[linux-2.6-block.git] / net / bluetooth / rfcomm / tty.c

/*
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

/*
 * RFCOMM TTY.
 */

#include <linux/module.h>

#include <linux/tty.h>
#include <linux/tty_driver.h>
#include <linux/tty_flip.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/rfcomm.h>

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0

static struct tty_driver *rfcomm_tty_driver;

struct rfcomm_dev {
	struct tty_port		port;
	struct list_head	list;

	char			name[12];
	int			id;
	unsigned long		flags;
	int			err;

	bdaddr_t		src;
	bdaddr_t		dst;
	u8			channel;

	uint			modem_status;

	struct rfcomm_dlc	*dlc;

	struct device		*tty_dev;

	atomic_t		wmem_alloc;

	struct sk_buff_head	pending;
};

static LIST_HEAD(rfcomm_dev_list);
static DEFINE_SPINLOCK(rfcomm_dev_lock);

static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

/* ---- Device functions ---- */

static void rfcomm_dev_destruct(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	struct rfcomm_dlc *dlc = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, dlc);

	spin_lock(&rfcomm_dev_lock);
	list_del(&dev->list);
	spin_unlock(&rfcomm_dev_lock);

	rfcomm_dlc_lock(dlc);
	/* Detach DLC if it's owned by this dev */
	if (dlc->owner == dev)
		dlc->owner = NULL;
	rfcomm_dlc_unlock(dlc);

	rfcomm_dlc_put(dlc);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	kfree(dev);

	/* It's safe to call module_put() here because socket still
	   holds reference to this module. */
	module_put(THIS_MODULE);
}

/* device-specific initialization: open the dlc */
static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	return rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
}

/* we block the open until the dlc->state becomes BT_CONNECTED */
static int rfcomm_dev_carrier_raised(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	return (dev->dlc->state == BT_CONNECTED);
}

/* device-specific cleanup: close the dlc */
static void rfcomm_dev_shutdown(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	if (dev->tty_dev->parent)
		device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);

	/* close the dlc */
	rfcomm_dlc_close(dev->dlc, 0);
}

static const struct tty_port_operations rfcomm_port_ops = {
	.destruct = rfcomm_dev_destruct,
	.activate = rfcomm_dev_activate,
	.shutdown = rfcomm_dev_shutdown,
	.carrier_raised = rfcomm_dev_carrier_raised,
};

static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	list_for_each_entry(dev, &rfcomm_dev_list, list)
		if (dev->id == id)
			return dev;

	return NULL;
}

static struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	spin_lock(&rfcomm_dev_lock);

	dev = __rfcomm_dev_get(id);

	if (dev && !tty_port_get(&dev->port))
		dev = NULL;

	spin_unlock(&rfcomm_dev_lock);

	return dev;
}

static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
{
	struct hci_dev *hdev;
	struct hci_conn *conn;

	hdev = hci_get_route(&dev->dst, &dev->src);
	if (!hdev)
		return NULL;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);

	hci_dev_put(hdev);

	return conn ? &conn->dev : NULL;
}

static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%pMR\n", &dev->dst);
}

static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%d\n", dev->channel);
}

static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);

static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev, *entry;
	struct list_head *head = &rfcomm_dev_list;
	int err = 0;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);

	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	spin_lock(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		dev->id = 0;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id != dev->id)
				break;

			dev->id++;
			head = &entry->list;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = &entry->list;
		}
	}

	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	sprintf(dev->name, "rfcomm%d", dev->id);

	list_add(&dev->list, head);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	dev->flags = req->flags &
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	tty_port_init(&dev->port);
	dev->port.ops = &rfcomm_port_ops;

	skb_queue_head_init(&dev->pending);

	rfcomm_dlc_lock(dlc);

	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
		struct sock *sk = dlc->owner;
		struct sk_buff *skb;

		BUG_ON(!sk);

		rfcomm_dlc_throttle(dlc);

		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
			skb_orphan(skb);
			skb_queue_tail(&dev->pending, skb);
			atomic_sub(skb->len, &sk->sk_rmem_alloc);
		}
	}

	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;

	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);

	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already
	   holds reference to this module. */
	__module_get(THIS_MODULE);

out:
	spin_unlock(&rfcomm_dev_lock);

	if (err < 0)
		goto free;

	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
			dev->id, NULL);
	if (IS_ERR(dev->tty_dev)) {
		err = PTR_ERR(dev->tty_dev);
		spin_lock(&rfcomm_dev_lock);
		list_del(&dev->list);
		spin_unlock(&rfcomm_dev_lock);
		goto free;
	}

	dev_set_drvdata(dev->tty_dev, dev);

	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
		BT_ERR("Failed to create address attribute");

	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
		BT_ERR("Failed to create channel attribute");

	return dev->id;

free:
	kfree(dev);
	return err;
}

/* ---- Send buffer ---- */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	/* We can't let it be zero, because we don't get a callback
	   when tx_credits becomes nonzero, hence we'd never wake up */
	return dlc->mtu * (dlc->tx_credits?:1);
}

static void rfcomm_wfree(struct sk_buff *skb)
{
	struct rfcomm_dev *dev = (void *) skb->sk;
	atomic_sub(skb->truesize, &dev->wmem_alloc);
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
		tty_port_tty_wakeup(&dev->port);
	tty_port_put(&dev->port);
}

static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	tty_port_get(&dev->port);
	atomic_add(skb->truesize, &dev->wmem_alloc);
	skb->sk = (void *) dev;
	skb->destructor = rfcomm_wfree;
}

static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
		struct sk_buff *skb = alloc_skb(size, priority);
		if (skb) {
			rfcomm_set_owner_w(skb, dev);
			return skb;
		}
	}
	return NULL;
}

/* ---- Device IOCTLs ---- */

#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))

static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);

	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}

static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;
	struct tty_struct *tty;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);

	dev = rfcomm_dev_get(req.dev_id);
	if (!dev)
		return -ENODEV;

	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		tty_port_put(&dev->port);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	/* Shut down TTY synchronously before freeing rfcomm_dev */
	tty = tty_port_tty_get(&dev->port);
	if (tty) {
		tty_vhangup(tty);
		tty_kref_put(tty);
	}

	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags) &&
	    !test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
		tty_port_put(&dev->port);

	tty_port_put(&dev->port);
	return 0;
}

static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	dl = kzalloc(size, GFP_KERNEL);
	if (!dl)
		return -ENOMEM;

	di = dl->dev_info;

	spin_lock(&rfcomm_dev_lock);

	list_for_each_entry(dev, &rfcomm_dev_list, list) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			continue;
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		if (++n >= dev_num)
			break;
	}

	spin_unlock(&rfcomm_dev_lock);

	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}

static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_info di;
	int err = 0;

	BT_DBG("");

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	dev = rfcomm_dev_get(di.id);
	if (!dev)
		return -ENODEV;

	di.flags   = dev->flags;
	di.channel = dev->channel;
	di.state   = dev->dlc->state;
	bacpy(&di.src, &dev->src);
	bacpy(&di.dst, &dev->dst);

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	tty_port_put(&dev->port);
	return err;
}

int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	switch (cmd) {
	case RFCOMMCREATEDEV:
		return rfcomm_create_dev(sk, arg);

	case RFCOMMRELEASEDEV:
		return rfcomm_release_dev(arg);

	case RFCOMMGETDEVLIST:
		return rfcomm_get_dev_list(arg);

	case RFCOMMGETDEVINFO:
		return rfcomm_get_dev_info(arg);
	}

	return -EINVAL;
}

/* ---- DLC callbacks ---- */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;

	if (!dev) {
		kfree_skb(skb);
		return;
	}

	if (!skb_queue_empty(&dev->pending)) {
		skb_queue_tail(&dev->pending, skb);
		return;
	}

	BT_DBG("dlc %p len %d", dlc, skb->len);

	tty_insert_flip_string(&dev->port, skb->data, skb->len);
	tty_flip_buffer_push(&dev->port);

	kfree_skb(skb);
}

static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;

	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	if (dlc->state == BT_CONNECTED) {
		device_move(dev->tty_dev, rfcomm_get_device(dev),
			    DPM_ORDER_DEV_AFTER_PARENT);

		wake_up_interruptible(&dev->port.open_wait);
	} else if (dlc->state == BT_CLOSED)
		tty_port_tty_hangup(&dev->port, false);
}

static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
Commit	Line	Data
8e87d142	1	/*
1da177e4 LT	2	RFCOMM implementation for Linux Bluetooth stack (BlueZ).
	3	Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
	4	Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
	5
	6	This program is free software; you can redistribute it and/or modify
	7	it under the terms of the GNU General Public License version 2 as
	8	published by the Free Software Foundation;
	9
	10	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	11	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	12	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
	13	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142 YH	14	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
	15	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4 LT	17	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1da177e4 LT	18
8e87d142 YH	19	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
8e87d142 YH	20	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4 LT	21	SOFTWARE IS DISCLAIMED.
	22	*/
	23
	24	/*
	25	* RFCOMM TTY.
1da177e4 LT	26	*/
1da177e4 LT	27
1da177e4 LT	28	#include <linux/module.h>
	29
	30	#include <linux/tty.h>
	31	#include <linux/tty_driver.h>
	32	#include <linux/tty_flip.h>
	33
1da177e4	34	#include <net/bluetooth/bluetooth.h>
0a85b964	35	#include <net/bluetooth/hci_core.h>
1da177e4 LT	36	#include <net/bluetooth/rfcomm.h>
1da177e4 LT	37
1da177e4 LT	38	#define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
	39	#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
	40	#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
	41	#define RFCOMM_TTY_MINOR 0
	42
	43	static struct tty_driver *rfcomm_tty_driver;
	44
	45	struct rfcomm_dev {
f60db8c4	46	struct tty_port port;
1da177e4	47	struct list_head list;
1da177e4 LT	48
	49	char name[12];
	50	int id;
	51	unsigned long flags;
1da177e4 LT	52	int err;
	53
	54	bdaddr_t src;
	55	bdaddr_t dst;
285b4e90	56	u8 channel;
1da177e4	57
285b4e90	58	uint modem_status;
1da177e4 LT	59
1da177e4 LT	60	struct rfcomm_dlc *dlc;
1da177e4	61
c1a33136 MH	62	struct device *tty_dev;
c1a33136 MH	63
285b4e90	64	atomic_t wmem_alloc;
a0c22f22 MH	65
a0c22f22 MH	66	struct sk_buff_head pending;
1da177e4 LT	67	};
	68
	69	static LIST_HEAD(rfcomm_dev_list);
393432cd	70	static DEFINE_SPINLOCK(rfcomm_dev_lock);
1da177e4 LT	71
	72	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb);
	73	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
	74	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
	75
1da177e4	76	/* ---- Device functions ---- */
67054019	77
67054019	78	static void rfcomm_dev_destruct(struct tty_port *port)
1da177e4	79	{
67054019	80	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
1da177e4 LT	81	struct rfcomm_dlc *dlc = dev->dlc;
	82
	83	BT_DBG("dev %p dlc %p", dev, dlc);
	84
ebe937f7 GA	85	spin_lock(&rfcomm_dev_lock);
	86	list_del(&dev->list);
	87	spin_unlock(&rfcomm_dev_lock);
8de0a154	88
1da177e4 LT	89	rfcomm_dlc_lock(dlc);
	90	/* Detach DLC if it's owned by this dev */
	91	if (dlc->owner == dev)
	92	dlc->owner = NULL;
	93	rfcomm_dlc_unlock(dlc);
	94
	95	rfcomm_dlc_put(dlc);
	96
	97	tty_unregister_device(rfcomm_tty_driver, dev->id);
	98
1da177e4 LT	99	kfree(dev);
1da177e4 LT	100
8e87d142	101	/* It's safe to call module_put() here because socket still
1da177e4 LT	102	holds reference to this module. */
	103	module_put(THIS_MODULE);
	104	}
	105
cad348a1 GA	106	/* device-specific initialization: open the dlc */
	107	static int rfcomm_dev_activate(struct tty_port port, struct tty_struct tty)
	108	{
	109	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	110
136c373b	111	return rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
cad348a1 GA	112	}
cad348a1 GA	113
7f717b91 PH	114	/* we block the open until the dlc->state becomes BT_CONNECTED */
	115	static int rfcomm_dev_carrier_raised(struct tty_port *port)
	116	{
	117	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	118
	119	return (dev->dlc->state == BT_CONNECTED);
	120	}
	121
cad348a1 GA	122	/* device-specific cleanup: close the dlc */
	123	static void rfcomm_dev_shutdown(struct tty_port *port)
	124	{
	125	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	126
	127	if (dev->tty_dev->parent)
	128	device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
	129
	130	/* close the dlc */
	131	rfcomm_dlc_close(dev->dlc, 0);
	132	}
	133
67054019 JS	134	static const struct tty_port_operations rfcomm_port_ops = {
67054019 JS	135	.destruct = rfcomm_dev_destruct,
cad348a1 GA	136	.activate = rfcomm_dev_activate,
cad348a1 GA	137	.shutdown = rfcomm_dev_shutdown,
136c373b	138	.carrier_raised = rfcomm_dev_carrier_raised,
67054019	139	};
1da177e4 LT	140
	141	static struct rfcomm_dev *__rfcomm_dev_get(int id)
	142	{
	143	struct rfcomm_dev *dev;
1da177e4	144
8035ded4	145	list_for_each_entry(dev, &rfcomm_dev_list, list)
1da177e4 LT	146	if (dev->id == id)
1da177e4 LT	147	return dev;
1da177e4 LT	148
	149	return NULL;
	150	}
	151
6039aa73	152	static struct rfcomm_dev *rfcomm_dev_get(int id)
1da177e4 LT	153	{
	154	struct rfcomm_dev *dev;
	155
393432cd	156	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	157
1da177e4 LT	158	dev = __rfcomm_dev_get(id);
8de0a154	159
082a1532 PH	160	if (dev && !tty_port_get(&dev->port))
082a1532 PH	161	dev = NULL;
1da177e4	162
393432cd	163	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	164
	165	return dev;
	166	}
	167
f87c24e7 PH	168	static struct device rfcomm_get_device(struct rfcomm_dev dev)
	169	{
	170	struct hci_dev *hdev;
	171	struct hci_conn *conn;
	172
	173	hdev = hci_get_route(&dev->dst, &dev->src);
	174	if (!hdev)
	175	return NULL;
	176
	177	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
	178
	179	hci_dev_put(hdev);
	180
	181	return conn ? &conn->dev : NULL;
	182	}
	183
dae6a0f6 MH	184	static ssize_t show_address(struct device tty_dev, struct device_attribute attr, char *buf)
	185	{
	186	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
fcb73338	187	return sprintf(buf, "%pMR\n", &dev->dst);
dae6a0f6 MH	188	}
	189
	190	static ssize_t show_channel(struct device tty_dev, struct device_attribute attr, char *buf)
	191	{
	192	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	193	return sprintf(buf, "%d\n", dev->channel);
	194	}
	195
	196	static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
	197	static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
	198
1da177e4 LT	199	static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
1da177e4 LT	200	{
8035ded4	201	struct rfcomm_dev dev, entry;
e57d758a	202	struct list_head *head = &rfcomm_dev_list;
1da177e4 LT	203	int err = 0;
	204
	205	BT_DBG("id %d channel %d", req->dev_id, req->channel);
8e87d142	206
25ea6db0	207	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
1da177e4 LT	208	if (!dev)
1da177e4 LT	209	return -ENOMEM;
1da177e4	210
393432cd	211	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	212
	213	if (req->dev_id < 0) {
	214	dev->id = 0;
	215
8035ded4 LAD	216	list_for_each_entry(entry, &rfcomm_dev_list, list) {
8035ded4 LAD	217	if (entry->id != dev->id)
1da177e4 LT	218	break;
	219
	220	dev->id++;
e57d758a	221	head = &entry->list;
1da177e4 LT	222	}
	223	} else {
	224	dev->id = req->dev_id;
	225
8035ded4	226	list_for_each_entry(entry, &rfcomm_dev_list, list) {
1da177e4 LT	227	if (entry->id == dev->id) {
	228	err = -EADDRINUSE;
	229	goto out;
	230	}
	231
	232	if (entry->id > dev->id - 1)
	233	break;
	234
e57d758a	235	head = &entry->list;
1da177e4 LT	236	}
	237	}
	238
	239	if ((dev->id < 0) \|\| (dev->id > RFCOMM_MAX_DEV - 1)) {
	240	err = -ENFILE;
	241	goto out;
	242	}
	243
	244	sprintf(dev->name, "rfcomm%d", dev->id);
	245
	246	list_add(&dev->list, head);
1da177e4 LT	247
	248	bacpy(&dev->src, &req->src);
	249	bacpy(&dev->dst, &req->dst);
	250	dev->channel = req->channel;
	251
8e87d142	252	dev->flags = req->flags &
1da177e4 LT	253	((1 << RFCOMM_RELEASE_ONHUP) \| (1 << RFCOMM_REUSE_DLC));
1da177e4 LT	254
f60db8c4	255	tty_port_init(&dev->port);
67054019	256	dev->port.ops = &rfcomm_port_ops;
1da177e4	257
a0c22f22 MH	258	skb_queue_head_init(&dev->pending);
a0c22f22 MH	259
1da177e4	260	rfcomm_dlc_lock(dlc);
a0c22f22 MH	261
	262	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
	263	struct sock *sk = dlc->owner;
	264	struct sk_buff *skb;
	265
	266	BUG_ON(!sk);
	267
	268	rfcomm_dlc_throttle(dlc);
	269
	270	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
	271	skb_orphan(skb);
	272	skb_queue_tail(&dev->pending, skb);
	273	atomic_sub(skb->len, &sk->sk_rmem_alloc);
	274	}
	275	}
	276
1da177e4 LT	277	dlc->data_ready = rfcomm_dev_data_ready;
	278	dlc->state_change = rfcomm_dev_state_change;
	279	dlc->modem_status = rfcomm_dev_modem_status;
	280
	281	dlc->owner = dev;
	282	dev->dlc = dlc;
8b6b3da7 MH	283
	284	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
	285
1da177e4 LT	286	rfcomm_dlc_unlock(dlc);
1da177e4 LT	287
8e87d142	288	/* It's safe to call __module_get() here because socket already
1da177e4 LT	289	holds reference to this module. */
	290	__module_get(THIS_MODULE);
	291
	292	out:
393432cd	293	spin_unlock(&rfcomm_dev_lock);
1da177e4	294
037322ab IJ	295	if (err < 0)
037322ab IJ	296	goto free;
1da177e4	297
734cc178 JS	298	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
734cc178 JS	299	dev->id, NULL);
8de0a154	300	if (IS_ERR(dev->tty_dev)) {
09c7d829	301	err = PTR_ERR(dev->tty_dev);
ebe937f7	302	spin_lock(&rfcomm_dev_lock);
8de0a154	303	list_del(&dev->list);
ebe937f7	304	spin_unlock(&rfcomm_dev_lock);
037322ab	305	goto free;
8de0a154 VT	306	}
8de0a154 VT	307
dae6a0f6 MH	308	dev_set_drvdata(dev->tty_dev, dev);
	309
	310	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
	311	BT_ERR("Failed to create address attribute");
	312
	313	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
	314	BT_ERR("Failed to create channel attribute");
	315
1da177e4	316	return dev->id;
037322ab IJ	317
	318	free:
	319	kfree(dev);
	320	return err;
1da177e4 LT	321	}
1da177e4 LT	322
1da177e4 LT	323	/* ---- Send buffer ---- */
	324	static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
	325	{
	326	/* We can't let it be zero, because we don't get a callback
	327	when tx_credits becomes nonzero, hence we'd never wake up */
	328	return dlc->mtu * (dlc->tx_credits?:1);
	329	}
	330
	331	static void rfcomm_wfree(struct sk_buff *skb)
	332	{
	333	struct rfcomm_dev dev = (void ) skb->sk;
	334	atomic_sub(skb->truesize, &dev->wmem_alloc);
396dc223 GA	335	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
396dc223 GA	336	tty_port_tty_wakeup(&dev->port);
67054019	337	tty_port_put(&dev->port);
1da177e4 LT	338	}
1da177e4 LT	339
6039aa73	340	static void rfcomm_set_owner_w(struct sk_buff skb, struct rfcomm_dev dev)
1da177e4	341	{
67054019	342	tty_port_get(&dev->port);
1da177e4 LT	343	atomic_add(skb->truesize, &dev->wmem_alloc);
	344	skb->sk = (void *) dev;
	345	skb->destructor = rfcomm_wfree;
	346	}
	347
dd0fc66f	348	static struct sk_buff rfcomm_wmalloc(struct rfcomm_dev dev, unsigned long size, gfp_t priority)
1da177e4 LT	349	{
	350	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
	351	struct sk_buff *skb = alloc_skb(size, priority);
	352	if (skb) {
	353	rfcomm_set_owner_w(skb, dev);
	354	return skb;
	355	}
	356	}
	357	return NULL;
	358	}
	359
	360	/* ---- Device IOCTLs ---- */
	361
	362	#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) \| (1 << RFCOMM_RELEASE_ONHUP))
	363
	364	static int rfcomm_create_dev(struct sock sk, void __user arg)
	365	{
	366	struct rfcomm_dev_req req;
	367	struct rfcomm_dlc *dlc;
	368	int id;
	369
	370	if (copy_from_user(&req, arg, sizeof(req)))
	371	return -EFAULT;
	372
8de0a154	373	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
1da177e4 LT	374
	375	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
	376	return -EPERM;
	377
	378	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	379	/* Socket must be connected */
	380	if (sk->sk_state != BT_CONNECTED)
	381	return -EBADFD;
	382
	383	dlc = rfcomm_pi(sk)->dlc;
	384	rfcomm_dlc_hold(dlc);
	385	} else {
	386	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
	387	if (!dlc)
	388	return -ENOMEM;
	389	}
	390
	391	id = rfcomm_dev_add(&req, dlc);
	392	if (id < 0) {
	393	rfcomm_dlc_put(dlc);
	394	return id;
	395	}
	396
	397	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	398	/* DLC is now used by device.
	399	* Socket must be disconnected */
	400	sk->sk_state = BT_CLOSED;
	401	}
	402
	403	return id;
	404	}
	405
	406	static int rfcomm_release_dev(void __user *arg)
	407	{
	408	struct rfcomm_dev_req req;
	409	struct rfcomm_dev *dev;
396dc223	410	struct tty_struct *tty;
1da177e4 LT	411
	412	if (copy_from_user(&req, arg, sizeof(req)))
	413	return -EFAULT;
	414
8de0a154	415	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
1da177e4	416
285b4e90 AE	417	dev = rfcomm_dev_get(req.dev_id);
285b4e90 AE	418	if (!dev)
1da177e4 LT	419	return -ENODEV;
	420
	421	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
67054019	422	tty_port_put(&dev->port);
1da177e4 LT	423	return -EPERM;
	424	}
	425
	426	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
	427	rfcomm_dlc_close(dev->dlc, 0);
	428
84950cf0	429	/* Shut down TTY synchronously before freeing rfcomm_dev */
396dc223 GA	430	tty = tty_port_tty_get(&dev->port);
	431	if (tty) {
	432	tty_vhangup(tty);
	433	tty_kref_put(tty);
	434	}
84950cf0	435
5b899241 GA	436	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags) &&
5b899241 GA	437	!test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
ece3150d GA	438	tty_port_put(&dev->port);
ece3150d GA	439
67054019	440	tty_port_put(&dev->port);
1da177e4 LT	441	return 0;
	442	}
	443
	444	static int rfcomm_get_dev_list(void __user *arg)
	445	{
8035ded4	446	struct rfcomm_dev *dev;
1da177e4 LT	447	struct rfcomm_dev_list_req *dl;
1da177e4 LT	448	struct rfcomm_dev_info *di;
1da177e4 LT	449	int n = 0, size, err;
	450	u16 dev_num;
	451
	452	BT_DBG("");
	453
	454	if (get_user(dev_num, (u16 __user *) arg))
	455	return -EFAULT;
	456
	457	if (!dev_num \|\| dev_num > (PAGE_SIZE * 4) / sizeof(*di))
	458	return -EINVAL;
	459
	460	size = sizeof(dl) + dev_num sizeof(*di);
	461
f9432c5e	462	dl = kzalloc(size, GFP_KERNEL);
285b4e90	463	if (!dl)
1da177e4 LT	464	return -ENOMEM;
	465
	466	di = dl->dev_info;
	467
393432cd	468	spin_lock(&rfcomm_dev_lock);
1da177e4	469
8035ded4	470	list_for_each_entry(dev, &rfcomm_dev_list, list) {
8de0a154 VT	471	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
8de0a154 VT	472	continue;
1da177e4 LT	473	(di + n)->id = dev->id;
	474	(di + n)->flags = dev->flags;
	475	(di + n)->state = dev->dlc->state;
	476	(di + n)->channel = dev->channel;
	477	bacpy(&(di + n)->src, &dev->src);
	478	bacpy(&(di + n)->dst, &dev->dst);
	479	if (++n >= dev_num)
	480	break;
	481	}
	482
393432cd	483	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	484
	485	dl->dev_num = n;
	486	size = sizeof(dl) + n sizeof(*di);
	487
	488	err = copy_to_user(arg, dl, size);
	489	kfree(dl);
	490
	491	return err ? -EFAULT : 0;
	492	}
	493
	494	static int rfcomm_get_dev_info(void __user *arg)
	495	{
	496	struct rfcomm_dev *dev;
	497	struct rfcomm_dev_info di;
	498	int err = 0;
	499
	500	BT_DBG("");
	501
	502	if (copy_from_user(&di, arg, sizeof(di)))
	503	return -EFAULT;
	504
285b4e90 AE	505	dev = rfcomm_dev_get(di.id);
285b4e90 AE	506	if (!dev)
1da177e4 LT	507	return -ENODEV;
	508
	509	di.flags = dev->flags;
	510	di.channel = dev->channel;
	511	di.state = dev->dlc->state;
	512	bacpy(&di.src, &dev->src);
	513	bacpy(&di.dst, &dev->dst);
	514
	515	if (copy_to_user(arg, &di, sizeof(di)))
	516	err = -EFAULT;
	517
67054019	518	tty_port_put(&dev->port);
1da177e4 LT	519	return err;
	520	}
	521
	522	int rfcomm_dev_ioctl(struct sock sk, unsigned int cmd, void __user arg)
	523	{
	524	BT_DBG("cmd %d arg %p", cmd, arg);
	525
	526	switch (cmd) {
	527	case RFCOMMCREATEDEV:
	528	return rfcomm_create_dev(sk, arg);
	529
	530	case RFCOMMRELEASEDEV:
	531	return rfcomm_release_dev(arg);
	532
	533	case RFCOMMGETDEVLIST:
	534	return rfcomm_get_dev_list(arg);
	535
	536	case RFCOMMGETDEVINFO:
	537	return rfcomm_get_dev_info(arg);
	538	}
	539
	540	return -EINVAL;
	541	}
	542
	543	/* ---- DLC callbacks ---- */
	544	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb)
	545	{
	546	struct rfcomm_dev *dev = dlc->owner;
8e87d142	547
a0c22f22	548	if (!dev) {
1da177e4 LT	549	kfree_skb(skb);
	550	return;
	551	}
	552
2e124b4a	553	if (!skb_queue_empty(&dev->pending)) {
a0c22f22 MH	554	skb_queue_tail(&dev->pending, skb);
	555	return;
	556	}
	557
2e124b4a	558	BT_DBG("dlc %p len %d", dlc, skb->len);
1da177e4	559
05c7cd39	560	tty_insert_flip_string(&dev->port, skb->data, skb->len);
2e124b4a	561	tty_flip_buffer_push(&dev->port);
1da177e4 LT	562
	563	kfree_skb(skb);
	564	}
	565
	566	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
	567	{
	568	struct rfcomm_dev *dev = dlc->owner;
	569	if (!dev)
	570	return;
8e87d142	571
1da177e4 LT	572	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
	573
	574	dev->err = err;
136c373b PH	575	if (dlc->state == BT_CONNECTED) {
	576	device_move(dev->tty_dev, rfcomm_get_device(dev),
	577	DPM_ORDER_DEV_AFTER_PARENT);
1da177e4	578
136c373b PH	579	wake_up_interruptible(&dev->port.open_wait);
136c373b PH	580	} else if (dlc->state == BT_CLOSED)
29cd718b	581	tty_port_tty_hangup(&dev->port, false);
1da177e4 LT	582	}
	583
	584	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
	585	{
	586	struct rfcomm_dev *dev = dlc->owner;
	587	if (!dev)
	588	return;