1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM TTY.
26  */
27 
28 #include <linux/module.h>
29 
30 #include <linux/tty.h>
31 #include <linux/tty_driver.h>
32 #include <linux/tty_flip.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
39 #define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
40 #define RFCOMM_TTY_MINOR 0
41 
42 static DEFINE_MUTEX(rfcomm_ioctl_mutex);
43 static struct tty_driver *rfcomm_tty_driver;
44 
45 struct rfcomm_dev {
46 	struct tty_port		port;
47 	struct list_head	list;
48 
49 	char			name[12];
50 	int			id;
51 	unsigned long		flags;
52 	int			err;
53 
54 	unsigned long		status;		/* don't export to userspace */
55 
56 	bdaddr_t		src;
57 	bdaddr_t		dst;
58 	u8			channel;
59 
60 	uint			modem_status;
61 
62 	struct rfcomm_dlc	*dlc;
63 
64 	struct device		*tty_dev;
65 
66 	atomic_t		wmem_alloc;
67 
68 	struct sk_buff_head	pending;
69 };
70 
71 static LIST_HEAD(rfcomm_dev_list);
72 static DEFINE_MUTEX(rfcomm_dev_lock);
73 
74 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
75 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
76 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
77 
78 /* ---- Device functions ---- */
79 
rfcomm_dev_destruct(struct tty_port * port)80 static void rfcomm_dev_destruct(struct tty_port *port)
81 {
82 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
83 	struct rfcomm_dlc *dlc = dev->dlc;
84 
85 	BT_DBG("dev %p dlc %p", dev, dlc);
86 
87 	rfcomm_dlc_lock(dlc);
88 	/* Detach DLC if it's owned by this dev */
89 	if (dlc->owner == dev)
90 		dlc->owner = NULL;
91 	rfcomm_dlc_unlock(dlc);
92 
93 	rfcomm_dlc_put(dlc);
94 
95 	if (dev->tty_dev)
96 		tty_unregister_device(rfcomm_tty_driver, dev->id);
97 
98 	mutex_lock(&rfcomm_dev_lock);
99 	list_del(&dev->list);
100 	mutex_unlock(&rfcomm_dev_lock);
101 
102 	kfree(dev);
103 
104 	/* It's safe to call module_put() here because socket still
105 	   holds reference to this module. */
106 	module_put(THIS_MODULE);
107 }
108 
109 /* device-specific initialization: open the dlc */
rfcomm_dev_activate(struct tty_port * port,struct tty_struct * tty)110 static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
111 {
112 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
113 	int err;
114 
115 	err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
116 	if (err)
117 		set_bit(TTY_IO_ERROR, &tty->flags);
118 	return err;
119 }
120 
121 /* we block the open until the dlc->state becomes BT_CONNECTED */
rfcomm_dev_carrier_raised(struct tty_port * port)122 static int rfcomm_dev_carrier_raised(struct tty_port *port)
123 {
124 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
125 
126 	return (dev->dlc->state == BT_CONNECTED);
127 }
128 
129 /* device-specific cleanup: close the dlc */
rfcomm_dev_shutdown(struct tty_port * port)130 static void rfcomm_dev_shutdown(struct tty_port *port)
131 {
132 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
133 
134 	if (dev->tty_dev->parent)
135 		device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
136 
137 	/* close the dlc */
138 	rfcomm_dlc_close(dev->dlc, 0);
139 }
140 
141 static const struct tty_port_operations rfcomm_port_ops = {
142 	.destruct = rfcomm_dev_destruct,
143 	.activate = rfcomm_dev_activate,
144 	.shutdown = rfcomm_dev_shutdown,
145 	.carrier_raised = rfcomm_dev_carrier_raised,
146 };
147 
__rfcomm_dev_lookup(int id)148 static struct rfcomm_dev *__rfcomm_dev_lookup(int id)
149 {
150 	struct rfcomm_dev *dev;
151 
152 	list_for_each_entry(dev, &rfcomm_dev_list, list)
153 		if (dev->id == id)
154 			return dev;
155 
156 	return NULL;
157 }
158 
rfcomm_dev_get(int id)159 static struct rfcomm_dev *rfcomm_dev_get(int id)
160 {
161 	struct rfcomm_dev *dev;
162 
163 	mutex_lock(&rfcomm_dev_lock);
164 
165 	dev = __rfcomm_dev_lookup(id);
166 
167 	if (dev && !tty_port_get(&dev->port))
168 		dev = NULL;
169 
170 	mutex_unlock(&rfcomm_dev_lock);
171 
172 	return dev;
173 }
174 
rfcomm_reparent_device(struct rfcomm_dev * dev)175 static void rfcomm_reparent_device(struct rfcomm_dev *dev)
176 {
177 	struct hci_dev *hdev;
178 	struct hci_conn *conn;
179 
180 	hdev = hci_get_route(&dev->dst, &dev->src, BDADDR_BREDR);
181 	if (!hdev)
182 		return;
183 
184 	/* The lookup results are unsafe to access without the
185 	 * hci device lock (FIXME: why is this not documented?)
186 	 */
187 	hci_dev_lock(hdev);
188 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
189 
190 	/* Just because the acl link is in the hash table is no
191 	 * guarantee the sysfs device has been added ...
192 	 */
193 	if (conn && device_is_registered(&conn->dev))
194 		device_move(dev->tty_dev, &conn->dev, DPM_ORDER_DEV_AFTER_PARENT);
195 
196 	hci_dev_unlock(hdev);
197 	hci_dev_put(hdev);
198 }
199 
address_show(struct device * tty_dev,struct device_attribute * attr,char * buf)200 static ssize_t address_show(struct device *tty_dev,
201 			    struct device_attribute *attr, char *buf)
202 {
203 	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
204 	return sprintf(buf, "%pMR\n", &dev->dst);
205 }
206 
channel_show(struct device * tty_dev,struct device_attribute * attr,char * buf)207 static ssize_t channel_show(struct device *tty_dev,
208 			    struct device_attribute *attr, char *buf)
209 {
210 	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
211 	return sprintf(buf, "%d\n", dev->channel);
212 }
213 
214 static DEVICE_ATTR_RO(address);
215 static DEVICE_ATTR_RO(channel);
216 
__rfcomm_dev_add(struct rfcomm_dev_req * req,struct rfcomm_dlc * dlc)217 static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
218 					   struct rfcomm_dlc *dlc)
219 {
220 	struct rfcomm_dev *dev, *entry;
221 	struct list_head *head = &rfcomm_dev_list;
222 	int err = 0;
223 
224 	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
225 	if (!dev)
226 		return ERR_PTR(-ENOMEM);
227 
228 	mutex_lock(&rfcomm_dev_lock);
229 
230 	if (req->dev_id < 0) {
231 		dev->id = 0;
232 
233 		list_for_each_entry(entry, &rfcomm_dev_list, list) {
234 			if (entry->id != dev->id)
235 				break;
236 
237 			dev->id++;
238 			head = &entry->list;
239 		}
240 	} else {
241 		dev->id = req->dev_id;
242 
243 		list_for_each_entry(entry, &rfcomm_dev_list, list) {
244 			if (entry->id == dev->id) {
245 				err = -EADDRINUSE;
246 				goto out;
247 			}
248 
249 			if (entry->id > dev->id - 1)
250 				break;
251 
252 			head = &entry->list;
253 		}
254 	}
255 
256 	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
257 		err = -ENFILE;
258 		goto out;
259 	}
260 
261 	sprintf(dev->name, "rfcomm%d", dev->id);
262 
263 	list_add(&dev->list, head);
264 
265 	bacpy(&dev->src, &req->src);
266 	bacpy(&dev->dst, &req->dst);
267 	dev->channel = req->channel;
268 
269 	dev->flags = req->flags &
270 		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));
271 
272 	tty_port_init(&dev->port);
273 	dev->port.ops = &rfcomm_port_ops;
274 
275 	skb_queue_head_init(&dev->pending);
276 
277 	rfcomm_dlc_lock(dlc);
278 
279 	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
280 		struct sock *sk = dlc->owner;
281 		struct sk_buff *skb;
282 
283 		BUG_ON(!sk);
284 
285 		rfcomm_dlc_throttle(dlc);
286 
287 		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
288 			skb_orphan(skb);
289 			skb_queue_tail(&dev->pending, skb);
290 			atomic_sub(skb->len, &sk->sk_rmem_alloc);
291 		}
292 	}
293 
294 	dlc->data_ready   = rfcomm_dev_data_ready;
295 	dlc->state_change = rfcomm_dev_state_change;
296 	dlc->modem_status = rfcomm_dev_modem_status;
297 
298 	dlc->owner = dev;
299 	dev->dlc   = dlc;
300 
301 	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
302 
303 	rfcomm_dlc_unlock(dlc);
304 
305 	/* It's safe to call __module_get() here because socket already
306 	   holds reference to this module. */
307 	__module_get(THIS_MODULE);
308 
309 	mutex_unlock(&rfcomm_dev_lock);
310 	return dev;
311 
312 out:
313 	mutex_unlock(&rfcomm_dev_lock);
314 	kfree(dev);
315 	return ERR_PTR(err);
316 }
317 
rfcomm_dev_add(struct rfcomm_dev_req * req,struct rfcomm_dlc * dlc)318 static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
319 {
320 	struct rfcomm_dev *dev;
321 	struct device *tty;
322 
323 	BT_DBG("id %d channel %d", req->dev_id, req->channel);
324 
325 	dev = __rfcomm_dev_add(req, dlc);
326 	if (IS_ERR(dev)) {
327 		rfcomm_dlc_put(dlc);
328 		return PTR_ERR(dev);
329 	}
330 
331 	tty = tty_port_register_device(&dev->port, rfcomm_tty_driver,
332 			dev->id, NULL);
333 	if (IS_ERR(tty)) {
334 		tty_port_put(&dev->port);
335 		return PTR_ERR(tty);
336 	}
337 
338 	dev->tty_dev = tty;
339 	rfcomm_reparent_device(dev);
340 	dev_set_drvdata(dev->tty_dev, dev);
341 
342 	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
343 		BT_ERR("Failed to create address attribute");
344 
345 	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
346 		BT_ERR("Failed to create channel attribute");
347 
348 	return dev->id;
349 }
350 
351 /* ---- Send buffer ---- */
rfcomm_room(struct rfcomm_dev * dev)352 static inline unsigned int rfcomm_room(struct rfcomm_dev *dev)
353 {
354 	struct rfcomm_dlc *dlc = dev->dlc;
355 
356 	/* Limit the outstanding number of packets not yet sent to 40 */
357 	int pending = 40 - atomic_read(&dev->wmem_alloc);
358 
359 	return max(0, pending) * dlc->mtu;
360 }
361 
rfcomm_wfree(struct sk_buff * skb)362 static void rfcomm_wfree(struct sk_buff *skb)
363 {
364 	struct rfcomm_dev *dev = (void *) skb->sk;
365 	atomic_dec(&dev->wmem_alloc);
366 	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
367 		tty_port_tty_wakeup(&dev->port);
368 	tty_port_put(&dev->port);
369 }
370 
rfcomm_set_owner_w(struct sk_buff * skb,struct rfcomm_dev * dev)371 static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
372 {
373 	tty_port_get(&dev->port);
374 	atomic_inc(&dev->wmem_alloc);
375 	skb->sk = (void *) dev;
376 	skb->destructor = rfcomm_wfree;
377 }
378 
rfcomm_wmalloc(struct rfcomm_dev * dev,unsigned long size,gfp_t priority)379 static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
380 {
381 	struct sk_buff *skb = alloc_skb(size, priority);
382 	if (skb)
383 		rfcomm_set_owner_w(skb, dev);
384 	return skb;
385 }
386 
387 /* ---- Device IOCTLs ---- */
388 
389 #define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
390 
__rfcomm_create_dev(struct sock * sk,void __user * arg)391 static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
392 {
393 	struct rfcomm_dev_req req;
394 	struct rfcomm_dlc *dlc;
395 	int id;
396 
397 	if (copy_from_user(&req, arg, sizeof(req)))
398 		return -EFAULT;
399 
400 	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
401 
402 	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
403 		return -EPERM;
404 
405 	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
406 		/* Socket must be connected */
407 		if (sk->sk_state != BT_CONNECTED)
408 			return -EBADFD;
409 
410 		dlc = rfcomm_pi(sk)->dlc;
411 		rfcomm_dlc_hold(dlc);
412 	} else {
413 		/* Validate the channel is unused */
414 		dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
415 		if (IS_ERR(dlc))
416 			return PTR_ERR(dlc);
417 		if (dlc)
418 			return -EBUSY;
419 		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
420 		if (!dlc)
421 			return -ENOMEM;
422 	}
423 
424 	id = rfcomm_dev_add(&req, dlc);
425 	if (id < 0)
426 		return id;
427 
428 	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
429 		/* DLC is now used by device.
430 		 * Socket must be disconnected */
431 		sk->sk_state = BT_CLOSED;
432 	}
433 
434 	return id;
435 }
436 
__rfcomm_release_dev(void __user * arg)437 static int __rfcomm_release_dev(void __user *arg)
438 {
439 	struct rfcomm_dev_req req;
440 	struct rfcomm_dev *dev;
441 	struct tty_struct *tty;
442 
443 	if (copy_from_user(&req, arg, sizeof(req)))
444 		return -EFAULT;
445 
446 	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
447 
448 	dev = rfcomm_dev_get(req.dev_id);
449 	if (!dev)
450 		return -ENODEV;
451 
452 	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
453 		tty_port_put(&dev->port);
454 		return -EPERM;
455 	}
456 
457 	/* only release once */
458 	if (test_and_set_bit(RFCOMM_DEV_RELEASED, &dev->status)) {
459 		tty_port_put(&dev->port);
460 		return -EALREADY;
461 	}
462 
463 	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
464 		rfcomm_dlc_close(dev->dlc, 0);
465 
466 	/* Shut down TTY synchronously before freeing rfcomm_dev */
467 	tty = tty_port_tty_get(&dev->port);
468 	if (tty) {
469 		tty_vhangup(tty);
470 		tty_kref_put(tty);
471 	}
472 
473 	if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
474 		tty_port_put(&dev->port);
475 
476 	tty_port_put(&dev->port);
477 	return 0;
478 }
479 
rfcomm_create_dev(struct sock * sk,void __user * arg)480 static int rfcomm_create_dev(struct sock *sk, void __user *arg)
481 {
482 	int ret;
483 
484 	mutex_lock(&rfcomm_ioctl_mutex);
485 	ret = __rfcomm_create_dev(sk, arg);
486 	mutex_unlock(&rfcomm_ioctl_mutex);
487 
488 	return ret;
489 }
490 
rfcomm_release_dev(void __user * arg)491 static int rfcomm_release_dev(void __user *arg)
492 {
493 	int ret;
494 
495 	mutex_lock(&rfcomm_ioctl_mutex);
496 	ret = __rfcomm_release_dev(arg);
497 	mutex_unlock(&rfcomm_ioctl_mutex);
498 
499 	return ret;
500 }
501 
rfcomm_get_dev_list(void __user * arg)502 static int rfcomm_get_dev_list(void __user *arg)
503 {
504 	struct rfcomm_dev *dev;
505 	struct rfcomm_dev_list_req *dl;
506 	struct rfcomm_dev_info *di;
507 	int n = 0, size, err;
508 	u16 dev_num;
509 
510 	BT_DBG("");
511 
512 	if (get_user(dev_num, (u16 __user *) arg))
513 		return -EFAULT;
514 
515 	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
516 		return -EINVAL;
517 
518 	size = sizeof(*dl) + dev_num * sizeof(*di);
519 
520 	dl = kzalloc(size, GFP_KERNEL);
521 	if (!dl)
522 		return -ENOMEM;
523 
524 	di = dl->dev_info;
525 
526 	mutex_lock(&rfcomm_dev_lock);
527 
528 	list_for_each_entry(dev, &rfcomm_dev_list, list) {
529 		if (!tty_port_get(&dev->port))
530 			continue;
531 		(di + n)->id      = dev->id;
532 		(di + n)->flags   = dev->flags;
533 		(di + n)->state   = dev->dlc->state;
534 		(di + n)->channel = dev->channel;
535 		bacpy(&(di + n)->src, &dev->src);
536 		bacpy(&(di + n)->dst, &dev->dst);
537 		tty_port_put(&dev->port);
538 		if (++n >= dev_num)
539 			break;
540 	}
541 
542 	mutex_unlock(&rfcomm_dev_lock);
543 
544 	dl->dev_num = n;
545 	size = sizeof(*dl) + n * sizeof(*di);
546 
547 	err = copy_to_user(arg, dl, size);
548 	kfree(dl);
549 
550 	return err ? -EFAULT : 0;
551 }
552 
rfcomm_get_dev_info(void __user * arg)553 static int rfcomm_get_dev_info(void __user *arg)
554 {
555 	struct rfcomm_dev *dev;
556 	struct rfcomm_dev_info di;
557 	int err = 0;
558 
559 	BT_DBG("");
560 
561 	if (copy_from_user(&di, arg, sizeof(di)))
562 		return -EFAULT;
563 
564 	dev = rfcomm_dev_get(di.id);
565 	if (!dev)
566 		return -ENODEV;
567 
568 	di.flags   = dev->flags;
569 	di.channel = dev->channel;
570 	di.state   = dev->dlc->state;
571 	bacpy(&di.src, &dev->src);
572 	bacpy(&di.dst, &dev->dst);
573 
574 	if (copy_to_user(arg, &di, sizeof(di)))
575 		err = -EFAULT;
576 
577 	tty_port_put(&dev->port);
578 	return err;
579 }
580 
rfcomm_dev_ioctl(struct sock * sk,unsigned int cmd,void __user * arg)581 int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
582 {
583 	BT_DBG("cmd %d arg %p", cmd, arg);
584 
585 	switch (cmd) {
586 	case RFCOMMCREATEDEV:
587 		return rfcomm_create_dev(sk, arg);
588 
589 	case RFCOMMRELEASEDEV:
590 		return rfcomm_release_dev(arg);
591 
592 	case RFCOMMGETDEVLIST:
593 		return rfcomm_get_dev_list(arg);
594 
595 	case RFCOMMGETDEVINFO:
596 		return rfcomm_get_dev_info(arg);
597 	}
598 
599 	return -EINVAL;
600 }
601 
602 /* ---- DLC callbacks ---- */
rfcomm_dev_data_ready(struct rfcomm_dlc * dlc,struct sk_buff * skb)603 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
604 {
605 	struct rfcomm_dev *dev = dlc->owner;
606 
607 	if (!dev) {
608 		kfree_skb(skb);
609 		return;
610 	}
611 
612 	if (!skb_queue_empty(&dev->pending)) {
613 		skb_queue_tail(&dev->pending, skb);
614 		return;
615 	}
616 
617 	BT_DBG("dlc %p len %d", dlc, skb->len);
618 
619 	tty_insert_flip_string(&dev->port, skb->data, skb->len);
620 	tty_flip_buffer_push(&dev->port);
621 
622 	kfree_skb(skb);
623 }
624 
rfcomm_dev_state_change(struct rfcomm_dlc * dlc,int err)625 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
626 {
627 	struct rfcomm_dev *dev = dlc->owner;
628 	if (!dev)
629 		return;
630 
631 	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
632 
633 	dev->err = err;
634 	if (dlc->state == BT_CONNECTED) {
635 		rfcomm_reparent_device(dev);
636 
637 		wake_up_interruptible(&dev->port.open_wait);
638 	} else if (dlc->state == BT_CLOSED)
639 		tty_port_tty_hangup(&dev->port, false);
640 }
641 
rfcomm_dev_modem_status(struct rfcomm_dlc * dlc,u8 v24_sig)642 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
643 {
644 	struct rfcomm_dev *dev = dlc->owner;
645 	if (!dev)
646 		return;
647 
648 	BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);
649 
650 	if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV))
651 		tty_port_tty_hangup(&dev->port, true);
652 
653 	dev->modem_status =
654 		((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
655 		((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
656 		((v24_sig & RFCOMM_V24_IC)  ? TIOCM_RI : 0) |
657 		((v24_sig & RFCOMM_V24_DV)  ? TIOCM_CD : 0);
658 }
659 
660 /* ---- TTY functions ---- */
rfcomm_tty_copy_pending(struct rfcomm_dev * dev)661 static void rfcomm_tty_copy_pending(struct rfcomm_dev *dev)
662 {
663 	struct sk_buff *skb;
664 	int inserted = 0;
665 
666 	BT_DBG("dev %p", dev);
667 
668 	rfcomm_dlc_lock(dev->dlc);
669 
670 	while ((skb = skb_dequeue(&dev->pending))) {
671 		inserted += tty_insert_flip_string(&dev->port, skb->data,
672 				skb->len);
673 		kfree_skb(skb);
674 	}
675 
676 	rfcomm_dlc_unlock(dev->dlc);
677 
678 	if (inserted > 0)
679 		tty_flip_buffer_push(&dev->port);
680 }
681 
682 /* do the reverse of install, clearing the tty fields and releasing the
683  * reference to tty_port
684  */
rfcomm_tty_cleanup(struct tty_struct * tty)685 static void rfcomm_tty_cleanup(struct tty_struct *tty)
686 {
687 	struct rfcomm_dev *dev = tty->driver_data;
688 
689 	clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
690 
691 	rfcomm_dlc_lock(dev->dlc);
692 	tty->driver_data = NULL;
693 	rfcomm_dlc_unlock(dev->dlc);
694 
695 	/*
696 	 * purge the dlc->tx_queue to avoid circular dependencies
697 	 * between dev and dlc
698 	 */
699 	skb_queue_purge(&dev->dlc->tx_queue);
700 
701 	tty_port_put(&dev->port);
702 }
703 
704 /* we acquire the tty_port reference since it's here the tty is first used
705  * by setting the termios. We also populate the driver_data field and install
706  * the tty port
707  */
rfcomm_tty_install(struct tty_driver * driver,struct tty_struct * tty)708 static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
709 {
710 	struct rfcomm_dev *dev;
711 	struct rfcomm_dlc *dlc;
712 	int err;
713 
714 	dev = rfcomm_dev_get(tty->index);
715 	if (!dev)
716 		return -ENODEV;
717 
718 	dlc = dev->dlc;
719 
720 	/* Attach TTY and open DLC */
721 	rfcomm_dlc_lock(dlc);
722 	tty->driver_data = dev;
723 	rfcomm_dlc_unlock(dlc);
724 	set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
725 
726 	/* install the tty_port */
727 	err = tty_port_install(&dev->port, driver, tty);
728 	if (err) {
729 		rfcomm_tty_cleanup(tty);
730 		return err;
731 	}
732 
733 	/* take over the tty_port reference if the port was created with the
734 	 * flag RFCOMM_RELEASE_ONHUP. This will force the release of the port
735 	 * when the last process closes the tty. The behaviour is expected by
736 	 * userspace.
737 	 */
738 	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
739 		set_bit(RFCOMM_TTY_OWNED, &dev->status);
740 		tty_port_put(&dev->port);
741 	}
742 
743 	return 0;
744 }
745 
rfcomm_tty_open(struct tty_struct * tty,struct file * filp)746 static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
747 {
748 	struct rfcomm_dev *dev = tty->driver_data;
749 	int err;
750 
751 	BT_DBG("tty %p id %d", tty, tty->index);
752 
753 	BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
754 	       dev->channel, dev->port.count);
755 
756 	err = tty_port_open(&dev->port, tty, filp);
757 	if (err)
758 		return err;
759 
760 	/*
761 	 * FIXME: rfcomm should use proper flow control for
762 	 * received data. This hack will be unnecessary and can
763 	 * be removed when that's implemented
764 	 */
765 	rfcomm_tty_copy_pending(dev);
766 
767 	rfcomm_dlc_unthrottle(dev->dlc);
768 
769 	return 0;
770 }
771 
rfcomm_tty_close(struct tty_struct * tty,struct file * filp)772 static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
773 {
774 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
775 
776 	BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
777 						dev->port.count);
778 
779 	tty_port_close(&dev->port, tty, filp);
780 }
781 
rfcomm_tty_write(struct tty_struct * tty,const unsigned char * buf,int count)782 static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count)
783 {
784 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
785 	struct rfcomm_dlc *dlc = dev->dlc;
786 	struct sk_buff *skb;
787 	int sent = 0, size;
788 
789 	BT_DBG("tty %p count %d", tty, count);
790 
791 	while (count) {
792 		size = min_t(uint, count, dlc->mtu);
793 
794 		skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
795 		if (!skb)
796 			break;
797 
798 		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
799 
800 		skb_put_data(skb, buf + sent, size);
801 
802 		rfcomm_dlc_send_noerror(dlc, skb);
803 
804 		sent  += size;
805 		count -= size;
806 	}
807 
808 	return sent;
809 }
810 
rfcomm_tty_write_room(struct tty_struct * tty)811 static unsigned int rfcomm_tty_write_room(struct tty_struct *tty)
812 {
813 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
814 	int room = 0;
815 
816 	if (dev && dev->dlc)
817 		room = rfcomm_room(dev);
818 
819 	BT_DBG("tty %p room %d", tty, room);
820 
821 	return room;
822 }
823 
rfcomm_tty_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)824 static int rfcomm_tty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
825 {
826 	BT_DBG("tty %p cmd 0x%02x", tty, cmd);
827 
828 	switch (cmd) {
829 	case TCGETS:
830 		BT_DBG("TCGETS is not supported");
831 		return -ENOIOCTLCMD;
832 
833 	case TCSETS:
834 		BT_DBG("TCSETS is not supported");
835 		return -ENOIOCTLCMD;
836 
837 	case TIOCMIWAIT:
838 		BT_DBG("TIOCMIWAIT");
839 		break;
840 
841 	case TIOCSERGETLSR:
842 		BT_ERR("TIOCSERGETLSR is not supported");
843 		return -ENOIOCTLCMD;
844 
845 	case TIOCSERCONFIG:
846 		BT_ERR("TIOCSERCONFIG is not supported");
847 		return -ENOIOCTLCMD;
848 
849 	default:
850 		return -ENOIOCTLCMD;	/* ioctls which we must ignore */
851 
852 	}
853 
854 	return -ENOIOCTLCMD;
855 }
856 
rfcomm_tty_set_termios(struct tty_struct * tty,const struct ktermios * old)857 static void rfcomm_tty_set_termios(struct tty_struct *tty,
858 				   const struct ktermios *old)
859 {
860 	struct ktermios *new = &tty->termios;
861 	int old_baud_rate = tty_termios_baud_rate(old);
862 	int new_baud_rate = tty_termios_baud_rate(new);
863 
864 	u8 baud, data_bits, stop_bits, parity, x_on, x_off;
865 	u16 changes = 0;
866 
867 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
868 
869 	BT_DBG("tty %p termios %p", tty, old);
870 
871 	if (!dev || !dev->dlc || !dev->dlc->session)
872 		return;
873 
874 	/* Handle turning off CRTSCTS */
875 	if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
876 		BT_DBG("Turning off CRTSCTS unsupported");
877 
878 	/* Parity on/off and when on, odd/even */
879 	if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
880 			((old->c_cflag & PARODD) != (new->c_cflag & PARODD))) {
881 		changes |= RFCOMM_RPN_PM_PARITY;
882 		BT_DBG("Parity change detected.");
883 	}
884 
885 	/* Mark and space parity are not supported! */
886 	if (new->c_cflag & PARENB) {
887 		if (new->c_cflag & PARODD) {
888 			BT_DBG("Parity is ODD");
889 			parity = RFCOMM_RPN_PARITY_ODD;
890 		} else {
891 			BT_DBG("Parity is EVEN");
892 			parity = RFCOMM_RPN_PARITY_EVEN;
893 		}
894 	} else {
895 		BT_DBG("Parity is OFF");
896 		parity = RFCOMM_RPN_PARITY_NONE;
897 	}
898 
899 	/* Setting the x_on / x_off characters */
900 	if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
901 		BT_DBG("XOFF custom");
902 		x_on = new->c_cc[VSTOP];
903 		changes |= RFCOMM_RPN_PM_XON;
904 	} else {
905 		BT_DBG("XOFF default");
906 		x_on = RFCOMM_RPN_XON_CHAR;
907 	}
908 
909 	if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
910 		BT_DBG("XON custom");
911 		x_off = new->c_cc[VSTART];
912 		changes |= RFCOMM_RPN_PM_XOFF;
913 	} else {
914 		BT_DBG("XON default");
915 		x_off = RFCOMM_RPN_XOFF_CHAR;
916 	}
917 
918 	/* Handle setting of stop bits */
919 	if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
920 		changes |= RFCOMM_RPN_PM_STOP;
921 
922 	/* POSIX does not support 1.5 stop bits and RFCOMM does not
923 	 * support 2 stop bits. So a request for 2 stop bits gets
924 	 * translated to 1.5 stop bits */
925 	if (new->c_cflag & CSTOPB)
926 		stop_bits = RFCOMM_RPN_STOP_15;
927 	else
928 		stop_bits = RFCOMM_RPN_STOP_1;
929 
930 	/* Handle number of data bits [5-8] */
931 	if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
932 		changes |= RFCOMM_RPN_PM_DATA;
933 
934 	switch (new->c_cflag & CSIZE) {
935 	case CS5:
936 		data_bits = RFCOMM_RPN_DATA_5;
937 		break;
938 	case CS6:
939 		data_bits = RFCOMM_RPN_DATA_6;
940 		break;
941 	case CS7:
942 		data_bits = RFCOMM_RPN_DATA_7;
943 		break;
944 	case CS8:
945 		data_bits = RFCOMM_RPN_DATA_8;
946 		break;
947 	default:
948 		data_bits = RFCOMM_RPN_DATA_8;
949 		break;
950 	}
951 
952 	/* Handle baudrate settings */
953 	if (old_baud_rate != new_baud_rate)
954 		changes |= RFCOMM_RPN_PM_BITRATE;
955 
956 	switch (new_baud_rate) {
957 	case 2400:
958 		baud = RFCOMM_RPN_BR_2400;
959 		break;
960 	case 4800:
961 		baud = RFCOMM_RPN_BR_4800;
962 		break;
963 	case 7200:
964 		baud = RFCOMM_RPN_BR_7200;
965 		break;
966 	case 9600:
967 		baud = RFCOMM_RPN_BR_9600;
968 		break;
969 	case 19200:
970 		baud = RFCOMM_RPN_BR_19200;
971 		break;
972 	case 38400:
973 		baud = RFCOMM_RPN_BR_38400;
974 		break;
975 	case 57600:
976 		baud = RFCOMM_RPN_BR_57600;
977 		break;
978 	case 115200:
979 		baud = RFCOMM_RPN_BR_115200;
980 		break;
981 	case 230400:
982 		baud = RFCOMM_RPN_BR_230400;
983 		break;
984 	default:
985 		/* 9600 is standard accordinag to the RFCOMM specification */
986 		baud = RFCOMM_RPN_BR_9600;
987 		break;
988 
989 	}
990 
991 	if (changes)
992 		rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
993 				data_bits, stop_bits, parity,
994 				RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
995 }
996 
rfcomm_tty_throttle(struct tty_struct * tty)997 static void rfcomm_tty_throttle(struct tty_struct *tty)
998 {
999 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1000 
1001 	BT_DBG("tty %p dev %p", tty, dev);
1002 
1003 	rfcomm_dlc_throttle(dev->dlc);
1004 }
1005 
rfcomm_tty_unthrottle(struct tty_struct * tty)1006 static void rfcomm_tty_unthrottle(struct tty_struct *tty)
1007 {
1008 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1009 
1010 	BT_DBG("tty %p dev %p", tty, dev);
1011 
1012 	rfcomm_dlc_unthrottle(dev->dlc);
1013 }
1014 
rfcomm_tty_chars_in_buffer(struct tty_struct * tty)1015 static unsigned int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
1016 {
1017 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1018 
1019 	BT_DBG("tty %p dev %p", tty, dev);
1020 
1021 	if (!dev || !dev->dlc)
1022 		return 0;
1023 
1024 	if (!skb_queue_empty(&dev->dlc->tx_queue))
1025 		return dev->dlc->mtu;
1026 
1027 	return 0;
1028 }
1029 
rfcomm_tty_flush_buffer(struct tty_struct * tty)1030 static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
1031 {
1032 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1033 
1034 	BT_DBG("tty %p dev %p", tty, dev);
1035 
1036 	if (!dev || !dev->dlc)
1037 		return;
1038 
1039 	skb_queue_purge(&dev->dlc->tx_queue);
1040 	tty_wakeup(tty);
1041 }
1042 
rfcomm_tty_send_xchar(struct tty_struct * tty,char ch)1043 static void rfcomm_tty_send_xchar(struct tty_struct *tty, char ch)
1044 {
1045 	BT_DBG("tty %p ch %c", tty, ch);
1046 }
1047 
rfcomm_tty_wait_until_sent(struct tty_struct * tty,int timeout)1048 static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
1049 {
1050 	BT_DBG("tty %p timeout %d", tty, timeout);
1051 }
1052 
rfcomm_tty_hangup(struct tty_struct * tty)1053 static void rfcomm_tty_hangup(struct tty_struct *tty)
1054 {
1055 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1056 
1057 	BT_DBG("tty %p dev %p", tty, dev);
1058 
1059 	tty_port_hangup(&dev->port);
1060 }
1061 
rfcomm_tty_tiocmget(struct tty_struct * tty)1062 static int rfcomm_tty_tiocmget(struct tty_struct *tty)
1063 {
1064 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1065 
1066 	BT_DBG("tty %p dev %p", tty, dev);
1067 
1068 	return dev->modem_status;
1069 }
1070 
rfcomm_tty_tiocmset(struct tty_struct * tty,unsigned int set,unsigned int clear)1071 static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
1072 {
1073 	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
1074 	struct rfcomm_dlc *dlc = dev->dlc;
1075 	u8 v24_sig;
1076 
1077 	BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);
1078 
1079 	rfcomm_dlc_get_modem_status(dlc, &v24_sig);
1080 
1081 	if (set & TIOCM_DSR || set & TIOCM_DTR)
1082 		v24_sig |= RFCOMM_V24_RTC;
1083 	if (set & TIOCM_RTS || set & TIOCM_CTS)
1084 		v24_sig |= RFCOMM_V24_RTR;
1085 	if (set & TIOCM_RI)
1086 		v24_sig |= RFCOMM_V24_IC;
1087 	if (set & TIOCM_CD)
1088 		v24_sig |= RFCOMM_V24_DV;
1089 
1090 	if (clear & TIOCM_DSR || clear & TIOCM_DTR)
1091 		v24_sig &= ~RFCOMM_V24_RTC;
1092 	if (clear & TIOCM_RTS || clear & TIOCM_CTS)
1093 		v24_sig &= ~RFCOMM_V24_RTR;
1094 	if (clear & TIOCM_RI)
1095 		v24_sig &= ~RFCOMM_V24_IC;
1096 	if (clear & TIOCM_CD)
1097 		v24_sig &= ~RFCOMM_V24_DV;
1098 
1099 	rfcomm_dlc_set_modem_status(dlc, v24_sig);
1100 
1101 	return 0;
1102 }
1103 
1104 /* ---- TTY structure ---- */
1105 
1106 static const struct tty_operations rfcomm_ops = {
1107 	.open			= rfcomm_tty_open,
1108 	.close			= rfcomm_tty_close,
1109 	.write			= rfcomm_tty_write,
1110 	.write_room		= rfcomm_tty_write_room,
1111 	.chars_in_buffer	= rfcomm_tty_chars_in_buffer,
1112 	.flush_buffer		= rfcomm_tty_flush_buffer,
1113 	.ioctl			= rfcomm_tty_ioctl,
1114 	.throttle		= rfcomm_tty_throttle,
1115 	.unthrottle		= rfcomm_tty_unthrottle,
1116 	.set_termios		= rfcomm_tty_set_termios,
1117 	.send_xchar		= rfcomm_tty_send_xchar,
1118 	.hangup			= rfcomm_tty_hangup,
1119 	.wait_until_sent	= rfcomm_tty_wait_until_sent,
1120 	.tiocmget		= rfcomm_tty_tiocmget,
1121 	.tiocmset		= rfcomm_tty_tiocmset,
1122 	.install                = rfcomm_tty_install,
1123 	.cleanup                = rfcomm_tty_cleanup,
1124 };
1125 
rfcomm_init_ttys(void)1126 int __init rfcomm_init_ttys(void)
1127 {
1128 	int error;
1129 
1130 	rfcomm_tty_driver = tty_alloc_driver(RFCOMM_TTY_PORTS,
1131 			TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV);
1132 	if (IS_ERR(rfcomm_tty_driver))
1133 		return PTR_ERR(rfcomm_tty_driver);
1134 
1135 	rfcomm_tty_driver->driver_name	= "rfcomm";
1136 	rfcomm_tty_driver->name		= "rfcomm";
1137 	rfcomm_tty_driver->major	= RFCOMM_TTY_MAJOR;
1138 	rfcomm_tty_driver->minor_start	= RFCOMM_TTY_MINOR;
1139 	rfcomm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
1140 	rfcomm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
1141 	rfcomm_tty_driver->init_termios	= tty_std_termios;
1142 	rfcomm_tty_driver->init_termios.c_cflag	= B9600 | CS8 | CREAD | HUPCL;
1143 	rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1144 	tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1145 
1146 	error = tty_register_driver(rfcomm_tty_driver);
1147 	if (error) {
1148 		BT_ERR("Can't register RFCOMM TTY driver");
1149 		tty_driver_kref_put(rfcomm_tty_driver);
1150 		return error;
1151 	}
1152 
1153 	BT_INFO("RFCOMM TTY layer initialized");
1154 
1155 	return 0;
1156 }
1157 
rfcomm_cleanup_ttys(void)1158 void rfcomm_cleanup_ttys(void)
1159 {
1160 	tty_unregister_driver(rfcomm_tty_driver);
1161 	tty_driver_kref_put(rfcomm_tty_driver);
1162 }
1163