net/bluetooth/rfcomm/core.c

   1 /*
   2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License version 2 as
   8    published by the Free Software Foundation;
   9
  10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18
  19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21    SOFTWARE IS DISCLAIMED.
  22 */
  23
  24 /*
  25  * Bluetooth RFCOMM core.
  26  */
  27
  28 #include <linux/module.h>
  29 #include <linux/errno.h>
  30 #include <linux/kernel.h>
  31 #include <linux/sched.h>
  32 #include <linux/signal.h>
  33 #include <linux/init.h>
  34 #include <linux/wait.h>
  35 #include <linux/device.h>
  36 #include <linux/debugfs.h>
  37 #include <linux/seq_file.h>
  38 #include <linux/net.h>
  39 #include <linux/mutex.h>
  40 #include <linux/kthread.h>
  41 #include <linux/slab.h>
  42
  43 #include <net/sock.h>
  44 #include <linux/uaccess.h>
  45 #include <asm/unaligned.h>
  46
  47 #include <net/bluetooth/bluetooth.h>
  48 #include <net/bluetooth/hci_core.h>
  49 #include <net/bluetooth/l2cap.h>
  50 #include <net/bluetooth/rfcomm.h>
  51
  52 #define VERSION "1.11"
  53
  54 static int disable_cfc;
  55 static int l2cap_ertm;
  56 static int channel_mtu = -1;
  57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
  58
  59 static struct task_struct *rfcomm_thread;
  60
  61 static DEFINE_MUTEX(rfcomm_mutex);
  62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
  63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
  64
  65
  66 static LIST_HEAD(session_list);
  67
  68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
  69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
  70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
  71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
  72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
  73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
  74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
  75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
  76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
  77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
  78
  79 static void rfcomm_process_connect(struct rfcomm_session *s);
  80
  81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
  82                                                         bdaddr_t *dst,
  83                                                         u8 sec_level,
  84                                                         int *err);
  85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
  86 static void rfcomm_session_del(struct rfcomm_session *s);
  87
  88 /* ---- RFCOMM frame parsing macros ---- */
  89 #define __get_dlci(b)     ((b & 0xfc) >> 2)
  90 #define __get_channel(b)  ((b & 0xf8) >> 3)
  91 #define __get_dir(b)      ((b & 0x04) >> 2)
  92 #define __get_type(b)     ((b & 0xef))
  93
  94 #define __test_ea(b)      ((b & 0x01))
  95 #define __test_cr(b)      ((b & 0x02))
  96 #define __test_pf(b)      ((b & 0x10))
  97
  98 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
  99 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
 100 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
 101 #define __srv_channel(dlci)    (dlci >> 1)
 102 #define __dir(dlci)            (dlci & 0x01)
 103
 104 #define __len8(len)       (((len) << 1) | 1)
 105 #define __len16(len)      ((len) << 1)
 106
 107 /* MCC macros */
 108 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
 109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
 110 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
 111
 112 /* RPN macros */
 113 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
 114 #define __get_rpn_data_bits(line) ((line) & 0x3)
 115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
 116 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
 117
 118 static inline void rfcomm_schedule(void)
 119 {
 120         if (!rfcomm_thread)
 121                 return;
 122         wake_up_process(rfcomm_thread);
 123 }
 124
 125 static inline void rfcomm_session_put(struct rfcomm_session *s)
 126 {
 127         if (atomic_dec_and_test(&s->refcnt))
 128                 rfcomm_session_del(s);
 129 }
 130
 131 /* ---- RFCOMM FCS computation ---- */
 132
 133 /* reversed, 8-bit, poly=0x07 */
 134 static unsigned char rfcomm_crc_table[256] = {
 135         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
 136         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
 137         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
 138         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
 139
 140         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
 141         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
 142         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
 143         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
 144
 145         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
 146         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
 147         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
 148         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
 149
 150         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
 151         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
 152         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
 153         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
 154
 155         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
 156         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
 157         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
 158         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
 159
 160         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
 161         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
 162         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
 163         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
 164
 165         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
 166         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
 167         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
 168         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
 169
 170         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
 171         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
 172         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
 173         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
 174 };
 175
 176 /* CRC on 2 bytes */
 177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
 178
 179 /* FCS on 2 bytes */
 180 static inline u8 __fcs(u8 *data)
 181 {
 182         return 0xff - __crc(data);
 183 }
 184
 185 /* FCS on 3 bytes */
 186 static inline u8 __fcs2(u8 *data)
 187 {
 188         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
 189 }
 190
 191 /* Check FCS */
 192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
 193 {
 194         u8 f = __crc(data);
 195
 196         if (type != RFCOMM_UIH)
 197                 f = rfcomm_crc_table[f ^ data[2]];
 198
 199         return rfcomm_crc_table[f ^ fcs] != 0xcf;
 200 }
 201
 202 /* ---- L2CAP callbacks ---- */
 203 static void rfcomm_l2state_change(struct sock *sk)
 204 {
 205         BT_DBG("%p state %d", sk, sk->sk_state);
 206         rfcomm_schedule();
 207 }
 208
 209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
 210 {
 211         BT_DBG("%p bytes %d", sk, bytes);
 212         rfcomm_schedule();
 213 }
 214
 215 static int rfcomm_l2sock_create(struct socket **sock)
 216 {
 217         int err;
 218
 219         BT_DBG("");
 220
 221         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
 222         if (!err) {
 223                 struct sock *sk = (*sock)->sk;
 224                 sk->sk_data_ready   = rfcomm_l2data_ready;
 225                 sk->sk_state_change = rfcomm_l2state_change;
 226         }
 227         return err;
 228 }
 229
 230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
 231 {
 232         struct sock *sk = d->session->sock->sk;
 233         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
 234
 235         __u8 auth_type;
 236
 237         switch (d->sec_level) {
 238         case BT_SECURITY_HIGH:
 239                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
 240                 break;
 241         case BT_SECURITY_MEDIUM:
 242                 auth_type = HCI_AT_GENERAL_BONDING;
 243                 break;
 244         default:
 245                 auth_type = HCI_AT_NO_BONDING;
 246                 break;
 247         }
 248
 249         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
 250 }
 251
 252 static void rfcomm_session_timeout(unsigned long arg)
 253 {
 254         struct rfcomm_session *s = (void *) arg;
 255
 256         BT_DBG("session %p state %ld", s, s->state);
 257
 258         set_bit(RFCOMM_TIMED_OUT, &s->flags);
 259         rfcomm_schedule();
 260 }
 261
 262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
 263 {
 264         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
 265
 266         if (!mod_timer(&s->timer, jiffies + timeout))
 267                 rfcomm_session_hold(s);
 268 }
 269
 270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
 271 {
 272         BT_DBG("session %p state %ld", s, s->state);
 273
 274         if (timer_pending(&s->timer) && del_timer(&s->timer))
 275                 rfcomm_session_put(s);
 276 }
 277
 278 /* ---- RFCOMM DLCs ---- */
 279 static void rfcomm_dlc_timeout(unsigned long arg)
 280 {
 281         struct rfcomm_dlc *d = (void *) arg;
 282
 283         BT_DBG("dlc %p state %ld", d, d->state);
 284
 285         set_bit(RFCOMM_TIMED_OUT, &d->flags);
 286         rfcomm_dlc_put(d);
 287         rfcomm_schedule();
 288 }
 289
 290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
 291 {
 292         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
 293
 294         if (!mod_timer(&d->timer, jiffies + timeout))
 295                 rfcomm_dlc_hold(d);
 296 }
 297
 298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
 299 {
 300         BT_DBG("dlc %p state %ld", d, d->state);
 301
 302         if (timer_pending(&d->timer) && del_timer(&d->timer))
 303                 rfcomm_dlc_put(d);
 304 }
 305
 306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
 307 {
 308         BT_DBG("%p", d);
 309
 310         d->state      = BT_OPEN;
 311         d->flags      = 0;
 312         d->mscex      = 0;
 313         d->sec_level  = BT_SECURITY_LOW;
 314         d->mtu        = RFCOMM_DEFAULT_MTU;
 315         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
 316
 317         d->cfc        = RFCOMM_CFC_DISABLED;
 318         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
 319 }
 320
 321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
 322 {
 323         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
 324
 325         if (!d)
 326                 return NULL;
 327
 328         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
 329
 330         skb_queue_head_init(&d->tx_queue);
 331         spin_lock_init(&d->lock);
 332         atomic_set(&d->refcnt, 1);
 333
 334         rfcomm_dlc_clear_state(d);
 335
 336         BT_DBG("%p", d);
 337
 338         return d;
 339 }
 340
 341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
 342 {
 343         BT_DBG("%p", d);
 344
 345         skb_queue_purge(&d->tx_queue);
 346         kfree(d);
 347 }
 348
 349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
 350 {
 351         BT_DBG("dlc %p session %p", d, s);
 352
 353         rfcomm_session_hold(s);
 354
 355         rfcomm_session_clear_timer(s);
 356         rfcomm_dlc_hold(d);
 357         list_add(&d->list, &s->dlcs);
 358         d->session = s;
 359 }
 360
 361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
 362 {
 363         struct rfcomm_session *s = d->session;
 364
 365         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
 366
 367         list_del(&d->list);
 368         d->session = NULL;
 369         rfcomm_dlc_put(d);
 370
 371         if (list_empty(&s->dlcs))
 372                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
 373
 374         rfcomm_session_put(s);
 375 }
 376
 377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
 378 {
 379         struct rfcomm_dlc *d;
 380         struct list_head *p;
 381
 382         list_for_each(p, &s->dlcs) {
 383                 d = list_entry(p, struct rfcomm_dlc, list);
 384                 if (d->dlci == dlci)
 385                         return d;
 386         }
 387         return NULL;
 388 }
 389
 390 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 391 {
 392         struct rfcomm_session *s;
 393         int err = 0;
 394         u8 dlci;
 395
 396         BT_DBG("dlc %p state %ld %s %s channel %d",
 397                         d, d->state, batostr(src), batostr(dst), channel);
 398
 399         if (channel < 1 || channel > 30)
 400                 return -EINVAL;
 401
 402         if (d->state != BT_OPEN && d->state != BT_CLOSED)
 403                 return 0;
 404
 405         s = rfcomm_session_get(src, dst);
 406         if (!s) {
 407                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
 408                 if (!s)
 409                         return err;
 410         }
 411
 412         /* After L2sock created, increase refcnt immediately
 413         * It can make connection drop in rfcomm_security_cfm because of refcnt.
 414         */
 415         rfcomm_session_hold(s);
 416
 417         dlci = __dlci(!s->initiator, channel);
 418
 419         /* Check if DLCI already exists */
 420         if (rfcomm_dlc_get(s, dlci)) {
 421                 /* decrement refcnt */
 422                 rfcomm_session_put(s);
 423                 return -EBUSY;
 424         }
 425
 426         rfcomm_dlc_clear_state(d);
 427
 428         d->dlci     = dlci;
 429         d->addr     = __addr(s->initiator, dlci);
 430         d->priority = 7;
 431
 432         d->state = BT_CONFIG;
 433         rfcomm_dlc_link(s, d);
 434
 435         d->out = 1;
 436
 437         d->mtu = s->mtu;
 438         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
 439
 440         /* decrement refcnt */
 441         rfcomm_session_put(s);
 442
 443         if (s->state == BT_CONNECTED) {
 444                 if (rfcomm_check_security(d))
 445                         rfcomm_send_pn(s, 1, d);
 446                 else
 447                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
 448         }
 449
 450         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
 451
 452         return 0;
 453 }
 454
 455 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
 456 {
 457         int r;
 458
 459         rfcomm_lock();
 460
 461         r = __rfcomm_dlc_open(d, src, dst, channel);
 462
 463         rfcomm_unlock();
 464         return r;
 465 }
 466
 467 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 468 {
 469         struct rfcomm_session *s = d->session;
 470         if (!s)
 471                 return 0;
 472
 473         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
 474                         d, d->state, d->dlci, err, s);
 475
 476         switch (d->state) {
 477         case BT_CONNECT:
 478                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 479                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 480                         rfcomm_schedule();
 481                         break;
 482                 }
 483                 /* Fall through */
 484
 485         case BT_CONNECTED:
 486                 d->state = BT_DISCONN;
 487                 if (skb_queue_empty(&d->tx_queue)) {
 488                         rfcomm_send_disc(s, d->dlci);
 489                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
 490                 } else {
 491                         rfcomm_queue_disc(d);
 492                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
 493                 }
 494                 break;
 495
 496         case BT_OPEN:
 497         case BT_CONNECT2:
 498                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 499                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
 500                         rfcomm_schedule();
 501                         break;
 502                 }
 503                 /* Fall through */
 504
 505         default:
 506                 rfcomm_dlc_clear_timer(d);
 507
 508                 rfcomm_dlc_lock(d);
 509                 d->state = BT_CLOSED;
 510                 d->state_change(d, err);
 511                 rfcomm_dlc_unlock(d);
 512
 513                 skb_queue_purge(&d->tx_queue);
 514                 rfcomm_dlc_unlink(d);
 515         }
 516
 517         return 0;
 518 }
 519
 520 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
 521 {
 522         int r;
 523
 524         rfcomm_lock();
 525
 526         r = __rfcomm_dlc_close(d, err);
 527
 528         rfcomm_unlock();
 529         return r;
 530 }
 531
 532 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
 533 {
 534         int len = skb->len;
 535
 536         if (d->state != BT_CONNECTED)
 537                 return -ENOTCONN;
 538
 539         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
 540
 541         if (len > d->mtu)
 542                 return -EINVAL;
 543
 544         rfcomm_make_uih(skb, d->addr);
 545         skb_queue_tail(&d->tx_queue, skb);
 546
 547         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
 548                 rfcomm_schedule();
 549         return len;
 550 }
 551
 552 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
 553 {
 554         BT_DBG("dlc %p state %ld", d, d->state);
 555
 556         if (!d->cfc) {
 557                 d->v24_sig |= RFCOMM_V24_FC;
 558                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 559         }
 560         rfcomm_schedule();
 561 }
 562
 563 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
 564 {
 565         BT_DBG("dlc %p state %ld", d, d->state);
 566
 567         if (!d->cfc) {
 568                 d->v24_sig &= ~RFCOMM_V24_FC;
 569                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
 570         }
 571         rfcomm_schedule();
 572 }
 573
 574 /*
 575    Set/get modem status functions use _local_ status i.e. what we report
 576    to the other side.
 577    Remote status is provided by dlc->modem_status() callback.
 578  */
 579 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
 580 {
 581         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 582                         d, d->state, v24_sig);
 583
 584         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
 585                 v24_sig |= RFCOMM_V24_FC;
 586         else
 587                 v24_sig &= ~RFCOMM_V24_FC;
 588
 589         d->v24_sig = v24_sig;
 590
 591         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
 592                 rfcomm_schedule();
 593
 594         return 0;
 595 }
 596
 597 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
 598 {
 599         BT_DBG("dlc %p state %ld v24_sig 0x%x",
 600                         d, d->state, d->v24_sig);
 601
 602         *v24_sig = d->v24_sig;
 603         return 0;
 604 }
 605
 606 /* ---- RFCOMM sessions ---- */
 607 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
 608 {
 609         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
 610
 611         if (!s)
 612                 return NULL;
 613
 614         BT_DBG("session %p sock %p", s, sock);
 615
 616         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
 617
 618         INIT_LIST_HEAD(&s->dlcs);
 619         s->state = state;
 620         s->sock  = sock;
 621
 622         s->mtu = RFCOMM_DEFAULT_MTU;
 623         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
 624
 625         /* Do not increment module usage count for listening sessions.
 626          * Otherwise we won't be able to unload the module. */
 627         if (state != BT_LISTEN)
 628                 if (!try_module_get(THIS_MODULE)) {
 629                         kfree(s);
 630                         return NULL;
 631                 }
 632
 633         list_add(&s->list, &session_list);
 634
 635         return s;
 636 }
 637
 638 static void rfcomm_session_del(struct rfcomm_session *s)
 639 {
 640         int state = s->state;
 641
 642         BT_DBG("session %p state %ld", s, s->state);
 643
 644         list_del(&s->list);
 645
 646         if (state == BT_CONNECTED)
 647                 rfcomm_send_disc(s, 0);
 648
 649         rfcomm_session_clear_timer(s);
 650         sock_release(s->sock);
 651         kfree(s);
 652
 653         if (state != BT_LISTEN)
 654                 module_put(THIS_MODULE);
 655 }
 656
 657 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
 658 {
 659         struct rfcomm_session *s;
 660         struct list_head *p, *n;
 661         struct bt_sock *sk;
 662         list_for_each_safe(p, n, &session_list) {
 663                 s = list_entry(p, struct rfcomm_session, list);
 664                 sk = bt_sk(s->sock->sk);
 665
 666                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
 667                                 !bacmp(&sk->dst, dst))
 668                         return s;
 669         }
 670         return NULL;
 671 }
 672
 673 static void rfcomm_session_close(struct rfcomm_session *s, int err)
 674 {
 675         struct rfcomm_dlc *d;
 676         struct list_head *p, *n;
 677
 678         BT_DBG("session %p state %ld err %d", s, s->state, err);
 679
 680         rfcomm_session_hold(s);
 681
 682         s->state = BT_CLOSED;
 683
 684         /* Close all dlcs */
 685         list_for_each_safe(p, n, &s->dlcs) {
 686                 d = list_entry(p, struct rfcomm_dlc, list);
 687                 d->state = BT_CLOSED;
 688                 __rfcomm_dlc_close(d, err);
 689         }
 690
 691         rfcomm_session_clear_timer(s);
 692         rfcomm_session_put(s);
 693 }
 694
 695 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 696                                                         bdaddr_t *dst,
 697                                                         u8 sec_level,
 698                                                         int *err)
 699 {
 700         struct rfcomm_session *s = NULL;
 701         struct sockaddr_l2 addr;
 702         struct socket *sock;
 703         struct sock *sk;
 704
 705         BT_DBG("%s %s", batostr(src), batostr(dst));
 706
 707         *err = rfcomm_l2sock_create(&sock);
 708         if (*err < 0)
 709                 return NULL;
 710
 711         bacpy(&addr.l2_bdaddr, src);
 712         addr.l2_family = AF_BLUETOOTH;
 713         addr.l2_psm    = 0;
 714         addr.l2_cid    = 0;
 715         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 716         if (*err < 0)
 717                 goto failed;
 718
 719         /* Set L2CAP options */
 720         sk = sock->sk;
 721         lock_sock(sk);
 722         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
 723         l2cap_pi(sk)->chan->sec_level = sec_level;
 724         if (l2cap_ertm)
 725                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
 726         release_sock(sk);
 727
 728         s = rfcomm_session_add(sock, BT_BOUND);
 729         if (!s) {
 730                 *err = -ENOMEM;
 731                 goto failed;
 732         }
 733
 734         s->initiator = 1;
 735
 736         bacpy(&addr.l2_bdaddr, dst);
 737         addr.l2_family = AF_BLUETOOTH;
 738         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
 739         addr.l2_cid    = 0;
 740         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
 741         if (*err == 0 || *err == -EINPROGRESS)
 742                 return s;
 743
 744         rfcomm_session_del(s);
 745         return NULL;
 746
 747 failed:
 748         sock_release(sock);
 749         return NULL;
 750 }
 751
 752 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
 753 {
 754         struct sock *sk = s->sock->sk;
 755         if (src)
 756                 bacpy(src, &bt_sk(sk)->src);
 757         if (dst)
 758                 bacpy(dst, &bt_sk(sk)->dst);
 759 }
 760
 761 /* ---- RFCOMM frame sending ---- */
 762 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
 763 {
 764         struct socket *sock = s->sock;
 765         struct kvec iv = { data, len };
 766         struct msghdr msg;
 767
 768         BT_DBG("session %p len %d", s, len);
 769
 770         memset(&msg, 0, sizeof(msg));
 771
 772         return kernel_sendmsg(sock, &msg, &iv, 1, len);
 773 }
 774
 775 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
 776 {
 777         struct rfcomm_cmd cmd;
 778
 779         BT_DBG("%p dlci %d", s, dlci);
 780
 781         cmd.addr = __addr(s->initiator, dlci);
 782         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
 783         cmd.len  = __len8(0);
 784         cmd.fcs  = __fcs2((u8 *) &cmd);
 785
 786         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 787 }
 788
 789 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
 790 {
 791         struct rfcomm_cmd cmd;
 792
 793         BT_DBG("%p dlci %d", s, dlci);
 794
 795         cmd.addr = __addr(!s->initiator, dlci);
 796         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
 797         cmd.len  = __len8(0);
 798         cmd.fcs  = __fcs2((u8 *) &cmd);
 799
 800         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 801 }
 802
 803 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
 804 {
 805         struct rfcomm_cmd cmd;
 806
 807         BT_DBG("%p dlci %d", s, dlci);
 808
 809         cmd.addr = __addr(s->initiator, dlci);
 810         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
 811         cmd.len  = __len8(0);
 812         cmd.fcs  = __fcs2((u8 *) &cmd);
 813
 814         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 815 }
 816
 817 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
 818 {
 819         struct rfcomm_cmd *cmd;
 820         struct sk_buff *skb;
 821
 822         BT_DBG("dlc %p dlci %d", d, d->dlci);
 823
 824         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
 825         if (!skb)
 826                 return -ENOMEM;
 827
 828         cmd = (void *) __skb_put(skb, sizeof(*cmd));
 829         cmd->addr = d->addr;
 830         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
 831         cmd->len  = __len8(0);
 832         cmd->fcs  = __fcs2((u8 *) cmd);
 833
 834         skb_queue_tail(&d->tx_queue, skb);
 835         rfcomm_schedule();
 836         return 0;
 837 }
 838
 839 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
 840 {
 841         struct rfcomm_cmd cmd;
 842
 843         BT_DBG("%p dlci %d", s, dlci);
 844
 845         cmd.addr = __addr(!s->initiator, dlci);
 846         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
 847         cmd.len  = __len8(0);
 848         cmd.fcs  = __fcs2((u8 *) &cmd);
 849
 850         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
 851 }
 852
 853 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
 854 {
 855         struct rfcomm_hdr *hdr;
 856         struct rfcomm_mcc *mcc;
 857         u8 buf[16], *ptr = buf;
 858
 859         BT_DBG("%p cr %d type %d", s, cr, type);
 860
 861         hdr = (void *) ptr; ptr += sizeof(*hdr);
 862         hdr->addr = __addr(s->initiator, 0);
 863         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 864         hdr->len  = __len8(sizeof(*mcc) + 1);
 865
 866         mcc = (void *) ptr; ptr += sizeof(*mcc);
 867         mcc->type = __mcc_type(cr, RFCOMM_NSC);
 868         mcc->len  = __len8(1);
 869
 870         /* Type that we didn't like */
 871         *ptr = __mcc_type(cr, type); ptr++;
 872
 873         *ptr = __fcs(buf); ptr++;
 874
 875         return rfcomm_send_frame(s, buf, ptr - buf);
 876 }
 877
 878 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
 879 {
 880         struct rfcomm_hdr *hdr;
 881         struct rfcomm_mcc *mcc;
 882         struct rfcomm_pn  *pn;
 883         u8 buf[16], *ptr = buf;
 884
 885         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
 886
 887         hdr = (void *) ptr; ptr += sizeof(*hdr);
 888         hdr->addr = __addr(s->initiator, 0);
 889         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 890         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
 891
 892         mcc = (void *) ptr; ptr += sizeof(*mcc);
 893         mcc->type = __mcc_type(cr, RFCOMM_PN);
 894         mcc->len  = __len8(sizeof(*pn));
 895
 896         pn = (void *) ptr; ptr += sizeof(*pn);
 897         pn->dlci        = d->dlci;
 898         pn->priority    = d->priority;
 899         pn->ack_timer   = 0;
 900         pn->max_retrans = 0;
 901
 902         if (s->cfc) {
 903                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
 904                 pn->credits = RFCOMM_DEFAULT_CREDITS;
 905         } else {
 906                 pn->flow_ctrl = 0;
 907                 pn->credits   = 0;
 908         }
 909
 910         if (cr && channel_mtu >= 0)
 911                 pn->mtu = cpu_to_le16(channel_mtu);
 912         else
 913                 pn->mtu = cpu_to_le16(d->mtu);
 914
 915         *ptr = __fcs(buf); ptr++;
 916
 917         return rfcomm_send_frame(s, buf, ptr - buf);
 918 }
 919
 920 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
 921                         u8 bit_rate, u8 data_bits, u8 stop_bits,
 922                         u8 parity, u8 flow_ctrl_settings,
 923                         u8 xon_char, u8 xoff_char, u16 param_mask)
 924 {
 925         struct rfcomm_hdr *hdr;
 926         struct rfcomm_mcc *mcc;
 927         struct rfcomm_rpn *rpn;
 928         u8 buf[16], *ptr = buf;
 929
 930         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
 931                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
 932                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
 933                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
 934
 935         hdr = (void *) ptr; ptr += sizeof(*hdr);
 936         hdr->addr = __addr(s->initiator, 0);
 937         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 938         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
 939
 940         mcc = (void *) ptr; ptr += sizeof(*mcc);
 941         mcc->type = __mcc_type(cr, RFCOMM_RPN);
 942         mcc->len  = __len8(sizeof(*rpn));
 943
 944         rpn = (void *) ptr; ptr += sizeof(*rpn);
 945         rpn->dlci          = __addr(1, dlci);
 946         rpn->bit_rate      = bit_rate;
 947         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
 948         rpn->flow_ctrl     = flow_ctrl_settings;
 949         rpn->xon_char      = xon_char;
 950         rpn->xoff_char     = xoff_char;
 951         rpn->param_mask    = cpu_to_le16(param_mask);
 952
 953         *ptr = __fcs(buf); ptr++;
 954
 955         return rfcomm_send_frame(s, buf, ptr - buf);
 956 }
 957
 958 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
 959 {
 960         struct rfcomm_hdr *hdr;
 961         struct rfcomm_mcc *mcc;
 962         struct rfcomm_rls *rls;
 963         u8 buf[16], *ptr = buf;
 964
 965         BT_DBG("%p cr %d status 0x%x", s, cr, status);
 966
 967         hdr = (void *) ptr; ptr += sizeof(*hdr);
 968         hdr->addr = __addr(s->initiator, 0);
 969         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 970         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
 971
 972         mcc = (void *) ptr; ptr += sizeof(*mcc);
 973         mcc->type = __mcc_type(cr, RFCOMM_RLS);
 974         mcc->len  = __len8(sizeof(*rls));
 975
 976         rls = (void *) ptr; ptr += sizeof(*rls);
 977         rls->dlci   = __addr(1, dlci);
 978         rls->status = status;
 979
 980         *ptr = __fcs(buf); ptr++;
 981
 982         return rfcomm_send_frame(s, buf, ptr - buf);
 983 }
 984
 985 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
 986 {
 987         struct rfcomm_hdr *hdr;
 988         struct rfcomm_mcc *mcc;
 989         struct rfcomm_msc *msc;
 990         u8 buf[16], *ptr = buf;
 991
 992         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
 993
 994         hdr = (void *) ptr; ptr += sizeof(*hdr);
 995         hdr->addr = __addr(s->initiator, 0);
 996         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
 997         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
 998
 999         mcc = (void *) ptr; ptr += sizeof(*mcc);
1000         mcc->type = __mcc_type(cr, RFCOMM_MSC);
1001         mcc->len  = __len8(sizeof(*msc));
1002
1003         msc = (void *) ptr; ptr += sizeof(*msc);
1004         msc->dlci    = __addr(1, dlci);
1005         msc->v24_sig = v24_sig | 0x01;
1006
1007         *ptr = __fcs(buf); ptr++;
1008
1009         return rfcomm_send_frame(s, buf, ptr - buf);
1010 }
1011
1012 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1013 {
1014         struct rfcomm_hdr *hdr;
1015         struct rfcomm_mcc *mcc;
1016         u8 buf[16], *ptr = buf;
1017
1018         BT_DBG("%p cr %d", s, cr);
1019
1020         hdr = (void *) ptr; ptr += sizeof(*hdr);
1021         hdr->addr = __addr(s->initiator, 0);
1022         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1023         hdr->len  = __len8(sizeof(*mcc));
1024
1025         mcc = (void *) ptr; ptr += sizeof(*mcc);
1026         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1027         mcc->len  = __len8(0);
1028
1029         *ptr = __fcs(buf); ptr++;
1030
1031         return rfcomm_send_frame(s, buf, ptr - buf);
1032 }
1033
1034 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1035 {
1036         struct rfcomm_hdr *hdr;
1037         struct rfcomm_mcc *mcc;
1038         u8 buf[16], *ptr = buf;
1039
1040         BT_DBG("%p cr %d", s, cr);
1041
1042         hdr = (void *) ptr; ptr += sizeof(*hdr);
1043         hdr->addr = __addr(s->initiator, 0);
1044         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1045         hdr->len  = __len8(sizeof(*mcc));
1046
1047         mcc = (void *) ptr; ptr += sizeof(*mcc);
1048         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1049         mcc->len  = __len8(0);
1050
1051         *ptr = __fcs(buf); ptr++;
1052
1053         return rfcomm_send_frame(s, buf, ptr - buf);
1054 }
1055
1056 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1057 {
1058         struct socket *sock = s->sock;
1059         struct kvec iv[3];
1060         struct msghdr msg;
1061         unsigned char hdr[5], crc[1];
1062
1063         if (len > 125)
1064                 return -EINVAL;
1065
1066         BT_DBG("%p cr %d", s, cr);
1067
1068         hdr[0] = __addr(s->initiator, 0);
1069         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1070         hdr[2] = 0x01 | ((len + 2) << 1);
1071         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1072         hdr[4] = 0x01 | (len << 1);
1073
1074         crc[0] = __fcs(hdr);
1075
1076         iv[0].iov_base = hdr;
1077         iv[0].iov_len  = 5;
1078         iv[1].iov_base = pattern;
1079         iv[1].iov_len  = len;
1080         iv[2].iov_base = crc;
1081         iv[2].iov_len  = 1;
1082
1083         memset(&msg, 0, sizeof(msg));
1084
1085         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1086 }
1087
1088 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1089 {
1090         struct rfcomm_hdr *hdr;
1091         u8 buf[16], *ptr = buf;
1092
1093         BT_DBG("%p addr %d credits %d", s, addr, credits);
1094
1095         hdr = (void *) ptr; ptr += sizeof(*hdr);
1096         hdr->addr = addr;
1097         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1098         hdr->len  = __len8(0);
1099
1100         *ptr = credits; ptr++;
1101
1102         *ptr = __fcs(buf); ptr++;
1103
1104         return rfcomm_send_frame(s, buf, ptr - buf);
1105 }
1106
1107 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1108 {
1109         struct rfcomm_hdr *hdr;
1110         int len = skb->len;
1111         u8 *crc;
1112
1113         if (len > 127) {
1114                 hdr = (void *) skb_push(skb, 4);
1115                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1116         } else {
1117                 hdr = (void *) skb_push(skb, 3);
1118                 hdr->len = __len8(len);
1119         }
1120         hdr->addr = addr;
1121         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1122
1123         crc = skb_put(skb, 1);
1124         *crc = __fcs((void *) hdr);
1125 }
1126
1127 /* ---- RFCOMM frame reception ---- */
1128 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1129 {
1130         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1131
1132         if (dlci) {
1133                 /* Data channel */
1134                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1135                 if (!d) {
1136                         rfcomm_send_dm(s, dlci);
1137                         return 0;
1138                 }
1139
1140                 switch (d->state) {
1141                 case BT_CONNECT:
1142                         rfcomm_dlc_clear_timer(d);
1143
1144                         rfcomm_dlc_lock(d);
1145                         d->state = BT_CONNECTED;
1146                         d->state_change(d, 0);
1147                         rfcomm_dlc_unlock(d);
1148
1149                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1150                         break;
1151
1152                 case BT_DISCONN:
1153                         d->state = BT_CLOSED;
1154                         __rfcomm_dlc_close(d, 0);
1155
1156                         if (list_empty(&s->dlcs)) {
1157                                 s->state = BT_DISCONN;
1158                                 rfcomm_send_disc(s, 0);
1159                                 rfcomm_session_clear_timer(s);
1160                         }
1161
1162                         break;
1163                 }
1164         } else {
1165                 /* Control channel */
1166                 switch (s->state) {
1167                 case BT_CONNECT:
1168                         s->state = BT_CONNECTED;
1169                         rfcomm_process_connect(s);
1170                         break;
1171
1172                 case BT_DISCONN:
1173                         /* When socket is closed and we are not RFCOMM
1174                          * initiator rfcomm_process_rx already calls
1175                          * rfcomm_session_put() */
1176                         if (s->sock->sk->sk_state != BT_CLOSED && !s->initiator)
1177                                 if (list_empty(&s->dlcs))
1178                                         rfcomm_session_put(s);
1179                         break;
1180                 }
1181         }
1182         return 0;
1183 }
1184
1185 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1186 {
1187         int err = 0;
1188
1189         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1190
1191         if (dlci) {
1192                 /* Data DLC */
1193                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1194                 if (d) {
1195                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1196                                 err = ECONNREFUSED;
1197                         else
1198                                 err = ECONNRESET;
1199
1200                         d->state = BT_CLOSED;
1201                         __rfcomm_dlc_close(d, err);
1202                 }
1203         } else {
1204                 if (s->state == BT_CONNECT)
1205                         err = ECONNREFUSED;
1206                 else
1207                         err = ECONNRESET;
1208
1209                 s->state = BT_CLOSED;
1210                 rfcomm_session_close(s, err);
1211         }
1212         return 0;
1213 }
1214
1215 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1216 {
1217         int err = 0;
1218
1219         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1220
1221         if (dlci) {
1222                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1223                 if (d) {
1224                         rfcomm_send_ua(s, dlci);
1225
1226                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1227                                 err = ECONNREFUSED;
1228                         else
1229                                 err = ECONNRESET;
1230
1231                         d->state = BT_CLOSED;
1232                         __rfcomm_dlc_close(d, err);
1233                 } else
1234                         rfcomm_send_dm(s, dlci);
1235
1236         } else {
1237                 rfcomm_send_ua(s, 0);
1238
1239                 if (s->state == BT_CONNECT)
1240                         err = ECONNREFUSED;
1241                 else
1242                         err = ECONNRESET;
1243
1244                 s->state = BT_CLOSED;
1245                 rfcomm_session_close(s, err);
1246         }
1247
1248         return 0;
1249 }
1250
1251 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1252 {
1253         struct sock *sk = d->session->sock->sk;
1254         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1255
1256         BT_DBG("dlc %p", d);
1257
1258         rfcomm_send_ua(d->session, d->dlci);
1259
1260         rfcomm_dlc_clear_timer(d);
1261
1262         rfcomm_dlc_lock(d);
1263         d->state = BT_CONNECTED;
1264         d->state_change(d, 0);
1265         rfcomm_dlc_unlock(d);
1266
1267         if (d->role_switch)
1268                 hci_conn_switch_role(conn->hcon, 0x00);
1269
1270         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1271 }
1272
1273 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1274 {
1275         if (rfcomm_check_security(d)) {
1276                 if (d->defer_setup) {
1277                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1278                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1279
1280                         rfcomm_dlc_lock(d);
1281                         d->state = BT_CONNECT2;
1282                         d->state_change(d, 0);
1283                         rfcomm_dlc_unlock(d);
1284                 } else
1285                         rfcomm_dlc_accept(d);
1286         } else {
1287                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1288                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1289         }
1290 }
1291
1292 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1293 {
1294         struct rfcomm_dlc *d;
1295         u8 channel;
1296
1297         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1298
1299         if (!dlci) {
1300                 rfcomm_send_ua(s, 0);
1301
1302                 if (s->state == BT_OPEN) {
1303                         s->state = BT_CONNECTED;
1304                         rfcomm_process_connect(s);
1305                 }
1306                 return 0;
1307         }
1308
1309         /* Check if DLC exists */
1310         d = rfcomm_dlc_get(s, dlci);
1311         if (d) {
1312                 if (d->state == BT_OPEN) {
1313                         /* DLC was previously opened by PN request */
1314                         rfcomm_check_accept(d);
1315                 }
1316                 return 0;
1317         }
1318
1319         /* Notify socket layer about incoming connection */
1320         channel = __srv_channel(dlci);
1321         if (rfcomm_connect_ind(s, channel, &d)) {
1322                 d->dlci = dlci;
1323                 d->addr = __addr(s->initiator, dlci);
1324                 rfcomm_dlc_link(s, d);
1325
1326                 rfcomm_check_accept(d);
1327         } else {
1328                 rfcomm_send_dm(s, dlci);
1329         }
1330
1331         return 0;
1332 }
1333
1334 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1335 {
1336         struct rfcomm_session *s = d->session;
1337
1338         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1339                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1340
1341         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1342                                                 pn->flow_ctrl == 0xe0) {
1343                 d->cfc = RFCOMM_CFC_ENABLED;
1344                 d->tx_credits = pn->credits;
1345         } else {
1346                 d->cfc = RFCOMM_CFC_DISABLED;
1347                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1348         }
1349
1350         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1351                 s->cfc = d->cfc;
1352
1353         d->priority = pn->priority;
1354
1355         d->mtu = __le16_to_cpu(pn->mtu);
1356
1357         if (cr && d->mtu > s->mtu)
1358                 d->mtu = s->mtu;
1359
1360         return 0;
1361 }
1362
1363 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1364 {
1365         struct rfcomm_pn *pn = (void *) skb->data;
1366         struct rfcomm_dlc *d;
1367         u8 dlci = pn->dlci;
1368
1369         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1370
1371         if (!dlci)
1372                 return 0;
1373
1374         d = rfcomm_dlc_get(s, dlci);
1375         if (d) {
1376                 if (cr) {
1377                         /* PN request */
1378                         rfcomm_apply_pn(d, cr, pn);
1379                         rfcomm_send_pn(s, 0, d);
1380                 } else {
1381                         /* PN response */
1382                         switch (d->state) {
1383                         case BT_CONFIG:
1384                                 rfcomm_apply_pn(d, cr, pn);
1385
1386                                 d->state = BT_CONNECT;
1387                                 rfcomm_send_sabm(s, d->dlci);
1388                                 break;
1389                         }
1390                 }
1391         } else {
1392                 u8 channel = __srv_channel(dlci);
1393
1394                 if (!cr)
1395                         return 0;
1396
1397                 /* PN request for non existing DLC.
1398                  * Assume incoming connection. */
1399                 if (rfcomm_connect_ind(s, channel, &d)) {
1400                         d->dlci = dlci;
1401                         d->addr = __addr(s->initiator, dlci);
1402                         rfcomm_dlc_link(s, d);
1403
1404                         rfcomm_apply_pn(d, cr, pn);
1405
1406                         d->state = BT_OPEN;
1407                         rfcomm_send_pn(s, 0, d);
1408                 } else {
1409                         rfcomm_send_dm(s, dlci);
1410                 }
1411         }
1412         return 0;
1413 }
1414
1415 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1416 {
1417         struct rfcomm_rpn *rpn = (void *) skb->data;
1418         u8 dlci = __get_dlci(rpn->dlci);
1419
1420         u8 bit_rate  = 0;
1421         u8 data_bits = 0;
1422         u8 stop_bits = 0;
1423         u8 parity    = 0;
1424         u8 flow_ctrl = 0;
1425         u8 xon_char  = 0;
1426         u8 xoff_char = 0;
1427         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1428
1429         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1430                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1431                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1432
1433         if (!cr)
1434                 return 0;
1435
1436         if (len == 1) {
1437                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1438                 bit_rate  = RFCOMM_RPN_BR_9600;
1439                 data_bits = RFCOMM_RPN_DATA_8;
1440                 stop_bits = RFCOMM_RPN_STOP_1;
1441                 parity    = RFCOMM_RPN_PARITY_NONE;
1442                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1443                 xon_char  = RFCOMM_RPN_XON_CHAR;
1444                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1445                 goto rpn_out;
1446         }
1447
1448         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1449          * no parity, no flow control lines, normal XON/XOFF chars */
1450
1451         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1452                 bit_rate = rpn->bit_rate;
1453                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1454                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1455                         bit_rate = RFCOMM_RPN_BR_9600;
1456                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1457                 }
1458         }
1459
1460         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1461                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1462                 if (data_bits != RFCOMM_RPN_DATA_8) {
1463                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1464                         data_bits = RFCOMM_RPN_DATA_8;
1465                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1466                 }
1467         }
1468
1469         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1470                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1471                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1472                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1473                         stop_bits = RFCOMM_RPN_STOP_1;
1474                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1475                 }
1476         }
1477
1478         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1479                 parity = __get_rpn_parity(rpn->line_settings);
1480                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1481                         BT_DBG("RPN parity mismatch 0x%x", parity);
1482                         parity = RFCOMM_RPN_PARITY_NONE;
1483                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1484                 }
1485         }
1486
1487         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1488                 flow_ctrl = rpn->flow_ctrl;
1489                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1490                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1491                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1492                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1493                 }
1494         }
1495
1496         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1497                 xon_char = rpn->xon_char;
1498                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1499                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1500                         xon_char = RFCOMM_RPN_XON_CHAR;
1501                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1502                 }
1503         }
1504
1505         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1506                 xoff_char = rpn->xoff_char;
1507                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1508                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1509                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1510                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1511                 }
1512         }
1513
1514 rpn_out:
1515         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1516                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1517
1518         return 0;
1519 }
1520
1521 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1522 {
1523         struct rfcomm_rls *rls = (void *) skb->data;
1524         u8 dlci = __get_dlci(rls->dlci);
1525
1526         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1527
1528         if (!cr)
1529                 return 0;
1530
1531         /* We should probably do something with this information here. But
1532          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1533          * mandatory to recognise and respond to RLS */
1534
1535         rfcomm_send_rls(s, 0, dlci, rls->status);
1536
1537         return 0;
1538 }
1539
1540 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1541 {
1542         struct rfcomm_msc *msc = (void *) skb->data;
1543         struct rfcomm_dlc *d;
1544         u8 dlci = __get_dlci(msc->dlci);
1545
1546         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1547
1548         d = rfcomm_dlc_get(s, dlci);
1549         if (!d)
1550                 return 0;
1551
1552         if (cr) {
1553                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1554                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1555                 else
1556                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1557
1558                 rfcomm_dlc_lock(d);
1559
1560                 d->remote_v24_sig = msc->v24_sig;
1561
1562                 if (d->modem_status)
1563                         d->modem_status(d, msc->v24_sig);
1564
1565                 rfcomm_dlc_unlock(d);
1566
1567                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1568
1569                 d->mscex |= RFCOMM_MSCEX_RX;
1570         } else
1571                 d->mscex |= RFCOMM_MSCEX_TX;
1572
1573         return 0;
1574 }
1575
1576 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1577 {
1578         struct rfcomm_mcc *mcc = (void *) skb->data;
1579         u8 type, cr, len;
1580
1581         cr   = __test_cr(mcc->type);
1582         type = __get_mcc_type(mcc->type);
1583         len  = __get_mcc_len(mcc->len);
1584
1585         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1586
1587         skb_pull(skb, 2);
1588
1589         switch (type) {
1590         case RFCOMM_PN:
1591                 rfcomm_recv_pn(s, cr, skb);
1592                 break;
1593
1594         case RFCOMM_RPN:
1595                 rfcomm_recv_rpn(s, cr, len, skb);
1596                 break;
1597
1598         case RFCOMM_RLS:
1599                 rfcomm_recv_rls(s, cr, skb);
1600                 break;
1601
1602         case RFCOMM_MSC:
1603                 rfcomm_recv_msc(s, cr, skb);
1604                 break;
1605
1606         case RFCOMM_FCOFF:
1607                 if (cr) {
1608                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1609                         rfcomm_send_fcoff(s, 0);
1610                 }
1611                 break;
1612
1613         case RFCOMM_FCON:
1614                 if (cr) {
1615                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1616                         rfcomm_send_fcon(s, 0);
1617                 }
1618                 break;
1619
1620         case RFCOMM_TEST:
1621                 if (cr)
1622                         rfcomm_send_test(s, 0, skb->data, skb->len);
1623                 break;
1624
1625         case RFCOMM_NSC:
1626                 break;
1627
1628         default:
1629                 BT_ERR("Unknown control type 0x%02x", type);
1630                 rfcomm_send_nsc(s, cr, type);
1631                 break;
1632         }
1633         return 0;
1634 }
1635
1636 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1637 {
1638         struct rfcomm_dlc *d;
1639
1640         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1641
1642         d = rfcomm_dlc_get(s, dlci);
1643         if (!d) {
1644                 rfcomm_send_dm(s, dlci);
1645                 goto drop;
1646         }
1647
1648         if (pf && d->cfc) {
1649                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1650
1651                 d->tx_credits += credits;
1652                 if (d->tx_credits)
1653                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1654         }
1655
1656         if (skb->len && d->state == BT_CONNECTED) {
1657                 rfcomm_dlc_lock(d);
1658                 d->rx_credits--;
1659                 d->data_ready(d, skb);
1660                 rfcomm_dlc_unlock(d);
1661                 return 0;
1662         }
1663
1664 drop:
1665         kfree_skb(skb);
1666         return 0;
1667 }
1668
1669 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1670 {
1671         struct rfcomm_hdr *hdr = (void *) skb->data;
1672         u8 type, dlci, fcs;
1673
1674         dlci = __get_dlci(hdr->addr);
1675         type = __get_type(hdr->ctrl);
1676
1677         /* Trim FCS */
1678         skb->len--; skb->tail--;
1679         fcs = *(u8 *)skb_tail_pointer(skb);
1680
1681         if (__check_fcs(skb->data, type, fcs)) {
1682                 BT_ERR("bad checksum in packet");
1683                 kfree_skb(skb);
1684                 return -EILSEQ;
1685         }
1686
1687         if (__test_ea(hdr->len))
1688                 skb_pull(skb, 3);
1689         else
1690                 skb_pull(skb, 4);
1691
1692         switch (type) {
1693         case RFCOMM_SABM:
1694                 if (__test_pf(hdr->ctrl))
1695                         rfcomm_recv_sabm(s, dlci);
1696                 break;
1697
1698         case RFCOMM_DISC:
1699                 if (__test_pf(hdr->ctrl))
1700                         rfcomm_recv_disc(s, dlci);
1701                 break;
1702
1703         case RFCOMM_UA:
1704                 if (__test_pf(hdr->ctrl))
1705                         rfcomm_recv_ua(s, dlci);
1706                 break;
1707
1708         case RFCOMM_DM:
1709                 rfcomm_recv_dm(s, dlci);
1710                 break;
1711
1712         case RFCOMM_UIH:
1713                 if (dlci)
1714                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1715
1716                 rfcomm_recv_mcc(s, skb);
1717                 break;
1718
1719         default:
1720                 BT_ERR("Unknown packet type 0x%02x", type);
1721                 break;
1722         }
1723         kfree_skb(skb);
1724         return 0;
1725 }
1726
1727 /* ---- Connection and data processing ---- */
1728
1729 static void rfcomm_process_connect(struct rfcomm_session *s)
1730 {
1731         struct rfcomm_dlc *d;
1732         struct list_head *p, *n;
1733
1734         BT_DBG("session %p state %ld", s, s->state);
1735
1736         list_for_each_safe(p, n, &s->dlcs) {
1737                 d = list_entry(p, struct rfcomm_dlc, list);
1738                 if (d->state == BT_CONFIG) {
1739                         d->mtu = s->mtu;
1740                         if (rfcomm_check_security(d)) {
1741                                 rfcomm_send_pn(s, 1, d);
1742                         } else {
1743                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1744                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1745                         }
1746                 }
1747         }
1748 }
1749
1750 /* Send data queued for the DLC.
1751  * Return number of frames left in the queue.
1752  */
1753 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1754 {
1755         struct sk_buff *skb;
1756         int err;
1757
1758         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1759                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1760
1761         /* Send pending MSC */
1762         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1763                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1764
1765         if (d->cfc) {
1766                 /* CFC enabled.
1767                  * Give them some credits */
1768                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1769                                 d->rx_credits <= (d->cfc >> 2)) {
1770                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1771                         d->rx_credits = d->cfc;
1772                 }
1773         } else {
1774                 /* CFC disabled.
1775                  * Give ourselves some credits */
1776                 d->tx_credits = 5;
1777         }
1778
1779         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1780                 return skb_queue_len(&d->tx_queue);
1781
1782         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1783                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1784                 if (err < 0) {
1785                         skb_queue_head(&d->tx_queue, skb);
1786                         break;
1787                 }
1788                 kfree_skb(skb);
1789                 d->tx_credits--;
1790         }
1791
1792         if (d->cfc && !d->tx_credits) {
1793                 /* We're out of TX credits.
1794                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1795                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1796         }
1797
1798         return skb_queue_len(&d->tx_queue);
1799 }
1800
1801 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1802 {
1803         struct rfcomm_dlc *d;
1804         struct list_head *p, *n;
1805
1806         BT_DBG("session %p state %ld", s, s->state);
1807
1808         list_for_each_safe(p, n, &s->dlcs) {
1809                 d = list_entry(p, struct rfcomm_dlc, list);
1810
1811                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1812                         __rfcomm_dlc_close(d, ETIMEDOUT);
1813                         continue;
1814                 }
1815
1816                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1817                         rfcomm_dlc_clear_timer(d);
1818                         if (d->out) {
1819                                 rfcomm_send_pn(s, 1, d);
1820                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1821                         } else {
1822                                 if (d->defer_setup) {
1823                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1824                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1825
1826                                         rfcomm_dlc_lock(d);
1827                                         d->state = BT_CONNECT2;
1828                                         d->state_change(d, 0);
1829                                         rfcomm_dlc_unlock(d);
1830                                 } else
1831                                         rfcomm_dlc_accept(d);
1832                         }
1833                         continue;
1834                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1835                         rfcomm_dlc_clear_timer(d);
1836                         if (!d->out)
1837                                 rfcomm_send_dm(s, d->dlci);
1838                         else
1839                                 d->state = BT_CLOSED;
1840                         __rfcomm_dlc_close(d, ECONNREFUSED);
1841                         continue;
1842                 }
1843
1844                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1845                         continue;
1846
1847                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1848                         continue;
1849
1850                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1851                                                 d->mscex == RFCOMM_MSCEX_OK)
1852                         rfcomm_process_tx(d);
1853         }
1854 }
1855
1856 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1857 {
1858         struct socket *sock = s->sock;
1859         struct sock *sk = sock->sk;
1860         struct sk_buff *skb;
1861
1862         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1863
1864         /* Get data directly from socket receive queue without copying it. */
1865         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1866                 skb_orphan(skb);
1867                 if (!skb_linearize(skb))
1868                         rfcomm_recv_frame(s, skb);
1869                 else
1870                         kfree_skb(skb);
1871         }
1872
1873         if (sk->sk_state == BT_CLOSED) {
1874                 if (!s->initiator)
1875                         rfcomm_session_put(s);
1876
1877                 rfcomm_session_close(s, sk->sk_err);
1878         }
1879 }
1880
1881 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1882 {
1883         struct socket *sock = s->sock, *nsock;
1884         int err;
1885
1886         /* Fast check for a new connection.
1887          * Avoids unnesesary socket allocations. */
1888         if (list_empty(&bt_sk(sock->sk)->accept_q))
1889                 return;
1890
1891         BT_DBG("session %p", s);
1892
1893         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1894         if (err < 0)
1895                 return;
1896
1897         /* Set our callbacks */
1898         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1899         nsock->sk->sk_state_change = rfcomm_l2state_change;
1900
1901         s = rfcomm_session_add(nsock, BT_OPEN);
1902         if (s) {
1903                 rfcomm_session_hold(s);
1904
1905                 /* We should adjust MTU on incoming sessions.
1906                  * L2CAP MTU minus UIH header and FCS. */
1907                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1908                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1909
1910                 rfcomm_schedule();
1911         } else
1912                 sock_release(nsock);
1913 }
1914
1915 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1916 {
1917         struct sock *sk = s->sock->sk;
1918
1919         BT_DBG("%p state %ld", s, s->state);
1920
1921         switch (sk->sk_state) {
1922         case BT_CONNECTED:
1923                 s->state = BT_CONNECT;
1924
1925                 /* We can adjust MTU on outgoing sessions.
1926                  * L2CAP MTU minus UIH header and FCS. */
1927                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1928
1929                 rfcomm_send_sabm(s, 0);
1930                 break;
1931
1932         case BT_CLOSED:
1933                 s->state = BT_CLOSED;
1934                 rfcomm_session_close(s, sk->sk_err);
1935                 break;
1936         }
1937 }
1938
1939 static inline void rfcomm_process_sessions(void)
1940 {
1941         struct list_head *p, *n;
1942
1943         rfcomm_lock();
1944
1945         list_for_each_safe(p, n, &session_list) {
1946                 struct rfcomm_session *s;
1947                 s = list_entry(p, struct rfcomm_session, list);
1948
1949                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1950                         s->state = BT_DISCONN;
1951                         rfcomm_send_disc(s, 0);
1952                         rfcomm_session_put(s);
1953                         continue;
1954                 }
1955
1956                 if (s->state == BT_LISTEN) {
1957                         rfcomm_accept_connection(s);
1958                         continue;
1959                 }
1960
1961                 rfcomm_session_hold(s);
1962
1963                 switch (s->state) {
1964                 case BT_BOUND:
1965                         rfcomm_check_connection(s);
1966                         break;
1967
1968                 default:
1969                         rfcomm_process_rx(s);
1970                         break;
1971                 }
1972
1973                 rfcomm_process_dlcs(s);
1974
1975                 rfcomm_session_put(s);
1976         }
1977
1978         rfcomm_unlock();
1979 }
1980
1981 static int rfcomm_add_listener(bdaddr_t *ba)
1982 {
1983         struct sockaddr_l2 addr;
1984         struct socket *sock;
1985         struct sock *sk;
1986         struct rfcomm_session *s;
1987         int    err = 0;
1988
1989         /* Create socket */
1990         err = rfcomm_l2sock_create(&sock);
1991         if (err < 0) {
1992                 BT_ERR("Create socket failed %d", err);
1993                 return err;
1994         }
1995
1996         /* Bind socket */
1997         bacpy(&addr.l2_bdaddr, ba);
1998         addr.l2_family = AF_BLUETOOTH;
1999         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
2000         addr.l2_cid    = 0;
2001         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
2002         if (err < 0) {
2003                 BT_ERR("Bind failed %d", err);
2004                 goto failed;
2005         }
2006
2007         /* Set L2CAP options */
2008         sk = sock->sk;
2009         lock_sock(sk);
2010         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
2011         release_sock(sk);
2012
2013         /* Start listening on the socket */
2014         err = kernel_listen(sock, 10);
2015         if (err) {
2016                 BT_ERR("Listen failed %d", err);
2017                 goto failed;
2018         }
2019
2020         /* Add listening session */
2021         s = rfcomm_session_add(sock, BT_LISTEN);
2022         if (!s)
2023                 goto failed;
2024
2025         rfcomm_session_hold(s);
2026         return 0;
2027 failed:
2028         sock_release(sock);
2029         return err;
2030 }
2031
2032 static void rfcomm_kill_listener(void)
2033 {
2034         struct rfcomm_session *s;
2035         struct list_head *p, *n;
2036
2037         BT_DBG("");
2038
2039         list_for_each_safe(p, n, &session_list) {
2040                 s = list_entry(p, struct rfcomm_session, list);
2041                 rfcomm_session_del(s);
2042         }
2043 }
2044
2045 static int rfcomm_run(void *unused)
2046 {
2047         BT_DBG("");
2048
2049         set_user_nice(current, -10);
2050
2051         rfcomm_add_listener(BDADDR_ANY);
2052
2053         while (1) {
2054                 set_current_state(TASK_INTERRUPTIBLE);
2055
2056                 if (kthread_should_stop())
2057                         break;
2058
2059                 /* Process stuff */
2060                 rfcomm_process_sessions();
2061
2062                 schedule();
2063         }
2064         __set_current_state(TASK_RUNNING);
2065
2066         rfcomm_kill_listener();
2067
2068         return 0;
2069 }
2070
2071 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2072 {
2073         struct rfcomm_session *s;
2074         struct rfcomm_dlc *d;
2075         struct list_head *p, *n;
2076
2077         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2078
2079         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2080         if (!s)
2081                 return;
2082
2083         rfcomm_session_hold(s);
2084
2085         list_for_each_safe(p, n, &s->dlcs) {
2086                 d = list_entry(p, struct rfcomm_dlc, list);
2087
2088                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2089                         rfcomm_dlc_clear_timer(d);
2090                         if (status || encrypt == 0x00) {
2091                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2092                                 continue;
2093                         }
2094                 }
2095
2096                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2097                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2098                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2099                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2100                                 continue;
2101                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2102                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2103                                 continue;
2104                         }
2105                 }
2106
2107                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2108                         continue;
2109
2110                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2111                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2112                 else
2113                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2114         }
2115
2116         rfcomm_session_put(s);
2117
2118         rfcomm_schedule();
2119 }
2120
2121 static struct hci_cb rfcomm_cb = {
2122         .name           = "RFCOMM",
2123         .security_cfm   = rfcomm_security_cfm
2124 };
2125
2126 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2127 {
2128         struct rfcomm_session *s;
2129         struct list_head *pp, *p;
2130
2131         rfcomm_lock();
2132
2133         list_for_each(p, &session_list) {
2134                 s = list_entry(p, struct rfcomm_session, list);
2135                 list_for_each(pp, &s->dlcs) {
2136                         struct sock *sk = s->sock->sk;
2137                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2138
2139                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2140                                                 batostr(&bt_sk(sk)->src),
2141                                                 batostr(&bt_sk(sk)->dst),
2142                                                 d->state, d->dlci, d->mtu,
2143                                                 d->rx_credits, d->tx_credits);
2144                 }
2145         }
2146
2147         rfcomm_unlock();
2148
2149         return 0;
2150 }
2151
2152 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2153 {
2154         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2155 }
2156
2157 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2158         .open           = rfcomm_dlc_debugfs_open,
2159         .read           = seq_read,
2160         .llseek         = seq_lseek,
2161         .release        = single_release,
2162 };
2163
2164 static struct dentry *rfcomm_dlc_debugfs;
2165
2166 /* ---- Initialization ---- */
2167 static int __init rfcomm_init(void)
2168 {
2169         int err;
2170
2171         hci_register_cb(&rfcomm_cb);
2172
2173         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2174         if (IS_ERR(rfcomm_thread)) {
2175                 err = PTR_ERR(rfcomm_thread);
2176                 goto unregister;
2177         }
2178
2179         if (bt_debugfs) {
2180                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2181                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2182                 if (!rfcomm_dlc_debugfs)
2183                         BT_ERR("Failed to create RFCOMM debug file");
2184         }
2185
2186         err = rfcomm_init_ttys();
2187         if (err < 0)
2188                 goto stop;
2189
2190         err = rfcomm_init_sockets();
2191         if (err < 0)
2192                 goto cleanup;
2193
2194         BT_INFO("RFCOMM ver %s", VERSION);
2195
2196         return 0;
2197
2198 cleanup:
2199         rfcomm_cleanup_ttys();
2200
2201 stop:
2202         kthread_stop(rfcomm_thread);
2203
2204 unregister:
2205         hci_unregister_cb(&rfcomm_cb);
2206
2207         return err;
2208 }
2209
2210 static void __exit rfcomm_exit(void)
2211 {
2212         debugfs_remove(rfcomm_dlc_debugfs);
2213
2214         hci_unregister_cb(&rfcomm_cb);
2215
2216         kthread_stop(rfcomm_thread);
2217
2218         rfcomm_cleanup_ttys();
2219
2220         rfcomm_cleanup_sockets();
2221 }
2222
2223 module_init(rfcomm_init);
2224 module_exit(rfcomm_exit);
2225
2226 module_param(disable_cfc, bool, 0644);
2227 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2228
2229 module_param(channel_mtu, int, 0644);
2230 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2231
2232 module_param(l2cap_mtu, uint, 0644);
2233 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2234
2235 module_param(l2cap_ertm, bool, 0644);
2236 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2237
2238 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2239 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2240 MODULE_VERSION(VERSION);
2241 MODULE_LICENSE("GPL");
2242 MODULE_ALIAS("bt-proto-3");