1
/*
2
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3
   Copyright (C) 2002 Maxim Krasnyansky <[email protected]>
4
   Copyright (C) 2002 Marcel Holtmann <[email protected]>
5

6
   This program is free software; you can redistribute it and/or modify
7
   it under the terms of the GNU General Public License version 2 as
8
   published by the Free Software Foundation;
9

10
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18

19
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21
   SOFTWARE IS DISCLAIMED.
22
*/
23

24
/*
25
 * RFCOMM TTY.
26
 */
27

28
#include <linux/module.h>
29

30
#include <linux/tty.h>
31
#include <linux/tty_driver.h>
32
#include <linux/tty_flip.h>
33

34
#include <linux/capability.h>
35
#include <linux/slab.h>
36
#include <linux/skbuff.h>
37

38
#include <net/bluetooth/bluetooth.h>
39
#include <net/bluetooth/hci_core.h>
40
#include <net/bluetooth/rfcomm.h>
41

42
#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
43
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
44
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
45
#define RFCOMM_TTY_MINOR 0
46

47
static struct tty_driver *rfcomm_tty_driver;
48

49
struct rfcomm_dev {
50
	struct list_head	list;
51
	atomic_t		refcnt;
52

53
	char			name[12];
54
	int			id;
55
	unsigned long		flags;
56
	atomic_t		opened;
57
	int			err;
58

59
	bdaddr_t		src;
60
	bdaddr_t		dst;
61
	u8			channel;
62

63
	uint			modem_status;
64

65
	struct rfcomm_dlc	*dlc;
66
	struct tty_struct	*tty;
67
	wait_queue_head_t       wait;
68
	struct tasklet_struct   wakeup_task;
69

70
	struct device		*tty_dev;
71

72
	atomic_t		wmem_alloc;
73

74
	struct sk_buff_head	pending;
75
};
76

77
static LIST_HEAD(rfcomm_dev_list);
78
static DEFINE_RWLOCK(rfcomm_dev_lock);
79

80
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
81
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
82
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
83

84
static void rfcomm_tty_wakeup(unsigned long arg);
85

86
/* ---- Device functions ---- */
87
static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
88
{
89
	struct rfcomm_dlc *dlc = dev->dlc;
90

91
	BT_DBG("dev %p dlc %p", dev, dlc);
92

93
	/* Refcount should only hit zero when called from rfcomm_dev_del()
94
	   which will have taken us off the list. Everything else are
95
	   refcounting bugs. */
96
	BUG_ON(!list_empty(&dev->list));
97

98
	rfcomm_dlc_lock(dlc);
99
	/* Detach DLC if it's owned by this dev */
100
	if (dlc->owner == dev)
101
		dlc->owner = NULL;
102
	rfcomm_dlc_unlock(dlc);
103

104
	rfcomm_dlc_put(dlc);
105

106
	tty_unregister_device(rfcomm_tty_driver, dev->id);
107

108
	kfree(dev);
109

110
	/* It's safe to call module_put() here because socket still
111
	   holds reference to this module. */
112
	module_put(THIS_MODULE);
113
}
114

115
static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
116
{
117
	atomic_inc(&dev->refcnt);
118
}
119

120
static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
121
{
122
	/* The reason this isn't actually a race, as you no
123
	   doubt have a little voice screaming at you in your
124
	   head, is that the refcount should never actually
125
	   reach zero unless the device has already been taken
126
	   off the list, in rfcomm_dev_del(). And if that's not
127
	   true, we'll hit the BUG() in rfcomm_dev_destruct()
128
	   anyway. */
129
	if (atomic_dec_and_test(&dev->refcnt))
130
		rfcomm_dev_destruct(dev);
131
}
132

133
static struct rfcomm_dev *__rfcomm_dev_get(int id)
134
{
135
	struct rfcomm_dev *dev;
136
	struct list_head  *p;
137

138
	list_for_each(p, &rfcomm_dev_list) {
139
		dev = list_entry(p, struct rfcomm_dev, list);
140
		if (dev->id == id)
141
			return dev;
142
	}
143

144
	return NULL;
145
}
146

147
static inline struct rfcomm_dev *rfcomm_dev_get(int id)
148
{
149
	struct rfcomm_dev *dev;
150

151
	read_lock(&rfcomm_dev_lock);
152

153
	dev = __rfcomm_dev_get(id);
154

155
	if (dev) {
156
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
157
			dev = NULL;
158
		else
159
			rfcomm_dev_hold(dev);
160
	}
161

162
	read_unlock(&rfcomm_dev_lock);
163

164
	return dev;
165
}
166

167
static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
168
{
169
	struct hci_dev *hdev;
170
	struct hci_conn *conn;
171

172
	hdev = hci_get_route(&dev->dst, &dev->src);
173
	if (!hdev)
174
		return NULL;
175

176
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
177

178
	hci_dev_put(hdev);
179

180
	return conn ? &conn->dev : NULL;
181
}
182

183
static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
184
{
185
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
186
	return sprintf(buf, "%s\n", batostr(&dev->dst));
187
}
188

189
static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
190
{
191
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
192
	return sprintf(buf, "%d\n", dev->channel);
193
}
194

195
static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
196
static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
197

198
static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
199
{
200
	struct rfcomm_dev *dev;
201
	struct list_head *head = &rfcomm_dev_list, *p;
202
	int err = 0;
203

204
	BT_DBG("id %d channel %d", req->dev_id, req->channel);
205

206
	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
207
	if (!dev)
208
		return -ENOMEM;
209

210
	write_lock_bh(&rfcomm_dev_lock);
211

212
	if (req->dev_id < 0) {
213
		dev->id = 0;
214

215
		list_for_each(p, &rfcomm_dev_list) {
216
			if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
217
				break;
218

219
			dev->id++;
220
			head = p;
221
		}
222
	} else {
223
		dev->id = req->dev_id;
224

225
		list_for_each(p, &rfcomm_dev_list) {
226
			struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);
227

228
			if (entry->id == dev->id) {
229
				err = -EADDRINUSE;
230
				goto out;
231
			}
232

233
			if (entry->id > dev->id - 1)
234
				break;
235

236
			head = p;
237
		}
238
	}
239

240
	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
241
		err = -ENFILE;
242
		goto out;
243
	}
244

245
	sprintf(dev->name, "rfcomm%d", dev->id);
246

247
	list_add(&dev->list, head);
248
	atomic_set(&dev->refcnt, 1);
249

250
	bacpy(&dev->src, &req->src);
251
	bacpy(&dev->dst, &req->dst);
252
	dev->channel = req->channel;
253

254
	dev->flags = req->flags &
255
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));
256

257
	atomic_set(&dev->opened, 0);
258

259
	init_waitqueue_head(&dev->wait);
260
	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);
261

262
	skb_queue_head_init(&dev->pending);
263

264
	rfcomm_dlc_lock(dlc);
265

266
	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
267
		struct sock *sk = dlc->owner;
268
		struct sk_buff *skb;
269

270
		BUG_ON(!sk);
271

272
		rfcomm_dlc_throttle(dlc);
273

274
		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
275
			skb_orphan(skb);
276
			skb_queue_tail(&dev->pending, skb);
277
			atomic_sub(skb->len, &sk->sk_rmem_alloc);
278
		}
279
	}
280

281
	dlc->data_ready   = rfcomm_dev_data_ready;
282
	dlc->state_change = rfcomm_dev_state_change;
283
	dlc->modem_status = rfcomm_dev_modem_status;
284

285
	dlc->owner = dev;
286
	dev->dlc   = dlc;
287

288
	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
289

290
	rfcomm_dlc_unlock(dlc);
291

292
	/* It's safe to call __module_get() here because socket already
293
	   holds reference to this module. */
294
	__module_get(THIS_MODULE);
295

296
out:
297
	write_unlock_bh(&rfcomm_dev_lock);
298

299
	if (err < 0)
300
		goto free;
301

302
	dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
303

304
	if (IS_ERR(dev->tty_dev)) {
305
		err = PTR_ERR(dev->tty_dev);
306
		list_del(&dev->list);
307
		goto free;
308
	}
309

310
	dev_set_drvdata(dev->tty_dev, dev);
311

312
	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
313
		BT_ERR("Failed to create address attribute");
314

315
	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
316
		BT_ERR("Failed to create channel attribute");
317

318
	return dev->id;
319

320
free:
321
	kfree(dev);
322
	return err;
323
}
324

325
static void rfcomm_dev_del(struct rfcomm_dev *dev)
326
{
327
	BT_DBG("dev %p", dev);
328

329
	BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));
330

331
	if (atomic_read(&dev->opened) > 0)
332
		return;
333

334
	write_lock_bh(&rfcomm_dev_lock);
335
	list_del_init(&dev->list);
336
	write_unlock_bh(&rfcomm_dev_lock);
337

338
	rfcomm_dev_put(dev);
339
}
340

341
/* ---- Send buffer ---- */
342
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
343
{
344
	/* We can't let it be zero, because we don't get a callback
345
	   when tx_credits becomes nonzero, hence we'd never wake up */
346
	return dlc->mtu * (dlc->tx_credits?:1);
347
}
348

349
static void rfcomm_wfree(struct sk_buff *skb)
350
{
351
	struct rfcomm_dev *dev = (void *) skb->sk;
352
	atomic_sub(skb->truesize, &dev->wmem_alloc);
353
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
354
		tasklet_schedule(&dev->wakeup_task);
355
	rfcomm_dev_put(dev);
356
}
357

358
static inline void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
359
{
360
	rfcomm_dev_hold(dev);
361
	atomic_add(skb->truesize, &dev->wmem_alloc);
362
	skb->sk = (void *) dev;
363
	skb->destructor = rfcomm_wfree;
364
}
365

366
static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
367
{
368
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
369
		struct sk_buff *skb = alloc_skb(size, priority);
370
		if (skb) {
371
			rfcomm_set_owner_w(skb, dev);
372
			return skb;
373
		}
374
	}
375
	return NULL;
376
}
377

378
/* ---- Device IOCTLs ---- */
379

380
#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
381

382
static int rfcomm_create_dev(struct sock *sk, void __user *arg)
383
{
384
	struct rfcomm_dev_req req;
385
	struct rfcomm_dlc *dlc;
386
	int id;
387

388
	if (copy_from_user(&req, arg, sizeof(req)))
389
		return -EFAULT;
390

391
	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
392

393
	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
394
		return -EPERM;
395

396
	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
397
		/* Socket must be connected */
398
		if (sk->sk_state != BT_CONNECTED)
399
			return -EBADFD;
400

401
		dlc = rfcomm_pi(sk)->dlc;
402
		rfcomm_dlc_hold(dlc);
403
	} else {
404
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
405
		if (!dlc)
406
			return -ENOMEM;
407
	}
408

409
	id = rfcomm_dev_add(&req, dlc);
410
	if (id < 0) {
411
		rfcomm_dlc_put(dlc);
412
		return id;
413
	}
414

415
	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
416
		/* DLC is now used by device.
417
		 * Socket must be disconnected */
418
		sk->sk_state = BT_CLOSED;
419
	}
420

421
	return id;
422
}
423

424
static int rfcomm_release_dev(void __user *arg)
425
{
426
	struct rfcomm_dev_req req;
427
	struct rfcomm_dev *dev;
428

429
	if (copy_from_user(&req, arg, sizeof(req)))
430
		return -EFAULT;
431

432
	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
433

434
	dev = rfcomm_dev_get(req.dev_id);
435
	if (!dev)
436
		return -ENODEV;
437

438
	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
439
		rfcomm_dev_put(dev);
440
		return -EPERM;
441
	}
442

443
	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
444
		rfcomm_dlc_close(dev->dlc, 0);
445

446
	/* Shut down TTY synchronously before freeing rfcomm_dev */
447
	if (dev->tty)
448
		tty_vhangup(dev->tty);
449

450
	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
451
		rfcomm_dev_del(dev);
452
	rfcomm_dev_put(dev);
453
	return 0;
454
}
455

456
static int rfcomm_get_dev_list(void __user *arg)
457
{
458
	struct rfcomm_dev_list_req *dl;
459
	struct rfcomm_dev_info *di;
460
	struct list_head *p;
461
	int n = 0, size, err;
462
	u16 dev_num;
463

464
	BT_DBG("");
465

466
	if (get_user(dev_num, (u16 __user *) arg))
467
		return -EFAULT;
468

469
	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
470
		return -EINVAL;
471

472
	size = sizeof(*dl) + dev_num * sizeof(*di);
473

474
	dl = kmalloc(size, GFP_KERNEL);
475
	if (!dl)
476
		return -ENOMEM;
477

478
	di = dl->dev_info;
479

480
	read_lock_bh(&rfcomm_dev_lock);
481

482
	list_for_each(p, &rfcomm_dev_list) {
483
		struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
484
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
485
			continue;
486
		(di + n)->id      = dev->id;
487
		(di + n)->flags   = dev->flags;
488
		(di + n)->state   = dev->dlc->state;
489
		(di + n)->channel = dev->channel;
490
		bacpy(&(di + n)->src, &dev->src);
491
		bacpy(&(di + n)->dst, &dev->dst);
492
		if (++n >= dev_num)
493
			break;
494
	}
495

496
	read_unlock_bh(&rfcomm_dev_lock);
497

498
	dl->dev_num = n;
499
	size = sizeof(*dl) + n * sizeof(*di);
500

501
	err = copy_to_user(arg, dl, size);
502
	kfree(dl);
503

504
	return err ? -EFAULT : 0;
505
}
506

507
static int rfcomm_get_dev_info(void __user *arg)
508
{
509
	struct rfcomm_dev *dev;
510
	struct rfcomm_dev_info di;
511
	int err = 0;
512

513
	BT_DBG("");
514

515
	if (copy_from_user(&di, arg, sizeof(di)))
516
		return -EFAULT;
517

518
	dev = rfcomm_dev_get(di.id);
519
	if (!dev)
520
		return -ENODEV;
521

522
	di.flags   = dev->flags;
523
	di.channel = dev->channel;
524
	di.state   = dev->dlc->state;
525
	bacpy(&di.src, &dev->src);
526
	bacpy(&di.dst, &dev->dst);
527

528
	if (copy_to_user(arg, &di, sizeof(di)))
529
		err = -EFAULT;
530

531
	rfcomm_dev_put(dev);
532
	return err;
533
}
534

535
int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
536
{
537
	BT_DBG("cmd %d arg %p", cmd, arg);
538

539
	switch (cmd) {
540
	case RFCOMMCREATEDEV:
541
		return rfcomm_create_dev(sk, arg);
542

543
	case RFCOMMRELEASEDEV:
544
		return rfcomm_release_dev(arg);
545

546
	case RFCOMMGETDEVLIST:
547
		return rfcomm_get_dev_list(arg);
548

549
	case RFCOMMGETDEVINFO:
550
		return rfcomm_get_dev_info(arg);
551
	}
552

553
	return -EINVAL;
554
}
555

556
/* ---- DLC callbacks ---- */
557
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
558
{
559
	struct rfcomm_dev *dev = dlc->owner;
560
	struct tty_struct *tty;
561

562
	if (!dev) {
563
		kfree_skb(skb);
564
		return;
565
	}
566

567
	tty = dev->tty;
568
	if (!tty || !skb_queue_empty(&dev->pending)) {
569
		skb_queue_tail(&dev->pending, skb);
570
		return;
571
	}
572

573
	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);
574

575
	tty_insert_flip_string(tty, skb->data, skb->len);
576
	tty_flip_buffer_push(tty);
577

578
	kfree_skb(skb);
579
}
580

581
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
582
{
583
	struct rfcomm_dev *dev = dlc->owner;
584
	if (!dev)
585
		return;
586

587
	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
588

589
	dev->err = err;
590
	wake_up_interruptible(&dev->wait);
591

592
	if (dlc->state == BT_CLOSED) {
593
		if (!dev->tty) {
594
			if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
595
				/* Drop DLC lock here to avoid deadlock
596
				 * 1. rfcomm_dev_get will take rfcomm_dev_lock
597
				 *    but in rfcomm_dev_add there's lock order:
598
				 *    rfcomm_dev_lock -> dlc lock
599
				 * 2. rfcomm_dev_put will deadlock if it's
600
				 *    the last reference
601
				 */
602
				rfcomm_dlc_unlock(dlc);
603
				if (rfcomm_dev_get(dev->id) == NULL) {
604
					rfcomm_dlc_lock(dlc);
605
					return;
606
				}
607

608
				rfcomm_dev_del(dev);
609
				rfcomm_dev_put(dev);
610
				rfcomm_dlc_lock(dlc);
611
			}
612
		} else
613
			tty_hangup(dev->tty);
614
	}
615
}
616

617
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
618
{
619
	struct rfcomm_dev *dev = dlc->owner;
620
	if (!dev)
621
		return;
622

623
	BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);
624

625
	if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV)) {
626
		if (dev->tty && !C_CLOCAL(dev->tty))
627
			tty_hangup(dev->tty);
628
	}
629

630
	dev->modem_status =
631
		((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
632
		((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
633
		((v24_sig & RFCOMM_V24_IC)  ? TIOCM_RI : 0) |
634
		((v24_sig & RFCOMM_V24_DV)  ? TIOCM_CD : 0);
635
}
636

637
/* ---- TTY functions ---- */
638
static void rfcomm_tty_wakeup(unsigned long arg)
639
{
640
	struct rfcomm_dev *dev = (void *) arg;
641
	struct tty_struct *tty = dev->tty;
642
	if (!tty)
643
		return;
644

645
	BT_DBG("dev %p tty %p", dev, tty);
646
	tty_wakeup(tty);
647
}
648

649
static void rfcomm_tty_copy_pending(struct rfcomm_dev *dev)
650
{
651
	struct tty_struct *tty = dev->tty;
652
	struct sk_buff *skb;
653
	int inserted = 0;
654

655
	if (!tty)
656
		return;
657

658
	BT_DBG("dev %p tty %p", dev, tty);
659

660
	rfcomm_dlc_lock(dev->dlc);
661

662
	while ((skb = skb_dequeue(&dev->pending))) {
663
		inserted += tty_insert_flip_string(tty, skb->data, skb->len);
664
		kfree_skb(skb);
665
	}
666

667
	rfcomm_dlc_unlock(dev->dlc);
668

669
	if (inserted > 0)
670
		tty_flip_buffer_push(tty);
671
}
672

673
static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
674
{
675
	DECLARE_WAITQUEUE(wait, current);
676
	struct rfcomm_dev *dev;
677
	struct rfcomm_dlc *dlc;
678
	int err, id;
679

680
	id = tty->index;
681

682
	BT_DBG("tty %p id %d", tty, id);
683

684
	/* We don't leak this refcount. For reasons which are not entirely
685
	   clear, the TTY layer will call our ->close() method even if the
686
	   open fails. We decrease the refcount there, and decreasing it
687
	   here too would cause breakage. */
688
	dev = rfcomm_dev_get(id);
689
	if (!dev)
690
		return -ENODEV;
691

692
	BT_DBG("dev %p dst %s channel %d opened %d", dev, batostr(&dev->dst),
693
				dev->channel, atomic_read(&dev->opened));
694

695
	if (atomic_inc_return(&dev->opened) > 1)
696
		return 0;
697

698
	dlc = dev->dlc;
699

700
	/* Attach TTY and open DLC */
701

702
	rfcomm_dlc_lock(dlc);
703
	tty->driver_data = dev;
704
	dev->tty = tty;
705
	rfcomm_dlc_unlock(dlc);
706
	set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
707

708
	err = rfcomm_dlc_open(dlc, &dev->src, &dev->dst, dev->channel);
709
	if (err < 0)
710
		return err;
711

712
	/* Wait for DLC to connect */
713
	add_wait_queue(&dev->wait, &wait);
714
	while (1) {
715
		set_current_state(TASK_INTERRUPTIBLE);
716

717
		if (dlc->state == BT_CLOSED) {
718
			err = -dev->err;
719
			break;
720
		}
721

722
		if (dlc->state == BT_CONNECTED)
723
			break;
724

725
		if (signal_pending(current)) {
726
			err = -EINTR;
727
			break;
728
		}
729

730
		tty_unlock();
731
		schedule();
732
		tty_lock();
733
	}
734
	set_current_state(TASK_RUNNING);
735
	remove_wait_queue(&dev->wait, &wait);
736

737
	if (err == 0)
738
		device_move(dev->tty_dev, rfcomm_get_device(dev),
739
			    DPM_ORDER_DEV_AFTER_PARENT);
740

741
	rfcomm_tty_copy_pending(dev);
742

743
	rfcomm_dlc_unthrottle(dev->dlc);
744

745
	return err;
746
}
747

748
static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
749
{
750
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
751
	if (!dev)
752
		return;
753

754
	BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
755
						atomic_read(&dev->opened));
756

757
	if (atomic_dec_and_test(&dev->opened)) {
758
		if (dev->tty_dev->parent)
759
			device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
760

761
		/* Close DLC and dettach TTY */
762
		rfcomm_dlc_close(dev->dlc, 0);
763

764
		clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
765
		tasklet_kill(&dev->wakeup_task);
766

767
		rfcomm_dlc_lock(dev->dlc);
768
		tty->driver_data = NULL;
769
		dev->tty = NULL;
770
		rfcomm_dlc_unlock(dev->dlc);
771

772
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) {
773
			write_lock_bh(&rfcomm_dev_lock);
774
			list_del_init(&dev->list);
775
			write_unlock_bh(&rfcomm_dev_lock);
776

777
			rfcomm_dev_put(dev);
778
		}
779
	}
780

781
	rfcomm_dev_put(dev);
782
}
783

784
static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count)
785
{
786
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
787
	struct rfcomm_dlc *dlc = dev->dlc;
788
	struct sk_buff *skb;
789
	int err = 0, sent = 0, size;
790

791
	BT_DBG("tty %p count %d", tty, count);
792

793
	while (count) {
794
		size = min_t(uint, count, dlc->mtu);
795

796
		skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
797

798
		if (!skb)
799
			break;
800

801
		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
802

803
		memcpy(skb_put(skb, size), buf + sent, size);
804

805
		err = rfcomm_dlc_send(dlc, skb);
806
		if (err < 0) {
807
			kfree_skb(skb);
808
			break;
809
		}
810

811
		sent  += size;
812
		count -= size;
813
	}
814

815
	return sent ? sent : err;
816
}
817

818
static int rfcomm_tty_write_room(struct tty_struct *tty)
819
{
820
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
821
	int room;
822

823
	BT_DBG("tty %p", tty);
824

825
	if (!dev || !dev->dlc)
826
		return 0;
827

828
	room = rfcomm_room(dev->dlc) - atomic_read(&dev->wmem_alloc);
829
	if (room < 0)
830
		room = 0;
831

832
	return room;
833
}
834

835
static int rfcomm_tty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
836
{
837
	BT_DBG("tty %p cmd 0x%02x", tty, cmd);
838

839
	switch (cmd) {
840
	case TCGETS:
841
		BT_DBG("TCGETS is not supported");
842
		return -ENOIOCTLCMD;
843

844
	case TCSETS:
845
		BT_DBG("TCSETS is not supported");
846
		return -ENOIOCTLCMD;
847

848
	case TIOCMIWAIT:
849
		BT_DBG("TIOCMIWAIT");
850
		break;
851

852
	case TIOCGSERIAL:
853
		BT_ERR("TIOCGSERIAL is not supported");
854
		return -ENOIOCTLCMD;
855

856
	case TIOCSSERIAL:
857
		BT_ERR("TIOCSSERIAL is not supported");
858
		return -ENOIOCTLCMD;
859

860
	case TIOCSERGSTRUCT:
861
		BT_ERR("TIOCSERGSTRUCT is not supported");
862
		return -ENOIOCTLCMD;
863

864
	case TIOCSERGETLSR:
865
		BT_ERR("TIOCSERGETLSR is not supported");
866
		return -ENOIOCTLCMD;
867

868
	case TIOCSERCONFIG:
869
		BT_ERR("TIOCSERCONFIG is not supported");
870
		return -ENOIOCTLCMD;
871

872
	default:
873
		return -ENOIOCTLCMD;	/* ioctls which we must ignore */
874

875
	}
876

877
	return -ENOIOCTLCMD;
878
}
879

880
static void rfcomm_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
881
{
882
	struct ktermios *new = tty->termios;
883
	int old_baud_rate = tty_termios_baud_rate(old);
884
	int new_baud_rate = tty_termios_baud_rate(new);
885

886
	u8 baud, data_bits, stop_bits, parity, x_on, x_off;
887
	u16 changes = 0;
888

889
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
890

891
	BT_DBG("tty %p termios %p", tty, old);
892

893
	if (!dev || !dev->dlc || !dev->dlc->session)
894
		return;
895

896
	/* Handle turning off CRTSCTS */
897
	if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
898
		BT_DBG("Turning off CRTSCTS unsupported");
899

900
	/* Parity on/off and when on, odd/even */
901
	if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
902
			((old->c_cflag & PARODD) != (new->c_cflag & PARODD))) {
903
		changes |= RFCOMM_RPN_PM_PARITY;
904
		BT_DBG("Parity change detected.");
905
	}
906

907
	/* Mark and space parity are not supported! */
908
	if (new->c_cflag & PARENB) {
909
		if (new->c_cflag & PARODD) {
910
			BT_DBG("Parity is ODD");
911
			parity = RFCOMM_RPN_PARITY_ODD;
912
		} else {
913
			BT_DBG("Parity is EVEN");
914
			parity = RFCOMM_RPN_PARITY_EVEN;
915
		}
916
	} else {
917
		BT_DBG("Parity is OFF");
918
		parity = RFCOMM_RPN_PARITY_NONE;
919
	}
920

921
	/* Setting the x_on / x_off characters */
922
	if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
923
		BT_DBG("XOFF custom");
924
		x_on = new->c_cc[VSTOP];
925
		changes |= RFCOMM_RPN_PM_XON;
926
	} else {
927
		BT_DBG("XOFF default");
928
		x_on = RFCOMM_RPN_XON_CHAR;
929
	}
930

931
	if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
932
		BT_DBG("XON custom");
933
		x_off = new->c_cc[VSTART];
934
		changes |= RFCOMM_RPN_PM_XOFF;
935
	} else {
936
		BT_DBG("XON default");
937
		x_off = RFCOMM_RPN_XOFF_CHAR;
938
	}
939

940
	/* Handle setting of stop bits */
941
	if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
942
		changes |= RFCOMM_RPN_PM_STOP;
943

944
	/* POSIX does not support 1.5 stop bits and RFCOMM does not
945
	 * support 2 stop bits. So a request for 2 stop bits gets
946
	 * translated to 1.5 stop bits */
947
	if (new->c_cflag & CSTOPB)
948
		stop_bits = RFCOMM_RPN_STOP_15;
949
	else
950
		stop_bits = RFCOMM_RPN_STOP_1;
951

952
	/* Handle number of data bits [5-8] */
953
	if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
954
		changes |= RFCOMM_RPN_PM_DATA;
955

956
	switch (new->c_cflag & CSIZE) {
957
	case CS5:
958
		data_bits = RFCOMM_RPN_DATA_5;
959
		break;
960
	case CS6:
961
		data_bits = RFCOMM_RPN_DATA_6;
962
		break;
963
	case CS7:
964
		data_bits = RFCOMM_RPN_DATA_7;
965
		break;
966
	case CS8:
967
		data_bits = RFCOMM_RPN_DATA_8;
968
		break;
969
	default:
970
		data_bits = RFCOMM_RPN_DATA_8;
971
		break;
972
	}
973

974
	/* Handle baudrate settings */
975
	if (old_baud_rate != new_baud_rate)
976
		changes |= RFCOMM_RPN_PM_BITRATE;
977

978
	switch (new_baud_rate) {
979
	case 2400:
980
		baud = RFCOMM_RPN_BR_2400;
981
		break;
982
	case 4800:
983
		baud = RFCOMM_RPN_BR_4800;
984
		break;
985
	case 7200:
986
		baud = RFCOMM_RPN_BR_7200;
987
		break;
988
	case 9600:
989
		baud = RFCOMM_RPN_BR_9600;
990
		break;
991
	case 19200:
992
		baud = RFCOMM_RPN_BR_19200;
993
		break;
994
	case 38400:
995
		baud = RFCOMM_RPN_BR_38400;
996
		break;
997
	case 57600:
998
		baud = RFCOMM_RPN_BR_57600;
999
		break;
1000
	case 115200:
1001
		baud = RFCOMM_RPN_BR_115200;
1002
		break;
1003
	case 230400:
1004
		baud = RFCOMM_RPN_BR_230400;
1005
		break;
1006
	default:
1007
		/* 9600 is standard accordinag to the RFCOMM specification */
1008
		baud = RFCOMM_RPN_BR_9600;
1009
		break;
1010

1011
	}
1012

1013
	if (changes)
1014
		rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
1015
				data_bits, stop_bits, parity,
1016
				RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
1017
}
1018

1019
static void rfcomm_tty_throttle(struct tty_struct *tty)
1020
{
1021
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1022

1023
	BT_DBG("tty %p dev %p", tty, dev);
1024

1025
	rfcomm_dlc_throttle(dev->dlc);
1026
}
1027

1028
static void rfcomm_tty_unthrottle(struct tty_struct *tty)
1029
{
1030
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1031

1032
	BT_DBG("tty %p dev %p", tty, dev);
1033

1034
	rfcomm_dlc_unthrottle(dev->dlc);
1035
}
1036

1037
static int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
1038
{
1039
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1040

1041
	BT_DBG("tty %p dev %p", tty, dev);
1042

1043
	if (!dev || !dev->dlc)
1044
		return 0;
1045

1046
	if (!skb_queue_empty(&dev->dlc->tx_queue))
1047
		return dev->dlc->mtu;
1048

1049
	return 0;
1050
}
1051

1052
static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
1053
{
1054
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1055

1056
	BT_DBG("tty %p dev %p", tty, dev);
1057

1058
	if (!dev || !dev->dlc)
1059
		return;
1060

1061
	skb_queue_purge(&dev->dlc->tx_queue);
1062
	tty_wakeup(tty);
1063
}
1064

1065
static void rfcomm_tty_send_xchar(struct tty_struct *tty, char ch)
1066
{
1067
	BT_DBG("tty %p ch %c", tty, ch);
1068
}
1069

1070
static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
1071
{
1072
	BT_DBG("tty %p timeout %d", tty, timeout);
1073
}
1074

1075
static void rfcomm_tty_hangup(struct tty_struct *tty)
1076
{
1077
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1078

1079
	BT_DBG("tty %p dev %p", tty, dev);
1080

1081
	if (!dev)
1082
		return;
1083

1084
	rfcomm_tty_flush_buffer(tty);
1085

1086
	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
1087
		if (rfcomm_dev_get(dev->id) == NULL)
1088
			return;
1089
		rfcomm_dev_del(dev);
1090
		rfcomm_dev_put(dev);
1091
	}
1092
}
1093

1094
static int rfcomm_tty_tiocmget(struct tty_struct *tty)
1095
{
1096
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1097

1098
	BT_DBG("tty %p dev %p", tty, dev);
1099

1100
	return dev->modem_status;
1101
}
1102

1103
static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
1104
{
1105
	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1106
	struct rfcomm_dlc *dlc = dev->dlc;
1107
	u8 v24_sig;
1108

1109
	BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);
1110

1111
	rfcomm_dlc_get_modem_status(dlc, &v24_sig);
1112

1113
	if (set & TIOCM_DSR || set & TIOCM_DTR)
1114
		v24_sig |= RFCOMM_V24_RTC;
1115
	if (set & TIOCM_RTS || set & TIOCM_CTS)
1116
		v24_sig |= RFCOMM_V24_RTR;
1117
	if (set & TIOCM_RI)
1118
		v24_sig |= RFCOMM_V24_IC;
1119
	if (set & TIOCM_CD)
1120
		v24_sig |= RFCOMM_V24_DV;
1121

1122
	if (clear & TIOCM_DSR || clear & TIOCM_DTR)
1123
		v24_sig &= ~RFCOMM_V24_RTC;
1124
	if (clear & TIOCM_RTS || clear & TIOCM_CTS)
1125
		v24_sig &= ~RFCOMM_V24_RTR;
1126
	if (clear & TIOCM_RI)
1127
		v24_sig &= ~RFCOMM_V24_IC;
1128
	if (clear & TIOCM_CD)
1129
		v24_sig &= ~RFCOMM_V24_DV;
1130

1131
	rfcomm_dlc_set_modem_status(dlc, v24_sig);
1132

1133
	return 0;
1134
}
1135

1136
/* ---- TTY structure ---- */
1137

1138
static const struct tty_operations rfcomm_ops = {
1139
	.open			= rfcomm_tty_open,
1140
	.close			= rfcomm_tty_close,
1141
	.write			= rfcomm_tty_write,
1142
	.write_room		= rfcomm_tty_write_room,
1143
	.chars_in_buffer	= rfcomm_tty_chars_in_buffer,
1144
	.flush_buffer		= rfcomm_tty_flush_buffer,
1145
	.ioctl			= rfcomm_tty_ioctl,
1146
	.throttle		= rfcomm_tty_throttle,
1147
	.unthrottle		= rfcomm_tty_unthrottle,
1148
	.set_termios		= rfcomm_tty_set_termios,
1149
	.send_xchar		= rfcomm_tty_send_xchar,
1150
	.hangup			= rfcomm_tty_hangup,
1151
	.wait_until_sent	= rfcomm_tty_wait_until_sent,
1152
	.tiocmget		= rfcomm_tty_tiocmget,
1153
	.tiocmset		= rfcomm_tty_tiocmset,
1154
};
1155

1156
int __init rfcomm_init_ttys(void)
1157
{
1158
	rfcomm_tty_driver = alloc_tty_driver(RFCOMM_TTY_PORTS);
1159
	if (!rfcomm_tty_driver)
1160
		return -1;
1161

1162
	rfcomm_tty_driver->owner	= THIS_MODULE;
1163
	rfcomm_tty_driver->driver_name	= "rfcomm";
1164
	rfcomm_tty_driver->name		= "rfcomm";
1165
	rfcomm_tty_driver->major	= RFCOMM_TTY_MAJOR;
1166
	rfcomm_tty_driver->minor_start	= RFCOMM_TTY_MINOR;
1167
	rfcomm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
1168
	rfcomm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
1169
	rfcomm_tty_driver->flags	= TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;
1170
	rfcomm_tty_driver->init_termios	= tty_std_termios;
1171
	rfcomm_tty_driver->init_termios.c_cflag	= B9600 | CS8 | CREAD | HUPCL | CLOCAL;
1172
	rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1173
	tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1174

1175
	if (tty_register_driver(rfcomm_tty_driver)) {
1176
		BT_ERR("Can't register RFCOMM TTY driver");
1177
		put_tty_driver(rfcomm_tty_driver);
1178
		return -1;
1179
	}
1180

1181
	BT_INFO("RFCOMM TTY layer initialized");
1182

1183
	return 0;
1184
}
1185

1186
void rfcomm_cleanup_ttys(void)
1187
{
1188
	tty_unregister_driver(rfcomm_tty_driver);
1189
	put_tty_driver(rfcomm_tty_driver);
1190
}
1191

1192