[linux-2.6-block.git] / net / bluetooth / rfcomm / tty.c

/* 
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 
   SOFTWARE IS DISCLAIMED.
*/

/*
 * RFCOMM TTY.
 *
 * $Id: tty.c,v 1.24 2002/10/03 01:54:38 holtmann Exp $
 */

#include <linux/module.h>

#include <linux/tty.h>
#include <linux/tty_driver.h>
#include <linux/tty_flip.h>

#include <linux/capability.h>
#include <linux/slab.h>
#include <linux/skbuff.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/rfcomm.h>

#ifndef CONFIG_BT_RFCOMM_DEBUG
#undef  BT_DBG
#define BT_DBG(D...)
#endif

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0

static struct tty_driver *rfcomm_tty_driver;

struct rfcomm_dev {
	struct list_head	list;
	atomic_t		refcnt;

	char			name[12];
	int			id;
	unsigned long		flags;
	int			opened;
	int			err;

	bdaddr_t		src;
	bdaddr_t		dst;
	u8 			channel;

	uint 			modem_status;

	struct rfcomm_dlc	*dlc;
	struct tty_struct	*tty;
	wait_queue_head_t       wait;
	struct tasklet_struct   wakeup_task;

	atomic_t 		wmem_alloc;
};

static LIST_HEAD(rfcomm_dev_list);
static DEFINE_RWLOCK(rfcomm_dev_lock);

static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

static void rfcomm_tty_wakeup(unsigned long arg);

/* ---- Device functions ---- */
static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
{
	struct rfcomm_dlc *dlc = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, dlc);

	rfcomm_dlc_lock(dlc);
	/* Detach DLC if it's owned by this dev */
	if (dlc->owner == dev)
		dlc->owner = NULL;
	rfcomm_dlc_unlock(dlc);

	rfcomm_dlc_put(dlc);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	/* Refcount should only hit zero when called from rfcomm_dev_del()
	   which will have taken us off the list. Everything else are
	   refcounting bugs. */
	BUG_ON(!list_empty(&dev->list));

	kfree(dev);

	/* It's safe to call module_put() here because socket still 
	   holds reference to this module. */
	module_put(THIS_MODULE);
}

static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
{
	atomic_inc(&dev->refcnt);
}

static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
{
	/* The reason this isn't actually a race, as you no
	   doubt have a little voice screaming at you in your
	   head, is that the refcount should never actually
	   reach zero unless the device has already been taken
	   off the list, in rfcomm_dev_del(). And if that's not
	   true, we'll hit the BUG() in rfcomm_dev_destruct()
	   anyway. */
	if (atomic_dec_and_test(&dev->refcnt))
		rfcomm_dev_destruct(dev);
}

static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;
	struct list_head  *p;

	list_for_each(p, &rfcomm_dev_list) {
		dev = list_entry(p, struct rfcomm_dev, list);
		if (dev->id == id)
			return dev;
	}

	return NULL;
}

static inline struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	read_lock(&rfcomm_dev_lock);

	dev = __rfcomm_dev_get(id);
	if (dev)
		rfcomm_dev_hold(dev);

	read_unlock(&rfcomm_dev_lock);

	return dev;
}

static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
{
	struct hci_dev *hdev;
	struct hci_conn *conn;

	hdev = hci_get_route(&dev->dst, &dev->src);
	if (!hdev)
		return NULL;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
	if (!conn)
		return NULL;

	hci_dev_put(hdev);

	return &conn->dev;
}

static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev;
	struct list_head *head = &rfcomm_dev_list, *p;
	int err = 0;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);
	
	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	write_lock_bh(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		dev->id = 0;

		list_for_each(p, &rfcomm_dev_list) {
			if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
				break;

			dev->id++;
			head = p;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each(p, &rfcomm_dev_list) {
			struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);

			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = p;
		}
	}

	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	sprintf(dev->name, "rfcomm%d", dev->id);

	list_add(&dev->list, head);
	atomic_set(&dev->refcnt, 1);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	dev->flags = req->flags & 
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	init_waitqueue_head(&dev->wait);
	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);

	rfcomm_dlc_lock(dlc);
	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;
	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already 
	   holds reference to this module. */
	__module_get(THIS_MODULE);

out:
	write_unlock_bh(&rfcomm_dev_lock);

	if (err) {
		kfree(dev);
		return err;
	}

	tty_register_device(rfcomm_tty_driver, dev->id, rfcomm_get_device(dev));

	return dev->id;
}

static void rfcomm_dev_del(struct rfcomm_dev *dev)
{
	BT_DBG("dev %p", dev);

	write_lock_bh(&rfcomm_dev_lock);
	list_del_init(&dev->list);
	write_unlock_bh(&rfcomm_dev_lock);

	rfcomm_dev_put(dev);
}

/* ---- Send buffer ---- */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	/* We can't let it be zero, because we don't get a callback
	   when tx_credits becomes nonzero, hence we'd never wake up */
	return dlc->mtu * (dlc->tx_credits?:1);
}

static void rfcomm_wfree(struct sk_buff *skb)
{
	struct rfcomm_dev *dev = (void *) skb->sk;
	atomic_sub(skb->truesize, &dev->wmem_alloc);
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
		tasklet_schedule(&dev->wakeup_task);
	rfcomm_dev_put(dev);
}

static inline void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	rfcomm_dev_hold(dev);
	atomic_add(skb->truesize, &dev->wmem_alloc);
	skb->sk = (void *) dev;
	skb->destructor = rfcomm_wfree;
}

static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
		struct sk_buff *skb = alloc_skb(size, priority);
		if (skb) {
			rfcomm_set_owner_w(skb, dev);
			return skb;
		}
	}
	return NULL;
}

/* ---- Device IOCTLs ---- */

#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))

static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("sk %p dev_id %id flags 0x%x", sk, req.dev_id, req.flags);

	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}

static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("dev_id %id flags 0x%x", req.dev_id, req.flags);

	if (!(dev = rfcomm_dev_get(req.dev_id)))
		return -ENODEV;

	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		rfcomm_dev_put(dev);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	rfcomm_dev_del(dev);
	rfcomm_dev_put(dev);
	return 0;
}

static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	struct list_head *p;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	if (!(dl = kmalloc(size, GFP_KERNEL)))
		return -ENOMEM;

	di = dl->dev_info;

	read_lock_bh(&rfcomm_dev_lock);

	list_for_each(p, &rfcomm_dev_list) {
		struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		if (++n >= dev_num)
			break;
	}

	read_unlock_bh(&rfcomm_dev_lock);

	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}

static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_info di;
	int err = 0;

	BT_DBG("");

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	if (!(dev = rfcomm_dev_get(di.id)))
		return -ENODEV;

	di.flags   = dev->flags;
	di.channel = dev->channel;
	di.state   = dev->dlc->state;
	bacpy(&di.src, &dev->src);
	bacpy(&di.dst, &dev->dst);

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	rfcomm_dev_put(dev);
	return err;
}

int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	switch (cmd) {
	case RFCOMMCREATEDEV:
		return rfcomm_create_dev(sk, arg);

	case RFCOMMRELEASEDEV:
		return rfcomm_release_dev(arg);

	case RFCOMMGETDEVLIST:
		return rfcomm_get_dev_list(arg);

	case RFCOMMGETDEVINFO:
		return rfcomm_get_dev_info(arg);
	}

	return -EINVAL;
}

/* ---- DLC callbacks ---- */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;
	struct tty_struct *tty;
       
	if (!dev || !(tty = dev->tty)) {
		kfree_skb(skb);
		return;
	}

	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);

	tty_insert_flip_string(tty, skb->data, skb->len);
	tty_flip_buffer_push(tty);

	kfree_skb(skb);
}

static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
	
	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	wake_up_interruptible(&dev->wait);

	if (dlc->state == BT_CLOSED) {
		if (!dev->tty) {
			if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
				rfcomm_dev_hold(dev);
				rfcomm_dev_del(dev);

				/* We have to drop DLC lock here, otherwise
				   rfcomm_dev_put() will dead lock if it's
				   the last reference. */
				rfcomm_dlc_unlock(dlc);
				rfcomm_dev_put(dev);
				rfcomm_dlc_lock(dlc);
			}
		} else 
			tty_hangup(dev->tty);
	}
}

static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
Commit	Line	Data
1da177e4 LT	1	/*
	2	RFCOMM implementation for Linux Bluetooth stack (BlueZ).
	3	Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
	4	Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
	5
	6	This program is free software; you can redistribute it and/or modify
	7	it under the terms of the GNU General Public License version 2 as
	8	published by the Free Software Foundation;
	9
	10	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	11	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	12	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
	13	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
	14	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
	15	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	17	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	18
	19	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
	20	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
	21	SOFTWARE IS DISCLAIMED.
	22	*/
	23
	24	/*
	25	* RFCOMM TTY.
	26	*
	27	* $Id: tty.c,v 1.24 2002/10/03 01:54:38 holtmann Exp $
	28	*/
	29
1da177e4 LT	30	#include <linux/module.h>
	31
	32	#include <linux/tty.h>
	33	#include <linux/tty_driver.h>
	34	#include <linux/tty_flip.h>
	35
4fc268d2	36	#include <linux/capability.h>
1da177e4 LT	37	#include <linux/slab.h>
	38	#include <linux/skbuff.h>
	39
	40	#include <net/bluetooth/bluetooth.h>
0a85b964	41	#include <net/bluetooth/hci_core.h>
1da177e4 LT	42	#include <net/bluetooth/rfcomm.h>
	43
	44	#ifndef CONFIG_BT_RFCOMM_DEBUG
	45	#undef BT_DBG
	46	#define BT_DBG(D...)
	47	#endif
	48
	49	#define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
	50	#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
	51	#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
	52	#define RFCOMM_TTY_MINOR 0
	53
	54	static struct tty_driver *rfcomm_tty_driver;
	55
	56	struct rfcomm_dev {
	57	struct list_head list;
	58	atomic_t refcnt;
	59
	60	char name[12];
	61	int id;
	62	unsigned long flags;
	63	int opened;
	64	int err;
	65
	66	bdaddr_t src;
	67	bdaddr_t dst;
	68	u8 channel;
	69
	70	uint modem_status;
	71
	72	struct rfcomm_dlc *dlc;
	73	struct tty_struct *tty;
	74	wait_queue_head_t wait;
	75	struct tasklet_struct wakeup_task;
	76
	77	atomic_t wmem_alloc;
	78	};
	79
	80	static LIST_HEAD(rfcomm_dev_list);
	81	static DEFINE_RWLOCK(rfcomm_dev_lock);
	82
	83	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb);
	84	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
	85	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
	86
	87	static void rfcomm_tty_wakeup(unsigned long arg);
	88
	89	/* ---- Device functions ---- */
	90	static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
	91	{
	92	struct rfcomm_dlc *dlc = dev->dlc;
	93
	94	BT_DBG("dev %p dlc %p", dev, dlc);
	95
	96	rfcomm_dlc_lock(dlc);
	97	/* Detach DLC if it's owned by this dev */
	98	if (dlc->owner == dev)
	99	dlc->owner = NULL;
	100	rfcomm_dlc_unlock(dlc);
	101
	102	rfcomm_dlc_put(dlc);
	103
	104	tty_unregister_device(rfcomm_tty_driver, dev->id);
	105
106	/* Refcount should only hit zero when called from rfcomm_dev_del()
107	which will have taken us off the list. Everything else are
108	refcounting bugs. */
109	BUG_ON(!list_empty(&dev->list));
110
111	kfree(dev);
112
113	/* It's safe to call module_put() here because socket still
114	holds reference to this module. */
115	module_put(THIS_MODULE);
116	}
117
118	static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
119	{
120	atomic_inc(&dev->refcnt);
121	}
122
123	static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
124	{
125	/* The reason this isn't actually a race, as you no
126	doubt have a little voice screaming at you in your
127	head, is that the refcount should never actually
128	reach zero unless the device has already been taken
129	off the list, in rfcomm_dev_del(). And if that's not
130	true, we'll hit the BUG() in rfcomm_dev_destruct()
131	anyway. */
132	if (atomic_dec_and_test(&dev->refcnt))
133	rfcomm_dev_destruct(dev);
134	}
135
136	static struct rfcomm_dev *__rfcomm_dev_get(int id)
137	{
138	struct rfcomm_dev *dev;
139	struct list_head *p;
140
141	list_for_each(p, &rfcomm_dev_list) {
142	dev = list_entry(p, struct rfcomm_dev, list);
143	if (dev->id == id)
144	return dev;
145	}
146
147	return NULL;
148	}
149
150	static inline struct rfcomm_dev *rfcomm_dev_get(int id)
151	{
152	struct rfcomm_dev *dev;
153
154	read_lock(&rfcomm_dev_lock);
155
156	dev = __rfcomm_dev_get(id);
157	if (dev)
158	rfcomm_dev_hold(dev);
159
160	read_unlock(&rfcomm_dev_lock);
161
162	return dev;
163	}
164
0a85b964 MH	165	static struct device rfcomm_get_device(struct rfcomm_dev dev)
	166	{
	167	struct hci_dev *hdev;
	168	struct hci_conn *conn;
	169
	170	hdev = hci_get_route(&dev->dst, &dev->src);
	171	if (!hdev)
	172	return NULL;
	173
	174	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
	175	if (!conn)
	176	return NULL;
	177
	178	hci_dev_put(hdev);
	179
	180	return &conn->dev;
	181	}
	182
1da177e4 LT	183	static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
	184	{
	185	struct rfcomm_dev *dev;
	186	struct list_head head = &rfcomm_dev_list, p;
	187	int err = 0;
	188
	189	BT_DBG("id %d channel %d", req->dev_id, req->channel);
	190
25ea6db0	191	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
1da177e4 LT	192	if (!dev)
1da177e4 LT	193	return -ENOMEM;
1da177e4 LT	194
	195	write_lock_bh(&rfcomm_dev_lock);
	196
	197	if (req->dev_id < 0) {
	198	dev->id = 0;
	199
	200	list_for_each(p, &rfcomm_dev_list) {
	201	if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
	202	break;
	203
	204	dev->id++;
	205	head = p;
	206	}
	207	} else {
	208	dev->id = req->dev_id;
	209
	210	list_for_each(p, &rfcomm_dev_list) {
	211	struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);
	212
	213	if (entry->id == dev->id) {
	214	err = -EADDRINUSE;
	215	goto out;
	216	}
	217
	218	if (entry->id > dev->id - 1)
	219	break;
	220
	221	head = p;
	222	}
	223	}
	224
	225	if ((dev->id < 0) \|\| (dev->id > RFCOMM_MAX_DEV - 1)) {
	226	err = -ENFILE;
	227	goto out;
	228	}
	229
	230	sprintf(dev->name, "rfcomm%d", dev->id);
	231
	232	list_add(&dev->list, head);
	233	atomic_set(&dev->refcnt, 1);
	234
	235	bacpy(&dev->src, &req->src);
	236	bacpy(&dev->dst, &req->dst);
	237	dev->channel = req->channel;
	238
	239	dev->flags = req->flags &
	240	((1 << RFCOMM_RELEASE_ONHUP) \| (1 << RFCOMM_REUSE_DLC));
	241
	242	init_waitqueue_head(&dev->wait);
	243	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);
	244
	245	rfcomm_dlc_lock(dlc);
	246	dlc->data_ready = rfcomm_dev_data_ready;
	247	dlc->state_change = rfcomm_dev_state_change;
	248	dlc->modem_status = rfcomm_dev_modem_status;
	249
	250	dlc->owner = dev;
	251	dev->dlc = dlc;
	252	rfcomm_dlc_unlock(dlc);
	253
	254	/* It's safe to call __module_get() here because socket already
	255	holds reference to this module. */
	256	__module_get(THIS_MODULE);
	257
258	out:
259	write_unlock_bh(&rfcomm_dev_lock);
260
261	if (err) {
262	kfree(dev);
263	return err;
264	}
265
0a85b964	266	tty_register_device(rfcomm_tty_driver, dev->id, rfcomm_get_device(dev));
1da177e4 LT	267
	268	return dev->id;
	269	}
	270
	271	static void rfcomm_dev_del(struct rfcomm_dev *dev)
	272	{
	273	BT_DBG("dev %p", dev);
	274
	275	write_lock_bh(&rfcomm_dev_lock);
	276	list_del_init(&dev->list);
	277	write_unlock_bh(&rfcomm_dev_lock);
	278
	279	rfcomm_dev_put(dev);
	280	}
	281
	282	/* ---- Send buffer ---- */
	283	static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
	284	{
	285	/* We can't let it be zero, because we don't get a callback
	286	when tx_credits becomes nonzero, hence we'd never wake up */
	287	return dlc->mtu * (dlc->tx_credits?:1);
	288	}
	289
	290	static void rfcomm_wfree(struct sk_buff *skb)
	291	{
	292	struct rfcomm_dev dev = (void ) skb->sk;
	293	atomic_sub(skb->truesize, &dev->wmem_alloc);
	294	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
	295	tasklet_schedule(&dev->wakeup_task);
	296	rfcomm_dev_put(dev);
	297	}
	298
	299	static inline void rfcomm_set_owner_w(struct sk_buff skb, struct rfcomm_dev dev)
	300	{
	301	rfcomm_dev_hold(dev);
	302	atomic_add(skb->truesize, &dev->wmem_alloc);
	303	skb->sk = (void *) dev;
	304	skb->destructor = rfcomm_wfree;
	305	}
	306
dd0fc66f	307	static struct sk_buff rfcomm_wmalloc(struct rfcomm_dev dev, unsigned long size, gfp_t priority)
1da177e4 LT	308	{
	309	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
	310	struct sk_buff *skb = alloc_skb(size, priority);
	311	if (skb) {
	312	rfcomm_set_owner_w(skb, dev);
	313	return skb;
	314	}
	315	}
	316	return NULL;
	317	}
	318
	319	/* ---- Device IOCTLs ---- */
	320
	321	#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) \| (1 << RFCOMM_RELEASE_ONHUP))
	322
	323	static int rfcomm_create_dev(struct sock sk, void __user arg)
	324	{
	325	struct rfcomm_dev_req req;
	326	struct rfcomm_dlc *dlc;
	327	int id;
	328
	329	if (copy_from_user(&req, arg, sizeof(req)))
	330	return -EFAULT;
	331
	332	BT_DBG("sk %p dev_id %id flags 0x%x", sk, req.dev_id, req.flags);
	333
	334	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
	335	return -EPERM;
	336
	337	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	338	/* Socket must be connected */
	339	if (sk->sk_state != BT_CONNECTED)
	340	return -EBADFD;
	341
	342	dlc = rfcomm_pi(sk)->dlc;
	343	rfcomm_dlc_hold(dlc);
	344	} else {
	345	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
	346	if (!dlc)
	347	return -ENOMEM;
	348	}
	349
	350	id = rfcomm_dev_add(&req, dlc);
	351	if (id < 0) {
	352	rfcomm_dlc_put(dlc);
	353	return id;
	354	}
	355
	356	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	357	/* DLC is now used by device.
	358	* Socket must be disconnected */
	359	sk->sk_state = BT_CLOSED;
	360	}
	361
	362	return id;
	363	}
	364
	365	static int rfcomm_release_dev(void __user *arg)
	366	{
	367	struct rfcomm_dev_req req;
	368	struct rfcomm_dev *dev;
	369
	370	if (copy_from_user(&req, arg, sizeof(req)))
	371	return -EFAULT;
372
373	BT_DBG("dev_id %id flags 0x%x", req.dev_id, req.flags);
374
375	if (!(dev = rfcomm_dev_get(req.dev_id)))
376	return -ENODEV;
377
378	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
379	rfcomm_dev_put(dev);
380	return -EPERM;
381	}
382
383	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
384	rfcomm_dlc_close(dev->dlc, 0);
385
386	rfcomm_dev_del(dev);
387	rfcomm_dev_put(dev);
388	return 0;
389	}
390
391	static int rfcomm_get_dev_list(void __user *arg)
392	{
393	struct rfcomm_dev_list_req *dl;
394	struct rfcomm_dev_info *di;
395	struct list_head *p;
396	int n = 0, size, err;
397	u16 dev_num;
398
399	BT_DBG("");
400
401	if (get_user(dev_num, (u16 __user *) arg))
402	return -EFAULT;
403
404	if (!dev_num \|\| dev_num > (PAGE_SIZE * 4) / sizeof(*di))
405	return -EINVAL;
406
407	size = sizeof(dl) + dev_num sizeof(*di);
408
409	if (!(dl = kmalloc(size, GFP_KERNEL)))
410	return -ENOMEM;
411
412	di = dl->dev_info;
413
414	read_lock_bh(&rfcomm_dev_lock);
415
416	list_for_each(p, &rfcomm_dev_list) {
417	struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
418	(di + n)->id = dev->id;
419	(di + n)->flags = dev->flags;
420	(di + n)->state = dev->dlc->state;
421	(di + n)->channel = dev->channel;
422	bacpy(&(di + n)->src, &dev->src);
423	bacpy(&(di + n)->dst, &dev->dst);
424	if (++n >= dev_num)
425	break;
426	}
427
428	read_unlock_bh(&rfcomm_dev_lock);
429
430	dl->dev_num = n;
431	size = sizeof(dl) + n sizeof(*di);
432
433	err = copy_to_user(arg, dl, size);
434	kfree(dl);
435
436	return err ? -EFAULT : 0;
437	}
438
439	static int rfcomm_get_dev_info(void __user *arg)
440	{
441	struct rfcomm_dev *dev;
442	struct rfcomm_dev_info di;
443	int err = 0;
444
445	BT_DBG("");
446
447	if (copy_from_user(&di, arg, sizeof(di)))
448	return -EFAULT;
449
450	if (!(dev = rfcomm_dev_get(di.id)))
451	return -ENODEV;
452
453	di.flags = dev->flags;
454	di.channel = dev->channel;
455	di.state = dev->dlc->state;
456	bacpy(&di.src, &dev->src);
457	bacpy(&di.dst, &dev->dst);
458
459	if (copy_to_user(arg, &di, sizeof(di)))
460	err = -EFAULT;
461
462	rfcomm_dev_put(dev);
463	return err;
464	}
465
466	int rfcomm_dev_ioctl(struct sock sk, unsigned int cmd, void __user arg)
467	{
468	BT_DBG("cmd %d arg %p", cmd, arg);
469
470	switch (cmd) {
471	case RFCOMMCREATEDEV:
472	return rfcomm_create_dev(sk, arg);
473
474	case RFCOMMRELEASEDEV:
475	return rfcomm_release_dev(arg);
476
477	case RFCOMMGETDEVLIST:
478	return rfcomm_get_dev_list(arg);
479
480	case RFCOMMGETDEVINFO:
481	return rfcomm_get_dev_info(arg);
482	}
483
484	return -EINVAL;
485	}
486
487	/* ---- DLC callbacks ---- */
488	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb)
489	{
490	struct rfcomm_dev *dev = dlc->owner;
491	struct tty_struct *tty;
492
493	if (!dev \|\| !(tty = dev->tty)) {
494	kfree_skb(skb);
495	return;
496	}
497
498	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);
499
817d6d3b PF	500	tty_insert_flip_string(tty, skb->data, skb->len);
817d6d3b PF	501	tty_flip_buffer_push(tty);
1da177e4 LT	502
	503	kfree_skb(skb);
	504	}
	505
	506	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
	507	{
	508	struct rfcomm_dev *dev = dlc->owner;
	509	if (!dev)
	510	return;
	511
	512	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
	513
	514	dev->err = err;
	515	wake_up_interruptible(&dev->wait);
	516
	517	if (dlc->state == BT_CLOSED) {
	518	if (!dev->tty) {
	519	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
	520	rfcomm_dev_hold(dev);
	521	rfcomm_dev_del(dev);
	522
	523	/* We have to drop DLC lock here, otherwise
	524	rfcomm_dev_put() will dead lock if it's
	525	the last reference. */
	526	rfcomm_dlc_unlock(dlc);
	527	rfcomm_dev_put(dev);
	528	rfcomm_dlc_lock(dlc);
	529	}
	530	} else
	531	tty_hangup(dev->tty);
	532	}
	533	}
	534
	535	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
	536	{
	537	struct rfcomm_dev *dev = dlc->owner;
	538	if (!dev)
	539	return;