LXR linux/net/bluetooth/rfcomm/tty.c

   1/*
   2   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   3   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   4   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
   5
   6   This program is free software; you can redistribute it and/or modify
   7   it under the terms of the GNU General Public License version 2 as
   8   published by the Free Software Foundation;
   9
  10   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  11   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  12   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  13   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  14   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  15   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  16   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  17   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  18
  19   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  20   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  21   SOFTWARE IS DISCLAIMED.
  22*/
  23
  24/*
  25 * RFCOMM TTY.
  26 */
  27
  28#include <linux/module.h>
  29
  30#include <linux/tty.h>
  31#include <linux/tty_driver.h>
  32#include <linux/tty_flip.h>
  33
  34#include <linux/capability.h>
  35#include <linux/slab.h>
  36#include <linux/skbuff.h>
  37
  38#include <net/bluetooth/bluetooth.h>
  39#include <net/bluetooth/hci_core.h>
  40#include <net/bluetooth/rfcomm.h>
  41
  42#define RFCOMM_TTY_MAGIC 0x6d02         /* magic number for rfcomm struct */
  43#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
  44#define RFCOMM_TTY_MAJOR 216            /* device node major id of the usb/bluetooth.c driver */
  45#define RFCOMM_TTY_MINOR 0
  46
  47static struct tty_driver *rfcomm_tty_driver;
  48
  49struct rfcomm_dev {
  50        struct list_head        list;
  51        atomic_t                refcnt;
  52
  53        char                    name[12];
  54        int                     id;
  55        unsigned long           flags;
  56        atomic_t                opened;
  57        int                     err;
  58
  59        bdaddr_t                src;
  60        bdaddr_t                dst;
  61        u8                      channel;
  62
  63        uint                    modem_status;
  64
  65        struct rfcomm_dlc       *dlc;
  66        struct tty_struct       *tty;
  67        wait_queue_head_t       wait;
  68        struct tasklet_struct   wakeup_task;
  69
  70        struct device           *tty_dev;
  71
  72        atomic_t                wmem_alloc;
  73
  74        struct sk_buff_head     pending;
  75};
  76
  77static LIST_HEAD(rfcomm_dev_list);
  78static DEFINE_RWLOCK(rfcomm_dev_lock);
  79
  80static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
  81static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
  82static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
  83
  84static void rfcomm_tty_wakeup(unsigned long arg);
  85
  86/* ---- Device functions ---- */
  87static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
  88{
  89        struct rfcomm_dlc *dlc = dev->dlc;
  90
  91        BT_DBG("dev %p dlc %p", dev, dlc);
  92
  93        /* Refcount should only hit zero when called from rfcomm_dev_del()
  94           which will have taken us off the list. Everything else are
  95           refcounting bugs. */
  96        BUG_ON(!list_empty(&dev->list));
  97
  98        rfcomm_dlc_lock(dlc);
  99        /* Detach DLC if it's owned by this dev */
 100        if (dlc->owner == dev)
 101                dlc->owner = NULL;
 102        rfcomm_dlc_unlock(dlc);
 103
 104        rfcomm_dlc_put(dlc);
 105
 106        tty_unregister_device(rfcomm_tty_driver, dev->id);
 107
 108        kfree(dev);
 109
 110        /* It's safe to call module_put() here because socket still
 111           holds reference to this module. */
 112        module_put(THIS_MODULE);
 113}
 114
 115static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
 116{
 117        atomic_inc(&dev->refcnt);
 118}
 119
 120static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
 121{
 122        /* The reason this isn't actually a race, as you no
 123           doubt have a little voice screaming at you in your
 124           head, is that the refcount should never actually
 125           reach zero unless the device has already been taken
 126           off the list, in rfcomm_dev_del(). And if that's not
 127           true, we'll hit the BUG() in rfcomm_dev_destruct()
 128           anyway. */
 129        if (atomic_dec_and_test(&dev->refcnt))
 130                rfcomm_dev_destruct(dev);
 131}
 132
 133static struct rfcomm_dev *__rfcomm_dev_get(int id)
 134{
 135        struct rfcomm_dev *dev;
 136        struct list_head  *p;
 137
 138        list_for_each(p, &rfcomm_dev_list) {
 139                dev = list_entry(p, struct rfcomm_dev, list);
 140                if (dev->id == id)
 141                        return dev;
 142        }
 143
 144        return NULL;
 145}
 146
 147static inline struct rfcomm_dev *rfcomm_dev_get(int id)
 148{
 149        struct rfcomm_dev *dev;
 150
 151        read_lock(&rfcomm_dev_lock);
 152
 153        dev = __rfcomm_dev_get(id);
 154
 155        if (dev) {
 156                if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
 157                        dev = NULL;
 158                else
 159                        rfcomm_dev_hold(dev);
 160        }
 161
 162        read_unlock(&rfcomm_dev_lock);
 163
 164        return dev;
 165}
 166
 167static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
 168{
 169        struct hci_dev *hdev;
 170        struct hci_conn *conn;
 171
 172        hdev = hci_get_route(&dev->dst, &dev->src);
 173        if (!hdev)
 174                return NULL;
 175
 176        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
 177
 178        hci_dev_put(hdev);
 179
 180        return conn ? &conn->dev : NULL;
 181}
 182
 183static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
 184{
 185        struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
 186        bdaddr_t bdaddr;
 187        baswap(&bdaddr, &dev->dst);
 188        return sprintf(buf, "%s\n", batostr(&bdaddr));
 189}
 190
 191static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
 192{
 193        struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
 194        return sprintf(buf, "%d\n", dev->channel);
 195}
 196
 197static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
 198static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
 199
 200static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
 201{
 202        struct rfcomm_dev *dev;
 203        struct list_head *head = &rfcomm_dev_list, *p;
 204        int err = 0;
 205
 206        BT_DBG("id %d channel %d", req->dev_id, req->channel);
 207
 208        dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
 209        if (!dev)
 210                return -ENOMEM;
 211
 212        write_lock_bh(&rfcomm_dev_lock);
 213
 214        if (req->dev_id < 0) {
 215                dev->id = 0;
 216
 217                list_for_each(p, &rfcomm_dev_list) {
 218                        if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
 219                                break;
 220
 221                        dev->id++;
 222                        head = p;
 223                }
 224        } else {
 225                dev->id = req->dev_id;
 226
 227                list_for_each(p, &rfcomm_dev_list) {
 228                        struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);
 229
 230                        if (entry->id == dev->id) {
 231                                err = -EADDRINUSE;
 232                                goto out;
 233                        }
 234
 235                        if (entry->id > dev->id - 1)
 236                                break;
 237
 238                        head = p;
 239                }
 240        }
 241
 242        if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
 243                err = -ENFILE;
 244                goto out;
 245        }
 246
 247        sprintf(dev->name, "rfcomm%d", dev->id);
 248
 249        list_add(&dev->list, head);
 250        atomic_set(&dev->refcnt, 1);
 251
 252        bacpy(&dev->src, &req->src);
 253        bacpy(&dev->dst, &req->dst);
 254        dev->channel = req->channel;
 255
 256        dev->flags = req->flags &
 257                ((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));
 258
 259        atomic_set(&dev->opened, 0);
 260
 261        init_waitqueue_head(&dev->wait);
 262        tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);
 263
 264        skb_queue_head_init(&dev->pending);
 265
 266        rfcomm_dlc_lock(dlc);
 267
 268        if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
 269                struct sock *sk = dlc->owner;
 270                struct sk_buff *skb;
 271
 272                BUG_ON(!sk);
 273
 274                rfcomm_dlc_throttle(dlc);
 275
 276                while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
 277                        skb_orphan(skb);
 278                        skb_queue_tail(&dev->pending, skb);
 279                        atomic_sub(skb->len, &sk->sk_rmem_alloc);
 280                }
 281        }
 282
 283        dlc->data_ready   = rfcomm_dev_data_ready;
 284        dlc->state_change = rfcomm_dev_state_change;
 285        dlc->modem_status = rfcomm_dev_modem_status;
 286
 287        dlc->owner = dev;
 288        dev->dlc   = dlc;
 289
 290        rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
 291
 292        rfcomm_dlc_unlock(dlc);
 293
 294        /* It's safe to call __module_get() here because socket already
 295           holds reference to this module. */
 296        __module_get(THIS_MODULE);
 297
 298out:
 299        write_unlock_bh(&rfcomm_dev_lock);
 300
 301        if (err < 0)
 302                goto free;
 303
 304        dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
 305
 306        if (IS_ERR(dev->tty_dev)) {
 307                err = PTR_ERR(dev->tty_dev);
 308                list_del(&dev->list);
 309                goto free;
 310        }
 311
 312        dev_set_drvdata(dev->tty_dev, dev);
 313
 314        if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
 315                BT_ERR("Failed to create address attribute");
 316
 317        if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
 318                BT_ERR("Failed to create channel attribute");
 319
 320        return dev->id;
 321
 322free:
 323        kfree(dev);
 324        return err;
 325}
 326
 327static void rfcomm_dev_del(struct rfcomm_dev *dev)
 328{
 329        BT_DBG("dev %p", dev);
 330
 331        BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));
 332
 333        if (atomic_read(&dev->opened) > 0)
 334                return;
 335
 336        write_lock_bh(&rfcomm_dev_lock);
 337        list_del_init(&dev->list);
 338        write_unlock_bh(&rfcomm_dev_lock);
 339
 340        rfcomm_dev_put(dev);
 341}
 342
 343/* ---- Send buffer ---- */
 344static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
 345{
 346        /* We can't let it be zero, because we don't get a callback
 347           when tx_credits becomes nonzero, hence we'd never wake up */
 348        return dlc->mtu * (dlc->tx_credits?:1);
 349}
 350
 351static void rfcomm_wfree(struct sk_buff *skb)
 352{
 353        struct rfcomm_dev *dev = (void *) skb->sk;
 354        atomic_sub(skb->truesize, &dev->wmem_alloc);
 355        if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
 356                tasklet_schedule(&dev->wakeup_task);
 357        rfcomm_dev_put(dev);
 358}
 359
 360static inline void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
 361{
 362        rfcomm_dev_hold(dev);
 363        atomic_add(skb->truesize, &dev->wmem_alloc);
 364        skb->sk = (void *) dev;
 365        skb->destructor = rfcomm_wfree;
 366}
 367
 368static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
 369{
 370        if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
 371                struct sk_buff *skb = alloc_skb(size, priority);
 372                if (skb) {
 373                        rfcomm_set_owner_w(skb, dev);
 374                        return skb;
 375                }
 376        }
 377        return NULL;
 378}
 379
 380/* ---- Device IOCTLs ---- */
 381
 382#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
 383
 384static int rfcomm_create_dev(struct sock *sk, void __user *arg)
 385{
 386        struct rfcomm_dev_req req;
 387        struct rfcomm_dlc *dlc;
 388        int id;
 389
 390        if (copy_from_user(&req, arg, sizeof(req)))
 391                return -EFAULT;
 392
 393        BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
 394
 395        if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
 396                return -EPERM;
 397
 398        if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
 399                /* Socket must be connected */
 400                if (sk->sk_state != BT_CONNECTED)
 401                        return -EBADFD;
 402
 403                dlc = rfcomm_pi(sk)->dlc;
 404                rfcomm_dlc_hold(dlc);
 405        } else {
 406                dlc = rfcomm_dlc_alloc(GFP_KERNEL);
 407                if (!dlc)
 408                        return -ENOMEM;
 409        }
 410
 411        id = rfcomm_dev_add(&req, dlc);
 412        if (id < 0) {
 413                rfcomm_dlc_put(dlc);
 414                return id;
 415        }
 416
 417        if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
 418                /* DLC is now used by device.
 419                 * Socket must be disconnected */
 420                sk->sk_state = BT_CLOSED;
 421        }
 422
 423        return id;
 424}
 425
 426static int rfcomm_release_dev(void __user *arg)
 427{
 428        struct rfcomm_dev_req req;
 429        struct rfcomm_dev *dev;
 430
 431        if (copy_from_user(&req, arg, sizeof(req)))
 432                return -EFAULT;
 433
 434        BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
 435
 436        if (!(dev = rfcomm_dev_get(req.dev_id)))
 437                return -ENODEV;
 438
 439        if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
 440                rfcomm_dev_put(dev);
 441                return -EPERM;
 442        }
 443
 444        if (req.flags & (1 << RFCOMM_HANGUP_NOW))
 445                rfcomm_dlc_close(dev->dlc, 0);
 446
 447        /* Shut down TTY synchronously before freeing rfcomm_dev */
 448        if (dev->tty)
 449                tty_vhangup(dev->tty);
 450
 451        if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
 452                rfcomm_dev_del(dev);
 453        rfcomm_dev_put(dev);
 454        return 0;
 455}
 456
 457static int rfcomm_get_dev_list(void __user *arg)
 458{
 459        struct rfcomm_dev_list_req *dl;
 460        struct rfcomm_dev_info *di;
 461        struct list_head *p;
 462        int n = 0, size, err;
 463        u16 dev_num;
 464
 465        BT_DBG("");
 466
 467        if (get_user(dev_num, (u16 __user *) arg))
 468                return -EFAULT;
 469
 470        if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
 471                return -EINVAL;
 472
 473        size = sizeof(*dl) + dev_num * sizeof(*di);
 474
 475        if (!(dl = kmalloc(size, GFP_KERNEL)))
 476                return -ENOMEM;
 477
 478        di = dl->dev_info;
 479
 480        read_lock_bh(&rfcomm_dev_lock);
 481
 482        list_for_each(p, &rfcomm_dev_list) {
 483                struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
 484                if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
 485                        continue;
 486                (di + n)->id      = dev->id;
 487                (di + n)->flags   = dev->flags;
 488                (di + n)->state   = dev->dlc->state;
 489                (di + n)->channel = dev->channel;
 490                bacpy(&(di + n)->src, &dev->src);
 491                bacpy(&(di + n)->dst, &dev->dst);
 492                if (++n >= dev_num)
 493                        break;
 494        }
 495
 496        read_unlock_bh(&rfcomm_dev_lock);
 497
 498        dl->dev_num = n;
 499        size = sizeof(*dl) + n * sizeof(*di);
 500
 501        err = copy_to_user(arg, dl, size);
 502        kfree(dl);
 503
 504        return err ? -EFAULT : 0;
 505}
 506
 507static int rfcomm_get_dev_info(void __user *arg)
 508{
 509        struct rfcomm_dev *dev;
 510        struct rfcomm_dev_info di;
 511        int err = 0;
 512
 513        BT_DBG("");
 514
 515        if (copy_from_user(&di, arg, sizeof(di)))
 516                return -EFAULT;
 517
 518        if (!(dev = rfcomm_dev_get(di.id)))
 519                return -ENODEV;
 520
 521        di.flags   = dev->flags;
 522        di.channel = dev->channel;
 523        di.state   = dev->dlc->state;
 524        bacpy(&di.src, &dev->src);
 525        bacpy(&di.dst, &dev->dst);
 526
 527        if (copy_to_user(arg, &di, sizeof(di)))
 528                err = -EFAULT;
 529
 530        rfcomm_dev_put(dev);
 531        return err;
 532}
 533
 534int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
 535{
 536        BT_DBG("cmd %d arg %p", cmd, arg);
 537
 538        switch (cmd) {
 539        case RFCOMMCREATEDEV:
 540                return rfcomm_create_dev(sk, arg);
 541
 542        case RFCOMMRELEASEDEV:
 543                return rfcomm_release_dev(arg);
 544
 545        case RFCOMMGETDEVLIST:
 546                return rfcomm_get_dev_list(arg);
 547
 548        case RFCOMMGETDEVINFO:
 549                return rfcomm_get_dev_info(arg);
 550        }
 551
 552        return -EINVAL;
 553}
 554
 555/* ---- DLC callbacks ---- */
 556static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
 557{
 558        struct rfcomm_dev *dev = dlc->owner;
 559        struct tty_struct *tty;
 560
 561        if (!dev) {
 562                kfree_skb(skb);
 563                return;
 564        }
 565
 566        if (!(tty = dev->tty) || !skb_queue_empty(&dev->pending)) {
 567                skb_queue_tail(&dev->pending, skb);
 568                return;
 569        }
 570
 571        BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);
 572
 573        tty_insert_flip_string(tty, skb->data, skb->len);
 574        tty_flip_buffer_push(tty);
 575
 576        kfree_skb(skb);
 577}
 578
 579static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
 580{
 581        struct rfcomm_dev *dev = dlc->owner;
 582        if (!dev)
 583                return;
 584
 585        BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
 586
 587        dev->err = err;
 588        wake_up_interruptible(&dev->wait);
 589
 590        if (dlc->state == BT_CLOSED) {
 591                if (!dev->tty) {
 592                        if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
 593                                /* Drop DLC lock here to avoid deadlock
 594                                 * 1. rfcomm_dev_get will take rfcomm_dev_lock
 595                                 *    but in rfcomm_dev_add there's lock order:
 596                                 *    rfcomm_dev_lock -> dlc lock
 597                                 * 2. rfcomm_dev_put will deadlock if it's
 598                                 *    the last reference
 599                                 */
 600                                rfcomm_dlc_unlock(dlc);
 601                                if (rfcomm_dev_get(dev->id) == NULL) {
 602                                        rfcomm_dlc_lock(dlc);
 603                                        return;
 604                                }
 605
 606                                rfcomm_dev_del(dev);
 607                                rfcomm_dev_put(dev);
 608                                rfcomm_dlc_lock(dlc);
 609                        }
 610                } else
 611                        tty_hangup(dev->tty);
 612        }
 613}
 614
 615static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
 616{
 617        struct rfcomm_dev *dev = dlc->owner;
 618        if (!dev)
 619                return;
 620
 621        BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);
 622
 623        if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV)) {
 624                if (dev->tty && !C_CLOCAL(dev->tty))
 625                        tty_hangup(dev->tty);
 626        }
 627
 628        dev->modem_status =
 629                ((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
 630                ((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
 631                ((v24_sig & RFCOMM_V24_IC)  ? TIOCM_RI : 0) |
 632                ((v24_sig & RFCOMM_V24_DV)  ? TIOCM_CD : 0);
 633}
 634
 635/* ---- TTY functions ---- */
 636static void rfcomm_tty_wakeup(unsigned long arg)
 637{
 638        struct rfcomm_dev *dev = (void *) arg;
 639        struct tty_struct *tty = dev->tty;
 640        if (!tty)
 641                return;
 642
 643        BT_DBG("dev %p tty %p", dev, tty);
 644        tty_wakeup(tty);
 645}
 646
 647static void rfcomm_tty_copy_pending(struct rfcomm_dev *dev)
 648{
 649        struct tty_struct *tty = dev->tty;
 650        struct sk_buff *skb;
 651        int inserted = 0;
 652
 653        if (!tty)
 654                return;
 655
 656        BT_DBG("dev %p tty %p", dev, tty);
 657
 658        rfcomm_dlc_lock(dev->dlc);
 659
 660        while ((skb = skb_dequeue(&dev->pending))) {
 661                inserted += tty_insert_flip_string(tty, skb->data, skb->len);
 662                kfree_skb(skb);
 663        }
 664
 665        rfcomm_dlc_unlock(dev->dlc);
 666
 667        if (inserted > 0)
 668                tty_flip_buffer_push(tty);
 669}
 670
 671static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
 672{
 673        DECLARE_WAITQUEUE(wait, current);
 674        struct rfcomm_dev *dev;
 675        struct rfcomm_dlc *dlc;
 676        int err, id;
 677
 678        id = tty->index;
 679
 680        BT_DBG("tty %p id %d", tty, id);
 681
 682        /* We don't leak this refcount. For reasons which are not entirely
 683           clear, the TTY layer will call our ->close() method even if the
 684           open fails. We decrease the refcount there, and decreasing it
 685           here too would cause breakage. */
 686        dev = rfcomm_dev_get(id);
 687        if (!dev)
 688                return -ENODEV;
 689
 690        BT_DBG("dev %p dst %s channel %d opened %d", dev, batostr(&dev->dst),
 691                                dev->channel, atomic_read(&dev->opened));
 692
 693        if (atomic_inc_return(&dev->opened) > 1)
 694                return 0;
 695
 696        dlc = dev->dlc;
 697
 698        /* Attach TTY and open DLC */
 699
 700        rfcomm_dlc_lock(dlc);
 701        tty->driver_data = dev;
 702        dev->tty = tty;
 703        rfcomm_dlc_unlock(dlc);
 704        set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
 705
 706        err = rfcomm_dlc_open(dlc, &dev->src, &dev->dst, dev->channel);
 707        if (err < 0)
 708                return err;
 709
 710        /* Wait for DLC to connect */
 711        add_wait_queue(&dev->wait, &wait);
 712        while (1) {
 713                set_current_state(TASK_INTERRUPTIBLE);
 714
 715                if (dlc->state == BT_CLOSED) {
 716                        err = -dev->err;
 717                        break;
 718                }
 719
 720                if (dlc->state == BT_CONNECTED)
 721                        break;
 722
 723                if (signal_pending(current)) {
 724                        err = -EINTR;
 725                        break;
 726                }
 727
 728                schedule();
 729        }
 730        set_current_state(TASK_RUNNING);
 731        remove_wait_queue(&dev->wait, &wait);
 732
 733        if (err == 0)
 734                device_move(dev->tty_dev, rfcomm_get_device(dev),
 735                            DPM_ORDER_DEV_AFTER_PARENT);
 736
 737        rfcomm_tty_copy_pending(dev);
 738
 739        rfcomm_dlc_unthrottle(dev->dlc);
 740
 741        return err;
 742}
 743
 744static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
 745{
 746        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
 747        if (!dev)
 748                return;
 749
 750        BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
 751                                                atomic_read(&dev->opened));
 752
 753        if (atomic_dec_and_test(&dev->opened)) {
 754                if (dev->tty_dev->parent)
 755                        device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
 756
 757                /* Close DLC and dettach TTY */
 758                rfcomm_dlc_close(dev->dlc, 0);
 759
 760                clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
 761                tasklet_kill(&dev->wakeup_task);
 762
 763                rfcomm_dlc_lock(dev->dlc);
 764                tty->driver_data = NULL;
 765                dev->tty = NULL;
 766                rfcomm_dlc_unlock(dev->dlc);
 767
 768                if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) {
 769                        write_lock_bh(&rfcomm_dev_lock);
 770                        list_del_init(&dev->list);
 771                        write_unlock_bh(&rfcomm_dev_lock);
 772
 773                        rfcomm_dev_put(dev);
 774                }
 775        }
 776
 777        rfcomm_dev_put(dev);
 778}
 779
 780static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count)
 781{
 782        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
 783        struct rfcomm_dlc *dlc = dev->dlc;
 784        struct sk_buff *skb;
 785        int err = 0, sent = 0, size;
 786
 787        BT_DBG("tty %p count %d", tty, count);
 788
 789        while (count) {
 790                size = min_t(uint, count, dlc->mtu);
 791
 792                skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
 793
 794                if (!skb)
 795                        break;
 796
 797                skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
 798
 799                memcpy(skb_put(skb, size), buf + sent, size);
 800
 801                if ((err = rfcomm_dlc_send(dlc, skb)) < 0) {
 802                        kfree_skb(skb);
 803                        break;
 804                }
 805
 806                sent  += size;
 807                count -= size;
 808        }
 809
 810        return sent ? sent : err;
 811}
 812
 813static int rfcomm_tty_write_room(struct tty_struct *tty)
 814{
 815        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
 816        int room;
 817
 818        BT_DBG("tty %p", tty);
 819
 820        if (!dev || !dev->dlc)
 821                return 0;
 822
 823        room = rfcomm_room(dev->dlc) - atomic_read(&dev->wmem_alloc);
 824        if (room < 0)
 825                room = 0;
 826
 827        return room;
 828}
 829
 830static int rfcomm_tty_ioctl(struct tty_struct *tty, struct file *filp, unsigned int cmd, unsigned long arg)
 831{
 832        BT_DBG("tty %p cmd 0x%02x", tty, cmd);
 833
 834        switch (cmd) {
 835        case TCGETS:
 836                BT_DBG("TCGETS is not supported");
 837                return -ENOIOCTLCMD;
 838
 839        case TCSETS:
 840                BT_DBG("TCSETS is not supported");
 841                return -ENOIOCTLCMD;
 842
 843        case TIOCMIWAIT:
 844                BT_DBG("TIOCMIWAIT");
 845                break;
 846
 847        case TIOCGICOUNT:
 848                BT_DBG("TIOCGICOUNT");
 849                break;
 850
 851        case TIOCGSERIAL:
 852                BT_ERR("TIOCGSERIAL is not supported");
 853                return -ENOIOCTLCMD;
 854
 855        case TIOCSSERIAL:
 856                BT_ERR("TIOCSSERIAL is not supported");
 857                return -ENOIOCTLCMD;
 858
 859        case TIOCSERGSTRUCT:
 860                BT_ERR("TIOCSERGSTRUCT is not supported");
 861                return -ENOIOCTLCMD;
 862
 863        case TIOCSERGETLSR:
 864                BT_ERR("TIOCSERGETLSR is not supported");
 865                return -ENOIOCTLCMD;
 866
 867        case TIOCSERCONFIG:
 868                BT_ERR("TIOCSERCONFIG is not supported");
 869                return -ENOIOCTLCMD;
 870
 871        default:
 872                return -ENOIOCTLCMD;    /* ioctls which we must ignore */
 873
 874        }
 875
 876        return -ENOIOCTLCMD;
 877}
 878
 879static void rfcomm_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
 880{
 881        struct ktermios *new = tty->termios;
 882        int old_baud_rate = tty_termios_baud_rate(old);
 883        int new_baud_rate = tty_termios_baud_rate(new);
 884
 885        u8 baud, data_bits, stop_bits, parity, x_on, x_off;
 886        u16 changes = 0;
 887
 888        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
 889
 890        BT_DBG("tty %p termios %p", tty, old);
 891
 892        if (!dev || !dev->dlc || !dev->dlc->session)
 893                return;
 894
 895        /* Handle turning off CRTSCTS */
 896        if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
 897                BT_DBG("Turning off CRTSCTS unsupported");
 898
 899        /* Parity on/off and when on, odd/even */
 900        if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
 901                        ((old->c_cflag & PARODD) != (new->c_cflag & PARODD)) ) {
 902                changes |= RFCOMM_RPN_PM_PARITY;
 903                BT_DBG("Parity change detected.");
 904        }
 905
 906        /* Mark and space parity are not supported! */
 907        if (new->c_cflag & PARENB) {
 908                if (new->c_cflag & PARODD) {
 909                        BT_DBG("Parity is ODD");
 910                        parity = RFCOMM_RPN_PARITY_ODD;
 911                } else {
 912                        BT_DBG("Parity is EVEN");
 913                        parity = RFCOMM_RPN_PARITY_EVEN;
 914                }
 915        } else {
 916                BT_DBG("Parity is OFF");
 917                parity = RFCOMM_RPN_PARITY_NONE;
 918        }
 919
 920        /* Setting the x_on / x_off characters */
 921        if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
 922                BT_DBG("XOFF custom");
 923                x_on = new->c_cc[VSTOP];
 924                changes |= RFCOMM_RPN_PM_XON;
 925        } else {
 926                BT_DBG("XOFF default");
 927                x_on = RFCOMM_RPN_XON_CHAR;
 928        }
 929
 930        if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
 931                BT_DBG("XON custom");
 932                x_off = new->c_cc[VSTART];
 933                changes |= RFCOMM_RPN_PM_XOFF;
 934        } else {
 935                BT_DBG("XON default");
 936                x_off = RFCOMM_RPN_XOFF_CHAR;
 937        }
 938
 939        /* Handle setting of stop bits */
 940        if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
 941                changes |= RFCOMM_RPN_PM_STOP;
 942
 943        /* POSIX does not support 1.5 stop bits and RFCOMM does not
 944         * support 2 stop bits. So a request for 2 stop bits gets
 945         * translated to 1.5 stop bits */
 946        if (new->c_cflag & CSTOPB) {
 947                stop_bits = RFCOMM_RPN_STOP_15;
 948        } else {
 949                stop_bits = RFCOMM_RPN_STOP_1;
 950        }
 951
 952        /* Handle number of data bits [5-8] */
 953        if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
 954                changes |= RFCOMM_RPN_PM_DATA;
 955
 956        switch (new->c_cflag & CSIZE) {
 957        case CS5:
 958                data_bits = RFCOMM_RPN_DATA_5;
 959                break;
 960        case CS6:
 961                data_bits = RFCOMM_RPN_DATA_6;
 962                break;
 963        case CS7:
 964                data_bits = RFCOMM_RPN_DATA_7;
 965                break;
 966        case CS8:
 967                data_bits = RFCOMM_RPN_DATA_8;
 968                break;
 969        default:
 970                data_bits = RFCOMM_RPN_DATA_8;
 971                break;
 972        }
 973
 974        /* Handle baudrate settings */
 975        if (old_baud_rate != new_baud_rate)
 976                changes |= RFCOMM_RPN_PM_BITRATE;
 977
 978        switch (new_baud_rate) {
 979        case 2400:
 980                baud = RFCOMM_RPN_BR_2400;
 981                break;
 982        case 4800:
 983                baud = RFCOMM_RPN_BR_4800;
 984                break;
 985        case 7200:
 986                baud = RFCOMM_RPN_BR_7200;
 987                break;
 988        case 9600:
 989                baud = RFCOMM_RPN_BR_9600;
 990                break;
 991        case 19200:
 992                baud = RFCOMM_RPN_BR_19200;
 993                break;
 994        case 38400:
 995                baud = RFCOMM_RPN_BR_38400;
 996                break;
 997        case 57600:
 998                baud = RFCOMM_RPN_BR_57600;
 999                break;
1000        case 115200:

1001                baud = RFCOMM_RPN_BR_115200;
1002                break;
1003        case 230400:
1004                baud = RFCOMM_RPN_BR_230400;
1005                break;
1006        default:
1007                /* 9600 is standard accordinag to the RFCOMM specification */
1008                baud = RFCOMM_RPN_BR_9600;
1009                break;
1010
1011        }
1012
1013        if (changes)
1014                rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
1015                                data_bits, stop_bits, parity,
1016                                RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
1017
1018        return;
1019}
1020
1021static void rfcomm_tty_throttle(struct tty_struct *tty)
1022{
1023        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1024
1025        BT_DBG("tty %p dev %p", tty, dev);
1026
1027        rfcomm_dlc_throttle(dev->dlc);
1028}
1029
1030static void rfcomm_tty_unthrottle(struct tty_struct *tty)
1031{
1032        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1033
1034        BT_DBG("tty %p dev %p", tty, dev);
1035
1036        rfcomm_dlc_unthrottle(dev->dlc);
1037}
1038
1039static int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
1040{
1041        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1042
1043        BT_DBG("tty %p dev %p", tty, dev);
1044
1045        if (!dev || !dev->dlc)
1046                return 0;
1047
1048        if (!skb_queue_empty(&dev->dlc->tx_queue))
1049                return dev->dlc->mtu;
1050
1051        return 0;
1052}
1053
1054static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
1055{
1056        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1057
1058        BT_DBG("tty %p dev %p", tty, dev);
1059
1060        if (!dev || !dev->dlc)
1061                return;
1062
1063        skb_queue_purge(&dev->dlc->tx_queue);
1064        tty_wakeup(tty);
1065}
1066
1067static void rfcomm_tty_send_xchar(struct tty_struct *tty, char ch)
1068{
1069        BT_DBG("tty %p ch %c", tty, ch);
1070}
1071
1072static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
1073{
1074        BT_DBG("tty %p timeout %d", tty, timeout);
1075}
1076
1077static void rfcomm_tty_hangup(struct tty_struct *tty)
1078{
1079        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1080
1081        BT_DBG("tty %p dev %p", tty, dev);
1082
1083        if (!dev)
1084                return;
1085
1086        rfcomm_tty_flush_buffer(tty);
1087
1088        if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
1089                if (rfcomm_dev_get(dev->id) == NULL)
1090                        return;
1091                rfcomm_dev_del(dev);
1092                rfcomm_dev_put(dev);
1093        }
1094}
1095
1096static int rfcomm_tty_tiocmget(struct tty_struct *tty, struct file *filp)
1097{
1098        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1099
1100        BT_DBG("tty %p dev %p", tty, dev);
1101
1102        return dev->modem_status;
1103}
1104
1105static int rfcomm_tty_tiocmset(struct tty_struct *tty, struct file *filp, unsigned int set, unsigned int clear)
1106{
1107        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1108        struct rfcomm_dlc *dlc = dev->dlc;
1109        u8 v24_sig;
1110
1111        BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);
1112
1113        rfcomm_dlc_get_modem_status(dlc, &v24_sig);
1114
1115        if (set & TIOCM_DSR || set & TIOCM_DTR)
1116                v24_sig |= RFCOMM_V24_RTC;
1117        if (set & TIOCM_RTS || set & TIOCM_CTS)
1118                v24_sig |= RFCOMM_V24_RTR;
1119        if (set & TIOCM_RI)
1120                v24_sig |= RFCOMM_V24_IC;
1121        if (set & TIOCM_CD)
1122                v24_sig |= RFCOMM_V24_DV;
1123
1124        if (clear & TIOCM_DSR || clear & TIOCM_DTR)
1125                v24_sig &= ~RFCOMM_V24_RTC;
1126        if (clear & TIOCM_RTS || clear & TIOCM_CTS)
1127                v24_sig &= ~RFCOMM_V24_RTR;
1128        if (clear & TIOCM_RI)
1129                v24_sig &= ~RFCOMM_V24_IC;
1130        if (clear & TIOCM_CD)
1131                v24_sig &= ~RFCOMM_V24_DV;
1132
1133        rfcomm_dlc_set_modem_status(dlc, v24_sig);
1134
1135        return 0;
1136}
1137
1138/* ---- TTY structure ---- */
1139
1140static const struct tty_operations rfcomm_ops = {
1141        .open                   = rfcomm_tty_open,
1142        .close                  = rfcomm_tty_close,
1143        .write                  = rfcomm_tty_write,
1144        .write_room             = rfcomm_tty_write_room,
1145        .chars_in_buffer        = rfcomm_tty_chars_in_buffer,
1146        .flush_buffer           = rfcomm_tty_flush_buffer,
1147        .ioctl                  = rfcomm_tty_ioctl,
1148        .throttle               = rfcomm_tty_throttle,
1149        .unthrottle             = rfcomm_tty_unthrottle,
1150        .set_termios            = rfcomm_tty_set_termios,
1151        .send_xchar             = rfcomm_tty_send_xchar,
1152        .hangup                 = rfcomm_tty_hangup,
1153        .wait_until_sent        = rfcomm_tty_wait_until_sent,
1154        .tiocmget               = rfcomm_tty_tiocmget,
1155        .tiocmset               = rfcomm_tty_tiocmset,
1156};
1157
1158int rfcomm_init_ttys(void)
1159{
1160        rfcomm_tty_driver = alloc_tty_driver(RFCOMM_TTY_PORTS);
1161        if (!rfcomm_tty_driver)
1162                return -1;
1163
1164        rfcomm_tty_driver->owner        = THIS_MODULE;
1165        rfcomm_tty_driver->driver_name  = "rfcomm";
1166        rfcomm_tty_driver->name         = "rfcomm";
1167        rfcomm_tty_driver->major        = RFCOMM_TTY_MAJOR;
1168        rfcomm_tty_driver->minor_start  = RFCOMM_TTY_MINOR;
1169        rfcomm_tty_driver->type         = TTY_DRIVER_TYPE_SERIAL;
1170        rfcomm_tty_driver->subtype      = SERIAL_TYPE_NORMAL;
1171        rfcomm_tty_driver->flags        = TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;
1172        rfcomm_tty_driver->init_termios = tty_std_termios;
1173        rfcomm_tty_driver->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL;
1174        rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1175        tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1176
1177        if (tty_register_driver(rfcomm_tty_driver)) {
1178                BT_ERR("Can't register RFCOMM TTY driver");
1179                put_tty_driver(rfcomm_tty_driver);
1180                return -1;
1181        }
1182
1183        BT_INFO("RFCOMM TTY layer initialized");
1184
1185        return 0;
1186}
1187
1188void rfcomm_cleanup_ttys(void)
1189{
1190        tty_unregister_driver(rfcomm_tty_driver);
1191        put_tty_driver(rfcomm_tty_driver);
1192}
1193