projects / firefly-linux-kernel-4.4.55.git / blob
? search:


c2486a53714e17d73174ebbfcf1130e136ec3622
[firefly-linux-kernel-4.4.55.git] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/debugfs.h>
37 #include <linux/seq_file.h>
38 #include <linux/net.h>
39 #include <linux/mutex.h>
40 #include <linux/kthread.h>
41 #include <linux/slab.h>
42
43 #include <net/sock.h>
44 #include <linux/uaccess.h>
45 #include <asm/unaligned.h>
46
47 #include <net/bluetooth/bluetooth.h>
48 #include <net/bluetooth/hci_core.h>
49 #include <net/bluetooth/l2cap.h>
50 #include <net/bluetooth/rfcomm.h>
51
52 #define VERSION "1.11"
53
54 static int disable_cfc;
55 static int l2cap_ertm;
56 static int channel_mtu = -1;
57 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
58
59 static struct task_struct *rfcomm_thread;
60
61 static DEFINE_MUTEX(rfcomm_mutex);
62 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
63 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
64
65
66 static LIST_HEAD(session_list);
67
68 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
70 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
71 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
72 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
73 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
74 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
75 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
76 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
77 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
78
79 static void rfcomm_process_connect(struct rfcomm_session *s);
80
81 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
82                                                         bdaddr_t *dst,
83                                                         u8 sec_level,
84                                                         int *err);
85 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
86 static void rfcomm_session_del(struct rfcomm_session *s);
87
88 /* ---- RFCOMM frame parsing macros ---- */
89 #define __get_dlci(b)     ((b & 0xfc) >> 2)
90 #define __get_channel(b)  ((b & 0xf8) >> 3)
91 #define __get_dir(b)      ((b & 0x04) >> 2)
92 #define __get_type(b)     ((b & 0xef))
93
94 #define __test_ea(b)      ((b & 0x01))
95 #define __test_cr(b)      ((b & 0x02))
96 #define __test_pf(b)      ((b & 0x10))
97
98 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
99 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
100 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
101 #define __srv_channel(dlci)    (dlci >> 1)
102 #define __dir(dlci)            (dlci & 0x01)
103
104 #define __len8(len)       (((len) << 1) | 1)
105 #define __len16(len)      ((len) << 1)
106
107 /* MCC macros */
108 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
109 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
110 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
111
112 /* RPN macros */
113 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
114 #define __get_rpn_data_bits(line) ((line) & 0x3)
115 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
116 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
117
118 static inline void rfcomm_schedule(void)
119 {
120         if (!rfcomm_thread)
121                 return;
122         wake_up_process(rfcomm_thread);
123 }
124
125 static inline void rfcomm_session_put(struct rfcomm_session *s)
126 {
127         if (atomic_dec_and_test(&s->refcnt))
128                 rfcomm_session_del(s);
129 }
130
131 /* ---- RFCOMM FCS computation ---- */
132
133 /* reversed, 8-bit, poly=0x07 */
134 static unsigned char rfcomm_crc_table[256] = {
135         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
136         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
137         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
138         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
139
140         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
141         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
142         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
143         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
144
145         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
146         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
147         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
148         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
149
150         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
151         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
152         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
153         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
154
155         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
156         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
157         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
158         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
159
160         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
161         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
162         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
163         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
164
165         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
166         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
167         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
168         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
169
170         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
171         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
172         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
173         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
174 };
175
176 /* CRC on 2 bytes */
177 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
178
179 /* FCS on 2 bytes */
180 static inline u8 __fcs(u8 *data)
181 {
182         return 0xff - __crc(data);
183 }
184
185 /* FCS on 3 bytes */
186 static inline u8 __fcs2(u8 *data)
187 {
188         return 0xff - rfcomm_crc_table[__crc(data) ^ data[2]];
189 }
190
191 /* Check FCS */
192 static inline int __check_fcs(u8 *data, int type, u8 fcs)
193 {
194         u8 f = __crc(data);
195
196         if (type != RFCOMM_UIH)
197                 f = rfcomm_crc_table[f ^ data[2]];
198
199         return rfcomm_crc_table[f ^ fcs] != 0xcf;
200 }
201
202 /* ---- L2CAP callbacks ---- */
203 static void rfcomm_l2state_change(struct sock *sk)
204 {
205         BT_DBG("%p state %d", sk, sk->sk_state);
206         rfcomm_schedule();
207 }
208
209 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
210 {
211         BT_DBG("%p bytes %d", sk, bytes);
212         rfcomm_schedule();
213 }
214
215 static int rfcomm_l2sock_create(struct socket **sock)
216 {
217         int err;
218
219         BT_DBG("");
220
221         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
222         if (!err) {
223                 struct sock *sk = (*sock)->sk;
224                 sk->sk_data_ready   = rfcomm_l2data_ready;
225                 sk->sk_state_change = rfcomm_l2state_change;
226         }
227         return err;
228 }
229
230 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
231 {
232         struct sock *sk = d->session->sock->sk;
233         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
234
235         __u8 auth_type;
236
237         switch (d->sec_level) {
238         case BT_SECURITY_HIGH:
239                 auth_type = HCI_AT_GENERAL_BONDING_MITM;
240                 break;
241         case BT_SECURITY_MEDIUM:
242                 auth_type = HCI_AT_GENERAL_BONDING;
243                 break;
244         default:
245                 auth_type = HCI_AT_NO_BONDING;
246                 break;
247         }
248
249         return hci_conn_security(conn->hcon, d->sec_level, auth_type);
250 }
251
252 static void rfcomm_session_timeout(unsigned long arg)
253 {
254         struct rfcomm_session *s = (void *) arg;
255
256         BT_DBG("session %p state %ld", s, s->state);
257
258         set_bit(RFCOMM_TIMED_OUT, &s->flags);
259         rfcomm_schedule();
260 }
261
262 static void rfcomm_session_set_timer(struct rfcomm_session *s, long timeout)
263 {
264         BT_DBG("session %p state %ld timeout %ld", s, s->state, timeout);
265
266         if (!mod_timer(&s->timer, jiffies + timeout))
267                 rfcomm_session_hold(s);
268 }
269
270 static void rfcomm_session_clear_timer(struct rfcomm_session *s)
271 {
272         BT_DBG("session %p state %ld", s, s->state);
273
274         if (timer_pending(&s->timer) && del_timer(&s->timer))
275                 rfcomm_session_put(s);
276 }
277
278 /* ---- RFCOMM DLCs ---- */
279 static void rfcomm_dlc_timeout(unsigned long arg)
280 {
281         struct rfcomm_dlc *d = (void *) arg;
282
283         BT_DBG("dlc %p state %ld", d, d->state);
284
285         set_bit(RFCOMM_TIMED_OUT, &d->flags);
286         rfcomm_dlc_put(d);
287         rfcomm_schedule();
288 }
289
290 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
291 {
292         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
293
294         if (!mod_timer(&d->timer, jiffies + timeout))
295                 rfcomm_dlc_hold(d);
296 }
297
298 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
299 {
300         BT_DBG("dlc %p state %ld", d, d->state);
301
302         if (timer_pending(&d->timer) && del_timer(&d->timer))
303                 rfcomm_dlc_put(d);
304 }
305
306 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
307 {
308         BT_DBG("%p", d);
309
310         d->state      = BT_OPEN;
311         d->flags      = 0;
312         d->mscex      = 0;
313         d->sec_level  = BT_SECURITY_LOW;
314         d->mtu        = RFCOMM_DEFAULT_MTU;
315         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
316
317         d->cfc        = RFCOMM_CFC_DISABLED;
318         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
319 }
320
321 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
322 {
323         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
324
325         if (!d)
326                 return NULL;
327
328         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
329
330         skb_queue_head_init(&d->tx_queue);
331         spin_lock_init(&d->lock);
332         atomic_set(&d->refcnt, 1);
333
334         rfcomm_dlc_clear_state(d);
335
336         BT_DBG("%p", d);
337
338         return d;
339 }
340
341 void rfcomm_dlc_free(struct rfcomm_dlc *d)
342 {
343         BT_DBG("%p", d);
344
345         skb_queue_purge(&d->tx_queue);
346         kfree(d);
347 }
348
349 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
350 {
351         BT_DBG("dlc %p session %p", d, s);
352
353         rfcomm_session_hold(s);
354
355         rfcomm_session_clear_timer(s);
356         rfcomm_dlc_hold(d);
357         list_add(&d->list, &s->dlcs);
358         d->session = s;
359 }
360
361 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
362 {
363         struct rfcomm_session *s = d->session;
364
365         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
366
367         list_del(&d->list);
368         d->session = NULL;
369         rfcomm_dlc_put(d);
370
371         if (list_empty(&s->dlcs))
372                 rfcomm_session_set_timer(s, RFCOMM_IDLE_TIMEOUT);
373
374         rfcomm_session_put(s);
375 }
376
377 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
378 {
379         struct rfcomm_dlc *d;
380         struct list_head *p;
381
382         list_for_each(p, &s->dlcs) {
383                 d = list_entry(p, struct rfcomm_dlc, list);
384                 if (d->dlci == dlci)
385                         return d;
386         }
387         return NULL;
388 }
389
390 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
391 {
392         struct rfcomm_session *s;
393         int err = 0;
394         u8 dlci;
395
396         BT_DBG("dlc %p state %ld %s %s channel %d",
397                         d, d->state, batostr(src), batostr(dst), channel);
398
399         if (channel < 1 || channel > 30)
400                 return -EINVAL;
401
402         if (d->state != BT_OPEN && d->state != BT_CLOSED)
403                 return 0;
404
405         s = rfcomm_session_get(src, dst);
406         if (!s) {
407                 s = rfcomm_session_create(src, dst, d->sec_level, &err);
408                 if (!s)
409                         return err;
410         }
411
412         dlci = __dlci(!s->initiator, channel);
413
414         /* Check if DLCI already exists */
415         if (rfcomm_dlc_get(s, dlci))
416                 return -EBUSY;
417
418         rfcomm_dlc_clear_state(d);
419
420         d->dlci     = dlci;
421         d->addr     = __addr(s->initiator, dlci);
422         d->priority = 7;
423
424         d->state = BT_CONFIG;
425         rfcomm_dlc_link(s, d);
426
427         d->out = 1;
428
429         d->mtu = s->mtu;
430         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
431
432         if (s->state == BT_CONNECTED) {
433                 if (rfcomm_check_security(d))
434                         rfcomm_send_pn(s, 1, d);
435                 else
436                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
437         }
438
439         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
440
441         return 0;
442 }
443
444 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
445 {
446         int r;
447
448         rfcomm_lock();
449
450         r = __rfcomm_dlc_open(d, src, dst, channel);
451
452         rfcomm_unlock();
453         return r;
454 }
455
456 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
457 {
458         struct rfcomm_session *s = d->session;
459         if (!s)
460                 return 0;
461
462         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
463                         d, d->state, d->dlci, err, s);
464
465         switch (d->state) {
466         case BT_CONNECT:
467                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
468                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
469                         rfcomm_schedule();
470                         break;
471                 }
472                 /* Fall through */
473
474         case BT_CONNECTED:
475                 d->state = BT_DISCONN;
476                 if (skb_queue_empty(&d->tx_queue)) {
477                         rfcomm_send_disc(s, d->dlci);
478                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
479                 } else {
480                         rfcomm_queue_disc(d);
481                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
482                 }
483                 break;
484
485         case BT_OPEN:
486         case BT_CONNECT2:
487                 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
488                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
489                         rfcomm_schedule();
490                         break;
491                 }
492                 /* Fall through */
493
494         default:
495                 rfcomm_dlc_clear_timer(d);
496
497                 rfcomm_dlc_lock(d);
498                 d->state = BT_CLOSED;
499                 d->state_change(d, err);
500                 rfcomm_dlc_unlock(d);
501
502                 skb_queue_purge(&d->tx_queue);
503                 rfcomm_dlc_unlink(d);
504         }
505
506         return 0;
507 }
508
509 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
510 {
511         int r;
512
513         rfcomm_lock();
514
515         r = __rfcomm_dlc_close(d, err);
516
517         rfcomm_unlock();
518         return r;
519 }
520
521 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
522 {
523         int len = skb->len;
524
525         if (d->state != BT_CONNECTED)
526                 return -ENOTCONN;
527
528         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
529
530         if (len > d->mtu)
531                 return -EINVAL;
532
533         rfcomm_make_uih(skb, d->addr);
534         skb_queue_tail(&d->tx_queue, skb);
535
536         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
537                 rfcomm_schedule();
538         return len;
539 }
540
541 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
542 {
543         BT_DBG("dlc %p state %ld", d, d->state);
544
545         if (!d->cfc) {
546                 d->v24_sig |= RFCOMM_V24_FC;
547                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
548         }
549         rfcomm_schedule();
550 }
551
552 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
553 {
554         BT_DBG("dlc %p state %ld", d, d->state);
555
556         if (!d->cfc) {
557                 d->v24_sig &= ~RFCOMM_V24_FC;
558                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
559         }
560         rfcomm_schedule();
561 }
562
563 /*
564    Set/get modem status functions use _local_ status i.e. what we report
565    to the other side.
566    Remote status is provided by dlc->modem_status() callback.
567  */
568 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
569 {
570         BT_DBG("dlc %p state %ld v24_sig 0x%x",
571                         d, d->state, v24_sig);
572
573         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
574                 v24_sig |= RFCOMM_V24_FC;
575         else
576                 v24_sig &= ~RFCOMM_V24_FC;
577
578         d->v24_sig = v24_sig;
579
580         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
581                 rfcomm_schedule();
582
583         return 0;
584 }
585
586 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
587 {
588         BT_DBG("dlc %p state %ld v24_sig 0x%x",
589                         d, d->state, d->v24_sig);
590
591         *v24_sig = d->v24_sig;
592         return 0;
593 }
594
595 /* ---- RFCOMM sessions ---- */
596 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
597 {
598         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
599
600         if (!s)
601                 return NULL;
602
603         BT_DBG("session %p sock %p", s, sock);
604
605         setup_timer(&s->timer, rfcomm_session_timeout, (unsigned long) s);
606
607         INIT_LIST_HEAD(&s->dlcs);
608         s->state = state;
609         s->sock  = sock;
610
611         s->mtu = RFCOMM_DEFAULT_MTU;
612         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
613
614         /* Do not increment module usage count for listening sessions.
615          * Otherwise we won't be able to unload the module. */
616         if (state != BT_LISTEN)
617                 if (!try_module_get(THIS_MODULE)) {
618                         kfree(s);
619                         return NULL;
620                 }
621
622         list_add(&s->list, &session_list);
623
624         return s;
625 }
626
627 static void rfcomm_session_del(struct rfcomm_session *s)
628 {
629         int state = s->state;
630
631         BT_DBG("session %p state %ld", s, s->state);
632
633         list_del(&s->list);
634
635         if (state == BT_CONNECTED)
636                 rfcomm_send_disc(s, 0);
637
638         rfcomm_session_clear_timer(s);
639         sock_release(s->sock);
640         kfree(s);
641
642         if (state != BT_LISTEN)
643                 module_put(THIS_MODULE);
644 }
645
646 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
647 {
648         struct rfcomm_session *s;
649         struct list_head *p, *n;
650         struct bt_sock *sk;
651         list_for_each_safe(p, n, &session_list) {
652                 s = list_entry(p, struct rfcomm_session, list);
653                 sk = bt_sk(s->sock->sk);
654
655                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
656                                 !bacmp(&sk->dst, dst))
657                         return s;
658         }
659         return NULL;
660 }
661
662 static void rfcomm_session_close(struct rfcomm_session *s, int err)
663 {
664         struct rfcomm_dlc *d;
665         struct list_head *p, *n;
666
667         BT_DBG("session %p state %ld err %d", s, s->state, err);
668
669         rfcomm_session_hold(s);
670
671         s->state = BT_CLOSED;
672
673         /* Close all dlcs */
674         list_for_each_safe(p, n, &s->dlcs) {
675                 d = list_entry(p, struct rfcomm_dlc, list);
676                 d->state = BT_CLOSED;
677                 __rfcomm_dlc_close(d, err);
678         }
679
680         rfcomm_session_clear_timer(s);
681         rfcomm_session_put(s);
682 }
683
684 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
685                                                         bdaddr_t *dst,
686                                                         u8 sec_level,
687                                                         int *err)
688 {
689         struct rfcomm_session *s = NULL;
690         struct sockaddr_l2 addr;
691         struct socket *sock;
692         struct sock *sk;
693
694         BT_DBG("%s %s", batostr(src), batostr(dst));
695
696         *err = rfcomm_l2sock_create(&sock);
697         if (*err < 0)
698                 return NULL;
699
700         bacpy(&addr.l2_bdaddr, src);
701         addr.l2_family = AF_BLUETOOTH;
702         addr.l2_psm    = 0;
703         addr.l2_cid    = 0;
704         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
705         if (*err < 0)
706                 goto failed;
707
708         /* Set L2CAP options */
709         sk = sock->sk;
710         lock_sock(sk);
711         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
712         l2cap_pi(sk)->chan->sec_level = sec_level;
713         if (l2cap_ertm)
714                 l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
715         release_sock(sk);
716
717         s = rfcomm_session_add(sock, BT_BOUND);
718         if (!s) {
719                 *err = -ENOMEM;
720                 goto failed;
721         }
722
723         s->initiator = 1;
724
725         bacpy(&addr.l2_bdaddr, dst);
726         addr.l2_family = AF_BLUETOOTH;
727         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
728         addr.l2_cid    = 0;
729         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
730         if (*err == 0 || *err == -EINPROGRESS)
731                 return s;
732
733         rfcomm_session_del(s);
734         return NULL;
735
736 failed:
737         sock_release(sock);
738         return NULL;
739 }
740
741 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
742 {
743         struct sock *sk = s->sock->sk;
744         if (src)
745                 bacpy(src, &bt_sk(sk)->src);
746         if (dst)
747                 bacpy(dst, &bt_sk(sk)->dst);
748 }
749
750 /* ---- RFCOMM frame sending ---- */
751 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
752 {
753         struct socket *sock = s->sock;
754         struct kvec iv = { data, len };
755         struct msghdr msg;
756
757         BT_DBG("session %p len %d", s, len);
758
759         memset(&msg, 0, sizeof(msg));
760
761         return kernel_sendmsg(sock, &msg, &iv, 1, len);
762 }
763
764 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
765 {
766         struct rfcomm_cmd cmd;
767
768         BT_DBG("%p dlci %d", s, dlci);
769
770         cmd.addr = __addr(s->initiator, dlci);
771         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
772         cmd.len  = __len8(0);
773         cmd.fcs  = __fcs2((u8 *) &cmd);
774
775         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
776 }
777
778 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
779 {
780         struct rfcomm_cmd cmd;
781
782         BT_DBG("%p dlci %d", s, dlci);
783
784         cmd.addr = __addr(!s->initiator, dlci);
785         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
786         cmd.len  = __len8(0);
787         cmd.fcs  = __fcs2((u8 *) &cmd);
788
789         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
790 }
791
792 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
793 {
794         struct rfcomm_cmd cmd;
795
796         BT_DBG("%p dlci %d", s, dlci);
797
798         cmd.addr = __addr(s->initiator, dlci);
799         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
800         cmd.len  = __len8(0);
801         cmd.fcs  = __fcs2((u8 *) &cmd);
802
803         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
804 }
805
806 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
807 {
808         struct rfcomm_cmd *cmd;
809         struct sk_buff *skb;
810
811         BT_DBG("dlc %p dlci %d", d, d->dlci);
812
813         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
814         if (!skb)
815                 return -ENOMEM;
816
817         cmd = (void *) __skb_put(skb, sizeof(*cmd));
818         cmd->addr = d->addr;
819         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
820         cmd->len  = __len8(0);
821         cmd->fcs  = __fcs2((u8 *) cmd);
822
823         skb_queue_tail(&d->tx_queue, skb);
824         rfcomm_schedule();
825         return 0;
826 }
827
828 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
829 {
830         struct rfcomm_cmd cmd;
831
832         BT_DBG("%p dlci %d", s, dlci);
833
834         cmd.addr = __addr(!s->initiator, dlci);
835         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
836         cmd.len  = __len8(0);
837         cmd.fcs  = __fcs2((u8 *) &cmd);
838
839         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
840 }
841
842 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
843 {
844         struct rfcomm_hdr *hdr;
845         struct rfcomm_mcc *mcc;
846         u8 buf[16], *ptr = buf;
847
848         BT_DBG("%p cr %d type %d", s, cr, type);
849
850         hdr = (void *) ptr; ptr += sizeof(*hdr);
851         hdr->addr = __addr(s->initiator, 0);
852         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
853         hdr->len  = __len8(sizeof(*mcc) + 1);
854
855         mcc = (void *) ptr; ptr += sizeof(*mcc);
856         mcc->type = __mcc_type(cr, RFCOMM_NSC);
857         mcc->len  = __len8(1);
858
859         /* Type that we didn't like */
860         *ptr = __mcc_type(cr, type); ptr++;
861
862         *ptr = __fcs(buf); ptr++;
863
864         return rfcomm_send_frame(s, buf, ptr - buf);
865 }
866
867 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
868 {
869         struct rfcomm_hdr *hdr;
870         struct rfcomm_mcc *mcc;
871         struct rfcomm_pn  *pn;
872         u8 buf[16], *ptr = buf;
873
874         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
875
876         hdr = (void *) ptr; ptr += sizeof(*hdr);
877         hdr->addr = __addr(s->initiator, 0);
878         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
879         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
880
881         mcc = (void *) ptr; ptr += sizeof(*mcc);
882         mcc->type = __mcc_type(cr, RFCOMM_PN);
883         mcc->len  = __len8(sizeof(*pn));
884
885         pn = (void *) ptr; ptr += sizeof(*pn);
886         pn->dlci        = d->dlci;
887         pn->priority    = d->priority;
888         pn->ack_timer   = 0;
889         pn->max_retrans = 0;
890
891         if (s->cfc) {
892                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
893                 pn->credits = RFCOMM_DEFAULT_CREDITS;
894         } else {
895                 pn->flow_ctrl = 0;
896                 pn->credits   = 0;
897         }
898
899         if (cr && channel_mtu >= 0)
900                 pn->mtu = cpu_to_le16(channel_mtu);
901         else
902                 pn->mtu = cpu_to_le16(d->mtu);
903
904         *ptr = __fcs(buf); ptr++;
905
906         return rfcomm_send_frame(s, buf, ptr - buf);
907 }
908
909 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
910                         u8 bit_rate, u8 data_bits, u8 stop_bits,
911                         u8 parity, u8 flow_ctrl_settings,
912                         u8 xon_char, u8 xoff_char, u16 param_mask)
913 {
914         struct rfcomm_hdr *hdr;
915         struct rfcomm_mcc *mcc;
916         struct rfcomm_rpn *rpn;
917         u8 buf[16], *ptr = buf;
918
919         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
920                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
921                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
922                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
923
924         hdr = (void *) ptr; ptr += sizeof(*hdr);
925         hdr->addr = __addr(s->initiator, 0);
926         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
927         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
928
929         mcc = (void *) ptr; ptr += sizeof(*mcc);
930         mcc->type = __mcc_type(cr, RFCOMM_RPN);
931         mcc->len  = __len8(sizeof(*rpn));
932
933         rpn = (void *) ptr; ptr += sizeof(*rpn);
934         rpn->dlci          = __addr(1, dlci);
935         rpn->bit_rate      = bit_rate;
936         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
937         rpn->flow_ctrl     = flow_ctrl_settings;
938         rpn->xon_char      = xon_char;
939         rpn->xoff_char     = xoff_char;
940         rpn->param_mask    = cpu_to_le16(param_mask);
941
942         *ptr = __fcs(buf); ptr++;
943
944         return rfcomm_send_frame(s, buf, ptr - buf);
945 }
946
947 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
948 {
949         struct rfcomm_hdr *hdr;
950         struct rfcomm_mcc *mcc;
951         struct rfcomm_rls *rls;
952         u8 buf[16], *ptr = buf;
953
954         BT_DBG("%p cr %d status 0x%x", s, cr, status);
955
956         hdr = (void *) ptr; ptr += sizeof(*hdr);
957         hdr->addr = __addr(s->initiator, 0);
958         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
959         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
960
961         mcc = (void *) ptr; ptr += sizeof(*mcc);
962         mcc->type = __mcc_type(cr, RFCOMM_RLS);
963         mcc->len  = __len8(sizeof(*rls));
964
965         rls = (void *) ptr; ptr += sizeof(*rls);
966         rls->dlci   = __addr(1, dlci);
967         rls->status = status;
968
969         *ptr = __fcs(buf); ptr++;
970
971         return rfcomm_send_frame(s, buf, ptr - buf);
972 }
973
974 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
975 {
976         struct rfcomm_hdr *hdr;
977         struct rfcomm_mcc *mcc;
978         struct rfcomm_msc *msc;
979         u8 buf[16], *ptr = buf;
980
981         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
982
983         hdr = (void *) ptr; ptr += sizeof(*hdr);
984         hdr->addr = __addr(s->initiator, 0);
985         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
986         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
987
988         mcc = (void *) ptr; ptr += sizeof(*mcc);
989         mcc->type = __mcc_type(cr, RFCOMM_MSC);
990         mcc->len  = __len8(sizeof(*msc));
991
992         msc = (void *) ptr; ptr += sizeof(*msc);
993         msc->dlci    = __addr(1, dlci);
994         msc->v24_sig = v24_sig | 0x01;
995
996         *ptr = __fcs(buf); ptr++;
997
998         return rfcomm_send_frame(s, buf, ptr - buf);
999 }
1000
1001 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1002 {
1003         struct rfcomm_hdr *hdr;
1004         struct rfcomm_mcc *mcc;
1005         u8 buf[16], *ptr = buf;
1006
1007         BT_DBG("%p cr %d", s, cr);
1008
1009         hdr = (void *) ptr; ptr += sizeof(*hdr);
1010         hdr->addr = __addr(s->initiator, 0);
1011         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1012         hdr->len  = __len8(sizeof(*mcc));
1013
1014         mcc = (void *) ptr; ptr += sizeof(*mcc);
1015         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
1016         mcc->len  = __len8(0);
1017
1018         *ptr = __fcs(buf); ptr++;
1019
1020         return rfcomm_send_frame(s, buf, ptr - buf);
1021 }
1022
1023 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1024 {
1025         struct rfcomm_hdr *hdr;
1026         struct rfcomm_mcc *mcc;
1027         u8 buf[16], *ptr = buf;
1028
1029         BT_DBG("%p cr %d", s, cr);
1030
1031         hdr = (void *) ptr; ptr += sizeof(*hdr);
1032         hdr->addr = __addr(s->initiator, 0);
1033         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1034         hdr->len  = __len8(sizeof(*mcc));
1035
1036         mcc = (void *) ptr; ptr += sizeof(*mcc);
1037         mcc->type = __mcc_type(cr, RFCOMM_FCON);
1038         mcc->len  = __len8(0);
1039
1040         *ptr = __fcs(buf); ptr++;
1041
1042         return rfcomm_send_frame(s, buf, ptr - buf);
1043 }
1044
1045 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
1046 {
1047         struct socket *sock = s->sock;
1048         struct kvec iv[3];
1049         struct msghdr msg;
1050         unsigned char hdr[5], crc[1];
1051
1052         if (len > 125)
1053                 return -EINVAL;
1054
1055         BT_DBG("%p cr %d", s, cr);
1056
1057         hdr[0] = __addr(s->initiator, 0);
1058         hdr[1] = __ctrl(RFCOMM_UIH, 0);
1059         hdr[2] = 0x01 | ((len + 2) << 1);
1060         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
1061         hdr[4] = 0x01 | (len << 1);
1062
1063         crc[0] = __fcs(hdr);
1064
1065         iv[0].iov_base = hdr;
1066         iv[0].iov_len  = 5;
1067         iv[1].iov_base = pattern;
1068         iv[1].iov_len  = len;
1069         iv[2].iov_base = crc;
1070         iv[2].iov_len  = 1;
1071
1072         memset(&msg, 0, sizeof(msg));
1073
1074         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1075 }
1076
1077 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1078 {
1079         struct rfcomm_hdr *hdr;
1080         u8 buf[16], *ptr = buf;
1081
1082         BT_DBG("%p addr %d credits %d", s, addr, credits);
1083
1084         hdr = (void *) ptr; ptr += sizeof(*hdr);
1085         hdr->addr = addr;
1086         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1087         hdr->len  = __len8(0);
1088
1089         *ptr = credits; ptr++;
1090
1091         *ptr = __fcs(buf); ptr++;
1092
1093         return rfcomm_send_frame(s, buf, ptr - buf);
1094 }
1095
1096 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1097 {
1098         struct rfcomm_hdr *hdr;
1099         int len = skb->len;
1100         u8 *crc;
1101
1102         if (len > 127) {
1103                 hdr = (void *) skb_push(skb, 4);
1104                 put_unaligned(cpu_to_le16(__len16(len)), (__le16 *) &hdr->len);
1105         } else {
1106                 hdr = (void *) skb_push(skb, 3);
1107                 hdr->len = __len8(len);
1108         }
1109         hdr->addr = addr;
1110         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1111
1112         crc = skb_put(skb, 1);
1113         *crc = __fcs((void *) hdr);
1114 }
1115
1116 /* ---- RFCOMM frame reception ---- */
1117 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1118 {
1119         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1120
1121         if (dlci) {
1122                 /* Data channel */
1123                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1124                 if (!d) {
1125                         rfcomm_send_dm(s, dlci);
1126                         return 0;
1127                 }
1128
1129                 switch (d->state) {
1130                 case BT_CONNECT:
1131                         rfcomm_dlc_clear_timer(d);
1132
1133                         rfcomm_dlc_lock(d);
1134                         d->state = BT_CONNECTED;
1135                         d->state_change(d, 0);
1136                         rfcomm_dlc_unlock(d);
1137
1138                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1139                         break;
1140
1141                 case BT_DISCONN:
1142                         d->state = BT_CLOSED;
1143                         __rfcomm_dlc_close(d, 0);
1144
1145                         if (list_empty(&s->dlcs)) {
1146                                 s->state = BT_DISCONN;
1147                                 rfcomm_send_disc(s, 0);
1148                         }
1149
1150                         break;
1151                 }
1152         } else {
1153                 /* Control channel */
1154                 switch (s->state) {
1155                 case BT_CONNECT:
1156                         s->state = BT_CONNECTED;
1157                         rfcomm_process_connect(s);
1158                         break;
1159
1160                 case BT_DISCONN:
1161                         /* When socket is closed and we are not RFCOMM
1162                          * initiator rfcomm_process_rx already calls
1163                          * rfcomm_session_put() */
1164                         if (s->sock->sk->sk_state != BT_CLOSED)
1165                                 if (list_empty(&s->dlcs))
1166                                         rfcomm_session_put(s);
1167                         break;
1168                 }
1169         }
1170         return 0;
1171 }
1172
1173 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1174 {
1175         int err = 0;
1176
1177         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1178
1179         if (dlci) {
1180                 /* Data DLC */
1181                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1182                 if (d) {
1183                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1184                                 err = ECONNREFUSED;
1185                         else
1186                                 err = ECONNRESET;
1187
1188                         d->state = BT_CLOSED;
1189                         __rfcomm_dlc_close(d, err);
1190                 }
1191         } else {
1192                 if (s->state == BT_CONNECT)
1193                         err = ECONNREFUSED;
1194                 else
1195                         err = ECONNRESET;
1196
1197                 s->state = BT_CLOSED;
1198                 rfcomm_session_close(s, err);
1199         }
1200         return 0;
1201 }
1202
1203 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1204 {
1205         int err = 0;
1206
1207         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1208
1209         if (dlci) {
1210                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1211                 if (d) {
1212                         rfcomm_send_ua(s, dlci);
1213
1214                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1215                                 err = ECONNREFUSED;
1216                         else
1217                                 err = ECONNRESET;
1218
1219                         d->state = BT_CLOSED;
1220                         __rfcomm_dlc_close(d, err);
1221                 } else
1222                         rfcomm_send_dm(s, dlci);
1223
1224         } else {
1225                 rfcomm_send_ua(s, 0);
1226
1227                 if (s->state == BT_CONNECT)
1228                         err = ECONNREFUSED;
1229                 else
1230                         err = ECONNRESET;
1231
1232                 s->state = BT_CLOSED;
1233                 rfcomm_session_close(s, err);
1234         }
1235
1236         return 0;
1237 }
1238
1239 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1240 {
1241         struct sock *sk = d->session->sock->sk;
1242         struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
1243
1244         BT_DBG("dlc %p", d);
1245
1246         rfcomm_send_ua(d->session, d->dlci);
1247
1248         rfcomm_dlc_clear_timer(d);
1249
1250         rfcomm_dlc_lock(d);
1251         d->state = BT_CONNECTED;
1252         d->state_change(d, 0);
1253         rfcomm_dlc_unlock(d);
1254
1255         if (d->role_switch)
1256                 hci_conn_switch_role(conn->hcon, 0x00);
1257
1258         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1259 }
1260
1261 static void rfcomm_check_accept(struct rfcomm_dlc *d)
1262 {
1263         if (rfcomm_check_security(d)) {
1264                 if (d->defer_setup) {
1265                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1266                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1267
1268                         rfcomm_dlc_lock(d);
1269                         d->state = BT_CONNECT2;
1270                         d->state_change(d, 0);
1271                         rfcomm_dlc_unlock(d);
1272                 } else
1273                         rfcomm_dlc_accept(d);
1274         } else {
1275                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1276                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1277         }
1278 }
1279
1280 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1281 {
1282         struct rfcomm_dlc *d;
1283         u8 channel;
1284
1285         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1286
1287         if (!dlci) {
1288                 rfcomm_send_ua(s, 0);
1289
1290                 if (s->state == BT_OPEN) {
1291                         s->state = BT_CONNECTED;
1292                         rfcomm_process_connect(s);
1293                 }
1294                 return 0;
1295         }
1296
1297         /* Check if DLC exists */
1298         d = rfcomm_dlc_get(s, dlci);
1299         if (d) {
1300                 if (d->state == BT_OPEN) {
1301                         /* DLC was previously opened by PN request */
1302                         rfcomm_check_accept(d);
1303                 }
1304                 return 0;
1305         }
1306
1307         /* Notify socket layer about incoming connection */
1308         channel = __srv_channel(dlci);
1309         if (rfcomm_connect_ind(s, channel, &d)) {
1310                 d->dlci = dlci;
1311                 d->addr = __addr(s->initiator, dlci);
1312                 rfcomm_dlc_link(s, d);
1313
1314                 rfcomm_check_accept(d);
1315         } else {
1316                 rfcomm_send_dm(s, dlci);
1317         }
1318
1319         return 0;
1320 }
1321
1322 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1323 {
1324         struct rfcomm_session *s = d->session;
1325
1326         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1327                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1328
1329         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1330                                                 pn->flow_ctrl == 0xe0) {
1331                 d->cfc = RFCOMM_CFC_ENABLED;
1332                 d->tx_credits = pn->credits;
1333         } else {
1334                 d->cfc = RFCOMM_CFC_DISABLED;
1335                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1336         }
1337
1338         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1339                 s->cfc = d->cfc;
1340
1341         d->priority = pn->priority;
1342
1343         d->mtu = __le16_to_cpu(pn->mtu);
1344
1345         if (cr && d->mtu > s->mtu)
1346                 d->mtu = s->mtu;
1347
1348         return 0;
1349 }
1350
1351 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1352 {
1353         struct rfcomm_pn *pn = (void *) skb->data;
1354         struct rfcomm_dlc *d;
1355         u8 dlci = pn->dlci;
1356
1357         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1358
1359         if (!dlci)
1360                 return 0;
1361
1362         d = rfcomm_dlc_get(s, dlci);
1363         if (d) {
1364                 if (cr) {
1365                         /* PN request */
1366                         rfcomm_apply_pn(d, cr, pn);
1367                         rfcomm_send_pn(s, 0, d);
1368                 } else {
1369                         /* PN response */
1370                         switch (d->state) {
1371                         case BT_CONFIG:
1372                                 rfcomm_apply_pn(d, cr, pn);
1373
1374                                 d->state = BT_CONNECT;
1375                                 rfcomm_send_sabm(s, d->dlci);
1376                                 break;
1377                         }
1378                 }
1379         } else {
1380                 u8 channel = __srv_channel(dlci);
1381
1382                 if (!cr)
1383                         return 0;
1384
1385                 /* PN request for non existing DLC.
1386                  * Assume incoming connection. */
1387                 if (rfcomm_connect_ind(s, channel, &d)) {
1388                         d->dlci = dlci;
1389                         d->addr = __addr(s->initiator, dlci);
1390                         rfcomm_dlc_link(s, d);
1391
1392                         rfcomm_apply_pn(d, cr, pn);
1393
1394                         d->state = BT_OPEN;
1395                         rfcomm_send_pn(s, 0, d);
1396                 } else {
1397                         rfcomm_send_dm(s, dlci);
1398                 }
1399         }
1400         return 0;
1401 }
1402
1403 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1404 {
1405         struct rfcomm_rpn *rpn = (void *) skb->data;
1406         u8 dlci = __get_dlci(rpn->dlci);
1407
1408         u8 bit_rate  = 0;
1409         u8 data_bits = 0;
1410         u8 stop_bits = 0;
1411         u8 parity    = 0;
1412         u8 flow_ctrl = 0;
1413         u8 xon_char  = 0;
1414         u8 xoff_char = 0;
1415         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1416
1417         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1418                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1419                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1420
1421         if (!cr)
1422                 return 0;
1423
1424         if (len == 1) {
1425                 /* This is a request, return default (according to ETSI TS 07.10) settings */
1426                 bit_rate  = RFCOMM_RPN_BR_9600;
1427                 data_bits = RFCOMM_RPN_DATA_8;
1428                 stop_bits = RFCOMM_RPN_STOP_1;
1429                 parity    = RFCOMM_RPN_PARITY_NONE;
1430                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1431                 xon_char  = RFCOMM_RPN_XON_CHAR;
1432                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1433                 goto rpn_out;
1434         }
1435
1436         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1437          * no parity, no flow control lines, normal XON/XOFF chars */
1438
1439         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1440                 bit_rate = rpn->bit_rate;
1441                 if (bit_rate > RFCOMM_RPN_BR_230400) {
1442                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1443                         bit_rate = RFCOMM_RPN_BR_9600;
1444                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1445                 }
1446         }
1447
1448         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1449                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1450                 if (data_bits != RFCOMM_RPN_DATA_8) {
1451                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1452                         data_bits = RFCOMM_RPN_DATA_8;
1453                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1454                 }
1455         }
1456
1457         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1458                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1459                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1460                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1461                         stop_bits = RFCOMM_RPN_STOP_1;
1462                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1463                 }
1464         }
1465
1466         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1467                 parity = __get_rpn_parity(rpn->line_settings);
1468                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1469                         BT_DBG("RPN parity mismatch 0x%x", parity);
1470                         parity = RFCOMM_RPN_PARITY_NONE;
1471                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1472                 }
1473         }
1474
1475         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1476                 flow_ctrl = rpn->flow_ctrl;
1477                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1478                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1479                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1480                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1481                 }
1482         }
1483
1484         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1485                 xon_char = rpn->xon_char;
1486                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1487                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1488                         xon_char = RFCOMM_RPN_XON_CHAR;
1489                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1490                 }
1491         }
1492
1493         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1494                 xoff_char = rpn->xoff_char;
1495                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1496                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1497                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1498                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1499                 }
1500         }
1501
1502 rpn_out:
1503         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1504                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1505
1506         return 0;
1507 }
1508
1509 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1510 {
1511         struct rfcomm_rls *rls = (void *) skb->data;
1512         u8 dlci = __get_dlci(rls->dlci);
1513
1514         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1515
1516         if (!cr)
1517                 return 0;
1518
1519         /* We should probably do something with this information here. But
1520          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1521          * mandatory to recognise and respond to RLS */
1522
1523         rfcomm_send_rls(s, 0, dlci, rls->status);
1524
1525         return 0;
1526 }
1527
1528 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1529 {
1530         struct rfcomm_msc *msc = (void *) skb->data;
1531         struct rfcomm_dlc *d;
1532         u8 dlci = __get_dlci(msc->dlci);
1533
1534         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1535
1536         d = rfcomm_dlc_get(s, dlci);
1537         if (!d)
1538                 return 0;
1539
1540         if (cr) {
1541                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1542                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1543                 else
1544                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1545
1546                 rfcomm_dlc_lock(d);
1547
1548                 d->remote_v24_sig = msc->v24_sig;
1549
1550                 if (d->modem_status)
1551                         d->modem_status(d, msc->v24_sig);
1552
1553                 rfcomm_dlc_unlock(d);
1554
1555                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1556
1557                 d->mscex |= RFCOMM_MSCEX_RX;
1558         } else
1559                 d->mscex |= RFCOMM_MSCEX_TX;
1560
1561         return 0;
1562 }
1563
1564 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1565 {
1566         struct rfcomm_mcc *mcc = (void *) skb->data;
1567         u8 type, cr, len;
1568
1569         cr   = __test_cr(mcc->type);
1570         type = __get_mcc_type(mcc->type);
1571         len  = __get_mcc_len(mcc->len);
1572
1573         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1574
1575         skb_pull(skb, 2);
1576
1577         switch (type) {
1578         case RFCOMM_PN:
1579                 rfcomm_recv_pn(s, cr, skb);
1580                 break;
1581
1582         case RFCOMM_RPN:
1583                 rfcomm_recv_rpn(s, cr, len, skb);
1584                 break;
1585
1586         case RFCOMM_RLS:
1587                 rfcomm_recv_rls(s, cr, skb);
1588                 break;
1589
1590         case RFCOMM_MSC:
1591                 rfcomm_recv_msc(s, cr, skb);
1592                 break;
1593
1594         case RFCOMM_FCOFF:
1595                 if (cr) {
1596                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1597                         rfcomm_send_fcoff(s, 0);
1598                 }
1599                 break;
1600
1601         case RFCOMM_FCON:
1602                 if (cr) {
1603                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1604                         rfcomm_send_fcon(s, 0);
1605                 }
1606                 break;
1607
1608         case RFCOMM_TEST:
1609                 if (cr)
1610                         rfcomm_send_test(s, 0, skb->data, skb->len);
1611                 break;
1612
1613         case RFCOMM_NSC:
1614                 break;
1615
1616         default:
1617                 BT_ERR("Unknown control type 0x%02x", type);
1618                 rfcomm_send_nsc(s, cr, type);
1619                 break;
1620         }
1621         return 0;
1622 }
1623
1624 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1625 {
1626         struct rfcomm_dlc *d;
1627
1628         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1629
1630         d = rfcomm_dlc_get(s, dlci);
1631         if (!d) {
1632                 rfcomm_send_dm(s, dlci);
1633                 goto drop;
1634         }
1635
1636         if (pf && d->cfc) {
1637                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1638
1639                 d->tx_credits += credits;
1640                 if (d->tx_credits)
1641                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1642         }
1643
1644         if (skb->len && d->state == BT_CONNECTED) {
1645                 rfcomm_dlc_lock(d);
1646                 d->rx_credits--;
1647                 d->data_ready(d, skb);
1648                 rfcomm_dlc_unlock(d);
1649                 return 0;
1650         }
1651
1652 drop:
1653         kfree_skb(skb);
1654         return 0;
1655 }
1656
1657 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1658 {
1659         struct rfcomm_hdr *hdr = (void *) skb->data;
1660         u8 type, dlci, fcs;
1661
1662         dlci = __get_dlci(hdr->addr);
1663         type = __get_type(hdr->ctrl);
1664
1665         /* Trim FCS */
1666         skb->len--; skb->tail--;
1667         fcs = *(u8 *)skb_tail_pointer(skb);
1668
1669         if (__check_fcs(skb->data, type, fcs)) {
1670                 BT_ERR("bad checksum in packet");
1671                 kfree_skb(skb);
1672                 return -EILSEQ;
1673         }
1674
1675         if (__test_ea(hdr->len))
1676                 skb_pull(skb, 3);
1677         else
1678                 skb_pull(skb, 4);
1679
1680         switch (type) {
1681         case RFCOMM_SABM:
1682                 if (__test_pf(hdr->ctrl))
1683                         rfcomm_recv_sabm(s, dlci);
1684                 break;
1685
1686         case RFCOMM_DISC:
1687                 if (__test_pf(hdr->ctrl))
1688                         rfcomm_recv_disc(s, dlci);
1689                 break;
1690
1691         case RFCOMM_UA:
1692                 if (__test_pf(hdr->ctrl))
1693                         rfcomm_recv_ua(s, dlci);
1694                 break;
1695
1696         case RFCOMM_DM:
1697                 rfcomm_recv_dm(s, dlci);
1698                 break;
1699
1700         case RFCOMM_UIH:
1701                 if (dlci)
1702                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1703
1704                 rfcomm_recv_mcc(s, skb);
1705                 break;
1706
1707         default:
1708                 BT_ERR("Unknown packet type 0x%02x", type);
1709                 break;
1710         }
1711         kfree_skb(skb);
1712         return 0;
1713 }
1714
1715 /* ---- Connection and data processing ---- */
1716
1717 static void rfcomm_process_connect(struct rfcomm_session *s)
1718 {
1719         struct rfcomm_dlc *d;
1720         struct list_head *p, *n;
1721
1722         BT_DBG("session %p state %ld", s, s->state);
1723
1724         list_for_each_safe(p, n, &s->dlcs) {
1725                 d = list_entry(p, struct rfcomm_dlc, list);
1726                 if (d->state == BT_CONFIG) {
1727                         d->mtu = s->mtu;
1728                         if (rfcomm_check_security(d)) {
1729                                 rfcomm_send_pn(s, 1, d);
1730                         } else {
1731                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1732                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1733                         }
1734                 }
1735         }
1736 }
1737
1738 /* Send data queued for the DLC.
1739  * Return number of frames left in the queue.
1740  */
1741 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1742 {
1743         struct sk_buff *skb;
1744         int err;
1745
1746         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1747                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1748
1749         /* Send pending MSC */
1750         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1751                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1752
1753         if (d->cfc) {
1754                 /* CFC enabled.
1755                  * Give them some credits */
1756                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1757                                 d->rx_credits <= (d->cfc >> 2)) {
1758                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1759                         d->rx_credits = d->cfc;
1760                 }
1761         } else {
1762                 /* CFC disabled.
1763                  * Give ourselves some credits */
1764                 d->tx_credits = 5;
1765         }
1766
1767         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1768                 return skb_queue_len(&d->tx_queue);
1769
1770         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1771                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1772                 if (err < 0) {
1773                         skb_queue_head(&d->tx_queue, skb);
1774                         break;
1775                 }
1776                 kfree_skb(skb);
1777                 d->tx_credits--;
1778         }
1779
1780         if (d->cfc && !d->tx_credits) {
1781                 /* We're out of TX credits.
1782                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1783                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1784         }
1785
1786         return skb_queue_len(&d->tx_queue);
1787 }
1788
1789 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1790 {
1791         struct rfcomm_dlc *d;
1792         struct list_head *p, *n;
1793
1794         BT_DBG("session %p state %ld", s, s->state);
1795
1796         list_for_each_safe(p, n, &s->dlcs) {
1797                 d = list_entry(p, struct rfcomm_dlc, list);
1798
1799                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1800                         __rfcomm_dlc_close(d, ETIMEDOUT);
1801                         continue;
1802                 }
1803
1804                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1805                         rfcomm_dlc_clear_timer(d);
1806                         if (d->out) {
1807                                 rfcomm_send_pn(s, 1, d);
1808                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1809                         } else {
1810                                 if (d->defer_setup) {
1811                                         set_bit(RFCOMM_DEFER_SETUP, &d->flags);
1812                                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1813
1814                                         rfcomm_dlc_lock(d);
1815                                         d->state = BT_CONNECT2;
1816                                         d->state_change(d, 0);
1817                                         rfcomm_dlc_unlock(d);
1818                                 } else
1819                                         rfcomm_dlc_accept(d);
1820                         }
1821                         continue;
1822                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1823                         rfcomm_dlc_clear_timer(d);
1824                         if (!d->out)
1825                                 rfcomm_send_dm(s, d->dlci);
1826                         else
1827                                 d->state = BT_CLOSED;
1828                         __rfcomm_dlc_close(d, ECONNREFUSED);
1829                         continue;
1830                 }
1831
1832                 if (test_bit(RFCOMM_SEC_PENDING, &d->flags))
1833                         continue;
1834
1835                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1836                         continue;
1837
1838                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1839                                                 d->mscex == RFCOMM_MSCEX_OK)
1840                         rfcomm_process_tx(d);
1841         }
1842 }
1843
1844 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1845 {
1846         struct socket *sock = s->sock;
1847         struct sock *sk = sock->sk;
1848         struct sk_buff *skb;
1849
1850         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1851
1852         /* Get data directly from socket receive queue without copying it. */
1853         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1854                 skb_orphan(skb);
1855                 rfcomm_recv_frame(s, skb);
1856         }
1857
1858         if (sk->sk_state == BT_CLOSED) {
1859                 if (!s->initiator)
1860                         rfcomm_session_put(s);
1861
1862                 rfcomm_session_close(s, sk->sk_err);
1863         }
1864 }
1865
1866 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1867 {
1868         struct socket *sock = s->sock, *nsock;
1869         int err;
1870
1871         /* Fast check for a new connection.
1872          * Avoids unnesesary socket allocations. */
1873         if (list_empty(&bt_sk(sock->sk)->accept_q))
1874                 return;
1875
1876         BT_DBG("session %p", s);
1877
1878         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1879         if (err < 0)
1880                 return;
1881
1882         /* Set our callbacks */
1883         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1884         nsock->sk->sk_state_change = rfcomm_l2state_change;
1885
1886         s = rfcomm_session_add(nsock, BT_OPEN);
1887         if (s) {
1888                 rfcomm_session_hold(s);
1889
1890                 /* We should adjust MTU on incoming sessions.
1891                  * L2CAP MTU minus UIH header and FCS. */
1892                 s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
1893                                 l2cap_pi(nsock->sk)->chan->imtu) - 5;
1894
1895                 rfcomm_schedule();
1896         } else
1897                 sock_release(nsock);
1898 }
1899
1900 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1901 {
1902         struct sock *sk = s->sock->sk;
1903
1904         BT_DBG("%p state %ld", s, s->state);
1905
1906         switch (sk->sk_state) {
1907         case BT_CONNECTED:
1908                 s->state = BT_CONNECT;
1909
1910                 /* We can adjust MTU on outgoing sessions.
1911                  * L2CAP MTU minus UIH header and FCS. */
1912                 s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
1913
1914                 rfcomm_send_sabm(s, 0);
1915                 break;
1916
1917         case BT_CLOSED:
1918                 s->state = BT_CLOSED;
1919                 rfcomm_session_close(s, sk->sk_err);
1920                 break;
1921         }
1922 }
1923
1924 static inline void rfcomm_process_sessions(void)
1925 {
1926         struct list_head *p, *n;
1927
1928         rfcomm_lock();
1929
1930         list_for_each_safe(p, n, &session_list) {
1931                 struct rfcomm_session *s;
1932                 s = list_entry(p, struct rfcomm_session, list);
1933
1934                 if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1935                         s->state = BT_DISCONN;
1936                         rfcomm_send_disc(s, 0);
1937                         rfcomm_session_put(s);
1938                         continue;
1939                 }
1940
1941                 if (s->state == BT_LISTEN) {
1942                         rfcomm_accept_connection(s);
1943                         continue;
1944                 }
1945
1946                 rfcomm_session_hold(s);
1947
1948                 switch (s->state) {
1949                 case BT_BOUND:
1950                         rfcomm_check_connection(s);
1951                         break;
1952
1953                 default:
1954                         rfcomm_process_rx(s);
1955                         break;
1956                 }
1957
1958                 rfcomm_process_dlcs(s);
1959
1960                 rfcomm_session_put(s);
1961         }
1962
1963         rfcomm_unlock();
1964 }
1965
1966 static int rfcomm_add_listener(bdaddr_t *ba)
1967 {
1968         struct sockaddr_l2 addr;
1969         struct socket *sock;
1970         struct sock *sk;
1971         struct rfcomm_session *s;
1972         int    err = 0;
1973
1974         /* Create socket */
1975         err = rfcomm_l2sock_create(&sock);
1976         if (err < 0) {
1977                 BT_ERR("Create socket failed %d", err);
1978                 return err;
1979         }
1980
1981         /* Bind socket */
1982         bacpy(&addr.l2_bdaddr, ba);
1983         addr.l2_family = AF_BLUETOOTH;
1984         addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
1985         addr.l2_cid    = 0;
1986         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1987         if (err < 0) {
1988                 BT_ERR("Bind failed %d", err);
1989                 goto failed;
1990         }
1991
1992         /* Set L2CAP options */
1993         sk = sock->sk;
1994         lock_sock(sk);
1995         l2cap_pi(sk)->chan->imtu = l2cap_mtu;
1996         release_sock(sk);
1997
1998         /* Start listening on the socket */
1999         err = kernel_listen(sock, 10);
2000         if (err) {
2001                 BT_ERR("Listen failed %d", err);
2002                 goto failed;
2003         }
2004
2005         /* Add listening session */
2006         s = rfcomm_session_add(sock, BT_LISTEN);
2007         if (!s)
2008                 goto failed;
2009
2010         rfcomm_session_hold(s);
2011         return 0;
2012 failed:
2013         sock_release(sock);
2014         return err;
2015 }
2016
2017 static void rfcomm_kill_listener(void)
2018 {
2019         struct rfcomm_session *s;
2020         struct list_head *p, *n;
2021
2022         BT_DBG("");
2023
2024         list_for_each_safe(p, n, &session_list) {
2025                 s = list_entry(p, struct rfcomm_session, list);
2026                 rfcomm_session_del(s);
2027         }
2028 }
2029
2030 static int rfcomm_run(void *unused)
2031 {
2032         BT_DBG("");
2033
2034         set_user_nice(current, -10);
2035
2036         rfcomm_add_listener(BDADDR_ANY);
2037
2038         while (1) {
2039                 set_current_state(TASK_INTERRUPTIBLE);
2040
2041                 if (kthread_should_stop())
2042                         break;
2043
2044                 /* Process stuff */
2045                 rfcomm_process_sessions();
2046
2047                 schedule();
2048         }
2049         __set_current_state(TASK_RUNNING);
2050
2051         rfcomm_kill_listener();
2052
2053         return 0;
2054 }
2055
2056 static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
2057 {
2058         struct rfcomm_session *s;
2059         struct rfcomm_dlc *d;
2060         struct list_head *p, *n;
2061
2062         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
2063
2064         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2065         if (!s)
2066                 return;
2067
2068         rfcomm_session_hold(s);
2069
2070         list_for_each_safe(p, n, &s->dlcs) {
2071                 d = list_entry(p, struct rfcomm_dlc, list);
2072
2073                 if (test_and_clear_bit(RFCOMM_SEC_PENDING, &d->flags)) {
2074                         rfcomm_dlc_clear_timer(d);
2075                         if (status || encrypt == 0x00) {
2076                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2077                                 continue;
2078                         }
2079                 }
2080
2081                 if (d->state == BT_CONNECTED && !status && encrypt == 0x00) {
2082                         if (d->sec_level == BT_SECURITY_MEDIUM) {
2083                                 set_bit(RFCOMM_SEC_PENDING, &d->flags);
2084                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
2085                                 continue;
2086                         } else if (d->sec_level == BT_SECURITY_HIGH) {
2087                                 __rfcomm_dlc_close(d, ECONNREFUSED);
2088                                 continue;
2089                         }
2090                 }
2091
2092                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2093                         continue;
2094
2095                 if (!status && hci_conn_check_secure(conn, d->sec_level))
2096                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2097                 else
2098                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2099         }
2100
2101         rfcomm_session_put(s);
2102
2103         rfcomm_schedule();
2104 }
2105
2106 static struct hci_cb rfcomm_cb = {
2107         .name           = "RFCOMM",
2108         .security_cfm   = rfcomm_security_cfm
2109 };
2110
2111 static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
2112 {
2113         struct rfcomm_session *s;
2114         struct list_head *pp, *p;
2115
2116         rfcomm_lock();
2117
2118         list_for_each(p, &session_list) {
2119                 s = list_entry(p, struct rfcomm_session, list);
2120                 list_for_each(pp, &s->dlcs) {
2121                         struct sock *sk = s->sock->sk;
2122                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2123
2124                         seq_printf(f, "%s %s %ld %d %d %d %d\n",
2125                                                 batostr(&bt_sk(sk)->src),
2126                                                 batostr(&bt_sk(sk)->dst),
2127                                                 d->state, d->dlci, d->mtu,
2128                                                 d->rx_credits, d->tx_credits);
2129                 }
2130         }
2131
2132         rfcomm_unlock();
2133
2134         return 0;
2135 }
2136
2137 static int rfcomm_dlc_debugfs_open(struct inode *inode, struct file *file)
2138 {
2139         return single_open(file, rfcomm_dlc_debugfs_show, inode->i_private);
2140 }
2141
2142 static const struct file_operations rfcomm_dlc_debugfs_fops = {
2143         .open           = rfcomm_dlc_debugfs_open,
2144         .read           = seq_read,
2145         .llseek         = seq_lseek,
2146         .release        = single_release,
2147 };
2148
2149 static struct dentry *rfcomm_dlc_debugfs;
2150
2151 /* ---- Initialization ---- */
2152 static int __init rfcomm_init(void)
2153 {
2154         int err;
2155
2156         hci_register_cb(&rfcomm_cb);
2157
2158         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2159         if (IS_ERR(rfcomm_thread)) {
2160                 err = PTR_ERR(rfcomm_thread);
2161                 goto unregister;
2162         }
2163
2164         if (bt_debugfs) {
2165                 rfcomm_dlc_debugfs = debugfs_create_file("rfcomm_dlc", 0444,
2166                                 bt_debugfs, NULL, &rfcomm_dlc_debugfs_fops);
2167                 if (!rfcomm_dlc_debugfs)
2168                         BT_ERR("Failed to create RFCOMM debug file");
2169         }
2170
2171         err = rfcomm_init_ttys();
2172         if (err < 0)
2173                 goto stop;
2174
2175         err = rfcomm_init_sockets();
2176         if (err < 0)
2177                 goto cleanup;
2178
2179         BT_INFO("RFCOMM ver %s", VERSION);
2180
2181         return 0;
2182
2183 cleanup:
2184         rfcomm_cleanup_ttys();
2185
2186 stop:
2187         kthread_stop(rfcomm_thread);
2188
2189 unregister:
2190         hci_unregister_cb(&rfcomm_cb);
2191
2192         return err;
2193 }
2194
2195 static void __exit rfcomm_exit(void)
2196 {
2197         debugfs_remove(rfcomm_dlc_debugfs);
2198
2199         hci_unregister_cb(&rfcomm_cb);
2200
2201         kthread_stop(rfcomm_thread);
2202
2203         rfcomm_cleanup_ttys();
2204
2205         rfcomm_cleanup_sockets();
2206 }
2207
2208 module_init(rfcomm_init);
2209 module_exit(rfcomm_exit);
2210
2211 module_param(disable_cfc, bool, 0644);
2212 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2213
2214 module_param(channel_mtu, int, 0644);
2215 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2216
2217 module_param(l2cap_mtu, uint, 0644);
2218 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2219
2220 module_param(l2cap_ertm, bool, 0644);
2221 MODULE_PARM_DESC(l2cap_ertm, "Use L2CAP ERTM mode for connection");
2222
2223 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2224 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2225 MODULE_VERSION(VERSION);
2226 MODULE_LICENSE("GPL");
2227 MODULE_ALIAS("bt-proto-3");
Unnamed repository; edit this file 'description' to name the repository.