Avoid beyond bounds copy while caching ACL
[zen-stable.git] / net / bluetooth / rfcomm / tty.c
bloba2d4f5122a6a2030913814a8ebdc0cf6a381e29d
1 /*
2 RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4 Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation;
10 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21 SOFTWARE IS DISCLAIMED.
25 * RFCOMM TTY.
28 #include <linux/module.h>
30 #include <linux/tty.h>
31 #include <linux/tty_driver.h>
32 #include <linux/tty_flip.h>
34 #include <linux/capability.h>
35 #include <linux/slab.h>
36 #include <linux/skbuff.h>
37 #include <linux/workqueue.h>
39 #include <net/bluetooth/bluetooth.h>
40 #include <net/bluetooth/hci_core.h>
41 #include <net/bluetooth/rfcomm.h>
43 #define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
44 #define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
45 #define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
46 #define RFCOMM_TTY_MINOR 0
48 static struct tty_driver *rfcomm_tty_driver;
50 struct rfcomm_dev {
51 struct list_head list;
52 atomic_t refcnt;
54 char name[12];
55 int id;
56 unsigned long flags;
57 atomic_t opened;
58 int err;
60 bdaddr_t src;
61 bdaddr_t dst;
62 u8 channel;
64 uint modem_status;
66 struct rfcomm_dlc *dlc;
67 struct tty_struct *tty;
68 wait_queue_head_t wait;
69 struct work_struct wakeup_task;
71 struct device *tty_dev;
73 atomic_t wmem_alloc;
75 struct sk_buff_head pending;
78 static LIST_HEAD(rfcomm_dev_list);
79 static DEFINE_SPINLOCK(rfcomm_dev_lock);
81 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
82 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
83 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
85 static void rfcomm_tty_wakeup(struct work_struct *work);
87 /* ---- Device functions ---- */
88 static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
90 struct rfcomm_dlc *dlc = dev->dlc;
92 BT_DBG("dev %p dlc %p", dev, dlc);
94 /* Refcount should only hit zero when called from rfcomm_dev_del()
95 which will have taken us off the list. Everything else are
96 refcounting bugs. */
97 BUG_ON(!list_empty(&dev->list));
99 rfcomm_dlc_lock(dlc);
100 /* Detach DLC if it's owned by this dev */
101 if (dlc->owner == dev)
102 dlc->owner = NULL;
103 rfcomm_dlc_unlock(dlc);
105 rfcomm_dlc_put(dlc);
107 tty_unregister_device(rfcomm_tty_driver, dev->id);
109 kfree(dev);
111 /* It's safe to call module_put() here because socket still
112 holds reference to this module. */
113 module_put(THIS_MODULE);
116 static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
118 atomic_inc(&dev->refcnt);
121 static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
123 /* The reason this isn't actually a race, as you no
124 doubt have a little voice screaming at you in your
125 head, is that the refcount should never actually
126 reach zero unless the device has already been taken
127 off the list, in rfcomm_dev_del(). And if that's not
128 true, we'll hit the BUG() in rfcomm_dev_destruct()
129 anyway. */
130 if (atomic_dec_and_test(&dev->refcnt))
131 rfcomm_dev_destruct(dev);
134 static struct rfcomm_dev *__rfcomm_dev_get(int id)
136 struct rfcomm_dev *dev;
138 list_for_each_entry(dev, &rfcomm_dev_list, list)
139 if (dev->id == id)
140 return dev;
142 return NULL;
145 static inline struct rfcomm_dev *rfcomm_dev_get(int id)
147 struct rfcomm_dev *dev;
149 spin_lock(&rfcomm_dev_lock);
151 dev = __rfcomm_dev_get(id);
153 if (dev) {
154 if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
155 dev = NULL;
156 else
157 rfcomm_dev_hold(dev);
160 spin_unlock(&rfcomm_dev_lock);
162 return dev;
165 static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
167 struct hci_dev *hdev;
168 struct hci_conn *conn;
170 hdev = hci_get_route(&dev->dst, &dev->src);
171 if (!hdev)
172 return NULL;
174 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
176 hci_dev_put(hdev);
178 return conn ? &conn->dev : NULL;
181 static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
183 struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
184 return sprintf(buf, "%s\n", batostr(&dev->dst));
187 static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
189 struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
190 return sprintf(buf, "%d\n", dev->channel);
193 static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
194 static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
196 static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
198 struct rfcomm_dev *dev, *entry;
199 struct list_head *head = &rfcomm_dev_list, *p;
200 int err = 0;
202 BT_DBG("id %d channel %d", req->dev_id, req->channel);
204 dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
205 if (!dev)
206 return -ENOMEM;
208 spin_lock(&rfcomm_dev_lock);
210 if (req->dev_id < 0) {
211 dev->id = 0;
213 list_for_each_entry(entry, &rfcomm_dev_list, list) {
214 if (entry->id != dev->id)
215 break;
217 dev->id++;
218 head = p;
220 } else {
221 dev->id = req->dev_id;
223 list_for_each_entry(entry, &rfcomm_dev_list, list) {
224 if (entry->id == dev->id) {
225 err = -EADDRINUSE;
226 goto out;
229 if (entry->id > dev->id - 1)
230 break;
232 head = p;
236 if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
237 err = -ENFILE;
238 goto out;
241 sprintf(dev->name, "rfcomm%d", dev->id);
243 list_add(&dev->list, head);
244 atomic_set(&dev->refcnt, 1);
246 bacpy(&dev->src, &req->src);
247 bacpy(&dev->dst, &req->dst);
248 dev->channel = req->channel;
250 dev->flags = req->flags &
251 ((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));
253 atomic_set(&dev->opened, 0);
255 init_waitqueue_head(&dev->wait);
256 INIT_WORK(&dev->wakeup_task, rfcomm_tty_wakeup);
258 skb_queue_head_init(&dev->pending);
260 rfcomm_dlc_lock(dlc);
262 if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
263 struct sock *sk = dlc->owner;
264 struct sk_buff *skb;
266 BUG_ON(!sk);
268 rfcomm_dlc_throttle(dlc);
270 while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
271 skb_orphan(skb);
272 skb_queue_tail(&dev->pending, skb);
273 atomic_sub(skb->len, &sk->sk_rmem_alloc);
277 dlc->data_ready = rfcomm_dev_data_ready;
278 dlc->state_change = rfcomm_dev_state_change;
279 dlc->modem_status = rfcomm_dev_modem_status;
281 dlc->owner = dev;
282 dev->dlc = dlc;
284 rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
286 rfcomm_dlc_unlock(dlc);
288 /* It's safe to call __module_get() here because socket already
289 holds reference to this module. */
290 __module_get(THIS_MODULE);
292 out:
293 spin_unlock(&rfcomm_dev_lock);
295 if (err < 0)
296 goto free;
298 dev->tty_dev = tty_register_device(rfcomm_tty_driver, dev->id, NULL);
300 if (IS_ERR(dev->tty_dev)) {
301 err = PTR_ERR(dev->tty_dev);
302 list_del(&dev->list);
303 goto free;
306 dev_set_drvdata(dev->tty_dev, dev);
308 if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
309 BT_ERR("Failed to create address attribute");
311 if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
312 BT_ERR("Failed to create channel attribute");
314 return dev->id;
316 free:
317 kfree(dev);
318 return err;
321 static void rfcomm_dev_del(struct rfcomm_dev *dev)
323 BT_DBG("dev %p", dev);
325 BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));
327 if (atomic_read(&dev->opened) > 0)
328 return;
330 spin_lock(&rfcomm_dev_lock);
331 list_del_init(&dev->list);
332 spin_unlock(&rfcomm_dev_lock);
334 rfcomm_dev_put(dev);
337 /* ---- Send buffer ---- */
338 static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
340 /* We can't let it be zero, because we don't get a callback
341 when tx_credits becomes nonzero, hence we'd never wake up */
342 return dlc->mtu * (dlc->tx_credits?:1);
345 static void rfcomm_wfree(struct sk_buff *skb)
347 struct rfcomm_dev *dev = (void *) skb->sk;
348 atomic_sub(skb->truesize, &dev->wmem_alloc);
349 if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
350 queue_work(system_nrt_wq, &dev->wakeup_task);
351 rfcomm_dev_put(dev);
354 static inline void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
356 rfcomm_dev_hold(dev);
357 atomic_add(skb->truesize, &dev->wmem_alloc);
358 skb->sk = (void *) dev;
359 skb->destructor = rfcomm_wfree;
362 static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
364 if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
365 struct sk_buff *skb = alloc_skb(size, priority);
366 if (skb) {
367 rfcomm_set_owner_w(skb, dev);
368 return skb;
371 return NULL;
374 /* ---- Device IOCTLs ---- */
376 #define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
378 static int rfcomm_create_dev(struct sock *sk, void __user *arg)
380 struct rfcomm_dev_req req;
381 struct rfcomm_dlc *dlc;
382 int id;
384 if (copy_from_user(&req, arg, sizeof(req)))
385 return -EFAULT;
387 BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
389 if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
390 return -EPERM;
392 if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
393 /* Socket must be connected */
394 if (sk->sk_state != BT_CONNECTED)
395 return -EBADFD;
397 dlc = rfcomm_pi(sk)->dlc;
398 rfcomm_dlc_hold(dlc);
399 } else {
400 dlc = rfcomm_dlc_alloc(GFP_KERNEL);
401 if (!dlc)
402 return -ENOMEM;
405 id = rfcomm_dev_add(&req, dlc);
406 if (id < 0) {
407 rfcomm_dlc_put(dlc);
408 return id;
411 if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
412 /* DLC is now used by device.
413 * Socket must be disconnected */
414 sk->sk_state = BT_CLOSED;
417 return id;
420 static int rfcomm_release_dev(void __user *arg)
422 struct rfcomm_dev_req req;
423 struct rfcomm_dev *dev;
425 if (copy_from_user(&req, arg, sizeof(req)))
426 return -EFAULT;
428 BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
430 dev = rfcomm_dev_get(req.dev_id);
431 if (!dev)
432 return -ENODEV;
434 if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
435 rfcomm_dev_put(dev);
436 return -EPERM;
439 if (req.flags & (1 << RFCOMM_HANGUP_NOW))
440 rfcomm_dlc_close(dev->dlc, 0);
442 /* Shut down TTY synchronously before freeing rfcomm_dev */
443 if (dev->tty)
444 tty_vhangup(dev->tty);
446 if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
447 rfcomm_dev_del(dev);
448 rfcomm_dev_put(dev);
449 return 0;
452 static int rfcomm_get_dev_list(void __user *arg)
454 struct rfcomm_dev *dev;
455 struct rfcomm_dev_list_req *dl;
456 struct rfcomm_dev_info *di;
457 int n = 0, size, err;
458 u16 dev_num;
460 BT_DBG("");
462 if (get_user(dev_num, (u16 __user *) arg))
463 return -EFAULT;
465 if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
466 return -EINVAL;
468 size = sizeof(*dl) + dev_num * sizeof(*di);
470 dl = kmalloc(size, GFP_KERNEL);
471 if (!dl)
472 return -ENOMEM;
474 di = dl->dev_info;
476 spin_lock(&rfcomm_dev_lock);
478 list_for_each_entry(dev, &rfcomm_dev_list, list) {
479 if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
480 continue;
481 (di + n)->id = dev->id;
482 (di + n)->flags = dev->flags;
483 (di + n)->state = dev->dlc->state;
484 (di + n)->channel = dev->channel;
485 bacpy(&(di + n)->src, &dev->src);
486 bacpy(&(di + n)->dst, &dev->dst);
487 if (++n >= dev_num)
488 break;
491 spin_unlock(&rfcomm_dev_lock);
493 dl->dev_num = n;
494 size = sizeof(*dl) + n * sizeof(*di);
496 err = copy_to_user(arg, dl, size);
497 kfree(dl);
499 return err ? -EFAULT : 0;
502 static int rfcomm_get_dev_info(void __user *arg)
504 struct rfcomm_dev *dev;
505 struct rfcomm_dev_info di;
506 int err = 0;
508 BT_DBG("");
510 if (copy_from_user(&di, arg, sizeof(di)))
511 return -EFAULT;
513 dev = rfcomm_dev_get(di.id);
514 if (!dev)
515 return -ENODEV;
517 di.flags = dev->flags;
518 di.channel = dev->channel;
519 di.state = dev->dlc->state;
520 bacpy(&di.src, &dev->src);
521 bacpy(&di.dst, &dev->dst);
523 if (copy_to_user(arg, &di, sizeof(di)))
524 err = -EFAULT;
526 rfcomm_dev_put(dev);
527 return err;
530 int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
532 BT_DBG("cmd %d arg %p", cmd, arg);
534 switch (cmd) {
535 case RFCOMMCREATEDEV:
536 return rfcomm_create_dev(sk, arg);
538 case RFCOMMRELEASEDEV:
539 return rfcomm_release_dev(arg);
541 case RFCOMMGETDEVLIST:
542 return rfcomm_get_dev_list(arg);
544 case RFCOMMGETDEVINFO:
545 return rfcomm_get_dev_info(arg);
548 return -EINVAL;
551 /* ---- DLC callbacks ---- */
552 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
554 struct rfcomm_dev *dev = dlc->owner;
555 struct tty_struct *tty;
557 if (!dev) {
558 kfree_skb(skb);
559 return;
562 tty = dev->tty;
563 if (!tty || !skb_queue_empty(&dev->pending)) {
564 skb_queue_tail(&dev->pending, skb);
565 return;
568 BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);
570 tty_insert_flip_string(tty, skb->data, skb->len);
571 tty_flip_buffer_push(tty);
573 kfree_skb(skb);
576 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
578 struct rfcomm_dev *dev = dlc->owner;
579 if (!dev)
580 return;
582 BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
584 dev->err = err;
585 wake_up_interruptible(&dev->wait);
587 if (dlc->state == BT_CLOSED) {
588 if (!dev->tty) {
589 if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
590 /* Drop DLC lock here to avoid deadlock
591 * 1. rfcomm_dev_get will take rfcomm_dev_lock
592 * but in rfcomm_dev_add there's lock order:
593 * rfcomm_dev_lock -> dlc lock
594 * 2. rfcomm_dev_put will deadlock if it's
595 * the last reference
597 rfcomm_dlc_unlock(dlc);
598 if (rfcomm_dev_get(dev->id) == NULL) {
599 rfcomm_dlc_lock(dlc);
600 return;
603 rfcomm_dev_del(dev);
604 rfcomm_dev_put(dev);
605 rfcomm_dlc_lock(dlc);
607 } else
608 tty_hangup(dev->tty);
612 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
614 struct rfcomm_dev *dev = dlc->owner;
615 if (!dev)
616 return;
618 BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);
620 if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV)) {
621 if (dev->tty && !C_CLOCAL(dev->tty))
622 tty_hangup(dev->tty);
625 dev->modem_status =
626 ((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
627 ((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
628 ((v24_sig & RFCOMM_V24_IC) ? TIOCM_RI : 0) |
629 ((v24_sig & RFCOMM_V24_DV) ? TIOCM_CD : 0);
632 /* ---- TTY functions ---- */
633 static void rfcomm_tty_wakeup(struct work_struct *work)
635 struct rfcomm_dev *dev = container_of(work, struct rfcomm_dev,
636 wakeup_task);
637 struct tty_struct *tty = dev->tty;
638 if (!tty)
639 return;
641 BT_DBG("dev %p tty %p", dev, tty);
642 tty_wakeup(tty);
645 static void rfcomm_tty_copy_pending(struct rfcomm_dev *dev)
647 struct tty_struct *tty = dev->tty;
648 struct sk_buff *skb;
649 int inserted = 0;
651 if (!tty)
652 return;
654 BT_DBG("dev %p tty %p", dev, tty);
656 rfcomm_dlc_lock(dev->dlc);
658 while ((skb = skb_dequeue(&dev->pending))) {
659 inserted += tty_insert_flip_string(tty, skb->data, skb->len);
660 kfree_skb(skb);
663 rfcomm_dlc_unlock(dev->dlc);
665 if (inserted > 0)
666 tty_flip_buffer_push(tty);
669 static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
671 DECLARE_WAITQUEUE(wait, current);
672 struct rfcomm_dev *dev;
673 struct rfcomm_dlc *dlc;
674 int err, id;
676 id = tty->index;
678 BT_DBG("tty %p id %d", tty, id);
680 /* We don't leak this refcount. For reasons which are not entirely
681 clear, the TTY layer will call our ->close() method even if the
682 open fails. We decrease the refcount there, and decreasing it
683 here too would cause breakage. */
684 dev = rfcomm_dev_get(id);
685 if (!dev)
686 return -ENODEV;
688 BT_DBG("dev %p dst %s channel %d opened %d", dev, batostr(&dev->dst),
689 dev->channel, atomic_read(&dev->opened));
691 if (atomic_inc_return(&dev->opened) > 1)
692 return 0;
694 dlc = dev->dlc;
696 /* Attach TTY and open DLC */
698 rfcomm_dlc_lock(dlc);
699 tty->driver_data = dev;
700 dev->tty = tty;
701 rfcomm_dlc_unlock(dlc);
702 set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
704 err = rfcomm_dlc_open(dlc, &dev->src, &dev->dst, dev->channel);
705 if (err < 0)
706 return err;
708 /* Wait for DLC to connect */
709 add_wait_queue(&dev->wait, &wait);
710 while (1) {
711 set_current_state(TASK_INTERRUPTIBLE);
713 if (dlc->state == BT_CLOSED) {
714 err = -dev->err;
715 break;
718 if (dlc->state == BT_CONNECTED)
719 break;
721 if (signal_pending(current)) {
722 err = -EINTR;
723 break;
726 tty_unlock();
727 schedule();
728 tty_lock();
730 set_current_state(TASK_RUNNING);
731 remove_wait_queue(&dev->wait, &wait);
733 if (err == 0)
734 device_move(dev->tty_dev, rfcomm_get_device(dev),
735 DPM_ORDER_DEV_AFTER_PARENT);
737 rfcomm_tty_copy_pending(dev);
739 rfcomm_dlc_unthrottle(dev->dlc);
741 return err;
744 static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
746 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
747 if (!dev)
748 return;
750 BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
751 atomic_read(&dev->opened));
753 if (atomic_dec_and_test(&dev->opened)) {
754 if (dev->tty_dev->parent)
755 device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
757 /* Close DLC and dettach TTY */
758 rfcomm_dlc_close(dev->dlc, 0);
760 clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
761 cancel_work_sync(&dev->wakeup_task);
763 rfcomm_dlc_lock(dev->dlc);
764 tty->driver_data = NULL;
765 dev->tty = NULL;
766 rfcomm_dlc_unlock(dev->dlc);
768 if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) {
769 spin_lock(&rfcomm_dev_lock);
770 list_del_init(&dev->list);
771 spin_unlock(&rfcomm_dev_lock);
773 rfcomm_dev_put(dev);
777 rfcomm_dev_put(dev);
780 static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count)
782 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
783 struct rfcomm_dlc *dlc = dev->dlc;
784 struct sk_buff *skb;
785 int err = 0, sent = 0, size;
787 BT_DBG("tty %p count %d", tty, count);
789 while (count) {
790 size = min_t(uint, count, dlc->mtu);
792 skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
794 if (!skb)
795 break;
797 skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
799 memcpy(skb_put(skb, size), buf + sent, size);
801 err = rfcomm_dlc_send(dlc, skb);
802 if (err < 0) {
803 kfree_skb(skb);
804 break;
807 sent += size;
808 count -= size;
811 return sent ? sent : err;
814 static int rfcomm_tty_write_room(struct tty_struct *tty)
816 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
817 int room;
819 BT_DBG("tty %p", tty);
821 if (!dev || !dev->dlc)
822 return 0;
824 room = rfcomm_room(dev->dlc) - atomic_read(&dev->wmem_alloc);
825 if (room < 0)
826 room = 0;
828 return room;
831 static int rfcomm_tty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
833 BT_DBG("tty %p cmd 0x%02x", tty, cmd);
835 switch (cmd) {
836 case TCGETS:
837 BT_DBG("TCGETS is not supported");
838 return -ENOIOCTLCMD;
840 case TCSETS:
841 BT_DBG("TCSETS is not supported");
842 return -ENOIOCTLCMD;
844 case TIOCMIWAIT:
845 BT_DBG("TIOCMIWAIT");
846 break;
848 case TIOCGSERIAL:
849 BT_ERR("TIOCGSERIAL is not supported");
850 return -ENOIOCTLCMD;
852 case TIOCSSERIAL:
853 BT_ERR("TIOCSSERIAL is not supported");
854 return -ENOIOCTLCMD;
856 case TIOCSERGSTRUCT:
857 BT_ERR("TIOCSERGSTRUCT is not supported");
858 return -ENOIOCTLCMD;
860 case TIOCSERGETLSR:
861 BT_ERR("TIOCSERGETLSR is not supported");
862 return -ENOIOCTLCMD;
864 case TIOCSERCONFIG:
865 BT_ERR("TIOCSERCONFIG is not supported");
866 return -ENOIOCTLCMD;
868 default:
869 return -ENOIOCTLCMD; /* ioctls which we must ignore */
873 return -ENOIOCTLCMD;
876 static void rfcomm_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
878 struct ktermios *new = tty->termios;
879 int old_baud_rate = tty_termios_baud_rate(old);
880 int new_baud_rate = tty_termios_baud_rate(new);
882 u8 baud, data_bits, stop_bits, parity, x_on, x_off;
883 u16 changes = 0;
885 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
887 BT_DBG("tty %p termios %p", tty, old);
889 if (!dev || !dev->dlc || !dev->dlc->session)
890 return;
892 /* Handle turning off CRTSCTS */
893 if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
894 BT_DBG("Turning off CRTSCTS unsupported");
896 /* Parity on/off and when on, odd/even */
897 if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
898 ((old->c_cflag & PARODD) != (new->c_cflag & PARODD))) {
899 changes |= RFCOMM_RPN_PM_PARITY;
900 BT_DBG("Parity change detected.");
903 /* Mark and space parity are not supported! */
904 if (new->c_cflag & PARENB) {
905 if (new->c_cflag & PARODD) {
906 BT_DBG("Parity is ODD");
907 parity = RFCOMM_RPN_PARITY_ODD;
908 } else {
909 BT_DBG("Parity is EVEN");
910 parity = RFCOMM_RPN_PARITY_EVEN;
912 } else {
913 BT_DBG("Parity is OFF");
914 parity = RFCOMM_RPN_PARITY_NONE;
917 /* Setting the x_on / x_off characters */
918 if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
919 BT_DBG("XOFF custom");
920 x_on = new->c_cc[VSTOP];
921 changes |= RFCOMM_RPN_PM_XON;
922 } else {
923 BT_DBG("XOFF default");
924 x_on = RFCOMM_RPN_XON_CHAR;
927 if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
928 BT_DBG("XON custom");
929 x_off = new->c_cc[VSTART];
930 changes |= RFCOMM_RPN_PM_XOFF;
931 } else {
932 BT_DBG("XON default");
933 x_off = RFCOMM_RPN_XOFF_CHAR;
936 /* Handle setting of stop bits */
937 if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
938 changes |= RFCOMM_RPN_PM_STOP;
940 /* POSIX does not support 1.5 stop bits and RFCOMM does not
941 * support 2 stop bits. So a request for 2 stop bits gets
942 * translated to 1.5 stop bits */
943 if (new->c_cflag & CSTOPB)
944 stop_bits = RFCOMM_RPN_STOP_15;
945 else
946 stop_bits = RFCOMM_RPN_STOP_1;
948 /* Handle number of data bits [5-8] */
949 if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
950 changes |= RFCOMM_RPN_PM_DATA;
952 switch (new->c_cflag & CSIZE) {
953 case CS5:
954 data_bits = RFCOMM_RPN_DATA_5;
955 break;
956 case CS6:
957 data_bits = RFCOMM_RPN_DATA_6;
958 break;
959 case CS7:
960 data_bits = RFCOMM_RPN_DATA_7;
961 break;
962 case CS8:
963 data_bits = RFCOMM_RPN_DATA_8;
964 break;
965 default:
966 data_bits = RFCOMM_RPN_DATA_8;
967 break;
970 /* Handle baudrate settings */
971 if (old_baud_rate != new_baud_rate)
972 changes |= RFCOMM_RPN_PM_BITRATE;
974 switch (new_baud_rate) {
975 case 2400:
976 baud = RFCOMM_RPN_BR_2400;
977 break;
978 case 4800:
979 baud = RFCOMM_RPN_BR_4800;
980 break;
981 case 7200:
982 baud = RFCOMM_RPN_BR_7200;
983 break;
984 case 9600:
985 baud = RFCOMM_RPN_BR_9600;
986 break;
987 case 19200:
988 baud = RFCOMM_RPN_BR_19200;
989 break;
990 case 38400:
991 baud = RFCOMM_RPN_BR_38400;
992 break;
993 case 57600:
994 baud = RFCOMM_RPN_BR_57600;
995 break;
996 case 115200:
997 baud = RFCOMM_RPN_BR_115200;
998 break;
999 case 230400:
1000 baud = RFCOMM_RPN_BR_230400;
1001 break;
1002 default:
1003 /* 9600 is standard accordinag to the RFCOMM specification */
1004 baud = RFCOMM_RPN_BR_9600;
1005 break;
1009 if (changes)
1010 rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
1011 data_bits, stop_bits, parity,
1012 RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
1015 static void rfcomm_tty_throttle(struct tty_struct *tty)
1017 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1019 BT_DBG("tty %p dev %p", tty, dev);
1021 rfcomm_dlc_throttle(dev->dlc);
1024 static void rfcomm_tty_unthrottle(struct tty_struct *tty)
1026 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1028 BT_DBG("tty %p dev %p", tty, dev);
1030 rfcomm_dlc_unthrottle(dev->dlc);
1033 static int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
1035 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1037 BT_DBG("tty %p dev %p", tty, dev);
1039 if (!dev || !dev->dlc)
1040 return 0;
1042 if (!skb_queue_empty(&dev->dlc->tx_queue))
1043 return dev->dlc->mtu;
1045 return 0;
1048 static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
1050 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1052 BT_DBG("tty %p dev %p", tty, dev);
1054 if (!dev || !dev->dlc)
1055 return;
1057 skb_queue_purge(&dev->dlc->tx_queue);
1058 tty_wakeup(tty);
1061 static void rfcomm_tty_send_xchar(struct tty_struct *tty, char ch)
1063 BT_DBG("tty %p ch %c", tty, ch);
1066 static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
1068 BT_DBG("tty %p timeout %d", tty, timeout);
1071 static void rfcomm_tty_hangup(struct tty_struct *tty)
1073 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1075 BT_DBG("tty %p dev %p", tty, dev);
1077 if (!dev)
1078 return;
1080 rfcomm_tty_flush_buffer(tty);
1082 if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
1083 if (rfcomm_dev_get(dev->id) == NULL)
1084 return;
1085 rfcomm_dev_del(dev);
1086 rfcomm_dev_put(dev);
1090 static int rfcomm_tty_tiocmget(struct tty_struct *tty)
1092 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1094 BT_DBG("tty %p dev %p", tty, dev);
1096 return dev->modem_status;
1099 static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
1101 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1102 struct rfcomm_dlc *dlc = dev->dlc;
1103 u8 v24_sig;
1105 BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);
1107 rfcomm_dlc_get_modem_status(dlc, &v24_sig);
1109 if (set & TIOCM_DSR || set & TIOCM_DTR)
1110 v24_sig |= RFCOMM_V24_RTC;
1111 if (set & TIOCM_RTS || set & TIOCM_CTS)
1112 v24_sig |= RFCOMM_V24_RTR;
1113 if (set & TIOCM_RI)
1114 v24_sig |= RFCOMM_V24_IC;
1115 if (set & TIOCM_CD)
1116 v24_sig |= RFCOMM_V24_DV;
1118 if (clear & TIOCM_DSR || clear & TIOCM_DTR)
1119 v24_sig &= ~RFCOMM_V24_RTC;
1120 if (clear & TIOCM_RTS || clear & TIOCM_CTS)
1121 v24_sig &= ~RFCOMM_V24_RTR;
1122 if (clear & TIOCM_RI)
1123 v24_sig &= ~RFCOMM_V24_IC;
1124 if (clear & TIOCM_CD)
1125 v24_sig &= ~RFCOMM_V24_DV;
1127 rfcomm_dlc_set_modem_status(dlc, v24_sig);
1129 return 0;
1132 /* ---- TTY structure ---- */
1134 static const struct tty_operations rfcomm_ops = {
1135 .open = rfcomm_tty_open,
1136 .close = rfcomm_tty_close,
1137 .write = rfcomm_tty_write,
1138 .write_room = rfcomm_tty_write_room,
1139 .chars_in_buffer = rfcomm_tty_chars_in_buffer,
1140 .flush_buffer = rfcomm_tty_flush_buffer,
1141 .ioctl = rfcomm_tty_ioctl,
1142 .throttle = rfcomm_tty_throttle,
1143 .unthrottle = rfcomm_tty_unthrottle,
1144 .set_termios = rfcomm_tty_set_termios,
1145 .send_xchar = rfcomm_tty_send_xchar,
1146 .hangup = rfcomm_tty_hangup,
1147 .wait_until_sent = rfcomm_tty_wait_until_sent,
1148 .tiocmget = rfcomm_tty_tiocmget,
1149 .tiocmset = rfcomm_tty_tiocmset,
1152 int __init rfcomm_init_ttys(void)
1154 int error;
1156 rfcomm_tty_driver = alloc_tty_driver(RFCOMM_TTY_PORTS);
1157 if (!rfcomm_tty_driver)
1158 return -ENOMEM;
1160 rfcomm_tty_driver->owner = THIS_MODULE;
1161 rfcomm_tty_driver->driver_name = "rfcomm";
1162 rfcomm_tty_driver->name = "rfcomm";
1163 rfcomm_tty_driver->major = RFCOMM_TTY_MAJOR;
1164 rfcomm_tty_driver->minor_start = RFCOMM_TTY_MINOR;
1165 rfcomm_tty_driver->type = TTY_DRIVER_TYPE_SERIAL;
1166 rfcomm_tty_driver->subtype = SERIAL_TYPE_NORMAL;
1167 rfcomm_tty_driver->flags = TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;
1168 rfcomm_tty_driver->init_termios = tty_std_termios;
1169 rfcomm_tty_driver->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL;
1170 rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1171 tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1173 error = tty_register_driver(rfcomm_tty_driver);
1174 if (error) {
1175 BT_ERR("Can't register RFCOMM TTY driver");
1176 put_tty_driver(rfcomm_tty_driver);
1177 return error;
1180 BT_INFO("RFCOMM TTY layer initialized");
1182 return 0;
1185 void rfcomm_cleanup_ttys(void)
1187 tty_unregister_driver(rfcomm_tty_driver);
1188 put_tty_driver(rfcomm_tty_driver);