[deliverable/linux.git] / net / bluetooth / rfcomm / tty.c

/*
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

/*
 * RFCOMM TTY.
 */

#include <linux/module.h>

#include <linux/tty.h>
#include <linux/tty_driver.h>
#include <linux/tty_flip.h>

#include <linux/capability.h>
#include <linux/slab.h>
#include <linux/skbuff.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/rfcomm.h>

#ifndef CONFIG_BT_RFCOMM_DEBUG
#undef  BT_DBG
#define BT_DBG(D...)
#endif

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0

static struct tty_driver *rfcomm_tty_driver;

struct rfcomm_dev {
	struct list_head	list;
	atomic_t		refcnt;

	char			name[12];
	int			id;
	unsigned long		flags;
	int			opened;
	int			err;

	bdaddr_t		src;
	bdaddr_t		dst;
	u8 			channel;

	uint 			modem_status;

	struct rfcomm_dlc	*dlc;
	struct tty_struct	*tty;
	wait_queue_head_t       wait;
	struct tasklet_struct   wakeup_task;

	struct device		*tty_dev;

	atomic_t 		wmem_alloc;
};

static LIST_HEAD(rfcomm_dev_list);
static DEFINE_RWLOCK(rfcomm_dev_lock);

static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

static void rfcomm_tty_wakeup(unsigned long arg);

/* ---- Device functions ---- */
static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
{
	struct rfcomm_dlc *dlc = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, dlc);

	/* Refcount should only hit zero when called from rfcomm_dev_del()
	   which will have taken us off the list. Everything else are
	   refcounting bugs. */
	BUG_ON(!list_empty(&dev->list));

	rfcomm_dlc_lock(dlc);
	/* Detach DLC if it's owned by this dev */
	if (dlc->owner == dev)
		dlc->owner = NULL;
	rfcomm_dlc_unlock(dlc);

	rfcomm_dlc_put(dlc);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	kfree(dev);

	/* It's safe to call module_put() here because socket still
	   holds reference to this module. */
	module_put(THIS_MODULE);
}

static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
{
	atomic_inc(&dev->refcnt);
}

static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
{
	/* The reason this isn't actually a race, as you no
	   doubt have a little voice screaming at you in your
	   head, is that the refcount should never actually
	   reach zero unless the device has already been taken
	   off the list, in rfcomm_dev_del(). And if that's not
	   true, we'll hit the BUG() in rfcomm_dev_destruct()
	   anyway. */
	if (atomic_dec_and_test(&dev->refcnt))
		rfcomm_dev_destruct(dev);
}

static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;
	struct list_head  *p;

	list_for_each(p, &rfcomm_dev_list) {
		dev = list_entry(p, struct rfcomm_dev, list);
		if (dev->id == id)
			return dev;
	}

	return NULL;
}

static inline struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	read_lock(&rfcomm_dev_lock);

	dev = __rfcomm_dev_get(id);

	if (dev) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			dev = NULL;
		else
			rfcomm_dev_hold(dev);
	}

	read_unlock(&rfcomm_dev_lock);

	return dev;
}

static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
{
	struct hci_dev *hdev;
	struct hci_conn *conn;

	hdev = hci_get_route(&dev->dst, &dev->src);
	if (!hdev)
		return NULL;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);

	hci_dev_put(hdev);

	return conn ? &conn->dev : NULL;
}

static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	bdaddr_t bdaddr;
	baswap(&bdaddr, &dev->dst);
	return sprintf(buf, "%s\n", batostr(&bdaddr));
}

static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%d\n", dev->channel);
}

static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);

static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev;
	struct list_head *head = &rfcomm_dev_list, *p;
	int err = 0;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);

	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	write_lock_bh(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		dev->id = 0;

		list_for_each(p, &rfcomm_dev_list) {
			if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
				break;

			dev->id++;
			head = p;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each(p, &rfcomm_dev_list) {
			struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);

			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = p;
		}
	}

	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	sprintf(dev->name, "rfcomm%d", dev->id);

	list_add(&dev->list, head);
	atomic_set(&dev->refcnt, 1);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	dev->flags = req->flags &
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	init_waitqueue_head(&dev->wait);
	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);

	rfcomm_dlc_lock(dlc);
	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;
	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already
	   holds reference to this module. */
	__module_get(THIS_MODULE);

out:
	write_unlock_bh(&rfcomm_dev_lock);

	if (err < 0) {
		kfree(dev);
		return err;
	}

	dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);

	if (IS_ERR(dev->tty_dev)) {
		err = PTR_ERR(dev->tty_dev);
		list_del(&dev->list);
		kfree(dev);
		return err;
	}

	dev_set_drvdata(dev->tty_dev, dev);

	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
		BT_ERR("Failed to create address attribute");

	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
		BT_ERR("Failed to create channel attribute");

	return dev->id;
}

static void rfcomm_dev_del(struct rfcomm_dev *dev)
{
	BT_DBG("dev %p", dev);

	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
		BUG_ON(1);
	else
		set_bit(RFCOMM_TTY_RELEASED, &dev->flags);

	write_lock_bh(&rfcomm_dev_lock);
	list_del_init(&dev->list);
	write_unlock_bh(&rfcomm_dev_lock);

	rfcomm_dev_put(dev);
}

/* ---- Send buffer ---- */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	/* We can't let it be zero, because we don't get a callback
	   when tx_credits becomes nonzero, hence we'd never wake up */
	return dlc->mtu * (dlc->tx_credits?:1);
}

static void rfcomm_wfree(struct sk_buff *skb)
{
	struct rfcomm_dev *dev = (void *) skb->sk;
	atomic_sub(skb->truesize, &dev->wmem_alloc);
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
		tasklet_schedule(&dev->wakeup_task);
	rfcomm_dev_put(dev);
}

static inline void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	rfcomm_dev_hold(dev);
	atomic_add(skb->truesize, &dev->wmem_alloc);
	skb->sk = (void *) dev;
	skb->destructor = rfcomm_wfree;
}

static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
		struct sk_buff *skb = alloc_skb(size, priority);
		if (skb) {
			rfcomm_set_owner_w(skb, dev);
			return skb;
		}
	}
	return NULL;
}

/* ---- Device IOCTLs ---- */

#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))

static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);

	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}

static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);

	if (!(dev = rfcomm_dev_get(req.dev_id)))
		return -ENODEV;

	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		rfcomm_dev_put(dev);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	/* Shut down TTY synchronously before freeing rfcomm_dev */
	if (dev->tty)
		tty_vhangup(dev->tty);

	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
		rfcomm_dev_del(dev);
	rfcomm_dev_put(dev);
	return 0;
}

static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	struct list_head *p;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	if (!(dl = kmalloc(size, GFP_KERNEL)))
		return -ENOMEM;

	di = dl->dev_info;

	read_lock_bh(&rfcomm_dev_lock);

	list_for_each(p, &rfcomm_dev_list) {
		struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			continue;
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		if (++n >= dev_num)
			break;
	}

	read_unlock_bh(&rfcomm_dev_lock);

	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}

static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_info di;
	int err = 0;

	BT_DBG("");

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	if (!(dev = rfcomm_dev_get(di.id)))
		return -ENODEV;

	di.flags   = dev->flags;
	di.channel = dev->channel;
	di.state   = dev->dlc->state;
	bacpy(&di.src, &dev->src);
	bacpy(&di.dst, &dev->dst);

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	rfcomm_dev_put(dev);
	return err;
}

int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	switch (cmd) {
	case RFCOMMCREATEDEV:
		return rfcomm_create_dev(sk, arg);

	case RFCOMMRELEASEDEV:
		return rfcomm_release_dev(arg);

	case RFCOMMGETDEVLIST:
		return rfcomm_get_dev_list(arg);

	case RFCOMMGETDEVINFO:
		return rfcomm_get_dev_info(arg);
	}

	return -EINVAL;
}

/* ---- DLC callbacks ---- */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;
	struct tty_struct *tty;

	if (!dev || !(tty = dev->tty)) {
		kfree_skb(skb);
		return;
	}

	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);

	tty_insert_flip_string(tty, skb->data, skb->len);
	tty_flip_buffer_push(tty);

	kfree_skb(skb);
}

static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;

	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	wake_up_interruptible(&dev->wait);

	if (dlc->state == BT_CLOSED) {
		if (!dev->tty) {
			if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
				/* Drop DLC lock here to avoid deadlock
				 * 1. rfcomm_dev_get will take rfcomm_dev_lock
				 *    but in rfcomm_dev_add there's lock order:
				 *    rfcomm_dev_lock -> dlc lock
				 * 2. rfcomm_dev_put will deadlock if it's
				 *    the last reference
				 */
				rfcomm_dlc_unlock(dlc);
				if (rfcomm_dev_get(dev->id) == NULL) {
					rfcomm_dlc_lock(dlc);
					return;
				}

				rfcomm_dev_del(dev);
				rfcomm_dev_put(dev);
				rfcomm_dlc_lock(dlc);
			}
		} else
			tty_hangup(dev->tty);
	}
}

static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
Commit	Line	Data
8e87d142	1	/*
1da177e4 LT	2	RFCOMM implementation for Linux Bluetooth stack (BlueZ).
	3	Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
	4	Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
	5
	6	This program is free software; you can redistribute it and/or modify
	7	it under the terms of the GNU General Public License version 2 as
	8	published by the Free Software Foundation;
	9
	10	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	11	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	12	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
	13	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142 YH	14	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
	15	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4 LT	17	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1da177e4 LT	18
8e87d142 YH	19	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
8e87d142 YH	20	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4 LT	21	SOFTWARE IS DISCLAIMED.
	22	*/
	23
	24	/*
	25	* RFCOMM TTY.
1da177e4 LT	26	*/
1da177e4 LT	27
1da177e4 LT	28	#include <linux/module.h>
	29
	30	#include <linux/tty.h>
	31	#include <linux/tty_driver.h>
	32	#include <linux/tty_flip.h>
	33
4fc268d2	34	#include <linux/capability.h>
1da177e4 LT	35	#include <linux/slab.h>
	36	#include <linux/skbuff.h>
	37
	38	#include <net/bluetooth/bluetooth.h>
0a85b964	39	#include <net/bluetooth/hci_core.h>
1da177e4 LT	40	#include <net/bluetooth/rfcomm.h>
	41
	42	#ifndef CONFIG_BT_RFCOMM_DEBUG
	43	#undef BT_DBG
	44	#define BT_DBG(D...)
	45	#endif
	46
	47	#define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
	48	#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
	49	#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
	50	#define RFCOMM_TTY_MINOR 0
	51
	52	static struct tty_driver *rfcomm_tty_driver;
	53
	54	struct rfcomm_dev {
	55	struct list_head list;
	56	atomic_t refcnt;
	57
	58	char name[12];
	59	int id;
	60	unsigned long flags;
	61	int opened;
	62	int err;
	63
	64	bdaddr_t src;
	65	bdaddr_t dst;
	66	u8 channel;
	67
	68	uint modem_status;
	69
	70	struct rfcomm_dlc *dlc;
	71	struct tty_struct *tty;
	72	wait_queue_head_t wait;
	73	struct tasklet_struct wakeup_task;
	74
c1a33136 MH	75	struct device *tty_dev;
c1a33136 MH	76
1da177e4 LT	77	atomic_t wmem_alloc;
	78	};
	79
	80	static LIST_HEAD(rfcomm_dev_list);
	81	static DEFINE_RWLOCK(rfcomm_dev_lock);
	82
	83	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb);
	84	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
	85	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
	86
	87	static void rfcomm_tty_wakeup(unsigned long arg);
	88
	89	/* ---- Device functions ---- */
	90	static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
	91	{
	92	struct rfcomm_dlc *dlc = dev->dlc;
	93
	94	BT_DBG("dev %p dlc %p", dev, dlc);
	95
f951375d DY	96	/* Refcount should only hit zero when called from rfcomm_dev_del()
	97	which will have taken us off the list. Everything else are
	98	refcounting bugs. */
	99	BUG_ON(!list_empty(&dev->list));
8de0a154	100
1da177e4 LT	101	rfcomm_dlc_lock(dlc);
	102	/* Detach DLC if it's owned by this dev */
	103	if (dlc->owner == dev)
	104	dlc->owner = NULL;
	105	rfcomm_dlc_unlock(dlc);
	106
	107	rfcomm_dlc_put(dlc);
	108
	109	tty_unregister_device(rfcomm_tty_driver, dev->id);
	110
1da177e4 LT	111	kfree(dev);
1da177e4 LT	112
8e87d142	113	/* It's safe to call module_put() here because socket still
1da177e4 LT	114	holds reference to this module. */
	115	module_put(THIS_MODULE);
	116	}
	117
	118	static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
	119	{
	120	atomic_inc(&dev->refcnt);
	121	}
	122
	123	static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
	124	{
	125	/* The reason this isn't actually a race, as you no
	126	doubt have a little voice screaming at you in your
	127	head, is that the refcount should never actually
	128	reach zero unless the device has already been taken
	129	off the list, in rfcomm_dev_del(). And if that's not
	130	true, we'll hit the BUG() in rfcomm_dev_destruct()
	131	anyway. */
	132	if (atomic_dec_and_test(&dev->refcnt))
	133	rfcomm_dev_destruct(dev);
	134	}
	135
	136	static struct rfcomm_dev *__rfcomm_dev_get(int id)
	137	{
	138	struct rfcomm_dev *dev;
	139	struct list_head *p;
	140
	141	list_for_each(p, &rfcomm_dev_list) {
	142	dev = list_entry(p, struct rfcomm_dev, list);
	143	if (dev->id == id)
	144	return dev;
	145	}
	146
	147	return NULL;
	148	}
	149
	150	static inline struct rfcomm_dev *rfcomm_dev_get(int id)
	151	{
	152	struct rfcomm_dev *dev;
	153
	154	read_lock(&rfcomm_dev_lock);
	155
	156	dev = __rfcomm_dev_get(id);
8de0a154 VT	157
	158	if (dev) {
	159	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
	160	dev = NULL;
	161	else
	162	rfcomm_dev_hold(dev);
	163	}
1da177e4 LT	164
	165	read_unlock(&rfcomm_dev_lock);
	166
	167	return dev;
	168	}
	169
0a85b964 MH	170	static struct device rfcomm_get_device(struct rfcomm_dev dev)
	171	{
	172	struct hci_dev *hdev;
	173	struct hci_conn *conn;
	174
	175	hdev = hci_get_route(&dev->dst, &dev->src);
	176	if (!hdev)
	177	return NULL;
	178
	179	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
0a85b964 MH	180
	181	hci_dev_put(hdev);
	182
b2cfcd75	183	return conn ? &conn->dev : NULL;
0a85b964 MH	184	}
0a85b964 MH	185
dae6a0f6 MH	186	static ssize_t show_address(struct device tty_dev, struct device_attribute attr, char *buf)
	187	{
	188	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	189	bdaddr_t bdaddr;
	190	baswap(&bdaddr, &dev->dst);
	191	return sprintf(buf, "%s\n", batostr(&bdaddr));
	192	}
	193
	194	static ssize_t show_channel(struct device tty_dev, struct device_attribute attr, char *buf)
	195	{
	196	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	197	return sprintf(buf, "%d\n", dev->channel);
	198	}
	199
	200	static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
	201	static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
	202
1da177e4 LT	203	static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
	204	{
	205	struct rfcomm_dev *dev;
	206	struct list_head head = &rfcomm_dev_list, p;
	207	int err = 0;
	208
	209	BT_DBG("id %d channel %d", req->dev_id, req->channel);
8e87d142	210
25ea6db0	211	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
1da177e4 LT	212	if (!dev)
1da177e4 LT	213	return -ENOMEM;
1da177e4 LT	214
	215	write_lock_bh(&rfcomm_dev_lock);
	216
	217	if (req->dev_id < 0) {
	218	dev->id = 0;
	219
	220	list_for_each(p, &rfcomm_dev_list) {
	221	if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
	222	break;
	223
	224	dev->id++;
	225	head = p;
	226	}
	227	} else {
	228	dev->id = req->dev_id;
	229
	230	list_for_each(p, &rfcomm_dev_list) {
	231	struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);
	232
	233	if (entry->id == dev->id) {
	234	err = -EADDRINUSE;
	235	goto out;
	236	}
	237
	238	if (entry->id > dev->id - 1)
	239	break;
	240
	241	head = p;
	242	}
	243	}
	244
	245	if ((dev->id < 0) \|\| (dev->id > RFCOMM_MAX_DEV - 1)) {
	246	err = -ENFILE;
	247	goto out;
	248	}
	249
	250	sprintf(dev->name, "rfcomm%d", dev->id);
	251
	252	list_add(&dev->list, head);
	253	atomic_set(&dev->refcnt, 1);
	254
	255	bacpy(&dev->src, &req->src);
	256	bacpy(&dev->dst, &req->dst);
	257	dev->channel = req->channel;
	258
8e87d142	259	dev->flags = req->flags &
1da177e4 LT	260	((1 << RFCOMM_RELEASE_ONHUP) \| (1 << RFCOMM_REUSE_DLC));
	261
	262	init_waitqueue_head(&dev->wait);
	263	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);
	264
	265	rfcomm_dlc_lock(dlc);
	266	dlc->data_ready = rfcomm_dev_data_ready;
	267	dlc->state_change = rfcomm_dev_state_change;
	268	dlc->modem_status = rfcomm_dev_modem_status;
	269
	270	dlc->owner = dev;
	271	dev->dlc = dlc;
	272	rfcomm_dlc_unlock(dlc);
	273
8e87d142	274	/* It's safe to call __module_get() here because socket already
1da177e4 LT	275	holds reference to this module. */
	276	__module_get(THIS_MODULE);
	277
	278	out:
	279	write_unlock_bh(&rfcomm_dev_lock);
	280
09c7d829	281	if (err < 0) {
1da177e4 LT	282	kfree(dev);
	283	return err;
	284	}
	285
c1a33136	286	dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
1da177e4	287
8de0a154	288	if (IS_ERR(dev->tty_dev)) {
09c7d829	289	err = PTR_ERR(dev->tty_dev);
8de0a154 VT	290	list_del(&dev->list);
8de0a154 VT	291	kfree(dev);
09c7d829	292	return err;
8de0a154 VT	293	}
8de0a154 VT	294
dae6a0f6 MH	295	dev_set_drvdata(dev->tty_dev, dev);
	296
	297	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
	298	BT_ERR("Failed to create address attribute");
	299
	300	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
	301	BT_ERR("Failed to create channel attribute");
	302
1da177e4 LT	303	return dev->id;
	304	}
	305
	306	static void rfcomm_dev_del(struct rfcomm_dev *dev)
	307	{
	308	BT_DBG("dev %p", dev);
	309
f951375d DY	310	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
	311	BUG_ON(1);
	312	else
	313	set_bit(RFCOMM_TTY_RELEASED, &dev->flags);
	314
	315	write_lock_bh(&rfcomm_dev_lock);
	316	list_del_init(&dev->list);
	317	write_unlock_bh(&rfcomm_dev_lock);
	318
1da177e4 LT	319	rfcomm_dev_put(dev);
	320	}
	321
	322	/* ---- Send buffer ---- */
	323	static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
	324	{
	325	/* We can't let it be zero, because we don't get a callback
	326	when tx_credits becomes nonzero, hence we'd never wake up */
	327	return dlc->mtu * (dlc->tx_credits?:1);
	328	}
	329
	330	static void rfcomm_wfree(struct sk_buff *skb)
	331	{
	332	struct rfcomm_dev dev = (void ) skb->sk;
	333	atomic_sub(skb->truesize, &dev->wmem_alloc);
	334	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
	335	tasklet_schedule(&dev->wakeup_task);
	336	rfcomm_dev_put(dev);
	337	}
	338
	339	static inline void rfcomm_set_owner_w(struct sk_buff skb, struct rfcomm_dev dev)
	340	{
	341	rfcomm_dev_hold(dev);
	342	atomic_add(skb->truesize, &dev->wmem_alloc);
	343	skb->sk = (void *) dev;
	344	skb->destructor = rfcomm_wfree;
	345	}
	346
dd0fc66f	347	static struct sk_buff rfcomm_wmalloc(struct rfcomm_dev dev, unsigned long size, gfp_t priority)
1da177e4 LT	348	{
	349	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
	350	struct sk_buff *skb = alloc_skb(size, priority);
	351	if (skb) {
	352	rfcomm_set_owner_w(skb, dev);
	353	return skb;
	354	}
	355	}
	356	return NULL;
	357	}
	358
	359	/* ---- Device IOCTLs ---- */
	360
	361	#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) \| (1 << RFCOMM_RELEASE_ONHUP))
	362
	363	static int rfcomm_create_dev(struct sock sk, void __user arg)
	364	{
	365	struct rfcomm_dev_req req;
	366	struct rfcomm_dlc *dlc;
	367	int id;
	368
	369	if (copy_from_user(&req, arg, sizeof(req)))
	370	return -EFAULT;
	371
8de0a154	372	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
1da177e4 LT	373
	374	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
	375	return -EPERM;
	376
	377	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	378	/* Socket must be connected */
	379	if (sk->sk_state != BT_CONNECTED)
	380	return -EBADFD;
	381
	382	dlc = rfcomm_pi(sk)->dlc;
	383	rfcomm_dlc_hold(dlc);
	384	} else {
	385	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
	386	if (!dlc)
	387	return -ENOMEM;
	388	}
	389
	390	id = rfcomm_dev_add(&req, dlc);
	391	if (id < 0) {
	392	rfcomm_dlc_put(dlc);
	393	return id;
	394	}
	395
	396	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	397	/* DLC is now used by device.
	398	* Socket must be disconnected */
	399	sk->sk_state = BT_CLOSED;
	400	}
	401
	402	return id;
	403	}
	404
	405	static int rfcomm_release_dev(void __user *arg)
	406	{
	407	struct rfcomm_dev_req req;
	408	struct rfcomm_dev *dev;
	409
	410	if (copy_from_user(&req, arg, sizeof(req)))
	411	return -EFAULT;
	412
8de0a154	413	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
1da177e4 LT	414
	415	if (!(dev = rfcomm_dev_get(req.dev_id)))
	416	return -ENODEV;
	417
	418	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
	419	rfcomm_dev_put(dev);
	420	return -EPERM;
	421	}
	422
	423	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
	424	rfcomm_dlc_close(dev->dlc, 0);
	425
84950cf0 MR	426	/* Shut down TTY synchronously before freeing rfcomm_dev */
	427	if (dev->tty)
	428	tty_vhangup(dev->tty);
	429
93d80740 DY	430	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
93d80740 DY	431	rfcomm_dev_del(dev);
1da177e4 LT	432	rfcomm_dev_put(dev);
	433	return 0;
	434	}
	435
	436	static int rfcomm_get_dev_list(void __user *arg)
	437	{
	438	struct rfcomm_dev_list_req *dl;
	439	struct rfcomm_dev_info *di;
	440	struct list_head *p;
	441	int n = 0, size, err;
	442	u16 dev_num;
	443
	444	BT_DBG("");
	445
	446	if (get_user(dev_num, (u16 __user *) arg))
	447	return -EFAULT;
	448
	449	if (!dev_num \|\| dev_num > (PAGE_SIZE * 4) / sizeof(*di))
	450	return -EINVAL;
	451
	452	size = sizeof(dl) + dev_num sizeof(*di);
	453
	454	if (!(dl = kmalloc(size, GFP_KERNEL)))
	455	return -ENOMEM;
	456
	457	di = dl->dev_info;
	458
	459	read_lock_bh(&rfcomm_dev_lock);
	460
	461	list_for_each(p, &rfcomm_dev_list) {
	462	struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
8de0a154 VT	463	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
8de0a154 VT	464	continue;
1da177e4 LT	465	(di + n)->id = dev->id;
	466	(di + n)->flags = dev->flags;
	467	(di + n)->state = dev->dlc->state;
	468	(di + n)->channel = dev->channel;
	469	bacpy(&(di + n)->src, &dev->src);
	470	bacpy(&(di + n)->dst, &dev->dst);
	471	if (++n >= dev_num)
	472	break;
	473	}
	474
	475	read_unlock_bh(&rfcomm_dev_lock);
	476
	477	dl->dev_num = n;
	478	size = sizeof(dl) + n sizeof(*di);
	479
	480	err = copy_to_user(arg, dl, size);
	481	kfree(dl);
	482
	483	return err ? -EFAULT : 0;
	484	}
	485
	486	static int rfcomm_get_dev_info(void __user *arg)
	487	{
	488	struct rfcomm_dev *dev;
	489	struct rfcomm_dev_info di;
	490	int err = 0;
	491
	492	BT_DBG("");
	493
	494	if (copy_from_user(&di, arg, sizeof(di)))
	495	return -EFAULT;
	496
	497	if (!(dev = rfcomm_dev_get(di.id)))
	498	return -ENODEV;
	499
	500	di.flags = dev->flags;
	501	di.channel = dev->channel;
	502	di.state = dev->dlc->state;
	503	bacpy(&di.src, &dev->src);
	504	bacpy(&di.dst, &dev->dst);
	505
	506	if (copy_to_user(arg, &di, sizeof(di)))
	507	err = -EFAULT;
	508
	509	rfcomm_dev_put(dev);
	510	return err;
	511	}
	512
	513	int rfcomm_dev_ioctl(struct sock sk, unsigned int cmd, void __user arg)
	514	{
	515	BT_DBG("cmd %d arg %p", cmd, arg);
	516
	517	switch (cmd) {
	518	case RFCOMMCREATEDEV:
	519	return rfcomm_create_dev(sk, arg);
	520
	521	case RFCOMMRELEASEDEV:
	522	return rfcomm_release_dev(arg);
	523
	524	case RFCOMMGETDEVLIST:
	525	return rfcomm_get_dev_list(arg);
	526
	527	case RFCOMMGETDEVINFO:
	528	return rfcomm_get_dev_info(arg);
529	}
530
531	return -EINVAL;
532	}
533
534	/* ---- DLC callbacks ---- */
535	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb)
536	{
537	struct rfcomm_dev *dev = dlc->owner;
538	struct tty_struct *tty;
8e87d142	539
1da177e4 LT	540	if (!dev \|\| !(tty = dev->tty)) {
	541	kfree_skb(skb);
	542	return;
	543	}
	544
	545	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);
	546
817d6d3b PF	547	tty_insert_flip_string(tty, skb->data, skb->len);
817d6d3b PF	548	tty_flip_buffer_push(tty);
1da177e4 LT	549
	550	kfree_skb(skb);
	551	}
	552
	553	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
	554	{
	555	struct rfcomm_dev *dev = dlc->owner;
	556	if (!dev)
	557	return;
8e87d142	558
1da177e4 LT	559	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
	560
	561	dev->err = err;
	562	wake_up_interruptible(&dev->wait);
	563
	564	if (dlc->state == BT_CLOSED) {
	565	if (!dev->tty) {
	566	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
537d59af DY	567	/* Drop DLC lock here to avoid deadlock
	568	* 1. rfcomm_dev_get will take rfcomm_dev_lock
	569	* but in rfcomm_dev_add there's lock order:
	570	* rfcomm_dev_lock -> dlc lock
	571	* 2. rfcomm_dev_put will deadlock if it's
	572	* the last reference
	573	*/
	574	rfcomm_dlc_unlock(dlc);
	575	if (rfcomm_dev_get(dev->id) == NULL) {
	576	rfcomm_dlc_lock(dlc);
77f2a45f	577	return;
537d59af	578	}
1da177e4	579
77f2a45f	580	rfcomm_dev_del(dev);
1da177e4	581	rfcomm_dev_put(dev);
537d59af	582	rfcomm_dlc_lock(dlc);
1da177e4	583	}
8e87d142	584	} else
1da177e4 LT	585	tty_hangup(dev->tty);
	586	}
	587	}
	588
	589	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
	590	{
	591	struct rfcomm_dev *dev = dlc->owner;
	592	if (!dev)
	593	return;