• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM TTY.
26  */
27 
28 #include <linux/module.h>
29 
30 #include <linux/tty.h>
31 #include <linux/tty_driver.h>
32 #include <linux/tty_flip.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
39 #define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
40 #define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
41 #define RFCOMM_TTY_MINOR 0
42 
43 static DEFINE_MUTEX(rfcomm_ioctl_mutex);
44 static struct tty_driver *rfcomm_tty_driver;
45 
46 struct rfcomm_dev {
47 	struct tty_port		port;
48 	struct list_head	list;
49 
50 	char			name[12];
51 	int			id;
52 	unsigned long		flags;
53 	int			err;
54 
55 	unsigned long		status;		/* don't export to userspace */
56 
57 	bdaddr_t		src;
58 	bdaddr_t		dst;
59 	u8			channel;
60 
61 	uint			modem_status;
62 
63 	struct rfcomm_dlc	*dlc;
64 
65 	struct device		*tty_dev;
66 
67 	atomic_t		wmem_alloc;
68 
69 	struct sk_buff_head	pending;
70 };
71 
72 static LIST_HEAD(rfcomm_dev_list);
73 static DEFINE_MUTEX(rfcomm_dev_lock);
74 
75 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
76 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
77 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
78 
79 /* ---- Device functions ---- */
80 
rfcomm_dev_destruct(struct tty_port * port)81 static void rfcomm_dev_destruct(struct tty_port *port)
82 {
83 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
84 	struct rfcomm_dlc *dlc = dev->dlc;
85 
86 	BT_DBG("dev %p dlc %p", dev, dlc);
87 
88 	rfcomm_dlc_lock(dlc);
89 	/* Detach DLC if it's owned by this dev */
90 	if (dlc->owner == dev)
91 		dlc->owner = NULL;
92 	rfcomm_dlc_unlock(dlc);
93 
94 	rfcomm_dlc_put(dlc);
95 
96 	if (dev->tty_dev)
97 		tty_unregister_device(rfcomm_tty_driver, dev->id);
98 
99 	mutex_lock(&rfcomm_dev_lock);
100 	list_del(&dev->list);
101 	mutex_unlock(&rfcomm_dev_lock);
102 
103 	kfree(dev);
104 
105 	/* It's safe to call module_put() here because socket still
106 	   holds reference to this module. */
107 	module_put(THIS_MODULE);
108 }
109 
110 /* device-specific initialization: open the dlc */
rfcomm_dev_activate(struct tty_port * port,struct tty_struct * tty)111 static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
112 {
113 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
114 	int err;
115 
116 	err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
117 	if (err)
118 		set_bit(TTY_IO_ERROR, &tty->flags);
119 	return err;
120 }
121 
122 /* we block the open until the dlc->state becomes BT_CONNECTED */
rfcomm_dev_carrier_raised(struct tty_port * port)123 static int rfcomm_dev_carrier_raised(struct tty_port *port)
124 {
125 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
126 
127 	return (dev->dlc->state == BT_CONNECTED);
128 }
129 
130 /* device-specific cleanup: close the dlc */
rfcomm_dev_shutdown(struct tty_port * port)131 static void rfcomm_dev_shutdown(struct tty_port *port)
132 {
133 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
134 
135 	if (dev->tty_dev->parent)
136 		device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
137 
138 	/* close the dlc */
139 	rfcomm_dlc_close(dev->dlc, 0);
140 }
141 
142 static const struct tty_port_operations rfcomm_port_ops = {
143 	.destruct = rfcomm_dev_destruct,
144 	.activate = rfcomm_dev_activate,
145 	.shutdown = rfcomm_dev_shutdown,
146 	.carrier_raised = rfcomm_dev_carrier_raised,
147 };
148 
__rfcomm_dev_lookup(int id)149 static struct rfcomm_dev *__rfcomm_dev_lookup(int id)
150 {
151 	struct rfcomm_dev *dev;
152 
153 	list_for_each_entry(dev, &rfcomm_dev_list, list)
154 		if (dev->id == id)
155 			return dev;
156 
157 	return NULL;
158 }
159 
rfcomm_dev_get(int id)160 static struct rfcomm_dev *rfcomm_dev_get(int id)
161 {
162 	struct rfcomm_dev *dev;
163 
164 	mutex_lock(&rfcomm_dev_lock);
165 
166 	dev = __rfcomm_dev_lookup(id);
167 
168 	if (dev && !tty_port_get(&dev->port))
169 		dev = NULL;
170 
171 	mutex_unlock(&rfcomm_dev_lock);
172 
173 	return dev;
174 }
175 
rfcomm_reparent_device(struct rfcomm_dev * dev)176 static void rfcomm_reparent_device(struct rfcomm_dev *dev)
177 {
178 	struct hci_dev *hdev;
179 	struct hci_conn *conn;
180 
181 	hdev = hci_get_route(&dev->dst, &dev->src, BDADDR_BREDR);
182 	if (!hdev)
183 		return;
184 
185 	/* The lookup results are unsafe to access without the
186 	 * hci device lock (FIXME: why is this not documented?)
187 	 */
188 	hci_dev_lock(hdev);
189 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
190 
191 	/* Just because the acl link is in the hash table is no
192 	 * guarantee the sysfs device has been added ...
193 	 */
194 	if (conn && device_is_registered(&conn->dev))
195 		device_move(dev->tty_dev, &conn->dev, DPM_ORDER_DEV_AFTER_PARENT);
196 
197 	hci_dev_unlock(hdev);
198 	hci_dev_put(hdev);
199 }
200 
show_address(struct device * tty_dev,struct device_attribute * attr,char * buf)201 static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
202 {
203 	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
204 	return sprintf(buf, "%pMR\n", &dev->dst);
205 }
206 
show_channel(struct device * tty_dev,struct device_attribute * attr,char * buf)207 static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
208 {
209 	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
210 	return sprintf(buf, "%d\n", dev->channel);
211 }
212 
213 static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
214 static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
215 
__rfcomm_dev_add(struct rfcomm_dev_req * req,struct rfcomm_dlc * dlc)216 static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
217 					   struct rfcomm_dlc *dlc)
218 {
219 	struct rfcomm_dev *dev, *entry;
220 	struct list_head *head = &rfcomm_dev_list;
221 	int err = 0;
222 
223 	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
224 	if (!dev)
225 		return ERR_PTR(-ENOMEM);
226 
227 	mutex_lock(&rfcomm_dev_lock);
228 
229 	if (req->dev_id < 0) {
230 		dev->id = 0;
231 
232 		list_for_each_entry(entry, &rfcomm_dev_list, list) {
233 			if (entry->id != dev->id)
234 				break;
235 
236 			dev->id++;
237 			head = &entry->list;
238 		}
239 	} else {
240 		dev->id = req->dev_id;
241 
242 		list_for_each_entry(entry, &rfcomm_dev_list, list) {
243 			if (entry->id == dev->id) {
244 				err = -EADDRINUSE;
245 				goto out;
246 			}
247 
248 			if (entry->id > dev->id - 1)
249 				break;
250 
251 			head = &entry->list;
252 		}
253 	}
254 
255 	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
256 		err = -ENFILE;
257 		goto out;
258 	}
259 
260 	sprintf(dev->name, "rfcomm%d", dev->id);
261 
262 	list_add(&dev->list, head);
263 
264 	bacpy(&dev->src, &req->src);
265 	bacpy(&dev->dst, &req->dst);
266 	dev->channel = req->channel;
267 
268 	dev->flags = req->flags &
269 		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));
270 
271 	tty_port_init(&dev->port);
272 	dev->port.ops = &rfcomm_port_ops;
273 
274 	skb_queue_head_init(&dev->pending);
275 
276 	rfcomm_dlc_lock(dlc);
277 
278 	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
279 		struct sock *sk = dlc->owner;
280 		struct sk_buff *skb;
281 
282 		BUG_ON(!sk);
283 
284 		rfcomm_dlc_throttle(dlc);
285 
286 		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
287 			skb_orphan(skb);
288 			skb_queue_tail(&dev->pending, skb);
289 			atomic_sub(skb->len, &sk->sk_rmem_alloc);
290 		}
291 	}
292 
293 	dlc->data_ready   = rfcomm_dev_data_ready;
294 	dlc->state_change = rfcomm_dev_state_change;
295 	dlc->modem_status = rfcomm_dev_modem_status;
296 
297 	dlc->owner = dev;
298 	dev->dlc   = dlc;
299 
300 	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
301 
302 	rfcomm_dlc_unlock(dlc);
303 
304 	/* It's safe to call __module_get() here because socket already
305 	   holds reference to this module. */
306 	__module_get(THIS_MODULE);
307 
308 	mutex_unlock(&rfcomm_dev_lock);
309 	return dev;
310 
311 out:
312 	mutex_unlock(&rfcomm_dev_lock);
313 	kfree(dev);
314 	return ERR_PTR(err);
315 }
316 
rfcomm_dev_add(struct rfcomm_dev_req * req,struct rfcomm_dlc * dlc)317 static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
318 {
319 	struct rfcomm_dev *dev;
320 	struct device *tty;
321 
322 	BT_DBG("id %d channel %d", req->dev_id, req->channel);
323 
324 	dev = __rfcomm_dev_add(req, dlc);
325 	if (IS_ERR(dev)) {
326 		rfcomm_dlc_put(dlc);
327 		return PTR_ERR(dev);
328 	}
329 
330 	tty = tty_port_register_device(&dev->port, rfcomm_tty_driver,
331 			dev->id, NULL);
332 	if (IS_ERR(tty)) {
333 		tty_port_put(&dev->port);
334 		return PTR_ERR(tty);
335 	}
336 
337 	dev->tty_dev = tty;
338 	rfcomm_reparent_device(dev);
339 	dev_set_drvdata(dev->tty_dev, dev);
340 
341 	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
342 		BT_ERR("Failed to create address attribute");
343 
344 	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
345 		BT_ERR("Failed to create channel attribute");
346 
347 	return dev->id;
348 }
349 
350 /* ---- Send buffer ---- */
rfcomm_room(struct rfcomm_dev * dev)351 static inline unsigned int rfcomm_room(struct rfcomm_dev *dev)
352 {
353 	struct rfcomm_dlc *dlc = dev->dlc;
354 
355 	/* Limit the outstanding number of packets not yet sent to 40 */
356 	int pending = 40 - atomic_read(&dev->wmem_alloc);
357 
358 	return max(0, pending) * dlc->mtu;
359 }
360 
rfcomm_wfree(struct sk_buff * skb)361 static void rfcomm_wfree(struct sk_buff *skb)
362 {
363 	struct rfcomm_dev *dev = (void *) skb->sk;
364 	atomic_dec(&dev->wmem_alloc);
365 	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
366 		tty_port_tty_wakeup(&dev->port);
367 	tty_port_put(&dev->port);
368 }
369 
rfcomm_set_owner_w(struct sk_buff * skb,struct rfcomm_dev * dev)370 static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
371 {
372 	tty_port_get(&dev->port);
373 	atomic_inc(&dev->wmem_alloc);
374 	skb->sk = (void *) dev;
375 	skb->destructor = rfcomm_wfree;
376 }
377 
rfcomm_wmalloc(struct rfcomm_dev * dev,unsigned long size,gfp_t priority)378 static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
379 {
380 	struct sk_buff *skb = alloc_skb(size, priority);
381 	if (skb)
382 		rfcomm_set_owner_w(skb, dev);
383 	return skb;
384 }
385 
386 /* ---- Device IOCTLs ---- */
387 
388 #define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
389 
__rfcomm_create_dev(struct sock * sk,void __user * arg)390 static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
391 {
392 	struct rfcomm_dev_req req;
393 	struct rfcomm_dlc *dlc;
394 	int id;
395 
396 	if (copy_from_user(&req, arg, sizeof(req)))
397 		return -EFAULT;
398 
399 	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
400 
401 	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
402 		return -EPERM;
403 
404 	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
405 		/* Socket must be connected */
406 		if (sk->sk_state != BT_CONNECTED)
407 			return -EBADFD;
408 
409 		dlc = rfcomm_pi(sk)->dlc;
410 		rfcomm_dlc_hold(dlc);
411 	} else {
412 		/* Validate the channel is unused */
413 		dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
414 		if (IS_ERR(dlc))
415 			return PTR_ERR(dlc);
416 		else if (dlc) {
417 			rfcomm_dlc_put(dlc);
418 			return -EBUSY;
419 		}
420 		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
421 		if (!dlc)
422 			return -ENOMEM;
423 	}
424 
425 	id = rfcomm_dev_add(&req, dlc);
426 	if (id < 0)
427 		return id;
428 
429 	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
430 		/* DLC is now used by device.
431 		 * Socket must be disconnected */
432 		sk->sk_state = BT_CLOSED;
433 	}
434 
435 	return id;
436 }
437 
__rfcomm_release_dev(void __user * arg)438 static int __rfcomm_release_dev(void __user *arg)
439 {
440 	struct rfcomm_dev_req req;
441 	struct rfcomm_dev *dev;
442 	struct tty_struct *tty;
443 
444 	if (copy_from_user(&req, arg, sizeof(req)))
445 		return -EFAULT;
446 
447 	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
448 
449 	dev = rfcomm_dev_get(req.dev_id);
450 	if (!dev)
451 		return -ENODEV;
452 
453 	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
454 		tty_port_put(&dev->port);
455 		return -EPERM;
456 	}
457 
458 	/* only release once */
459 	if (test_and_set_bit(RFCOMM_DEV_RELEASED, &dev->status)) {
460 		tty_port_put(&dev->port);
461 		return -EALREADY;
462 	}
463 
464 	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
465 		rfcomm_dlc_close(dev->dlc, 0);
466 
467 	/* Shut down TTY synchronously before freeing rfcomm_dev */
468 	tty = tty_port_tty_get(&dev->port);
469 	if (tty) {
470 		tty_vhangup(tty);
471 		tty_kref_put(tty);
472 	}
473 
474 	if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
475 		tty_port_put(&dev->port);
476 
477 	tty_port_put(&dev->port);
478 	return 0;
479 }
480 
rfcomm_create_dev(struct sock * sk,void __user * arg)481 static int rfcomm_create_dev(struct sock *sk, void __user *arg)
482 {
483 	int ret;
484 
485 	mutex_lock(&rfcomm_ioctl_mutex);
486 	ret = __rfcomm_create_dev(sk, arg);
487 	mutex_unlock(&rfcomm_ioctl_mutex);
488 
489 	return ret;
490 }
491 
rfcomm_release_dev(void __user * arg)492 static int rfcomm_release_dev(void __user *arg)
493 {
494 	int ret;
495 
496 	mutex_lock(&rfcomm_ioctl_mutex);
497 	ret = __rfcomm_release_dev(arg);
498 	mutex_unlock(&rfcomm_ioctl_mutex);
499 
500 	return ret;
501 }
502 
rfcomm_get_dev_list(void __user * arg)503 static int rfcomm_get_dev_list(void __user *arg)
504 {
505 	struct rfcomm_dev *dev;
506 	struct rfcomm_dev_list_req *dl;
507 	struct rfcomm_dev_info *di;
508 	int n = 0, size, err;
509 	u16 dev_num;
510 
511 	BT_DBG("");
512 
513 	if (get_user(dev_num, (u16 __user *) arg))
514 		return -EFAULT;
515 
516 	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
517 		return -EINVAL;
518 
519 	size = sizeof(*dl) + dev_num * sizeof(*di);
520 
521 	dl = kzalloc(size, GFP_KERNEL);
522 	if (!dl)
523 		return -ENOMEM;
524 
525 	di = dl->dev_info;
526 
527 	mutex_lock(&rfcomm_dev_lock);
528 
529 	list_for_each_entry(dev, &rfcomm_dev_list, list) {
530 		if (!tty_port_get(&dev->port))
531 			continue;
532 		(di + n)->id      = dev->id;
533 		(di + n)->flags   = dev->flags;
534 		(di + n)->state   = dev->dlc->state;
535 		(di + n)->channel = dev->channel;
536 		bacpy(&(di + n)->src, &dev->src);
537 		bacpy(&(di + n)->dst, &dev->dst);
538 		tty_port_put(&dev->port);
539 		if (++n >= dev_num)
540 			break;
541 	}
542 
543 	mutex_unlock(&rfcomm_dev_lock);
544 
545 	dl->dev_num = n;
546 	size = sizeof(*dl) + n * sizeof(*di);
547 
548 	err = copy_to_user(arg, dl, size);
549 	kfree(dl);
550 
551 	return err ? -EFAULT : 0;
552 }
553 
rfcomm_get_dev_info(void __user * arg)554 static int rfcomm_get_dev_info(void __user *arg)
555 {
556 	struct rfcomm_dev *dev;
557 	struct rfcomm_dev_info di;
558 	int err = 0;
559 
560 	BT_DBG("");
561 
562 	if (copy_from_user(&di, arg, sizeof(di)))
563 		return -EFAULT;
564 
565 	dev = rfcomm_dev_get(di.id);
566 	if (!dev)
567 		return -ENODEV;
568 
569 	di.flags   = dev->flags;
570 	di.channel = dev->channel;
571 	di.state   = dev->dlc->state;
572 	bacpy(&di.src, &dev->src);
573 	bacpy(&di.dst, &dev->dst);
574 
575 	if (copy_to_user(arg, &di, sizeof(di)))
576 		err = -EFAULT;
577 
578 	tty_port_put(&dev->port);
579 	return err;
580 }
581 
rfcomm_dev_ioctl(struct sock * sk,unsigned int cmd,void __user * arg)582 int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
583 {
584 	BT_DBG("cmd %d arg %p", cmd, arg);
585 
586 	switch (cmd) {
587 	case RFCOMMCREATEDEV:
588 		return rfcomm_create_dev(sk, arg);
589 
590 	case RFCOMMRELEASEDEV:
591 		return rfcomm_release_dev(arg);
592 
593 	case RFCOMMGETDEVLIST:
594 		return rfcomm_get_dev_list(arg);
595 
596 	case RFCOMMGETDEVINFO:
597 		return rfcomm_get_dev_info(arg);
598 	}
599 
600 	return -EINVAL;
601 }
602 
603 /* ---- DLC callbacks ---- */
rfcomm_dev_data_ready(struct rfcomm_dlc * dlc,struct sk_buff * skb)604 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
605 {
606 	struct rfcomm_dev *dev = dlc->owner;
607 
608 	if (!dev) {
609 		kfree_skb(skb);
610 		return;
611 	}
612 
613 	if (!skb_queue_empty(&dev->pending)) {
614 		skb_queue_tail(&dev->pending, skb);
615 		return;
616 	}
617 
618 	BT_DBG("dlc %p len %d", dlc, skb->len);
619 
620 	tty_insert_flip_string(&dev->port, skb->data, skb->len);
621 	tty_flip_buffer_push(&dev->port);
622 
623 	kfree_skb(skb);
624 }
625 
rfcomm_dev_state_change(struct rfcomm_dlc * dlc,int err)626 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
627 {
628 	struct rfcomm_dev *dev = dlc->owner;
629 	if (!dev)
630 		return;
631 
632 	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
633 
634 	dev->err = err;
635 	if (dlc->state == BT_CONNECTED) {
636 		rfcomm_reparent_device(dev);
637 
638 		wake_up_interruptible(&dev->port.open_wait);
639 	} else if (dlc->state == BT_CLOSED)
640 		tty_port_tty_hangup(&dev->port, false);
641 }
642 
rfcomm_dev_modem_status(struct rfcomm_dlc * dlc,u8 v24_sig)643 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
644 {
645 	struct rfcomm_dev *dev = dlc->owner;
646 	if (!dev)
647 		return;
648 
649 	BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);
650 
651 	if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV))
652 		tty_port_tty_hangup(&dev->port, true);
653 
654 	dev->modem_status =
655 		((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
656 		((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
657 		((v24_sig & RFCOMM_V24_IC)  ? TIOCM_RI : 0) |
658 		((v24_sig & RFCOMM_V24_DV)  ? TIOCM_CD : 0);
659 }
660 
661 /* ---- TTY functions ---- */
rfcomm_tty_copy_pending(struct rfcomm_dev * dev)662 static void rfcomm_tty_copy_pending(struct rfcomm_dev *dev)
663 {
664 	struct sk_buff *skb;
665 	int inserted = 0;
666 
667 	BT_DBG("dev %p", dev);
668 
669 	rfcomm_dlc_lock(dev->dlc);
670 
671 	while ((skb = skb_dequeue(&dev->pending))) {
672 		inserted += tty_insert_flip_string(&dev->port, skb->data,
673 				skb->len);
674 		kfree_skb(skb);
675 	}
676 
677 	rfcomm_dlc_unlock(dev->dlc);
678 
679 	if (inserted > 0)
680 		tty_flip_buffer_push(&dev->port);
681 }
682 
683 /* do the reverse of install, clearing the tty fields and releasing the
684  * reference to tty_port
685  */
rfcomm_tty_cleanup(struct tty_struct * tty)686 static void rfcomm_tty_cleanup(struct tty_struct *tty)
687 {
688 	struct rfcomm_dev *dev = tty->driver_data;
689 
690 	clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
691 
692 	rfcomm_dlc_lock(dev->dlc);
693 	tty->driver_data = NULL;
694 	rfcomm_dlc_unlock(dev->dlc);
695 
696 	/*
697 	 * purge the dlc->tx_queue to avoid circular dependencies
698 	 * between dev and dlc
699 	 */
700 	skb_queue_purge(&dev->dlc->tx_queue);
701 
702 	tty_port_put(&dev->port);
703 }
704 
705 /* we acquire the tty_port reference since it's here the tty is first used
706  * by setting the termios. We also populate the driver_data field and install
707  * the tty port
708  */
rfcomm_tty_install(struct tty_driver * driver,struct tty_struct * tty)709 static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
710 {
711 	struct rfcomm_dev *dev;
712 	struct rfcomm_dlc *dlc;
713 	int err;
714 
715 	dev = rfcomm_dev_get(tty->index);
716 	if (!dev)
717 		return -ENODEV;
718 
719 	dlc = dev->dlc;
720 
721 	/* Attach TTY and open DLC */
722 	rfcomm_dlc_lock(dlc);
723 	tty->driver_data = dev;
724 	rfcomm_dlc_unlock(dlc);
725 	set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
726 
727 	/* install the tty_port */
728 	err = tty_port_install(&dev->port, driver, tty);
729 	if (err) {
730 		rfcomm_tty_cleanup(tty);
731 		return err;
732 	}
733 
734 	/* take over the tty_port reference if the port was created with the
735 	 * flag RFCOMM_RELEASE_ONHUP. This will force the release of the port
736 	 * when the last process closes the tty. The behaviour is expected by
737 	 * userspace.
738 	 */
739 	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
740 		set_bit(RFCOMM_TTY_OWNED, &dev->status);
741 		tty_port_put(&dev->port);
742 	}
743 
744 	return 0;
745 }
746 
rfcomm_tty_open(struct tty_struct * tty,struct file * filp)747 static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
748 {
749 	struct rfcomm_dev *dev = tty->driver_data;
750 	int err;
751 
752 	BT_DBG("tty %p id %d", tty, tty->index);
753 
754 	BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
755 	       dev->channel, dev->port.count);
756 
757 	err = tty_port_open(&dev->port, tty, filp);
758 	if (err)
759 		return err;
760 
761 	/*
762 	 * FIXME: rfcomm should use proper flow control for
763 	 * received data. This hack will be unnecessary and can
764 	 * be removed when that's implemented
765 	 */
766 	rfcomm_tty_copy_pending(dev);
767 
768 	rfcomm_dlc_unthrottle(dev->dlc);
769 
770 	return 0;
771 }
772 
rfcomm_tty_close(struct tty_struct * tty,struct file * filp)773 static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
774 {
775 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
776 
777 	BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
778 						dev->port.count);
779 
780 	tty_port_close(&dev->port, tty, filp);
781 }
782 
rfcomm_tty_write(struct tty_struct * tty,const unsigned char * buf,int count)783 static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count)
784 {
785 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
786 	struct rfcomm_dlc *dlc = dev->dlc;
787 	struct sk_buff *skb;
788 	int sent = 0, size;
789 
790 	BT_DBG("tty %p count %d", tty, count);
791 
792 	while (count) {
793 		size = min_t(uint, count, dlc->mtu);
794 
795 		skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
796 		if (!skb)
797 			break;
798 
799 		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
800 
801 		memcpy(skb_put(skb, size), buf + sent, size);
802 
803 		rfcomm_dlc_send_noerror(dlc, skb);
804 
805 		sent  += size;
806 		count -= size;
807 	}
808 
809 	return sent;
810 }
811 
rfcomm_tty_write_room(struct tty_struct * tty)812 static int rfcomm_tty_write_room(struct tty_struct *tty)
813 {
814 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
815 	int room = 0;
816 
817 	if (dev && dev->dlc)
818 		room = rfcomm_room(dev);
819 
820 	BT_DBG("tty %p room %d", tty, room);
821 
822 	return room;
823 }
824 
rfcomm_tty_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)825 static int rfcomm_tty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
826 {
827 	BT_DBG("tty %p cmd 0x%02x", tty, cmd);
828 
829 	switch (cmd) {
830 	case TCGETS:
831 		BT_DBG("TCGETS is not supported");
832 		return -ENOIOCTLCMD;
833 
834 	case TCSETS:
835 		BT_DBG("TCSETS is not supported");
836 		return -ENOIOCTLCMD;
837 
838 	case TIOCMIWAIT:
839 		BT_DBG("TIOCMIWAIT");
840 		break;
841 
842 	case TIOCGSERIAL:
843 		BT_ERR("TIOCGSERIAL is not supported");
844 		return -ENOIOCTLCMD;
845 
846 	case TIOCSSERIAL:
847 		BT_ERR("TIOCSSERIAL is not supported");
848 		return -ENOIOCTLCMD;
849 
850 	case TIOCSERGSTRUCT:
851 		BT_ERR("TIOCSERGSTRUCT is not supported");
852 		return -ENOIOCTLCMD;
853 
854 	case TIOCSERGETLSR:
855 		BT_ERR("TIOCSERGETLSR is not supported");
856 		return -ENOIOCTLCMD;
857 
858 	case TIOCSERCONFIG:
859 		BT_ERR("TIOCSERCONFIG is not supported");
860 		return -ENOIOCTLCMD;
861 
862 	default:
863 		return -ENOIOCTLCMD;	/* ioctls which we must ignore */
864 
865 	}
866 
867 	return -ENOIOCTLCMD;
868 }
869 
rfcomm_tty_set_termios(struct tty_struct * tty,struct ktermios * old)870 static void rfcomm_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
871 {
872 	struct ktermios *new = &tty->termios;
873 	int old_baud_rate = tty_termios_baud_rate(old);
874 	int new_baud_rate = tty_termios_baud_rate(new);
875 
876 	u8 baud, data_bits, stop_bits, parity, x_on, x_off;
877 	u16 changes = 0;
878 
879 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
880 
881 	BT_DBG("tty %p termios %p", tty, old);
882 
883 	if (!dev || !dev->dlc || !dev->dlc->session)
884 		return;
885 
886 	/* Handle turning off CRTSCTS */
887 	if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
888 		BT_DBG("Turning off CRTSCTS unsupported");
889 
890 	/* Parity on/off and when on, odd/even */
891 	if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
892 			((old->c_cflag & PARODD) != (new->c_cflag & PARODD))) {
893 		changes |= RFCOMM_RPN_PM_PARITY;
894 		BT_DBG("Parity change detected.");
895 	}
896 
897 	/* Mark and space parity are not supported! */
898 	if (new->c_cflag & PARENB) {
899 		if (new->c_cflag & PARODD) {
900 			BT_DBG("Parity is ODD");
901 			parity = RFCOMM_RPN_PARITY_ODD;
902 		} else {
903 			BT_DBG("Parity is EVEN");
904 			parity = RFCOMM_RPN_PARITY_EVEN;
905 		}
906 	} else {
907 		BT_DBG("Parity is OFF");
908 		parity = RFCOMM_RPN_PARITY_NONE;
909 	}
910 
911 	/* Setting the x_on / x_off characters */
912 	if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
913 		BT_DBG("XOFF custom");
914 		x_on = new->c_cc[VSTOP];
915 		changes |= RFCOMM_RPN_PM_XON;
916 	} else {
917 		BT_DBG("XOFF default");
918 		x_on = RFCOMM_RPN_XON_CHAR;
919 	}
920 
921 	if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
922 		BT_DBG("XON custom");
923 		x_off = new->c_cc[VSTART];
924 		changes |= RFCOMM_RPN_PM_XOFF;
925 	} else {
926 		BT_DBG("XON default");
927 		x_off = RFCOMM_RPN_XOFF_CHAR;
928 	}
929 
930 	/* Handle setting of stop bits */
931 	if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
932 		changes |= RFCOMM_RPN_PM_STOP;
933 
934 	/* POSIX does not support 1.5 stop bits and RFCOMM does not
935 	 * support 2 stop bits. So a request for 2 stop bits gets
936 	 * translated to 1.5 stop bits */
937 	if (new->c_cflag & CSTOPB)
938 		stop_bits = RFCOMM_RPN_STOP_15;
939 	else
940 		stop_bits = RFCOMM_RPN_STOP_1;
941 
942 	/* Handle number of data bits [5-8] */
943 	if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
944 		changes |= RFCOMM_RPN_PM_DATA;
945 
946 	switch (new->c_cflag & CSIZE) {
947 	case CS5:
948 		data_bits = RFCOMM_RPN_DATA_5;
949 		break;
950 	case CS6:
951 		data_bits = RFCOMM_RPN_DATA_6;
952 		break;
953 	case CS7:
954 		data_bits = RFCOMM_RPN_DATA_7;
955 		break;
956 	case CS8:
957 		data_bits = RFCOMM_RPN_DATA_8;
958 		break;
959 	default:
960 		data_bits = RFCOMM_RPN_DATA_8;
961 		break;
962 	}
963 
964 	/* Handle baudrate settings */
965 	if (old_baud_rate != new_baud_rate)
966 		changes |= RFCOMM_RPN_PM_BITRATE;
967 
968 	switch (new_baud_rate) {
969 	case 2400:
970 		baud = RFCOMM_RPN_BR_2400;
971 		break;
972 	case 4800:
973 		baud = RFCOMM_RPN_BR_4800;
974 		break;
975 	case 7200:
976 		baud = RFCOMM_RPN_BR_7200;
977 		break;
978 	case 9600:
979 		baud = RFCOMM_RPN_BR_9600;
980 		break;
981 	case 19200:
982 		baud = RFCOMM_RPN_BR_19200;
983 		break;
984 	case 38400:
985 		baud = RFCOMM_RPN_BR_38400;
986 		break;
987 	case 57600:
988 		baud = RFCOMM_RPN_BR_57600;
989 		break;
990 	case 115200:
991 		baud = RFCOMM_RPN_BR_115200;
992 		break;
993 	case 230400:
994 		baud = RFCOMM_RPN_BR_230400;
995 		break;
996 	default:
997 		/* 9600 is standard accordinag to the RFCOMM specification */
998 		baud = RFCOMM_RPN_BR_9600;
999 		break;
1000 
1001 	}
1002 
1003 	if (changes)
1004 		rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
1005 				data_bits, stop_bits, parity,
1006 				RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
1007 }
1008 
rfcomm_tty_throttle(struct tty_struct * tty)1009 static void rfcomm_tty_throttle(struct tty_struct *tty)
1010 {
1011 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1012 
1013 	BT_DBG("tty %p dev %p", tty, dev);
1014 
1015 	rfcomm_dlc_throttle(dev->dlc);
1016 }
1017 
rfcomm_tty_unthrottle(struct tty_struct * tty)1018 static void rfcomm_tty_unthrottle(struct tty_struct *tty)
1019 {
1020 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1021 
1022 	BT_DBG("tty %p dev %p", tty, dev);
1023 
1024 	rfcomm_dlc_unthrottle(dev->dlc);
1025 }
1026 
rfcomm_tty_chars_in_buffer(struct tty_struct * tty)1027 static int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
1028 {
1029 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1030 
1031 	BT_DBG("tty %p dev %p", tty, dev);
1032 
1033 	if (!dev || !dev->dlc)
1034 		return 0;
1035 
1036 	if (!skb_queue_empty(&dev->dlc->tx_queue))
1037 		return dev->dlc->mtu;
1038 
1039 	return 0;
1040 }
1041 
rfcomm_tty_flush_buffer(struct tty_struct * tty)1042 static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
1043 {
1044 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1045 
1046 	BT_DBG("tty %p dev %p", tty, dev);
1047 
1048 	if (!dev || !dev->dlc)
1049 		return;
1050 
1051 	skb_queue_purge(&dev->dlc->tx_queue);
1052 	tty_wakeup(tty);
1053 }
1054 
rfcomm_tty_send_xchar(struct tty_struct * tty,char ch)1055 static void rfcomm_tty_send_xchar(struct tty_struct *tty, char ch)
1056 {
1057 	BT_DBG("tty %p ch %c", tty, ch);
1058 }
1059 
rfcomm_tty_wait_until_sent(struct tty_struct * tty,int timeout)1060 static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
1061 {
1062 	BT_DBG("tty %p timeout %d", tty, timeout);
1063 }
1064 
rfcomm_tty_hangup(struct tty_struct * tty)1065 static void rfcomm_tty_hangup(struct tty_struct *tty)
1066 {
1067 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1068 
1069 	BT_DBG("tty %p dev %p", tty, dev);
1070 
1071 	tty_port_hangup(&dev->port);
1072 }
1073 
rfcomm_tty_tiocmget(struct tty_struct * tty)1074 static int rfcomm_tty_tiocmget(struct tty_struct *tty)
1075 {
1076 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1077 
1078 	BT_DBG("tty %p dev %p", tty, dev);
1079 
1080 	return dev->modem_status;
1081 }
1082 
rfcomm_tty_tiocmset(struct tty_struct * tty,unsigned int set,unsigned int clear)1083 static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
1084 {
1085 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1086 	struct rfcomm_dlc *dlc = dev->dlc;
1087 	u8 v24_sig;
1088 
1089 	BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);
1090 
1091 	rfcomm_dlc_get_modem_status(dlc, &v24_sig);
1092 
1093 	if (set & TIOCM_DSR || set & TIOCM_DTR)
1094 		v24_sig |= RFCOMM_V24_RTC;
1095 	if (set & TIOCM_RTS || set & TIOCM_CTS)
1096 		v24_sig |= RFCOMM_V24_RTR;
1097 	if (set & TIOCM_RI)
1098 		v24_sig |= RFCOMM_V24_IC;
1099 	if (set & TIOCM_CD)
1100 		v24_sig |= RFCOMM_V24_DV;
1101 
1102 	if (clear & TIOCM_DSR || clear & TIOCM_DTR)
1103 		v24_sig &= ~RFCOMM_V24_RTC;
1104 	if (clear & TIOCM_RTS || clear & TIOCM_CTS)
1105 		v24_sig &= ~RFCOMM_V24_RTR;
1106 	if (clear & TIOCM_RI)
1107 		v24_sig &= ~RFCOMM_V24_IC;
1108 	if (clear & TIOCM_CD)
1109 		v24_sig &= ~RFCOMM_V24_DV;
1110 
1111 	rfcomm_dlc_set_modem_status(dlc, v24_sig);
1112 
1113 	return 0;
1114 }
1115 
1116 /* ---- TTY structure ---- */
1117 
1118 static const struct tty_operations rfcomm_ops = {
1119 	.open			= rfcomm_tty_open,
1120 	.close			= rfcomm_tty_close,
1121 	.write			= rfcomm_tty_write,
1122 	.write_room		= rfcomm_tty_write_room,
1123 	.chars_in_buffer	= rfcomm_tty_chars_in_buffer,
1124 	.flush_buffer		= rfcomm_tty_flush_buffer,
1125 	.ioctl			= rfcomm_tty_ioctl,
1126 	.throttle		= rfcomm_tty_throttle,
1127 	.unthrottle		= rfcomm_tty_unthrottle,
1128 	.set_termios		= rfcomm_tty_set_termios,
1129 	.send_xchar		= rfcomm_tty_send_xchar,
1130 	.hangup			= rfcomm_tty_hangup,
1131 	.wait_until_sent	= rfcomm_tty_wait_until_sent,
1132 	.tiocmget		= rfcomm_tty_tiocmget,
1133 	.tiocmset		= rfcomm_tty_tiocmset,
1134 	.install                = rfcomm_tty_install,
1135 	.cleanup                = rfcomm_tty_cleanup,
1136 };
1137 
rfcomm_init_ttys(void)1138 int __init rfcomm_init_ttys(void)
1139 {
1140 	int error;
1141 
1142 	rfcomm_tty_driver = alloc_tty_driver(RFCOMM_TTY_PORTS);
1143 	if (!rfcomm_tty_driver)
1144 		return -ENOMEM;
1145 
1146 	rfcomm_tty_driver->driver_name	= "rfcomm";
1147 	rfcomm_tty_driver->name		= "rfcomm";
1148 	rfcomm_tty_driver->major	= RFCOMM_TTY_MAJOR;
1149 	rfcomm_tty_driver->minor_start	= RFCOMM_TTY_MINOR;
1150 	rfcomm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
1151 	rfcomm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
1152 	rfcomm_tty_driver->flags	= TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;
1153 	rfcomm_tty_driver->init_termios	= tty_std_termios;
1154 	rfcomm_tty_driver->init_termios.c_cflag	= B9600 | CS8 | CREAD | HUPCL;
1155 	rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1156 	tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1157 
1158 	error = tty_register_driver(rfcomm_tty_driver);
1159 	if (error) {
1160 		BT_ERR("Can't register RFCOMM TTY driver");
1161 		put_tty_driver(rfcomm_tty_driver);
1162 		return error;
1163 	}
1164 
1165 	BT_INFO("RFCOMM TTY layer initialized");
1166 
1167 	return 0;
1168 }
1169 
rfcomm_cleanup_ttys(void)1170 void rfcomm_cleanup_ttys(void)
1171 {
1172 	tty_unregister_driver(rfcomm_tty_driver);
1173 	put_tty_driver(rfcomm_tty_driver);
1174 }
1175