1
/*
2
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3
   Copyright (C) 2002 Maxim Krasnyansky <[email protected]>
4
   Copyright (C) 2002 Marcel Holtmann <[email protected]>
5

6
   This program is free software; you can redistribute it and/or modify
7
   it under the terms of the GNU General Public License version 2 as
8
   published by the Free Software Foundation;
9

10
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18

19
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21
   SOFTWARE IS DISCLAIMED.
22
*/
23

24
/*
25
 * RFCOMM TTY.
26
 */
27

28
#include <linux/module.h>
29

30
#include <linux/tty.h>
31
#include <linux/tty_driver.h>
32
#include <linux/tty_flip.h>
33

34
#include <net/bluetooth/bluetooth.h>
35
#include <net/bluetooth/hci_core.h>
36
#include <net/bluetooth/rfcomm.h>
37

38
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
39
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
40
#define RFCOMM_TTY_MINOR 0
41

42
static DEFINE_MUTEX(rfcomm_ioctl_mutex);
43
static struct tty_driver *rfcomm_tty_driver;
44

45
struct rfcomm_dev {
46
	struct tty_port		port;
47
	struct list_head	list;
48

49
	char			name[12];
50
	int			id;
51
	unsigned long		flags;
52
	int			err;
53

54
	unsigned long		status;		/* don't export to userspace */
55

56
	bdaddr_t		src;
57
	bdaddr_t		dst;
58
	u8			channel;
59

60
	uint			modem_status;
61

62
	struct rfcomm_dlc	*dlc;
63

64
	struct device		*tty_dev;
65

66
	atomic_t		wmem_alloc;
67

68
	struct sk_buff_head	pending;
69
};
70

71
static LIST_HEAD(rfcomm_dev_list);
72
static DEFINE_MUTEX(rfcomm_dev_lock);
73

74
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
75
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
76
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
77

78
/* ---- Device functions ---- */
79

80
static void rfcomm_dev_destruct(struct tty_port *port)
81
{
82
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
83
	struct rfcomm_dlc *dlc = dev->dlc;
84

85
	BT_DBG("dev %p dlc %p", dev, dlc);
86

87
	rfcomm_dlc_lock(dlc);
88
	/* Detach DLC if it's owned by this dev */
89
	if (dlc->owner == dev)
90
		dlc->owner = NULL;
91
	rfcomm_dlc_unlock(dlc);
92

93
	rfcomm_dlc_put(dlc);
94

95
	if (dev->tty_dev)
96
		tty_unregister_device(rfcomm_tty_driver, dev->id);
97

98
	mutex_lock(&rfcomm_dev_lock);
99
	list_del(&dev->list);
100
	mutex_unlock(&rfcomm_dev_lock);
101

102
	kfree(dev);
103

104
	/* It's safe to call module_put() here because socket still
105
	   holds reference to this module. */
106
	module_put(THIS_MODULE);
107
}
108

109
/* device-specific initialization: open the dlc */
110
static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
111
{
112
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
113
	int err;
114

115
	err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
116
	if (err)
117
		set_bit(TTY_IO_ERROR, &tty->flags);
118
	return err;
119
}
120

121
/* we block the open until the dlc->state becomes BT_CONNECTED */
122
static bool rfcomm_dev_carrier_raised(struct tty_port *port)
123
{
124
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
125

126
	return (dev->dlc->state == BT_CONNECTED);
127
}
128

129
/* device-specific cleanup: close the dlc */
130
static void rfcomm_dev_shutdown(struct tty_port *port)
131
{
132
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
133

134
	if (dev->tty_dev->parent)
135
		device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
136

137
	/* close the dlc */
138
	rfcomm_dlc_close(dev->dlc, 0);
139
}
140

141
static const struct tty_port_operations rfcomm_port_ops = {
142
	.destruct = rfcomm_dev_destruct,
143
	.activate = rfcomm_dev_activate,
144
	.shutdown = rfcomm_dev_shutdown,
145
	.carrier_raised = rfcomm_dev_carrier_raised,
146
};
147

148
static struct rfcomm_dev *__rfcomm_dev_lookup(int id)
149
{
150
	struct rfcomm_dev *dev;
151

152
	list_for_each_entry(dev, &rfcomm_dev_list, list)
153
		if (dev->id == id)
154
			return dev;
155

156
	return NULL;
157
}
158

159
static struct rfcomm_dev *rfcomm_dev_get(int id)
160
{
161
	struct rfcomm_dev *dev;
162

163
	mutex_lock(&rfcomm_dev_lock);
164

165
	dev = __rfcomm_dev_lookup(id);
166

167
	if (dev && !tty_port_get(&dev->port))
168
		dev = NULL;
169

170
	mutex_unlock(&rfcomm_dev_lock);
171

172
	return dev;
173
}
174

175
static void rfcomm_reparent_device(struct rfcomm_dev *dev)
176
{
177
	struct hci_dev *hdev;
178
	struct hci_conn *conn;
179

180
	hdev = hci_get_route(&dev->dst, &dev->src, BDADDR_BREDR);
181
	if (!hdev)
182
		return;
183

184
	/* The lookup results are unsafe to access without the
185
	 * hci device lock (FIXME: why is this not documented?)
186
	 */
187
	hci_dev_lock(hdev);
188
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
189

190
	/* Just because the acl link is in the hash table is no
191
	 * guarantee the sysfs device has been added ...
192
	 */
193
	if (conn && device_is_registered(&conn->dev))
194
		device_move(dev->tty_dev, &conn->dev, DPM_ORDER_DEV_AFTER_PARENT);
195

196
	hci_dev_unlock(hdev);
197
	hci_dev_put(hdev);
198
}
199

200
static ssize_t address_show(struct device *tty_dev,
201
			    struct device_attribute *attr, char *buf)
202
{
203
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
204
	return sysfs_emit(buf, "%pMR\n", &dev->dst);
205
}
206

207
static ssize_t channel_show(struct device *tty_dev,
208
			    struct device_attribute *attr, char *buf)
209
{
210
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
211
	return sysfs_emit(buf, "%d\n", dev->channel);
212
}
213

214
static DEVICE_ATTR_RO(address);
215
static DEVICE_ATTR_RO(channel);
216

217
static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
218
					   struct rfcomm_dlc *dlc)
219
{
220
	struct rfcomm_dev *dev, *entry;
221
	struct list_head *head = &rfcomm_dev_list;
222
	int err = 0;
223

224
	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
225
	if (!dev)
226
		return ERR_PTR(-ENOMEM);
227

228
	mutex_lock(&rfcomm_dev_lock);
229

230
	if (req->dev_id < 0) {
231
		dev->id = 0;
232

233
		list_for_each_entry(entry, &rfcomm_dev_list, list) {
234
			if (entry->id != dev->id)
235
				break;
236

237
			dev->id++;
238
			head = &entry->list;
239
		}
240
	} else {
241
		dev->id = req->dev_id;
242

243
		list_for_each_entry(entry, &rfcomm_dev_list, list) {
244
			if (entry->id == dev->id) {
245
				err = -EADDRINUSE;
246
				goto out;
247
			}
248

249
			if (entry->id > dev->id - 1)
250
				break;
251

252
			head = &entry->list;
253
		}
254
	}
255

256
	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
257
		err = -ENFILE;
258
		goto out;
259
	}
260

261
	sprintf(dev->name, "rfcomm%d", dev->id);
262

263
	list_add(&dev->list, head);
264

265
	bacpy(&dev->src, &req->src);
266
	bacpy(&dev->dst, &req->dst);
267
	dev->channel = req->channel;
268

269
	dev->flags = req->flags &
270
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));
271

272
	tty_port_init(&dev->port);
273
	dev->port.ops = &rfcomm_port_ops;
274

275
	skb_queue_head_init(&dev->pending);
276

277
	rfcomm_dlc_lock(dlc);
278

279
	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
280
		struct sock *sk = dlc->owner;
281
		struct sk_buff *skb;
282

283
		BUG_ON(!sk);
284

285
		rfcomm_dlc_throttle(dlc);
286

287
		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
288
			skb_orphan(skb);
289
			skb_queue_tail(&dev->pending, skb);
290
			atomic_sub(skb->len, &sk->sk_rmem_alloc);
291
		}
292
	}
293

294
	dlc->data_ready   = rfcomm_dev_data_ready;
295
	dlc->state_change = rfcomm_dev_state_change;
296
	dlc->modem_status = rfcomm_dev_modem_status;
297

298
	dlc->owner = dev;
299
	dev->dlc   = dlc;
300

301
	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
302

303
	rfcomm_dlc_unlock(dlc);
304

305
	/* It's safe to call __module_get() here because socket already
306
	   holds reference to this module. */
307
	__module_get(THIS_MODULE);
308

309
	mutex_unlock(&rfcomm_dev_lock);
310
	return dev;
311

312
out:
313
	mutex_unlock(&rfcomm_dev_lock);
314
	kfree(dev);
315
	return ERR_PTR(err);
316
}
317

318
static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
319
{
320
	struct rfcomm_dev *dev;
321
	struct device *tty;
322

323
	BT_DBG("id %d channel %d", req->dev_id, req->channel);
324

325
	dev = __rfcomm_dev_add(req, dlc);
326
	if (IS_ERR(dev)) {
327
		rfcomm_dlc_put(dlc);
328
		return PTR_ERR(dev);
329
	}
330

331
	tty = tty_port_register_device(&dev->port, rfcomm_tty_driver,
332
			dev->id, NULL);
333
	if (IS_ERR(tty)) {
334
		tty_port_put(&dev->port);
335
		return PTR_ERR(tty);
336
	}
337

338
	dev->tty_dev = tty;
339
	rfcomm_reparent_device(dev);
340
	dev_set_drvdata(dev->tty_dev, dev);
341

342
	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
343
		BT_ERR("Failed to create address attribute");
344

345
	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
346
		BT_ERR("Failed to create channel attribute");
347

348
	return dev->id;
349
}
350

351
/* ---- Send buffer ---- */
352
static inline unsigned int rfcomm_room(struct rfcomm_dev *dev)
353
{
354
	struct rfcomm_dlc *dlc = dev->dlc;
355

356
	/* Limit the outstanding number of packets not yet sent to 40 */
357
	int pending = 40 - atomic_read(&dev->wmem_alloc);
358

359
	return max(0, pending) * dlc->mtu;
360
}
361

362
static void rfcomm_wfree(struct sk_buff *skb)
363
{
364
	struct rfcomm_dev *dev = (void *) skb->sk;
365
	atomic_dec(&dev->wmem_alloc);
366
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
367
		tty_port_tty_wakeup(&dev->port);
368
	tty_port_put(&dev->port);
369
}
370

371
static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
372
{
373
	tty_port_get(&dev->port);
374
	atomic_inc(&dev->wmem_alloc);
375
	skb->sk = (void *) dev;
376
	skb->destructor = rfcomm_wfree;
377
}
378

379
static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
380
{
381
	struct sk_buff *skb = alloc_skb(size, priority);
382
	if (skb)
383
		rfcomm_set_owner_w(skb, dev);
384
	return skb;
385
}
386

387
/* ---- Device IOCTLs ---- */
388

389
#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
390

391
static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
392
{
393
	struct rfcomm_dev_req req;
394
	struct rfcomm_dlc *dlc;
395
	int id;
396

397
	if (copy_from_user(&req, arg, sizeof(req)))
398
		return -EFAULT;
399

400
	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
401

402
	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
403
		return -EPERM;
404

405
	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
406
		/* Socket must be connected */
407
		if (sk->sk_state != BT_CONNECTED)
408
			return -EBADFD;
409

410
		dlc = rfcomm_pi(sk)->dlc;
411
		rfcomm_dlc_hold(dlc);
412
	} else {
413
		/* Validate the channel is unused */
414
		dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
415
		if (IS_ERR(dlc))
416
			return PTR_ERR(dlc);
417
		if (dlc)
418
			return -EBUSY;
419
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
420
		if (!dlc)
421
			return -ENOMEM;
422
	}
423

424
	id = rfcomm_dev_add(&req, dlc);
425
	if (id < 0)
426
		return id;
427

428
	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
429
		/* DLC is now used by device.
430
		 * Socket must be disconnected */
431
		sk->sk_state = BT_CLOSED;
432
	}
433

434
	return id;
435
}
436

437
static int __rfcomm_release_dev(void __user *arg)
438
{
439
	struct rfcomm_dev_req req;
440
	struct rfcomm_dev *dev;
441

442
	if (copy_from_user(&req, arg, sizeof(req)))
443
		return -EFAULT;
444

445
	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
446

447
	dev = rfcomm_dev_get(req.dev_id);
448
	if (!dev)
449
		return -ENODEV;
450

451
	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
452
		tty_port_put(&dev->port);
453
		return -EPERM;
454
	}
455

456
	/* only release once */
457
	if (test_and_set_bit(RFCOMM_DEV_RELEASED, &dev->status)) {
458
		tty_port_put(&dev->port);
459
		return -EALREADY;
460
	}
461

462
	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
463
		rfcomm_dlc_close(dev->dlc, 0);
464

465
	/* Shut down TTY synchronously before freeing rfcomm_dev */
466
	tty_port_tty_vhangup(&dev->port);
467

468
	if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
469
		tty_port_put(&dev->port);
470

471
	tty_port_put(&dev->port);
472
	return 0;
473
}
474

475
static int rfcomm_create_dev(struct sock *sk, void __user *arg)
476
{
477
	int ret;
478

479
	mutex_lock(&rfcomm_ioctl_mutex);
480
	ret = __rfcomm_create_dev(sk, arg);
481
	mutex_unlock(&rfcomm_ioctl_mutex);
482

483
	return ret;
484
}
485

486
static int rfcomm_release_dev(void __user *arg)
487
{
488
	int ret;
489

490
	mutex_lock(&rfcomm_ioctl_mutex);
491
	ret = __rfcomm_release_dev(arg);
492
	mutex_unlock(&rfcomm_ioctl_mutex);
493

494
	return ret;
495
}
496

497
static int rfcomm_get_dev_list(void __user *arg)
498
{
499
	struct rfcomm_dev *dev;
500
	struct rfcomm_dev_list_req *dl;
501
	struct rfcomm_dev_info *di;
502
	int n = 0, err;
503
	u16 dev_num;
504

505
	BT_DBG("");
506

507
	if (get_user(dev_num, (u16 __user *) arg))
508
		return -EFAULT;
509

510
	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
511
		return -EINVAL;
512

513
	dl = kzalloc(struct_size(dl, dev_info, dev_num), GFP_KERNEL);
514
	if (!dl)
515
		return -ENOMEM;
516

517
	dl->dev_num = dev_num;
518
	di = dl->dev_info;
519

520
	mutex_lock(&rfcomm_dev_lock);
521

522
	list_for_each_entry(dev, &rfcomm_dev_list, list) {
523
		if (!tty_port_get(&dev->port))
524
			continue;
525
		di[n].id      = dev->id;
526
		di[n].flags   = dev->flags;
527
		di[n].state   = dev->dlc->state;
528
		di[n].channel = dev->channel;
529
		bacpy(&di[n].src, &dev->src);
530
		bacpy(&di[n].dst, &dev->dst);
531
		tty_port_put(&dev->port);
532
		if (++n >= dev_num)
533
			break;
534
	}
535

536
	mutex_unlock(&rfcomm_dev_lock);
537

538
	dl->dev_num = n;
539
	err = copy_to_user(arg, dl, struct_size(dl, dev_info, n));
540
	kfree(dl);
541

542
	return err ? -EFAULT : 0;
543
}
544

545
static int rfcomm_get_dev_info(void __user *arg)
546
{
547
	struct rfcomm_dev *dev;
548
	struct rfcomm_dev_info di;
549
	int err = 0;
550

551
	BT_DBG("");
552

553
	if (copy_from_user(&di, arg, sizeof(di)))
554
		return -EFAULT;
555

556
	dev = rfcomm_dev_get(di.id);
557
	if (!dev)
558
		return -ENODEV;
559

560
	di.flags   = dev->flags;
561
	di.channel = dev->channel;
562
	di.state   = dev->dlc->state;
563
	bacpy(&di.src, &dev->src);
564
	bacpy(&di.dst, &dev->dst);
565

566
	if (copy_to_user(arg, &di, sizeof(di)))
567
		err = -EFAULT;
568

569
	tty_port_put(&dev->port);
570
	return err;
571
}
572

573
int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
574
{
575
	BT_DBG("cmd %d arg %p", cmd, arg);
576

577
	switch (cmd) {
578
	case RFCOMMCREATEDEV:
579
		return rfcomm_create_dev(sk, arg);
580

581
	case RFCOMMRELEASEDEV:
582
		return rfcomm_release_dev(arg);
583

584
	case RFCOMMGETDEVLIST:
585
		return rfcomm_get_dev_list(arg);
586

587
	case RFCOMMGETDEVINFO:
588
		return rfcomm_get_dev_info(arg);
589
	}
590

591
	return -EINVAL;
592
}
593

594
/* ---- DLC callbacks ---- */
595
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
596
{
597
	struct rfcomm_dev *dev = dlc->owner;
598

599
	if (!dev) {
600
		kfree_skb(skb);
601
		return;
602
	}
603

604
	if (!skb_queue_empty(&dev->pending)) {
605
		skb_queue_tail(&dev->pending, skb);
606
		return;
607
	}
608

609
	BT_DBG("dlc %p len %d", dlc, skb->len);
610

611
	tty_insert_flip_string(&dev->port, skb->data, skb->len);
612
	tty_flip_buffer_push(&dev->port);
613

614
	kfree_skb(skb);
615
}
616

617
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
618
{
619
	struct rfcomm_dev *dev = dlc->owner;
620
	if (!dev)
621
		return;
622

623
	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
624

625
	dev->err = err;
626
	if (dlc->state == BT_CONNECTED) {
627
		rfcomm_reparent_device(dev);
628

629
		wake_up_interruptible(&dev->port.open_wait);
630
	} else if (dlc->state == BT_CLOSED)
631
		tty_port_tty_hangup(&dev->port, false);
632
}
633

634
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
635
{
636
	struct rfcomm_dev *dev = dlc->owner;
637
	if (!dev)
638
		return;
639

640
	BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);
641

642
	if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV))
643
		tty_port_tty_hangup(&dev->port, true);
644

645
	dev->modem_status =
646
		((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
647
		((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
648
		((v24_sig & RFCOMM_V24_IC)  ? TIOCM_RI : 0) |
649
		((v24_sig & RFCOMM_V24_DV)  ? TIOCM_CD : 0);
650
}
651

652
/* ---- TTY functions ---- */
653
static void rfcomm_tty_copy_pending(struct rfcomm_dev *dev)
654
{
655
	struct sk_buff *skb;
656
	int inserted = 0;
657

658
	BT_DBG("dev %p", dev);
659

660
	rfcomm_dlc_lock(dev->dlc);
661

662
	while ((skb = skb_dequeue(&dev->pending))) {
663
		inserted += tty_insert_flip_string(&dev->port, skb->data,
664
				skb->len);
665
		kfree_skb(skb);
666
	}
667

668
	rfcomm_dlc_unlock(dev->dlc);
669

670
	if (inserted > 0)
671
		tty_flip_buffer_push(&dev->port);
672
}
673

674
/* do the reverse of install, clearing the tty fields and releasing the
675
 * reference to tty_port
676
 */
677
static void rfcomm_tty_cleanup(struct tty_struct *tty)
678
{
679
	struct rfcomm_dev *dev = tty->driver_data;
680

681
	clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
682

683
	rfcomm_dlc_lock(dev->dlc);
684
	tty->driver_data = NULL;
685
	rfcomm_dlc_unlock(dev->dlc);
686

687
	/*
688
	 * purge the dlc->tx_queue to avoid circular dependencies
689
	 * between dev and dlc
690
	 */
691
	skb_queue_purge(&dev->dlc->tx_queue);
692

693
	tty_port_put(&dev->port);
694
}
695

696
/* we acquire the tty_port reference since it's here the tty is first used
697
 * by setting the termios. We also populate the driver_data field and install
698
 * the tty port
699
 */
700
static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
701
{
702
	struct rfcomm_dev *dev;
703
	struct rfcomm_dlc *dlc;
704
	int err;
705

706
	dev = rfcomm_dev_get(tty->index);
707
	if (!dev)
708
		return -ENODEV;
709

710
	dlc = dev->dlc;
711

712
	/* Attach TTY and open DLC */
713
	rfcomm_dlc_lock(dlc);
714
	tty->driver_data = dev;
715
	rfcomm_dlc_unlock(dlc);
716
	set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
717

718
	/* install the tty_port */
719
	err = tty_port_install(&dev->port, driver, tty);
720
	if (err) {
721
		rfcomm_tty_cleanup(tty);
722
		return err;
723
	}
724

725
	/* take over the tty_port reference if the port was created with the
726
	 * flag RFCOMM_RELEASE_ONHUP. This will force the release of the port
727
	 * when the last process closes the tty. The behaviour is expected by
728
	 * userspace.
729
	 */
730
	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
731
		set_bit(RFCOMM_TTY_OWNED, &dev->status);
732
		tty_port_put(&dev->port);
733
	}
734

735
	return 0;
736
}
737

738
static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
739
{
740
	struct rfcomm_dev *dev = tty->driver_data;
741
	int err;
742

743
	BT_DBG("tty %p id %d", tty, tty->index);
744

745
	BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
746
	       dev->channel, dev->port.count);
747

748
	err = tty_port_open(&dev->port, tty, filp);
749
	if (err)
750
		return err;
751

752
	/*
753
	 * FIXME: rfcomm should use proper flow control for
754
	 * received data. This hack will be unnecessary and can
755
	 * be removed when that's implemented
756
	 */
757
	rfcomm_tty_copy_pending(dev);
758

759
	rfcomm_dlc_unthrottle(dev->dlc);
760

761
	return 0;
762
}
763

764
static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
765
{
766
	struct rfcomm_dev *dev = tty->driver_data;
767

768
	BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
769
						dev->port.count);
770

771
	tty_port_close(&dev->port, tty, filp);
772
}
773

774
static ssize_t rfcomm_tty_write(struct tty_struct *tty, const u8 *buf,
775
				size_t count)
776
{
777
	struct rfcomm_dev *dev = tty->driver_data;
778
	struct rfcomm_dlc *dlc = dev->dlc;
779
	struct sk_buff *skb;
780
	size_t sent = 0, size;
781

782
	BT_DBG("tty %p count %zu", tty, count);
783

784
	while (count) {
785
		size = min_t(size_t, count, dlc->mtu);
786

787
		skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
788
		if (!skb)
789
			break;
790

791
		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
792

793
		skb_put_data(skb, buf + sent, size);
794

795
		rfcomm_dlc_send_noerror(dlc, skb);
796

797
		sent  += size;
798
		count -= size;
799
	}
800

801
	return sent;
802
}
803

804
static unsigned int rfcomm_tty_write_room(struct tty_struct *tty)
805
{
806
	struct rfcomm_dev *dev = tty->driver_data;
807
	int room = 0;
808

809
	if (dev && dev->dlc)
810
		room = rfcomm_room(dev);
811

812
	BT_DBG("tty %p room %d", tty, room);
813

814
	return room;
815
}
816

817
static int rfcomm_tty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
818
{
819
	BT_DBG("tty %p cmd 0x%02x", tty, cmd);
820

821
	switch (cmd) {
822
	case TCGETS:
823
		BT_DBG("TCGETS is not supported");
824
		return -ENOIOCTLCMD;
825

826
	case TCSETS:
827
		BT_DBG("TCSETS is not supported");
828
		return -ENOIOCTLCMD;
829

830
	case TIOCMIWAIT:
831
		BT_DBG("TIOCMIWAIT");
832
		break;
833

834
	case TIOCSERGETLSR:
835
		BT_ERR("TIOCSERGETLSR is not supported");
836
		return -ENOIOCTLCMD;
837

838
	case TIOCSERCONFIG:
839
		BT_ERR("TIOCSERCONFIG is not supported");
840
		return -ENOIOCTLCMD;
841

842
	default:
843
		return -ENOIOCTLCMD;	/* ioctls which we must ignore */
844

845
	}
846

847
	return -ENOIOCTLCMD;
848
}
849

850
static void rfcomm_tty_set_termios(struct tty_struct *tty,
851
				   const struct ktermios *old)
852
{
853
	struct ktermios *new = &tty->termios;
854
	int old_baud_rate = tty_termios_baud_rate(old);
855
	int new_baud_rate = tty_termios_baud_rate(new);
856

857
	u8 baud, data_bits, stop_bits, parity, x_on, x_off;
858
	u16 changes = 0;
859

860
	struct rfcomm_dev *dev = tty->driver_data;
861

862
	BT_DBG("tty %p termios %p", tty, old);
863

864
	if (!dev || !dev->dlc || !dev->dlc->session)
865
		return;
866

867
	/* Handle turning off CRTSCTS */
868
	if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
869
		BT_DBG("Turning off CRTSCTS unsupported");
870

871
	/* Parity on/off and when on, odd/even */
872
	if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
873
			((old->c_cflag & PARODD) != (new->c_cflag & PARODD))) {
874
		changes |= RFCOMM_RPN_PM_PARITY;
875
		BT_DBG("Parity change detected.");
876
	}
877

878
	/* Mark and space parity are not supported! */
879
	if (new->c_cflag & PARENB) {
880
		if (new->c_cflag & PARODD) {
881
			BT_DBG("Parity is ODD");
882
			parity = RFCOMM_RPN_PARITY_ODD;
883
		} else {
884
			BT_DBG("Parity is EVEN");
885
			parity = RFCOMM_RPN_PARITY_EVEN;
886
		}
887
	} else {
888
		BT_DBG("Parity is OFF");
889
		parity = RFCOMM_RPN_PARITY_NONE;
890
	}
891

892
	/* Setting the x_on / x_off characters */
893
	if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
894
		BT_DBG("XOFF custom");
895
		x_on = new->c_cc[VSTOP];
896
		changes |= RFCOMM_RPN_PM_XON;
897
	} else {
898
		BT_DBG("XOFF default");
899
		x_on = RFCOMM_RPN_XON_CHAR;
900
	}
901

902
	if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
903
		BT_DBG("XON custom");
904
		x_off = new->c_cc[VSTART];
905
		changes |= RFCOMM_RPN_PM_XOFF;
906
	} else {
907
		BT_DBG("XON default");
908
		x_off = RFCOMM_RPN_XOFF_CHAR;
909
	}
910

911
	/* Handle setting of stop bits */
912
	if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
913
		changes |= RFCOMM_RPN_PM_STOP;
914

915
	/* POSIX does not support 1.5 stop bits and RFCOMM does not
916
	 * support 2 stop bits. So a request for 2 stop bits gets
917
	 * translated to 1.5 stop bits */
918
	if (new->c_cflag & CSTOPB)
919
		stop_bits = RFCOMM_RPN_STOP_15;
920
	else
921
		stop_bits = RFCOMM_RPN_STOP_1;
922

923
	/* Handle number of data bits [5-8] */
924
	if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
925
		changes |= RFCOMM_RPN_PM_DATA;
926

927
	switch (new->c_cflag & CSIZE) {
928
	case CS5:
929
		data_bits = RFCOMM_RPN_DATA_5;
930
		break;
931
	case CS6:
932
		data_bits = RFCOMM_RPN_DATA_6;
933
		break;
934
	case CS7:
935
		data_bits = RFCOMM_RPN_DATA_7;
936
		break;
937
	case CS8:
938
		data_bits = RFCOMM_RPN_DATA_8;
939
		break;
940
	default:
941
		data_bits = RFCOMM_RPN_DATA_8;
942
		break;
943
	}
944

945
	/* Handle baudrate settings */
946
	if (old_baud_rate != new_baud_rate)
947
		changes |= RFCOMM_RPN_PM_BITRATE;
948

949
	switch (new_baud_rate) {
950
	case 2400:
951
		baud = RFCOMM_RPN_BR_2400;
952
		break;
953
	case 4800:
954
		baud = RFCOMM_RPN_BR_4800;
955
		break;
956
	case 7200:
957
		baud = RFCOMM_RPN_BR_7200;
958
		break;
959
	case 9600:
960
		baud = RFCOMM_RPN_BR_9600;
961
		break;
962
	case 19200:
963
		baud = RFCOMM_RPN_BR_19200;
964
		break;
965
	case 38400:
966
		baud = RFCOMM_RPN_BR_38400;
967
		break;
968
	case 57600:
969
		baud = RFCOMM_RPN_BR_57600;
970
		break;
971
	case 115200:
972
		baud = RFCOMM_RPN_BR_115200;
973
		break;
974
	case 230400:
975
		baud = RFCOMM_RPN_BR_230400;
976
		break;
977
	default:
978
		/* 9600 is standard according to the RFCOMM specification */
979
		baud = RFCOMM_RPN_BR_9600;
980
		break;
981

982
	}
983

984
	if (changes)
985
		rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
986
				data_bits, stop_bits, parity,
987
				RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
988
}
989

990
static void rfcomm_tty_throttle(struct tty_struct *tty)
991
{
992
	struct rfcomm_dev *dev = tty->driver_data;
993

994
	BT_DBG("tty %p dev %p", tty, dev);
995

996
	rfcomm_dlc_throttle(dev->dlc);
997
}
998

999
static void rfcomm_tty_unthrottle(struct tty_struct *tty)
1000
{
1001
	struct rfcomm_dev *dev = tty->driver_data;
1002

1003
	BT_DBG("tty %p dev %p", tty, dev);
1004

1005
	rfcomm_dlc_unthrottle(dev->dlc);
1006
}
1007

1008
static unsigned int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
1009
{
1010
	struct rfcomm_dev *dev = tty->driver_data;
1011

1012
	BT_DBG("tty %p dev %p", tty, dev);
1013

1014
	if (!dev || !dev->dlc)
1015
		return 0;
1016

1017
	if (!skb_queue_empty(&dev->dlc->tx_queue))
1018
		return dev->dlc->mtu;
1019

1020
	return 0;
1021
}
1022

1023
static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
1024
{
1025
	struct rfcomm_dev *dev = tty->driver_data;
1026

1027
	BT_DBG("tty %p dev %p", tty, dev);
1028

1029
	if (!dev || !dev->dlc)
1030
		return;
1031

1032
	skb_queue_purge(&dev->dlc->tx_queue);
1033
	tty_wakeup(tty);
1034
}
1035

1036
static void rfcomm_tty_send_xchar(struct tty_struct *tty, u8 ch)
1037
{
1038
	BT_DBG("tty %p ch %c", tty, ch);
1039
}
1040

1041
static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
1042
{
1043
	BT_DBG("tty %p timeout %d", tty, timeout);
1044
}
1045

1046
static void rfcomm_tty_hangup(struct tty_struct *tty)
1047
{
1048
	struct rfcomm_dev *dev = tty->driver_data;
1049

1050
	BT_DBG("tty %p dev %p", tty, dev);
1051

1052
	tty_port_hangup(&dev->port);
1053
}
1054

1055
static int rfcomm_tty_tiocmget(struct tty_struct *tty)
1056
{
1057
	struct rfcomm_dev *dev = tty->driver_data;
1058

1059
	BT_DBG("tty %p dev %p", tty, dev);
1060

1061
	return dev->modem_status;
1062
}
1063

1064
static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
1065
{
1066
	struct rfcomm_dev *dev = tty->driver_data;
1067
	struct rfcomm_dlc *dlc = dev->dlc;
1068
	u8 v24_sig;
1069

1070
	BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);
1071

1072
	rfcomm_dlc_get_modem_status(dlc, &v24_sig);
1073

1074
	if (set & TIOCM_DSR || set & TIOCM_DTR)
1075
		v24_sig |= RFCOMM_V24_RTC;
1076
	if (set & TIOCM_RTS || set & TIOCM_CTS)
1077
		v24_sig |= RFCOMM_V24_RTR;
1078
	if (set & TIOCM_RI)
1079
		v24_sig |= RFCOMM_V24_IC;
1080
	if (set & TIOCM_CD)
1081
		v24_sig |= RFCOMM_V24_DV;
1082

1083
	if (clear & TIOCM_DSR || clear & TIOCM_DTR)
1084
		v24_sig &= ~RFCOMM_V24_RTC;
1085
	if (clear & TIOCM_RTS || clear & TIOCM_CTS)
1086
		v24_sig &= ~RFCOMM_V24_RTR;
1087
	if (clear & TIOCM_RI)
1088
		v24_sig &= ~RFCOMM_V24_IC;
1089
	if (clear & TIOCM_CD)
1090
		v24_sig &= ~RFCOMM_V24_DV;
1091

1092
	rfcomm_dlc_set_modem_status(dlc, v24_sig);
1093

1094
	return 0;
1095
}
1096

1097
/* ---- TTY structure ---- */
1098

1099
static const struct tty_operations rfcomm_ops = {
1100
	.open			= rfcomm_tty_open,
1101
	.close			= rfcomm_tty_close,
1102
	.write			= rfcomm_tty_write,
1103
	.write_room		= rfcomm_tty_write_room,
1104
	.chars_in_buffer	= rfcomm_tty_chars_in_buffer,
1105
	.flush_buffer		= rfcomm_tty_flush_buffer,
1106
	.ioctl			= rfcomm_tty_ioctl,
1107
	.throttle		= rfcomm_tty_throttle,
1108
	.unthrottle		= rfcomm_tty_unthrottle,
1109
	.set_termios		= rfcomm_tty_set_termios,
1110
	.send_xchar		= rfcomm_tty_send_xchar,
1111
	.hangup			= rfcomm_tty_hangup,
1112
	.wait_until_sent	= rfcomm_tty_wait_until_sent,
1113
	.tiocmget		= rfcomm_tty_tiocmget,
1114
	.tiocmset		= rfcomm_tty_tiocmset,
1115
	.install                = rfcomm_tty_install,
1116
	.cleanup                = rfcomm_tty_cleanup,
1117
};
1118

1119
int __init rfcomm_init_ttys(void)
1120
{
1121
	int error;
1122

1123
	rfcomm_tty_driver = tty_alloc_driver(RFCOMM_TTY_PORTS,
1124
			TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV);
1125
	if (IS_ERR(rfcomm_tty_driver))
1126
		return PTR_ERR(rfcomm_tty_driver);
1127

1128
	rfcomm_tty_driver->driver_name	= "rfcomm";
1129
	rfcomm_tty_driver->name		= "rfcomm";
1130
	rfcomm_tty_driver->major	= RFCOMM_TTY_MAJOR;
1131
	rfcomm_tty_driver->minor_start	= RFCOMM_TTY_MINOR;
1132
	rfcomm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
1133
	rfcomm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
1134
	rfcomm_tty_driver->init_termios	= tty_std_termios;
1135
	rfcomm_tty_driver->init_termios.c_cflag	= B9600 | CS8 | CREAD | HUPCL;
1136
	rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1137
	tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1138

1139
	error = tty_register_driver(rfcomm_tty_driver);
1140
	if (error) {
1141
		BT_ERR("Can't register RFCOMM TTY driver");
1142
		tty_driver_kref_put(rfcomm_tty_driver);
1143
		return error;
1144
	}
1145

1146
	BT_INFO("RFCOMM TTY layer initialized");
1147

1148
	return 0;
1149
}
1150

1151
void rfcomm_cleanup_ttys(void)
1152
{
1153
	tty_unregister_driver(rfcomm_tty_driver);
1154
	tty_driver_kref_put(rfcomm_tty_driver);
1155
}
1156

1157