[linux-2.6-block.git] / net / bluetooth / rfcomm / tty.c

/*
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

/*
 * RFCOMM TTY.
 */

#include <linux/module.h>

#include <linux/tty.h>
#include <linux/tty_driver.h>
#include <linux/tty_flip.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/rfcomm.h>

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0

static struct tty_driver *rfcomm_tty_driver;

struct rfcomm_dev {
	struct tty_port		port;
	struct list_head	list;

	char			name[12];
	int			id;
	unsigned long		flags;
	int			err;

	bdaddr_t		src;
	bdaddr_t		dst;
	u8			channel;

	uint			modem_status;

	struct rfcomm_dlc	*dlc;

	struct device		*tty_dev;

	atomic_t		wmem_alloc;

	struct sk_buff_head	pending;
};

static LIST_HEAD(rfcomm_dev_list);
static DEFINE_SPINLOCK(rfcomm_dev_lock);

static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

/* ---- Device functions ---- */

static void rfcomm_dev_destruct(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	struct rfcomm_dlc *dlc = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, dlc);

	spin_lock(&rfcomm_dev_lock);
	list_del(&dev->list);
	spin_unlock(&rfcomm_dev_lock);

	rfcomm_dlc_lock(dlc);
	/* Detach DLC if it's owned by this dev */
	if (dlc->owner == dev)
		dlc->owner = NULL;
	rfcomm_dlc_unlock(dlc);

	rfcomm_dlc_put(dlc);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	kfree(dev);

	/* It's safe to call module_put() here because socket still
	   holds reference to this module. */
	module_put(THIS_MODULE);
}

/* device-specific initialization: open the dlc */
static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	return rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
}

/* we block the open until the dlc->state becomes BT_CONNECTED */
static int rfcomm_dev_carrier_raised(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	return (dev->dlc->state == BT_CONNECTED);
}

/* device-specific cleanup: close the dlc */
static void rfcomm_dev_shutdown(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	if (dev->tty_dev->parent)
		device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);

	/* close the dlc */
	rfcomm_dlc_close(dev->dlc, 0);
}

static const struct tty_port_operations rfcomm_port_ops = {
	.destruct = rfcomm_dev_destruct,
	.activate = rfcomm_dev_activate,
	.shutdown = rfcomm_dev_shutdown,
	.carrier_raised = rfcomm_dev_carrier_raised,
};

static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	list_for_each_entry(dev, &rfcomm_dev_list, list)
		if (dev->id == id)
			return dev;

	return NULL;
}

static struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	spin_lock(&rfcomm_dev_lock);

	dev = __rfcomm_dev_get(id);

	if (dev) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			dev = NULL;
		else
			tty_port_get(&dev->port);
	}

	spin_unlock(&rfcomm_dev_lock);

	return dev;
}

static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
{
	struct hci_dev *hdev;
	struct hci_conn *conn;

	hdev = hci_get_route(&dev->dst, &dev->src);
	if (!hdev)
		return NULL;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);

	hci_dev_put(hdev);

	return conn ? &conn->dev : NULL;
}

static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%pMR\n", &dev->dst);
}

static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%d\n", dev->channel);
}

static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);

static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev, *entry;
	struct list_head *head = &rfcomm_dev_list;
	int err = 0;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);

	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	spin_lock(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		dev->id = 0;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id != dev->id)
				break;

			dev->id++;
			head = &entry->list;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = &entry->list;
		}
	}

	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	sprintf(dev->name, "rfcomm%d", dev->id);

	list_add(&dev->list, head);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	dev->flags = req->flags &
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	tty_port_init(&dev->port);
	dev->port.ops = &rfcomm_port_ops;

	skb_queue_head_init(&dev->pending);

	rfcomm_dlc_lock(dlc);

	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
		struct sock *sk = dlc->owner;
		struct sk_buff *skb;

		BUG_ON(!sk);

		rfcomm_dlc_throttle(dlc);

		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
			skb_orphan(skb);
			skb_queue_tail(&dev->pending, skb);
			atomic_sub(skb->len, &sk->sk_rmem_alloc);
		}
	}

	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;

	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);

	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already
	   holds reference to this module. */
	__module_get(THIS_MODULE);

out:
	spin_unlock(&rfcomm_dev_lock);

	if (err < 0)
		goto free;

	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
			dev->id, NULL);
	if (IS_ERR(dev->tty_dev)) {
		err = PTR_ERR(dev->tty_dev);
		spin_lock(&rfcomm_dev_lock);
		list_del(&dev->list);
		spin_unlock(&rfcomm_dev_lock);
		goto free;
	}

	dev_set_drvdata(dev->tty_dev, dev);

	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
		BT_ERR("Failed to create address attribute");

	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
		BT_ERR("Failed to create channel attribute");

	return dev->id;

free:
	kfree(dev);
	return err;
}

static void rfcomm_dev_del(struct rfcomm_dev *dev)
{
	unsigned long flags;
	BT_DBG("dev %p", dev);

	BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));

	spin_lock_irqsave(&dev->port.lock, flags);
	if (dev->port.count > 0) {
		spin_unlock_irqrestore(&dev->port.lock, flags);
		return;
	}
	spin_unlock_irqrestore(&dev->port.lock, flags);

	tty_port_put(&dev->port);
}

/* ---- Send buffer ---- */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	/* We can't let it be zero, because we don't get a callback
	   when tx_credits becomes nonzero, hence we'd never wake up */
	return dlc->mtu * (dlc->tx_credits?:1);
}

static void rfcomm_wfree(struct sk_buff *skb)
{
	struct rfcomm_dev *dev = (void *) skb->sk;
	atomic_sub(skb->truesize, &dev->wmem_alloc);
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
		tty_port_tty_wakeup(&dev->port);
	tty_port_put(&dev->port);
}

static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	tty_port_get(&dev->port);
	atomic_add(skb->truesize, &dev->wmem_alloc);
	skb->sk = (void *) dev;
	skb->destructor = rfcomm_wfree;
}

static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
		struct sk_buff *skb = alloc_skb(size, priority);
		if (skb) {
			rfcomm_set_owner_w(skb, dev);
			return skb;
		}
	}
	return NULL;
}

/* ---- Device IOCTLs ---- */

#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))

static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);

	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}

static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;
	struct tty_struct *tty;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);

	dev = rfcomm_dev_get(req.dev_id);
	if (!dev)
		return -ENODEV;

	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		tty_port_put(&dev->port);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	/* Shut down TTY synchronously before freeing rfcomm_dev */
	tty = tty_port_tty_get(&dev->port);
	if (tty) {
		tty_vhangup(tty);
		tty_kref_put(tty);
	}

	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
		rfcomm_dev_del(dev);
	tty_port_put(&dev->port);
	return 0;
}

static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	dl = kzalloc(size, GFP_KERNEL);
	if (!dl)
		return -ENOMEM;

	di = dl->dev_info;

	spin_lock(&rfcomm_dev_lock);

	list_for_each_entry(dev, &rfcomm_dev_list, list) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			continue;
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		if (++n >= dev_num)
			break;
	}

	spin_unlock(&rfcomm_dev_lock);

	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}

static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_info di;
	int err = 0;

	BT_DBG("");

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	dev = rfcomm_dev_get(di.id);
	if (!dev)
		return -ENODEV;

	di.flags   = dev->flags;
	di.channel = dev->channel;
	di.state   = dev->dlc->state;
	bacpy(&di.src, &dev->src);
	bacpy(&di.dst, &dev->dst);

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	tty_port_put(&dev->port);
	return err;
}

int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	switch (cmd) {
	case RFCOMMCREATEDEV:
		return rfcomm_create_dev(sk, arg);

	case RFCOMMRELEASEDEV:
		return rfcomm_release_dev(arg);

	case RFCOMMGETDEVLIST:
		return rfcomm_get_dev_list(arg);

	case RFCOMMGETDEVINFO:
		return rfcomm_get_dev_info(arg);
	}

	return -EINVAL;
}

/* ---- DLC callbacks ---- */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;

	if (!dev) {
		kfree_skb(skb);
		return;
	}

	if (!skb_queue_empty(&dev->pending)) {
		skb_queue_tail(&dev->pending, skb);
		return;
	}

	BT_DBG("dlc %p len %d", dlc, skb->len);

	tty_insert_flip_string(&dev->port, skb->data, skb->len);
	tty_flip_buffer_push(&dev->port);

	kfree_skb(skb);
}

static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;
	struct tty_struct *tty;
	if (!dev)
		return;

	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	if (dlc->state == BT_CONNECTED) {
		device_move(dev->tty_dev, rfcomm_get_device(dev),
			    DPM_ORDER_DEV_AFTER_PARENT);

		wake_up_interruptible(&dev->port.open_wait);
	} else if (dlc->state == BT_CLOSED) {
		tty = tty_port_tty_get(&dev->port);
		if (!tty) {
			if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
				/* Drop DLC lock here to avoid deadlock
				 * 1. rfcomm_dev_get will take rfcomm_dev_lock
				 *    but in rfcomm_dev_add there's lock order:
				 *    rfcomm_dev_lock -> dlc lock
				 * 2. tty_port_put will deadlock if it's
				 *    the last reference
				 */
				rfcomm_dlc_unlock(dlc);
				if (rfcomm_dev_get(dev->id) == NULL) {
					rfcomm_dlc_lock(dlc);
					return;
				}

				rfcomm_dev_del(dev);
				tty_port_put(&dev->port);
				rfcomm_dlc_lock(dlc);
			}
		} else {
			tty_hangup(tty);
			tty_kref_put(tty);
		}
	}
}

static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
Commit	Line	Data
8e87d142	1	/*
1da177e4 LT	2	RFCOMM implementation for Linux Bluetooth stack (BlueZ).
	3	Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
	4	Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
	5
	6	This program is free software; you can redistribute it and/or modify
	7	it under the terms of the GNU General Public License version 2 as
	8	published by the Free Software Foundation;
	9
	10	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	11	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	12	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
	13	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142 YH	14	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
	15	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4 LT	17	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1da177e4 LT	18
8e87d142 YH	19	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
8e87d142 YH	20	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4 LT	21	SOFTWARE IS DISCLAIMED.
	22	*/
	23
	24	/*
	25	* RFCOMM TTY.
1da177e4 LT	26	*/
1da177e4 LT	27
1da177e4 LT	28	#include <linux/module.h>
	29
	30	#include <linux/tty.h>
	31	#include <linux/tty_driver.h>
	32	#include <linux/tty_flip.h>
	33
1da177e4	34	#include <net/bluetooth/bluetooth.h>
0a85b964	35	#include <net/bluetooth/hci_core.h>
1da177e4 LT	36	#include <net/bluetooth/rfcomm.h>
1da177e4 LT	37
1da177e4 LT	38	#define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
	39	#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
	40	#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
	41	#define RFCOMM_TTY_MINOR 0
	42
	43	static struct tty_driver *rfcomm_tty_driver;
	44
	45	struct rfcomm_dev {
f60db8c4	46	struct tty_port port;
1da177e4	47	struct list_head list;
1da177e4 LT	48
	49	char name[12];
	50	int id;
	51	unsigned long flags;
1da177e4 LT	52	int err;
	53
	54	bdaddr_t src;
	55	bdaddr_t dst;
285b4e90	56	u8 channel;
1da177e4	57
285b4e90	58	uint modem_status;
1da177e4 LT	59
1da177e4 LT	60	struct rfcomm_dlc *dlc;
1da177e4	61
c1a33136 MH	62	struct device *tty_dev;
c1a33136 MH	63
285b4e90	64	atomic_t wmem_alloc;
a0c22f22 MH	65
a0c22f22 MH	66	struct sk_buff_head pending;
1da177e4 LT	67	};
	68
	69	static LIST_HEAD(rfcomm_dev_list);
393432cd	70	static DEFINE_SPINLOCK(rfcomm_dev_lock);
1da177e4 LT	71
	72	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb);
	73	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
	74	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
	75
1da177e4	76	/* ---- Device functions ---- */
67054019	77
67054019	78	static void rfcomm_dev_destruct(struct tty_port *port)
1da177e4	79	{
67054019	80	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
1da177e4 LT	81	struct rfcomm_dlc *dlc = dev->dlc;
	82
	83	BT_DBG("dev %p dlc %p", dev, dlc);
	84
ebe937f7 GA	85	spin_lock(&rfcomm_dev_lock);
	86	list_del(&dev->list);
	87	spin_unlock(&rfcomm_dev_lock);
8de0a154	88
1da177e4 LT	89	rfcomm_dlc_lock(dlc);
	90	/* Detach DLC if it's owned by this dev */
	91	if (dlc->owner == dev)
	92	dlc->owner = NULL;
	93	rfcomm_dlc_unlock(dlc);
	94
	95	rfcomm_dlc_put(dlc);
	96
	97	tty_unregister_device(rfcomm_tty_driver, dev->id);
	98
1da177e4 LT	99	kfree(dev);
1da177e4 LT	100
8e87d142	101	/* It's safe to call module_put() here because socket still
1da177e4 LT	102	holds reference to this module. */
	103	module_put(THIS_MODULE);
	104	}
	105
cad348a1 GA	106	/* device-specific initialization: open the dlc */
	107	static int rfcomm_dev_activate(struct tty_port port, struct tty_struct tty)
	108	{
	109	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	110
	111	return rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
	112	}
	113
	114	/* we block the open until the dlc->state becomes BT_CONNECTED */
	115	static int rfcomm_dev_carrier_raised(struct tty_port *port)
	116	{
	117	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	118
	119	return (dev->dlc->state == BT_CONNECTED);
	120	}
	121
	122	/* device-specific cleanup: close the dlc */
	123	static void rfcomm_dev_shutdown(struct tty_port *port)
	124	{
	125	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	126
	127	if (dev->tty_dev->parent)
	128	device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
	129
	130	/* close the dlc */
	131	rfcomm_dlc_close(dev->dlc, 0);
	132	}
	133
67054019 JS	134	static const struct tty_port_operations rfcomm_port_ops = {
67054019 JS	135	.destruct = rfcomm_dev_destruct,
cad348a1 GA	136	.activate = rfcomm_dev_activate,
	137	.shutdown = rfcomm_dev_shutdown,
	138	.carrier_raised = rfcomm_dev_carrier_raised,
67054019	139	};
1da177e4 LT	140
	141	static struct rfcomm_dev *__rfcomm_dev_get(int id)
	142	{
	143	struct rfcomm_dev *dev;
1da177e4	144
8035ded4	145	list_for_each_entry(dev, &rfcomm_dev_list, list)
1da177e4 LT	146	if (dev->id == id)
1da177e4 LT	147	return dev;
1da177e4 LT	148
	149	return NULL;
	150	}
	151
6039aa73	152	static struct rfcomm_dev *rfcomm_dev_get(int id)
1da177e4 LT	153	{
	154	struct rfcomm_dev *dev;
	155
393432cd	156	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	157
1da177e4 LT	158	dev = __rfcomm_dev_get(id);
8de0a154 VT	159
	160	if (dev) {
	161	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
	162	dev = NULL;
	163	else
67054019	164	tty_port_get(&dev->port);
8de0a154	165	}
1da177e4	166
393432cd	167	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	168
	169	return dev;
	170	}
	171
0a85b964 MH	172	static struct device rfcomm_get_device(struct rfcomm_dev dev)
	173	{
	174	struct hci_dev *hdev;
	175	struct hci_conn *conn;
	176
	177	hdev = hci_get_route(&dev->dst, &dev->src);
	178	if (!hdev)
	179	return NULL;
	180
	181	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
0a85b964 MH	182
	183	hci_dev_put(hdev);
	184
b2cfcd75	185	return conn ? &conn->dev : NULL;
0a85b964 MH	186	}
0a85b964 MH	187
dae6a0f6 MH	188	static ssize_t show_address(struct device tty_dev, struct device_attribute attr, char *buf)
	189	{
	190	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
fcb73338	191	return sprintf(buf, "%pMR\n", &dev->dst);
dae6a0f6 MH	192	}
	193
	194	static ssize_t show_channel(struct device tty_dev, struct device_attribute attr, char *buf)
	195	{
	196	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	197	return sprintf(buf, "%d\n", dev->channel);
	198	}
	199
	200	static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
	201	static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
	202
1da177e4 LT	203	static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
1da177e4 LT	204	{
8035ded4	205	struct rfcomm_dev dev, entry;
e57d758a	206	struct list_head *head = &rfcomm_dev_list;
1da177e4 LT	207	int err = 0;
	208
	209	BT_DBG("id %d channel %d", req->dev_id, req->channel);
8e87d142	210
25ea6db0	211	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
1da177e4 LT	212	if (!dev)
1da177e4 LT	213	return -ENOMEM;
1da177e4	214
393432cd	215	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	216
	217	if (req->dev_id < 0) {
	218	dev->id = 0;
	219
8035ded4 LAD	220	list_for_each_entry(entry, &rfcomm_dev_list, list) {
8035ded4 LAD	221	if (entry->id != dev->id)
1da177e4 LT	222	break;
	223
	224	dev->id++;
e57d758a	225	head = &entry->list;
1da177e4 LT	226	}
	227	} else {
	228	dev->id = req->dev_id;
	229
8035ded4	230	list_for_each_entry(entry, &rfcomm_dev_list, list) {
1da177e4 LT	231	if (entry->id == dev->id) {
	232	err = -EADDRINUSE;
	233	goto out;
	234	}
	235
	236	if (entry->id > dev->id - 1)
	237	break;
	238
e57d758a	239	head = &entry->list;
1da177e4 LT	240	}
	241	}
	242
	243	if ((dev->id < 0) \|\| (dev->id > RFCOMM_MAX_DEV - 1)) {
	244	err = -ENFILE;
	245	goto out;
	246	}
	247
	248	sprintf(dev->name, "rfcomm%d", dev->id);
	249
	250	list_add(&dev->list, head);
1da177e4 LT	251
	252	bacpy(&dev->src, &req->src);
	253	bacpy(&dev->dst, &req->dst);
	254	dev->channel = req->channel;
	255
8e87d142	256	dev->flags = req->flags &
1da177e4 LT	257	((1 << RFCOMM_RELEASE_ONHUP) \| (1 << RFCOMM_REUSE_DLC));
1da177e4 LT	258
f60db8c4	259	tty_port_init(&dev->port);
67054019	260	dev->port.ops = &rfcomm_port_ops;
1da177e4	261
a0c22f22 MH	262	skb_queue_head_init(&dev->pending);
a0c22f22 MH	263
1da177e4	264	rfcomm_dlc_lock(dlc);
a0c22f22 MH	265
	266	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
	267	struct sock *sk = dlc->owner;
	268	struct sk_buff *skb;
	269
	270	BUG_ON(!sk);
	271
	272	rfcomm_dlc_throttle(dlc);
	273
	274	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
	275	skb_orphan(skb);
	276	skb_queue_tail(&dev->pending, skb);
	277	atomic_sub(skb->len, &sk->sk_rmem_alloc);
	278	}
	279	}
	280
1da177e4 LT	281	dlc->data_ready = rfcomm_dev_data_ready;
	282	dlc->state_change = rfcomm_dev_state_change;
	283	dlc->modem_status = rfcomm_dev_modem_status;
	284
	285	dlc->owner = dev;
	286	dev->dlc = dlc;
8b6b3da7 MH	287
	288	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
	289
1da177e4 LT	290	rfcomm_dlc_unlock(dlc);
1da177e4 LT	291
8e87d142	292	/* It's safe to call __module_get() here because socket already
1da177e4 LT	293	holds reference to this module. */
	294	__module_get(THIS_MODULE);
	295
	296	out:
393432cd	297	spin_unlock(&rfcomm_dev_lock);
1da177e4	298
037322ab IJ	299	if (err < 0)
037322ab IJ	300	goto free;
1da177e4	301
734cc178 JS	302	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
734cc178 JS	303	dev->id, NULL);
8de0a154	304	if (IS_ERR(dev->tty_dev)) {
09c7d829	305	err = PTR_ERR(dev->tty_dev);
ebe937f7	306	spin_lock(&rfcomm_dev_lock);
8de0a154	307	list_del(&dev->list);
ebe937f7	308	spin_unlock(&rfcomm_dev_lock);
037322ab	309	goto free;
8de0a154 VT	310	}
8de0a154 VT	311
dae6a0f6 MH	312	dev_set_drvdata(dev->tty_dev, dev);
	313
	314	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
	315	BT_ERR("Failed to create address attribute");
	316
	317	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
	318	BT_ERR("Failed to create channel attribute");
	319
1da177e4	320	return dev->id;
037322ab IJ	321
	322	free:
	323	kfree(dev);
	324	return err;
1da177e4 LT	325	}
	326
	327	static void rfcomm_dev_del(struct rfcomm_dev *dev)
	328	{
f997a01e	329	unsigned long flags;
1da177e4 LT	330	BT_DBG("dev %p", dev);
1da177e4 LT	331
9a5df923 MH	332	BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));
9a5df923 MH	333
f997a01e JS	334	spin_lock_irqsave(&dev->port.lock, flags);
	335	if (dev->port.count > 0) {
	336	spin_unlock_irqrestore(&dev->port.lock, flags);
9a5df923	337	return;
f997a01e JS	338	}
f997a01e JS	339	spin_unlock_irqrestore(&dev->port.lock, flags);
f951375d	340
67054019	341	tty_port_put(&dev->port);
1da177e4 LT	342	}
	343
	344	/* ---- Send buffer ---- */
	345	static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
	346	{
	347	/* We can't let it be zero, because we don't get a callback
	348	when tx_credits becomes nonzero, hence we'd never wake up */
	349	return dlc->mtu * (dlc->tx_credits?:1);
	350	}
	351
	352	static void rfcomm_wfree(struct sk_buff *skb)
	353	{
	354	struct rfcomm_dev dev = (void ) skb->sk;
	355	atomic_sub(skb->truesize, &dev->wmem_alloc);
396dc223 GA	356	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
396dc223 GA	357	tty_port_tty_wakeup(&dev->port);
67054019	358	tty_port_put(&dev->port);
1da177e4 LT	359	}
1da177e4 LT	360
6039aa73	361	static void rfcomm_set_owner_w(struct sk_buff skb, struct rfcomm_dev dev)
1da177e4	362	{
67054019	363	tty_port_get(&dev->port);
1da177e4 LT	364	atomic_add(skb->truesize, &dev->wmem_alloc);
	365	skb->sk = (void *) dev;
	366	skb->destructor = rfcomm_wfree;
	367	}
	368
dd0fc66f	369	static struct sk_buff rfcomm_wmalloc(struct rfcomm_dev dev, unsigned long size, gfp_t priority)
1da177e4 LT	370	{
	371	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
	372	struct sk_buff *skb = alloc_skb(size, priority);
	373	if (skb) {
	374	rfcomm_set_owner_w(skb, dev);
	375	return skb;
	376	}
	377	}
	378	return NULL;
	379	}
	380
	381	/* ---- Device IOCTLs ---- */
	382
	383	#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) \| (1 << RFCOMM_RELEASE_ONHUP))
	384
	385	static int rfcomm_create_dev(struct sock sk, void __user arg)
	386	{
	387	struct rfcomm_dev_req req;
	388	struct rfcomm_dlc *dlc;
	389	int id;
	390
	391	if (copy_from_user(&req, arg, sizeof(req)))
	392	return -EFAULT;
	393
8de0a154	394	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
1da177e4 LT	395
	396	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
	397	return -EPERM;
	398
	399	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	400	/* Socket must be connected */
	401	if (sk->sk_state != BT_CONNECTED)
	402	return -EBADFD;
	403
	404	dlc = rfcomm_pi(sk)->dlc;
	405	rfcomm_dlc_hold(dlc);
	406	} else {
	407	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
	408	if (!dlc)
	409	return -ENOMEM;
	410	}
	411
	412	id = rfcomm_dev_add(&req, dlc);
	413	if (id < 0) {
	414	rfcomm_dlc_put(dlc);
	415	return id;
	416	}
	417
	418	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	419	/* DLC is now used by device.
	420	* Socket must be disconnected */
	421	sk->sk_state = BT_CLOSED;
	422	}
	423
	424	return id;
	425	}
	426
	427	static int rfcomm_release_dev(void __user *arg)
	428	{
	429	struct rfcomm_dev_req req;
	430	struct rfcomm_dev *dev;
396dc223	431	struct tty_struct *tty;
1da177e4 LT	432
	433	if (copy_from_user(&req, arg, sizeof(req)))
	434	return -EFAULT;
	435
8de0a154	436	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
1da177e4	437
285b4e90 AE	438	dev = rfcomm_dev_get(req.dev_id);
285b4e90 AE	439	if (!dev)
1da177e4 LT	440	return -ENODEV;
	441
	442	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
67054019	443	tty_port_put(&dev->port);
1da177e4 LT	444	return -EPERM;
	445	}
	446
	447	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
	448	rfcomm_dlc_close(dev->dlc, 0);
	449
84950cf0	450	/* Shut down TTY synchronously before freeing rfcomm_dev */
396dc223 GA	451	tty = tty_port_tty_get(&dev->port);
	452	if (tty) {
	453	tty_vhangup(tty);
	454	tty_kref_put(tty);
	455	}
84950cf0	456
93d80740 DY	457	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
93d80740 DY	458	rfcomm_dev_del(dev);
67054019	459	tty_port_put(&dev->port);
1da177e4 LT	460	return 0;
	461	}
	462
	463	static int rfcomm_get_dev_list(void __user *arg)
	464	{
8035ded4	465	struct rfcomm_dev *dev;
1da177e4 LT	466	struct rfcomm_dev_list_req *dl;
1da177e4 LT	467	struct rfcomm_dev_info *di;
1da177e4 LT	468	int n = 0, size, err;
	469	u16 dev_num;
	470
	471	BT_DBG("");
	472
	473	if (get_user(dev_num, (u16 __user *) arg))
	474	return -EFAULT;
	475
	476	if (!dev_num \|\| dev_num > (PAGE_SIZE * 4) / sizeof(*di))
	477	return -EINVAL;
	478
	479	size = sizeof(dl) + dev_num sizeof(*di);
	480
f9432c5e	481	dl = kzalloc(size, GFP_KERNEL);
285b4e90	482	if (!dl)
1da177e4 LT	483	return -ENOMEM;
	484
	485	di = dl->dev_info;
	486
393432cd	487	spin_lock(&rfcomm_dev_lock);
1da177e4	488
8035ded4	489	list_for_each_entry(dev, &rfcomm_dev_list, list) {
8de0a154 VT	490	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
8de0a154 VT	491	continue;
1da177e4 LT	492	(di + n)->id = dev->id;
	493	(di + n)->flags = dev->flags;
	494	(di + n)->state = dev->dlc->state;
	495	(di + n)->channel = dev->channel;
	496	bacpy(&(di + n)->src, &dev->src);
	497	bacpy(&(di + n)->dst, &dev->dst);
	498	if (++n >= dev_num)
	499	break;
	500	}
	501
393432cd	502	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	503
	504	dl->dev_num = n;
	505	size = sizeof(dl) + n sizeof(*di);
	506
	507	err = copy_to_user(arg, dl, size);
	508	kfree(dl);
	509
	510	return err ? -EFAULT : 0;
	511	}
	512
	513	static int rfcomm_get_dev_info(void __user *arg)
	514	{
	515	struct rfcomm_dev *dev;
	516	struct rfcomm_dev_info di;
	517	int err = 0;
	518
	519	BT_DBG("");
	520
	521	if (copy_from_user(&di, arg, sizeof(di)))
	522	return -EFAULT;
	523
285b4e90 AE	524	dev = rfcomm_dev_get(di.id);
285b4e90 AE	525	if (!dev)
1da177e4 LT	526	return -ENODEV;
	527
	528	di.flags = dev->flags;
	529	di.channel = dev->channel;
	530	di.state = dev->dlc->state;
	531	bacpy(&di.src, &dev->src);
	532	bacpy(&di.dst, &dev->dst);
	533
	534	if (copy_to_user(arg, &di, sizeof(di)))
	535	err = -EFAULT;
	536
67054019	537	tty_port_put(&dev->port);
1da177e4 LT	538	return err;
	539	}
	540
	541	int rfcomm_dev_ioctl(struct sock sk, unsigned int cmd, void __user arg)
	542	{
	543	BT_DBG("cmd %d arg %p", cmd, arg);
	544
	545	switch (cmd) {
	546	case RFCOMMCREATEDEV:
	547	return rfcomm_create_dev(sk, arg);
	548
	549	case RFCOMMRELEASEDEV:
	550	return rfcomm_release_dev(arg);
	551
	552	case RFCOMMGETDEVLIST:
	553	return rfcomm_get_dev_list(arg);
	554
	555	case RFCOMMGETDEVINFO:
	556	return rfcomm_get_dev_info(arg);
	557	}
	558
	559	return -EINVAL;
	560	}
	561
	562	/* ---- DLC callbacks ---- */
	563	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb)
	564	{
	565	struct rfcomm_dev *dev = dlc->owner;
8e87d142	566
a0c22f22	567	if (!dev) {
1da177e4 LT	568	kfree_skb(skb);
	569	return;
	570	}
	571
2e124b4a	572	if (!skb_queue_empty(&dev->pending)) {
a0c22f22 MH	573	skb_queue_tail(&dev->pending, skb);
	574	return;
	575	}
	576
2e124b4a	577	BT_DBG("dlc %p len %d", dlc, skb->len);
1da177e4	578
05c7cd39	579	tty_insert_flip_string(&dev->port, skb->data, skb->len);
2e124b4a	580	tty_flip_buffer_push(&dev->port);
1da177e4 LT	581
	582	kfree_skb(skb);
	583	}
	584
	585	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
	586	{
	587	struct rfcomm_dev *dev = dlc->owner;
396dc223	588	struct tty_struct *tty;
1da177e4 LT	589	if (!dev)
1da177e4 LT	590	return;
8e87d142	591
1da177e4 LT	592	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
	593
	594	dev->err = err;
cad348a1 GA	595	if (dlc->state == BT_CONNECTED) {
	596	device_move(dev->tty_dev, rfcomm_get_device(dev),
	597	DPM_ORDER_DEV_AFTER_PARENT);
1da177e4	598
cad348a1 GA	599	wake_up_interruptible(&dev->port.open_wait);
cad348a1 GA	600	} else if (dlc->state == BT_CLOSED) {
396dc223 GA	601	tty = tty_port_tty_get(&dev->port);
396dc223 GA	602	if (!tty) {
1da177e4	603	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
537d59af DY	604	/* Drop DLC lock here to avoid deadlock
	605	* 1. rfcomm_dev_get will take rfcomm_dev_lock
	606	* but in rfcomm_dev_add there's lock order:
	607	* rfcomm_dev_lock -> dlc lock
67054019	608	* 2. tty_port_put will deadlock if it's
537d59af DY	609	* the last reference
	610	*/
	611	rfcomm_dlc_unlock(dlc);
	612	if (rfcomm_dev_get(dev->id) == NULL) {
	613	rfcomm_dlc_lock(dlc);
77f2a45f	614	return;
537d59af	615	}
1da177e4	616
77f2a45f	617	rfcomm_dev_del(dev);
67054019	618	tty_port_put(&dev->port);
537d59af	619	rfcomm_dlc_lock(dlc);
1da177e4	620	}
396dc223 GA	621	} else {
	622	tty_hangup(tty);
	623	tty_kref_put(tty);
	624	}
1da177e4 LT	625	}
	626	}
	627
	628	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
	629	{
	630	struct rfcomm_dev *dev = dlc->owner;
	631	if (!dev)
	632	return;