630 if (d->modem_status)
1631 d->modem_status(d, msc->v24_sig);
1632
1633 rfcomm_dlc_unlock(d);
1634
1635 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1636
1637 d->mscex |= RFCOMM_MSCEX_RX;
1638 } else
1639 d->mscex |= RFCOMM_MSCEX_TX;
1640
1641 return 0;
1642 }
1643
rfcomm_recv_mcc(struct rfcomm_session * s,struct sk_buff * skb)1644 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1645 {
1646 struct rfcomm_mcc *mcc = (void *) skb->data;
1647 u8 type, cr, len;
1648
1649 cr = __test_cr(mcc->type);
1650 type = __get_mcc_type(mcc->type);
1651 len = __get_mcc_len(mcc->len);
1652
1653 BT_DBG("%p type 0x%x cr %d", s, type, cr);
1654
1655 skb_pull(skb, 2);
1656
1657 switch (type) {
1658 case RFCOMM_PN:
1659 rfcomm_recv_pn(s, cr, skb);
1660 break;
1661
1662 case RFCOMM_RPN:
1663 rfcomm_recv_rpn(s, cr, len, skb);
1664 break;
1665
1666 case RFCOMM_RLS:
1667 rfcomm_recv_rls(s, cr, skb);
1668 break;
1669
1670 case RFCOMM_MSC:
1671 rfcomm_recv_msc(s, cr, skb);
1672 break;
1673
1674 case RFCOMM_FCOFF:
1675 if (cr) {
1676 set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1677 rfcomm_send_fcoff(s, 0);
1678 }
1679 break;
1680
1681 case RFCOMM_FCON:
1682 if (cr) {
1683 clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1684 rfcomm_send_fcon(s, 0);
1685 }
1686 break;
1687
1688 case RFCOMM_TEST:
1689 if (cr)
1690 rfcomm_send_test(s, 0, skb->data, skb->len);
1691 break;
1692
1693 case RFCOMM_NSC:
1694 break;
1695
1696 default:
1697 BT_ERR("Unknown control type 0x%02x", type);
1698 rfcomm_send_nsc(s, cr, type);
1699 break;
1700 }
1701 return 0;
1702 }
1703
rfcomm_recv_data(struct rfcomm_session * s,u8 dlci,int pf,struct sk_buff * skb)1704 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1705 {
1706 struct rfcomm_dlc *d;
1707
1708 BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1709
1710 d = rfcomm_dlc_get(s, dlci);
1711 if (!d) {
1712 rfcomm_send_dm(s, dlci);
1713 goto drop;
1714 }
1715
1716 if (pf && d->cfc) {
1717 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1718
1719 d->tx_credits += credits;
1720 if (d->tx_credits)
1721 clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1722 }
1723
1724 if (skb->len && d->state == BT_CONNECTED) {
1725 rfcomm_dlc_lock(d);
1726 d->rx_credits--;
1727 d->data_ready(d, skb);
1728 rfcomm_dlc_unlock(d);
1729 return 0;
1730 }
1731
1732 drop:
1733 kfree_skb(skb);
1734 return 0;
1735 }
1736
rfcomm_recv_frame(struct rfcomm_session * s,struct sk_buff * skb)1737 static struct rfcomm_session *rfcomm_recv_frame(struct rfcomm_session *s,
1738 struct sk_buff *skb)
1739 {
1740 struct rfcomm_hdr *hdr = (void *) skb->data;
1741 u8 type, dlci, fcs;
1742
1743 if (!s) {
1744 /* no session, so free socket data */
1745 kfree_skb(skb);
1746 return s;
1747 }
1748
1749 dlci = __get_dlci(hdr->addr);
1750 type = __get_type(hdr->ctrl);
1751
1752 /* Trim FCS */
1753 skb->len--; skb->tail--;
1754 fcs = *(u8 *)skb_tail_pointer(skb);
1755
1756 if (__check_fcs(skb->data, type, fcs)) {
1757 BT_ERR("bad checksum in packet");
1758 kfree_skb(skb);
1759 return s;
1760 }
1761
1762 if (__test_ea(hdr->len))
1763 skb_pull(skb, 3);
1764 else
1765 skb_pull(skb, 4);
1766
1767 switch (type) {
1768 case RFCOMM_SABM:
1769 if (__test_pf(hdr->ctrl))
1770 rfcomm_recv_sabm(s, dlci);
1771 break;
1772
1773 case RFCOMM_DISC:
1774 if (__test_pf(hdr->ctrl))
1775 s = rfcomm_recv_disc(s, dlci);
1776 break;
1777
1778 case RFCOMM_UA:
1779 if (__test_pf(hdr->ctrl))
1780 s = rfcomm_recv_ua(s, dlci);
1781 break;
1782
1783 case RFCOMM_DM:
1784 s = rfcomm_recv_dm(s, dlci);
1785 break;
1786
1787 case RFCOMM_UIH:
1788 if (dlci) {
1789 rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1790 return s;
1791 }
1792 rfcomm_recv_mcc(s, skb);
1793 break;
1794
1795 default:
1796 BT_ERR("Unknown packet type 0x%02x", type);
1797 break;
1798 }
1799 kfree_skb(skb);
1800 return s;
1801 }
1802
1803 /* ---- Connection and data processing ---- */
1804
rfcomm_process_connect(struct rfcomm_session * s)1805 static void rfcomm_process_connect(struct rfcomm_session *s)
1806 {
1807 struct rfcomm_dlc *d, *n;
1808
1809 BT_DBG("session %p state %ld", s, s->state);
1810
1811 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1812 if (d->state == BT_CONFIG) {
1813 d->mtu = s->mtu;
1814 if (rfcomm_check_security(d)) {
1815 rfcomm_send_pn(s, 1, d);
1816 } else {
1817 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1818 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1819 }
1820 }
1821 }
1822 }
1823
1824 /* Send data queued for the DLC.
1825 * Return number of frames left in the queue.
1826 */
rfcomm_process_tx(struct rfcomm_dlc * d)1827 static int rfcomm_process_tx(struct rfcomm_dlc *d)
1828 {
1829 struct sk_buff *skb;
1830 int err;
1831
1832 BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1833 d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1834
1835 /* Send pending MSC */
1836 if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1837 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1838
1839 if (d->cfc) {
1840 /* CFC enabled.
1841 * Give them some credits */
1842 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1843 d->rx_credits <= (d->cfc >> 2)) {
1844 rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1845 d->rx_credits = d->cfc;
1846 }
1847 } else {
1848 /* CFC disabled.
1849 * Give ourselves some credits */
1850 d->tx_credits = 5;
1851 }
1852
1853 if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1854 return skb_queue_len(&d->tx_queue);
1855
1856 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1857 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1858 if (err < 0) {
1859 skb_queue_head(&d->tx_queue, skb);
1860 break;
1861 }
1862 kfree_skb(skb);
1863 d->tx_credits--;
1864 }
1865
1866 if (d->cfc && !d->tx_credits) {
1867 /* We're out of TX credits.
1868 * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1869 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1870 }
1871
1872 return skb_queue_len(&d->tx_queue);
1873 }
1874
rfcomm_process_dlcs(struct rfcomm_session * s)1875 static void rfcomm_process_dlcs(struct rfcomm_session *s)
1876 {
1877 struct rfcomm_dlc *d, *n;
1878
1879 BT_DBG("session %p state %ld", s, s->state);
1880
1881 list_for_each_entry_safe(d, n, &s->dlcs, list) {
1882 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1883 __rfcomm_dlc_close(d, ETIMEDOUT);
1884 continue;
1885 }
1886
1887 if (test_bit(RFCOMM_ENC_DROP, &d->flags)) {
1888 __rfcomm_dlc_close(d, ECONNREFUSED);
1889 continue;
1890 }
1891
1892 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1893 rfcomm_dlc_clear_timer(d);
1894 if (d->out) {
1895 rfcomm_send_pn(s, 1, d);
1896 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1897 } else {
1898 if (d->defer_setup) {
1899 set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1900 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1901
1902 rfcomm_dlc_lock(d);
1903 d->state = BT_CONNECT2;
1904 d->state_change(d, 0);
1905 rfcomm_dlc_unlock(d);
1906 } else
1907 rfcomm_dlc_accept(d);
1908 }
1909 continue;
1910 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1911 rfcomm_dlc_clear_timer(d);
1912 if (!d->out)
1913 rfcomm_send_dm(s, d->dlci);
1914 else
1915 d->state = BT_CLOSED;
1916 __rfcomm_dlc_close(d, ECONNREFUSED);
1917 continue;
1918 }
1919
1920 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1921 continue;
1922
1923 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1924 continue;
1925
1926 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1927 d->mscex == RFCOMM_MSCEX_OK)
1928 rfcomm_process_tx(d);
1929 }
1930 }
1931
rfcomm_process_rx(struct rfcomm_session * s)1932 static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
1933 {
1934 struct socket *sock = s->sock;
1935 struct sock *sk = sock->sk;
1936 struct sk_buff *skb;
1937
1938 BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1939
1940 /* Get data directly from socket receive queue without copying it. */
1941 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1942 skb_orphan(skb);
1943 if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) {
1944 s = rfcomm_recv_frame(s, skb);
1945 if (!s)
1946 break;
1947 } else {
1948 kfree_skb(skb);
1949 }
1950 }
1951
1952 if (s && (sk->sk_state == BT_CLOSED))
1953 s = rfcomm_session_close(s, sk->sk_err);
1954
1955 return s;
1956 }
1957
rfcomm_accept_connection(struct rfcomm_session * s)1958 static void rfcomm_accept_connection(struct rfcomm_session *s)
1959 {
1960 struct socket *sock = s->sock, *nsock;
1961 int err;
1962
1963 /* Fast check for a new connection.
1964 * Avoids unnesesary socket allocations. */
1965 if (list_empty(&bt_sk(sock->sk)->accept_q))
1966 return;
1967
1968 BT_DBG("session %p", s);
1969
1970 err = kernel_accept(sock, &nsock, O_NONBLOCK);
1971 if (err < 0)
1972 return;
1973
1974 /* Set our callbacks */
1975 nsock->sk->sk_data_ready = rfcomm_l2data_ready;
1976 nsock->sk->sk_state_change = rfcomm_l2state_change;
1977
1978 s = rfcomm_session_add(nsock, BT_OPEN);
1979 if (s) {
1980 /* We should adjust MTU on incoming sessions.
1981 * L2CAP MTU minus UIH header and FCS. */
1982 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1983 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1984
1985 rfcomm_schedule();
1986 } else
1987 sock_release(nsock);
1988 }
1989
rfcomm_check_connection(struct rfcomm_session * s)1990 static struct rfcomm_session *rfcomm_check_connection(struct rfcomm_session *s)
1991 {
1992 struct sock *sk = s->sock->sk;
1993
1994 BT_DBG("%p state %ld", s, s->state);
1995
1996 switch (sk->sk_state) {
1997 case BT_CONNECTED:
1998 s->state = BT_CONNECT;
1999
2000 /* We can adjust MTU on outgoing sessions.
2001 * L2CAP MTU minus UIH header and FCS. */
2002 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
2003
2004 rfcomm_send_sabm(s, 0);
2005 break;
2006
2007 case BT_CLOSED:
2008 s = rfcomm_session_close(s, sk->sk_err);
2009 break;
2010 }
2011 return s;
2012 }
2013
rfcomm_process_sessions(void)2014 static void rfcomm_process_sessions(void)
2015 {
2016 struct rfcomm_session *s, *n;
2017
2018 rfcomm_lock();
2019
2020 list_for_each_entry_safe(s, n, &session_list, list) {
2021 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
2022 s->state = BT_DISCONN;
2023 rfcomm_send_disc(s, 0);
2024 continue;
2025 }
2026
2027 switch (s->state) {
2028 case BT_LISTEN:
2029 rfcomm_accept_connection(s);
2030 continue;
2031
2032 case BT_BOUND:
2033 s = rfcomm_check_connection(s);
2034 break;
2035
2036 default:
2037 s = rfcomm_process_rx(s);
2038 break;
2039 }
2040
2041 if (s)
2042 rfcomm_process_dlcs(s);
2043 }
2044
2045 rfcomm_unlock();
2046 }
2047
rfcomm_add_listener(bdaddr_t * ba)2048 static int rfcomm_add_listener(bdaddr_t *ba)
2049 {
2050 struct sockaddr_l2 addr;
2051 struct socket *sock;
2052 struct sock *sk;
2053 struct rfcomm_session *s;
2054 int err = 0;
2055
2056 /* Create socket */
2057 err = rfcomm_l2sock_create(&sock);
2058 if (err < 0) {
2059 BT_ERR("Create socket failed %d", err);
2060 return err;
2061 }
2062
2063 /* Bind socket */
2064 bacpy(&addr.l2_bdaddr, ba);
2065 addr.l2_family = AF_BLUETOOTH;
2066 addr.l2_psm = cpu_to_le16(L2CAP_PSM_RFCOMM);
2067 addr.l2_cid = 0;
2068 addr.l2_bdaddr_type = BDADDR_BREDR;
2069 err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2070 if (err < 0) {
2071 BT_ERR("Bind failed %d", err);
2072 goto failed;
2073 }
2074
2075 /* Set L2CAP options */
2076 sk = sock->sk;
2077 lock_sock(sk);
2078 l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2079 release_sock(sk);
2080
2081 /* Start listening on the socket */
2082 err = kernel_listen(sock, 10);
2083 if (err) {
2084 BT_ERR("Listen failed %d", err);
2085 goto failed;
2086 }
2087
2088 /* Add listening session */
2089 s = rfcomm_session_add(sock, BT_LISTEN);
2090 if (!s) {
2091 err = -ENOMEM;
2092 goto failed;
2093 }
2094
2095 return 0;
2096 failed:
2097 sock_release(sock);
2098 return err;
2099 }
2100
rfcomm_kill_listener(void)2101 static void rfcomm_kill_listener(void)
2102 {
2103 struct rfcomm_session *s, *n;
2104
2105 BT_DBG("");
2106
2107 list_for_each_entry_safe(s, n, &session_list, list)
2108 rfcomm_session_del(s);
2109 }
2110
rfcomm_run(void * unused)2111 static int rfcomm_run(void *unused)
2112 {
2113 DEFINE_WAIT_FUNC(wait, woken_wake_function);
2114 BT_DBG("");
2115
2116 set_user_nice(current, -10);
2117
2118 rfcomm_add_listener(BDADDR_ANY);
2119
2120 add_wait_queue(&rfcomm_wq, &wait);
2121 while (!kthread_should_stop()) {
2122
2123 /* Process stuff */
2124 rfcomm_process_sessions();
2125
2126 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
2127 }
2128 remove_wait_queue(&rfcomm_wq, &wait);
2129
2130 rfcomm_kill_listener();
2131
2132 return 0;
2133 }
2134
rfcomm_security_cfm(struct hci_conn * conn,u8 status,u8 encrypt)2135 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2136 {
2137 struct rfcomm_session *s;
2138 struct rfcomm_dlc *d, *n;
2139
2140 BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2141
2142 s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2143 if (!s)
2144 return;
2145
2146 list_for_each_entry_safe(d, n, &s->dlcs, list) {
2147 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2148 rfcomm_dlc_clear_timer(d);
2149 if (status || encrypt == 0x00) {
2150 set_bit(RFCOMM_ENC_DROP, &d->flags);
2151 continue;
2152 }
2153 }
2154
2155 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2156 if (d->sec_level == BT_SECURITY_MEDIUM) {
2157 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2158 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2159 continue;
2160 } else if (d->sec_level == BT_SECURITY_HIGH ||
2161 d->sec_level == BT_SECURITY_FIPS) {
2162 set_bit(RFCOMM_ENC_DROP, &d->flags);
2163 continue;
2164 }
2165 }
2166
2167 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2168 continue;
2169
2170 if (!status && hci_conn_check_secure(conn, d->sec_level))
2171 set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2172 else
2173 set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2174 }
2175
2176 rfcomm_schedule();
2177 }
2178
2179 static struct hci_cb rfcomm_cb = {
2180 .name = "RFCOMM",
2181 .security_cfm = rfcomm_security_cfm
2182 };
2183
rfcomm_dlc_debugfs_show(struct seq_file * f,void * x)2184 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2185 {
2186 struct rfcomm_session *s;
2187
2188 rfcomm_lock();
2189
2190 list_for_each_entry(s, &session_list, list) {
2191 struct l2cap_chan *chan = l2cap_pi(s->sock->sk)->chan;
2192 struct rfcomm_dlc *d;
2193 list_for_each_entry(d, &s->dlcs, list) {
2194 seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
2195 &chan->src, &chan->dst,
2196 d->state, d->dlci, d->mtu,
2197 d->rx_credits, d->tx_credits);
2198 }
2199 }
2200
2201 rfcomm_unlock();
2202
2203 return 0;
2204 }
2205
2206 DEFINE_SHOW_ATTRIBUTE(rfcomm_dlc_debugfs);
2207
2208 static struct dentry *rfcomm_dlc_debugfs;
2209
2210 /* ---- Initialization ---- */
rfcomm_init(void)2211 static int __init rfcomm_init(void)
2212 {
2213 int err;
2214
2215 hci_register_cb(&rfcomm_cb);
2216
2217 rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2218 if (IS_ERR(rfcomm_thread)) {
2219 err = PTR_ERR(rfcomm_thread);
2220 goto unregister;
2221 }
2222
2223 err = rfcomm_init_ttys();
2224 if (err < 0)
2225 goto stop;
2226
2227 err = rfcomm_init_sockets();
2228 if (err < 0)
2229 goto cleanup;
2230
2231 BT_INFO("RFCOMM ver %s", VERSION);
2232
2233 if (IS_ERR_OR_NULL(bt_debugfs))
2234 return 0;
2235
2236 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2237 bt_debugfs, NULL,
2238 &rfcomm_dlc_debugfs_fops);
2239
2240 return 0;
2241
2242 cleanup:
2243 rfcomm_cleanup_ttys();
2244
2245 stop:
2246 kthread_stop(rfcomm_thread);
2247
2248 unregister:
2249 hci_unregister_cb(&rfcomm_cb);
2250
2251 return err;
2252 }
2253
rfcomm_exit(void)2254 static void __exit rfcomm_exit(void)
2255 {
2256 debugfs_remove(rfcomm_dlc_debugfs);
2257
2258 hci_unregister_cb(&rfcomm_cb);
2259
2260 kthread_stop(rfcomm_thread);
2261
2262 rfcomm_cleanup_ttys();
2263
2264 rfcomm_cleanup_sockets();
2265 }
2266
2267 module_init(rfcomm_init);
2268 module_exit(rfcomm_exit);
2269
2270 module_param(disable_cfc, bool, 0644);
2271 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2272
2273 module_param(channel_mtu, int, 0644);
2274 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2275
2276 module_param(l2cap_mtu, uint, 0644);
2277 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2278
2279 module_param(l2cap_ertm, bool, 0644);
2280 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2281
2282 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2283 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2284 MODULE_VERSION(VERSION);
2285 MODULE_LICENSE("GPL");
2286 MODULE_ALIAS("bt-proto-3");
2287