[deliverable/linux.git] / net / bluetooth / rfcomm / tty.c

/* 
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 
   SOFTWARE IS DISCLAIMED.
*/

/*
 * RFCOMM TTY.
 *
 * $Id: tty.c,v 1.24 2002/10/03 01:54:38 holtmann Exp $
 */

#include <linux/module.h>

#include <linux/tty.h>
#include <linux/tty_driver.h>
#include <linux/tty_flip.h>

#include <linux/capability.h>
#include <linux/slab.h>
#include <linux/skbuff.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/rfcomm.h>

#ifndef CONFIG_BT_RFCOMM_DEBUG
#undef  BT_DBG
#define BT_DBG(D...)
#endif

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0

static struct tty_driver *rfcomm_tty_driver;

struct rfcomm_dev {
	struct list_head	list;
	atomic_t		refcnt;

	char			name[12];
	int			id;
	unsigned long		flags;
	int			opened;
	int			err;

	bdaddr_t		src;
	bdaddr_t		dst;
	u8 			channel;

	uint 			modem_status;

	struct rfcomm_dlc	*dlc;
	struct tty_struct	*tty;
	wait_queue_head_t       wait;
	struct tasklet_struct   wakeup_task;

	atomic_t 		wmem_alloc;
};

static LIST_HEAD(rfcomm_dev_list);
static DEFINE_RWLOCK(rfcomm_dev_lock);

static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

static void rfcomm_tty_wakeup(unsigned long arg);

/* ---- Device functions ---- */
static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
{
	struct rfcomm_dlc *dlc = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, dlc);

	rfcomm_dlc_lock(dlc);
	/* Detach DLC if it's owned by this dev */
	if (dlc->owner == dev)
		dlc->owner = NULL;
	rfcomm_dlc_unlock(dlc);

	rfcomm_dlc_put(dlc);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	/* Refcount should only hit zero when called from rfcomm_dev_del()
	   which will have taken us off the list. Everything else are
	   refcounting bugs. */
	BUG_ON(!list_empty(&dev->list));

	kfree(dev);

	/* It's safe to call module_put() here because socket still 
	   holds reference to this module. */
	module_put(THIS_MODULE);
}

static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
{
	atomic_inc(&dev->refcnt);
}

static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
{
	/* The reason this isn't actually a race, as you no
	   doubt have a little voice screaming at you in your
	   head, is that the refcount should never actually
	   reach zero unless the device has already been taken
	   off the list, in rfcomm_dev_del(). And if that's not
	   true, we'll hit the BUG() in rfcomm_dev_destruct()
	   anyway. */
	if (atomic_dec_and_test(&dev->refcnt))
		rfcomm_dev_destruct(dev);
}

static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;
	struct list_head  *p;

	list_for_each(p, &rfcomm_dev_list) {
		dev = list_entry(p, struct rfcomm_dev, list);
		if (dev->id == id)
			return dev;
	}

	return NULL;
}

static inline struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	read_lock(&rfcomm_dev_lock);

	dev = __rfcomm_dev_get(id);
	if (dev)
		rfcomm_dev_hold(dev);

	read_unlock(&rfcomm_dev_lock);

	return dev;
}

static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev;
	struct list_head *head = &rfcomm_dev_list, *p;
	int err = 0;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);
	
	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	write_lock_bh(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		dev->id = 0;

		list_for_each(p, &rfcomm_dev_list) {
			if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
				break;

			dev->id++;
			head = p;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each(p, &rfcomm_dev_list) {
			struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);

			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = p;
		}
	}

	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	sprintf(dev->name, "rfcomm%d", dev->id);

	list_add(&dev->list, head);
	atomic_set(&dev->refcnt, 1);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	dev->flags = req->flags & 
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	init_waitqueue_head(&dev->wait);
	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);

	rfcomm_dlc_lock(dlc);
	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;
	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already 
	   holds reference to this module. */
	__module_get(THIS_MODULE);

out:
	write_unlock_bh(&rfcomm_dev_lock);

	if (err) {
		kfree(dev);
		return err;
	}

	tty_register_device(rfcomm_tty_driver, dev->id, NULL);

	return dev->id;
}

static void rfcomm_dev_del(struct rfcomm_dev *dev)
{
	BT_DBG("dev %p", dev);

	write_lock_bh(&rfcomm_dev_lock);
	list_del_init(&dev->list);
	write_unlock_bh(&rfcomm_dev_lock);

	rfcomm_dev_put(dev);
}

/* ---- Send buffer ---- */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	/* We can't let it be zero, because we don't get a callback
	   when tx_credits becomes nonzero, hence we'd never wake up */
	return dlc->mtu * (dlc->tx_credits?:1);
}

static void rfcomm_wfree(struct sk_buff *skb)
{
	struct rfcomm_dev *dev = (void *) skb->sk;
	atomic_sub(skb->truesize, &dev->wmem_alloc);
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
		tasklet_schedule(&dev->wakeup_task);
	rfcomm_dev_put(dev);
}

static inline void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	rfcomm_dev_hold(dev);
	atomic_add(skb->truesize, &dev->wmem_alloc);
	skb->sk = (void *) dev;
	skb->destructor = rfcomm_wfree;
}

static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
		struct sk_buff *skb = alloc_skb(size, priority);
		if (skb) {
			rfcomm_set_owner_w(skb, dev);
			return skb;
		}
	}
	return NULL;
}

/* ---- Device IOCTLs ---- */

#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))

static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("sk %p dev_id %id flags 0x%x", sk, req.dev_id, req.flags);

	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}

static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("dev_id %id flags 0x%x", req.dev_id, req.flags);

	if (!(dev = rfcomm_dev_get(req.dev_id)))
		return -ENODEV;

	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		rfcomm_dev_put(dev);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	rfcomm_dev_del(dev);
	rfcomm_dev_put(dev);
	return 0;
}

static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	struct list_head *p;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	if (!(dl = kmalloc(size, GFP_KERNEL)))
		return -ENOMEM;

	di = dl->dev_info;

	read_lock_bh(&rfcomm_dev_lock);

	list_for_each(p, &rfcomm_dev_list) {
		struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		if (++n >= dev_num)
			break;
	}

	read_unlock_bh(&rfcomm_dev_lock);

	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}

static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_info di;
	int err = 0;

	BT_DBG("");

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	if (!(dev = rfcomm_dev_get(di.id)))
		return -ENODEV;

	di.flags   = dev->flags;
	di.channel = dev->channel;
	di.state   = dev->dlc->state;
	bacpy(&di.src, &dev->src);
	bacpy(&di.dst, &dev->dst);

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	rfcomm_dev_put(dev);
	return err;
}

int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	switch (cmd) {
	case RFCOMMCREATEDEV:
		return rfcomm_create_dev(sk, arg);

	case RFCOMMRELEASEDEV:
		return rfcomm_release_dev(arg);

	case RFCOMMGETDEVLIST:
		return rfcomm_get_dev_list(arg);

	case RFCOMMGETDEVINFO:
		return rfcomm_get_dev_info(arg);
	}

	return -EINVAL;
}

/* ---- DLC callbacks ---- */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;
	struct tty_struct *tty;
       
	if (!dev || !(tty = dev->tty)) {
		kfree_skb(skb);
		return;
	}

	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);

	tty_insert_flip_string(tty, skb->data, skb->len);
	tty_flip_buffer_push(tty);

	kfree_skb(skb);
}

static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
	
	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	wake_up_interruptible(&dev->wait);

	if (dlc->state == BT_CLOSED) {
		if (!dev->tty) {
			if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
				rfcomm_dev_hold(dev);
				rfcomm_dev_del(dev);

				/* We have to drop DLC lock here, otherwise
				   rfcomm_dev_put() will dead lock if it's
				   the last reference. */
				rfcomm_dlc_unlock(dlc);
				rfcomm_dev_put(dev);
				rfcomm_dlc_lock(dlc);
			}
		} else 
			tty_hangup(dev->tty);
	}
}

static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
Commit	Line	Data
1da177e4 LT	1	/*
	2	RFCOMM implementation for Linux Bluetooth stack (BlueZ).
	3	Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
	4	Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
	5
	6	This program is free software; you can redistribute it and/or modify
	7	it under the terms of the GNU General Public License version 2 as
	8	published by the Free Software Foundation;
	9
	10	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	11	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	12	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
	13	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
	14	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
	15	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	17	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	18
	19	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
	20	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
	21	SOFTWARE IS DISCLAIMED.
	22	*/
	23
	24	/*
	25	* RFCOMM TTY.
	26	*
	27	* $Id: tty.c,v 1.24 2002/10/03 01:54:38 holtmann Exp $
	28	*/
	29
1da177e4 LT	30	#include <linux/module.h>
	31
	32	#include <linux/tty.h>
	33	#include <linux/tty_driver.h>
	34	#include <linux/tty_flip.h>
	35
4fc268d2	36	#include <linux/capability.h>
1da177e4 LT	37	#include <linux/slab.h>
	38	#include <linux/skbuff.h>
	39
	40	#include <net/bluetooth/bluetooth.h>
	41	#include <net/bluetooth/rfcomm.h>
	42
	43	#ifndef CONFIG_BT_RFCOMM_DEBUG
	44	#undef BT_DBG
	45	#define BT_DBG(D...)
	46	#endif
	47
	48	#define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
	49	#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
	50	#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
	51	#define RFCOMM_TTY_MINOR 0
	52
	53	static struct tty_driver *rfcomm_tty_driver;
	54
	55	struct rfcomm_dev {
	56	struct list_head list;
	57	atomic_t refcnt;
	58
	59	char name[12];
	60	int id;
	61	unsigned long flags;
	62	int opened;
	63	int err;
	64
	65	bdaddr_t src;
	66	bdaddr_t dst;
	67	u8 channel;
	68
	69	uint modem_status;
	70
	71	struct rfcomm_dlc *dlc;
	72	struct tty_struct *tty;
	73	wait_queue_head_t wait;
	74	struct tasklet_struct wakeup_task;
	75
	76	atomic_t wmem_alloc;
	77	};
	78
	79	static LIST_HEAD(rfcomm_dev_list);
	80	static DEFINE_RWLOCK(rfcomm_dev_lock);
	81
	82	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb);
	83	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
	84	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
	85
	86	static void rfcomm_tty_wakeup(unsigned long arg);
	87
	88	/* ---- Device functions ---- */
	89	static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
	90	{
	91	struct rfcomm_dlc *dlc = dev->dlc;
	92
	93	BT_DBG("dev %p dlc %p", dev, dlc);
	94
	95	rfcomm_dlc_lock(dlc);
	96	/* Detach DLC if it's owned by this dev */
	97	if (dlc->owner == dev)
	98	dlc->owner = NULL;
	99	rfcomm_dlc_unlock(dlc);
	100
101	rfcomm_dlc_put(dlc);
102
103	tty_unregister_device(rfcomm_tty_driver, dev->id);
104
105	/* Refcount should only hit zero when called from rfcomm_dev_del()
106	which will have taken us off the list. Everything else are
107	refcounting bugs. */
108	BUG_ON(!list_empty(&dev->list));
109
110	kfree(dev);
111
112	/* It's safe to call module_put() here because socket still
113	holds reference to this module. */
114	module_put(THIS_MODULE);
115	}
116
117	static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
118	{
119	atomic_inc(&dev->refcnt);
120	}
121
122	static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
123	{
124	/* The reason this isn't actually a race, as you no
125	doubt have a little voice screaming at you in your
126	head, is that the refcount should never actually
127	reach zero unless the device has already been taken
128	off the list, in rfcomm_dev_del(). And if that's not
129	true, we'll hit the BUG() in rfcomm_dev_destruct()
130	anyway. */
131	if (atomic_dec_and_test(&dev->refcnt))
132	rfcomm_dev_destruct(dev);
133	}
134
135	static struct rfcomm_dev *__rfcomm_dev_get(int id)
136	{
137	struct rfcomm_dev *dev;
138	struct list_head *p;
139
140	list_for_each(p, &rfcomm_dev_list) {
141	dev = list_entry(p, struct rfcomm_dev, list);
142	if (dev->id == id)
143	return dev;
144	}
145
146	return NULL;
147	}
148
149	static inline struct rfcomm_dev *rfcomm_dev_get(int id)
150	{
151	struct rfcomm_dev *dev;
152
153	read_lock(&rfcomm_dev_lock);
154
155	dev = __rfcomm_dev_get(id);
156	if (dev)
157	rfcomm_dev_hold(dev);
158
159	read_unlock(&rfcomm_dev_lock);
160
161	return dev;
162	}
163
164	static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
165	{
166	struct rfcomm_dev *dev;
167	struct list_head head = &rfcomm_dev_list, p;
168	int err = 0;
169
170	BT_DBG("id %d channel %d", req->dev_id, req->channel);
171
25ea6db0	172	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
1da177e4 LT	173	if (!dev)
1da177e4 LT	174	return -ENOMEM;
1da177e4 LT	175
	176	write_lock_bh(&rfcomm_dev_lock);
	177
	178	if (req->dev_id < 0) {
	179	dev->id = 0;
	180
	181	list_for_each(p, &rfcomm_dev_list) {
	182	if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
	183	break;
	184
	185	dev->id++;
	186	head = p;
	187	}
	188	} else {
	189	dev->id = req->dev_id;
	190
	191	list_for_each(p, &rfcomm_dev_list) {
	192	struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);
	193
	194	if (entry->id == dev->id) {
	195	err = -EADDRINUSE;
	196	goto out;
	197	}
	198
	199	if (entry->id > dev->id - 1)
	200	break;
	201
	202	head = p;
	203	}
	204	}
	205
	206	if ((dev->id < 0) \|\| (dev->id > RFCOMM_MAX_DEV - 1)) {
	207	err = -ENFILE;
	208	goto out;
	209	}
	210
	211	sprintf(dev->name, "rfcomm%d", dev->id);
	212
	213	list_add(&dev->list, head);
	214	atomic_set(&dev->refcnt, 1);
	215
	216	bacpy(&dev->src, &req->src);
	217	bacpy(&dev->dst, &req->dst);
	218	dev->channel = req->channel;
	219
	220	dev->flags = req->flags &
	221	((1 << RFCOMM_RELEASE_ONHUP) \| (1 << RFCOMM_REUSE_DLC));
	222
	223	init_waitqueue_head(&dev->wait);
	224	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);
	225
	226	rfcomm_dlc_lock(dlc);
	227	dlc->data_ready = rfcomm_dev_data_ready;
	228	dlc->state_change = rfcomm_dev_state_change;
	229	dlc->modem_status = rfcomm_dev_modem_status;
	230
	231	dlc->owner = dev;
	232	dev->dlc = dlc;
	233	rfcomm_dlc_unlock(dlc);
	234
	235	/* It's safe to call __module_get() here because socket already
	236	holds reference to this module. */
	237	__module_get(THIS_MODULE);
	238
239	out:
240	write_unlock_bh(&rfcomm_dev_lock);
241
242	if (err) {
243	kfree(dev);
244	return err;
245	}
246
247	tty_register_device(rfcomm_tty_driver, dev->id, NULL);
248
249	return dev->id;
250	}
251
252	static void rfcomm_dev_del(struct rfcomm_dev *dev)
253	{
254	BT_DBG("dev %p", dev);
255
256	write_lock_bh(&rfcomm_dev_lock);
257	list_del_init(&dev->list);
258	write_unlock_bh(&rfcomm_dev_lock);
259
260	rfcomm_dev_put(dev);
261	}
262
263	/* ---- Send buffer ---- */
264	static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
265	{
266	/* We can't let it be zero, because we don't get a callback
267	when tx_credits becomes nonzero, hence we'd never wake up */
268	return dlc->mtu * (dlc->tx_credits?:1);
269	}
270
271	static void rfcomm_wfree(struct sk_buff *skb)
272	{
273	struct rfcomm_dev dev = (void ) skb->sk;
274	atomic_sub(skb->truesize, &dev->wmem_alloc);
275	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
276	tasklet_schedule(&dev->wakeup_task);
277	rfcomm_dev_put(dev);
278	}
279
280	static inline void rfcomm_set_owner_w(struct sk_buff skb, struct rfcomm_dev dev)
281	{
282	rfcomm_dev_hold(dev);
283	atomic_add(skb->truesize, &dev->wmem_alloc);
284	skb->sk = (void *) dev;
285	skb->destructor = rfcomm_wfree;
286	}
287
dd0fc66f	288	static struct sk_buff rfcomm_wmalloc(struct rfcomm_dev dev, unsigned long size, gfp_t priority)
1da177e4 LT	289	{
	290	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
	291	struct sk_buff *skb = alloc_skb(size, priority);
	292	if (skb) {
	293	rfcomm_set_owner_w(skb, dev);
	294	return skb;
	295	}
	296	}
	297	return NULL;
	298	}
	299
	300	/* ---- Device IOCTLs ---- */
	301
	302	#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) \| (1 << RFCOMM_RELEASE_ONHUP))
	303
	304	static int rfcomm_create_dev(struct sock sk, void __user arg)
	305	{
	306	struct rfcomm_dev_req req;
	307	struct rfcomm_dlc *dlc;
	308	int id;
	309
	310	if (copy_from_user(&req, arg, sizeof(req)))
	311	return -EFAULT;
	312
	313	BT_DBG("sk %p dev_id %id flags 0x%x", sk, req.dev_id, req.flags);
	314
	315	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
	316	return -EPERM;
	317
	318	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	319	/* Socket must be connected */
	320	if (sk->sk_state != BT_CONNECTED)
	321	return -EBADFD;
	322
	323	dlc = rfcomm_pi(sk)->dlc;
	324	rfcomm_dlc_hold(dlc);
	325	} else {
	326	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
	327	if (!dlc)
	328	return -ENOMEM;
	329	}
	330
	331	id = rfcomm_dev_add(&req, dlc);
	332	if (id < 0) {
	333	rfcomm_dlc_put(dlc);
	334	return id;
	335	}
	336
	337	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	338	/* DLC is now used by device.
	339	* Socket must be disconnected */
	340	sk->sk_state = BT_CLOSED;
	341	}
	342
	343	return id;
	344	}
	345
	346	static int rfcomm_release_dev(void __user *arg)
	347	{
	348	struct rfcomm_dev_req req;
	349	struct rfcomm_dev *dev;
	350
	351	if (copy_from_user(&req, arg, sizeof(req)))
	352	return -EFAULT;
353
354	BT_DBG("dev_id %id flags 0x%x", req.dev_id, req.flags);
355
356	if (!(dev = rfcomm_dev_get(req.dev_id)))
357	return -ENODEV;
358
359	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
360	rfcomm_dev_put(dev);
361	return -EPERM;
362	}
363
364	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
365	rfcomm_dlc_close(dev->dlc, 0);
366
367	rfcomm_dev_del(dev);
368	rfcomm_dev_put(dev);
369	return 0;
370	}
371
372	static int rfcomm_get_dev_list(void __user *arg)
373	{
374	struct rfcomm_dev_list_req *dl;
375	struct rfcomm_dev_info *di;
376	struct list_head *p;
377	int n = 0, size, err;
378	u16 dev_num;
379
380	BT_DBG("");
381
382	if (get_user(dev_num, (u16 __user *) arg))
383	return -EFAULT;
384
385	if (!dev_num \|\| dev_num > (PAGE_SIZE * 4) / sizeof(*di))
386	return -EINVAL;
387
388	size = sizeof(dl) + dev_num sizeof(*di);
389
390	if (!(dl = kmalloc(size, GFP_KERNEL)))
391	return -ENOMEM;
392
393	di = dl->dev_info;
394
395	read_lock_bh(&rfcomm_dev_lock);
396
397	list_for_each(p, &rfcomm_dev_list) {
398	struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
399	(di + n)->id = dev->id;
400	(di + n)->flags = dev->flags;
401	(di + n)->state = dev->dlc->state;
402	(di + n)->channel = dev->channel;
403	bacpy(&(di + n)->src, &dev->src);
404	bacpy(&(di + n)->dst, &dev->dst);
405	if (++n >= dev_num)
406	break;
407	}
408
409	read_unlock_bh(&rfcomm_dev_lock);
410
411	dl->dev_num = n;
412	size = sizeof(dl) + n sizeof(*di);
413
414	err = copy_to_user(arg, dl, size);
415	kfree(dl);
416
417	return err ? -EFAULT : 0;
418	}
419
420	static int rfcomm_get_dev_info(void __user *arg)
421	{
422	struct rfcomm_dev *dev;
423	struct rfcomm_dev_info di;
424	int err = 0;
425
426	BT_DBG("");
427
428	if (copy_from_user(&di, arg, sizeof(di)))
429	return -EFAULT;
430
431	if (!(dev = rfcomm_dev_get(di.id)))
432	return -ENODEV;
433
434	di.flags = dev->flags;
435	di.channel = dev->channel;
436	di.state = dev->dlc->state;
437	bacpy(&di.src, &dev->src);
438	bacpy(&di.dst, &dev->dst);
439
440	if (copy_to_user(arg, &di, sizeof(di)))
441	err = -EFAULT;
442
443	rfcomm_dev_put(dev);
444	return err;
445	}
446
447	int rfcomm_dev_ioctl(struct sock sk, unsigned int cmd, void __user arg)
448	{
449	BT_DBG("cmd %d arg %p", cmd, arg);
450
451	switch (cmd) {
452	case RFCOMMCREATEDEV:
453	return rfcomm_create_dev(sk, arg);
454
455	case RFCOMMRELEASEDEV:
456	return rfcomm_release_dev(arg);
457
458	case RFCOMMGETDEVLIST:
459	return rfcomm_get_dev_list(arg);
460
461	case RFCOMMGETDEVINFO:
462	return rfcomm_get_dev_info(arg);
463	}
464
465	return -EINVAL;
466	}
467
468	/* ---- DLC callbacks ---- */
469	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb)
470	{
471	struct rfcomm_dev *dev = dlc->owner;
472	struct tty_struct *tty;
473
474	if (!dev \|\| !(tty = dev->tty)) {
475	kfree_skb(skb);
476	return;
477	}
478
479	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);
480
817d6d3b PF	481	tty_insert_flip_string(tty, skb->data, skb->len);
817d6d3b PF	482	tty_flip_buffer_push(tty);
1da177e4 LT	483
	484	kfree_skb(skb);
	485	}
	486
	487	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
	488	{
	489	struct rfcomm_dev *dev = dlc->owner;
	490	if (!dev)
	491	return;
	492
	493	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
	494
	495	dev->err = err;
	496	wake_up_interruptible(&dev->wait);
	497
	498	if (dlc->state == BT_CLOSED) {
	499	if (!dev->tty) {
	500	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
	501	rfcomm_dev_hold(dev);
	502	rfcomm_dev_del(dev);
	503
	504	/* We have to drop DLC lock here, otherwise
	505	rfcomm_dev_put() will dead lock if it's
	506	the last reference. */
	507	rfcomm_dlc_unlock(dlc);
	508	rfcomm_dev_put(dev);
	509	rfcomm_dlc_lock(dlc);
	510	}
	511	} else
	512	tty_hangup(dev->tty);
	513	}
	514	}
	515
	516	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
	517	{
	518	struct rfcomm_dev *dev = dlc->owner;
	519	if (!dev)
	520	return;