Merge commit 'v2.6.27-rc8' into oprofile
[linux-2.6] / net / bluetooth / rfcomm / core.c
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23
24 /*
25  * Bluetooth RFCOMM core.
26  */
27
28 #include <linux/module.h>
29 #include <linux/errno.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/device.h>
36 #include <linux/net.h>
37 #include <linux/mutex.h>
38 #include <linux/kthread.h>
39
40 #include <net/sock.h>
41 #include <asm/uaccess.h>
42 #include <asm/unaligned.h>
43
44 #include <net/bluetooth/bluetooth.h>
45 #include <net/bluetooth/hci_core.h>
46 #include <net/bluetooth/l2cap.h>
47 #include <net/bluetooth/rfcomm.h>
48
49 #ifndef CONFIG_BT_RFCOMM_DEBUG
50 #undef  BT_DBG
51 #define BT_DBG(D...)
52 #endif
53
54 #define VERSION "1.10"
55
56 static int disable_cfc = 0;
57 static int channel_mtu = -1;
58 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
59
60 static struct task_struct *rfcomm_thread;
61
62 static DEFINE_MUTEX(rfcomm_mutex);
63 #define rfcomm_lock()   mutex_lock(&rfcomm_mutex)
64 #define rfcomm_unlock() mutex_unlock(&rfcomm_mutex)
65
66 static unsigned long rfcomm_event;
67
68 static LIST_HEAD(session_list);
69
70 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
71 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
72 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
73 static int rfcomm_queue_disc(struct rfcomm_dlc *d);
74 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type);
75 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d);
76 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig);
77 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len);
78 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits);
79 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr);
80
81 static void rfcomm_process_connect(struct rfcomm_session *s);
82
83 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err);
84 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst);
85 static void rfcomm_session_del(struct rfcomm_session *s);
86
87 /* ---- RFCOMM frame parsing macros ---- */
88 #define __get_dlci(b)     ((b & 0xfc) >> 2)
89 #define __get_channel(b)  ((b & 0xf8) >> 3)
90 #define __get_dir(b)      ((b & 0x04) >> 2)
91 #define __get_type(b)     ((b & 0xef))
92
93 #define __test_ea(b)      ((b & 0x01))
94 #define __test_cr(b)      ((b & 0x02))
95 #define __test_pf(b)      ((b & 0x10))
96
97 #define __addr(cr, dlci)       (((dlci & 0x3f) << 2) | (cr << 1) | 0x01)
98 #define __ctrl(type, pf)       (((type & 0xef) | (pf << 4)))
99 #define __dlci(dir, chn)       (((chn & 0x1f) << 1) | dir)
100 #define __srv_channel(dlci)    (dlci >> 1)
101 #define __dir(dlci)            (dlci & 0x01)
102
103 #define __len8(len)       (((len) << 1) | 1)
104 #define __len16(len)      ((len) << 1)
105
106 /* MCC macros */
107 #define __mcc_type(cr, type)   (((type << 2) | (cr << 1) | 0x01))
108 #define __get_mcc_type(b) ((b & 0xfc) >> 2)
109 #define __get_mcc_len(b)  ((b & 0xfe) >> 1)
110
111 /* RPN macros */
112 #define __rpn_line_settings(data, stop, parity)  ((data & 0x3) | ((stop & 0x1) << 2) | ((parity & 0x7) << 3))
113 #define __get_rpn_data_bits(line) ((line) & 0x3)
114 #define __get_rpn_stop_bits(line) (((line) >> 2) & 0x1)
115 #define __get_rpn_parity(line)    (((line) >> 3) & 0x7)
116
117 static inline void rfcomm_schedule(uint event)
118 {
119         if (!rfcomm_thread)
120                 return;
121         //set_bit(event, &rfcomm_event);
122         set_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
123         wake_up_process(rfcomm_thread);
124 }
125
126 static inline void rfcomm_session_put(struct rfcomm_session *s)
127 {
128         if (atomic_dec_and_test(&s->refcnt))
129                 rfcomm_session_del(s);
130 }
131
132 /* ---- RFCOMM FCS computation ---- */
133
134 /* reversed, 8-bit, poly=0x07 */
135 static unsigned char rfcomm_crc_table[256] = {
136         0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
137         0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
138         0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
139         0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
140
141         0x38, 0xa9, 0xdb, 0x4a, 0x3f, 0xae, 0xdc, 0x4d,
142         0x36, 0xa7, 0xd5, 0x44, 0x31, 0xa0, 0xd2, 0x43,
143         0x24, 0xb5, 0xc7, 0x56, 0x23, 0xb2, 0xc0, 0x51,
144         0x2a, 0xbb, 0xc9, 0x58, 0x2d, 0xbc, 0xce, 0x5f,
145
146         0x70, 0xe1, 0x93, 0x02, 0x77, 0xe6, 0x94, 0x05,
147         0x7e, 0xef, 0x9d, 0x0c, 0x79, 0xe8, 0x9a, 0x0b,
148         0x6c, 0xfd, 0x8f, 0x1e, 0x6b, 0xfa, 0x88, 0x19,
149         0x62, 0xf3, 0x81, 0x10, 0x65, 0xf4, 0x86, 0x17,
150
151         0x48, 0xd9, 0xab, 0x3a, 0x4f, 0xde, 0xac, 0x3d,
152         0x46, 0xd7, 0xa5, 0x34, 0x41, 0xd0, 0xa2, 0x33,
153         0x54, 0xc5, 0xb7, 0x26, 0x53, 0xc2, 0xb0, 0x21,
154         0x5a, 0xcb, 0xb9, 0x28, 0x5d, 0xcc, 0xbe, 0x2f,
155
156         0xe0, 0x71, 0x03, 0x92, 0xe7, 0x76, 0x04, 0x95,
157         0xee, 0x7f, 0x0d, 0x9c, 0xe9, 0x78, 0x0a, 0x9b,
158         0xfc, 0x6d, 0x1f, 0x8e, 0xfb, 0x6a, 0x18, 0x89,
159         0xf2, 0x63, 0x11, 0x80, 0xf5, 0x64, 0x16, 0x87,
160
161         0xd8, 0x49, 0x3b, 0xaa, 0xdf, 0x4e, 0x3c, 0xad,
162         0xd6, 0x47, 0x35, 0xa4, 0xd1, 0x40, 0x32, 0xa3,
163         0xc4, 0x55, 0x27, 0xb6, 0xc3, 0x52, 0x20, 0xb1,
164         0xca, 0x5b, 0x29, 0xb8, 0xcd, 0x5c, 0x2e, 0xbf,
165
166         0x90, 0x01, 0x73, 0xe2, 0x97, 0x06, 0x74, 0xe5,
167         0x9e, 0x0f, 0x7d, 0xec, 0x99, 0x08, 0x7a, 0xeb,
168         0x8c, 0x1d, 0x6f, 0xfe, 0x8b, 0x1a, 0x68, 0xf9,
169         0x82, 0x13, 0x61, 0xf0, 0x85, 0x14, 0x66, 0xf7,
170
171         0xa8, 0x39, 0x4b, 0xda, 0xaf, 0x3e, 0x4c, 0xdd,
172         0xa6, 0x37, 0x45, 0xd4, 0xa1, 0x30, 0x42, 0xd3,
173         0xb4, 0x25, 0x57, 0xc6, 0xb3, 0x22, 0x50, 0xc1,
174         0xba, 0x2b, 0x59, 0xc8, 0xbd, 0x2c, 0x5e, 0xcf
175 };
176
177 /* CRC on 2 bytes */
178 #define __crc(data) (rfcomm_crc_table[rfcomm_crc_table[0xff ^ data[0]] ^ data[1]])
179
180 /* FCS on 2 bytes */
181 static inline u8 __fcs(u8 *data)
182 {
183         return (0xff - __crc(data));
184 }
185
186 /* FCS on 3 bytes */
187 static inline u8 __fcs2(u8 *data)
188 {
189         return (0xff - rfcomm_crc_table[__crc(data) ^ data[2]]);
190 }
191
192 /* Check FCS */
193 static inline int __check_fcs(u8 *data, int type, u8 fcs)
194 {
195         u8 f = __crc(data);
196
197         if (type != RFCOMM_UIH)
198                 f = rfcomm_crc_table[f ^ data[2]];
199
200         return rfcomm_crc_table[f ^ fcs] != 0xcf;
201 }
202
203 /* ---- L2CAP callbacks ---- */
204 static void rfcomm_l2state_change(struct sock *sk)
205 {
206         BT_DBG("%p state %d", sk, sk->sk_state);
207         rfcomm_schedule(RFCOMM_SCHED_STATE);
208 }
209
210 static void rfcomm_l2data_ready(struct sock *sk, int bytes)
211 {
212         BT_DBG("%p bytes %d", sk, bytes);
213         rfcomm_schedule(RFCOMM_SCHED_RX);
214 }
215
216 static int rfcomm_l2sock_create(struct socket **sock)
217 {
218         int err;
219
220         BT_DBG("");
221
222         err = sock_create_kern(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP, sock);
223         if (!err) {
224                 struct sock *sk = (*sock)->sk;
225                 sk->sk_data_ready   = rfcomm_l2data_ready;
226                 sk->sk_state_change = rfcomm_l2state_change;
227         }
228         return err;
229 }
230
231 static inline int rfcomm_check_link_mode(struct rfcomm_dlc *d)
232 {
233         struct sock *sk = d->session->sock->sk;
234
235         if (d->link_mode & (RFCOMM_LM_ENCRYPT | RFCOMM_LM_SECURE)) {
236                 if (!hci_conn_encrypt(l2cap_pi(sk)->conn->hcon))
237                         return 1;
238         } else if (d->link_mode & RFCOMM_LM_AUTH) {
239                 if (!hci_conn_auth(l2cap_pi(sk)->conn->hcon))
240                         return 1;
241         }
242
243         return 0;
244 }
245
246 /* ---- RFCOMM DLCs ---- */
247 static void rfcomm_dlc_timeout(unsigned long arg)
248 {
249         struct rfcomm_dlc *d = (void *) arg;
250
251         BT_DBG("dlc %p state %ld", d, d->state);
252
253         set_bit(RFCOMM_TIMED_OUT, &d->flags);
254         rfcomm_dlc_put(d);
255         rfcomm_schedule(RFCOMM_SCHED_TIMEO);
256 }
257
258 static void rfcomm_dlc_set_timer(struct rfcomm_dlc *d, long timeout)
259 {
260         BT_DBG("dlc %p state %ld timeout %ld", d, d->state, timeout);
261
262         if (!mod_timer(&d->timer, jiffies + timeout))
263                 rfcomm_dlc_hold(d);
264 }
265
266 static void rfcomm_dlc_clear_timer(struct rfcomm_dlc *d)
267 {
268         BT_DBG("dlc %p state %ld", d, d->state);
269
270         if (timer_pending(&d->timer) && del_timer(&d->timer))
271                 rfcomm_dlc_put(d);
272 }
273
274 static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
275 {
276         BT_DBG("%p", d);
277
278         d->state      = BT_OPEN;
279         d->flags      = 0;
280         d->mscex      = 0;
281         d->mtu        = RFCOMM_DEFAULT_MTU;
282         d->v24_sig    = RFCOMM_V24_RTC | RFCOMM_V24_RTR | RFCOMM_V24_DV;
283
284         d->cfc        = RFCOMM_CFC_DISABLED;
285         d->rx_credits = RFCOMM_DEFAULT_CREDITS;
286 }
287
288 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
289 {
290         struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
291
292         if (!d)
293                 return NULL;
294
295         setup_timer(&d->timer, rfcomm_dlc_timeout, (unsigned long)d);
296
297         skb_queue_head_init(&d->tx_queue);
298         spin_lock_init(&d->lock);
299         atomic_set(&d->refcnt, 1);
300
301         rfcomm_dlc_clear_state(d);
302
303         BT_DBG("%p", d);
304
305         return d;
306 }
307
308 void rfcomm_dlc_free(struct rfcomm_dlc *d)
309 {
310         BT_DBG("%p", d);
311
312         skb_queue_purge(&d->tx_queue);
313         kfree(d);
314 }
315
316 static void rfcomm_dlc_link(struct rfcomm_session *s, struct rfcomm_dlc *d)
317 {
318         BT_DBG("dlc %p session %p", d, s);
319
320         rfcomm_session_hold(s);
321
322         rfcomm_dlc_hold(d);
323         list_add(&d->list, &s->dlcs);
324         d->session = s;
325 }
326
327 static void rfcomm_dlc_unlink(struct rfcomm_dlc *d)
328 {
329         struct rfcomm_session *s = d->session;
330
331         BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s);
332
333         list_del(&d->list);
334         d->session = NULL;
335         rfcomm_dlc_put(d);
336
337         rfcomm_session_put(s);
338 }
339
340 static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
341 {
342         struct rfcomm_dlc *d;
343         struct list_head *p;
344
345         list_for_each(p, &s->dlcs) {
346                 d = list_entry(p, struct rfcomm_dlc, list);
347                 if (d->dlci == dlci)
348                         return d;
349         }
350         return NULL;
351 }
352
353 static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
354 {
355         struct rfcomm_session *s;
356         int err = 0;
357         u8 dlci;
358
359         BT_DBG("dlc %p state %ld %s %s channel %d",
360                         d, d->state, batostr(src), batostr(dst), channel);
361
362         if (channel < 1 || channel > 30)
363                 return -EINVAL;
364
365         if (d->state != BT_OPEN && d->state != BT_CLOSED)
366                 return 0;
367
368         s = rfcomm_session_get(src, dst);
369         if (!s) {
370                 s = rfcomm_session_create(src, dst, &err);
371                 if (!s)
372                         return err;
373         }
374
375         dlci = __dlci(!s->initiator, channel);
376
377         /* Check if DLCI already exists */
378         if (rfcomm_dlc_get(s, dlci))
379                 return -EBUSY;
380
381         rfcomm_dlc_clear_state(d);
382
383         d->dlci     = dlci;
384         d->addr     = __addr(s->initiator, dlci);
385         d->priority = 7;
386
387         d->state = BT_CONFIG;
388         rfcomm_dlc_link(s, d);
389
390         d->out = 1;
391
392         d->mtu = s->mtu;
393         d->cfc = (s->cfc == RFCOMM_CFC_UNKNOWN) ? 0 : s->cfc;
394
395         if (s->state == BT_CONNECTED) {
396                 if (rfcomm_check_link_mode(d))
397                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
398                 else
399                         rfcomm_send_pn(s, 1, d);
400         }
401
402         rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
403
404         return 0;
405 }
406
407 int rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
408 {
409         int r;
410
411         rfcomm_lock();
412
413         r = __rfcomm_dlc_open(d, src, dst, channel);
414
415         rfcomm_unlock();
416         return r;
417 }
418
419 static int __rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
420 {
421         struct rfcomm_session *s = d->session;
422         if (!s)
423                 return 0;
424
425         BT_DBG("dlc %p state %ld dlci %d err %d session %p",
426                         d, d->state, d->dlci, err, s);
427
428         switch (d->state) {
429         case BT_CONNECTED:
430         case BT_CONFIG:
431         case BT_CONNECT:
432                 d->state = BT_DISCONN;
433                 if (skb_queue_empty(&d->tx_queue)) {
434                         rfcomm_send_disc(s, d->dlci);
435                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT);
436                 } else {
437                         rfcomm_queue_disc(d);
438                         rfcomm_dlc_set_timer(d, RFCOMM_DISC_TIMEOUT * 2);
439                 }
440                 break;
441
442         default:
443                 rfcomm_dlc_clear_timer(d);
444
445                 rfcomm_dlc_lock(d);
446                 d->state = BT_CLOSED;
447                 d->state_change(d, err);
448                 rfcomm_dlc_unlock(d);
449
450                 skb_queue_purge(&d->tx_queue);
451                 rfcomm_dlc_unlink(d);
452         }
453
454         return 0;
455 }
456
457 int rfcomm_dlc_close(struct rfcomm_dlc *d, int err)
458 {
459         int r;
460
461         rfcomm_lock();
462
463         r = __rfcomm_dlc_close(d, err);
464
465         rfcomm_unlock();
466         return r;
467 }
468
469 int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
470 {
471         int len = skb->len;
472
473         if (d->state != BT_CONNECTED)
474                 return -ENOTCONN;
475
476         BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
477
478         if (len > d->mtu)
479                 return -EINVAL;
480
481         rfcomm_make_uih(skb, d->addr);
482         skb_queue_tail(&d->tx_queue, skb);
483
484         if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
485                 rfcomm_schedule(RFCOMM_SCHED_TX);
486         return len;
487 }
488
489 void __rfcomm_dlc_throttle(struct rfcomm_dlc *d)
490 {
491         BT_DBG("dlc %p state %ld", d, d->state);
492
493         if (!d->cfc) {
494                 d->v24_sig |= RFCOMM_V24_FC;
495                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
496         }
497         rfcomm_schedule(RFCOMM_SCHED_TX);
498 }
499
500 void __rfcomm_dlc_unthrottle(struct rfcomm_dlc *d)
501 {
502         BT_DBG("dlc %p state %ld", d, d->state);
503
504         if (!d->cfc) {
505                 d->v24_sig &= ~RFCOMM_V24_FC;
506                 set_bit(RFCOMM_MSC_PENDING, &d->flags);
507         }
508         rfcomm_schedule(RFCOMM_SCHED_TX);
509 }
510
511 /*
512    Set/get modem status functions use _local_ status i.e. what we report
513    to the other side.
514    Remote status is provided by dlc->modem_status() callback.
515  */
516 int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig)
517 {
518         BT_DBG("dlc %p state %ld v24_sig 0x%x",
519                         d, d->state, v24_sig);
520
521         if (test_bit(RFCOMM_RX_THROTTLED, &d->flags))
522                 v24_sig |= RFCOMM_V24_FC;
523         else
524                 v24_sig &= ~RFCOMM_V24_FC;
525
526         d->v24_sig = v24_sig;
527
528         if (!test_and_set_bit(RFCOMM_MSC_PENDING, &d->flags))
529                 rfcomm_schedule(RFCOMM_SCHED_TX);
530
531         return 0;
532 }
533
534 int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
535 {
536         BT_DBG("dlc %p state %ld v24_sig 0x%x",
537                         d, d->state, d->v24_sig);
538
539         *v24_sig = d->v24_sig;
540         return 0;
541 }
542
543 /* ---- RFCOMM sessions ---- */
544 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
545 {
546         struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
547
548         if (!s)
549                 return NULL;
550
551         BT_DBG("session %p sock %p", s, sock);
552
553         INIT_LIST_HEAD(&s->dlcs);
554         s->state = state;
555         s->sock  = sock;
556
557         s->mtu = RFCOMM_DEFAULT_MTU;
558         s->cfc = disable_cfc ? RFCOMM_CFC_DISABLED : RFCOMM_CFC_UNKNOWN;
559
560         /* Do not increment module usage count for listening sessions.
561          * Otherwise we won't be able to unload the module. */
562         if (state != BT_LISTEN)
563                 if (!try_module_get(THIS_MODULE)) {
564                         kfree(s);
565                         return NULL;
566                 }
567
568         list_add(&s->list, &session_list);
569
570         return s;
571 }
572
573 static void rfcomm_session_del(struct rfcomm_session *s)
574 {
575         int state = s->state;
576
577         BT_DBG("session %p state %ld", s, s->state);
578
579         list_del(&s->list);
580
581         if (state == BT_CONNECTED)
582                 rfcomm_send_disc(s, 0);
583
584         sock_release(s->sock);
585         kfree(s);
586
587         if (state != BT_LISTEN)
588                 module_put(THIS_MODULE);
589 }
590
591 static struct rfcomm_session *rfcomm_session_get(bdaddr_t *src, bdaddr_t *dst)
592 {
593         struct rfcomm_session *s;
594         struct list_head *p, *n;
595         struct bt_sock *sk;
596         list_for_each_safe(p, n, &session_list) {
597                 s = list_entry(p, struct rfcomm_session, list);
598                 sk = bt_sk(s->sock->sk);
599
600                 if ((!bacmp(src, BDADDR_ANY) || !bacmp(&sk->src, src)) &&
601                                 !bacmp(&sk->dst, dst))
602                         return s;
603         }
604         return NULL;
605 }
606
607 static void rfcomm_session_close(struct rfcomm_session *s, int err)
608 {
609         struct rfcomm_dlc *d;
610         struct list_head *p, *n;
611
612         BT_DBG("session %p state %ld err %d", s, s->state, err);
613
614         rfcomm_session_hold(s);
615
616         s->state = BT_CLOSED;
617
618         /* Close all dlcs */
619         list_for_each_safe(p, n, &s->dlcs) {
620                 d = list_entry(p, struct rfcomm_dlc, list);
621                 d->state = BT_CLOSED;
622                 __rfcomm_dlc_close(d, err);
623         }
624
625         rfcomm_session_put(s);
626 }
627
628 static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src, bdaddr_t *dst, int *err)
629 {
630         struct rfcomm_session *s = NULL;
631         struct sockaddr_l2 addr;
632         struct socket *sock;
633         struct sock *sk;
634
635         BT_DBG("%s %s", batostr(src), batostr(dst));
636
637         *err = rfcomm_l2sock_create(&sock);
638         if (*err < 0)
639                 return NULL;
640
641         bacpy(&addr.l2_bdaddr, src);
642         addr.l2_family = AF_BLUETOOTH;
643         addr.l2_psm    = 0;
644         *err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
645         if (*err < 0)
646                 goto failed;
647
648         /* Set L2CAP options */
649         sk = sock->sk;
650         lock_sock(sk);
651         l2cap_pi(sk)->imtu = l2cap_mtu;
652         release_sock(sk);
653
654         s = rfcomm_session_add(sock, BT_BOUND);
655         if (!s) {
656                 *err = -ENOMEM;
657                 goto failed;
658         }
659
660         s->initiator = 1;
661
662         bacpy(&addr.l2_bdaddr, dst);
663         addr.l2_family = AF_BLUETOOTH;
664         addr.l2_psm    = htobs(RFCOMM_PSM);
665         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
666         if (*err == 0 || *err == -EINPROGRESS)
667                 return s;
668
669         rfcomm_session_del(s);
670         return NULL;
671
672 failed:
673         sock_release(sock);
674         return NULL;
675 }
676
677 void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *dst)
678 {
679         struct sock *sk = s->sock->sk;
680         if (src)
681                 bacpy(src, &bt_sk(sk)->src);
682         if (dst)
683                 bacpy(dst, &bt_sk(sk)->dst);
684 }
685
686 /* ---- RFCOMM frame sending ---- */
687 static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
688 {
689         struct socket *sock = s->sock;
690         struct kvec iv = { data, len };
691         struct msghdr msg;
692
693         BT_DBG("session %p len %d", s, len);
694
695         memset(&msg, 0, sizeof(msg));
696
697         return kernel_sendmsg(sock, &msg, &iv, 1, len);
698 }
699
700 static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
701 {
702         struct rfcomm_cmd cmd;
703
704         BT_DBG("%p dlci %d", s, dlci);
705
706         cmd.addr = __addr(s->initiator, dlci);
707         cmd.ctrl = __ctrl(RFCOMM_SABM, 1);
708         cmd.len  = __len8(0);
709         cmd.fcs  = __fcs2((u8 *) &cmd);
710
711         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
712 }
713
714 static int rfcomm_send_ua(struct rfcomm_session *s, u8 dlci)
715 {
716         struct rfcomm_cmd cmd;
717
718         BT_DBG("%p dlci %d", s, dlci);
719
720         cmd.addr = __addr(!s->initiator, dlci);
721         cmd.ctrl = __ctrl(RFCOMM_UA, 1);
722         cmd.len  = __len8(0);
723         cmd.fcs  = __fcs2((u8 *) &cmd);
724
725         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
726 }
727
728 static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci)
729 {
730         struct rfcomm_cmd cmd;
731
732         BT_DBG("%p dlci %d", s, dlci);
733
734         cmd.addr = __addr(s->initiator, dlci);
735         cmd.ctrl = __ctrl(RFCOMM_DISC, 1);
736         cmd.len  = __len8(0);
737         cmd.fcs  = __fcs2((u8 *) &cmd);
738
739         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
740 }
741
742 static int rfcomm_queue_disc(struct rfcomm_dlc *d)
743 {
744         struct rfcomm_cmd *cmd;
745         struct sk_buff *skb;
746
747         BT_DBG("dlc %p dlci %d", d, d->dlci);
748
749         skb = alloc_skb(sizeof(*cmd), GFP_KERNEL);
750         if (!skb)
751                 return -ENOMEM;
752
753         cmd = (void *) __skb_put(skb, sizeof(*cmd));
754         cmd->addr = d->addr;
755         cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
756         cmd->len  = __len8(0);
757         cmd->fcs  = __fcs2((u8 *) cmd);
758
759         skb_queue_tail(&d->tx_queue, skb);
760         rfcomm_schedule(RFCOMM_SCHED_TX);
761         return 0;
762 }
763
764 static int rfcomm_send_dm(struct rfcomm_session *s, u8 dlci)
765 {
766         struct rfcomm_cmd cmd;
767
768         BT_DBG("%p dlci %d", s, dlci);
769
770         cmd.addr = __addr(!s->initiator, dlci);
771         cmd.ctrl = __ctrl(RFCOMM_DM, 1);
772         cmd.len  = __len8(0);
773         cmd.fcs  = __fcs2((u8 *) &cmd);
774
775         return rfcomm_send_frame(s, (void *) &cmd, sizeof(cmd));
776 }
777
778 static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
779 {
780         struct rfcomm_hdr *hdr;
781         struct rfcomm_mcc *mcc;
782         u8 buf[16], *ptr = buf;
783
784         BT_DBG("%p cr %d type %d", s, cr, type);
785
786         hdr = (void *) ptr; ptr += sizeof(*hdr);
787         hdr->addr = __addr(s->initiator, 0);
788         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
789         hdr->len  = __len8(sizeof(*mcc) + 1);
790
791         mcc = (void *) ptr; ptr += sizeof(*mcc);
792         mcc->type = __mcc_type(cr, RFCOMM_NSC);
793         mcc->len  = __len8(1);
794
795         /* Type that we didn't like */
796         *ptr = __mcc_type(cr, type); ptr++;
797
798         *ptr = __fcs(buf); ptr++;
799
800         return rfcomm_send_frame(s, buf, ptr - buf);
801 }
802
803 static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
804 {
805         struct rfcomm_hdr *hdr;
806         struct rfcomm_mcc *mcc;
807         struct rfcomm_pn  *pn;
808         u8 buf[16], *ptr = buf;
809
810         BT_DBG("%p cr %d dlci %d mtu %d", s, cr, d->dlci, d->mtu);
811
812         hdr = (void *) ptr; ptr += sizeof(*hdr);
813         hdr->addr = __addr(s->initiator, 0);
814         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
815         hdr->len  = __len8(sizeof(*mcc) + sizeof(*pn));
816
817         mcc = (void *) ptr; ptr += sizeof(*mcc);
818         mcc->type = __mcc_type(cr, RFCOMM_PN);
819         mcc->len  = __len8(sizeof(*pn));
820
821         pn = (void *) ptr; ptr += sizeof(*pn);
822         pn->dlci        = d->dlci;
823         pn->priority    = d->priority;
824         pn->ack_timer   = 0;
825         pn->max_retrans = 0;
826
827         if (s->cfc) {
828                 pn->flow_ctrl = cr ? 0xf0 : 0xe0;
829                 pn->credits = RFCOMM_DEFAULT_CREDITS;
830         } else {
831                 pn->flow_ctrl = 0;
832                 pn->credits   = 0;
833         }
834
835         if (cr && channel_mtu >= 0)
836                 pn->mtu = htobs(channel_mtu);
837         else
838                 pn->mtu = htobs(d->mtu);
839
840         *ptr = __fcs(buf); ptr++;
841
842         return rfcomm_send_frame(s, buf, ptr - buf);
843 }
844
845 int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
846                         u8 bit_rate, u8 data_bits, u8 stop_bits,
847                         u8 parity, u8 flow_ctrl_settings,
848                         u8 xon_char, u8 xoff_char, u16 param_mask)
849 {
850         struct rfcomm_hdr *hdr;
851         struct rfcomm_mcc *mcc;
852         struct rfcomm_rpn *rpn;
853         u8 buf[16], *ptr = buf;
854
855         BT_DBG("%p cr %d dlci %d bit_r 0x%x data_b 0x%x stop_b 0x%x parity 0x%x"
856                         " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x",
857                 s, cr, dlci, bit_rate, data_bits, stop_bits, parity,
858                 flow_ctrl_settings, xon_char, xoff_char, param_mask);
859
860         hdr = (void *) ptr; ptr += sizeof(*hdr);
861         hdr->addr = __addr(s->initiator, 0);
862         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
863         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
864
865         mcc = (void *) ptr; ptr += sizeof(*mcc);
866         mcc->type = __mcc_type(cr, RFCOMM_RPN);
867         mcc->len  = __len8(sizeof(*rpn));
868
869         rpn = (void *) ptr; ptr += sizeof(*rpn);
870         rpn->dlci          = __addr(1, dlci);
871         rpn->bit_rate      = bit_rate;
872         rpn->line_settings = __rpn_line_settings(data_bits, stop_bits, parity);
873         rpn->flow_ctrl     = flow_ctrl_settings;
874         rpn->xon_char      = xon_char;
875         rpn->xoff_char     = xoff_char;
876         rpn->param_mask    = cpu_to_le16(param_mask);
877
878         *ptr = __fcs(buf); ptr++;
879
880         return rfcomm_send_frame(s, buf, ptr - buf);
881 }
882
883 static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
884 {
885         struct rfcomm_hdr *hdr;
886         struct rfcomm_mcc *mcc;
887         struct rfcomm_rls *rls;
888         u8 buf[16], *ptr = buf;
889
890         BT_DBG("%p cr %d status 0x%x", s, cr, status);
891
892         hdr = (void *) ptr; ptr += sizeof(*hdr);
893         hdr->addr = __addr(s->initiator, 0);
894         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
895         hdr->len  = __len8(sizeof(*mcc) + sizeof(*rls));
896
897         mcc = (void *) ptr; ptr += sizeof(*mcc);
898         mcc->type = __mcc_type(cr, RFCOMM_RLS);
899         mcc->len  = __len8(sizeof(*rls));
900
901         rls = (void *) ptr; ptr += sizeof(*rls);
902         rls->dlci   = __addr(1, dlci);
903         rls->status = status;
904
905         *ptr = __fcs(buf); ptr++;
906
907         return rfcomm_send_frame(s, buf, ptr - buf);
908 }
909
910 static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
911 {
912         struct rfcomm_hdr *hdr;
913         struct rfcomm_mcc *mcc;
914         struct rfcomm_msc *msc;
915         u8 buf[16], *ptr = buf;
916
917         BT_DBG("%p cr %d v24 0x%x", s, cr, v24_sig);
918
919         hdr = (void *) ptr; ptr += sizeof(*hdr);
920         hdr->addr = __addr(s->initiator, 0);
921         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
922         hdr->len  = __len8(sizeof(*mcc) + sizeof(*msc));
923
924         mcc = (void *) ptr; ptr += sizeof(*mcc);
925         mcc->type = __mcc_type(cr, RFCOMM_MSC);
926         mcc->len  = __len8(sizeof(*msc));
927
928         msc = (void *) ptr; ptr += sizeof(*msc);
929         msc->dlci    = __addr(1, dlci);
930         msc->v24_sig = v24_sig | 0x01;
931
932         *ptr = __fcs(buf); ptr++;
933
934         return rfcomm_send_frame(s, buf, ptr - buf);
935 }
936
937 static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
938 {
939         struct rfcomm_hdr *hdr;
940         struct rfcomm_mcc *mcc;
941         u8 buf[16], *ptr = buf;
942
943         BT_DBG("%p cr %d", s, cr);
944
945         hdr = (void *) ptr; ptr += sizeof(*hdr);
946         hdr->addr = __addr(s->initiator, 0);
947         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
948         hdr->len  = __len8(sizeof(*mcc));
949
950         mcc = (void *) ptr; ptr += sizeof(*mcc);
951         mcc->type = __mcc_type(cr, RFCOMM_FCOFF);
952         mcc->len  = __len8(0);
953
954         *ptr = __fcs(buf); ptr++;
955
956         return rfcomm_send_frame(s, buf, ptr - buf);
957 }
958
959 static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
960 {
961         struct rfcomm_hdr *hdr;
962         struct rfcomm_mcc *mcc;
963         u8 buf[16], *ptr = buf;
964
965         BT_DBG("%p cr %d", s, cr);
966
967         hdr = (void *) ptr; ptr += sizeof(*hdr);
968         hdr->addr = __addr(s->initiator, 0);
969         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
970         hdr->len  = __len8(sizeof(*mcc));
971
972         mcc = (void *) ptr; ptr += sizeof(*mcc);
973         mcc->type = __mcc_type(cr, RFCOMM_FCON);
974         mcc->len  = __len8(0);
975
976         *ptr = __fcs(buf); ptr++;
977
978         return rfcomm_send_frame(s, buf, ptr - buf);
979 }
980
981 static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
982 {
983         struct socket *sock = s->sock;
984         struct kvec iv[3];
985         struct msghdr msg;
986         unsigned char hdr[5], crc[1];
987
988         if (len > 125)
989                 return -EINVAL;
990
991         BT_DBG("%p cr %d", s, cr);
992
993         hdr[0] = __addr(s->initiator, 0);
994         hdr[1] = __ctrl(RFCOMM_UIH, 0);
995         hdr[2] = 0x01 | ((len + 2) << 1);
996         hdr[3] = 0x01 | ((cr & 0x01) << 1) | (RFCOMM_TEST << 2);
997         hdr[4] = 0x01 | (len << 1);
998
999         crc[0] = __fcs(hdr);
1000
1001         iv[0].iov_base = hdr;
1002         iv[0].iov_len  = 5;
1003         iv[1].iov_base = pattern;
1004         iv[1].iov_len  = len;
1005         iv[2].iov_base = crc;
1006         iv[2].iov_len  = 1;
1007
1008         memset(&msg, 0, sizeof(msg));
1009
1010         return kernel_sendmsg(sock, &msg, iv, 3, 6 + len);
1011 }
1012
1013 static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1014 {
1015         struct rfcomm_hdr *hdr;
1016         u8 buf[16], *ptr = buf;
1017
1018         BT_DBG("%p addr %d credits %d", s, addr, credits);
1019
1020         hdr = (void *) ptr; ptr += sizeof(*hdr);
1021         hdr->addr = addr;
1022         hdr->ctrl = __ctrl(RFCOMM_UIH, 1);
1023         hdr->len  = __len8(0);
1024
1025         *ptr = credits; ptr++;
1026
1027         *ptr = __fcs(buf); ptr++;
1028
1029         return rfcomm_send_frame(s, buf, ptr - buf);
1030 }
1031
1032 static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
1033 {
1034         struct rfcomm_hdr *hdr;
1035         int len = skb->len;
1036         u8 *crc;
1037
1038         if (len > 127) {
1039                 hdr = (void *) skb_push(skb, 4);
1040                 put_unaligned(htobs(__len16(len)), (__le16 *) &hdr->len);
1041         } else {
1042                 hdr = (void *) skb_push(skb, 3);
1043                 hdr->len = __len8(len);
1044         }
1045         hdr->addr = addr;
1046         hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
1047
1048         crc = skb_put(skb, 1);
1049         *crc = __fcs((void *) hdr);
1050 }
1051
1052 /* ---- RFCOMM frame reception ---- */
1053 static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1054 {
1055         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1056
1057         if (dlci) {
1058                 /* Data channel */
1059                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1060                 if (!d) {
1061                         rfcomm_send_dm(s, dlci);
1062                         return 0;
1063                 }
1064
1065                 switch (d->state) {
1066                 case BT_CONNECT:
1067                         rfcomm_dlc_clear_timer(d);
1068
1069                         rfcomm_dlc_lock(d);
1070                         d->state = BT_CONNECTED;
1071                         d->state_change(d, 0);
1072                         rfcomm_dlc_unlock(d);
1073
1074                         rfcomm_send_msc(s, 1, dlci, d->v24_sig);
1075                         break;
1076
1077                 case BT_DISCONN:
1078                         d->state = BT_CLOSED;
1079                         __rfcomm_dlc_close(d, 0);
1080
1081                         if (list_empty(&s->dlcs)) {
1082                                 s->state = BT_DISCONN;
1083                                 rfcomm_send_disc(s, 0);
1084                         }
1085
1086                         break;
1087                 }
1088         } else {
1089                 /* Control channel */
1090                 switch (s->state) {
1091                 case BT_CONNECT:
1092                         s->state = BT_CONNECTED;
1093                         rfcomm_process_connect(s);
1094                         break;
1095
1096                 case BT_DISCONN:
1097                         rfcomm_session_put(s);
1098                         break;
1099                 }
1100         }
1101         return 0;
1102 }
1103
1104 static int rfcomm_recv_dm(struct rfcomm_session *s, u8 dlci)
1105 {
1106         int err = 0;
1107
1108         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1109
1110         if (dlci) {
1111                 /* Data DLC */
1112                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1113                 if (d) {
1114                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1115                                 err = ECONNREFUSED;
1116                         else
1117                                 err = ECONNRESET;
1118
1119                         d->state = BT_CLOSED;
1120                         __rfcomm_dlc_close(d, err);
1121                 }
1122         } else {
1123                 if (s->state == BT_CONNECT)
1124                         err = ECONNREFUSED;
1125                 else
1126                         err = ECONNRESET;
1127
1128                 s->state = BT_CLOSED;
1129                 rfcomm_session_close(s, err);
1130         }
1131         return 0;
1132 }
1133
1134 static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
1135 {
1136         int err = 0;
1137
1138         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1139
1140         if (dlci) {
1141                 struct rfcomm_dlc *d = rfcomm_dlc_get(s, dlci);
1142                 if (d) {
1143                         rfcomm_send_ua(s, dlci);
1144
1145                         if (d->state == BT_CONNECT || d->state == BT_CONFIG)
1146                                 err = ECONNREFUSED;
1147                         else
1148                                 err = ECONNRESET;
1149
1150                         d->state = BT_CLOSED;
1151                         __rfcomm_dlc_close(d, err);
1152                 } else
1153                         rfcomm_send_dm(s, dlci);
1154
1155         } else {
1156                 rfcomm_send_ua(s, 0);
1157
1158                 if (s->state == BT_CONNECT)
1159                         err = ECONNREFUSED;
1160                 else
1161                         err = ECONNRESET;
1162
1163                 s->state = BT_CLOSED;
1164                 rfcomm_session_close(s, err);
1165         }
1166
1167         return 0;
1168 }
1169
1170 static void rfcomm_dlc_accept(struct rfcomm_dlc *d)
1171 {
1172         struct sock *sk = d->session->sock->sk;
1173
1174         BT_DBG("dlc %p", d);
1175
1176         rfcomm_send_ua(d->session, d->dlci);
1177
1178         rfcomm_dlc_lock(d);
1179         d->state = BT_CONNECTED;
1180         d->state_change(d, 0);
1181         rfcomm_dlc_unlock(d);
1182
1183         if (d->link_mode & RFCOMM_LM_MASTER)
1184                 hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
1185
1186         rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1187 }
1188
1189 static int rfcomm_recv_sabm(struct rfcomm_session *s, u8 dlci)
1190 {
1191         struct rfcomm_dlc *d;
1192         u8 channel;
1193
1194         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1195
1196         if (!dlci) {
1197                 rfcomm_send_ua(s, 0);
1198
1199                 if (s->state == BT_OPEN) {
1200                         s->state = BT_CONNECTED;
1201                         rfcomm_process_connect(s);
1202                 }
1203                 return 0;
1204         }
1205
1206         /* Check if DLC exists */
1207         d = rfcomm_dlc_get(s, dlci);
1208         if (d) {
1209                 if (d->state == BT_OPEN) {
1210                         /* DLC was previously opened by PN request */
1211                         if (rfcomm_check_link_mode(d)) {
1212                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1213                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1214                         } else
1215                                 rfcomm_dlc_accept(d);
1216                 }
1217                 return 0;
1218         }
1219
1220         /* Notify socket layer about incoming connection */
1221         channel = __srv_channel(dlci);
1222         if (rfcomm_connect_ind(s, channel, &d)) {
1223                 d->dlci = dlci;
1224                 d->addr = __addr(s->initiator, dlci);
1225                 rfcomm_dlc_link(s, d);
1226
1227                 if (rfcomm_check_link_mode(d)) {
1228                         set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1229                         rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1230                 } else
1231                         rfcomm_dlc_accept(d);
1232         } else {
1233                 rfcomm_send_dm(s, dlci);
1234         }
1235
1236         return 0;
1237 }
1238
1239 static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
1240 {
1241         struct rfcomm_session *s = d->session;
1242
1243         BT_DBG("dlc %p state %ld dlci %d mtu %d fc 0x%x credits %d",
1244                         d, d->state, d->dlci, pn->mtu, pn->flow_ctrl, pn->credits);
1245
1246         if ((pn->flow_ctrl == 0xf0 && s->cfc != RFCOMM_CFC_DISABLED) ||
1247                                                 pn->flow_ctrl == 0xe0) {
1248                 d->cfc = RFCOMM_CFC_ENABLED;
1249                 d->tx_credits = pn->credits;
1250         } else {
1251                 d->cfc = RFCOMM_CFC_DISABLED;
1252                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1253         }
1254
1255         if (s->cfc == RFCOMM_CFC_UNKNOWN)
1256                 s->cfc = d->cfc;
1257
1258         d->priority = pn->priority;
1259
1260         d->mtu = btohs(pn->mtu);
1261
1262         if (cr && d->mtu > s->mtu)
1263                 d->mtu = s->mtu;
1264
1265         return 0;
1266 }
1267
1268 static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1269 {
1270         struct rfcomm_pn *pn = (void *) skb->data;
1271         struct rfcomm_dlc *d;
1272         u8 dlci = pn->dlci;
1273
1274         BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
1275
1276         if (!dlci)
1277                 return 0;
1278
1279         d = rfcomm_dlc_get(s, dlci);
1280         if (d) {
1281                 if (cr) {
1282                         /* PN request */
1283                         rfcomm_apply_pn(d, cr, pn);
1284                         rfcomm_send_pn(s, 0, d);
1285                 } else {
1286                         /* PN response */
1287                         switch (d->state) {
1288                         case BT_CONFIG:
1289                                 rfcomm_apply_pn(d, cr, pn);
1290
1291                                 d->state = BT_CONNECT;
1292                                 rfcomm_send_sabm(s, d->dlci);
1293                                 break;
1294                         }
1295                 }
1296         } else {
1297                 u8 channel = __srv_channel(dlci);
1298
1299                 if (!cr)
1300                         return 0;
1301
1302                 /* PN request for non existing DLC.
1303                  * Assume incoming connection. */
1304                 if (rfcomm_connect_ind(s, channel, &d)) {
1305                         d->dlci = dlci;
1306                         d->addr = __addr(s->initiator, dlci);
1307                         rfcomm_dlc_link(s, d);
1308
1309                         rfcomm_apply_pn(d, cr, pn);
1310
1311                         d->state = BT_OPEN;
1312                         rfcomm_send_pn(s, 0, d);
1313                 } else {
1314                         rfcomm_send_dm(s, dlci);
1315                 }
1316         }
1317         return 0;
1318 }
1319
1320 static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
1321 {
1322         struct rfcomm_rpn *rpn = (void *) skb->data;
1323         u8 dlci = __get_dlci(rpn->dlci);
1324
1325         u8 bit_rate  = 0;
1326         u8 data_bits = 0;
1327         u8 stop_bits = 0;
1328         u8 parity    = 0;
1329         u8 flow_ctrl = 0;
1330         u8 xon_char  = 0;
1331         u8 xoff_char = 0;
1332         u16 rpn_mask = RFCOMM_RPN_PM_ALL;
1333
1334         BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
1335                 dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
1336                 rpn->xon_char, rpn->xoff_char, rpn->param_mask);
1337
1338         if (!cr)
1339                 return 0;
1340
1341         if (len == 1) {
1342                 /* This is a request, return default settings */
1343                 bit_rate  = RFCOMM_RPN_BR_115200;
1344                 data_bits = RFCOMM_RPN_DATA_8;
1345                 stop_bits = RFCOMM_RPN_STOP_1;
1346                 parity    = RFCOMM_RPN_PARITY_NONE;
1347                 flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1348                 xon_char  = RFCOMM_RPN_XON_CHAR;
1349                 xoff_char = RFCOMM_RPN_XOFF_CHAR;
1350                 goto rpn_out;
1351         }
1352
1353         /* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
1354          * no parity, no flow control lines, normal XON/XOFF chars */
1355
1356         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_BITRATE)) {
1357                 bit_rate = rpn->bit_rate;
1358                 if (bit_rate != RFCOMM_RPN_BR_115200) {
1359                         BT_DBG("RPN bit rate mismatch 0x%x", bit_rate);
1360                         bit_rate = RFCOMM_RPN_BR_115200;
1361                         rpn_mask ^= RFCOMM_RPN_PM_BITRATE;
1362                 }
1363         }
1364
1365         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_DATA)) {
1366                 data_bits = __get_rpn_data_bits(rpn->line_settings);
1367                 if (data_bits != RFCOMM_RPN_DATA_8) {
1368                         BT_DBG("RPN data bits mismatch 0x%x", data_bits);
1369                         data_bits = RFCOMM_RPN_DATA_8;
1370                         rpn_mask ^= RFCOMM_RPN_PM_DATA;
1371                 }
1372         }
1373
1374         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_STOP)) {
1375                 stop_bits = __get_rpn_stop_bits(rpn->line_settings);
1376                 if (stop_bits != RFCOMM_RPN_STOP_1) {
1377                         BT_DBG("RPN stop bits mismatch 0x%x", stop_bits);
1378                         stop_bits = RFCOMM_RPN_STOP_1;
1379                         rpn_mask ^= RFCOMM_RPN_PM_STOP;
1380                 }
1381         }
1382
1383         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_PARITY)) {
1384                 parity = __get_rpn_parity(rpn->line_settings);
1385                 if (parity != RFCOMM_RPN_PARITY_NONE) {
1386                         BT_DBG("RPN parity mismatch 0x%x", parity);
1387                         parity = RFCOMM_RPN_PARITY_NONE;
1388                         rpn_mask ^= RFCOMM_RPN_PM_PARITY;
1389                 }
1390         }
1391
1392         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_FLOW)) {
1393                 flow_ctrl = rpn->flow_ctrl;
1394                 if (flow_ctrl != RFCOMM_RPN_FLOW_NONE) {
1395                         BT_DBG("RPN flow ctrl mismatch 0x%x", flow_ctrl);
1396                         flow_ctrl = RFCOMM_RPN_FLOW_NONE;
1397                         rpn_mask ^= RFCOMM_RPN_PM_FLOW;
1398                 }
1399         }
1400
1401         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XON)) {
1402                 xon_char = rpn->xon_char;
1403                 if (xon_char != RFCOMM_RPN_XON_CHAR) {
1404                         BT_DBG("RPN XON char mismatch 0x%x", xon_char);
1405                         xon_char = RFCOMM_RPN_XON_CHAR;
1406                         rpn_mask ^= RFCOMM_RPN_PM_XON;
1407                 }
1408         }
1409
1410         if (rpn->param_mask & cpu_to_le16(RFCOMM_RPN_PM_XOFF)) {
1411                 xoff_char = rpn->xoff_char;
1412                 if (xoff_char != RFCOMM_RPN_XOFF_CHAR) {
1413                         BT_DBG("RPN XOFF char mismatch 0x%x", xoff_char);
1414                         xoff_char = RFCOMM_RPN_XOFF_CHAR;
1415                         rpn_mask ^= RFCOMM_RPN_PM_XOFF;
1416                 }
1417         }
1418
1419 rpn_out:
1420         rfcomm_send_rpn(s, 0, dlci, bit_rate, data_bits, stop_bits,
1421                         parity, flow_ctrl, xon_char, xoff_char, rpn_mask);
1422
1423         return 0;
1424 }
1425
1426 static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1427 {
1428         struct rfcomm_rls *rls = (void *) skb->data;
1429         u8 dlci = __get_dlci(rls->dlci);
1430
1431         BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
1432
1433         if (!cr)
1434                 return 0;
1435
1436         /* We should probably do something with this information here. But
1437          * for now it's sufficient just to reply -- Bluetooth 1.1 says it's
1438          * mandatory to recognise and respond to RLS */
1439
1440         rfcomm_send_rls(s, 0, dlci, rls->status);
1441
1442         return 0;
1443 }
1444
1445 static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
1446 {
1447         struct rfcomm_msc *msc = (void *) skb->data;
1448         struct rfcomm_dlc *d;
1449         u8 dlci = __get_dlci(msc->dlci);
1450
1451         BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
1452
1453         d = rfcomm_dlc_get(s, dlci);
1454         if (!d)
1455                 return 0;
1456
1457         if (cr) {
1458                 if (msc->v24_sig & RFCOMM_V24_FC && !d->cfc)
1459                         set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1460                 else
1461                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1462
1463                 rfcomm_dlc_lock(d);
1464
1465                 d->remote_v24_sig = msc->v24_sig;
1466
1467                 if (d->modem_status)
1468                         d->modem_status(d, msc->v24_sig);
1469
1470                 rfcomm_dlc_unlock(d);
1471
1472                 rfcomm_send_msc(s, 0, dlci, msc->v24_sig);
1473
1474                 d->mscex |= RFCOMM_MSCEX_RX;
1475         } else
1476                 d->mscex |= RFCOMM_MSCEX_TX;
1477
1478         return 0;
1479 }
1480
1481 static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
1482 {
1483         struct rfcomm_mcc *mcc = (void *) skb->data;
1484         u8 type, cr, len;
1485
1486         cr   = __test_cr(mcc->type);
1487         type = __get_mcc_type(mcc->type);
1488         len  = __get_mcc_len(mcc->len);
1489
1490         BT_DBG("%p type 0x%x cr %d", s, type, cr);
1491
1492         skb_pull(skb, 2);
1493
1494         switch (type) {
1495         case RFCOMM_PN:
1496                 rfcomm_recv_pn(s, cr, skb);
1497                 break;
1498
1499         case RFCOMM_RPN:
1500                 rfcomm_recv_rpn(s, cr, len, skb);
1501                 break;
1502
1503         case RFCOMM_RLS:
1504                 rfcomm_recv_rls(s, cr, skb);
1505                 break;
1506
1507         case RFCOMM_MSC:
1508                 rfcomm_recv_msc(s, cr, skb);
1509                 break;
1510
1511         case RFCOMM_FCOFF:
1512                 if (cr) {
1513                         set_bit(RFCOMM_TX_THROTTLED, &s->flags);
1514                         rfcomm_send_fcoff(s, 0);
1515                 }
1516                 break;
1517
1518         case RFCOMM_FCON:
1519                 if (cr) {
1520                         clear_bit(RFCOMM_TX_THROTTLED, &s->flags);
1521                         rfcomm_send_fcon(s, 0);
1522                 }
1523                 break;
1524
1525         case RFCOMM_TEST:
1526                 if (cr)
1527                         rfcomm_send_test(s, 0, skb->data, skb->len);
1528                 break;
1529
1530         case RFCOMM_NSC:
1531                 break;
1532
1533         default:
1534                 BT_ERR("Unknown control type 0x%02x", type);
1535                 rfcomm_send_nsc(s, cr, type);
1536                 break;
1537         }
1538         return 0;
1539 }
1540
1541 static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk_buff *skb)
1542 {
1543         struct rfcomm_dlc *d;
1544
1545         BT_DBG("session %p state %ld dlci %d pf %d", s, s->state, dlci, pf);
1546
1547         d = rfcomm_dlc_get(s, dlci);
1548         if (!d) {
1549                 rfcomm_send_dm(s, dlci);
1550                 goto drop;
1551         }
1552
1553         if (pf && d->cfc) {
1554                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
1555
1556                 d->tx_credits += credits;
1557                 if (d->tx_credits)
1558                         clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
1559         }
1560
1561         if (skb->len && d->state == BT_CONNECTED) {
1562                 rfcomm_dlc_lock(d);
1563                 d->rx_credits--;
1564                 d->data_ready(d, skb);
1565                 rfcomm_dlc_unlock(d);
1566                 return 0;
1567         }
1568
1569 drop:
1570         kfree_skb(skb);
1571         return 0;
1572 }
1573
1574 static int rfcomm_recv_frame(struct rfcomm_session *s, struct sk_buff *skb)
1575 {
1576         struct rfcomm_hdr *hdr = (void *) skb->data;
1577         u8 type, dlci, fcs;
1578
1579         dlci = __get_dlci(hdr->addr);
1580         type = __get_type(hdr->ctrl);
1581
1582         /* Trim FCS */
1583         skb->len--; skb->tail--;
1584         fcs = *(u8 *)skb_tail_pointer(skb);
1585
1586         if (__check_fcs(skb->data, type, fcs)) {
1587                 BT_ERR("bad checksum in packet");
1588                 kfree_skb(skb);
1589                 return -EILSEQ;
1590         }
1591
1592         if (__test_ea(hdr->len))
1593                 skb_pull(skb, 3);
1594         else
1595                 skb_pull(skb, 4);
1596
1597         switch (type) {
1598         case RFCOMM_SABM:
1599                 if (__test_pf(hdr->ctrl))
1600                         rfcomm_recv_sabm(s, dlci);
1601                 break;
1602
1603         case RFCOMM_DISC:
1604                 if (__test_pf(hdr->ctrl))
1605                         rfcomm_recv_disc(s, dlci);
1606                 break;
1607
1608         case RFCOMM_UA:
1609                 if (__test_pf(hdr->ctrl))
1610                         rfcomm_recv_ua(s, dlci);
1611                 break;
1612
1613         case RFCOMM_DM:
1614                 rfcomm_recv_dm(s, dlci);
1615                 break;
1616
1617         case RFCOMM_UIH:
1618                 if (dlci)
1619                         return rfcomm_recv_data(s, dlci, __test_pf(hdr->ctrl), skb);
1620
1621                 rfcomm_recv_mcc(s, skb);
1622                 break;
1623
1624         default:
1625                 BT_ERR("Unknown packet type 0x%02x\n", type);
1626                 break;
1627         }
1628         kfree_skb(skb);
1629         return 0;
1630 }
1631
1632 /* ---- Connection and data processing ---- */
1633
1634 static void rfcomm_process_connect(struct rfcomm_session *s)
1635 {
1636         struct rfcomm_dlc *d;
1637         struct list_head *p, *n;
1638
1639         BT_DBG("session %p state %ld", s, s->state);
1640
1641         list_for_each_safe(p, n, &s->dlcs) {
1642                 d = list_entry(p, struct rfcomm_dlc, list);
1643                 if (d->state == BT_CONFIG) {
1644                         d->mtu = s->mtu;
1645                         if (rfcomm_check_link_mode(d)) {
1646                                 set_bit(RFCOMM_AUTH_PENDING, &d->flags);
1647                                 rfcomm_dlc_set_timer(d, RFCOMM_AUTH_TIMEOUT);
1648                         } else
1649                                 rfcomm_send_pn(s, 1, d);
1650                 }
1651         }
1652 }
1653
1654 /* Send data queued for the DLC.
1655  * Return number of frames left in the queue.
1656  */
1657 static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1658 {
1659         struct sk_buff *skb;
1660         int err;
1661
1662         BT_DBG("dlc %p state %ld cfc %d rx_credits %d tx_credits %d",
1663                         d, d->state, d->cfc, d->rx_credits, d->tx_credits);
1664
1665         /* Send pending MSC */
1666         if (test_and_clear_bit(RFCOMM_MSC_PENDING, &d->flags))
1667                 rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
1668
1669         if (d->cfc) {
1670                 /* CFC enabled.
1671                  * Give them some credits */
1672                 if (!test_bit(RFCOMM_RX_THROTTLED, &d->flags) &&
1673                                 d->rx_credits <= (d->cfc >> 2)) {
1674                         rfcomm_send_credits(d->session, d->addr, d->cfc - d->rx_credits);
1675                         d->rx_credits = d->cfc;
1676                 }
1677         } else {
1678                 /* CFC disabled.
1679                  * Give ourselves some credits */
1680                 d->tx_credits = 5;
1681         }
1682
1683         if (test_bit(RFCOMM_TX_THROTTLED, &d->flags))
1684                 return skb_queue_len(&d->tx_queue);
1685
1686         while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1687                 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1688                 if (err < 0) {
1689                         skb_queue_head(&d->tx_queue, skb);
1690                         break;
1691                 }
1692                 kfree_skb(skb);
1693                 d->tx_credits--;
1694         }
1695
1696         if (d->cfc && !d->tx_credits) {
1697                 /* We're out of TX credits.
1698                  * Set TX_THROTTLED flag to avoid unnesary wakeups by dlc_send. */
1699                 set_bit(RFCOMM_TX_THROTTLED, &d->flags);
1700         }
1701
1702         return skb_queue_len(&d->tx_queue);
1703 }
1704
1705 static inline void rfcomm_process_dlcs(struct rfcomm_session *s)
1706 {
1707         struct rfcomm_dlc *d;
1708         struct list_head *p, *n;
1709
1710         BT_DBG("session %p state %ld", s, s->state);
1711
1712         list_for_each_safe(p, n, &s->dlcs) {
1713                 d = list_entry(p, struct rfcomm_dlc, list);
1714
1715                 if (test_bit(RFCOMM_TIMED_OUT, &d->flags)) {
1716                         __rfcomm_dlc_close(d, ETIMEDOUT);
1717                         continue;
1718                 }
1719
1720                 if (test_and_clear_bit(RFCOMM_AUTH_ACCEPT, &d->flags)) {
1721                         rfcomm_dlc_clear_timer(d);
1722                         if (d->out) {
1723                                 rfcomm_send_pn(s, 1, d);
1724                                 rfcomm_dlc_set_timer(d, RFCOMM_CONN_TIMEOUT);
1725                         } else
1726                                 rfcomm_dlc_accept(d);
1727                         if (d->link_mode & RFCOMM_LM_SECURE) {
1728                                 struct sock *sk = s->sock->sk;
1729                                 hci_conn_change_link_key(l2cap_pi(sk)->conn->hcon);
1730                         }
1731                         continue;
1732                 } else if (test_and_clear_bit(RFCOMM_AUTH_REJECT, &d->flags)) {
1733                         rfcomm_dlc_clear_timer(d);
1734                         if (!d->out)
1735                                 rfcomm_send_dm(s, d->dlci);
1736                         else
1737                                 d->state = BT_CLOSED;
1738                         __rfcomm_dlc_close(d, ECONNREFUSED);
1739                         continue;
1740                 }
1741
1742                 if (test_bit(RFCOMM_TX_THROTTLED, &s->flags))
1743                         continue;
1744
1745                 if ((d->state == BT_CONNECTED || d->state == BT_DISCONN) &&
1746                                                 d->mscex == RFCOMM_MSCEX_OK)
1747                         rfcomm_process_tx(d);
1748         }
1749 }
1750
1751 static inline void rfcomm_process_rx(struct rfcomm_session *s)
1752 {
1753         struct socket *sock = s->sock;
1754         struct sock *sk = sock->sk;
1755         struct sk_buff *skb;
1756
1757         BT_DBG("session %p state %ld qlen %d", s, s->state, skb_queue_len(&sk->sk_receive_queue));
1758
1759         /* Get data directly from socket receive queue without copying it. */
1760         while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
1761                 skb_orphan(skb);
1762                 rfcomm_recv_frame(s, skb);
1763         }
1764
1765         if (sk->sk_state == BT_CLOSED) {
1766                 if (!s->initiator)
1767                         rfcomm_session_put(s);
1768
1769                 rfcomm_session_close(s, sk->sk_err);
1770         }
1771 }
1772
1773 static inline void rfcomm_accept_connection(struct rfcomm_session *s)
1774 {
1775         struct socket *sock = s->sock, *nsock;
1776         int err;
1777
1778         /* Fast check for a new connection.
1779          * Avoids unnesesary socket allocations. */
1780         if (list_empty(&bt_sk(sock->sk)->accept_q))
1781                 return;
1782
1783         BT_DBG("session %p", s);
1784
1785         err = kernel_accept(sock, &nsock, O_NONBLOCK);
1786         if (err < 0)
1787                 return;
1788
1789         __module_get(nsock->ops->owner);
1790
1791         /* Set our callbacks */
1792         nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
1793         nsock->sk->sk_state_change = rfcomm_l2state_change;
1794
1795         s = rfcomm_session_add(nsock, BT_OPEN);
1796         if (s) {
1797                 rfcomm_session_hold(s);
1798
1799                 /* We should adjust MTU on incoming sessions.
1800                  * L2CAP MTU minus UIH header and FCS. */
1801                 s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
1802
1803                 rfcomm_schedule(RFCOMM_SCHED_RX);
1804         } else
1805                 sock_release(nsock);
1806 }
1807
1808 static inline void rfcomm_check_connection(struct rfcomm_session *s)
1809 {
1810         struct sock *sk = s->sock->sk;
1811
1812         BT_DBG("%p state %ld", s, s->state);
1813
1814         switch(sk->sk_state) {
1815         case BT_CONNECTED:
1816                 s->state = BT_CONNECT;
1817
1818                 /* We can adjust MTU on outgoing sessions.
1819                  * L2CAP MTU minus UIH header and FCS. */
1820                 s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
1821
1822                 rfcomm_send_sabm(s, 0);
1823                 break;
1824
1825         case BT_CLOSED:
1826                 s->state = BT_CLOSED;
1827                 rfcomm_session_close(s, sk->sk_err);
1828                 break;
1829         }
1830 }
1831
1832 static inline void rfcomm_process_sessions(void)
1833 {
1834         struct list_head *p, *n;
1835
1836         rfcomm_lock();
1837
1838         list_for_each_safe(p, n, &session_list) {
1839                 struct rfcomm_session *s;
1840                 s = list_entry(p, struct rfcomm_session, list);
1841
1842                 if (s->state == BT_LISTEN) {
1843                         rfcomm_accept_connection(s);
1844                         continue;
1845                 }
1846
1847                 rfcomm_session_hold(s);
1848
1849                 switch (s->state) {
1850                 case BT_BOUND:
1851                         rfcomm_check_connection(s);
1852                         break;
1853
1854                 default:
1855                         rfcomm_process_rx(s);
1856                         break;
1857                 }
1858
1859                 rfcomm_process_dlcs(s);
1860
1861                 rfcomm_session_put(s);
1862         }
1863
1864         rfcomm_unlock();
1865 }
1866
1867 static int rfcomm_add_listener(bdaddr_t *ba)
1868 {
1869         struct sockaddr_l2 addr;
1870         struct socket *sock;
1871         struct sock *sk;
1872         struct rfcomm_session *s;
1873         int    err = 0;
1874
1875         /* Create socket */
1876         err = rfcomm_l2sock_create(&sock);
1877         if (err < 0) {
1878                 BT_ERR("Create socket failed %d", err);
1879                 return err;
1880         }
1881
1882         /* Bind socket */
1883         bacpy(&addr.l2_bdaddr, ba);
1884         addr.l2_family = AF_BLUETOOTH;
1885         addr.l2_psm    = htobs(RFCOMM_PSM);
1886         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
1887         if (err < 0) {
1888                 BT_ERR("Bind failed %d", err);
1889                 goto failed;
1890         }
1891
1892         /* Set L2CAP options */
1893         sk = sock->sk;
1894         lock_sock(sk);
1895         l2cap_pi(sk)->imtu = l2cap_mtu;
1896         release_sock(sk);
1897
1898         /* Start listening on the socket */
1899         err = kernel_listen(sock, 10);
1900         if (err) {
1901                 BT_ERR("Listen failed %d", err);
1902                 goto failed;
1903         }
1904
1905         /* Add listening session */
1906         s = rfcomm_session_add(sock, BT_LISTEN);
1907         if (!s)
1908                 goto failed;
1909
1910         rfcomm_session_hold(s);
1911         return 0;
1912 failed:
1913         sock_release(sock);
1914         return err;
1915 }
1916
1917 static void rfcomm_kill_listener(void)
1918 {
1919         struct rfcomm_session *s;
1920         struct list_head *p, *n;
1921
1922         BT_DBG("");
1923
1924         list_for_each_safe(p, n, &session_list) {
1925                 s = list_entry(p, struct rfcomm_session, list);
1926                 rfcomm_session_del(s);
1927         }
1928 }
1929
1930 static int rfcomm_run(void *unused)
1931 {
1932         BT_DBG("");
1933
1934         set_user_nice(current, -10);
1935
1936         rfcomm_add_listener(BDADDR_ANY);
1937
1938         while (!kthread_should_stop()) {
1939                 set_current_state(TASK_INTERRUPTIBLE);
1940                 if (!test_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event)) {
1941                         /* No pending events. Let's sleep.
1942                          * Incoming connections and data will wake us up. */
1943                         schedule();
1944                 }
1945                 set_current_state(TASK_RUNNING);
1946
1947                 /* Process stuff */
1948                 clear_bit(RFCOMM_SCHED_WAKEUP, &rfcomm_event);
1949                 rfcomm_process_sessions();
1950         }
1951
1952         rfcomm_kill_listener();
1953
1954         return 0;
1955 }
1956
1957 static void rfcomm_auth_cfm(struct hci_conn *conn, u8 status)
1958 {
1959         struct rfcomm_session *s;
1960         struct rfcomm_dlc *d;
1961         struct list_head *p, *n;
1962
1963         BT_DBG("conn %p status 0x%02x", conn, status);
1964
1965         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
1966         if (!s)
1967                 return;
1968
1969         rfcomm_session_hold(s);
1970
1971         list_for_each_safe(p, n, &s->dlcs) {
1972                 d = list_entry(p, struct rfcomm_dlc, list);
1973
1974                 if ((d->link_mode & (RFCOMM_LM_ENCRYPT | RFCOMM_LM_SECURE)) &&
1975                                 !(conn->link_mode & HCI_LM_ENCRYPT) && !status)
1976                         continue;
1977
1978                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
1979                         continue;
1980
1981                 if (!status)
1982                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
1983                 else
1984                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
1985         }
1986
1987         rfcomm_session_put(s);
1988
1989         rfcomm_schedule(RFCOMM_SCHED_AUTH);
1990 }
1991
1992 static void rfcomm_encrypt_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
1993 {
1994         struct rfcomm_session *s;
1995         struct rfcomm_dlc *d;
1996         struct list_head *p, *n;
1997
1998         BT_DBG("conn %p status 0x%02x encrypt 0x%02x", conn, status, encrypt);
1999
2000         s = rfcomm_session_get(&conn->hdev->bdaddr, &conn->dst);
2001         if (!s)
2002                 return;
2003
2004         rfcomm_session_hold(s);
2005
2006         list_for_each_safe(p, n, &s->dlcs) {
2007                 d = list_entry(p, struct rfcomm_dlc, list);
2008
2009                 if ((d->link_mode & (RFCOMM_LM_ENCRYPT | RFCOMM_LM_SECURE)) &&
2010                                         (d->state == BT_CONNECTED ||
2011                                                 d->state == BT_CONFIG) &&
2012                                                 !status && encrypt == 0x00) {
2013                         __rfcomm_dlc_close(d, ECONNREFUSED);
2014                         continue;
2015                 }
2016
2017                 if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
2018                         continue;
2019
2020                 if (!status && encrypt)
2021                         set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
2022                 else
2023                         set_bit(RFCOMM_AUTH_REJECT, &d->flags);
2024         }
2025
2026         rfcomm_session_put(s);
2027
2028         rfcomm_schedule(RFCOMM_SCHED_AUTH);
2029 }
2030
2031 static struct hci_cb rfcomm_cb = {
2032         .name           = "RFCOMM",
2033         .auth_cfm       = rfcomm_auth_cfm,
2034         .encrypt_cfm    = rfcomm_encrypt_cfm
2035 };
2036
2037 static ssize_t rfcomm_dlc_sysfs_show(struct class *dev, char *buf)
2038 {
2039         struct rfcomm_session *s;
2040         struct list_head *pp, *p;
2041         char *str = buf;
2042
2043         rfcomm_lock();
2044
2045         list_for_each(p, &session_list) {
2046                 s = list_entry(p, struct rfcomm_session, list);
2047                 list_for_each(pp, &s->dlcs) {
2048                         struct sock *sk = s->sock->sk;
2049                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
2050
2051                         str += sprintf(str, "%s %s %ld %d %d %d %d\n",
2052                                         batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
2053                                         d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
2054                 }
2055         }
2056
2057         rfcomm_unlock();
2058
2059         return (str - buf);
2060 }
2061
2062 static CLASS_ATTR(rfcomm_dlc, S_IRUGO, rfcomm_dlc_sysfs_show, NULL);
2063
2064 /* ---- Initialization ---- */
2065 static int __init rfcomm_init(void)
2066 {
2067         l2cap_load();
2068
2069         hci_register_cb(&rfcomm_cb);
2070
2071         rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
2072         if (IS_ERR(rfcomm_thread)) {
2073                 hci_unregister_cb(&rfcomm_cb);
2074                 return PTR_ERR(rfcomm_thread);
2075         }
2076
2077         if (class_create_file(bt_class, &class_attr_rfcomm_dlc) < 0)
2078                 BT_ERR("Failed to create RFCOMM info file");
2079
2080         rfcomm_init_sockets();
2081
2082 #ifdef CONFIG_BT_RFCOMM_TTY
2083         rfcomm_init_ttys();
2084 #endif
2085
2086         BT_INFO("RFCOMM ver %s", VERSION);
2087
2088         return 0;
2089 }
2090
2091 static void __exit rfcomm_exit(void)
2092 {
2093         class_remove_file(bt_class, &class_attr_rfcomm_dlc);
2094
2095         hci_unregister_cb(&rfcomm_cb);
2096
2097         kthread_stop(rfcomm_thread);
2098
2099 #ifdef CONFIG_BT_RFCOMM_TTY
2100         rfcomm_cleanup_ttys();
2101 #endif
2102
2103         rfcomm_cleanup_sockets();
2104 }
2105
2106 module_init(rfcomm_init);
2107 module_exit(rfcomm_exit);
2108
2109 module_param(disable_cfc, bool, 0644);
2110 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
2111
2112 module_param(channel_mtu, int, 0644);
2113 MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
2114
2115 module_param(l2cap_mtu, uint, 0644);
2116 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
2117
2118 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2119 MODULE_DESCRIPTION("Bluetooth RFCOMM ver " VERSION);
2120 MODULE_VERSION(VERSION);
2121 MODULE_LICENSE("GPL");
2122 MODULE_ALIAS("bt-proto-3");