xref: /linux/net/bluetooth/rfcomm/tty.c (revision 6e8331ac6973435b1e7604c30f2ad394035b46e1)
1 /*
2    RFCOMM implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
4    Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 /*
25  * RFCOMM TTY.
26  *
27  * $Id: tty.c,v 1.24 2002/10/03 01:54:38 holtmann Exp $
28  */
29 
30 #include <linux/module.h>
31 
32 #include <linux/tty.h>
33 #include <linux/tty_driver.h>
34 #include <linux/tty_flip.h>
35 
36 #include <linux/capability.h>
37 #include <linux/slab.h>
38 #include <linux/skbuff.h>
39 
40 #include <net/bluetooth/bluetooth.h>
41 #include <net/bluetooth/rfcomm.h>
42 
/* Unless RFCOMM debugging is configured, BT_DBG() expands to nothing, so
   its arguments are not evaluated in non-debug builds. */
#ifndef CONFIG_BT_RFCOMM_DEBUG
#undef  BT_DBG
#define BT_DBG(D...)
#endif

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0		/* used as minor_start in rfcomm_init_ttys() */

/* TTY driver handle: allocated and registered in rfcomm_init_ttys(),
   unregistered and released in rfcomm_cleanup_ttys(). */
static struct tty_driver *rfcomm_tty_driver;
54 
/* One RFCOMM TTY device. Instances live on rfcomm_dev_list and are
   reference counted; the final rfcomm_dev_put() frees the structure. */
struct rfcomm_dev {
	struct list_head	list;		/* link in rfcomm_dev_list (under rfcomm_dev_lock) */
	atomic_t		refcnt;		/* set to 1 on add; see rfcomm_dev_hold()/rfcomm_dev_put() */

	char			name[12];	/* "rfcomm<id>", written in rfcomm_dev_add() */
	int			id;		/* device id; also passed to tty_register_device() */
	unsigned long		flags;		/* bit numbers: RFCOMM_RELEASE_ONHUP, RFCOMM_REUSE_DLC, RFCOMM_TTY_ATTACHED */
	int			opened;		/* open count kept by rfcomm_tty_open()/rfcomm_tty_close() */
	int			err;		/* last error reported through rfcomm_dev_state_change() */

	bdaddr_t		src;		/* copied from the create request */
	bdaddr_t		dst;		/* copied from the create request */
	u8 			channel;	/* copied from the create request */

	uint 			modem_status;	/* TIOCM_* bits derived from V.24 signals */

	struct rfcomm_dlc	*dlc;		/* DLC this device holds a reference on */
	struct tty_struct	*tty;		/* attached tty, NULL while closed */
	wait_queue_head_t       wait;		/* woken on DLC state change; rfcomm_tty_open() sleeps here */
	struct tasklet_struct   wakeup_task;	/* runs rfcomm_tty_wakeup() */

	atomic_t 		wmem_alloc;	/* sum of skb->truesize for skbs owned via rfcomm_set_owner_w() */
};
78 
/* All registered devices, kept in ascending id order by rfcomm_dev_add(). */
static LIST_HEAD(rfcomm_dev_list);
/* Protects rfcomm_dev_list. Writers in this file take it with
   write_lock_bh(). */
static DEFINE_RWLOCK(rfcomm_dev_lock);

/* DLC callbacks installed on the DLC by rfcomm_dev_add(). */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

/* Tasklet body for rfcomm_dev.wakeup_task. */
static void rfcomm_tty_wakeup(unsigned long arg);
87 
88 /* ---- Device functions ---- */
/*
 * Final teardown of a device, invoked by rfcomm_dev_put() when the
 * reference count reaches zero: detach from the DLC, drop the DLC
 * reference, unregister the tty device node and free the structure.
 */
static void rfcomm_dev_destruct(struct rfcomm_dev *dev)
{
	struct rfcomm_dlc *d = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, d);

	/* Clear the owner back-pointer only if it still points at us, so
	   later DLC callbacks see no owner instead of freed memory. */
	rfcomm_dlc_lock(d);
	if (d->owner == dev) {
		d->owner = NULL;
	}
	rfcomm_dlc_unlock(d);

	rfcomm_dlc_put(d);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	/* A device must already be unlinked (rfcomm_dev_del()) before its
	   last reference is dropped; anything else is a refcounting bug
	   and would leave a dangling list entry after the kfree(). */
	BUG_ON(!list_empty(&dev->list));

	kfree(dev);

	/* The socket still pins the module, so dropping our reference
	   here cannot unload the code we are running. */
	module_put(THIS_MODULE);
}
116 
/* Take an additional reference on @dev. The caller must already know the
   device is alive (e.g. it holds rfcomm_dev_lock or another reference). */
static inline void rfcomm_dev_hold(struct rfcomm_dev *dev)
{
	atomic_t *count = &dev->refcnt;

	atomic_inc(count);
}
121 
/*
 * Drop one reference on @dev and destroy the device when it was the last.
 *
 * The decrement is not done under rfcomm_dev_lock. That is only safe
 * because the count is expected to reach zero solely after
 * rfcomm_dev_del() has unlinked the device, so no lookup can find it any
 * more; rfcomm_dev_destruct() has a BUG_ON() for the case where that
 * assumption is violated.
 */
static inline void rfcomm_dev_put(struct rfcomm_dev *dev)
{
	if (!atomic_dec_and_test(&dev->refcnt))
		return;

	rfcomm_dev_destruct(dev);
}
134 
/*
 * Find the device with the given id on rfcomm_dev_list.
 *
 * Takes no lock and no reference: the caller has to hold rfcomm_dev_lock
 * and take its own reference before dropping it. Returns NULL when no
 * device has that id.
 */
static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *cur;

	list_for_each_entry(cur, &rfcomm_dev_list, list) {
		if (cur->id == id)
			return cur;
	}

	return NULL;
}
148 
/*
 * Look up a device by id and return it with an extra reference held, or
 * NULL if there is none. The caller must balance with rfcomm_dev_put().
 *
 * NOTE(review): this takes plain read_lock() while rfcomm_get_dev_list()
 * uses read_lock_bh() and every writer uses write_lock_bh(); confirm that
 * no writer can run from bottom-half context on a CPU that holds the lock
 * through this path.
 */
static inline struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *found;

	read_lock(&rfcomm_dev_lock);

	/* The reference is taken before the lock is released, so the
	   device cannot be freed between lookup and use. */
	found = __rfcomm_dev_get(id);
	if (found != NULL)
		rfcomm_dev_hold(found);

	read_unlock(&rfcomm_dev_lock);

	return found;
}
163 
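/*
 * Allocate a device for @dlc, insert it into the id-sorted device list and
 * register the matching tty device node.
 *
 * @req: create request; dev_id < 0 asks for the lowest free id, otherwise
 *       the given id is used. src, dst, channel and flags are copied.
 * @dlc: DLC the device takes over; its callbacks and owner are replaced.
 *       The reference the caller holds on it is kept by the device.
 *
 * Returns the device id on success, -ENOMEM if allocation fails,
 * -EADDRINUSE if the requested id exists, -ENFILE if the id is out of
 * range.
 */
static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev;
	struct list_head *head = &rfcomm_dev_list, *p;
	int err = 0;
	int id = -1;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);

	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	write_lock_bh(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		/* Walk the sorted list until the first gap in the ids. */
		dev->id = 0;

		list_for_each(p, &rfcomm_dev_list) {
			if (list_entry(p, struct rfcomm_dev, list)->id != dev->id)
				break;

			dev->id++;
			head = p;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each(p, &rfcomm_dev_list) {
			struct rfcomm_dev *entry = list_entry(p, struct rfcomm_dev, list);

			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = p;
		}
	}

	/* The id comes from user space (or from the walk above); it must
	   be validated before it is formatted into name[] and used as a
	   tty index. */
	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	/* Bounded write: name[] is small, so do not rely on the range
	   check above staying in step with its size. */
	snprintf(dev->name, sizeof(dev->name), "rfcomm%d", dev->id);

	list_add(&dev->list, head);
	atomic_set(&dev->refcnt, 1);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	/* Only these two request flags are ever stored on the device. */
	dev->flags = req->flags &
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	init_waitqueue_head(&dev->wait);
	tasklet_init(&dev->wakeup_task, rfcomm_tty_wakeup, (unsigned long) dev);

	rfcomm_dlc_lock(dlc);
	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;
	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already
	   holds reference to this module. */
	__module_get(THIS_MODULE);

	/* Once the lock is dropped the device is reachable through the
	   list and another task can release and free it, so remember the
	   id now and do not dereference dev afterwards. */
	id = dev->id;

out:
	write_unlock_bh(&rfcomm_dev_lock);

	if (err) {
		kfree(dev);
		return err;
	}

	/* NOTE(review): the return value is ignored, and a concurrent
	   release could still run tty_unregister_device() for this id
	   before the registration below; confirm whether that ordering
	   needs to be closed as well. */
	tty_register_device(rfcomm_tty_driver, id, NULL);

	return id;
}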
251 
/*
 * Unlink @dev from the device list and drop one reference (the one the
 * list held since rfcomm_dev_add()).
 *
 * NOTE(review): the put is unconditional, so every call drops a
 * reference even if the device was already unlinked by an earlier call;
 * callers have to make sure a device is deleted only once.
 */
static void rfcomm_dev_del(struct rfcomm_dev *dev)
{
	struct list_head *node = &dev->list;

	BT_DBG("dev %p", dev);

	write_lock_bh(&rfcomm_dev_lock);
	/* _init variant: leaves the node empty so the BUG_ON() in
	   rfcomm_dev_destruct() can check it. */
	list_del_init(node);
	write_unlock_bh(&rfcomm_dev_lock);

	rfcomm_dev_put(dev);
}
262 
263 /* ---- Send buffer ---- */
/*
 * Send budget for a DLC: mtu multiplied by the transmit credits, with the
 * credit count treated as 1 when it is zero. There is no callback when
 * tx_credits becomes nonzero again, so a zero budget would never wake the
 * writer up.
 */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	return dlc->mtu * (dlc->tx_credits ? dlc->tx_credits : 1);
}
270 
/*
 * skb destructor installed by rfcomm_set_owner_w(): give the skb's
 * truesize back to the device's write budget, schedule a writer wakeup if
 * a tty is attached, and drop the reference the skb held on the device.
 */
static void rfcomm_wfree(struct sk_buff *skb)
{
	/* skb->sk is reused to carry the owning rfcomm_dev, not a socket. */
	struct rfcomm_dev *owner = (void *) skb->sk;

	atomic_sub(skb->truesize, &owner->wmem_alloc);

	if (test_bit(RFCOMM_TTY_ATTACHED, &owner->flags)) {
		tasklet_schedule(&owner->wakeup_task);
	}

	/* Must be last: this may free the device. */
	rfcomm_dev_put(owner);
}
279 
/*
 * Charge @skb to @dev: take a device reference for the lifetime of the
 * skb, add its truesize to wmem_alloc and install rfcomm_wfree() as the
 * destructor that undoes both.
 */
static inline void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	/* Reference first, so the device outlives the skb that points at it. */
	rfcomm_dev_hold(dev);

	atomic_add(skb->truesize, &dev->wmem_alloc);

	/* skb->sk carries the device pointer; rfcomm_wfree() casts it back. */
	skb->destructor = rfcomm_wfree;
	skb->sk = (void *) dev;
}
287 
/*
 * Allocate a transmit skb of @size bytes charged to @dev.
 *
 * Returns NULL when the device's outstanding write memory has already
 * reached rfcomm_room() for its DLC, or when alloc_skb() fails. This is
 * what bounds how much kernel memory one tty writer can pin.
 */
static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	struct sk_buff *buf;

	if (!(atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)))
		return NULL;

	buf = alloc_skb(size, priority);
	if (!buf)
		return NULL;

	rfcomm_set_owner_w(buf, dev);
	return buf;
}
299 
300 /* ---- Device IOCTLs ---- */
301 
/* Flag word that is accepted without CAP_NET_ADMIN. The checks in
   rfcomm_create_dev() and rfcomm_release_dev() compare for equality, so
   both bits must be set and nothing else for the capability check to be
   skipped. */
#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))
303 
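/*
 * RFCOMMCREATEDEV handler: create a TTY device from a user request.
 *
 * @sk:  socket the ioctl was issued on.
 * @arg: user pointer to a struct rfcomm_dev_req.
 *
 * With RFCOMM_REUSE_DLC the connected socket's DLC is handed to the new
 * device and the socket is marked closed; otherwise a fresh DLC is
 * allocated. Returns the new device id, or a negative errno: -EFAULT,
 * -EPERM, -EBADFD, -ENOMEM, or whatever rfcomm_dev_add() reports.
 */
static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	/* The format used to read "%id", which prints the id followed by
	   a stray 'd'. */
	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);

	/* Anything other than exactly REUSE_DLC|RELEASE_ONHUP needs
	   CAP_NET_ADMIN. */
	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		/* NOTE(review): sk_state and the socket's dlc are read
		   without any socket lock taken in this function; confirm
		   the caller serialises against connection teardown. */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		/* The device never took over the DLC; drop our reference. */
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}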
345 
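/*
 * RFCOMMRELEASEDEV handler: remove the device named in the user request.
 *
 * @arg: user pointer to a struct rfcomm_dev_req; dev_id selects the
 *       device and the RFCOMM_HANGUP_NOW flag bit asks for the DLC to be
 *       closed first.
 *
 * Returns 0, -EFAULT, -ENODEV or -EPERM.
 */
static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	/* The format used to read "%id", which prints the id followed by
	   a stray 'd'. */
	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);

	dev = rfcomm_dev_get(req.dev_id);
	if (!dev)
		return -ENODEV;

	/* The check is against the device's stored flags, not the request.
	   NOTE(review): rfcomm_tty_open() also sets RFCOMM_TTY_ATTACHED in
	   dev->flags, so while the tty is open this equality cannot hold
	   and CAP_NET_ADMIN is required; confirm that is intended. */
	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		rfcomm_dev_put(dev);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	/* NOTE(review): nothing here marks the device as already released.
	   rfcomm_dev_del() drops a reference on every call, so two callers
	   releasing the same id at once (or a release after the hangup
	   path already deleted it) would drop the list's reference twice.
	   Needs a once-only guard; none is available in this file. */
	rfcomm_dev_del(dev);
	rfcomm_dev_put(dev);
	return 0;
}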
371 
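/*
 * RFCOMMGETDEVLIST handler: copy a snapshot of the device list to user
 * space.
 *
 * @arg: user pointer to a struct rfcomm_dev_list_req whose leading u16
 *       holds the number of entries the caller has room for.
 *
 * Returns 0, -EFAULT, -EINVAL (count is zero or exceeds four pages of
 * entries) or -ENOMEM.
 */
static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	struct list_head *p;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	/* Bound the user-supplied count before it sizes an allocation. */
	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	/* Zeroed allocation: the buffer is copied to user space below, and
	   only individual fields of each entry are assigned. With kmalloc()
	   any padding or unassigned member of the request/info structures
	   (their layout is not visible in this file) would carry stale
	   kernel heap bytes out to the caller. */
	dl = kzalloc(size, GFP_KERNEL);
	if (!dl)
		return -ENOMEM;

	di = dl->dev_info;

	read_lock_bh(&rfcomm_dev_lock);

	list_for_each(p, &rfcomm_dev_list) {
		struct rfcomm_dev *dev = list_entry(p, struct rfcomm_dev, list);
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		/* Never write past the number of entries that was allocated. */
		if (++n >= dev_num)
			break;
	}

	read_unlock_bh(&rfcomm_dev_lock);

	/* Copy back only the header plus the entries actually filled in. */
	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}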
419 
/*
 * RFCOMMGETDEVINFO handler: fill in the info structure for one device.
 *
 * @arg: user pointer to a struct rfcomm_dev_info; its id member selects
 *       the device, the remaining members are overwritten.
 *
 * The whole structure is first read from user space, so every byte that
 * is copied back is either caller-supplied or assigned here. Returns 0,
 * -EFAULT or -ENODEV.
 */
static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev_info info;
	struct rfcomm_dev *dev;
	int ret;

	BT_DBG("");

	if (copy_from_user(&info, arg, sizeof(info)))
		return -EFAULT;

	dev = rfcomm_dev_get(info.id);
	if (dev == NULL)
		return -ENODEV;

	info.flags   = dev->flags;
	info.channel = dev->channel;
	info.state   = dev->dlc->state;
	bacpy(&info.src, &dev->src);
	bacpy(&info.dst, &dev->dst);

	ret = copy_to_user(arg, &info, sizeof(info)) ? -EFAULT : 0;

	/* Balance the reference taken by rfcomm_dev_get(). */
	rfcomm_dev_put(dev);
	return ret;
}
446 
/*
 * Dispatch the RFCOMM device ioctls issued on a socket.
 *
 * @sk:  socket the ioctl arrived on (only RFCOMMCREATEDEV uses it).
 * @cmd: ioctl number.
 * @arg: untrusted user pointer, passed to the handler unchanged; each
 *       handler copies and validates it itself.
 *
 * Returns the handler's result, or -EINVAL for an unknown command.
 */
int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	if (cmd == RFCOMMCREATEDEV)
		return rfcomm_create_dev(sk, arg);

	if (cmd == RFCOMMRELEASEDEV)
		return rfcomm_release_dev(arg);

	if (cmd == RFCOMMGETDEVLIST)
		return rfcomm_get_dev_list(arg);

	if (cmd == RFCOMMGETDEVINFO)
		return rfcomm_get_dev_info(arg);

	return -EINVAL;
}
467 
468 /* ---- DLC callbacks ---- */
/*
 * DLC data_ready callback: push the payload of a received skb into the
 * attached tty's flip buffer. The skb is consumed in every case; data is
 * dropped when the DLC has no owner or the device has no tty attached.
 *
 * NOTE(review): the return value of tty_insert_flip_string() is not
 * checked, so bytes the tty layer could not take are lost silently.
 */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;
	struct tty_struct *tty = dev ? dev->tty : NULL;

	if (tty == NULL) {
		kfree_skb(skb);
		return;
	}

	BT_DBG("dlc %p tty %p len %d", dlc, tty, skb->len);

	tty_insert_flip_string(tty, skb->data, skb->len);
	tty_flip_buffer_push(tty);

	kfree_skb(skb);
}
486 
/*
 * DLC state_change callback: record the error, wake anyone sleeping in
 * rfcomm_tty_open(), and react to the DLC having closed - hang up the tty
 * if one is attached, otherwise delete the device when it was created
 * with RFCOMM_RELEASE_ONHUP.
 *
 * The unlock/lock pair below implies this is called with the DLC lock
 * held.
 */
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;

	if (dev == NULL)
		return;

	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	wake_up_interruptible(&dev->wait);

	if (dlc->state != BT_CLOSED)
		return;

	if (dev->tty) {
		tty_hangup(dev->tty);
		return;
	}

	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
		return;

	/* Keep the device alive across rfcomm_dev_del(), then drop that
	   extra reference with the DLC lock released: the final put runs
	   rfcomm_dev_destruct(), which takes the DLC lock itself and
	   would deadlock otherwise. */
	rfcomm_dev_hold(dev);
	rfcomm_dev_del(dev);

	rfcomm_dlc_unlock(dlc);
	rfcomm_dev_put(dev);
	rfcomm_dlc_lock(dlc);
}
515 
/*
 * DLC modem_status callback: translate the peer's V.24 signal byte into
 * TIOCM_* bits. If carrier was up and the new signals drop DV, the tty is
 * hung up unless it is in CLOCAL mode.
 */
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	uint status = 0;

	if (dev == NULL)
		return;

	BT_DBG("dlc %p dev %p v24_sig 0x%02x", dlc, dev, v24_sig);

	/* Carrier loss is judged against the previous status, so this has
	   to run before modem_status is overwritten. */
	if ((dev->modem_status & TIOCM_CD) && !(v24_sig & RFCOMM_V24_DV) &&
			dev->tty && !C_CLOCAL(dev->tty)) {
		tty_hangup(dev->tty);
	}

	if (v24_sig & RFCOMM_V24_RTC)
		status |= TIOCM_DSR | TIOCM_DTR;
	if (v24_sig & RFCOMM_V24_RTR)
		status |= TIOCM_RTS | TIOCM_CTS;
	if (v24_sig & RFCOMM_V24_IC)
		status |= TIOCM_RI;
	if (v24_sig & RFCOMM_V24_DV)
		status |= TIOCM_CD;

	dev->modem_status = status;
}
535 
536 /* ---- TTY functions ---- */
/*
 * Tasklet body (dev->wakeup_task): tell the line discipline and any
 * sleeping writers that transmit space has been freed.
 *
 * @arg: the struct rfcomm_dev pointer passed to tasklet_init().
 */
static void rfcomm_tty_wakeup(unsigned long arg)
{
	struct rfcomm_dev *dev = (struct rfcomm_dev *) arg;
	struct tty_struct *tty = dev->tty;

	/* The tty may already be detached by the time the tasklet runs. */
	if (tty == NULL)
		return;

	BT_DBG("dev %p tty %p", dev, tty);

	if (test_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) {
		if (tty->ldisc.write_wakeup)
			tty->ldisc.write_wakeup(tty);
	}

	wake_up_interruptible(&tty->write_wait);
#ifdef SERIAL_HAVE_POLL_WAIT
	wake_up_interruptible(&tty->poll_wait);
#endif
}
554 
/*
 * tty open(): look up the device for this tty index, and on the first
 * open attach the tty, start the DLC connection and sleep until it is
 * connected, closed, or a signal arrives.
 *
 * Returns 0 on success, -ENODEV if no device has this index, the error
 * from rfcomm_dlc_open(), -dev->err if the DLC closed while waiting, or
 * -EINTR on a signal.
 */
static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
{
	DECLARE_WAITQUEUE(wait, current);
	struct rfcomm_dev *dev;
	struct rfcomm_dlc *dlc;
	int err, id;

        id = tty->index;

	BT_DBG("tty %p id %d", tty, id);

	/* We don't leak this refcount. For reasons which are not entirely
	   clear, the TTY layer will call our ->close() method even if the
	   open fails. We decrease the refcount there, and decreasing it
	   here too would cause breakage. */
	dev = rfcomm_dev_get(id);
	if (!dev)
		return -ENODEV;

	BT_DBG("dev %p dst %s channel %d opened %d", dev, batostr(&dev->dst), dev->channel, dev->opened);

	/* Only the first opener attaches the tty and connects the DLC.
	   NOTE(review): opened is a plain int changed here and in
	   rfcomm_tty_close() with no lock taken in this file; confirm the
	   tty layer serialises open/close for one device. */
	if (dev->opened++ != 0)
		return 0;

	dlc = dev->dlc;

	/* Attach TTY and open DLC */

	/* dev->tty is published under the DLC lock. */
	rfcomm_dlc_lock(dlc);
	tty->driver_data = dev;
	dev->tty = tty;
	rfcomm_dlc_unlock(dlc);
	set_bit(RFCOMM_TTY_ATTACHED, &dev->flags);

	/* On failure the tty stays attached and the open count stays
	   raised; rfcomm_tty_close() is what undoes both. */
	err = rfcomm_dlc_open(dlc, &dev->src, &dev->dst, dev->channel);
	if (err < 0)
		return err;

	/* Wait for DLC to connect */
	add_wait_queue(&dev->wait, &wait);
	while (1) {
		/* Set the task state before testing the conditions, so a
		   wake-up from rfcomm_dev_state_change() that arrives in
		   between is not lost. */
		set_current_state(TASK_INTERRUPTIBLE);

		if (dlc->state == BT_CLOSED) {
			err = -dev->err;
			break;
		}

		if (dlc->state == BT_CONNECTED)
			break;

		if (signal_pending(current)) {
			err = -EINTR;
			break;
		}

		schedule();
	}
	set_current_state(TASK_RUNNING);
	remove_wait_queue(&dev->wait, &wait);

	return err;
}
618 
/*
 * tty close(): on the last close, shut the DLC down, stop the wakeup
 * tasklet and detach the tty from the device. Always drops the reference
 * taken in rfcomm_tty_open().
 */
static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
{
	struct rfcomm_dev *dev = tty->driver_data;

	if (dev == NULL)
		return;

	BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc, dev->opened);

	dev->opened--;
	if (dev->opened == 0) {
		rfcomm_dlc_close(dev->dlc, 0);

		/* Clear the flag first so rfcomm_wfree() stops scheduling
		   the tasklet, then wait for a running one to finish
		   before the tty pointer goes away. */
		clear_bit(RFCOMM_TTY_ATTACHED, &dev->flags);
		tasklet_kill(&dev->wakeup_task);

		/* The DLC callbacks read dev->tty; detach under the DLC
		   lock. */
		rfcomm_dlc_lock(dev->dlc);
		tty->driver_data = NULL;
		dev->tty = NULL;
		rfcomm_dlc_unlock(dev->dlc);
	}

	/* May free the device; nothing may touch dev after this. */
	rfcomm_dev_put(dev);
}
642 
/*
 * tty write(): split @buf into chunks of at most the DLC's mtu, copy each
 * into its own skb and queue it on the DLC.
 *
 * Returns the number of bytes queued; if nothing was queued, returns the
 * error from rfcomm_dlc_send(), or 0 when no skb could be allocated.
 *
 * NOTE(review): unlike rfcomm_tty_close(), rfcomm_tty_flush_buffer() and
 * rfcomm_tty_hangup(), tty->driver_data is dereferenced here without a
 * NULL check; confirm the tty layer cannot call write() on a detached
 * tty.
 */
static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count)
{
	struct rfcomm_dev *dev = tty->driver_data;
	struct rfcomm_dlc *dlc = dev->dlc;
	int err = 0;
	int sent = 0;

	BT_DBG("tty %p count %d", tty, count);

	while (count != 0) {
		struct sk_buff *skb;
		int size = min_t(uint, count, dlc->mtu);

		/* Fails once the per-device write budget is used up. */
		skb = rfcomm_wmalloc(dev, size + RFCOMM_SKB_RESERVE, GFP_ATOMIC);
		if (skb == NULL)
			break;

		skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);

		memcpy(skb_put(skb, size), buf + sent, size);

		err = rfcomm_dlc_send(dlc, skb);
		if (err < 0) {
			/* Not queued: free it here; the destructor gives
			   the budget and the device reference back. */
			kfree_skb(skb);
			break;
		}

		sent  += size;
		count -= size;
	}

	if (sent)
		return sent;

	return err;
}
675 
/*
 * tty write_room(): bytes still available in the device's write budget,
 * i.e. rfcomm_room() for the DLC minus the write memory outstanding.
 * Never returns a negative number.
 */
static int rfcomm_tty_write_room(struct tty_struct *tty)
{
	struct rfcomm_dev *dev = tty->driver_data;
	int avail;

	BT_DBG("tty %p", tty);

	avail = rfcomm_room(dev->dlc) - atomic_read(&dev->wmem_alloc);

	return (avail < 0) ? 0 : avail;
}
688 
/*
 * tty ioctl(): this driver implements no ioctl of its own. Every command
 * yields -ENOIOCTLCMD; a few well-known serial ioctls are only logged on
 * the way. @arg is never dereferenced.
 */
static int rfcomm_tty_ioctl(struct tty_struct *tty, struct file *filp, unsigned int cmd, unsigned long arg)
{
	BT_DBG("tty %p cmd 0x%02x", tty, cmd);

	switch (cmd) {
	case TCGETS:
		BT_DBG("TCGETS is not supported");
		break;

	case TCSETS:
		BT_DBG("TCSETS is not supported");
		break;

	case TIOCMIWAIT:
		BT_DBG("TIOCMIWAIT");
		break;

	case TIOCGICOUNT:
		BT_DBG("TIOCGICOUNT");
		break;

	case TIOCGSERIAL:
		BT_ERR("TIOCGSERIAL is not supported");
		break;

	case TIOCSSERIAL:
		BT_ERR("TIOCSSERIAL is not supported");
		break;

	case TIOCSERGSTRUCT:
		BT_ERR("TIOCSERGSTRUCT is not supported");
		break;

	case TIOCSERGETLSR:
		BT_ERR("TIOCSERGETLSR is not supported");
		break;

	case TIOCSERCONFIG:
		BT_ERR("TIOCSERCONFIG is not supported");
		break;

	default:
		/* ioctls which we must ignore */
		break;
	}

	return -ENOIOCTLCMD;
}
737 
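/*
 * tty set_termios(): compare the old and new termios, translate the new
 * settings into RFCOMM remote port negotiation (RPN) values and send an
 * RPN command when anything changed.
 *
 * @tty: tty whose termios were changed; the new values are in
 *       tty->termios.
 * @old: the previous settings.
 */
static void rfcomm_tty_set_termios(struct tty_struct *tty, struct termios *old)
{
	struct termios *new = (struct termios *) tty->termios;
	int old_baud_rate = tty_termios_baud_rate(old);
	int new_baud_rate = tty_termios_baud_rate(new);

	u8 baud, data_bits, stop_bits, parity, x_on, x_off;
	u16 changes = 0;

	struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;

	BT_DBG("tty %p termios %p", tty, old);

	/* rfcomm_tty_close() clears tty->driver_data, and the RPN below
	   dereferences dev->dlc->session. Whether session can be NULL for
	   an unconnected DLC is not visible in this file, so bail out on
	   any missing link instead of faulting in the kernel. */
	if (!dev || !dev->dlc || !dev->dlc->session)
		return;

	/* Handle turning off CRTSCTS */
	if ((old->c_cflag & CRTSCTS) && !(new->c_cflag & CRTSCTS))
		BT_DBG("Turning off CRTSCTS unsupported");

	/* Parity on/off and when on, odd/even */
	if (((old->c_cflag & PARENB) != (new->c_cflag & PARENB)) ||
			((old->c_cflag & PARODD) != (new->c_cflag & PARODD)) ) {
		changes |= RFCOMM_RPN_PM_PARITY;
		BT_DBG("Parity change detected.");
	}

	/* Mark and space parity are not supported! */
	if (new->c_cflag & PARENB) {
		if (new->c_cflag & PARODD) {
			BT_DBG("Parity is ODD");
			parity = RFCOMM_RPN_PARITY_ODD;
		} else {
			BT_DBG("Parity is EVEN");
			parity = RFCOMM_RPN_PARITY_EVEN;
		}
	} else {
		BT_DBG("Parity is OFF");
		parity = RFCOMM_RPN_PARITY_NONE;
	}

	/* Setting the x_on / x_off characters */
	/* NOTE(review): VSTOP feeds x_on / RFCOMM_RPN_PM_XON and VSTART
	   feeds x_off / RFCOMM_RPN_PM_XOFF, while the debug strings say
	   the opposite. This looks swapped; it is left as is because
	   changing it alters what is sent to the peer. */
	if (old->c_cc[VSTOP] != new->c_cc[VSTOP]) {
		BT_DBG("XOFF custom");
		x_on = new->c_cc[VSTOP];
		changes |= RFCOMM_RPN_PM_XON;
	} else {
		BT_DBG("XOFF default");
		x_on = RFCOMM_RPN_XON_CHAR;
	}

	if (old->c_cc[VSTART] != new->c_cc[VSTART]) {
		BT_DBG("XON custom");
		x_off = new->c_cc[VSTART];
		changes |= RFCOMM_RPN_PM_XOFF;
	} else {
		BT_DBG("XON default");
		x_off = RFCOMM_RPN_XOFF_CHAR;
	}

	/* Handle setting of stop bits */
	if ((old->c_cflag & CSTOPB) != (new->c_cflag & CSTOPB))
		changes |= RFCOMM_RPN_PM_STOP;

	/* POSIX does not support 1.5 stop bits and RFCOMM does not
	 * support 2 stop bits. So a request for 2 stop bits gets
	 * translated to 1.5 stop bits */
	if (new->c_cflag & CSTOPB) {
		stop_bits = RFCOMM_RPN_STOP_15;
	} else {
		stop_bits = RFCOMM_RPN_STOP_1;
	}

	/* Handle number of data bits [5-8] */
	if ((old->c_cflag & CSIZE) != (new->c_cflag & CSIZE))
		changes |= RFCOMM_RPN_PM_DATA;

	switch (new->c_cflag & CSIZE) {
	case CS5:
		data_bits = RFCOMM_RPN_DATA_5;
		break;
	case CS6:
		data_bits = RFCOMM_RPN_DATA_6;
		break;
	case CS7:
		data_bits = RFCOMM_RPN_DATA_7;
		break;
	case CS8:
		data_bits = RFCOMM_RPN_DATA_8;
		break;
	default:
		data_bits = RFCOMM_RPN_DATA_8;
		break;
	}

	/* Handle baudrate settings */
	if (old_baud_rate != new_baud_rate)
		changes |= RFCOMM_RPN_PM_BITRATE;

	switch (new_baud_rate) {
	case 2400:
		baud = RFCOMM_RPN_BR_2400;
		break;
	case 4800:
		baud = RFCOMM_RPN_BR_4800;
		break;
	case 7200:
		baud = RFCOMM_RPN_BR_7200;
		break;
	case 9600:
		baud = RFCOMM_RPN_BR_9600;
		break;
	case 19200:
		baud = RFCOMM_RPN_BR_19200;
		break;
	case 38400:
		baud = RFCOMM_RPN_BR_38400;
		break;
	case 57600:
		baud = RFCOMM_RPN_BR_57600;
		break;
	case 115200:
		baud = RFCOMM_RPN_BR_115200;
		break;
	case 230400:
		baud = RFCOMM_RPN_BR_230400;
		break;
	default:
		/* 9600 is standard according to the RFCOMM specification */
		baud = RFCOMM_RPN_BR_9600;
		break;

	}

	/* The parameter mask tells the peer which fields changed; nothing
	   is sent when the mask is empty. */
	if (changes)
		rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
				data_bits, stop_bits, parity,
				RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
}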
876 
/* tty throttle(): ask the DLC to stop delivering received data.
   tty->driver_data is used without a NULL check. */
static void rfcomm_tty_throttle(struct tty_struct *tty)
{
	struct rfcomm_dev *dev = tty->driver_data;

	BT_DBG("tty %p dev %p", tty, dev);

	rfcomm_dlc_throttle(dev->dlc);
}
885 
/* tty unthrottle(): let the DLC resume delivering received data.
   tty->driver_data is used without a NULL check. */
static void rfcomm_tty_unthrottle(struct tty_struct *tty)
{
	struct rfcomm_dev *dev = tty->driver_data;

	BT_DBG("tty %p dev %p", tty, dev);

	rfcomm_dlc_unthrottle(dev->dlc);
}
894 
/*
 * tty chars_in_buffer(): reports the DLC's mtu while anything is queued
 * for transmission and 0 otherwise; it is not an exact byte count.
 */
static int rfcomm_tty_chars_in_buffer(struct tty_struct *tty)
{
	struct rfcomm_dev *dev = tty->driver_data;
	struct rfcomm_dlc *d = dev->dlc;

	BT_DBG("tty %p dev %p", tty, dev);

	if (skb_queue_empty(&d->tx_queue))
		return 0;

	return d->mtu;
}
907 
/*
 * tty flush_buffer(): discard everything still queued on the DLC and let
 * the line discipline know it may write again. Does nothing when no
 * device is attached to the tty.
 */
static void rfcomm_tty_flush_buffer(struct tty_struct *tty)
{
	struct rfcomm_dev *dev = tty->driver_data;

	if (dev == NULL)
		return;

	BT_DBG("tty %p dev %p", tty, dev);

	skb_queue_purge(&dev->dlc->tx_queue);

	if (test_bit(TTY_DO_WRITE_WAKEUP, &tty->flags)) {
		if (tty->ldisc.write_wakeup)
			tty->ldisc.write_wakeup(tty);
	}
}
921 
/* tty send_xchar(): stub; the character is only logged, nothing is sent. */
static void rfcomm_tty_send_xchar(struct tty_struct *tty, char ch)
{
	BT_DBG("tty %p ch %c", tty, ch);
}
926 
/* tty wait_until_sent(): stub; returns immediately without waiting. */
static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
{
	BT_DBG("tty %p timeout %d", tty, timeout);
}
931 
/*
 * tty hangup(): flush pending output and, for devices created with
 * RFCOMM_RELEASE_ONHUP, remove the device from the list.
 *
 * NOTE(review): rfcomm_dev_del() drops a reference each time it runs;
 * confirm this path cannot run for a device that an RFCOMMRELEASEDEV
 * ioctl is deleting as well.
 */
static void rfcomm_tty_hangup(struct tty_struct *tty)
{
	struct rfcomm_dev *dev = tty->driver_data;

	if (dev == NULL)
		return;

	BT_DBG("tty %p dev %p", tty, dev);

	rfcomm_tty_flush_buffer(tty);

	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
		return;

	rfcomm_dev_del(dev);
}
945 
/* tty read_proc(): stub; writes nothing to @buf and reports zero bytes. */
static int rfcomm_tty_read_proc(char *buf, char **start, off_t offset, int len, int *eof, void *unused)
{
	const int produced = 0;

	return produced;
}
950 
/* tty tiocmget(): return the TIOCM_* bits last stored by
   rfcomm_dev_modem_status(). tty->driver_data is used without a NULL
   check. */
static int rfcomm_tty_tiocmget(struct tty_struct *tty, struct file *filp)
{
	struct rfcomm_dev *dev = tty->driver_data;

	BT_DBG("tty %p dev %p", tty, dev);

	return dev->modem_status;
}
959 
/*
 * tty tiocmset(): apply the requested TIOCM_* changes to the DLC's V.24
 * signal byte. Bits in @set are applied first, bits in @clear afterwards,
 * so a bit present in both ends up cleared. Always returns 0.
 */
static int rfcomm_tty_tiocmset(struct tty_struct *tty, struct file *filp, unsigned int set, unsigned int clear)
{
	struct rfcomm_dev *dev = tty->driver_data;
	struct rfcomm_dlc *dlc = dev->dlc;
	u8 sig;

	BT_DBG("tty %p dev %p set 0x%02x clear 0x%02x", tty, dev, set, clear);

	rfcomm_dlc_get_modem_status(dlc, &sig);

	/* DSR and DTR share RTC, RTS and CTS share RTR. */
	if (set & (TIOCM_DSR | TIOCM_DTR))
		sig |= RFCOMM_V24_RTC;
	if (set & (TIOCM_RTS | TIOCM_CTS))
		sig |= RFCOMM_V24_RTR;
	if (set & TIOCM_RI)
		sig |= RFCOMM_V24_IC;
	if (set & TIOCM_CD)
		sig |= RFCOMM_V24_DV;

	if (clear & (TIOCM_DSR | TIOCM_DTR))
		sig &= ~RFCOMM_V24_RTC;
	if (clear & (TIOCM_RTS | TIOCM_CTS))
		sig &= ~RFCOMM_V24_RTR;
	if (clear & TIOCM_RI)
		sig &= ~RFCOMM_V24_IC;
	if (clear & TIOCM_CD)
		sig &= ~RFCOMM_V24_DV;

	rfcomm_dlc_set_modem_status(dlc, sig);

	return 0;
}
992 
993 /* ---- TTY structure ---- */
994 
/* Operations table handed to the tty layer in rfcomm_init_ttys(). Of the
   handlers below, only close, flush_buffer and hangup check
   tty->driver_data for NULL before using it. */
static struct tty_operations rfcomm_ops = {
	.open			= rfcomm_tty_open,
	.close			= rfcomm_tty_close,
	.write			= rfcomm_tty_write,
	.write_room		= rfcomm_tty_write_room,
	.chars_in_buffer	= rfcomm_tty_chars_in_buffer,
	.flush_buffer		= rfcomm_tty_flush_buffer,
	.ioctl			= rfcomm_tty_ioctl,
	.throttle		= rfcomm_tty_throttle,
	.unthrottle		= rfcomm_tty_unthrottle,
	.set_termios		= rfcomm_tty_set_termios,
	.send_xchar		= rfcomm_tty_send_xchar,	/* stub */
	.hangup			= rfcomm_tty_hangup,
	.wait_until_sent	= rfcomm_tty_wait_until_sent,	/* stub */
	.read_proc		= rfcomm_tty_read_proc,		/* stub */
	.tiocmget		= rfcomm_tty_tiocmget,
	.tiocmset		= rfcomm_tty_tiocmset,
};
1013 
/*
 * Allocate, configure and register the RFCOMM TTY driver.
 *
 * Device nodes are created per device later (TTY_DRIVER_DYNAMIC_DEV),
 * from rfcomm_dev_add(). Returns 0 on success and -1 when allocation or
 * registration fails.
 */
int rfcomm_init_ttys(void)
{
	struct tty_driver *drv;

	drv = alloc_tty_driver(RFCOMM_TTY_PORTS);
	rfcomm_tty_driver = drv;
	if (drv == NULL)
		return -1;

	drv->owner		= THIS_MODULE;
	drv->driver_name	= "rfcomm";
	drv->name		= "rfcomm";
	drv->major		= RFCOMM_TTY_MAJOR;
	drv->minor_start	= RFCOMM_TTY_MINOR;
	drv->type		= TTY_DRIVER_TYPE_SERIAL;
	drv->subtype		= SERIAL_TYPE_NORMAL;
	drv->flags		= TTY_DRIVER_REAL_RAW | TTY_DRIVER_DYNAMIC_DEV;

	/* Start from the standard termios, then override the control flags. */
	drv->init_termios	= tty_std_termios;
	drv->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL;
	tty_set_operations(drv, &rfcomm_ops);

	if (tty_register_driver(drv) != 0) {
		BT_ERR("Can't register RFCOMM TTY driver");
		put_tty_driver(drv);
		return -1;
	}

	BT_INFO("RFCOMM TTY layer initialized");

	return 0;
}
1042 
/* Undo rfcomm_init_ttys(): unregister the TTY driver, then drop the
   reference on it. */
void rfcomm_cleanup_ttys(void)
{
	struct tty_driver *drv = rfcomm_tty_driver;

	tty_unregister_driver(drv);
	put_tty_driver(drv);
}
1048