[deliverable/linux.git] / net / bluetooth / rfcomm / tty.c

/*
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

/*
 * RFCOMM TTY.
 */

#include <linux/module.h>

#include <linux/tty.h>
#include <linux/tty_driver.h>
#include <linux/tty_flip.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/rfcomm.h>

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0

static struct tty_driver *rfcomm_tty_driver;

struct rfcomm_dev {
	struct tty_port		port;
	struct list_head	list;

	char			name[12];
	int			id;
	unsigned long		flags;
	int			err;

	bdaddr_t		src;
	bdaddr_t		dst;
	u8			channel;

	uint			modem_status;

	struct rfcomm_dlc	*dlc;

	struct device		*tty_dev;

	atomic_t		wmem_alloc;

	struct sk_buff_head	pending;
};

static LIST_HEAD(rfcomm_dev_list);
static DEFINE_SPINLOCK(rfcomm_dev_lock);

static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

/* ---- Device functions ---- */

static void rfcomm_dev_destruct(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	struct rfcomm_dlc *dlc = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, dlc);

	spin_lock(&rfcomm_dev_lock);
	list_del(&dev->list);
	spin_unlock(&rfcomm_dev_lock);

	rfcomm_dlc_lock(dlc);
	/* Detach DLC if it's owned by this dev */
	if (dlc->owner == dev)
		dlc->owner = NULL;
	rfcomm_dlc_unlock(dlc);

	rfcomm_dlc_put(dlc);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	kfree(dev);

	/* It's safe to call module_put() here because socket still
	   holds reference to this module. */
	module_put(THIS_MODULE);
}

/* device-specific initialization: open the dlc */
static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	return rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
}

/* we block the open until the dlc->state becomes BT_CONNECTED */
static int rfcomm_dev_carrier_raised(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	return (dev->dlc->state == BT_CONNECTED);
}

/* device-specific cleanup: close the dlc */
static void rfcomm_dev_shutdown(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);

	if (dev->tty_dev->parent)
		device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);

	/* close the dlc */
	rfcomm_dlc_close(dev->dlc, 0);
}

static const struct tty_port_operations rfcomm_port_ops = {
	.destruct = rfcomm_dev_destruct,
	.activate = rfcomm_dev_activate,
	.shutdown = rfcomm_dev_shutdown,
	.carrier_raised = rfcomm_dev_carrier_raised,
};

static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	list_for_each_entry(dev, &rfcomm_dev_list, list)
		if (dev->id == id)
			return dev;

	return NULL;
}

static struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	spin_lock(&rfcomm_dev_lock);

	dev = __rfcomm_dev_get(id);

	if (dev) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			dev = NULL;
		else
			tty_port_get(&dev->port);
	}

	spin_unlock(&rfcomm_dev_lock);

	return dev;
}

static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
{
	struct hci_dev *hdev;
	struct hci_conn *conn;

	hdev = hci_get_route(&dev->dst, &dev->src);
	if (!hdev)
		return NULL;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);

	hci_dev_put(hdev);

	return conn ? &conn->dev : NULL;
}

static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%pMR\n", &dev->dst);
}

static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%d\n", dev->channel);
}

static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);

static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev, *entry;
	struct list_head *head = &rfcomm_dev_list;
	int err = 0;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);

	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	spin_lock(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		dev->id = 0;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id != dev->id)
				break;

			dev->id++;
			head = &entry->list;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = &entry->list;
		}
	}

	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	sprintf(dev->name, "rfcomm%d", dev->id);

	list_add(&dev->list, head);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	dev->flags = req->flags &
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	tty_port_init(&dev->port);
	dev->port.ops = &rfcomm_port_ops;

	skb_queue_head_init(&dev->pending);

	rfcomm_dlc_lock(dlc);

	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
		struct sock *sk = dlc->owner;
		struct sk_buff *skb;

		BUG_ON(!sk);

		rfcomm_dlc_throttle(dlc);

		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
			skb_orphan(skb);
			skb_queue_tail(&dev->pending, skb);
			atomic_sub(skb->len, &sk->sk_rmem_alloc);
		}
	}

	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;

	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);

	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already
	   holds reference to this module. */
	__module_get(THIS_MODULE);

out:
	spin_unlock(&rfcomm_dev_lock);

	if (err < 0)
		goto free;

	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
			dev->id, NULL);
	if (IS_ERR(dev->tty_dev)) {
		err = PTR_ERR(dev->tty_dev);
		spin_lock(&rfcomm_dev_lock);
		list_del(&dev->list);
		spin_unlock(&rfcomm_dev_lock);
		goto free;
	}

	dev_set_drvdata(dev->tty_dev, dev);

	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
		BT_ERR("Failed to create address attribute");

	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
		BT_ERR("Failed to create channel attribute");

	return dev->id;

free:
	kfree(dev);
	return err;
}

/* ---- Send buffer ---- */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	/* We can't let it be zero, because we don't get a callback
	   when tx_credits becomes nonzero, hence we'd never wake up */
	return dlc->mtu * (dlc->tx_credits?:1);
}

static void rfcomm_wfree(struct sk_buff *skb)
{
	struct rfcomm_dev *dev = (void *) skb->sk;
	atomic_sub(skb->truesize, &dev->wmem_alloc);
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
		tty_port_tty_wakeup(&dev->port);
	tty_port_put(&dev->port);
}

static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	tty_port_get(&dev->port);
	atomic_add(skb->truesize, &dev->wmem_alloc);
	skb->sk = (void *) dev;
	skb->destructor = rfcomm_wfree;
}

static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
		struct sk_buff *skb = alloc_skb(size, priority);
		if (skb) {
			rfcomm_set_owner_w(skb, dev);
			return skb;
		}
	}
	return NULL;
}

/* ---- Device IOCTLs ---- */

#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))

static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);

	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}

static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;
	struct tty_struct *tty;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);

	dev = rfcomm_dev_get(req.dev_id);
	if (!dev)
		return -ENODEV;

	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		tty_port_put(&dev->port);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	/* Shut down TTY synchronously before freeing rfcomm_dev */
	tty = tty_port_tty_get(&dev->port);
	if (tty) {
		tty_vhangup(tty);
		tty_kref_put(tty);
	}

	if (!test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
		tty_port_put(&dev->port);

	tty_port_put(&dev->port);
	return 0;
}

static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	dl = kzalloc(size, GFP_KERNEL);
	if (!dl)
		return -ENOMEM;

	di = dl->dev_info;

	spin_lock(&rfcomm_dev_lock);

	list_for_each_entry(dev, &rfcomm_dev_list, list) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			continue;
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		if (++n >= dev_num)
			break;
	}

	spin_unlock(&rfcomm_dev_lock);

	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}

static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_info di;
	int err = 0;

	BT_DBG("");

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	dev = rfcomm_dev_get(di.id);
	if (!dev)
		return -ENODEV;

	di.flags   = dev->flags;
	di.channel = dev->channel;
	di.state   = dev->dlc->state;
	bacpy(&di.src, &dev->src);
	bacpy(&di.dst, &dev->dst);

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	tty_port_put(&dev->port);
	return err;
}

int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	switch (cmd) {
	case RFCOMMCREATEDEV:
		return rfcomm_create_dev(sk, arg);

	case RFCOMMRELEASEDEV:
		return rfcomm_release_dev(arg);

	case RFCOMMGETDEVLIST:
		return rfcomm_get_dev_list(arg);

	case RFCOMMGETDEVINFO:
		return rfcomm_get_dev_info(arg);
	}

	return -EINVAL;
}

/* ---- DLC callbacks ---- */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;

	if (!dev) {
		kfree_skb(skb);
		return;
	}

	if (!skb_queue_empty(&dev->pending)) {
		skb_queue_tail(&dev->pending, skb);
		return;
	}

	BT_DBG("dlc %p len %d", dlc, skb->len);

	tty_insert_flip_string(&dev->port, skb->data, skb->len);
	tty_flip_buffer_push(&dev->port);

	kfree_skb(skb);
}

static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;

	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	if (dlc->state == BT_CONNECTED) {
		device_move(dev->tty_dev, rfcomm_get_device(dev),
			    DPM_ORDER_DEV_AFTER_PARENT);

		wake_up_interruptible(&dev->port.open_wait);
	} else if (dlc->state == BT_CLOSED)
		tty_port_tty_hangup(&dev->port, false);
}

static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
Commit	Line	Data
8e87d142	1	/*
1da177e4 LT	2	RFCOMM implementation for Linux Bluetooth stack (BlueZ).
	3	Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
	4	Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
	5
	6	This program is free software; you can redistribute it and/or modify
	7	it under the terms of the GNU General Public License version 2 as
	8	published by the Free Software Foundation;
	9
	10	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	11	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	12	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
	13	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142 YH	14	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
	15	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4 LT	17	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1da177e4 LT	18
8e87d142 YH	19	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
8e87d142 YH	20	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4 LT	21	SOFTWARE IS DISCLAIMED.
	22	*/
	23
	24	/*
	25	* RFCOMM TTY.
1da177e4 LT	26	*/
1da177e4 LT	27
1da177e4 LT	28	#include <linux/module.h>
	29
	30	#include <linux/tty.h>
	31	#include <linux/tty_driver.h>
	32	#include <linux/tty_flip.h>
	33
1da177e4	34	#include <net/bluetooth/bluetooth.h>
0a85b964	35	#include <net/bluetooth/hci_core.h>
1da177e4 LT	36	#include <net/bluetooth/rfcomm.h>
1da177e4 LT	37
1da177e4 LT	38	#define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
	39	#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
	40	#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
	41	#define RFCOMM_TTY_MINOR 0
	42
	43	static struct tty_driver *rfcomm_tty_driver;
	44
	45	struct rfcomm_dev {
f60db8c4	46	struct tty_port port;
1da177e4	47	struct list_head list;
1da177e4 LT	48
	49	char name[12];
	50	int id;
	51	unsigned long flags;
1da177e4 LT	52	int err;
	53
	54	bdaddr_t src;
	55	bdaddr_t dst;
285b4e90	56	u8 channel;
1da177e4	57
285b4e90	58	uint modem_status;
1da177e4 LT	59
1da177e4 LT	60	struct rfcomm_dlc *dlc;
1da177e4	61
c1a33136 MH	62	struct device *tty_dev;
c1a33136 MH	63
285b4e90	64	atomic_t wmem_alloc;
a0c22f22 MH	65
a0c22f22 MH	66	struct sk_buff_head pending;
1da177e4 LT	67	};
	68
	69	static LIST_HEAD(rfcomm_dev_list);
393432cd	70	static DEFINE_SPINLOCK(rfcomm_dev_lock);
1da177e4 LT	71
	72	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb);
	73	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
	74	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
	75
1da177e4	76	/* ---- Device functions ---- */
67054019	77
67054019	78	static void rfcomm_dev_destruct(struct tty_port *port)
1da177e4	79	{
67054019	80	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
1da177e4 LT	81	struct rfcomm_dlc *dlc = dev->dlc;
	82
	83	BT_DBG("dev %p dlc %p", dev, dlc);
	84
ebe937f7 GA	85	spin_lock(&rfcomm_dev_lock);
	86	list_del(&dev->list);
	87	spin_unlock(&rfcomm_dev_lock);
8de0a154	88
1da177e4 LT	89	rfcomm_dlc_lock(dlc);
	90	/* Detach DLC if it's owned by this dev */
	91	if (dlc->owner == dev)
	92	dlc->owner = NULL;
	93	rfcomm_dlc_unlock(dlc);
	94
	95	rfcomm_dlc_put(dlc);
	96
	97	tty_unregister_device(rfcomm_tty_driver, dev->id);
	98
1da177e4 LT	99	kfree(dev);
1da177e4 LT	100
8e87d142	101	/* It's safe to call module_put() here because socket still
1da177e4 LT	102	holds reference to this module. */
	103	module_put(THIS_MODULE);
	104	}
	105
cad348a1 GA	106	/* device-specific initialization: open the dlc */
	107	static int rfcomm_dev_activate(struct tty_port port, struct tty_struct tty)
	108	{
	109	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	110
	111	return rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
	112	}
	113
	114	/* we block the open until the dlc->state becomes BT_CONNECTED */
	115	static int rfcomm_dev_carrier_raised(struct tty_port *port)
	116	{
	117	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	118
	119	return (dev->dlc->state == BT_CONNECTED);
	120	}
	121
	122	/* device-specific cleanup: close the dlc */
	123	static void rfcomm_dev_shutdown(struct tty_port *port)
	124	{
	125	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	126
	127	if (dev->tty_dev->parent)
	128	device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
	129
	130	/* close the dlc */
	131	rfcomm_dlc_close(dev->dlc, 0);
	132	}
	133
67054019 JS	134	static const struct tty_port_operations rfcomm_port_ops = {
67054019 JS	135	.destruct = rfcomm_dev_destruct,
cad348a1 GA	136	.activate = rfcomm_dev_activate,
	137	.shutdown = rfcomm_dev_shutdown,
	138	.carrier_raised = rfcomm_dev_carrier_raised,
67054019	139	};
1da177e4 LT	140
	141	static struct rfcomm_dev *__rfcomm_dev_get(int id)
	142	{
	143	struct rfcomm_dev *dev;
1da177e4	144
8035ded4	145	list_for_each_entry(dev, &rfcomm_dev_list, list)
1da177e4 LT	146	if (dev->id == id)
1da177e4 LT	147	return dev;
1da177e4 LT	148
	149	return NULL;
	150	}
	151
6039aa73	152	static struct rfcomm_dev *rfcomm_dev_get(int id)
1da177e4 LT	153	{
	154	struct rfcomm_dev *dev;
	155
393432cd	156	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	157
1da177e4 LT	158	dev = __rfcomm_dev_get(id);
8de0a154 VT	159
	160	if (dev) {
	161	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
	162	dev = NULL;
	163	else
67054019	164	tty_port_get(&dev->port);
8de0a154	165	}
1da177e4	166
393432cd	167	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	168
	169	return dev;
	170	}
	171
0a85b964 MH	172	static struct device rfcomm_get_device(struct rfcomm_dev dev)
	173	{
	174	struct hci_dev *hdev;
	175	struct hci_conn *conn;
	176
	177	hdev = hci_get_route(&dev->dst, &dev->src);
	178	if (!hdev)
	179	return NULL;
	180
	181	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
0a85b964 MH	182
	183	hci_dev_put(hdev);
	184
b2cfcd75	185	return conn ? &conn->dev : NULL;
0a85b964 MH	186	}
0a85b964 MH	187
dae6a0f6 MH	188	static ssize_t show_address(struct device tty_dev, struct device_attribute attr, char *buf)
	189	{
	190	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
fcb73338	191	return sprintf(buf, "%pMR\n", &dev->dst);
dae6a0f6 MH	192	}
	193
	194	static ssize_t show_channel(struct device tty_dev, struct device_attribute attr, char *buf)
	195	{
	196	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	197	return sprintf(buf, "%d\n", dev->channel);
	198	}
	199
	200	static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
	201	static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
	202
1da177e4 LT	203	static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
1da177e4 LT	204	{
8035ded4	205	struct rfcomm_dev dev, entry;
e57d758a	206	struct list_head *head = &rfcomm_dev_list;
1da177e4 LT	207	int err = 0;
	208
	209	BT_DBG("id %d channel %d", req->dev_id, req->channel);
8e87d142	210
25ea6db0	211	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
1da177e4 LT	212	if (!dev)
1da177e4 LT	213	return -ENOMEM;
1da177e4	214
393432cd	215	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	216
	217	if (req->dev_id < 0) {
	218	dev->id = 0;
	219
8035ded4 LAD	220	list_for_each_entry(entry, &rfcomm_dev_list, list) {
8035ded4 LAD	221	if (entry->id != dev->id)
1da177e4 LT	222	break;
	223
	224	dev->id++;
e57d758a	225	head = &entry->list;
1da177e4 LT	226	}
	227	} else {
	228	dev->id = req->dev_id;
	229
8035ded4	230	list_for_each_entry(entry, &rfcomm_dev_list, list) {
1da177e4 LT	231	if (entry->id == dev->id) {
	232	err = -EADDRINUSE;
	233	goto out;
	234	}
	235
	236	if (entry->id > dev->id - 1)
	237	break;
	238
e57d758a	239	head = &entry->list;
1da177e4 LT	240	}
	241	}
	242
	243	if ((dev->id < 0) \|\| (dev->id > RFCOMM_MAX_DEV - 1)) {
	244	err = -ENFILE;
	245	goto out;
	246	}
	247
	248	sprintf(dev->name, "rfcomm%d", dev->id);
	249
	250	list_add(&dev->list, head);
1da177e4 LT	251
	252	bacpy(&dev->src, &req->src);
	253	bacpy(&dev->dst, &req->dst);
	254	dev->channel = req->channel;
	255
8e87d142	256	dev->flags = req->flags &
1da177e4 LT	257	((1 << RFCOMM_RELEASE_ONHUP) \| (1 << RFCOMM_REUSE_DLC));
1da177e4 LT	258
f60db8c4	259	tty_port_init(&dev->port);
67054019	260	dev->port.ops = &rfcomm_port_ops;
1da177e4	261
a0c22f22 MH	262	skb_queue_head_init(&dev->pending);
a0c22f22 MH	263
1da177e4	264	rfcomm_dlc_lock(dlc);
a0c22f22 MH	265
	266	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
	267	struct sock *sk = dlc->owner;
	268	struct sk_buff *skb;
	269
	270	BUG_ON(!sk);
	271
	272	rfcomm_dlc_throttle(dlc);
	273
	274	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
	275	skb_orphan(skb);
	276	skb_queue_tail(&dev->pending, skb);
	277	atomic_sub(skb->len, &sk->sk_rmem_alloc);
	278	}
	279	}
	280
1da177e4 LT	281	dlc->data_ready = rfcomm_dev_data_ready;
	282	dlc->state_change = rfcomm_dev_state_change;
	283	dlc->modem_status = rfcomm_dev_modem_status;
	284
	285	dlc->owner = dev;
	286	dev->dlc = dlc;
8b6b3da7 MH	287
	288	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
	289
1da177e4 LT	290	rfcomm_dlc_unlock(dlc);
1da177e4 LT	291
8e87d142	292	/* It's safe to call __module_get() here because socket already
1da177e4 LT	293	holds reference to this module. */
	294	__module_get(THIS_MODULE);
	295
	296	out:
393432cd	297	spin_unlock(&rfcomm_dev_lock);
1da177e4	298
037322ab IJ	299	if (err < 0)
037322ab IJ	300	goto free;
1da177e4	301
734cc178 JS	302	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
734cc178 JS	303	dev->id, NULL);
8de0a154	304	if (IS_ERR(dev->tty_dev)) {
09c7d829	305	err = PTR_ERR(dev->tty_dev);
ebe937f7	306	spin_lock(&rfcomm_dev_lock);
8de0a154	307	list_del(&dev->list);
ebe937f7	308	spin_unlock(&rfcomm_dev_lock);
037322ab	309	goto free;
8de0a154 VT	310	}
8de0a154 VT	311
dae6a0f6 MH	312	dev_set_drvdata(dev->tty_dev, dev);
	313
	314	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
	315	BT_ERR("Failed to create address attribute");
	316
	317	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
	318	BT_ERR("Failed to create channel attribute");
	319
1da177e4	320	return dev->id;
037322ab IJ	321
	322	free:
	323	kfree(dev);
	324	return err;
1da177e4 LT	325	}
1da177e4 LT	326
1da177e4 LT	327	/* ---- Send buffer ---- */
	328	static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
	329	{
	330	/* We can't let it be zero, because we don't get a callback
	331	when tx_credits becomes nonzero, hence we'd never wake up */
	332	return dlc->mtu * (dlc->tx_credits?:1);
	333	}
	334
	335	static void rfcomm_wfree(struct sk_buff *skb)
	336	{
	337	struct rfcomm_dev dev = (void ) skb->sk;
	338	atomic_sub(skb->truesize, &dev->wmem_alloc);
396dc223 GA	339	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
396dc223 GA	340	tty_port_tty_wakeup(&dev->port);
67054019	341	tty_port_put(&dev->port);
1da177e4 LT	342	}
1da177e4 LT	343
6039aa73	344	static void rfcomm_set_owner_w(struct sk_buff skb, struct rfcomm_dev dev)
1da177e4	345	{
67054019	346	tty_port_get(&dev->port);
1da177e4 LT	347	atomic_add(skb->truesize, &dev->wmem_alloc);
	348	skb->sk = (void *) dev;
	349	skb->destructor = rfcomm_wfree;
	350	}
	351
dd0fc66f	352	static struct sk_buff rfcomm_wmalloc(struct rfcomm_dev dev, unsigned long size, gfp_t priority)
1da177e4 LT	353	{
	354	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
	355	struct sk_buff *skb = alloc_skb(size, priority);
	356	if (skb) {
	357	rfcomm_set_owner_w(skb, dev);
	358	return skb;
	359	}
	360	}
	361	return NULL;
	362	}
	363
	364	/* ---- Device IOCTLs ---- */
	365
	366	#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) \| (1 << RFCOMM_RELEASE_ONHUP))
	367
	368	static int rfcomm_create_dev(struct sock sk, void __user arg)
	369	{
	370	struct rfcomm_dev_req req;
	371	struct rfcomm_dlc *dlc;
	372	int id;
	373
	374	if (copy_from_user(&req, arg, sizeof(req)))
	375	return -EFAULT;
	376
8de0a154	377	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
1da177e4 LT	378
	379	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
	380	return -EPERM;
	381
	382	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	383	/* Socket must be connected */
	384	if (sk->sk_state != BT_CONNECTED)
	385	return -EBADFD;
	386
	387	dlc = rfcomm_pi(sk)->dlc;
	388	rfcomm_dlc_hold(dlc);
	389	} else {
	390	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
	391	if (!dlc)
	392	return -ENOMEM;
	393	}
	394
	395	id = rfcomm_dev_add(&req, dlc);
	396	if (id < 0) {
	397	rfcomm_dlc_put(dlc);
	398	return id;
	399	}
	400
	401	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	402	/* DLC is now used by device.
	403	* Socket must be disconnected */
	404	sk->sk_state = BT_CLOSED;
	405	}
	406
	407	return id;
	408	}
	409
	410	static int rfcomm_release_dev(void __user *arg)
	411	{
	412	struct rfcomm_dev_req req;
	413	struct rfcomm_dev *dev;
396dc223	414	struct tty_struct *tty;
1da177e4 LT	415
	416	if (copy_from_user(&req, arg, sizeof(req)))
	417	return -EFAULT;
	418
8de0a154	419	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
1da177e4	420
285b4e90 AE	421	dev = rfcomm_dev_get(req.dev_id);
285b4e90 AE	422	if (!dev)
1da177e4 LT	423	return -ENODEV;
	424
	425	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
67054019	426	tty_port_put(&dev->port);
1da177e4 LT	427	return -EPERM;
	428	}
	429
	430	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
	431	rfcomm_dlc_close(dev->dlc, 0);
	432
84950cf0	433	/* Shut down TTY synchronously before freeing rfcomm_dev */
396dc223 GA	434	tty = tty_port_tty_get(&dev->port);
	435	if (tty) {
	436	tty_vhangup(tty);
	437	tty_kref_put(tty);
	438	}
84950cf0	439
ece3150d GA	440	if (!test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags))
	441	tty_port_put(&dev->port);
	442
67054019	443	tty_port_put(&dev->port);
1da177e4 LT	444	return 0;
	445	}
	446
	447	static int rfcomm_get_dev_list(void __user *arg)
	448	{
8035ded4	449	struct rfcomm_dev *dev;
1da177e4 LT	450	struct rfcomm_dev_list_req *dl;
1da177e4 LT	451	struct rfcomm_dev_info *di;
1da177e4 LT	452	int n = 0, size, err;
	453	u16 dev_num;
	454
	455	BT_DBG("");
	456
	457	if (get_user(dev_num, (u16 __user *) arg))
	458	return -EFAULT;
	459
	460	if (!dev_num \|\| dev_num > (PAGE_SIZE * 4) / sizeof(*di))
	461	return -EINVAL;
	462
	463	size = sizeof(dl) + dev_num sizeof(*di);
	464
f9432c5e	465	dl = kzalloc(size, GFP_KERNEL);
285b4e90	466	if (!dl)
1da177e4 LT	467	return -ENOMEM;
	468
	469	di = dl->dev_info;
	470
393432cd	471	spin_lock(&rfcomm_dev_lock);
1da177e4	472
8035ded4	473	list_for_each_entry(dev, &rfcomm_dev_list, list) {
8de0a154 VT	474	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
8de0a154 VT	475	continue;
1da177e4 LT	476	(di + n)->id = dev->id;
	477	(di + n)->flags = dev->flags;
	478	(di + n)->state = dev->dlc->state;
	479	(di + n)->channel = dev->channel;
	480	bacpy(&(di + n)->src, &dev->src);
	481	bacpy(&(di + n)->dst, &dev->dst);
	482	if (++n >= dev_num)
	483	break;
	484	}
	485
393432cd	486	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	487
	488	dl->dev_num = n;
	489	size = sizeof(dl) + n sizeof(*di);
	490
	491	err = copy_to_user(arg, dl, size);
	492	kfree(dl);
	493
	494	return err ? -EFAULT : 0;
	495	}
	496
	497	static int rfcomm_get_dev_info(void __user *arg)
	498	{
	499	struct rfcomm_dev *dev;
	500	struct rfcomm_dev_info di;
	501	int err = 0;
	502
	503	BT_DBG("");
	504
	505	if (copy_from_user(&di, arg, sizeof(di)))
	506	return -EFAULT;
	507
285b4e90 AE	508	dev = rfcomm_dev_get(di.id);
285b4e90 AE	509	if (!dev)
1da177e4 LT	510	return -ENODEV;
	511
	512	di.flags = dev->flags;
	513	di.channel = dev->channel;
	514	di.state = dev->dlc->state;
	515	bacpy(&di.src, &dev->src);
	516	bacpy(&di.dst, &dev->dst);
	517
	518	if (copy_to_user(arg, &di, sizeof(di)))
	519	err = -EFAULT;
	520
67054019	521	tty_port_put(&dev->port);
1da177e4 LT	522	return err;
	523	}
	524
	525	int rfcomm_dev_ioctl(struct sock sk, unsigned int cmd, void __user arg)
	526	{
	527	BT_DBG("cmd %d arg %p", cmd, arg);
	528
	529	switch (cmd) {
	530	case RFCOMMCREATEDEV:
	531	return rfcomm_create_dev(sk, arg);
	532
	533	case RFCOMMRELEASEDEV:
	534	return rfcomm_release_dev(arg);
	535
	536	case RFCOMMGETDEVLIST:
	537	return rfcomm_get_dev_list(arg);
	538
	539	case RFCOMMGETDEVINFO:
	540	return rfcomm_get_dev_info(arg);
	541	}
	542
	543	return -EINVAL;
	544	}
	545
	546	/* ---- DLC callbacks ---- */
	547	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb)
	548	{
	549	struct rfcomm_dev *dev = dlc->owner;
8e87d142	550
a0c22f22	551	if (!dev) {
1da177e4 LT	552	kfree_skb(skb);
	553	return;
	554	}
	555
2e124b4a	556	if (!skb_queue_empty(&dev->pending)) {
a0c22f22 MH	557	skb_queue_tail(&dev->pending, skb);
	558	return;
	559	}
	560
2e124b4a	561	BT_DBG("dlc %p len %d", dlc, skb->len);
1da177e4	562
05c7cd39	563	tty_insert_flip_string(&dev->port, skb->data, skb->len);
2e124b4a	564	tty_flip_buffer_push(&dev->port);
1da177e4 LT	565
	566	kfree_skb(skb);
	567	}
	568
	569	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
	570	{
	571	struct rfcomm_dev *dev = dlc->owner;
	572	if (!dev)
	573	return;
8e87d142	574
1da177e4 LT	575	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
	576
	577	dev->err = err;
cad348a1 GA	578	if (dlc->state == BT_CONNECTED) {
	579	device_move(dev->tty_dev, rfcomm_get_device(dev),
	580	DPM_ORDER_DEV_AFTER_PARENT);
1da177e4	581
cad348a1	582	wake_up_interruptible(&dev->port.open_wait);
29cd718b GA	583	} else if (dlc->state == BT_CLOSED)
29cd718b GA	584	tty_port_tty_hangup(&dev->port, false);
1da177e4 LT	585	}
	586
	587	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
	588	{
	589	struct rfcomm_dev *dev = dlc->owner;
	590	if (!dev)
	591	return;