1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM TTY.
26  */
27 
28 #include <linux/module.h>
29 
30 #include <linux/tty.h>
31 #include <linux/tty_driver.h>
32 #include <linux/tty_flip.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 #include <net/bluetooth/rfcomm.h>
37 
38 #define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
39 #define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
40 #define RFCOMM_TTY_MINOR 0
41 
42 static DEFINE_MUTEX(rfcomm_ioctl_mutex);
43 static struct tty_driver *rfcomm_tty_driver;
44 
45 struct rfcomm_dev {
46 	struct tty_port		port;
47 	struct list_head	list;
48 
49 	char			name[12];
50 	int			id;
51 	unsigned long		flags;
52 	int			err;
53 
54 	unsigned long		status;		/* don't export to userspace */
55 
56 	bdaddr_t		src;
57 	bdaddr_t		dst;
58 	u8			channel;
59 
60 	uint			modem_status;
61 
62 	struct rfcomm_dlc	*dlc;
63 
64 	struct device		*tty_dev;
65 
66 	atomic_t		wmem_alloc;
67 
68 	struct sk_buff_head	pending;
69 };
70 
71 static LIST_HEAD(rfcomm_dev_list);
72 static DEFINE_MUTEX(rfcomm_dev_lock);
73 
74 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
75 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
76 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
77 
78 /* ---- Device functions ---- */
79 
rfcomm_dev_destruct(struct tty_port * port)80 static void rfcomm_dev_destruct(struct tty_port *port)
81 {
82 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
83 	struct rfcomm_dlc *dlc = dev->dlc;
84 
85 	BT_DBG("dev %p dlc %p", dev, dlc);
86 
87 	rfcomm_dlc_lock(dlc);
88 	/* Detach DLC if it's owned by this dev */
89 	if (dlc->owner == dev)
90 		dlc->owner = NULL;
91 	rfcomm_dlc_unlock(dlc);
92 
93 	rfcomm_dlc_put(dlc);
94 
95 	if (dev->tty_dev)
96 		tty_unregister_device(rfcomm_tty_driver, dev->id);
97 
98 	mutex_lock(&rfcomm_dev_lock);
99 	list_del(&dev->list);
100 	mutex_unlock(&rfcomm_dev_lock);
101 
102 	kfree(dev);
103 
104 	/* It's safe to call module_put() here because socket still
105 	   holds reference to this module. */
106 	module_put(THIS_MODULE);
107 }
108 
109 /* device-specific initialization: open the dlc */
rfcomm_dev_activate(struct tty_port * port,struct tty_struct * tty)110 static int rfcomm_dev_activate(struct tty_port *port, struct tty_struct *tty)
111 {
112 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
113 	int err;
114 
115 	err = rfcomm_dlc_open(dev->dlc, &dev->src, &dev->dst, dev->channel);
116 	if (err)
117 		set_bit(TTY_IO_ERROR, &tty->flags);
118 	return err;
119 }
120 
121 /* we block the open until the dlc->state becomes BT_CONNECTED */
rfcomm_dev_carrier_raised(struct tty_port * port)122 static bool rfcomm_dev_carrier_raised(struct tty_port *port)
123 {
124 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
125 
126 	return (dev->dlc->state == BT_CONNECTED);
127 }
128 
129 /* device-specific cleanup: close the dlc */
rfcomm_dev_shutdown(struct tty_port * port)130 static void rfcomm_dev_shutdown(struct tty_port *port)
131 {
132 	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
133 
134 	if (dev->tty_dev->parent)
135 		device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
136 
137 	/* close the dlc */
138 	rfcomm_dlc_close(dev->dlc, 0);
139 }
140 
141 static const struct tty_port_operations rfcomm_port_ops = {
142 	.destruct = rfcomm_dev_destruct,
143 	.activate = rfcomm_dev_activate,
144 	.shutdown = rfcomm_dev_shutdown,
145 	.carrier_raised = rfcomm_dev_carrier_raised,
146 };
147 
__rfcomm_dev_lookup(int id)148 static struct rfcomm_dev *__rfcomm_dev_lookup(int id)
149 {
150 	struct rfcomm_dev *dev;
151 
152 	list_for_each_entry(dev, &rfcomm_dev_list, list)
153 		if (dev->id == id)
154 			return dev;
155 
156 	return NULL;
157 }
158 
rfcomm_dev_get(int id)159 static struct rfcomm_dev *rfcomm_dev_get(int id)
160 {
161 	struct rfcomm_dev *dev;
162 
163 	mutex_lock(&rfcomm_dev_lock);
164 
165 	dev = __rfcomm_dev_lookup(id);
166 
167 	if (dev && !tty_port_get(&dev->port))
168 		dev = NULL;
169 
170 	mutex_unlock(&rfcomm_dev_lock);
171 
172 	return dev;
173 }
174 
rfcomm_reparent_device(struct rfcomm_dev * dev)175 static void rfcomm_reparent_device(struct rfcomm_dev *dev)
176 {
177 	struct hci_dev *hdev;
178 	struct hci_conn *conn;
179 
180 	hdev = hci_get_route(&dev->dst, &dev->src, BDADDR_BREDR);
181 	if (!hdev)
182 		return;
183 
184 	/* The lookup results are unsafe to access without the
185 	 * hci device lock (FIXME: why is this not documented?)
186 	 */
187 	hci_dev_lock(hdev);
188 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
189 
190 	/* Just because the acl link is in the hash table is no
191 	 * guarantee the sysfs device has been added ...
192 	 */
193 	if (conn && device_is_registered(&conn->dev))
194 		device_move(dev->tty_dev, &conn->dev, DPM_ORDER_DEV_AFTER_PARENT);
195 
196 	hci_dev_unlock(hdev);
197 	hci_dev_put(hdev);
198 }
199 
address_show(struct device * tty_dev,struct device_attribute * attr,char * buf)200 static ssize_t address_show(struct device *tty_dev,
201 			    struct device_attribute *attr, char *buf)
202 {
203 	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
204 	return sprintf(buf, "%pMR\n", &dev->dst);
205 }
206 
channel_show(struct device * tty_dev,struct device_attribute * attr,char * buf)207 static ssize_t channel_show(struct device *tty_dev,
208 			    struct device_attribute *attr, char *buf)
209 {
210 	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
211 	return sprintf(buf, "%d\n", dev->channel);
212 }
213 
214 static DEVICE_ATTR_RO(address);
215 static DEVICE_ATTR_RO(channel);
216 
__rfcomm_dev_add(struct rfcomm_dev_req * req,struct rfcomm_dlc * dlc)217 static struct rfcomm_dev *__rfcomm_dev_add(struct rfcomm_dev_req *req,
218 					   struct rfcomm_dlc *dlc)
219 {
220 	struct rfcomm_dev *dev, *entry;
221 	struct list_head *head = &rfcomm_dev_list;
222 	int err = 0;
223 
224 	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
225 	if (!dev)
226 		return ERR_PTR(-ENOMEM);
227 
228 	mutex_lock(&rfcomm_dev_lock);
229 
230 	if (req->dev_id < 0) {
231 		dev->id = 0;
232 
233 		list_for_each_entry(entry, &rfcomm_dev_list, list) {
234 			if (entry->id != dev->id)
235 				break;
236 
237 			dev->id++;
238 			head = &entry->list;
239 		}
240 	} else {
241 		dev->id = req->dev_id;
242 
243 		list_for_each_entry(entry, &rfcomm_dev_list, list) {
244 			if (entry->id == dev->id) {
245 				err = -EADDRINUSE;
246 				goto out;
247 			}
248 
249 			if (entry->id > dev->id - 1)
250 				break;
251 
252 			head = &entry->list;
253 		}
254 	}
255 
256 	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
257 		err = -ENFILE;
258 		goto out;
259 	}
260 
261 	sprintf(dev->name, "rfcomm%d", dev->id);
262 
263 	list_add(&dev->list, head);
264 
265 	bacpy(&dev->src, &req->src);
266 	bacpy(&dev->dst, &req->dst);
267 	dev->channel = req->channel;
268 
269 	dev->flags = req->flags &
270 		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));
271 
272 	tty_port_init(&dev->port);
273 	dev->port.ops = &rfcomm_port_ops;
274 
275 	skb_queue_head_init(&dev->pending);
276 
277 	rfcomm_dlc_lock(dlc);
278 
279 	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
280 		struct sock *sk = dlc->owner;
281 		struct sk_buff *skb;
282 
283 		BUG_ON(!sk);
284 
285 		rfcomm_dlc_throttle(dlc);
286 
287 		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
288 			skb_orphan(skb);
289 			skb_queue_tail(&dev->pending, skb);
290 			atomic_sub(skb->len, &sk->sk_rmem_alloc);
291 		}
292 	}
293 
294 	dlc->data_ready   = rfcomm_dev_data_ready;
295 	dlc->state_change = rfcomm_dev_state_change;
296 	dlc->modem_status = rfcomm_dev_modem_status;
297 
298 	dlc->owner = dev;
299 	dev->dlc   = dlc;
300 
301 	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
302 
303 	rfcomm_dlc_unlock(dlc);
304 
305 	/* It's safe to call __module_get() here because socket already
306 	   holds reference to this module. */
307 	__module_get(THIS_MODULE);
308 
309 	mutex_unlock(&rfcomm_dev_lock);
310 	return dev;
311 
312 out:
313 	mutex_unlock(&rfcomm_dev_lock);
314 	kfree(dev);
315 	return ERR_PTR(err);
316 }
317 
rfcomm_dev_add(struct rfcomm_dev_req * req,struct rfcomm_dlc * dlc)318 static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
319 {
320 	struct rfcomm_dev *dev;
321 	struct device *tty;
322 
323 	BT_DBG("id %d channel %d", req->dev_id, req->channel);
324 
325 	dev = __rfcomm_dev_add(req, dlc);
326 	if (IS_ERR(dev)) {
327 		rfcomm_dlc_put(dlc);
328 		return PTR_ERR(dev);
329 	}
330 
331 	tty = tty_port_register_device(&dev->port, rfcomm_tty_driver,
332 			dev->id, NULL);
333 	if (IS_ERR(tty)) {
334 		tty_port_put(&dev->port);
335 		return PTR_ERR(tty);
336 	}
337 
338 	dev->tty_dev = tty;
339 	rfcomm_reparent_device(dev);
340 	dev_set_drvdata(dev->tty_dev, dev);
341 
342 	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
343 		BT_ERR("Failed to create address attribute");
344 
345 	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
346 		BT_ERR("Failed to create channel attribute");
347 
348 	return dev->id;
349 }
350 
351 /* ---- Send buffer ---- */
rfcomm_room(struct rfcomm_dev * dev)352 static inline unsigned int rfcomm_room(struct rfcomm_dev *dev)
353 {
354 	struct rfcomm_dlc *dlc = dev->dlc;
355 
356 	/* Limit the outstanding number of packets not yet sent to 40 */
357 	int pending = 40 - atomic_read(&dev->wmem_alloc);
358 
359 	return max(0, pending) * dlc->mtu;
360 }
361 
rfcomm_wfree(struct sk_buff * skb)362 static void rfcomm_wfree(struct sk_buff *skb)
363 {
364 	struct rfcomm_dev *dev = (void *) skb->sk;
365 	atomic_dec(&dev->wmem_alloc);
366 	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags))
367 		tty_port_tty_wakeup(&dev->port);
368 	tty_port_put(&dev->port);
369 }
370 
rfcomm_set_owner_w(struct sk_buff * skb,struct rfcomm_dev * dev)371 static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
372 {
373 	tty_port_get(&dev->port);
374 	atomic_inc(&dev->wmem_alloc);
375 	skb->sk = (void *) dev;
376 	skb->destructor = rfcomm_wfree;
377 }
378 
rfcomm_wmalloc(struct rfcomm_dev * dev,unsigned long size,gfp_t priority)379 static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
380 {
381 	struct sk_buff *skb = alloc_skb(size, priority);
382 	if (skb)
383 		rfcomm_set_owner_w(skb, dev);
384 	return skb;
385 }
386 
387 /* ---- Device IOCTLs ---- */
388 
389 #define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
390 
__rfcomm_create_dev(struct sock * sk,void __user * arg)391 static int __rfcomm_create_dev(struct sock *sk, void __user *arg)
392 {
393 	struct rfcomm_dev_req req;
394 	struct rfcomm_dlc *dlc;
395 	int id;
396 
397 	if (copy_from_user(&req, arg, sizeof(req)))
398 		return -EFAULT;
399 
400 	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
401 
402 	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
403 		return -EPERM;
404 
405 	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
406 		/* Socket must be connected */
407 		if (sk->sk_state != BT_CONNECTED)
408 			return -EBADFD;
409 
410 		dlc = rfcomm_pi(sk)->dlc;
411 		rfcomm_dlc_hold(dlc);
412 	} else {
413 		/* Validate the channel is unused */
414 		dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
415 		if (IS_ERR(dlc))
416 			return PTR_ERR(dlc);
417 		if (dlc)
418 			return -EBUSY;
419 		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
420 		if (!dlc)
421 			return -ENOMEM;
422 	}
423 
424 	id = rfcomm_dev_add(&req, dlc);
425 	if (id < 0)
426 		return id;
427 
428 	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
429 		/* DLC is now used by device.
430 		 * Socket must be disconnected */
431 		sk->sk_state = BT_CLOSED;
432 	}
433 
434 	return id;
435 }
436 
__rfcomm_release_dev(void __user * arg)437 static int __rfcomm_release_dev(void __user *arg)
438 {
439 	struct rfcomm_dev_req req;
440 	struct rfcomm_dev *dev;
441 	struct tty_struct *tty;
442 
443 	if (copy_from_user(&req, arg, sizeof(req)))
444 		return -EFAULT;
445 
446 	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
447 
448 	dev = rfcomm_dev_get(req.dev_id);
449 	if (!dev)
450 		return -ENODEV;
451 
452 	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
453 		tty_port_put(&dev->port);
454 		return -EPERM;
455 	}
456 
457 	/* only release once */
458 	if (test_and_set_bit(RFCOMM_DEV_RELEASED, &dev->status)) {
459 		tty_port_put(&dev->port);
460 		return -EALREADY;
461 	}
462 
463 	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
464 		rfcomm_dlc_close(dev->dlc, 0);
465 
466 	/* Shut down TTY synchronously before freeing rfcomm_dev */
467 	tty = tty_port_tty_get(&dev->port);
468 	if (tty) {
469 		tty_vhangup(tty);
470 		tty_kref_put(tty);
471 	}
472 
473 	if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
474 		tty_port_put(&dev->port);
475 
476 	tty_port_put(&dev->port);
477 	return 0;
478 }
479 
rfcomm_create_dev(struct sock * sk,void __user * arg)480 static int rfcomm_create_dev(struct sock *sk, void __user *arg)
481 {
482 	int ret;
483 
484 	mutex_lock(&rfcomm_ioctl_mutex);
485 	ret = __rfcomm_create_dev(sk, arg);
486 	mutex_unlock(&rfcomm_ioctl_mutex);
487 
488 	return ret;
489 }
490 
rfcomm_release_dev(void __user * arg)491 static int rfcomm_release_dev(void __user *arg)
492 {
493 	int ret;
494 
495 	mutex_lock(&rfcomm_ioctl_mutex);
496 	ret = __rfcomm_release_dev(arg);
497 	mutex_unlock(&rfcomm_ioctl_mutex);
498 
499 	return ret;
500 }
501 
rfcomm_get_dev_list(void __user * arg)502 static int rfcomm_get_dev_list(void __user *arg)
503 {
504 	struct rfcomm_dev *dev;
505 	struct rfcomm_dev_list_req *dl;
506 	struct rfcomm_dev_info *di;
507 	int n = 0, size, err;
508 	u16 dev_num;
509 
510 	BT_DBG("");
511 
512 	if (get_user(dev_num, (u16 __user *) arg))
513 		return -EFAULT;
514 
515 	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
516 		return -EINVAL;
517 
518 	size = sizeof(*dl) + dev_num * sizeof(*di);
519 
520 	dl = kzalloc(size, GFP_KERNEL);
521 	if (!dl)
522 		return -ENOMEM;
523 
524 	di = dl->dev_info;
525 
526 	mutex_lock(&rfcomm_dev_lock);
527 
528 	list_for_each_entry(dev, &rfcomm_dev_list, list) {
529 		if (!tty_port_get(&dev->port))
530 			continue;
531 		(di + n)->id      = dev->id;
532 		(di + n)->flags   = dev->flags;
533 		(di + n)->state   = dev->dlc->state;
534 		(di + n)->channel = dev->channel;
535 		bacpy(&(di + n)->src, &dev->src);
536 		bacpy(&(di + n)->dst, &dev->dst);
537 		tty_port_put(&dev->port);
538 		if (++n >= dev_num)
539 			break;
540 	}
541 
542 	mutex_unlock(&rfcomm_dev_lock);
543 
544 	dl->dev_num = n;
545 	size = sizeof(*dl) + n * sizeof(*di);
546 
547 	err = copy_to_user(arg, dl, size);
548 	kfree(dl);
549 
550 	return err ? -EFAULT : 0;
551 }
552 
rfcomm_get_dev_info(void __user * arg)553 static int rfcomm_get_dev_info(void __user *arg)
554 {
555 	struct rfcomm_dev *dev;
556 	struct rfcomm_dev_info di;
557 	int err = 0;
558 
559 	BT_DBG("");
560 
561 	if (copy_from_user(&di, arg, sizeof(di)))
562 		return -EFAULT;
563 
564 	dev = rfcomm_dev_get(di.id);
565 	if (!dev)
566 		return -ENODEV;
567 
568 	di.flags   = dev->flags;
569 	di.channel = dev->channel;
570 	di.state   = dev->dlc->state;
571 	bacpy(&di.src, &dev->src);
572 	bacpy(&di.dst, &dev->dst);
573 
574 	if (copy_to_user(arg, &di, sizeof(di)))
575 		err = -EFAULT;
576 
577 	tty_port_put(&dev->port);
578 	return err;
579 }
580 
rfcomm_dev_ioctl(struct sock * sk,unsigned int cmd,void __user * arg)581 int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
582 {
583 	BT_DBG("cmd %d arg %p", cmd, arg);
584 
585 	switch (cmd) {
586 	case RFCOMMCREATEDEV:
587 		return rfcomm_create_dev(sk, arg);
588 
589 	case RFCOMMRELEASEDEV:
590 		return rfcomm_release_dev(arg);
591 
592 	case RFCOMMGETDEVLIST:
593 		return rfcomm_get_dev_list(arg);
594 
595 	case RFCOMMGETDEVINFO:
596 		return rfcomm_get_dev_info(arg);
597 	}
598 
599 	return -EINVAL;
600 }
601 
602 /* ---- DLC callbacks ---- */
rfcomm_dev_data_ready(struct rfcomm_dlc * dlc,struct sk_buff * skb)603 static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
604 {
605 	struct rfcomm_dev *dev = dlc->owner;
606 
607 	if (!dev) {
608 		kfree_skb(skb);
609 		return;
610 	}
611 
612 	if (!skb_queue_empty(&dev->pending)) {
613 		skb_queue_tail(&dev->pending, skb);
614 		return;
615 	}
616 
617 	BT_DBG("dlc %p len %d", dlc, skb->len);
618 
619 	tty_insert_flip_string(&dev->port, skb->data, skb->len);
620 	tty_flip_buffer_push(&dev->port);
621 
622 	kfree_skb(skb);
623 }
624 
rfcomm_dev_state_change(struct rfcomm_dlc * dlc,int err)625 static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
626 {
627 	struct rfcomm_dev *dev = dlc->owner;
628 	if (!dev)
629 		return;
630 
631 	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
632 
633 	dev->err = err;
634 	if (dlc->state == BT_CONNECTED) {
635 		rfcomm_reparent_device(dev);
636 
637 		wake_up_interruptible(&dev->port.open_wait);
638 	} else if (dlc->state == BT_CLOSED)
639 		tty_port_tty_hangup(&dev->port, false);
640 }
641 
rfcomm_dev_modem_status(struct rfcomm_dlc * dlc,u8 v24_sig)642 static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
643 {
644 	struct rfcomm_dev *dev = dlc->owner;
645 	if (!dev)
646 		return;
647 
648 	BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);
649 
650 	if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV))
651 		tty_port_tty_hangup(&dev->port, true);
652 
653 	dev->modem_status =
654 		((v24_sig & RFCOMM_V24_RTC) ? (TIOCM_DSR | TIOCM_DTR) : 0) |
655 		((v24_sig & RFCOMM_V24_RTR) ? (TIOCM_RTS | TIOCM_CTS) : 0) |
656 		((v24_sig & RFCOMM_V24_IC)  ? TIOCM_RI : 0) |
657 		((v24_sig & RFCOMM_V24_DV)  ? TIOCM_CD : 0);
658 }
659 
660 /* ---- TTY functions ---- */
rfcomm_tty_copy_pending(struct rfcomm_dev * dev)661 static void rfcomm_tty_copy_pending(struct rfcomm_dev *dev)
662 {
663 	struct sk_buff *skb;
664 	int inserted = 0;
665 
666 	BT_DBG("dev %p", dev);
667 
668 	rfcomm_dlc_lock(dev->dlc);
669 
670 	while ((skb = skb_dequeue(&dev->pending))) {
671 		inserted += tty_insert_flip_string(&dev->port, skb->data,
672 				skb->len);
673 		kfree_skb(skb);
674 	}
675 
676 	rfcomm_dlc_unlock(dev->dlc);
677 
678 	if (inserted > 0)
679 		tty_flip_buffer_push(&dev->port);
680 }
681 
682 /* do the reverse of install, clearing the tty fields and releasing the
683  * reference to tty_port
684  */
rfcomm_tty_cleanup(struct tty_struct * tty)685 static void rfcomm_tty_cleanup(struct tty_struct *tty)
686 {
687 	struct rfcomm_dev *dev = tty->driver_data;
688 
689 	clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
690 
691 	rfcomm_dlc_lock(dev->dlc);
692 	tty->driver_data = NULL;
693 	rfcomm_dlc_unlock(dev->dlc);
694 
695 	/*
696 	 * purge the dlc->tx_queue to avoid circular dependencies
697 	 * between dev and dlc
698 	 */
699 	skb_queue_purge(&dev->dlc->tx_queue);
700 
701 	tty_port_put(&dev->port);
702 }
703 
704 /* we acquire the tty_port reference since it's here the tty is first used
705  * by setting the termios. We also populate the driver_data field and install
706  * the tty port
707  */
rfcomm_tty_install(struct tty_driver * driver,struct tty_struct * tty)708 static int rfcomm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
709 {
710 	struct rfcomm_dev *dev;
711 	struct rfcomm_dlc *dlc;
712 	int err;
713 
714 	dev = rfcomm_dev_get(tty->index);
715 	if (!dev)
716 		return -ENODEV;
717 
718 	dlc = dev->dlc;
719 
720 	/* Attach TTY and open DLC */
721 	rfcomm_dlc_lock(dlc);
722 	tty->driver_data = dev;
723 	rfcomm_dlc_unlock(dlc);
724 	set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
725 
726 	/* install the tty_port */
727 	err = tty_port_install(&dev->port, driver, tty);
728 	if (err) {
729 		rfcomm_tty_cleanup(tty);
730 		return err;
731 	}
732 
733 	/* take over the tty_port reference if the port was created with the
734 	 * flag RFCOMM_RELEASE_ONHUP. This will force the release of the port
735 	 * when the last process closes the tty. The behaviour is expected by
736 	 * userspace.
737 	 */
738 	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
739 		set_bit(RFCOMM_TTY_OWNED, &dev->status);
740 		tty_port_put(&dev->port);
741 	}
742 
743 	return 0;
744 }
745 
rfcomm_tty_open(struct tty_struct * tty,struct file * filp)746 static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
747 {
748 	struct rfcomm_dev *dev = tty->driver_data;
749 	int err;
750 
751 	BT_DBG("tty %p id %d", tty, tty->index);
752 
753 	BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
754 	       dev->channel, dev->port.count);
755 
756 	err = tty_port_open(&dev->port, tty, filp);
757 	if (err)
758 		return err;
759 
760 	/*
761 	 * FIXME: rfcomm should use proper flow control for
762 	 * received data. This hack will be unnecessary and can
763 	 * be removed when that's implemented
764 	 */
765 	rfcomm_tty_copy_pending(dev);
766 
767 	rfcomm_dlc_unthrottle(dev->dlc);
768 
769 	return 0;
770 }
771 
rfcomm_tty_close(struct tty_struct * tty,struct file * filp)772 static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
773 {
774 	struct rfcomm_dev *dev = tty->driver_data;
775 
776 	BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
777 						dev->port.count);
778 
779 	tty_port_close(&dev->port, tty, filp);
780 }
781 
rfcomm_tty_write(struct tty_struct * tty,const u8 * buf,size_t count)782 static ssize_t rfcomm_tty_write(struct tty_struct *tty, const u8 *buf,
783 				size_t count)
784 {
785 	struct rfcomm_dev *dev = tty->driver_data;
786 	struct rfcomm_dlc *dlc = dev->dlc;
787 	struct sk_buff *skb;
788 	size_t sent = 0, size;
789 
790 	BT_DBG("tty %p count %zu", tty, count);
791 
792 	while (count) {
793 		size = min_t(size_t, count, dlc->mtu);
794 
795 		skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
796 		if (!skb)
797 			break;
798 
799 		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
800 
801 		skb_put_data(skb, buf + sent, size);
802 
803 		rfcomm_dlc_send_noerror(dlc, skb);
804 
805 		sent  += size;
806 		count -= size;
807 	}
808 
809 	return sent;
810 }
811 
rfcomm_tty_write_room(struct tty_struct * tty)812 static unsigned int rfcomm_tty_write_room(struct tty_struct *tty)
813 {
814 	struct rfcomm_dev *dev = tty->driver_data;
815 	int room = 0;
816 
817 	if (dev && dev->dlc)
818 		room = rfcomm_room(dev);
819 
820 	BT_DBG("tty %p room %d", tty, room);
821 
822 	return room;
823 }
824 
rfcomm_tty_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)825 static int rfcomm_tty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
826 {
827 	BT_DBG("tty %p cmd 0x%02x", tty, cmd);
828 
829 	switch (cmd) {
830 	case TCGETS:
831 		BT_DBG("TCGETS is not supported");
832 		return -ENOIOCTLCMD;
833 
834 	case TCSETS:
835 		BT_DBG("TCSETS is not supported");
836 		return -ENOIOCTLCMD;
837 
838 	case TIOCMIWAIT:
839 		BT_DBG("TIOCMIWAIT");
840 		break;
841 
842 	case TIOCSERGETLSR:
843 		BT_ERR("TIOCSERGETLSR is not supported");
844 		return -ENOIOCTLCMD;
845 
846 	case TIOCSERCONFIG:
847 		BT_ERR("TIOCSERCONFIG is not supported");
848 		return -ENOIOCTLCMD;
849 
850 	default:
851 		return -ENOIOCTLCMD;	/* ioctls which we must ignore */
852 
853 	}
854 
855 	return -ENOIOCTLCMD;
856 }
857 
rfcomm_tty_set_termios(struct tty_struct * tty,const struct ktermios * old)858 static void rfcomm_tty_set_termios(struct tty_struct *tty,
859 				   const struct ktermios *old)
860 {
861 	struct ktermios *new = &tty->termios;
862 	int old_baud_rate = tty_termios_baud_rate(old);
863 	int new_baud_rate = tty_termios_baud_rate(new);
864 
865 	u8 baud, data_bits, stop_bits, parity, x_on, x_off;
866 	u16 changes = 0;
867 
868 	struct rfcomm_dev *dev = tty->driver_data;
869 
870 	BT_DBG("tty %p termios %p", tty, old);
871 
872 	if (!dev || !dev->dlc || !dev->dlc->session)
873 		return;
874 
875 	/* Handle turning off CRTSCTS */
876 	if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
877 		BT_DBG("Turning off CRTSCTS unsupported");
878 
879 	/* Parity on/off and when on, odd/even */
880 	if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
881 			((old->c_cflag & PARODD) != (new->c_cflag & PARODD))) {
882 		changes |= RFCOMM_RPN_PM_PARITY;
883 		BT_DBG("Parity change detected.");
884 	}
885 
886 	/* Mark and space parity are not supported! */
887 	if (new->c_cflag & PARENB) {
888 		if (new->c_cflag & PARODD) {
889 			BT_DBG("Parity is ODD");
890 			parity = RFCOMM_RPN_PARITY_ODD;
891 		} else {
892 			BT_DBG("Parity is EVEN");
893 			parity = RFCOMM_RPN_PARITY_EVEN;
894 		}
895 	} else {
896 		BT_DBG("Parity is OFF");
897 		parity = RFCOMM_RPN_PARITY_NONE;
898 	}
899 
900 	/* Setting the x_on / x_off characters */
901 	if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
902 		BT_DBG("XOFF custom");
903 		x_on = new->c_cc[VSTOP];
904 		changes |= RFCOMM_RPN_PM_XON;
905 	} else {
906 		BT_DBG("XOFF default");
907 		x_on = RFCOMM_RPN_XON_CHAR;
908 	}
909 
910 	if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
911 		BT_DBG("XON custom");
912 		x_off = new->c_cc[VSTART];
913 		changes |= RFCOMM_RPN_PM_XOFF;
914 	} else {
915 		BT_DBG("XON default");
916 		x_off = RFCOMM_RPN_XOFF_CHAR;
917 	}
918 
919 	/* Handle setting of stop bits */
920 	if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
921 		changes |= RFCOMM_RPN_PM_STOP;
922 
923 	/* POSIX does not support 1.5 stop bits and RFCOMM does not
924 	 * support 2 stop bits. So a request for 2 stop bits gets
925 	 * translated to 1.5 stop bits */
926 	if (new->c_cflag & CSTOPB)
927 		stop_bits = RFCOMM_RPN_STOP_15;
928 	else
929 		stop_bits = RFCOMM_RPN_STOP_1;
930 
931 	/* Handle number of data bits [5-8] */
932 	if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
933 		changes |= RFCOMM_RPN_PM_DATA;
934 
935 	switch (new->c_cflag & CSIZE) {
936 	case CS5:
937 		data_bits = RFCOMM_RPN_DATA_5;
938 		break;
939 	case CS6:
940 		data_bits = RFCOMM_RPN_DATA_6;
941 		break;
942 	case CS7:
943 		data_bits = RFCOMM_RPN_DATA_7;
944 		break;
945 	case CS8:
946 		data_bits = RFCOMM_RPN_DATA_8;
947 		break;
948 	default:
949 		data_bits = RFCOMM_RPN_DATA_8;
950 		break;
951 	}
952 
953 	/* Handle baudrate settings */
954 	if (old_baud_rate != new_baud_rate)
955 		changes |= RFCOMM_RPN_PM_BITRATE;
956 
957 	switch (new_baud_rate) {
958 	case 2400:
959 		baud = RFCOMM_RPN_BR_2400;
960 		break;
961 	case 4800:
962 		baud = RFCOMM_RPN_BR_4800;
963 		break;
964 	case 7200:
965 		baud = RFCOMM_RPN_BR_7200;
966 		break;
967 	case 9600:
968 		baud = RFCOMM_RPN_BR_9600;
969 		break;
970 	case 19200:
971 		baud = RFCOMM_RPN_BR_19200;
972 		break;
973 	case 38400:
974 		baud = RFCOMM_RPN_BR_38400;
975 		break;
976 	case 57600:
977 		baud = RFCOMM_RPN_BR_57600;
978 		break;
979 	case 115200:
980 		baud = RFCOMM_RPN_BR_115200;
981 		break;
982 	case 230400:
983 		baud = RFCOMM_RPN_BR_230400;
984 		break;
985 	default:
986 		/* 9600 is standard accordinag to the RFCOMM specification */
987 		baud = RFCOMM_RPN_BR_9600;
988 		break;
989 
990 	}
991 
992 	if (changes)
993 		rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
994 				data_bits, stop_bits, parity,
995 				RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
996 }
997 
rfcomm_tty_throttle(struct tty_struct * tty)998 static void rfcomm_tty_throttle(struct tty_struct *tty)
999 {
1000 	struct rfcomm_dev *dev = tty->driver_data;
1001 
1002 	BT_DBG("tty %p dev %p", tty, dev);
1003 
1004 	rfcomm_dlc_throttle(dev->dlc);
1005 }
1006 
rfcomm_tty_unthrottle(struct tty_struct * tty)1007 static void rfcomm_tty_unthrottle(struct tty_struct *tty)
1008 {
1009 	struct rfcomm_dev *dev = tty->driver_data;
1010 
1011 	BT_DBG("tty %p dev %p", tty, dev);
1012 
1013 	rfcomm_dlc_unthrottle(dev->dlc);
1014 }
1015 
rfcomm_tty_chars_in_buffer(struct tty_struct * tty)1016 static unsigned int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
1017 {
1018 	struct rfcomm_dev *dev = tty->driver_data;
1019 
1020 	BT_DBG("tty %p dev %p", tty, dev);
1021 
1022 	if (!dev || !dev->dlc)
1023 		return 0;
1024 
1025 	if (!skb_queue_empty(&dev->dlc->tx_queue))
1026 		return dev->dlc->mtu;
1027 
1028 	return 0;
1029 }
1030 
rfcomm_tty_flush_buffer(struct tty_struct * tty)1031 static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
1032 {
1033 	struct rfcomm_dev *dev = tty->driver_data;
1034 
1035 	BT_DBG("tty %p dev %p", tty, dev);
1036 
1037 	if (!dev || !dev->dlc)
1038 		return;
1039 
1040 	skb_queue_purge(&dev->dlc->tx_queue);
1041 	tty_wakeup(tty);
1042 }
1043 
rfcomm_tty_send_xchar(struct tty_struct * tty,char ch)1044 static void rfcomm_tty_send_xchar(struct tty_struct *tty, char ch)
1045 {
1046 	BT_DBG("tty %p ch %c", tty, ch);
1047 }
1048 
rfcomm_tty_wait_until_sent(struct tty_struct * tty,int timeout)1049 static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
1050 {
1051 	BT_DBG("tty %p timeout %d", tty, timeout);
1052 }
1053 
rfcomm_tty_hangup(struct tty_struct * tty)1054 static void rfcomm_tty_hangup(struct tty_struct *tty)
1055 {
1056 	struct rfcomm_dev *dev = tty->driver_data;
1057 
1058 	BT_DBG("tty %p dev %p", tty, dev);
1059 
1060 	tty_port_hangup(&dev->port);
1061 }
1062 
rfcomm_tty_tiocmget(struct tty_struct * tty)1063 static int rfcomm_tty_tiocmget(struct tty_struct *tty)
1064 {
1065 	struct rfcomm_dev *dev = tty->driver_data;
1066 
1067 	BT_DBG("tty %p dev %p", tty, dev);
1068 
1069 	return dev->modem_status;
1070 }
1071 
rfcomm_tty_tiocmset(struct tty_struct * tty,unsigned int set,unsigned int clear)1072 static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
1073 {
1074 	struct rfcomm_dev *dev = tty->driver_data;
1075 	struct rfcomm_dlc *dlc = dev->dlc;
1076 	u8 v24_sig;
1077 
1078 	BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);
1079 
1080 	rfcomm_dlc_get_modem_status(dlc, &v24_sig);
1081 
1082 	if (set & TIOCM_DSR || set & TIOCM_DTR)
1083 		v24_sig |= RFCOMM_V24_RTC;
1084 	if (set & TIOCM_RTS || set & TIOCM_CTS)
1085 		v24_sig |= RFCOMM_V24_RTR;
1086 	if (set & TIOCM_RI)
1087 		v24_sig |= RFCOMM_V24_IC;
1088 	if (set & TIOCM_CD)
1089 		v24_sig |= RFCOMM_V24_DV;
1090 
1091 	if (clear & TIOCM_DSR || clear & TIOCM_DTR)
1092 		v24_sig &= ~RFCOMM_V24_RTC;
1093 	if (clear & TIOCM_RTS || clear & TIOCM_CTS)
1094 		v24_sig &= ~RFCOMM_V24_RTR;
1095 	if (clear & TIOCM_RI)
1096 		v24_sig &= ~RFCOMM_V24_IC;
1097 	if (clear & TIOCM_CD)
1098 		v24_sig &= ~RFCOMM_V24_DV;
1099 
1100 	rfcomm_dlc_set_modem_status(dlc, v24_sig);
1101 
1102 	return 0;
1103 }
1104 
1105 /* ---- TTY structure ---- */
1106 
1107 static const struct tty_operations rfcomm_ops = {
1108 	.open			= rfcomm_tty_open,
1109 	.close			= rfcomm_tty_close,
1110 	.write			= rfcomm_tty_write,
1111 	.write_room		= rfcomm_tty_write_room,
1112 	.chars_in_buffer	= rfcomm_tty_chars_in_buffer,
1113 	.flush_buffer		= rfcomm_tty_flush_buffer,
1114 	.ioctl			= rfcomm_tty_ioctl,
1115 	.throttle		= rfcomm_tty_throttle,
1116 	.unthrottle		= rfcomm_tty_unthrottle,
1117 	.set_termios		= rfcomm_tty_set_termios,
1118 	.send_xchar		= rfcomm_tty_send_xchar,
1119 	.hangup			= rfcomm_tty_hangup,
1120 	.wait_until_sent	= rfcomm_tty_wait_until_sent,
1121 	.tiocmget		= rfcomm_tty_tiocmget,
1122 	.tiocmset		= rfcomm_tty_tiocmset,
1123 	.install                = rfcomm_tty_install,
1124 	.cleanup                = rfcomm_tty_cleanup,
1125 };
1126 
rfcomm_init_ttys(void)1127 int __init rfcomm_init_ttys(void)
1128 {
1129 	int error;
1130 
1131 	rfcomm_tty_driver = tty_alloc_driver(RFCOMM_TTY_PORTS,
1132 			TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV);
1133 	if (IS_ERR(rfcomm_tty_driver))
1134 		return PTR_ERR(rfcomm_tty_driver);
1135 
1136 	rfcomm_tty_driver->driver_name	= "rfcomm";
1137 	rfcomm_tty_driver->name		= "rfcomm";
1138 	rfcomm_tty_driver->major	= RFCOMM_TTY_MAJOR;
1139 	rfcomm_tty_driver->minor_start	= RFCOMM_TTY_MINOR;
1140 	rfcomm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
1141 	rfcomm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
1142 	rfcomm_tty_driver->init_termios	= tty_std_termios;
1143 	rfcomm_tty_driver->init_termios.c_cflag	= B9600 | CS8 | CREAD | HUPCL;
1144 	rfcomm_tty_driver->init_termios.c_lflag &= ~ICANON;
1145 	tty_set_operations(rfcomm_tty_driver, &rfcomm_ops);
1146 
1147 	error = tty_register_driver(rfcomm_tty_driver);
1148 	if (error) {
1149 		BT_ERR("Can't register RFCOMM TTY driver");
1150 		tty_driver_kref_put(rfcomm_tty_driver);
1151 		return error;
1152 	}
1153 
1154 	BT_INFO("RFCOMM TTY layer initialized");
1155 
1156 	return 0;
1157 }
1158 
rfcomm_cleanup_ttys(void)1159 void rfcomm_cleanup_ttys(void)
1160 {
1161 	tty_unregister_driver(rfcomm_tty_driver);
1162 	tty_driver_kref_put(rfcomm_tty_driver);
1163 }
1164