1 files changed, 85 insertions, 72 deletions
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 075a3e920caf..d478be11d562 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -81,24 +81,20 @@ static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
 static struct hidp_session *__hidp_get_session(bdaddr_t *bdaddr)
 {
        struct hidp_session *session;
-        struct list_head *p;
        BT_DBG("");
-        list_for_each(p, &hidp_session_list) {
+        list_for_each_entry(session, &hidp_session_list, list) {
-                session = list_entry(p, struct hidp_session, list);
                if (!bacmp(bdaddr, &session->bdaddr))
                        return session;
        }
        return NULL;
 }
 static void __hidp_link_session(struct hidp_session *session)
 {
-        __module_get(THIS_MODULE);
        list_add(&session->list, &hidp_session_list);
-        hci_conn_hold_device(session->conn);
 }
 static void __hidp_unlink_session(struct hidp_session *session)
@@ -106,7 +102,6 @@ static void __hidp_unlink_session(struct hidp_session *session)
        hci_conn_put_device(session->conn);
        list_del(&session->list);
-        module_put(THIS_MODULE);
 }
 static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
@@ -255,6 +250,9 @@ static int __hidp_send_ctrl_message(struct hidp_session *session,
        BT_DBG("session %p data %p size %d", session, data, size);
+        if (atomic_read(&session->terminate))
+                return -EIO;
        skb = alloc_skb(size + 1, GFP_ATOMIC);
        if (!skb) {
                BT_ERR("Can't allocate memory for new frame");
@@ -329,6 +327,7 @@ static int hidp_get_raw_report(struct hid_device *hid,
        struct sk_buff *skb;
        size_t len;
        int numbered_reports = hid->report_enum[report_type].numbered;
+        int ret;
        switch (report_type) {
        case HID_FEATURE_REPORT:
@@ -352,8 +351,9 @@ static int hidp_get_raw_report(struct hid_device *hid,
        session->waiting_report_number = numbered_reports ? report_number : -1;
        set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
        data[0] = report_number;
-        if (hidp_send_ctrl_message(hid->driver_data, report_type, data, 1))
+        ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 1);
-                goto err_eio;
+        if (ret)
+                goto err;
        /* Wait for the return of the report. The returned report
           gets put in session->report_return.  */
@@ -365,11 +365,13 @@ static int hidp_get_raw_report(struct hid_device *hid,
                        5*HZ);
                if (res == 0) {
                        /* timeout */
-                        goto err_eio;
+                        ret = -EIO;
+                        goto err;
                }
                if (res < 0) {
                        /* signal */
-                        goto err_restartsys;
+                        ret = -ERESTARTSYS;
+                        goto err;
                }
        }
@@ -390,14 +392,10 @@ static int hidp_get_raw_report(struct hid_device *hid,
        return len;
-err_restartsys:
+err:
-        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
-        mutex_unlock(&session->report_mutex);
-        return -ERESTARTSYS;
-err_eio:
        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
        mutex_unlock(&session->report_mutex);
-        return -EIO;
+        return ret;
 }
 static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count,
@@ -422,11 +420,10 @@ static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, s
        /* Set up our wait, and send the report request to the device. */
        set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
-        if (hidp_send_ctrl_message(hid->driver_data, report_type,
+        ret = hidp_send_ctrl_message(hid->driver_data, report_type, data,
-                        data, count)) {
+                                                                        count);
-                ret = -ENOMEM;
+        if (ret)
                goto err;
-        }
        /* Wait for the ACK from the device. */
        while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
@@ -496,10 +493,9 @@ static void hidp_process_handshake(struct hidp_session *session,
        case HIDP_HSHK_ERR_INVALID_REPORT_ID:
        case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
        case HIDP_HSHK_ERR_INVALID_PARAMETER:
-                if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) {
+                if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
-                        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
                        wake_up_interruptible(&session->report_queue);
-                }
                /* FIXME: Call into SET_ GET_ handlers here */
                break;
@@ -520,10 +516,8 @@ static void hidp_process_handshake(struct hidp_session *session,
        }
        /* Wake up the waiting thread. */
-        if (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
+        if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
-                clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
                wake_up_interruptible(&session->report_queue);
-        }
 }
 static void hidp_process_hid_control(struct hidp_session *session,
@@ -663,25 +657,32 @@ static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
        return kernel_sendmsg(sock, &msg, &iv, 1, len);
 }
-static void hidp_process_transmit(struct hidp_session *session)
+static void hidp_process_intr_transmit(struct hidp_session *session)
 {
        struct sk_buff *skb;
        BT_DBG("session %p", session);
-        while ((skb = skb_dequeue(&session->ctrl_transmit))) {
+        while ((skb = skb_dequeue(&session->intr_transmit))) {
-                if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
+                if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {
-                        skb_queue_head(&session->ctrl_transmit, skb);
+                        skb_queue_head(&session->intr_transmit, skb);
                        break;
                }
                hidp_set_timer(session);
                kfree_skb(skb);
        }
+}
-        while ((skb = skb_dequeue(&session->intr_transmit))) {
+static void hidp_process_ctrl_transmit(struct hidp_session *session)
-                if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {
+{
-                        skb_queue_head(&session->intr_transmit, skb);
+        struct sk_buff *skb;
+        BT_DBG("session %p", session);
+        while ((skb = skb_dequeue(&session->ctrl_transmit))) {
+                if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
+                        skb_queue_head(&session->ctrl_transmit, skb);
                        break;
                }
@@ -700,6 +701,7 @@ static int hidp_session(void *arg)
        BT_DBG("session %p", session);
+        __module_get(THIS_MODULE);
        set_user_nice(current, -15);
        init_waitqueue_entry(&ctrl_wait, current);
@@ -714,23 +716,25 @@ static int hidp_session(void *arg)
                                intr_sk->sk_state != BT_CONNECTED)
                        break;
-                while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
+                while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
                        skb_orphan(skb);
                        if (!skb_linearize(skb))
-                                hidp_recv_ctrl_frame(session, skb);
+                                hidp_recv_intr_frame(session, skb);
                        else
                                kfree_skb(skb);
                }
-                while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
+                hidp_process_intr_transmit(session);
+                while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
                        skb_orphan(skb);
                        if (!skb_linearize(skb))
-                                hidp_recv_intr_frame(session, skb);
+                                hidp_recv_ctrl_frame(session, skb);
                        else
                                kfree_skb(skb);
                }
-                hidp_process_transmit(session);
+                hidp_process_ctrl_transmit(session);
                schedule();
                set_current_state(TASK_INTERRUPTIBLE);
@@ -739,6 +743,10 @@ static int hidp_session(void *arg)
        remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
        remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
+        clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
+        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
+        wake_up_interruptible(&session->report_queue);
        down_write(&hidp_session_sem);
        hidp_del_timer(session);
@@ -772,34 +780,37 @@ static int hidp_session(void *arg)
        kfree(session->rd_data);
        kfree(session);
+        module_put_and_exit(0);
        return 0;
 }
-static struct device *hidp_get_device(struct hidp_session *session)
+static struct hci_conn *hidp_get_connection(struct hidp_session *session)
 {
        bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
        bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
-        struct device *device = NULL;
+        struct hci_conn *conn;
        struct hci_dev *hdev;
        hdev = hci_get_route(dst, src);
        if (!hdev)
                return NULL;
-        session->conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
+        hci_dev_lock(hdev);
-        if (session->conn)
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
-                device = &session->conn->dev;
+        if (conn)
+                hci_conn_hold_device(conn);
+        hci_dev_unlock(hdev);
        hci_dev_put(hdev);
-        return device;
+        return conn;
 }
 static int hidp_setup_input(struct hidp_session *session,
                                struct hidp_connadd_req *req)
 {
        struct input_dev *input;
-        int err, i;
+        int i;
        input = input_allocate_device();
        if (!input)
@@ -842,17 +853,10 @@ static int hidp_setup_input(struct hidp_session *session,
                input->relbit[0] |= BIT_MASK(REL_WHEEL);
        }
-        input->dev.parent = hidp_get_device(session);
+        input->dev.parent = &session->conn->dev;
        input->event = hidp_input_event;
-        err = input_register_device(input);
-        if (err < 0) {
-                input_free_device(input);
-                session->input = NULL;
-                return err;
-        }
        return 0;
 }
@@ -949,7 +953,7 @@ static int hidp_setup_hid(struct hidp_session *session,
        strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
        strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
-        hid->dev.parent = hidp_get_device(session);
+        hid->dev.parent = &session->conn->dev;
        hid->ll_driver = &hidp_hid_driver;
        hid->hid_get_raw_report = hidp_get_raw_report;
@@ -976,18 +980,20 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
                        bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
                return -ENOTUNIQ;
-        session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
-        if (!session)
-                return -ENOMEM;
        BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size);
        down_write(&hidp_session_sem);
        s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst);
        if (s && s->state == BT_CONNECTED) {
-                err = -EEXIST;
+                up_write(&hidp_session_sem);
-                goto failed;
+                return -EEXIST;
+        }
+        session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
+        if (!session) {
+                up_write(&hidp_session_sem);
+                return -ENOMEM;
        }
        bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
@@ -1003,6 +1009,12 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        session->intr_sock = intr_sock;
        session->state     = BT_CONNECTED;
+        session->conn = hidp_get_connection(session);
+        if (!session->conn) {
+                err = -ENOTCONN;
+                goto failed;
+        }
        setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session);
        skb_queue_head_init(&session->ctrl_transmit);
@@ -1015,9 +1027,11 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        session->flags   = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
        session->idle_to = req->idle_to;
+        __hidp_link_session(session);
        if (req->rd_size > 0) {
                err = hidp_setup_hid(session, req);
-                if (err && err != -ENODEV)
+                if (err)
                        goto purge;
        }
@@ -1027,8 +1041,6 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
                        goto purge;
        }
-        __hidp_link_session(session);
        hidp_set_timer(session);
        if (session->hid) {
@@ -1054,7 +1066,11 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
                        !session->waiting_for_startup);
        }
-        err = hid_add_device(session->hid);
+        if (session->hid)
+                err = hid_add_device(session->hid);
+        else
+                err = input_register_device(session->input);
        if (err < 0) {
                atomic_inc(&session->terminate);
                wake_up_process(session->task);
@@ -1077,8 +1093,6 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
 unlink:
        hidp_del_timer(session);
-        __hidp_unlink_session(session);
        if (session->input) {
                input_unregister_device(session->input);
                session->input = NULL;
@@ -1093,6 +1107,8 @@ unlink:
        session->rd_data = NULL;
 purge:
+        __hidp_unlink_session(session);
        skb_queue_purge(&session->ctrl_transmit);
        skb_queue_purge(&session->intr_transmit);
@@ -1134,19 +1150,16 @@ int hidp_del_connection(struct hidp_conndel_req *req)
 int hidp_get_connlist(struct hidp_connlist_req *req)
 {
-        struct list_head *p;
+        struct hidp_session *session;
        int err = 0, n = 0;
        BT_DBG("");
        down_read(&hidp_session_sem);
-        list_for_each(p, &hidp_session_list) {
+        list_for_each_entry(session, &hidp_session_list, list) {
-                struct hidp_session *session;
                struct hidp_conninfo ci;
-                session = list_entry(p, struct hidp_session, list);
                __hidp_copy_session(session, &ci);
                if (copy_to_user(req->ci, &ci, sizeof(ci))) {

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 075a3e920caf..d478be11d562 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c
@@ -81,24 +81,20 @@ static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
81	static struct hidp_session __hidp_get_session(bdaddr_t bdaddr)	81	static struct hidp_session __hidp_get_session(bdaddr_t bdaddr)
82	{	82	{
83	struct hidp_session *session;	83	struct hidp_session *session;
84	struct list_head *p;
85		84
86	BT_DBG("");	85	BT_DBG("");
87		86
88	list_for_each(p, &hidp_session_list) {	87	list_for_each_entry(session, &hidp_session_list, list) {
89	session = list_entry(p, struct hidp_session, list);
90	if (!bacmp(bdaddr, &session->bdaddr))	88	if (!bacmp(bdaddr, &session->bdaddr))
91	return session;	89	return session;
92	}	90	}
		91
93	return NULL;	92	return NULL;
94	}	93	}
95		94
96	static void __hidp_link_session(struct hidp_session *session)	95	static void __hidp_link_session(struct hidp_session *session)
97	{	96	{
98	__module_get(THIS_MODULE);
99	list_add(&session->list, &hidp_session_list);	97	list_add(&session->list, &hidp_session_list);
100
101	hci_conn_hold_device(session->conn);
102	}	98	}
103		99
104	static void __hidp_unlink_session(struct hidp_session *session)	100	static void __hidp_unlink_session(struct hidp_session *session)
@@ -106,7 +102,6 @@ static void __hidp_unlink_session(struct hidp_session *session)
106	hci_conn_put_device(session->conn);	102	hci_conn_put_device(session->conn);
107		103
108	list_del(&session->list);	104	list_del(&session->list);
109	module_put(THIS_MODULE);
110	}	105	}
111		106
112	static void __hidp_copy_session(struct hidp_session session, struct hidp_conninfo ci)	107	static void __hidp_copy_session(struct hidp_session session, struct hidp_conninfo ci)
@@ -255,6 +250,9 @@ static int __hidp_send_ctrl_message(struct hidp_session *session,
255		250
256	BT_DBG("session %p data %p size %d", session, data, size);	251	BT_DBG("session %p data %p size %d", session, data, size);
257		252
		253	if (atomic_read(&session->terminate))
		254	return -EIO;
		255
258	skb = alloc_skb(size + 1, GFP_ATOMIC);	256	skb = alloc_skb(size + 1, GFP_ATOMIC);
259	if (!skb) {	257	if (!skb) {
260	BT_ERR("Can't allocate memory for new frame");	258	BT_ERR("Can't allocate memory for new frame");
@@ -329,6 +327,7 @@ static int hidp_get_raw_report(struct hid_device *hid,
329	struct sk_buff *skb;	327	struct sk_buff *skb;
330	size_t len;	328	size_t len;
331	int numbered_reports = hid->report_enum[report_type].numbered;	329	int numbered_reports = hid->report_enum[report_type].numbered;
		330	int ret;
332		331
333	switch (report_type) {	332	switch (report_type) {
334	case HID_FEATURE_REPORT:	333	case HID_FEATURE_REPORT:
@@ -352,8 +351,9 @@ static int hidp_get_raw_report(struct hid_device *hid,
352	session->waiting_report_number = numbered_reports ? report_number : -1;	351	session->waiting_report_number = numbered_reports ? report_number : -1;
353	set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);	352	set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
354	data[0] = report_number;	353	data[0] = report_number;
355	if (hidp_send_ctrl_message(hid->driver_data, report_type, data, 1))	354	ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 1);
356	goto err_eio;	355	if (ret)
		356	goto err;
357		357
358	/* Wait for the return of the report. The returned report	358	/* Wait for the return of the report. The returned report
359	gets put in session->report_return. */	359	gets put in session->report_return. */
@@ -365,11 +365,13 @@ static int hidp_get_raw_report(struct hid_device *hid,
365	5*HZ);	365	5*HZ);
366	if (res == 0) {	366	if (res == 0) {
367	/* timeout */	367	/* timeout */
368	goto err_eio;	368	ret = -EIO;
		369	goto err;
369	}	370	}
370	if (res < 0) {	371	if (res < 0) {
371	/* signal */	372	/* signal */
372	goto err_restartsys;	373	ret = -ERESTARTSYS;
		374	goto err;
373	}	375	}
374	}	376	}
375		377
@@ -390,14 +392,10 @@ static int hidp_get_raw_report(struct hid_device *hid,
390		392
391	return len;	393	return len;
392		394
393	err_restartsys:	395	err:
394	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
395	mutex_unlock(&session->report_mutex);
396	return -ERESTARTSYS;
397	err_eio:
398	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);	396	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
399	mutex_unlock(&session->report_mutex);	397	mutex_unlock(&session->report_mutex);
400	return -EIO;	398	return ret;
401	}	399	}
402		400
403	static int hidp_output_raw_report(struct hid_device hid, unsigned char data, size_t count,	401	static int hidp_output_raw_report(struct hid_device hid, unsigned char data, size_t count,
@@ -422,11 +420,10 @@ static int hidp_output_raw_report(struct hid_device hid, unsigned char data, s
422		420
423	/* Set up our wait, and send the report request to the device. */	421	/* Set up our wait, and send the report request to the device. */
424	set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);	422	set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
425	if (hidp_send_ctrl_message(hid->driver_data, report_type,	423	ret = hidp_send_ctrl_message(hid->driver_data, report_type, data,
426	data, count)) {	424	count);
427	ret = -ENOMEM;	425	if (ret)
428	goto err;	426	goto err;
429	}
430		427
431	/* Wait for the ACK from the device. */	428	/* Wait for the ACK from the device. */
432	while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {	429	while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
@@ -496,10 +493,9 @@ static void hidp_process_handshake(struct hidp_session *session,
496	case HIDP_HSHK_ERR_INVALID_REPORT_ID:	493	case HIDP_HSHK_ERR_INVALID_REPORT_ID:
497	case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:	494	case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
498	case HIDP_HSHK_ERR_INVALID_PARAMETER:	495	case HIDP_HSHK_ERR_INVALID_PARAMETER:
499	if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) {	496	if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
500	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
501	wake_up_interruptible(&session->report_queue);	497	wake_up_interruptible(&session->report_queue);
502	}	498
503	/* FIXME: Call into SET_ GET_ handlers here */	499	/* FIXME: Call into SET_ GET_ handlers here */
504	break;	500	break;
505		501
@@ -520,10 +516,8 @@ static void hidp_process_handshake(struct hidp_session *session,
520	}	516	}
521		517
522	/* Wake up the waiting thread. */	518	/* Wake up the waiting thread. */
523	if (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {	519	if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
524	clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
525	wake_up_interruptible(&session->report_queue);	520	wake_up_interruptible(&session->report_queue);
526	}
527	}	521	}
528		522
529	static void hidp_process_hid_control(struct hidp_session *session,	523	static void hidp_process_hid_control(struct hidp_session *session,
@@ -663,25 +657,32 @@ static int hidp_send_frame(struct socket sock, unsigned char data, int len)
663	return kernel_sendmsg(sock, &msg, &iv, 1, len);	657	return kernel_sendmsg(sock, &msg, &iv, 1, len);
664	}	658	}
665		659
666	static void hidp_process_transmit(struct hidp_session *session)	660	static void hidp_process_intr_transmit(struct hidp_session *session)
667	{	661	{
668	struct sk_buff *skb;	662	struct sk_buff *skb;
669		663
670	BT_DBG("session %p", session);	664	BT_DBG("session %p", session);
671		665
672	while ((skb = skb_dequeue(&session->ctrl_transmit))) {	666	while ((skb = skb_dequeue(&session->intr_transmit))) {
673	if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {	667	if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {
674	skb_queue_head(&session->ctrl_transmit, skb);	668	skb_queue_head(&session->intr_transmit, skb);
675	break;	669	break;
676	}	670	}
677		671
678	hidp_set_timer(session);	672	hidp_set_timer(session);
679	kfree_skb(skb);	673	kfree_skb(skb);
680	}	674	}
		675	}
681		676
682	while ((skb = skb_dequeue(&session->intr_transmit))) {	677	static void hidp_process_ctrl_transmit(struct hidp_session *session)
683	if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {	678	{
684	skb_queue_head(&session->intr_transmit, skb);	679	struct sk_buff *skb;
		680
		681	BT_DBG("session %p", session);
		682
		683	while ((skb = skb_dequeue(&session->ctrl_transmit))) {
		684	if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
		685	skb_queue_head(&session->ctrl_transmit, skb);
685	break;	686	break;
686	}	687	}
687		688
@@ -700,6 +701,7 @@ static int hidp_session(void *arg)
700		701
701	BT_DBG("session %p", session);	702	BT_DBG("session %p", session);
702		703
		704	__module_get(THIS_MODULE);
703	set_user_nice(current, -15);	705	set_user_nice(current, -15);
704		706
705	init_waitqueue_entry(&ctrl_wait, current);	707	init_waitqueue_entry(&ctrl_wait, current);
@@ -714,23 +716,25 @@ static int hidp_session(void *arg)
714	intr_sk->sk_state != BT_CONNECTED)	716	intr_sk->sk_state != BT_CONNECTED)
715	break;	717	break;
716		718
717	while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {	719	while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
718	skb_orphan(skb);	720	skb_orphan(skb);
719	if (!skb_linearize(skb))	721	if (!skb_linearize(skb))
720	hidp_recv_ctrl_frame(session, skb);	722	hidp_recv_intr_frame(session, skb);
721	else	723	else
722	kfree_skb(skb);	724	kfree_skb(skb);
723	}	725	}
724		726
725	while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {	727	hidp_process_intr_transmit(session);
		728
		729	while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
726	skb_orphan(skb);	730	skb_orphan(skb);
727	if (!skb_linearize(skb))	731	if (!skb_linearize(skb))
728	hidp_recv_intr_frame(session, skb);	732	hidp_recv_ctrl_frame(session, skb);
729	else	733	else
730	kfree_skb(skb);	734	kfree_skb(skb);
731	}	735	}
732		736
733	hidp_process_transmit(session);	737	hidp_process_ctrl_transmit(session);
734		738
735	schedule();	739	schedule();
736	set_current_state(TASK_INTERRUPTIBLE);	740	set_current_state(TASK_INTERRUPTIBLE);
@@ -739,6 +743,10 @@ static int hidp_session(void *arg)
739	remove_wait_queue(sk_sleep(intr_sk), &intr_wait);	743	remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
740	remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);	744	remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
741		745
		746	clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
		747	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
		748	wake_up_interruptible(&session->report_queue);
		749
742	down_write(&hidp_session_sem);	750	down_write(&hidp_session_sem);
743		751
744	hidp_del_timer(session);	752	hidp_del_timer(session);
@@ -772,34 +780,37 @@ static int hidp_session(void *arg)
772		780
773	kfree(session->rd_data);	781	kfree(session->rd_data);
774	kfree(session);	782	kfree(session);
		783	module_put_and_exit(0);
775	return 0;	784	return 0;
776	}	785	}
777		786
778	static struct device hidp_get_device(struct hidp_session session)	787	static struct hci_conn hidp_get_connection(struct hidp_session session)
779	{	788	{
780	bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;	789	bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
781	bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;	790	bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
782	struct device *device = NULL;	791	struct hci_conn *conn;
783	struct hci_dev *hdev;	792	struct hci_dev *hdev;
784		793
785	hdev = hci_get_route(dst, src);	794	hdev = hci_get_route(dst, src);
786	if (!hdev)	795	if (!hdev)
787	return NULL;	796	return NULL;
788		797
789	session->conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);	798	hci_dev_lock(hdev);
790	if (session->conn)	799	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
791	device = &session->conn->dev;	800	if (conn)
		801	hci_conn_hold_device(conn);
		802	hci_dev_unlock(hdev);
792		803
793	hci_dev_put(hdev);	804	hci_dev_put(hdev);
794		805
795	return device;	806	return conn;
796	}	807	}
797		808
798	static int hidp_setup_input(struct hidp_session *session,	809	static int hidp_setup_input(struct hidp_session *session,
799	struct hidp_connadd_req *req)	810	struct hidp_connadd_req *req)
800	{	811	{
801	struct input_dev *input;	812	struct input_dev *input;
802	int err, i;	813	int i;
803		814
804	input = input_allocate_device();	815	input = input_allocate_device();
805	if (!input)	816	if (!input)
@@ -842,17 +853,10 @@ static int hidp_setup_input(struct hidp_session *session,
842	input->relbit[0] \|= BIT_MASK(REL_WHEEL);	853	input->relbit[0] \|= BIT_MASK(REL_WHEEL);
843	}	854	}
844		855
845	input->dev.parent = hidp_get_device(session);	856	input->dev.parent = &session->conn->dev;
846		857
847	input->event = hidp_input_event;	858	input->event = hidp_input_event;
848		859
849	err = input_register_device(input);
850	if (err < 0) {
851	input_free_device(input);
852	session->input = NULL;
853	return err;
854	}
855
856	return 0;	860	return 0;
857	}	861	}
858		862
@@ -949,7 +953,7 @@ static int hidp_setup_hid(struct hidp_session *session,
949	strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);	953	strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
950	strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);	954	strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
951		955
952	hid->dev.parent = hidp_get_device(session);	956	hid->dev.parent = &session->conn->dev;
953	hid->ll_driver = &hidp_hid_driver;	957	hid->ll_driver = &hidp_hid_driver;
954		958
955	hid->hid_get_raw_report = hidp_get_raw_report;	959	hid->hid_get_raw_report = hidp_get_raw_report;
@@ -976,18 +980,20 @@ int hidp_add_connection(struct hidp_connadd_req req, struct socket ctrl_sock,
976	bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))	980	bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
977	return -ENOTUNIQ;	981	return -ENOTUNIQ;
978		982
979	session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
980	if (!session)
981	return -ENOMEM;
982
983	BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size);	983	BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size);
984		984
985	down_write(&hidp_session_sem);	985	down_write(&hidp_session_sem);
986		986
987	s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst);	987	s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst);
988	if (s && s->state == BT_CONNECTED) {	988	if (s && s->state == BT_CONNECTED) {
989	err = -EEXIST;	989	up_write(&hidp_session_sem);
990	goto failed;	990	return -EEXIST;
		991	}
		992
		993	session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
		994	if (!session) {
		995	up_write(&hidp_session_sem);
		996	return -ENOMEM;
991	}	997	}
992		998
993	bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);	999	bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
@@ -1003,6 +1009,12 @@ int hidp_add_connection(struct hidp_connadd_req req, struct socket ctrl_sock,
1003	session->intr_sock = intr_sock;	1009	session->intr_sock = intr_sock;
1004	session->state = BT_CONNECTED;	1010	session->state = BT_CONNECTED;
1005		1011
		1012	session->conn = hidp_get_connection(session);
		1013	if (!session->conn) {
		1014	err = -ENOTCONN;
		1015	goto failed;
		1016	}
		1017
1006	setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session);	1018	setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session);
1007		1019
1008	skb_queue_head_init(&session->ctrl_transmit);	1020	skb_queue_head_init(&session->ctrl_transmit);
@@ -1015,9 +1027,11 @@ int hidp_add_connection(struct hidp_connadd_req req, struct socket ctrl_sock,
1015	session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);	1027	session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
1016	session->idle_to = req->idle_to;	1028	session->idle_to = req->idle_to;
1017		1029
		1030	__hidp_link_session(session);
		1031
1018	if (req->rd_size > 0) {	1032	if (req->rd_size > 0) {
1019	err = hidp_setup_hid(session, req);	1033	err = hidp_setup_hid(session, req);
1020	if (err && err != -ENODEV)	1034	if (err)
1021	goto purge;	1035	goto purge;
1022	}	1036	}
1023		1037
@@ -1027,8 +1041,6 @@ int hidp_add_connection(struct hidp_connadd_req req, struct socket ctrl_sock,
1027	goto purge;	1041	goto purge;
1028	}	1042	}
1029		1043
1030	__hidp_link_session(session);
1031
1032	hidp_set_timer(session);	1044	hidp_set_timer(session);
1033		1045
1034	if (session->hid) {	1046	if (session->hid) {
@@ -1054,7 +1066,11 @@ int hidp_add_connection(struct hidp_connadd_req req, struct socket ctrl_sock,
1054	!session->waiting_for_startup);	1066	!session->waiting_for_startup);
1055	}	1067	}
1056		1068
1057	err = hid_add_device(session->hid);	1069	if (session->hid)
		1070	err = hid_add_device(session->hid);
		1071	else
		1072	err = input_register_device(session->input);
		1073
1058	if (err < 0) {	1074	if (err < 0) {
1059	atomic_inc(&session->terminate);	1075	atomic_inc(&session->terminate);
1060	wake_up_process(session->task);	1076	wake_up_process(session->task);
@@ -1077,8 +1093,6 @@ int hidp_add_connection(struct hidp_connadd_req req, struct socket ctrl_sock,
1077	unlink:	1093	unlink:
1078	hidp_del_timer(session);	1094	hidp_del_timer(session);
1079		1095
1080	__hidp_unlink_session(session);
1081
1082	if (session->input) {	1096	if (session->input) {
1083	input_unregister_device(session->input);	1097	input_unregister_device(session->input);
1084	session->input = NULL;	1098	session->input = NULL;
@@ -1093,6 +1107,8 @@ unlink:
1093	session->rd_data = NULL;	1107	session->rd_data = NULL;
1094		1108
1095	purge:	1109	purge:
		1110	__hidp_unlink_session(session);
		1111
1096	skb_queue_purge(&session->ctrl_transmit);	1112	skb_queue_purge(&session->ctrl_transmit);
1097	skb_queue_purge(&session->intr_transmit);	1113	skb_queue_purge(&session->intr_transmit);
1098		1114
@@ -1134,19 +1150,16 @@ int hidp_del_connection(struct hidp_conndel_req *req)
1134		1150
1135	int hidp_get_connlist(struct hidp_connlist_req *req)	1151	int hidp_get_connlist(struct hidp_connlist_req *req)
1136	{	1152	{
1137	struct list_head *p;	1153	struct hidp_session *session;
1138	int err = 0, n = 0;	1154	int err = 0, n = 0;
1139		1155
1140	BT_DBG("");	1156	BT_DBG("");
1141		1157
1142	down_read(&hidp_session_sem);	1158	down_read(&hidp_session_sem);
1143		1159
1144	list_for_each(p, &hidp_session_list) {	1160	list_for_each_entry(session, &hidp_session_list, list) {
1145	struct hidp_session *session;
1146	struct hidp_conninfo ci;	1161	struct hidp_conninfo ci;
1147		1162
1148	session = list_entry(p, struct hidp_session, list);
1149
1150	__hidp_copy_session(session, &ci);	1163	__hidp_copy_session(session, &ci);
1151		1164
1152	if (copy_to_user(req->ci, &ci, sizeof(ci))) {	1165	if (copy_to_user(req->ci, &ci, sizeof(ci))) {