aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJohn W. Linville <linville@tuxdriver.com>2012-01-03 15:16:34 -0500
committerJohn W. Linville <linville@tuxdriver.com>2012-01-03 15:16:34 -0500
commit57adc1fcbae2c13104ce291b40f23e40a414fa87 (patch)
treea22d95cd3a96cbd515cd24fb0833739576c5e92f /net
parentfaa85aa24286a9e14ae7cc797352350c3ac39986 (diff)
parentdc0d633e35643662f27a0b1c531da3cd6b204b9c (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem
Conflicts: drivers/net/wireless/b43/dma.c drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/Kconfig37
-rw-r--r--net/bluetooth/Makefile5
-rw-r--r--net/bluetooth/af_bluetooth.c11
-rw-r--r--net/bluetooth/bnep/Kconfig2
-rw-r--r--net/bluetooth/cmtp/Kconfig2
-rw-r--r--net/bluetooth/hci_conn.c139
-rw-r--r--net/bluetooth/hci_core.c325
-rw-r--r--net/bluetooth/hci_event.c127
-rw-r--r--net/bluetooth/hci_sock.c21
-rw-r--r--net/bluetooth/hci_sysfs.c91
-rw-r--r--net/bluetooth/hidp/Kconfig2
-rw-r--r--net/bluetooth/hidp/core.c4
-rw-r--r--net/bluetooth/l2cap_core.c434
-rw-r--r--net/bluetooth/l2cap_sock.c62
-rw-r--r--net/bluetooth/mgmt.c706
-rw-r--r--net/bluetooth/rfcomm/Kconfig2
-rw-r--r--net/bluetooth/rfcomm/core.c41
-rw-r--r--net/bluetooth/sco.c42
-rw-r--r--net/bluetooth/smp.c235
-rw-r--r--net/mac80211/agg-tx.c19
-rw-r--r--net/mac80211/cfg.c4
-rw-r--r--net/mac80211/mlme.c8
-rw-r--r--net/mac80211/rx.c65
-rw-r--r--net/mac80211/sta_info.c12
-rw-r--r--net/mac80211/sta_info.h8
-rw-r--r--net/nfc/llcp/llcp.c6
-rw-r--r--net/nfc/nfc.h4
-rw-r--r--net/wireless/nl80211.c3
28 files changed, 1282 insertions, 1135 deletions
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index bfb3dc03c9de..9ec85eb8853d 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -6,7 +6,11 @@ menuconfig BT
6 tristate "Bluetooth subsystem support" 6 tristate "Bluetooth subsystem support"
7 depends on NET && !S390 7 depends on NET && !S390
8 depends on RFKILL || !RFKILL 8 depends on RFKILL || !RFKILL
9 select CRC16
9 select CRYPTO 10 select CRYPTO
11 select CRYPTO_BLKCIPHER
12 select CRYPTO_AES
13 select CRYPTO_ECB
10 help 14 help
11 Bluetooth is low-cost, low-power, short-range wireless technology. 15 Bluetooth is low-cost, low-power, short-range wireless technology.
12 It was designed as a replacement for cables and other short-range 16 It was designed as a replacement for cables and other short-range
@@ -15,10 +19,12 @@ menuconfig BT
15 Bluetooth can be found at <http://www.bluetooth.com/>. 19 Bluetooth can be found at <http://www.bluetooth.com/>.
16 20
17 Linux Bluetooth subsystem consist of several layers: 21 Linux Bluetooth subsystem consist of several layers:
18 Bluetooth Core (HCI device and connection manager, scheduler) 22 Bluetooth Core
23 HCI device and connection manager, scheduler
24 SCO audio links
25 L2CAP (Logical Link Control and Adaptation Protocol)
26 SMP (Security Manager Protocol) on LE (Low Energy) links
19 HCI Device drivers (Interface to the hardware) 27 HCI Device drivers (Interface to the hardware)
20 SCO Module (SCO audio links)
21 L2CAP Module (Logical Link Control and Adaptation Protocol)
22 RFCOMM Module (RFCOMM Protocol) 28 RFCOMM Module (RFCOMM Protocol)
23 BNEP Module (Bluetooth Network Encapsulation Protocol) 29 BNEP Module (Bluetooth Network Encapsulation Protocol)
24 CMTP Module (CAPI Message Transport Protocol) 30 CMTP Module (CAPI Message Transport Protocol)
@@ -33,31 +39,6 @@ menuconfig BT
33 to Bluetooth kernel modules are provided in the BlueZ packages. For 39 to Bluetooth kernel modules are provided in the BlueZ packages. For
34 more information, see <http://www.bluez.org/>. 40 more information, see <http://www.bluez.org/>.
35 41
36if BT != n
37
38config BT_L2CAP
39 bool "L2CAP protocol support"
40 select CRC16
41 select CRYPTO
42 select CRYPTO_BLKCIPHER
43 select CRYPTO_AES
44 select CRYPTO_ECB
45 help
46 L2CAP (Logical Link Control and Adaptation Protocol) provides
47 connection oriented and connection-less data transport. L2CAP
48 support is required for most Bluetooth applications.
49
50 Also included is support for SMP (Security Manager Protocol) which
51 is the security layer on top of LE (Low Energy) links.
52
53config BT_SCO
54 bool "SCO links support"
55 help
56 SCO link provides voice transport over Bluetooth. SCO support is
57 required for voice applications like Headset and Audio.
58
59endif
60
61source "net/bluetooth/rfcomm/Kconfig" 42source "net/bluetooth/rfcomm/Kconfig"
62 43
63source "net/bluetooth/bnep/Kconfig" 44source "net/bluetooth/bnep/Kconfig"
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index 9b67f3d08fa4..2dc5a5700f53 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -8,6 +8,5 @@ obj-$(CONFIG_BT_BNEP) += bnep/
8obj-$(CONFIG_BT_CMTP) += cmtp/ 8obj-$(CONFIG_BT_CMTP) += cmtp/
9obj-$(CONFIG_BT_HIDP) += hidp/ 9obj-$(CONFIG_BT_HIDP) += hidp/
10 10
11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o 11bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o \
12bluetooth-$(CONFIG_BT_L2CAP) += l2cap_core.o l2cap_sock.o smp.o 12 hci_sock.o hci_sysfs.o l2cap_core.o l2cap_sock.o smp.o sco.o lib.o
13bluetooth-$(CONFIG_BT_SCO) += sco.o
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 062124cd89cf..cdcfcabb34ab 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -199,15 +199,14 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
199 199
200 BT_DBG("parent %p", parent); 200 BT_DBG("parent %p", parent);
201 201
202 local_bh_disable();
203 list_for_each_safe(p, n, &bt_sk(parent)->accept_q) { 202 list_for_each_safe(p, n, &bt_sk(parent)->accept_q) {
204 sk = (struct sock *) list_entry(p, struct bt_sock, accept_q); 203 sk = (struct sock *) list_entry(p, struct bt_sock, accept_q);
205 204
206 bh_lock_sock(sk); 205 lock_sock(sk);
207 206
208 /* FIXME: Is this check still needed */ 207 /* FIXME: Is this check still needed */
209 if (sk->sk_state == BT_CLOSED) { 208 if (sk->sk_state == BT_CLOSED) {
210 bh_unlock_sock(sk); 209 release_sock(sk);
211 bt_accept_unlink(sk); 210 bt_accept_unlink(sk);
212 continue; 211 continue;
213 } 212 }
@@ -218,14 +217,12 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
218 if (newsock) 217 if (newsock)
219 sock_graft(sk, newsock); 218 sock_graft(sk, newsock);
220 219
221 bh_unlock_sock(sk); 220 release_sock(sk);
222 local_bh_enable();
223 return sk; 221 return sk;
224 } 222 }
225 223
226 bh_unlock_sock(sk); 224 release_sock(sk);
227 } 225 }
228 local_bh_enable();
229 226
230 return NULL; 227 return NULL;
231} 228}
diff --git a/net/bluetooth/bnep/Kconfig b/net/bluetooth/bnep/Kconfig
index 35158b036d54..71791fc9f6b1 100644
--- a/net/bluetooth/bnep/Kconfig
+++ b/net/bluetooth/bnep/Kconfig
@@ -1,6 +1,6 @@
1config BT_BNEP 1config BT_BNEP
2 tristate "BNEP protocol support" 2 tristate "BNEP protocol support"
3 depends on BT && BT_L2CAP 3 depends on BT
4 select CRC32 4 select CRC32
5 help 5 help
6 BNEP (Bluetooth Network Encapsulation Protocol) is Ethernet 6 BNEP (Bluetooth Network Encapsulation Protocol) is Ethernet
diff --git a/net/bluetooth/cmtp/Kconfig b/net/bluetooth/cmtp/Kconfig
index d6b0382f6f3a..94cbf42ce155 100644
--- a/net/bluetooth/cmtp/Kconfig
+++ b/net/bluetooth/cmtp/Kconfig
@@ -1,6 +1,6 @@
1config BT_CMTP 1config BT_CMTP
2 tristate "CMTP protocol support" 2 tristate "CMTP protocol support"
3 depends on BT && BT_L2CAP && ISDN_CAPI 3 depends on BT && ISDN_CAPI
4 help 4 help
5 CMTP (CAPI Message Transport Protocol) is a transport layer 5 CMTP (CAPI Message Transport Protocol) is a transport layer
6 for CAPI messages. CMTP is required for the Bluetooth Common 6 for CAPI messages. CMTP is required for the Bluetooth Common
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 3fa08dda825e..3db432473ad5 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -275,9 +275,10 @@ void hci_sco_setup(struct hci_conn *conn, __u8 status)
275 } 275 }
276} 276}
277 277
278static void hci_conn_timeout(unsigned long arg) 278static void hci_conn_timeout(struct work_struct *work)
279{ 279{
280 struct hci_conn *conn = (void *) arg; 280 struct hci_conn *conn = container_of(work, struct hci_conn,
281 disc_work.work);
281 struct hci_dev *hdev = conn->hdev; 282 struct hci_dev *hdev = conn->hdev;
282 __u8 reason; 283 __u8 reason;
283 284
@@ -311,6 +312,42 @@ static void hci_conn_timeout(unsigned long arg)
311 hci_dev_unlock(hdev); 312 hci_dev_unlock(hdev);
312} 313}
313 314
315/* Enter sniff mode */
316static void hci_conn_enter_sniff_mode(struct hci_conn *conn)
317{
318 struct hci_dev *hdev = conn->hdev;
319
320 BT_DBG("conn %p mode %d", conn, conn->mode);
321
322 if (test_bit(HCI_RAW, &hdev->flags))
323 return;
324
325 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
326 return;
327
328 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
329 return;
330
331 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
332 struct hci_cp_sniff_subrate cp;
333 cp.handle = cpu_to_le16(conn->handle);
334 cp.max_latency = cpu_to_le16(0);
335 cp.min_remote_timeout = cpu_to_le16(0);
336 cp.min_local_timeout = cpu_to_le16(0);
337 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
338 }
339
340 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) {
341 struct hci_cp_sniff_mode cp;
342 cp.handle = cpu_to_le16(conn->handle);
343 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
344 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
345 cp.attempt = cpu_to_le16(4);
346 cp.timeout = cpu_to_le16(1);
347 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
348 }
349}
350
314static void hci_conn_idle(unsigned long arg) 351static void hci_conn_idle(unsigned long arg)
315{ 352{
316 struct hci_conn *conn = (void *) arg; 353 struct hci_conn *conn = (void *) arg;
@@ -325,12 +362,8 @@ static void hci_conn_auto_accept(unsigned long arg)
325 struct hci_conn *conn = (void *) arg; 362 struct hci_conn *conn = (void *) arg;
326 struct hci_dev *hdev = conn->hdev; 363 struct hci_dev *hdev = conn->hdev;
327 364
328 hci_dev_lock(hdev);
329
330 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst), 365 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
331 &conn->dst); 366 &conn->dst);
332
333 hci_dev_unlock(hdev);
334} 367}
335 368
336struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst) 369struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
@@ -374,9 +407,9 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
374 407
375 skb_queue_head_init(&conn->data_q); 408 skb_queue_head_init(&conn->data_q);
376 409
377 hci_chan_hash_init(conn); 410 INIT_LIST_HEAD(&conn->chan_list);;
378 411
379 setup_timer(&conn->disc_timer, hci_conn_timeout, (unsigned long)conn); 412 INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
380 setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn); 413 setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn);
381 setup_timer(&conn->auto_accept_timer, hci_conn_auto_accept, 414 setup_timer(&conn->auto_accept_timer, hci_conn_auto_accept,
382 (unsigned long) conn); 415 (unsigned long) conn);
@@ -385,8 +418,6 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
385 418
386 hci_dev_hold(hdev); 419 hci_dev_hold(hdev);
387 420
388 tasklet_disable(&hdev->tx_task);
389
390 hci_conn_hash_add(hdev, conn); 421 hci_conn_hash_add(hdev, conn);
391 if (hdev->notify) 422 if (hdev->notify)
392 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 423 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
@@ -395,8 +426,6 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
395 426
396 hci_conn_init_sysfs(conn); 427 hci_conn_init_sysfs(conn);
397 428
398 tasklet_enable(&hdev->tx_task);
399
400 return conn; 429 return conn;
401} 430}
402 431
@@ -408,7 +437,7 @@ int hci_conn_del(struct hci_conn *conn)
408 437
409 del_timer(&conn->idle_timer); 438 del_timer(&conn->idle_timer);
410 439
411 del_timer(&conn->disc_timer); 440 cancel_delayed_work_sync(&conn->disc_work);
412 441
413 del_timer(&conn->auto_accept_timer); 442 del_timer(&conn->auto_accept_timer);
414 443
@@ -432,16 +461,13 @@ int hci_conn_del(struct hci_conn *conn)
432 } 461 }
433 } 462 }
434 463
435 tasklet_disable(&hdev->tx_task);
436 464
437 hci_chan_hash_flush(conn); 465 hci_chan_list_flush(conn);
438 466
439 hci_conn_hash_del(hdev, conn); 467 hci_conn_hash_del(hdev, conn);
440 if (hdev->notify) 468 if (hdev->notify)
441 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL); 469 hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
442 470
443 tasklet_enable(&hdev->tx_task);
444
445 skb_queue_purge(&conn->data_q); 471 skb_queue_purge(&conn->data_q);
446 472
447 hci_conn_put_device(conn); 473 hci_conn_put_device(conn);
@@ -461,7 +487,7 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
461 487
462 BT_DBG("%s -> %s", batostr(src), batostr(dst)); 488 BT_DBG("%s -> %s", batostr(src), batostr(dst));
463 489
464 read_lock_bh(&hci_dev_list_lock); 490 read_lock(&hci_dev_list_lock);
465 491
466 list_for_each_entry(d, &hci_dev_list, list) { 492 list_for_each_entry(d, &hci_dev_list, list) {
467 if (!test_bit(HCI_UP, &d->flags) || test_bit(HCI_RAW, &d->flags)) 493 if (!test_bit(HCI_UP, &d->flags) || test_bit(HCI_RAW, &d->flags))
@@ -486,7 +512,7 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
486 if (hdev) 512 if (hdev)
487 hdev = hci_dev_hold(hdev); 513 hdev = hci_dev_hold(hdev);
488 514
489 read_unlock_bh(&hci_dev_list_lock); 515 read_unlock(&hci_dev_list_lock);
490 return hdev; 516 return hdev;
491} 517}
492EXPORT_SYMBOL(hci_get_route); 518EXPORT_SYMBOL(hci_get_route);
@@ -767,57 +793,15 @@ timer:
767 jiffies + msecs_to_jiffies(hdev->idle_timeout)); 793 jiffies + msecs_to_jiffies(hdev->idle_timeout));
768} 794}
769 795
770/* Enter sniff mode */
771void hci_conn_enter_sniff_mode(struct hci_conn *conn)
772{
773 struct hci_dev *hdev = conn->hdev;
774
775 BT_DBG("conn %p mode %d", conn, conn->mode);
776
777 if (test_bit(HCI_RAW, &hdev->flags))
778 return;
779
780 if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
781 return;
782
783 if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
784 return;
785
786 if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
787 struct hci_cp_sniff_subrate cp;
788 cp.handle = cpu_to_le16(conn->handle);
789 cp.max_latency = cpu_to_le16(0);
790 cp.min_remote_timeout = cpu_to_le16(0);
791 cp.min_local_timeout = cpu_to_le16(0);
792 hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
793 }
794
795 if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) {
796 struct hci_cp_sniff_mode cp;
797 cp.handle = cpu_to_le16(conn->handle);
798 cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
799 cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
800 cp.attempt = cpu_to_le16(4);
801 cp.timeout = cpu_to_le16(1);
802 hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
803 }
804}
805
806/* Drop all connection on the device */ 796/* Drop all connection on the device */
807void hci_conn_hash_flush(struct hci_dev *hdev) 797void hci_conn_hash_flush(struct hci_dev *hdev)
808{ 798{
809 struct hci_conn_hash *h = &hdev->conn_hash; 799 struct hci_conn_hash *h = &hdev->conn_hash;
810 struct list_head *p; 800 struct hci_conn *c;
811 801
812 BT_DBG("hdev %s", hdev->name); 802 BT_DBG("hdev %s", hdev->name);
813 803
814 p = h->list.next; 804 list_for_each_entry_rcu(c, &h->list, list) {
815 while (p != &h->list) {
816 struct hci_conn *c;
817
818 c = list_entry(p, struct hci_conn, list);
819 p = p->next;
820
821 c->state = BT_CLOSED; 805 c->state = BT_CLOSED;
822 806
823 hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM); 807 hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
@@ -882,7 +866,7 @@ int hci_get_conn_list(void __user *arg)
882 866
883 ci = cl->conn_info; 867 ci = cl->conn_info;
884 868
885 hci_dev_lock_bh(hdev); 869 hci_dev_lock(hdev);
886 list_for_each_entry(c, &hdev->conn_hash.list, list) { 870 list_for_each_entry(c, &hdev->conn_hash.list, list) {
887 bacpy(&(ci + n)->bdaddr, &c->dst); 871 bacpy(&(ci + n)->bdaddr, &c->dst);
888 (ci + n)->handle = c->handle; 872 (ci + n)->handle = c->handle;
@@ -893,7 +877,7 @@ int hci_get_conn_list(void __user *arg)
893 if (++n >= req.conn_num) 877 if (++n >= req.conn_num)
894 break; 878 break;
895 } 879 }
896 hci_dev_unlock_bh(hdev); 880 hci_dev_unlock(hdev);
897 881
898 cl->dev_id = hdev->id; 882 cl->dev_id = hdev->id;
899 cl->conn_num = n; 883 cl->conn_num = n;
@@ -917,7 +901,7 @@ int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
917 if (copy_from_user(&req, arg, sizeof(req))) 901 if (copy_from_user(&req, arg, sizeof(req)))
918 return -EFAULT; 902 return -EFAULT;
919 903
920 hci_dev_lock_bh(hdev); 904 hci_dev_lock(hdev);
921 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr); 905 conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
922 if (conn) { 906 if (conn) {
923 bacpy(&ci.bdaddr, &conn->dst); 907 bacpy(&ci.bdaddr, &conn->dst);
@@ -927,7 +911,7 @@ int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
927 ci.state = conn->state; 911 ci.state = conn->state;
928 ci.link_mode = conn->link_mode; 912 ci.link_mode = conn->link_mode;
929 } 913 }
930 hci_dev_unlock_bh(hdev); 914 hci_dev_unlock(hdev);
931 915
932 if (!conn) 916 if (!conn)
933 return -ENOENT; 917 return -ENOENT;
@@ -943,11 +927,11 @@ int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
943 if (copy_from_user(&req, arg, sizeof(req))) 927 if (copy_from_user(&req, arg, sizeof(req)))
944 return -EFAULT; 928 return -EFAULT;
945 929
946 hci_dev_lock_bh(hdev); 930 hci_dev_lock(hdev);
947 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr); 931 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
948 if (conn) 932 if (conn)
949 req.type = conn->auth_type; 933 req.type = conn->auth_type;
950 hci_dev_unlock_bh(hdev); 934 hci_dev_unlock(hdev);
951 935
952 if (!conn) 936 if (!conn)
953 return -ENOENT; 937 return -ENOENT;
@@ -969,9 +953,7 @@ struct hci_chan *hci_chan_create(struct hci_conn *conn)
969 chan->conn = conn; 953 chan->conn = conn;
970 skb_queue_head_init(&chan->data_q); 954 skb_queue_head_init(&chan->data_q);
971 955
972 tasklet_disable(&hdev->tx_task); 956 list_add_rcu(&chan->list, &conn->chan_list);
973 hci_chan_hash_add(conn, chan);
974 tasklet_enable(&hdev->tx_task);
975 957
976 return chan; 958 return chan;
977} 959}
@@ -983,9 +965,9 @@ int hci_chan_del(struct hci_chan *chan)
983 965
984 BT_DBG("%s conn %p chan %p", hdev->name, conn, chan); 966 BT_DBG("%s conn %p chan %p", hdev->name, conn, chan);
985 967
986 tasklet_disable(&hdev->tx_task); 968 list_del_rcu(&chan->list);
987 hci_chan_hash_del(conn, chan); 969
988 tasklet_enable(&hdev->tx_task); 970 synchronize_rcu();
989 971
990 skb_queue_purge(&chan->data_q); 972 skb_queue_purge(&chan->data_q);
991 kfree(chan); 973 kfree(chan);
@@ -993,13 +975,12 @@ int hci_chan_del(struct hci_chan *chan)
993 return 0; 975 return 0;
994} 976}
995 977
996void hci_chan_hash_flush(struct hci_conn *conn) 978void hci_chan_list_flush(struct hci_conn *conn)
997{ 979{
998 struct hci_chan_hash *h = &conn->chan_hash; 980 struct hci_chan *chan;
999 struct hci_chan *chan, *tmp;
1000 981
1001 BT_DBG("conn %p", conn); 982 BT_DBG("conn %p", conn);
1002 983
1003 list_for_each_entry_safe(chan, tmp, &h->list, list) 984 list_for_each_entry_rcu(chan, &conn->chan_list, list)
1004 hci_chan_del(chan); 985 hci_chan_del(chan);
1005} 986}
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index ce3727ecc0c4..6d38d80195cb 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1,6 +1,7 @@
1/* 1/*
2 BlueZ - Bluetooth protocol stack for Linux 2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated 3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
4 5
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 7
@@ -56,11 +57,9 @@
56 57
57int enable_hs; 58int enable_hs;
58 59
59static void hci_cmd_task(unsigned long arg); 60static void hci_rx_work(struct work_struct *work);
60static void hci_rx_task(unsigned long arg); 61static void hci_cmd_work(struct work_struct *work);
61static void hci_tx_task(unsigned long arg); 62static void hci_tx_work(struct work_struct *work);
62
63static DEFINE_RWLOCK(hci_task_lock);
64 63
65/* HCI device list */ 64/* HCI device list */
66LIST_HEAD(hci_dev_list); 65LIST_HEAD(hci_dev_list);
@@ -70,10 +69,6 @@ DEFINE_RWLOCK(hci_dev_list_lock);
70LIST_HEAD(hci_cb_list); 69LIST_HEAD(hci_cb_list);
71DEFINE_RWLOCK(hci_cb_list_lock); 70DEFINE_RWLOCK(hci_cb_list_lock);
72 71
73/* HCI protocols */
74#define HCI_MAX_PROTO 2
75struct hci_proto *hci_proto[HCI_MAX_PROTO];
76
77/* HCI notifiers list */ 72/* HCI notifiers list */
78static ATOMIC_NOTIFIER_HEAD(hci_notifier); 73static ATOMIC_NOTIFIER_HEAD(hci_notifier);
79 74
@@ -192,33 +187,20 @@ static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
192 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL); 187 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
193} 188}
194 189
195static void hci_init_req(struct hci_dev *hdev, unsigned long opt) 190static void bredr_init(struct hci_dev *hdev)
196{ 191{
197 struct hci_cp_delete_stored_link_key cp; 192 struct hci_cp_delete_stored_link_key cp;
198 struct sk_buff *skb;
199 __le16 param; 193 __le16 param;
200 __u8 flt_type; 194 __u8 flt_type;
201 195
202 BT_DBG("%s %ld", hdev->name, opt); 196 hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
203
204 /* Driver initialization */
205
206 /* Special commands */
207 while ((skb = skb_dequeue(&hdev->driver_init))) {
208 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
209 skb->dev = (void *) hdev;
210
211 skb_queue_tail(&hdev->cmd_q, skb);
212 tasklet_schedule(&hdev->cmd_task);
213 }
214 skb_queue_purge(&hdev->driver_init);
215 197
216 /* Mandatory initialization */ 198 /* Mandatory initialization */
217 199
218 /* Reset */ 200 /* Reset */
219 if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) { 201 if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
220 set_bit(HCI_RESET, &hdev->flags); 202 set_bit(HCI_RESET, &hdev->flags);
221 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL); 203 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
222 } 204 }
223 205
224 /* Read Local Supported Features */ 206 /* Read Local Supported Features */
@@ -257,6 +239,51 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
257 hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp); 239 hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
258} 240}
259 241
242static void amp_init(struct hci_dev *hdev)
243{
244 hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
245
246 /* Reset */
247 hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
248
249 /* Read Local Version */
250 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
251}
252
253static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
254{
255 struct sk_buff *skb;
256
257 BT_DBG("%s %ld", hdev->name, opt);
258
259 /* Driver initialization */
260
261 /* Special commands */
262 while ((skb = skb_dequeue(&hdev->driver_init))) {
263 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
264 skb->dev = (void *) hdev;
265
266 skb_queue_tail(&hdev->cmd_q, skb);
267 queue_work(hdev->workqueue, &hdev->cmd_work);
268 }
269 skb_queue_purge(&hdev->driver_init);
270
271 switch (hdev->dev_type) {
272 case HCI_BREDR:
273 bredr_init(hdev);
274 break;
275
276 case HCI_AMP:
277 amp_init(hdev);
278 break;
279
280 default:
281 BT_ERR("Unknown device type %d", hdev->dev_type);
282 break;
283 }
284
285}
286
260static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt) 287static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt)
261{ 288{
262 BT_DBG("%s", hdev->name); 289 BT_DBG("%s", hdev->name);
@@ -433,14 +460,14 @@ int hci_inquiry(void __user *arg)
433 if (!hdev) 460 if (!hdev)
434 return -ENODEV; 461 return -ENODEV;
435 462
436 hci_dev_lock_bh(hdev); 463 hci_dev_lock(hdev);
437 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || 464 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
438 inquiry_cache_empty(hdev) || 465 inquiry_cache_empty(hdev) ||
439 ir.flags & IREQ_CACHE_FLUSH) { 466 ir.flags & IREQ_CACHE_FLUSH) {
440 inquiry_cache_flush(hdev); 467 inquiry_cache_flush(hdev);
441 do_inquiry = 1; 468 do_inquiry = 1;
442 } 469 }
443 hci_dev_unlock_bh(hdev); 470 hci_dev_unlock(hdev);
444 471
445 timeo = ir.length * msecs_to_jiffies(2000); 472 timeo = ir.length * msecs_to_jiffies(2000);
446 473
@@ -462,9 +489,9 @@ int hci_inquiry(void __user *arg)
462 goto done; 489 goto done;
463 } 490 }
464 491
465 hci_dev_lock_bh(hdev); 492 hci_dev_lock(hdev);
466 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf); 493 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
467 hci_dev_unlock_bh(hdev); 494 hci_dev_unlock(hdev);
468 495
469 BT_DBG("num_rsp %d", ir.num_rsp); 496 BT_DBG("num_rsp %d", ir.num_rsp);
470 497
@@ -541,15 +568,15 @@ int hci_dev_open(__u16 dev)
541 set_bit(HCI_UP, &hdev->flags); 568 set_bit(HCI_UP, &hdev->flags);
542 hci_notify(hdev, HCI_DEV_UP); 569 hci_notify(hdev, HCI_DEV_UP);
543 if (!test_bit(HCI_SETUP, &hdev->flags)) { 570 if (!test_bit(HCI_SETUP, &hdev->flags)) {
544 hci_dev_lock_bh(hdev); 571 hci_dev_lock(hdev);
545 mgmt_powered(hdev, 1); 572 mgmt_powered(hdev, 1);
546 hci_dev_unlock_bh(hdev); 573 hci_dev_unlock(hdev);
547 } 574 }
548 } else { 575 } else {
549 /* Init failed, cleanup */ 576 /* Init failed, cleanup */
550 tasklet_kill(&hdev->rx_task); 577 flush_work(&hdev->tx_work);
551 tasklet_kill(&hdev->tx_task); 578 flush_work(&hdev->cmd_work);
552 tasklet_kill(&hdev->cmd_task); 579 flush_work(&hdev->rx_work);
553 580
554 skb_queue_purge(&hdev->cmd_q); 581 skb_queue_purge(&hdev->cmd_q);
555 skb_queue_purge(&hdev->rx_q); 582 skb_queue_purge(&hdev->rx_q);
@@ -585,9 +612,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
585 return 0; 612 return 0;
586 } 613 }
587 614
588 /* Kill RX and TX tasks */ 615 /* Flush RX and TX works */
589 tasklet_kill(&hdev->rx_task); 616 flush_work(&hdev->tx_work);
590 tasklet_kill(&hdev->tx_task); 617 flush_work(&hdev->rx_work);
591 618
592 if (hdev->discov_timeout > 0) { 619 if (hdev->discov_timeout > 0) {
593 cancel_delayed_work(&hdev->discov_off); 620 cancel_delayed_work(&hdev->discov_off);
@@ -597,10 +624,13 @@ static int hci_dev_do_close(struct hci_dev *hdev)
597 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags)) 624 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags))
598 cancel_delayed_work(&hdev->power_off); 625 cancel_delayed_work(&hdev->power_off);
599 626
600 hci_dev_lock_bh(hdev); 627 if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->flags))
628 cancel_delayed_work(&hdev->service_cache);
629
630 hci_dev_lock(hdev);
601 inquiry_cache_flush(hdev); 631 inquiry_cache_flush(hdev);
602 hci_conn_hash_flush(hdev); 632 hci_conn_hash_flush(hdev);
603 hci_dev_unlock_bh(hdev); 633 hci_dev_unlock(hdev);
604 634
605 hci_notify(hdev, HCI_DEV_DOWN); 635 hci_notify(hdev, HCI_DEV_DOWN);
606 636
@@ -617,8 +647,8 @@ static int hci_dev_do_close(struct hci_dev *hdev)
617 clear_bit(HCI_INIT, &hdev->flags); 647 clear_bit(HCI_INIT, &hdev->flags);
618 } 648 }
619 649
620 /* Kill cmd task */ 650 /* flush cmd work */
621 tasklet_kill(&hdev->cmd_task); 651 flush_work(&hdev->cmd_work);
622 652
623 /* Drop queues */ 653 /* Drop queues */
624 skb_queue_purge(&hdev->rx_q); 654 skb_queue_purge(&hdev->rx_q);
@@ -636,9 +666,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
636 * and no tasks are scheduled. */ 666 * and no tasks are scheduled. */
637 hdev->close(hdev); 667 hdev->close(hdev);
638 668
639 hci_dev_lock_bh(hdev); 669 hci_dev_lock(hdev);
640 mgmt_powered(hdev, 0); 670 mgmt_powered(hdev, 0);
641 hci_dev_unlock_bh(hdev); 671 hci_dev_unlock(hdev);
642 672
643 /* Clear flags */ 673 /* Clear flags */
644 hdev->flags = 0; 674 hdev->flags = 0;
@@ -672,7 +702,6 @@ int hci_dev_reset(__u16 dev)
672 return -ENODEV; 702 return -ENODEV;
673 703
674 hci_req_lock(hdev); 704 hci_req_lock(hdev);
675 tasklet_disable(&hdev->tx_task);
676 705
677 if (!test_bit(HCI_UP, &hdev->flags)) 706 if (!test_bit(HCI_UP, &hdev->flags))
678 goto done; 707 goto done;
@@ -681,10 +710,10 @@ int hci_dev_reset(__u16 dev)
681 skb_queue_purge(&hdev->rx_q); 710 skb_queue_purge(&hdev->rx_q);
682 skb_queue_purge(&hdev->cmd_q); 711 skb_queue_purge(&hdev->cmd_q);
683 712
684 hci_dev_lock_bh(hdev); 713 hci_dev_lock(hdev);
685 inquiry_cache_flush(hdev); 714 inquiry_cache_flush(hdev);
686 hci_conn_hash_flush(hdev); 715 hci_conn_hash_flush(hdev);
687 hci_dev_unlock_bh(hdev); 716 hci_dev_unlock(hdev);
688 717
689 if (hdev->flush) 718 if (hdev->flush)
690 hdev->flush(hdev); 719 hdev->flush(hdev);
@@ -697,7 +726,6 @@ int hci_dev_reset(__u16 dev)
697 msecs_to_jiffies(HCI_INIT_TIMEOUT)); 726 msecs_to_jiffies(HCI_INIT_TIMEOUT));
698 727
699done: 728done:
700 tasklet_enable(&hdev->tx_task);
701 hci_req_unlock(hdev); 729 hci_req_unlock(hdev);
702 hci_dev_put(hdev); 730 hci_dev_put(hdev);
703 return ret; 731 return ret;
@@ -816,7 +844,7 @@ int hci_get_dev_list(void __user *arg)
816 844
817 dr = dl->dev_req; 845 dr = dl->dev_req;
818 846
819 read_lock_bh(&hci_dev_list_lock); 847 read_lock(&hci_dev_list_lock);
820 list_for_each_entry(hdev, &hci_dev_list, list) { 848 list_for_each_entry(hdev, &hci_dev_list, list) {
821 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags)) 849 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags))
822 cancel_delayed_work(&hdev->power_off); 850 cancel_delayed_work(&hdev->power_off);
@@ -830,7 +858,7 @@ int hci_get_dev_list(void __user *arg)
830 if (++n >= dev_num) 858 if (++n >= dev_num)
831 break; 859 break;
832 } 860 }
833 read_unlock_bh(&hci_dev_list_lock); 861 read_unlock(&hci_dev_list_lock);
834 862
835 dl->dev_num = n; 863 dl->dev_num = n;
836 size = sizeof(*dl) + n * sizeof(*dr); 864 size = sizeof(*dl) + n * sizeof(*dr);
@@ -939,7 +967,7 @@ static void hci_power_on(struct work_struct *work)
939 return; 967 return;
940 968
941 if (test_bit(HCI_AUTO_OFF, &hdev->flags)) 969 if (test_bit(HCI_AUTO_OFF, &hdev->flags))
942 queue_delayed_work(hdev->workqueue, &hdev->power_off, 970 schedule_delayed_work(&hdev->power_off,
943 msecs_to_jiffies(AUTO_OFF_TIMEOUT)); 971 msecs_to_jiffies(AUTO_OFF_TIMEOUT));
944 972
945 if (test_and_clear_bit(HCI_SETUP, &hdev->flags)) 973 if (test_and_clear_bit(HCI_SETUP, &hdev->flags))
@@ -967,13 +995,13 @@ static void hci_discov_off(struct work_struct *work)
967 995
968 BT_DBG("%s", hdev->name); 996 BT_DBG("%s", hdev->name);
969 997
970 hci_dev_lock_bh(hdev); 998 hci_dev_lock(hdev);
971 999
972 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan); 1000 hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
973 1001
974 hdev->discov_timeout = 0; 1002 hdev->discov_timeout = 0;
975 1003
976 hci_dev_unlock_bh(hdev); 1004 hci_dev_unlock(hdev);
977} 1005}
978 1006
979int hci_uuids_clear(struct hci_dev *hdev) 1007int hci_uuids_clear(struct hci_dev *hdev)
@@ -1207,7 +1235,7 @@ static void hci_cmd_timer(unsigned long arg)
1207 1235
1208 BT_ERR("%s command tx timeout", hdev->name); 1236 BT_ERR("%s command tx timeout", hdev->name);
1209 atomic_set(&hdev->cmd_cnt, 1); 1237 atomic_set(&hdev->cmd_cnt, 1);
1210 tasklet_schedule(&hdev->cmd_task); 1238 queue_work(hdev->workqueue, &hdev->cmd_work);
1211} 1239}
1212 1240
1213struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev, 1241struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
@@ -1340,9 +1368,10 @@ int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr)
1340 return mgmt_device_unblocked(hdev, bdaddr); 1368 return mgmt_device_unblocked(hdev, bdaddr);
1341} 1369}
1342 1370
1343static void hci_clear_adv_cache(unsigned long arg) 1371static void hci_clear_adv_cache(struct work_struct *work)
1344{ 1372{
1345 struct hci_dev *hdev = (void *) arg; 1373 struct hci_dev *hdev = container_of(work, struct hci_dev,
1374 adv_work.work);
1346 1375
1347 hci_dev_lock(hdev); 1376 hci_dev_lock(hdev);
1348 1377
@@ -1429,7 +1458,7 @@ int hci_register_dev(struct hci_dev *hdev)
1429 */ 1458 */
1430 id = (hdev->dev_type == HCI_BREDR) ? 0 : 1; 1459 id = (hdev->dev_type == HCI_BREDR) ? 0 : 1;
1431 1460
1432 write_lock_bh(&hci_dev_list_lock); 1461 write_lock(&hci_dev_list_lock);
1433 1462
1434 /* Find first available device id */ 1463 /* Find first available device id */
1435 list_for_each(p, &hci_dev_list) { 1464 list_for_each(p, &hci_dev_list) {
@@ -1443,7 +1472,7 @@ int hci_register_dev(struct hci_dev *hdev)
1443 list_add_tail(&hdev->list, head); 1472 list_add_tail(&hdev->list, head);
1444 1473
1445 atomic_set(&hdev->refcnt, 1); 1474 atomic_set(&hdev->refcnt, 1);
1446 spin_lock_init(&hdev->lock); 1475 mutex_init(&hdev->lock);
1447 1476
1448 hdev->flags = 0; 1477 hdev->flags = 0;
1449 hdev->dev_flags = 0; 1478 hdev->dev_flags = 0;
@@ -1456,9 +1485,10 @@ int hci_register_dev(struct hci_dev *hdev)
1456 hdev->sniff_max_interval = 800; 1485 hdev->sniff_max_interval = 800;
1457 hdev->sniff_min_interval = 80; 1486 hdev->sniff_min_interval = 80;
1458 1487
1459 tasklet_init(&hdev->cmd_task, hci_cmd_task, (unsigned long) hdev); 1488 INIT_WORK(&hdev->rx_work, hci_rx_work);
1460 tasklet_init(&hdev->rx_task, hci_rx_task, (unsigned long) hdev); 1489 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
1461 tasklet_init(&hdev->tx_task, hci_tx_task, (unsigned long) hdev); 1490 INIT_WORK(&hdev->tx_work, hci_tx_work);
1491
1462 1492
1463 skb_queue_head_init(&hdev->rx_q); 1493 skb_queue_head_init(&hdev->rx_q);
1464 skb_queue_head_init(&hdev->cmd_q); 1494 skb_queue_head_init(&hdev->cmd_q);
@@ -1487,9 +1517,8 @@ int hci_register_dev(struct hci_dev *hdev)
1487 INIT_LIST_HEAD(&hdev->remote_oob_data); 1517 INIT_LIST_HEAD(&hdev->remote_oob_data);
1488 1518
1489 INIT_LIST_HEAD(&hdev->adv_entries); 1519 INIT_LIST_HEAD(&hdev->adv_entries);
1490 setup_timer(&hdev->adv_timer, hci_clear_adv_cache,
1491 (unsigned long) hdev);
1492 1520
1521 INIT_DELAYED_WORK(&hdev->adv_work, hci_clear_adv_cache);
1493 INIT_WORK(&hdev->power_on, hci_power_on); 1522 INIT_WORK(&hdev->power_on, hci_power_on);
1494 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off); 1523 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
1495 1524
@@ -1499,9 +1528,10 @@ int hci_register_dev(struct hci_dev *hdev)
1499 1528
1500 atomic_set(&hdev->promisc, 0); 1529 atomic_set(&hdev->promisc, 0);
1501 1530
1502 write_unlock_bh(&hci_dev_list_lock); 1531 write_unlock(&hci_dev_list_lock);
1503 1532
1504 hdev->workqueue = create_singlethread_workqueue(hdev->name); 1533 hdev->workqueue = alloc_workqueue(hdev->name, WQ_HIGHPRI | WQ_UNBOUND |
1534 WQ_MEM_RECLAIM, 1);
1505 if (!hdev->workqueue) { 1535 if (!hdev->workqueue) {
1506 error = -ENOMEM; 1536 error = -ENOMEM;
1507 goto err; 1537 goto err;
@@ -1522,7 +1552,7 @@ int hci_register_dev(struct hci_dev *hdev)
1522 1552
1523 set_bit(HCI_AUTO_OFF, &hdev->flags); 1553 set_bit(HCI_AUTO_OFF, &hdev->flags);
1524 set_bit(HCI_SETUP, &hdev->flags); 1554 set_bit(HCI_SETUP, &hdev->flags);
1525 queue_work(hdev->workqueue, &hdev->power_on); 1555 schedule_work(&hdev->power_on);
1526 1556
1527 hci_notify(hdev, HCI_DEV_REG); 1557 hci_notify(hdev, HCI_DEV_REG);
1528 1558
@@ -1531,9 +1561,9 @@ int hci_register_dev(struct hci_dev *hdev)
1531err_wqueue: 1561err_wqueue:
1532 destroy_workqueue(hdev->workqueue); 1562 destroy_workqueue(hdev->workqueue);
1533err: 1563err:
1534 write_lock_bh(&hci_dev_list_lock); 1564 write_lock(&hci_dev_list_lock);
1535 list_del(&hdev->list); 1565 list_del(&hdev->list);
1536 write_unlock_bh(&hci_dev_list_lock); 1566 write_unlock(&hci_dev_list_lock);
1537 1567
1538 return error; 1568 return error;
1539} 1569}
@@ -1546,9 +1576,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
1546 1576
1547 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus); 1577 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
1548 1578
1549 write_lock_bh(&hci_dev_list_lock); 1579 write_lock(&hci_dev_list_lock);
1550 list_del(&hdev->list); 1580 list_del(&hdev->list);
1551 write_unlock_bh(&hci_dev_list_lock); 1581 write_unlock(&hci_dev_list_lock);
1552 1582
1553 hci_dev_do_close(hdev); 1583 hci_dev_do_close(hdev);
1554 1584
@@ -1557,9 +1587,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
1557 1587
1558 if (!test_bit(HCI_INIT, &hdev->flags) && 1588 if (!test_bit(HCI_INIT, &hdev->flags) &&
1559 !test_bit(HCI_SETUP, &hdev->flags)) { 1589 !test_bit(HCI_SETUP, &hdev->flags)) {
1560 hci_dev_lock_bh(hdev); 1590 hci_dev_lock(hdev);
1561 mgmt_index_removed(hdev); 1591 mgmt_index_removed(hdev);
1562 hci_dev_unlock_bh(hdev); 1592 hci_dev_unlock(hdev);
1563 } 1593 }
1564 1594
1565 /* mgmt_index_removed should take care of emptying the 1595 /* mgmt_index_removed should take care of emptying the
@@ -1575,17 +1605,17 @@ void hci_unregister_dev(struct hci_dev *hdev)
1575 1605
1576 hci_del_sysfs(hdev); 1606 hci_del_sysfs(hdev);
1577 1607
1578 del_timer(&hdev->adv_timer); 1608 cancel_delayed_work_sync(&hdev->adv_work);
1579 1609
1580 destroy_workqueue(hdev->workqueue); 1610 destroy_workqueue(hdev->workqueue);
1581 1611
1582 hci_dev_lock_bh(hdev); 1612 hci_dev_lock(hdev);
1583 hci_blacklist_clear(hdev); 1613 hci_blacklist_clear(hdev);
1584 hci_uuids_clear(hdev); 1614 hci_uuids_clear(hdev);
1585 hci_link_keys_clear(hdev); 1615 hci_link_keys_clear(hdev);
1586 hci_remote_oob_data_clear(hdev); 1616 hci_remote_oob_data_clear(hdev);
1587 hci_adv_entries_clear(hdev); 1617 hci_adv_entries_clear(hdev);
1588 hci_dev_unlock_bh(hdev); 1618 hci_dev_unlock(hdev);
1589 1619
1590 __hci_dev_put(hdev); 1620 __hci_dev_put(hdev);
1591} 1621}
@@ -1623,9 +1653,8 @@ int hci_recv_frame(struct sk_buff *skb)
1623 /* Time stamp */ 1653 /* Time stamp */
1624 __net_timestamp(skb); 1654 __net_timestamp(skb);
1625 1655
1626 /* Queue frame for rx task */
1627 skb_queue_tail(&hdev->rx_q, skb); 1656 skb_queue_tail(&hdev->rx_q, skb);
1628 tasklet_schedule(&hdev->rx_task); 1657 queue_work(hdev->workqueue, &hdev->rx_work);
1629 1658
1630 return 0; 1659 return 0;
1631} 1660}
@@ -1797,59 +1826,13 @@ EXPORT_SYMBOL(hci_recv_stream_fragment);
1797 1826
1798/* ---- Interface to upper protocols ---- */ 1827/* ---- Interface to upper protocols ---- */
1799 1828
1800/* Register/Unregister protocols.
1801 * hci_task_lock is used to ensure that no tasks are running. */
1802int hci_register_proto(struct hci_proto *hp)
1803{
1804 int err = 0;
1805
1806 BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1807
1808 if (hp->id >= HCI_MAX_PROTO)
1809 return -EINVAL;
1810
1811 write_lock_bh(&hci_task_lock);
1812
1813 if (!hci_proto[hp->id])
1814 hci_proto[hp->id] = hp;
1815 else
1816 err = -EEXIST;
1817
1818 write_unlock_bh(&hci_task_lock);
1819
1820 return err;
1821}
1822EXPORT_SYMBOL(hci_register_proto);
1823
1824int hci_unregister_proto(struct hci_proto *hp)
1825{
1826 int err = 0;
1827
1828 BT_DBG("%p name %s id %d", hp, hp->name, hp->id);
1829
1830 if (hp->id >= HCI_MAX_PROTO)
1831 return -EINVAL;
1832
1833 write_lock_bh(&hci_task_lock);
1834
1835 if (hci_proto[hp->id])
1836 hci_proto[hp->id] = NULL;
1837 else
1838 err = -ENOENT;
1839
1840 write_unlock_bh(&hci_task_lock);
1841
1842 return err;
1843}
1844EXPORT_SYMBOL(hci_unregister_proto);
1845
1846int hci_register_cb(struct hci_cb *cb) 1829int hci_register_cb(struct hci_cb *cb)
1847{ 1830{
1848 BT_DBG("%p name %s", cb, cb->name); 1831 BT_DBG("%p name %s", cb, cb->name);
1849 1832
1850 write_lock_bh(&hci_cb_list_lock); 1833 write_lock(&hci_cb_list_lock);
1851 list_add(&cb->list, &hci_cb_list); 1834 list_add(&cb->list, &hci_cb_list);
1852 write_unlock_bh(&hci_cb_list_lock); 1835 write_unlock(&hci_cb_list_lock);
1853 1836
1854 return 0; 1837 return 0;
1855} 1838}
@@ -1859,9 +1842,9 @@ int hci_unregister_cb(struct hci_cb *cb)
1859{ 1842{
1860 BT_DBG("%p name %s", cb, cb->name); 1843 BT_DBG("%p name %s", cb, cb->name);
1861 1844
1862 write_lock_bh(&hci_cb_list_lock); 1845 write_lock(&hci_cb_list_lock);
1863 list_del(&cb->list); 1846 list_del(&cb->list);
1864 write_unlock_bh(&hci_cb_list_lock); 1847 write_unlock(&hci_cb_list_lock);
1865 1848
1866 return 0; 1849 return 0;
1867} 1850}
@@ -1922,7 +1905,7 @@ int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
1922 hdev->init_last_cmd = opcode; 1905 hdev->init_last_cmd = opcode;
1923 1906
1924 skb_queue_tail(&hdev->cmd_q, skb); 1907 skb_queue_tail(&hdev->cmd_q, skb);
1925 tasklet_schedule(&hdev->cmd_task); 1908 queue_work(hdev->workqueue, &hdev->cmd_work);
1926 1909
1927 return 0; 1910 return 0;
1928} 1911}
@@ -1977,7 +1960,7 @@ static void hci_queue_acl(struct hci_conn *conn, struct sk_buff_head *queue,
1977 skb_shinfo(skb)->frag_list = NULL; 1960 skb_shinfo(skb)->frag_list = NULL;
1978 1961
1979 /* Queue all fragments atomically */ 1962 /* Queue all fragments atomically */
1980 spin_lock_bh(&queue->lock); 1963 spin_lock(&queue->lock);
1981 1964
1982 __skb_queue_tail(queue, skb); 1965 __skb_queue_tail(queue, skb);
1983 1966
@@ -1995,7 +1978,7 @@ static void hci_queue_acl(struct hci_conn *conn, struct sk_buff_head *queue,
1995 __skb_queue_tail(queue, skb); 1978 __skb_queue_tail(queue, skb);
1996 } while (list); 1979 } while (list);
1997 1980
1998 spin_unlock_bh(&queue->lock); 1981 spin_unlock(&queue->lock);
1999 } 1982 }
2000} 1983}
2001 1984
@@ -2012,7 +1995,7 @@ void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
2012 1995
2013 hci_queue_acl(conn, &chan->data_q, skb, flags); 1996 hci_queue_acl(conn, &chan->data_q, skb, flags);
2014 1997
2015 tasklet_schedule(&hdev->tx_task); 1998 queue_work(hdev->workqueue, &hdev->tx_work);
2016} 1999}
2017EXPORT_SYMBOL(hci_send_acl); 2000EXPORT_SYMBOL(hci_send_acl);
2018 2001
@@ -2035,7 +2018,7 @@ void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
2035 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT; 2018 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
2036 2019
2037 skb_queue_tail(&conn->data_q, skb); 2020 skb_queue_tail(&conn->data_q, skb);
2038 tasklet_schedule(&hdev->tx_task); 2021 queue_work(hdev->workqueue, &hdev->tx_work);
2039} 2022}
2040EXPORT_SYMBOL(hci_send_sco); 2023EXPORT_SYMBOL(hci_send_sco);
2041 2024
@@ -2050,7 +2033,10 @@ static inline struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, int
2050 2033
2051 /* We don't have to lock device here. Connections are always 2034 /* We don't have to lock device here. Connections are always
2052 * added and removed with TX task disabled. */ 2035 * added and removed with TX task disabled. */
2053 list_for_each_entry(c, &h->list, list) { 2036
2037 rcu_read_lock();
2038
2039 list_for_each_entry_rcu(c, &h->list, list) {
2054 if (c->type != type || skb_queue_empty(&c->data_q)) 2040 if (c->type != type || skb_queue_empty(&c->data_q))
2055 continue; 2041 continue;
2056 2042
@@ -2068,6 +2054,8 @@ static inline struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, int
2068 break; 2054 break;
2069 } 2055 }
2070 2056
2057 rcu_read_unlock();
2058
2071 if (conn) { 2059 if (conn) {
2072 int cnt, q; 2060 int cnt, q;
2073 2061
@@ -2103,14 +2091,18 @@ static inline void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
2103 2091
2104 BT_ERR("%s link tx timeout", hdev->name); 2092 BT_ERR("%s link tx timeout", hdev->name);
2105 2093
2094 rcu_read_lock();
2095
2106 /* Kill stalled connections */ 2096 /* Kill stalled connections */
2107 list_for_each_entry(c, &h->list, list) { 2097 list_for_each_entry_rcu(c, &h->list, list) {
2108 if (c->type == type && c->sent) { 2098 if (c->type == type && c->sent) {
2109 BT_ERR("%s killing stalled connection %s", 2099 BT_ERR("%s killing stalled connection %s",
2110 hdev->name, batostr(&c->dst)); 2100 hdev->name, batostr(&c->dst));
2111 hci_acl_disconn(c, 0x13); 2101 hci_acl_disconn(c, 0x13);
2112 } 2102 }
2113 } 2103 }
2104
2105 rcu_read_unlock();
2114} 2106}
2115 2107
2116static inline struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type, 2108static inline struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
@@ -2124,8 +2116,9 @@ static inline struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2124 2116
2125 BT_DBG("%s", hdev->name); 2117 BT_DBG("%s", hdev->name);
2126 2118
2127 list_for_each_entry(conn, &h->list, list) { 2119 rcu_read_lock();
2128 struct hci_chan_hash *ch; 2120
2121 list_for_each_entry_rcu(conn, &h->list, list) {
2129 struct hci_chan *tmp; 2122 struct hci_chan *tmp;
2130 2123
2131 if (conn->type != type) 2124 if (conn->type != type)
@@ -2136,9 +2129,7 @@ static inline struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2136 2129
2137 conn_num++; 2130 conn_num++;
2138 2131
2139 ch = &conn->chan_hash; 2132 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
2140
2141 list_for_each_entry(tmp, &ch->list, list) {
2142 struct sk_buff *skb; 2133 struct sk_buff *skb;
2143 2134
2144 if (skb_queue_empty(&tmp->data_q)) 2135 if (skb_queue_empty(&tmp->data_q))
@@ -2166,6 +2157,8 @@ static inline struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2166 break; 2157 break;
2167 } 2158 }
2168 2159
2160 rcu_read_unlock();
2161
2169 if (!chan) 2162 if (!chan)
2170 return NULL; 2163 return NULL;
2171 2164
@@ -2199,8 +2192,9 @@ static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
2199 2192
2200 BT_DBG("%s", hdev->name); 2193 BT_DBG("%s", hdev->name);
2201 2194
2202 list_for_each_entry(conn, &h->list, list) { 2195 rcu_read_lock();
2203 struct hci_chan_hash *ch; 2196
2197 list_for_each_entry_rcu(conn, &h->list, list) {
2204 struct hci_chan *chan; 2198 struct hci_chan *chan;
2205 2199
2206 if (conn->type != type) 2200 if (conn->type != type)
@@ -2211,8 +2205,7 @@ static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
2211 2205
2212 num++; 2206 num++;
2213 2207
2214 ch = &conn->chan_hash; 2208 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
2215 list_for_each_entry(chan, &ch->list, list) {
2216 struct sk_buff *skb; 2209 struct sk_buff *skb;
2217 2210
2218 if (chan->sent) { 2211 if (chan->sent) {
@@ -2236,6 +2229,9 @@ static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
2236 if (hci_conn_num(hdev, type) == num) 2229 if (hci_conn_num(hdev, type) == num)
2237 break; 2230 break;
2238 } 2231 }
2232
2233 rcu_read_unlock();
2234
2239} 2235}
2240 2236
2241static inline void hci_sched_acl(struct hci_dev *hdev) 2237static inline void hci_sched_acl(struct hci_dev *hdev)
@@ -2386,13 +2382,11 @@ static inline void hci_sched_le(struct hci_dev *hdev)
2386 hci_prio_recalculate(hdev, LE_LINK); 2382 hci_prio_recalculate(hdev, LE_LINK);
2387} 2383}
2388 2384
2389static void hci_tx_task(unsigned long arg) 2385static void hci_tx_work(struct work_struct *work)
2390{ 2386{
2391 struct hci_dev *hdev = (struct hci_dev *) arg; 2387 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
2392 struct sk_buff *skb; 2388 struct sk_buff *skb;
2393 2389
2394 read_lock(&hci_task_lock);
2395
2396 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt, 2390 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
2397 hdev->sco_cnt, hdev->le_cnt); 2391 hdev->sco_cnt, hdev->le_cnt);
2398 2392
@@ -2409,8 +2403,6 @@ static void hci_tx_task(unsigned long arg)
2409 /* Send next queued raw (unknown type) packet */ 2403 /* Send next queued raw (unknown type) packet */
2410 while ((skb = skb_dequeue(&hdev->raw_q))) 2404 while ((skb = skb_dequeue(&hdev->raw_q)))
2411 hci_send_frame(skb); 2405 hci_send_frame(skb);
2412
2413 read_unlock(&hci_task_lock);
2414} 2406}
2415 2407
2416/* ----- HCI RX task (incoming data processing) ----- */ 2408/* ----- HCI RX task (incoming data processing) ----- */
@@ -2437,16 +2429,11 @@ static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2437 hci_dev_unlock(hdev); 2429 hci_dev_unlock(hdev);
2438 2430
2439 if (conn) { 2431 if (conn) {
2440 register struct hci_proto *hp; 2432 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
2441
2442 hci_conn_enter_active_mode(conn, bt_cb(skb)->force_active);
2443 2433
2444 /* Send to upper protocol */ 2434 /* Send to upper protocol */
2445 hp = hci_proto[HCI_PROTO_L2CAP]; 2435 l2cap_recv_acldata(conn, skb, flags);
2446 if (hp && hp->recv_acldata) { 2436 return;
2447 hp->recv_acldata(conn, skb, flags);
2448 return;
2449 }
2450 } else { 2437 } else {
2451 BT_ERR("%s ACL packet for unknown connection handle %d", 2438 BT_ERR("%s ACL packet for unknown connection handle %d",
2452 hdev->name, handle); 2439 hdev->name, handle);
@@ -2475,14 +2462,9 @@ static inline void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2475 hci_dev_unlock(hdev); 2462 hci_dev_unlock(hdev);
2476 2463
2477 if (conn) { 2464 if (conn) {
2478 register struct hci_proto *hp;
2479
2480 /* Send to upper protocol */ 2465 /* Send to upper protocol */
2481 hp = hci_proto[HCI_PROTO_SCO]; 2466 sco_recv_scodata(conn, skb);
2482 if (hp && hp->recv_scodata) { 2467 return;
2483 hp->recv_scodata(conn, skb);
2484 return;
2485 }
2486 } else { 2468 } else {
2487 BT_ERR("%s SCO packet for unknown connection handle %d", 2469 BT_ERR("%s SCO packet for unknown connection handle %d",
2488 hdev->name, handle); 2470 hdev->name, handle);
@@ -2491,15 +2473,13 @@ static inline void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
2491 kfree_skb(skb); 2473 kfree_skb(skb);
2492} 2474}
2493 2475
2494static void hci_rx_task(unsigned long arg) 2476static void hci_rx_work(struct work_struct *work)
2495{ 2477{
2496 struct hci_dev *hdev = (struct hci_dev *) arg; 2478 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
2497 struct sk_buff *skb; 2479 struct sk_buff *skb;
2498 2480
2499 BT_DBG("%s", hdev->name); 2481 BT_DBG("%s", hdev->name);
2500 2482
2501 read_lock(&hci_task_lock);
2502
2503 while ((skb = skb_dequeue(&hdev->rx_q))) { 2483 while ((skb = skb_dequeue(&hdev->rx_q))) {
2504 if (atomic_read(&hdev->promisc)) { 2484 if (atomic_read(&hdev->promisc)) {
2505 /* Send copy to the sockets */ 2485 /* Send copy to the sockets */
@@ -2524,6 +2504,7 @@ static void hci_rx_task(unsigned long arg)
2524 /* Process frame */ 2504 /* Process frame */
2525 switch (bt_cb(skb)->pkt_type) { 2505 switch (bt_cb(skb)->pkt_type) {
2526 case HCI_EVENT_PKT: 2506 case HCI_EVENT_PKT:
2507 BT_DBG("%s Event packet", hdev->name);
2527 hci_event_packet(hdev, skb); 2508 hci_event_packet(hdev, skb);
2528 break; 2509 break;
2529 2510
@@ -2542,13 +2523,11 @@ static void hci_rx_task(unsigned long arg)
2542 break; 2523 break;
2543 } 2524 }
2544 } 2525 }
2545
2546 read_unlock(&hci_task_lock);
2547} 2526}
2548 2527
2549static void hci_cmd_task(unsigned long arg) 2528static void hci_cmd_work(struct work_struct *work)
2550{ 2529{
2551 struct hci_dev *hdev = (struct hci_dev *) arg; 2530 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
2552 struct sk_buff *skb; 2531 struct sk_buff *skb;
2553 2532
2554 BT_DBG("%s cmd %d", hdev->name, atomic_read(&hdev->cmd_cnt)); 2533 BT_DBG("%s cmd %d", hdev->name, atomic_read(&hdev->cmd_cnt));
@@ -2572,7 +2551,7 @@ static void hci_cmd_task(unsigned long arg)
2572 jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT)); 2551 jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT));
2573 } else { 2552 } else {
2574 skb_queue_head(&hdev->cmd_q, skb); 2553 skb_queue_head(&hdev->cmd_q, skb);
2575 tasklet_schedule(&hdev->cmd_task); 2554 queue_work(hdev->workqueue, &hdev->cmd_work);
2576 } 2555 }
2577 } 2556 }
2578} 2557}
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 918dc09164ba..4221bd256bdd 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -378,11 +378,8 @@ static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
378 378
379 BT_DBG("%s voice setting 0x%04x", hdev->name, setting); 379 BT_DBG("%s voice setting 0x%04x", hdev->name, setting);
380 380
381 if (hdev->notify) { 381 if (hdev->notify)
382 tasklet_disable(&hdev->tx_task);
383 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 382 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
384 tasklet_enable(&hdev->tx_task);
385 }
386} 383}
387 384
388static void hci_cc_write_voice_setting(struct hci_dev *hdev, struct sk_buff *skb) 385static void hci_cc_write_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
@@ -409,11 +406,8 @@ static void hci_cc_write_voice_setting(struct hci_dev *hdev, struct sk_buff *skb
409 406
410 BT_DBG("%s voice setting 0x%04x", hdev->name, setting); 407 BT_DBG("%s voice setting 0x%04x", hdev->name, setting);
411 408
412 if (hdev->notify) { 409 if (hdev->notify)
413 tasklet_disable(&hdev->tx_task);
414 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING); 410 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
415 tasklet_enable(&hdev->tx_task);
416 }
417} 411}
418 412
419static void hci_cc_host_buffer_size(struct hci_dev *hdev, struct sk_buff *skb) 413static void hci_cc_host_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
@@ -562,6 +556,9 @@ static void hci_set_le_support(struct hci_dev *hdev)
562 556
563static void hci_setup(struct hci_dev *hdev) 557static void hci_setup(struct hci_dev *hdev)
564{ 558{
559 if (hdev->dev_type != HCI_BREDR)
560 return;
561
565 hci_setup_event_mask(hdev); 562 hci_setup_event_mask(hdev);
566 563
567 if (hdev->hci_ver > BLUETOOTH_VER_1_1) 564 if (hdev->hci_ver > BLUETOOTH_VER_1_1)
@@ -773,6 +770,28 @@ static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
773 hci_req_complete(hdev, HCI_OP_READ_BD_ADDR, rp->status); 770 hci_req_complete(hdev, HCI_OP_READ_BD_ADDR, rp->status);
774} 771}
775 772
773static void hci_cc_read_data_block_size(struct hci_dev *hdev,
774 struct sk_buff *skb)
775{
776 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
777
778 BT_DBG("%s status 0x%x", hdev->name, rp->status);
779
780 if (rp->status)
781 return;
782
783 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
784 hdev->block_len = __le16_to_cpu(rp->block_len);
785 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
786
787 hdev->block_cnt = hdev->num_blocks;
788
789 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
790 hdev->block_cnt, hdev->block_len);
791
792 hci_req_complete(hdev, HCI_OP_READ_DATA_BLOCK_SIZE, rp->status);
793}
794
776static void hci_cc_write_ca_timeout(struct hci_dev *hdev, struct sk_buff *skb) 795static void hci_cc_write_ca_timeout(struct hci_dev *hdev, struct sk_buff *skb)
777{ 796{
778 __u8 status = *((__u8 *) skb->data); 797 __u8 status = *((__u8 *) skb->data);
@@ -1014,18 +1033,28 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1014 if (!cp) 1033 if (!cp)
1015 return; 1034 return;
1016 1035
1017 if (cp->enable == 0x01) { 1036 switch (cp->enable) {
1037 case LE_SCANNING_ENABLED:
1018 set_bit(HCI_LE_SCAN, &hdev->dev_flags); 1038 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1019 1039
1020 del_timer(&hdev->adv_timer); 1040 cancel_delayed_work_sync(&hdev->adv_work);
1021 1041
1022 hci_dev_lock(hdev); 1042 hci_dev_lock(hdev);
1023 hci_adv_entries_clear(hdev); 1043 hci_adv_entries_clear(hdev);
1024 hci_dev_unlock(hdev); 1044 hci_dev_unlock(hdev);
1025 } else if (cp->enable == 0x00) { 1045 break;
1046
1047 case LE_SCANNING_DISABLED:
1026 clear_bit(HCI_LE_SCAN, &hdev->dev_flags); 1048 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1027 1049
1028 mod_timer(&hdev->adv_timer, jiffies + ADV_CLEAR_TIMEOUT); 1050 cancel_delayed_work_sync(&hdev->adv_work);
1051 queue_delayed_work(hdev->workqueue, &hdev->adv_work,
1052 jiffies + ADV_CLEAR_TIMEOUT);
1053 break;
1054
1055 default:
1056 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1057 break;
1029 } 1058 }
1030} 1059}
1031 1060
@@ -2022,6 +2051,10 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
2022 hci_cc_read_bd_addr(hdev, skb); 2051 hci_cc_read_bd_addr(hdev, skb);
2023 break; 2052 break;
2024 2053
2054 case HCI_OP_READ_DATA_BLOCK_SIZE:
2055 hci_cc_read_data_block_size(hdev, skb);
2056 break;
2057
2025 case HCI_OP_WRITE_CA_TIMEOUT: 2058 case HCI_OP_WRITE_CA_TIMEOUT:
2026 hci_cc_write_ca_timeout(hdev, skb); 2059 hci_cc_write_ca_timeout(hdev, skb);
2027 break; 2060 break;
@@ -2116,7 +2149,7 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
2116 if (ev->ncmd) { 2149 if (ev->ncmd) {
2117 atomic_set(&hdev->cmd_cnt, 1); 2150 atomic_set(&hdev->cmd_cnt, 1);
2118 if (!skb_queue_empty(&hdev->cmd_q)) 2151 if (!skb_queue_empty(&hdev->cmd_q))
2119 tasklet_schedule(&hdev->cmd_task); 2152 queue_work(hdev->workqueue, &hdev->cmd_work);
2120 } 2153 }
2121} 2154}
2122 2155
@@ -2198,7 +2231,7 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2198 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { 2231 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2199 atomic_set(&hdev->cmd_cnt, 1); 2232 atomic_set(&hdev->cmd_cnt, 1);
2200 if (!skb_queue_empty(&hdev->cmd_q)) 2233 if (!skb_queue_empty(&hdev->cmd_q))
2201 tasklet_schedule(&hdev->cmd_task); 2234 queue_work(hdev->workqueue, &hdev->cmd_work);
2202 } 2235 }
2203} 2236}
2204 2237
@@ -2231,56 +2264,68 @@ static inline void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb
2231static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) 2264static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2232{ 2265{
2233 struct hci_ev_num_comp_pkts *ev = (void *) skb->data; 2266 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2234 __le16 *ptr;
2235 int i; 2267 int i;
2236 2268
2237 skb_pull(skb, sizeof(*ev)); 2269 skb_pull(skb, sizeof(*ev));
2238 2270
2239 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); 2271 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2240 2272
2273 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2274 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2275 return;
2276 }
2277
2241 if (skb->len < ev->num_hndl * 4) { 2278 if (skb->len < ev->num_hndl * 4) {
2242 BT_DBG("%s bad parameters", hdev->name); 2279 BT_DBG("%s bad parameters", hdev->name);
2243 return; 2280 return;
2244 } 2281 }
2245 2282
2246 tasklet_disable(&hdev->tx_task); 2283 for (i = 0; i < ev->num_hndl; i++) {
2247 2284 struct hci_comp_pkts_info *info = &ev->handles[i];
2248 for (i = 0, ptr = (__le16 *) skb->data; i < ev->num_hndl; i++) {
2249 struct hci_conn *conn; 2285 struct hci_conn *conn;
2250 __u16 handle, count; 2286 __u16 handle, count;
2251 2287
2252 handle = get_unaligned_le16(ptr++); 2288 handle = __le16_to_cpu(info->handle);
2253 count = get_unaligned_le16(ptr++); 2289 count = __le16_to_cpu(info->count);
2254 2290
2255 conn = hci_conn_hash_lookup_handle(hdev, handle); 2291 conn = hci_conn_hash_lookup_handle(hdev, handle);
2256 if (conn) { 2292 if (!conn)
2257 conn->sent -= count; 2293 continue;
2258 2294
2259 if (conn->type == ACL_LINK) { 2295 conn->sent -= count;
2296
2297 switch (conn->type) {
2298 case ACL_LINK:
2299 hdev->acl_cnt += count;
2300 if (hdev->acl_cnt > hdev->acl_pkts)
2301 hdev->acl_cnt = hdev->acl_pkts;
2302 break;
2303
2304 case LE_LINK:
2305 if (hdev->le_pkts) {
2306 hdev->le_cnt += count;
2307 if (hdev->le_cnt > hdev->le_pkts)
2308 hdev->le_cnt = hdev->le_pkts;
2309 } else {
2260 hdev->acl_cnt += count; 2310 hdev->acl_cnt += count;
2261 if (hdev->acl_cnt > hdev->acl_pkts) 2311 if (hdev->acl_cnt > hdev->acl_pkts)
2262 hdev->acl_cnt = hdev->acl_pkts; 2312 hdev->acl_cnt = hdev->acl_pkts;
2263 } else if (conn->type == LE_LINK) {
2264 if (hdev->le_pkts) {
2265 hdev->le_cnt += count;
2266 if (hdev->le_cnt > hdev->le_pkts)
2267 hdev->le_cnt = hdev->le_pkts;
2268 } else {
2269 hdev->acl_cnt += count;
2270 if (hdev->acl_cnt > hdev->acl_pkts)
2271 hdev->acl_cnt = hdev->acl_pkts;
2272 }
2273 } else {
2274 hdev->sco_cnt += count;
2275 if (hdev->sco_cnt > hdev->sco_pkts)
2276 hdev->sco_cnt = hdev->sco_pkts;
2277 } 2313 }
2314 break;
2315
2316 case SCO_LINK:
2317 hdev->sco_cnt += count;
2318 if (hdev->sco_cnt > hdev->sco_pkts)
2319 hdev->sco_cnt = hdev->sco_pkts;
2320 break;
2321
2322 default:
2323 BT_ERR("Unknown type %d conn %p", conn->type, conn);
2324 break;
2278 } 2325 }
2279 } 2326 }
2280 2327
2281 tasklet_schedule(&hdev->tx_task); 2328 queue_work(hdev->workqueue, &hdev->tx_work);
2282
2283 tasklet_enable(&hdev->tx_task);
2284} 2329}
2285 2330
2286static inline void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb) 2331static inline void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 78746cfa1659..6d94616af312 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -188,11 +188,11 @@ static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg)
188 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 188 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
189 return -EFAULT; 189 return -EFAULT;
190 190
191 hci_dev_lock_bh(hdev); 191 hci_dev_lock(hdev);
192 192
193 err = hci_blacklist_add(hdev, &bdaddr); 193 err = hci_blacklist_add(hdev, &bdaddr);
194 194
195 hci_dev_unlock_bh(hdev); 195 hci_dev_unlock(hdev);
196 196
197 return err; 197 return err;
198} 198}
@@ -205,11 +205,11 @@ static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
205 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) 205 if (copy_from_user(&bdaddr, arg, sizeof(bdaddr)))
206 return -EFAULT; 206 return -EFAULT;
207 207
208 hci_dev_lock_bh(hdev); 208 hci_dev_lock(hdev);
209 209
210 err = hci_blacklist_del(hdev, &bdaddr); 210 err = hci_blacklist_del(hdev, &bdaddr);
211 211
212 hci_dev_unlock_bh(hdev); 212 hci_dev_unlock(hdev);
213 213
214 return err; 214 return err;
215} 215}
@@ -343,8 +343,11 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
343 if (haddr.hci_channel > HCI_CHANNEL_CONTROL) 343 if (haddr.hci_channel > HCI_CHANNEL_CONTROL)
344 return -EINVAL; 344 return -EINVAL;
345 345
346 if (haddr.hci_channel == HCI_CHANNEL_CONTROL && !enable_mgmt) 346 if (haddr.hci_channel == HCI_CHANNEL_CONTROL) {
347 return -EINVAL; 347 if (!enable_mgmt)
348 return -EINVAL;
349 set_bit(HCI_PI_MGMT_INIT, &hci_pi(sk)->flags);
350 }
348 351
349 lock_sock(sk); 352 lock_sock(sk);
350 353
@@ -535,10 +538,10 @@ static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
535 538
536 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) { 539 if (test_bit(HCI_RAW, &hdev->flags) || (ogf == 0x3f)) {
537 skb_queue_tail(&hdev->raw_q, skb); 540 skb_queue_tail(&hdev->raw_q, skb);
538 tasklet_schedule(&hdev->tx_task); 541 queue_work(hdev->workqueue, &hdev->tx_work);
539 } else { 542 } else {
540 skb_queue_tail(&hdev->cmd_q, skb); 543 skb_queue_tail(&hdev->cmd_q, skb);
541 tasklet_schedule(&hdev->cmd_task); 544 queue_work(hdev->workqueue, &hdev->cmd_work);
542 } 545 }
543 } else { 546 } else {
544 if (!capable(CAP_NET_RAW)) { 547 if (!capable(CAP_NET_RAW)) {
@@ -547,7 +550,7 @@ static int hci_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
547 } 550 }
548 551
549 skb_queue_tail(&hdev->raw_q, skb); 552 skb_queue_tail(&hdev->raw_q, skb);
550 tasklet_schedule(&hdev->tx_task); 553 queue_work(hdev->workqueue, &hdev->tx_work);
551 } 554 }
552 555
553 err = len; 556 err = len;
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index c62d254a1379..521095614235 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -89,11 +89,35 @@ static struct device_type bt_link = {
89 .release = bt_link_release, 89 .release = bt_link_release,
90}; 90};
91 91
92static void add_conn(struct work_struct *work) 92/*
93 * The rfcomm tty device will possibly retain even when conn
94 * is down, and sysfs doesn't support move zombie device,
95 * so we should move the device before conn device is destroyed.
96 */
97static int __match_tty(struct device *dev, void *data)
98{
99 return !strncmp(dev_name(dev), "rfcomm", 6);
100}
101
102void hci_conn_init_sysfs(struct hci_conn *conn)
103{
104 struct hci_dev *hdev = conn->hdev;
105
106 BT_DBG("conn %p", conn);
107
108 conn->dev.type = &bt_link;
109 conn->dev.class = bt_class;
110 conn->dev.parent = &hdev->dev;
111
112 device_initialize(&conn->dev);
113}
114
115void hci_conn_add_sysfs(struct hci_conn *conn)
93{ 116{
94 struct hci_conn *conn = container_of(work, struct hci_conn, work_add);
95 struct hci_dev *hdev = conn->hdev; 117 struct hci_dev *hdev = conn->hdev;
96 118
119 BT_DBG("conn %p", conn);
120
97 dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle); 121 dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
98 122
99 dev_set_drvdata(&conn->dev, conn); 123 dev_set_drvdata(&conn->dev, conn);
@@ -106,19 +130,8 @@ static void add_conn(struct work_struct *work)
106 hci_dev_hold(hdev); 130 hci_dev_hold(hdev);
107} 131}
108 132
109/* 133void hci_conn_del_sysfs(struct hci_conn *conn)
110 * The rfcomm tty device will possibly retain even when conn
111 * is down, and sysfs doesn't support move zombie device,
112 * so we should move the device before conn device is destroyed.
113 */
114static int __match_tty(struct device *dev, void *data)
115{
116 return !strncmp(dev_name(dev), "rfcomm", 6);
117}
118
119static void del_conn(struct work_struct *work)
120{ 134{
121 struct hci_conn *conn = container_of(work, struct hci_conn, work_del);
122 struct hci_dev *hdev = conn->hdev; 135 struct hci_dev *hdev = conn->hdev;
123 136
124 if (!device_is_registered(&conn->dev)) 137 if (!device_is_registered(&conn->dev))
@@ -140,36 +153,6 @@ static void del_conn(struct work_struct *work)
140 hci_dev_put(hdev); 153 hci_dev_put(hdev);
141} 154}
142 155
143void hci_conn_init_sysfs(struct hci_conn *conn)
144{
145 struct hci_dev *hdev = conn->hdev;
146
147 BT_DBG("conn %p", conn);
148
149 conn->dev.type = &bt_link;
150 conn->dev.class = bt_class;
151 conn->dev.parent = &hdev->dev;
152
153 device_initialize(&conn->dev);
154
155 INIT_WORK(&conn->work_add, add_conn);
156 INIT_WORK(&conn->work_del, del_conn);
157}
158
159void hci_conn_add_sysfs(struct hci_conn *conn)
160{
161 BT_DBG("conn %p", conn);
162
163 queue_work(conn->hdev->workqueue, &conn->work_add);
164}
165
166void hci_conn_del_sysfs(struct hci_conn *conn)
167{
168 BT_DBG("conn %p", conn);
169
170 queue_work(conn->hdev->workqueue, &conn->work_del);
171}
172
173static inline char *host_bustostr(int bus) 156static inline char *host_bustostr(int bus)
174{ 157{
175 switch (bus) { 158 switch (bus) {
@@ -403,7 +386,7 @@ static int inquiry_cache_show(struct seq_file *f, void *p)
403 struct inquiry_cache *cache = &hdev->inq_cache; 386 struct inquiry_cache *cache = &hdev->inq_cache;
404 struct inquiry_entry *e; 387 struct inquiry_entry *e;
405 388
406 hci_dev_lock_bh(hdev); 389 hci_dev_lock(hdev);
407 390
408 for (e = cache->list; e; e = e->next) { 391 for (e = cache->list; e; e = e->next) {
409 struct inquiry_data *data = &e->data; 392 struct inquiry_data *data = &e->data;
@@ -416,7 +399,7 @@ static int inquiry_cache_show(struct seq_file *f, void *p)
416 data->rssi, data->ssp_mode, e->timestamp); 399 data->rssi, data->ssp_mode, e->timestamp);
417 } 400 }
418 401
419 hci_dev_unlock_bh(hdev); 402 hci_dev_unlock(hdev);
420 403
421 return 0; 404 return 0;
422} 405}
@@ -438,12 +421,12 @@ static int blacklist_show(struct seq_file *f, void *p)
438 struct hci_dev *hdev = f->private; 421 struct hci_dev *hdev = f->private;
439 struct bdaddr_list *b; 422 struct bdaddr_list *b;
440 423
441 hci_dev_lock_bh(hdev); 424 hci_dev_lock(hdev);
442 425
443 list_for_each_entry(b, &hdev->blacklist, list) 426 list_for_each_entry(b, &hdev->blacklist, list)
444 seq_printf(f, "%s\n", batostr(&b->bdaddr)); 427 seq_printf(f, "%s\n", batostr(&b->bdaddr));
445 428
446 hci_dev_unlock_bh(hdev); 429 hci_dev_unlock(hdev);
447 430
448 return 0; 431 return 0;
449} 432}
@@ -482,12 +465,12 @@ static int uuids_show(struct seq_file *f, void *p)
482 struct hci_dev *hdev = f->private; 465 struct hci_dev *hdev = f->private;
483 struct bt_uuid *uuid; 466 struct bt_uuid *uuid;
484 467
485 hci_dev_lock_bh(hdev); 468 hci_dev_lock(hdev);
486 469
487 list_for_each_entry(uuid, &hdev->uuids, list) 470 list_for_each_entry(uuid, &hdev->uuids, list)
488 print_bt_uuid(f, uuid->uuid); 471 print_bt_uuid(f, uuid->uuid);
489 472
490 hci_dev_unlock_bh(hdev); 473 hci_dev_unlock(hdev);
491 474
492 return 0; 475 return 0;
493} 476}
@@ -508,11 +491,11 @@ static int auto_accept_delay_set(void *data, u64 val)
508{ 491{
509 struct hci_dev *hdev = data; 492 struct hci_dev *hdev = data;
510 493
511 hci_dev_lock_bh(hdev); 494 hci_dev_lock(hdev);
512 495
513 hdev->auto_accept_delay = val; 496 hdev->auto_accept_delay = val;
514 497
515 hci_dev_unlock_bh(hdev); 498 hci_dev_unlock(hdev);
516 499
517 return 0; 500 return 0;
518} 501}
@@ -521,11 +504,11 @@ static int auto_accept_delay_get(void *data, u64 *val)
521{ 504{
522 struct hci_dev *hdev = data; 505 struct hci_dev *hdev = data;
523 506
524 hci_dev_lock_bh(hdev); 507 hci_dev_lock(hdev);
525 508
526 *val = hdev->auto_accept_delay; 509 *val = hdev->auto_accept_delay;
527 510
528 hci_dev_unlock_bh(hdev); 511 hci_dev_unlock(hdev);
529 512
530 return 0; 513 return 0;
531} 514}
diff --git a/net/bluetooth/hidp/Kconfig b/net/bluetooth/hidp/Kconfig
index 86a91543172a..4deaca78e91e 100644
--- a/net/bluetooth/hidp/Kconfig
+++ b/net/bluetooth/hidp/Kconfig
@@ -1,6 +1,6 @@
1config BT_HIDP 1config BT_HIDP
2 tristate "HIDP protocol support" 2 tristate "HIDP protocol support"
3 depends on BT && BT_L2CAP && INPUT && HID_SUPPORT 3 depends on BT && INPUT && HID_SUPPORT
4 select HID 4 select HID
5 help 5 help
6 HIDP (Human Interface Device Protocol) is a transport layer 6 HIDP (Human Interface Device Protocol) is a transport layer
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 3c2d888925d7..d478be11d562 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -795,11 +795,11 @@ static struct hci_conn *hidp_get_connection(struct hidp_session *session)
795 if (!hdev) 795 if (!hdev)
796 return NULL; 796 return NULL;
797 797
798 hci_dev_lock_bh(hdev); 798 hci_dev_lock(hdev);
799 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); 799 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
800 if (conn) 800 if (conn)
801 hci_conn_hold_device(conn); 801 hci_conn_hold_device(conn);
802 hci_dev_unlock_bh(hdev); 802 hci_dev_unlock(hdev);
803 803
804 hci_dev_put(hdev); 804 hci_dev_put(hdev);
805 805
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 9bc22e4c4c61..aa78d8c4b93b 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3,6 +3,7 @@
3 Copyright (C) 2000-2001 Qualcomm Incorporated 3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc. 5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
6 7
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 9
@@ -76,37 +77,38 @@ static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
76 77
77/* ---- L2CAP channels ---- */ 78/* ---- L2CAP channels ---- */
78 79
79static inline void chan_hold(struct l2cap_chan *c)
80{
81 atomic_inc(&c->refcnt);
82}
83
84static inline void chan_put(struct l2cap_chan *c)
85{
86 if (atomic_dec_and_test(&c->refcnt))
87 kfree(c);
88}
89
90static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid) 80static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
91{ 81{
92 struct l2cap_chan *c; 82 struct l2cap_chan *c, *r = NULL;
93 83
94 list_for_each_entry(c, &conn->chan_l, list) { 84 rcu_read_lock();
95 if (c->dcid == cid) 85
96 return c; 86 list_for_each_entry_rcu(c, &conn->chan_l, list) {
87 if (c->dcid == cid) {
88 r = c;
89 break;
90 }
97 } 91 }
98 return NULL; 92
93 rcu_read_unlock();
94 return r;
99} 95}
100 96
101static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid) 97static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
102{ 98{
103 struct l2cap_chan *c; 99 struct l2cap_chan *c, *r = NULL;
104 100
105 list_for_each_entry(c, &conn->chan_l, list) { 101 rcu_read_lock();
106 if (c->scid == cid) 102
107 return c; 103 list_for_each_entry_rcu(c, &conn->chan_l, list) {
104 if (c->scid == cid) {
105 r = c;
106 break;
107 }
108 } 108 }
109 return NULL; 109
110 rcu_read_unlock();
111 return r;
110} 112}
111 113
112/* Find channel with given SCID. 114/* Find channel with given SCID.
@@ -115,34 +117,36 @@ static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 ci
115{ 117{
116 struct l2cap_chan *c; 118 struct l2cap_chan *c;
117 119
118 read_lock(&conn->chan_lock);
119 c = __l2cap_get_chan_by_scid(conn, cid); 120 c = __l2cap_get_chan_by_scid(conn, cid);
120 if (c) 121 if (c)
121 bh_lock_sock(c->sk); 122 lock_sock(c->sk);
122 read_unlock(&conn->chan_lock);
123 return c; 123 return c;
124} 124}
125 125
126static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident) 126static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
127{ 127{
128 struct l2cap_chan *c; 128 struct l2cap_chan *c, *r = NULL;
129 129
130 list_for_each_entry(c, &conn->chan_l, list) { 130 rcu_read_lock();
131 if (c->ident == ident) 131
132 return c; 132 list_for_each_entry_rcu(c, &conn->chan_l, list) {
133 if (c->ident == ident) {
134 r = c;
135 break;
136 }
133 } 137 }
134 return NULL; 138
139 rcu_read_unlock();
140 return r;
135} 141}
136 142
137static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident) 143static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
138{ 144{
139 struct l2cap_chan *c; 145 struct l2cap_chan *c;
140 146
141 read_lock(&conn->chan_lock);
142 c = __l2cap_get_chan_by_ident(conn, ident); 147 c = __l2cap_get_chan_by_ident(conn, ident);
143 if (c) 148 if (c)
144 bh_lock_sock(c->sk); 149 lock_sock(c->sk);
145 read_unlock(&conn->chan_lock);
146 return c; 150 return c;
147} 151}
148 152
@@ -213,22 +217,6 @@ static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
213 return 0; 217 return 0;
214} 218}
215 219
216static void l2cap_set_timer(struct l2cap_chan *chan, struct timer_list *timer, long timeout)
217{
218 BT_DBG("chan %p state %d timeout %ld", chan, chan->state, timeout);
219
220 if (!mod_timer(timer, jiffies + msecs_to_jiffies(timeout)))
221 chan_hold(chan);
222}
223
224static void l2cap_clear_timer(struct l2cap_chan *chan, struct timer_list *timer)
225{
226 BT_DBG("chan %p state %d", chan, chan->state);
227
228 if (timer_pending(timer) && del_timer(timer))
229 chan_put(chan);
230}
231
232static char *state_to_string(int state) 220static char *state_to_string(int state)
233{ 221{
234 switch(state) { 222 switch(state) {
@@ -264,23 +252,16 @@ static void l2cap_state_change(struct l2cap_chan *chan, int state)
264 chan->ops->state_change(chan->data, state); 252 chan->ops->state_change(chan->data, state);
265} 253}
266 254
267static void l2cap_chan_timeout(unsigned long arg) 255static void l2cap_chan_timeout(struct work_struct *work)
268{ 256{
269 struct l2cap_chan *chan = (struct l2cap_chan *) arg; 257 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
258 chan_timer.work);
270 struct sock *sk = chan->sk; 259 struct sock *sk = chan->sk;
271 int reason; 260 int reason;
272 261
273 BT_DBG("chan %p state %d", chan, chan->state); 262 BT_DBG("chan %p state %d", chan, chan->state);
274 263
275 bh_lock_sock(sk); 264 lock_sock(sk);
276
277 if (sock_owned_by_user(sk)) {
278 /* sk is owned by user. Try again later */
279 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
280 bh_unlock_sock(sk);
281 chan_put(chan);
282 return;
283 }
284 265
285 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) 266 if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
286 reason = ECONNREFUSED; 267 reason = ECONNREFUSED;
@@ -292,10 +273,10 @@ static void l2cap_chan_timeout(unsigned long arg)
292 273
293 l2cap_chan_close(chan, reason); 274 l2cap_chan_close(chan, reason);
294 275
295 bh_unlock_sock(sk); 276 release_sock(sk);
296 277
297 chan->ops->close(chan->data); 278 chan->ops->close(chan->data);
298 chan_put(chan); 279 l2cap_chan_put(chan);
299} 280}
300 281
301struct l2cap_chan *l2cap_chan_create(struct sock *sk) 282struct l2cap_chan *l2cap_chan_create(struct sock *sk)
@@ -312,7 +293,7 @@ struct l2cap_chan *l2cap_chan_create(struct sock *sk)
312 list_add(&chan->global_l, &chan_list); 293 list_add(&chan->global_l, &chan_list);
313 write_unlock_bh(&chan_list_lock); 294 write_unlock_bh(&chan_list_lock);
314 295
315 setup_timer(&chan->chan_timer, l2cap_chan_timeout, (unsigned long) chan); 296 INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
316 297
317 chan->state = BT_OPEN; 298 chan->state = BT_OPEN;
318 299
@@ -329,10 +310,10 @@ void l2cap_chan_destroy(struct l2cap_chan *chan)
329 list_del(&chan->global_l); 310 list_del(&chan->global_l);
330 write_unlock_bh(&chan_list_lock); 311 write_unlock_bh(&chan_list_lock);
331 312
332 chan_put(chan); 313 l2cap_chan_put(chan);
333} 314}
334 315
335static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan) 316static void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
336{ 317{
337 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn, 318 BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
338 chan->psm, chan->dcid); 319 chan->psm, chan->dcid);
@@ -371,9 +352,9 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
371 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT; 352 chan->local_acc_lat = L2CAP_DEFAULT_ACC_LAT;
372 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO; 353 chan->local_flush_to = L2CAP_DEFAULT_FLUSH_TO;
373 354
374 chan_hold(chan); 355 l2cap_chan_hold(chan);
375 356
376 list_add(&chan->list, &conn->chan_l); 357 list_add_rcu(&chan->list, &conn->chan_l);
377} 358}
378 359
379/* Delete channel. 360/* Delete channel.
@@ -390,10 +371,10 @@ static void l2cap_chan_del(struct l2cap_chan *chan, int err)
390 371
391 if (conn) { 372 if (conn) {
392 /* Delete from channel list */ 373 /* Delete from channel list */
393 write_lock_bh(&conn->chan_lock); 374 list_del_rcu(&chan->list);
394 list_del(&chan->list); 375 synchronize_rcu();
395 write_unlock_bh(&conn->chan_lock); 376
396 chan_put(chan); 377 l2cap_chan_put(chan);
397 378
398 chan->conn = NULL; 379 chan->conn = NULL;
399 hci_conn_put(conn->hcon); 380 hci_conn_put(conn->hcon);
@@ -707,7 +688,7 @@ static void l2cap_do_start(struct l2cap_chan *chan)
707 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 688 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
708 conn->info_ident = l2cap_get_ident(conn); 689 conn->info_ident = l2cap_get_ident(conn);
709 690
710 mod_timer(&conn->info_timer, jiffies + 691 schedule_delayed_work(&conn->info_timer,
711 msecs_to_jiffies(L2CAP_INFO_TIMEOUT)); 692 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
712 693
713 l2cap_send_cmd(conn, conn->info_ident, 694 l2cap_send_cmd(conn, conn->info_ident,
@@ -759,13 +740,13 @@ static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *c
759/* ---- L2CAP connections ---- */ 740/* ---- L2CAP connections ---- */
760static void l2cap_conn_start(struct l2cap_conn *conn) 741static void l2cap_conn_start(struct l2cap_conn *conn)
761{ 742{
762 struct l2cap_chan *chan, *tmp; 743 struct l2cap_chan *chan;
763 744
764 BT_DBG("conn %p", conn); 745 BT_DBG("conn %p", conn);
765 746
766 read_lock(&conn->chan_lock); 747 rcu_read_lock();
767 748
768 list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) { 749 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
769 struct sock *sk = chan->sk; 750 struct sock *sk = chan->sk;
770 751
771 bh_lock_sock(sk); 752 bh_lock_sock(sk);
@@ -789,9 +770,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
789 &chan->conf_state)) { 770 &chan->conf_state)) {
790 /* l2cap_chan_close() calls list_del(chan) 771 /* l2cap_chan_close() calls list_del(chan)
791 * so release the lock */ 772 * so release the lock */
792 read_unlock(&conn->chan_lock);
793 l2cap_chan_close(chan, ECONNRESET); 773 l2cap_chan_close(chan, ECONNRESET);
794 read_lock(&conn->chan_lock);
795 bh_unlock_sock(sk); 774 bh_unlock_sock(sk);
796 continue; 775 continue;
797 } 776 }
@@ -847,7 +826,7 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
847 bh_unlock_sock(sk); 826 bh_unlock_sock(sk);
848 } 827 }
849 828
850 read_unlock(&conn->chan_lock); 829 rcu_read_unlock();
851} 830}
852 831
853/* Find socket with cid and source bdaddr. 832/* Find socket with cid and source bdaddr.
@@ -898,7 +877,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
898 877
899 parent = pchan->sk; 878 parent = pchan->sk;
900 879
901 bh_lock_sock(parent); 880 lock_sock(parent);
902 881
903 /* Check for backlog size */ 882 /* Check for backlog size */
904 if (sk_acceptq_is_full(parent)) { 883 if (sk_acceptq_is_full(parent)) {
@@ -912,8 +891,6 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
912 891
913 sk = chan->sk; 892 sk = chan->sk;
914 893
915 write_lock_bh(&conn->chan_lock);
916
917 hci_conn_hold(conn->hcon); 894 hci_conn_hold(conn->hcon);
918 895
919 bacpy(&bt_sk(sk)->src, conn->src); 896 bacpy(&bt_sk(sk)->src, conn->src);
@@ -921,17 +898,15 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
921 898
922 bt_accept_enqueue(parent, sk); 899 bt_accept_enqueue(parent, sk);
923 900
924 __l2cap_chan_add(conn, chan); 901 l2cap_chan_add(conn, chan);
925 902
926 __set_chan_timer(chan, sk->sk_sndtimeo); 903 __set_chan_timer(chan, sk->sk_sndtimeo);
927 904
928 l2cap_state_change(chan, BT_CONNECTED); 905 l2cap_state_change(chan, BT_CONNECTED);
929 parent->sk_data_ready(parent, 0); 906 parent->sk_data_ready(parent, 0);
930 907
931 write_unlock_bh(&conn->chan_lock);
932
933clean: 908clean:
934 bh_unlock_sock(parent); 909 release_sock(parent);
935} 910}
936 911
937static void l2cap_chan_ready(struct sock *sk) 912static void l2cap_chan_ready(struct sock *sk)
@@ -963,9 +938,9 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
963 if (conn->hcon->out && conn->hcon->type == LE_LINK) 938 if (conn->hcon->out && conn->hcon->type == LE_LINK)
964 smp_conn_security(conn, conn->hcon->pending_sec_level); 939 smp_conn_security(conn, conn->hcon->pending_sec_level);
965 940
966 read_lock(&conn->chan_lock); 941 rcu_read_lock();
967 942
968 list_for_each_entry(chan, &conn->chan_l, list) { 943 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
969 struct sock *sk = chan->sk; 944 struct sock *sk = chan->sk;
970 945
971 bh_lock_sock(sk); 946 bh_lock_sock(sk);
@@ -985,7 +960,7 @@ static void l2cap_conn_ready(struct l2cap_conn *conn)
985 bh_unlock_sock(sk); 960 bh_unlock_sock(sk);
986 } 961 }
987 962
988 read_unlock(&conn->chan_lock); 963 rcu_read_unlock();
989} 964}
990 965
991/* Notify sockets that we cannot guaranty reliability anymore */ 966/* Notify sockets that we cannot guaranty reliability anymore */
@@ -995,21 +970,22 @@ static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
995 970
996 BT_DBG("conn %p", conn); 971 BT_DBG("conn %p", conn);
997 972
998 read_lock(&conn->chan_lock); 973 rcu_read_lock();
999 974
1000 list_for_each_entry(chan, &conn->chan_l, list) { 975 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
1001 struct sock *sk = chan->sk; 976 struct sock *sk = chan->sk;
1002 977
1003 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 978 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
1004 sk->sk_err = err; 979 sk->sk_err = err;
1005 } 980 }
1006 981
1007 read_unlock(&conn->chan_lock); 982 rcu_read_unlock();
1008} 983}
1009 984
1010static void l2cap_info_timeout(unsigned long arg) 985static void l2cap_info_timeout(struct work_struct *work)
1011{ 986{
1012 struct l2cap_conn *conn = (void *) arg; 987 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
988 info_timer.work);
1013 989
1014 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 990 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
1015 conn->info_ident = 0; 991 conn->info_ident = 0;
@@ -1033,19 +1009,19 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1033 /* Kill channels */ 1009 /* Kill channels */
1034 list_for_each_entry_safe(chan, l, &conn->chan_l, list) { 1010 list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
1035 sk = chan->sk; 1011 sk = chan->sk;
1036 bh_lock_sock(sk); 1012 lock_sock(sk);
1037 l2cap_chan_del(chan, err); 1013 l2cap_chan_del(chan, err);
1038 bh_unlock_sock(sk); 1014 release_sock(sk);
1039 chan->ops->close(chan->data); 1015 chan->ops->close(chan->data);
1040 } 1016 }
1041 1017
1042 hci_chan_del(conn->hchan); 1018 hci_chan_del(conn->hchan);
1043 1019
1044 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) 1020 if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
1045 del_timer_sync(&conn->info_timer); 1021 __cancel_delayed_work(&conn->info_timer);
1046 1022
1047 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) { 1023 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) {
1048 del_timer(&conn->security_timer); 1024 __cancel_delayed_work(&conn->security_timer);
1049 smp_chan_destroy(conn); 1025 smp_chan_destroy(conn);
1050 } 1026 }
1051 1027
@@ -1053,9 +1029,10 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1053 kfree(conn); 1029 kfree(conn);
1054} 1030}
1055 1031
1056static void security_timeout(unsigned long arg) 1032static void security_timeout(struct work_struct *work)
1057{ 1033{
1058 struct l2cap_conn *conn = (void *) arg; 1034 struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
1035 security_timer.work);
1059 1036
1060 l2cap_conn_del(conn->hcon, ETIMEDOUT); 1037 l2cap_conn_del(conn->hcon, ETIMEDOUT);
1061} 1038}
@@ -1095,29 +1072,19 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1095 conn->feat_mask = 0; 1072 conn->feat_mask = 0;
1096 1073
1097 spin_lock_init(&conn->lock); 1074 spin_lock_init(&conn->lock);
1098 rwlock_init(&conn->chan_lock);
1099 1075
1100 INIT_LIST_HEAD(&conn->chan_l); 1076 INIT_LIST_HEAD(&conn->chan_l);
1101 1077
1102 if (hcon->type == LE_LINK) 1078 if (hcon->type == LE_LINK)
1103 setup_timer(&conn->security_timer, security_timeout, 1079 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
1104 (unsigned long) conn);
1105 else 1080 else
1106 setup_timer(&conn->info_timer, l2cap_info_timeout, 1081 INIT_DELAYED_WORK(&conn->info_timer, l2cap_info_timeout);
1107 (unsigned long) conn);
1108 1082
1109 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM; 1083 conn->disc_reason = HCI_ERROR_REMOTE_USER_TERM;
1110 1084
1111 return conn; 1085 return conn;
1112} 1086}
1113 1087
1114static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
1115{
1116 write_lock_bh(&conn->chan_lock);
1117 __l2cap_chan_add(conn, chan);
1118 write_unlock_bh(&conn->chan_lock);
1119}
1120
1121/* ---- Socket interface ---- */ 1088/* ---- Socket interface ---- */
1122 1089
1123/* Find socket with psm and source bdaddr. 1090/* Find socket with psm and source bdaddr.
@@ -1153,11 +1120,10 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr
1153 return c1; 1120 return c1;
1154} 1121}
1155 1122
1156int l2cap_chan_connect(struct l2cap_chan *chan) 1123inline int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid, bdaddr_t *dst)
1157{ 1124{
1158 struct sock *sk = chan->sk; 1125 struct sock *sk = chan->sk;
1159 bdaddr_t *src = &bt_sk(sk)->src; 1126 bdaddr_t *src = &bt_sk(sk)->src;
1160 bdaddr_t *dst = &bt_sk(sk)->dst;
1161 struct l2cap_conn *conn; 1127 struct l2cap_conn *conn;
1162 struct hci_conn *hcon; 1128 struct hci_conn *hcon;
1163 struct hci_dev *hdev; 1129 struct hci_dev *hdev;
@@ -1171,7 +1137,62 @@ int l2cap_chan_connect(struct l2cap_chan *chan)
1171 if (!hdev) 1137 if (!hdev)
1172 return -EHOSTUNREACH; 1138 return -EHOSTUNREACH;
1173 1139
1174 hci_dev_lock_bh(hdev); 1140 hci_dev_lock(hdev);
1141
1142 lock_sock(sk);
1143
1144 /* PSM must be odd and lsb of upper byte must be 0 */
1145 if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
1146 chan->chan_type != L2CAP_CHAN_RAW) {
1147 err = -EINVAL;
1148 goto done;
1149 }
1150
1151 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED && !(psm || cid)) {
1152 err = -EINVAL;
1153 goto done;
1154 }
1155
1156 switch (chan->mode) {
1157 case L2CAP_MODE_BASIC:
1158 break;
1159 case L2CAP_MODE_ERTM:
1160 case L2CAP_MODE_STREAMING:
1161 if (!disable_ertm)
1162 break;
1163 /* fall through */
1164 default:
1165 err = -ENOTSUPP;
1166 goto done;
1167 }
1168
1169 switch (sk->sk_state) {
1170 case BT_CONNECT:
1171 case BT_CONNECT2:
1172 case BT_CONFIG:
1173 /* Already connecting */
1174 err = 0;
1175 goto done;
1176
1177 case BT_CONNECTED:
1178 /* Already connected */
1179 err = -EISCONN;
1180 goto done;
1181
1182 case BT_OPEN:
1183 case BT_BOUND:
1184 /* Can connect */
1185 break;
1186
1187 default:
1188 err = -EBADFD;
1189 goto done;
1190 }
1191
1192 /* Set destination address and psm */
1193 bacpy(&bt_sk(sk)->dst, src);
1194 chan->psm = psm;
1195 chan->dcid = cid;
1175 1196
1176 auth_type = l2cap_get_auth_type(chan); 1197 auth_type = l2cap_get_auth_type(chan);
1177 1198
@@ -1214,7 +1235,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan)
1214 err = 0; 1235 err = 0;
1215 1236
1216done: 1237done:
1217 hci_dev_unlock_bh(hdev); 1238 hci_dev_unlock(hdev);
1218 hci_dev_put(hdev); 1239 hci_dev_put(hdev);
1219 return err; 1240 return err;
1220} 1241}
@@ -1251,17 +1272,18 @@ int __l2cap_wait_ack(struct sock *sk)
1251 return err; 1272 return err;
1252} 1273}
1253 1274
1254static void l2cap_monitor_timeout(unsigned long arg) 1275static void l2cap_monitor_timeout(struct work_struct *work)
1255{ 1276{
1256 struct l2cap_chan *chan = (void *) arg; 1277 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1278 monitor_timer.work);
1257 struct sock *sk = chan->sk; 1279 struct sock *sk = chan->sk;
1258 1280
1259 BT_DBG("chan %p", chan); 1281 BT_DBG("chan %p", chan);
1260 1282
1261 bh_lock_sock(sk); 1283 lock_sock(sk);
1262 if (chan->retry_count >= chan->remote_max_tx) { 1284 if (chan->retry_count >= chan->remote_max_tx) {
1263 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED); 1285 l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
1264 bh_unlock_sock(sk); 1286 release_sock(sk);
1265 return; 1287 return;
1266 } 1288 }
1267 1289
@@ -1269,24 +1291,25 @@ static void l2cap_monitor_timeout(unsigned long arg)
1269 __set_monitor_timer(chan); 1291 __set_monitor_timer(chan);
1270 1292
1271 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1293 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1272 bh_unlock_sock(sk); 1294 release_sock(sk);
1273} 1295}
1274 1296
1275static void l2cap_retrans_timeout(unsigned long arg) 1297static void l2cap_retrans_timeout(struct work_struct *work)
1276{ 1298{
1277 struct l2cap_chan *chan = (void *) arg; 1299 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1300 retrans_timer.work);
1278 struct sock *sk = chan->sk; 1301 struct sock *sk = chan->sk;
1279 1302
1280 BT_DBG("chan %p", chan); 1303 BT_DBG("chan %p", chan);
1281 1304
1282 bh_lock_sock(sk); 1305 lock_sock(sk);
1283 chan->retry_count = 1; 1306 chan->retry_count = 1;
1284 __set_monitor_timer(chan); 1307 __set_monitor_timer(chan);
1285 1308
1286 set_bit(CONN_WAIT_F, &chan->conn_state); 1309 set_bit(CONN_WAIT_F, &chan->conn_state);
1287 1310
1288 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL); 1311 l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
1289 bh_unlock_sock(sk); 1312 release_sock(sk);
1290} 1313}
1291 1314
1292static void l2cap_drop_acked_frames(struct l2cap_chan *chan) 1315static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
@@ -1778,8 +1801,9 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1778 1801
1779 BT_DBG("conn %p", conn); 1802 BT_DBG("conn %p", conn);
1780 1803
1781 read_lock(&conn->chan_lock); 1804 rcu_read_lock();
1782 list_for_each_entry(chan, &conn->chan_l, list) { 1805
1806 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
1783 struct sock *sk = chan->sk; 1807 struct sock *sk = chan->sk;
1784 if (chan->chan_type != L2CAP_CHAN_RAW) 1808 if (chan->chan_type != L2CAP_CHAN_RAW)
1785 continue; 1809 continue;
@@ -1794,7 +1818,8 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
1794 if (chan->ops->recv(chan->data, nskb)) 1818 if (chan->ops->recv(chan->data, nskb))
1795 kfree_skb(nskb); 1819 kfree_skb(nskb);
1796 } 1820 }
1797 read_unlock(&conn->chan_lock); 1821
1822 rcu_read_unlock();
1798} 1823}
1799 1824
1800/* ---- L2CAP signalling commands ---- */ 1825/* ---- L2CAP signalling commands ---- */
@@ -1955,37 +1980,33 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
1955 (unsigned long) &efs); 1980 (unsigned long) &efs);
1956} 1981}
1957 1982
1958static void l2cap_ack_timeout(unsigned long arg) 1983static void l2cap_ack_timeout(struct work_struct *work)
1959{ 1984{
1960 struct l2cap_chan *chan = (void *) arg; 1985 struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
1986 ack_timer.work);
1961 1987
1962 bh_lock_sock(chan->sk); 1988 BT_DBG("chan %p", chan);
1989
1990 lock_sock(chan->sk);
1963 l2cap_send_ack(chan); 1991 l2cap_send_ack(chan);
1964 bh_unlock_sock(chan->sk); 1992 release_sock(chan->sk);
1965} 1993}
1966 1994
1967static inline void l2cap_ertm_init(struct l2cap_chan *chan) 1995static inline void l2cap_ertm_init(struct l2cap_chan *chan)
1968{ 1996{
1969 struct sock *sk = chan->sk;
1970
1971 chan->expected_ack_seq = 0; 1997 chan->expected_ack_seq = 0;
1972 chan->unacked_frames = 0; 1998 chan->unacked_frames = 0;
1973 chan->buffer_seq = 0; 1999 chan->buffer_seq = 0;
1974 chan->num_acked = 0; 2000 chan->num_acked = 0;
1975 chan->frames_sent = 0; 2001 chan->frames_sent = 0;
1976 2002
1977 setup_timer(&chan->retrans_timer, l2cap_retrans_timeout, 2003 INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
1978 (unsigned long) chan); 2004 INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
1979 setup_timer(&chan->monitor_timer, l2cap_monitor_timeout, 2005 INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
1980 (unsigned long) chan);
1981 setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
1982 2006
1983 skb_queue_head_init(&chan->srej_q); 2007 skb_queue_head_init(&chan->srej_q);
1984 2008
1985 INIT_LIST_HEAD(&chan->srej_l); 2009 INIT_LIST_HEAD(&chan->srej_l);
1986
1987
1988 sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
1989} 2010}
1990 2011
1991static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask) 2012static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
@@ -2553,7 +2574,7 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
2553 2574
2554 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) && 2575 if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
2555 cmd->ident == conn->info_ident) { 2576 cmd->ident == conn->info_ident) {
2556 del_timer(&conn->info_timer); 2577 __cancel_delayed_work(&conn->info_timer);
2557 2578
2558 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 2579 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
2559 conn->info_ident = 0; 2580 conn->info_ident = 0;
@@ -2586,7 +2607,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2586 2607
2587 parent = pchan->sk; 2608 parent = pchan->sk;
2588 2609
2589 bh_lock_sock(parent); 2610 lock_sock(parent);
2590 2611
2591 /* Check if the ACL is secure enough (if not SDP) */ 2612 /* Check if the ACL is secure enough (if not SDP) */
2592 if (psm != cpu_to_le16(0x0001) && 2613 if (psm != cpu_to_le16(0x0001) &&
@@ -2610,11 +2631,8 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2610 2631
2611 sk = chan->sk; 2632 sk = chan->sk;
2612 2633
2613 write_lock_bh(&conn->chan_lock);
2614
2615 /* Check if we already have channel with that dcid */ 2634 /* Check if we already have channel with that dcid */
2616 if (__l2cap_get_chan_by_dcid(conn, scid)) { 2635 if (__l2cap_get_chan_by_dcid(conn, scid)) {
2617 write_unlock_bh(&conn->chan_lock);
2618 sock_set_flag(sk, SOCK_ZAPPED); 2636 sock_set_flag(sk, SOCK_ZAPPED);
2619 chan->ops->close(chan->data); 2637 chan->ops->close(chan->data);
2620 goto response; 2638 goto response;
@@ -2629,7 +2647,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2629 2647
2630 bt_accept_enqueue(parent, sk); 2648 bt_accept_enqueue(parent, sk);
2631 2649
2632 __l2cap_chan_add(conn, chan); 2650 l2cap_chan_add(conn, chan);
2633 2651
2634 dcid = chan->scid; 2652 dcid = chan->scid;
2635 2653
@@ -2660,10 +2678,8 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
2660 status = L2CAP_CS_NO_INFO; 2678 status = L2CAP_CS_NO_INFO;
2661 } 2679 }
2662 2680
2663 write_unlock_bh(&conn->chan_lock);
2664
2665response: 2681response:
2666 bh_unlock_sock(parent); 2682 release_sock(parent);
2667 2683
2668sendresp: 2684sendresp:
2669 rsp.scid = cpu_to_le16(scid); 2685 rsp.scid = cpu_to_le16(scid);
@@ -2679,7 +2695,7 @@ sendresp:
2679 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT; 2695 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
2680 conn->info_ident = l2cap_get_ident(conn); 2696 conn->info_ident = l2cap_get_ident(conn);
2681 2697
2682 mod_timer(&conn->info_timer, jiffies + 2698 schedule_delayed_work(&conn->info_timer,
2683 msecs_to_jiffies(L2CAP_INFO_TIMEOUT)); 2699 msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
2684 2700
2685 l2cap_send_cmd(conn, conn->info_ident, 2701 l2cap_send_cmd(conn, conn->info_ident,
@@ -2745,19 +2761,11 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
2745 break; 2761 break;
2746 2762
2747 default: 2763 default:
2748 /* don't delete l2cap channel if sk is owned by user */
2749 if (sock_owned_by_user(sk)) {
2750 l2cap_state_change(chan, BT_DISCONN);
2751 __clear_chan_timer(chan);
2752 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
2753 break;
2754 }
2755
2756 l2cap_chan_del(chan, ECONNREFUSED); 2764 l2cap_chan_del(chan, ECONNREFUSED);
2757 break; 2765 break;
2758 } 2766 }
2759 2767
2760 bh_unlock_sock(sk); 2768 release_sock(sk);
2761 return 0; 2769 return 0;
2762} 2770}
2763 2771
@@ -2879,7 +2887,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2879 } 2887 }
2880 2888
2881unlock: 2889unlock:
2882 bh_unlock_sock(sk); 2890 release_sock(sk);
2883 return 0; 2891 return 0;
2884} 2892}
2885 2893
@@ -2986,7 +2994,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
2986 } 2994 }
2987 2995
2988done: 2996done:
2989 bh_unlock_sock(sk); 2997 release_sock(sk);
2990 return 0; 2998 return 0;
2991} 2999}
2992 3000
@@ -3015,17 +3023,8 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
3015 3023
3016 sk->sk_shutdown = SHUTDOWN_MASK; 3024 sk->sk_shutdown = SHUTDOWN_MASK;
3017 3025
3018 /* don't delete l2cap channel if sk is owned by user */
3019 if (sock_owned_by_user(sk)) {
3020 l2cap_state_change(chan, BT_DISCONN);
3021 __clear_chan_timer(chan);
3022 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
3023 bh_unlock_sock(sk);
3024 return 0;
3025 }
3026
3027 l2cap_chan_del(chan, ECONNRESET); 3026 l2cap_chan_del(chan, ECONNRESET);
3028 bh_unlock_sock(sk); 3027 release_sock(sk);
3029 3028
3030 chan->ops->close(chan->data); 3029 chan->ops->close(chan->data);
3031 return 0; 3030 return 0;
@@ -3049,17 +3048,8 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
3049 3048
3050 sk = chan->sk; 3049 sk = chan->sk;
3051 3050
3052 /* don't delete l2cap channel if sk is owned by user */
3053 if (sock_owned_by_user(sk)) {
3054 l2cap_state_change(chan, BT_DISCONN);
3055 __clear_chan_timer(chan);
3056 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
3057 bh_unlock_sock(sk);
3058 return 0;
3059 }
3060
3061 l2cap_chan_del(chan, 0); 3051 l2cap_chan_del(chan, 0);
3062 bh_unlock_sock(sk); 3052 release_sock(sk);
3063 3053
3064 chan->ops->close(chan->data); 3054 chan->ops->close(chan->data);
3065 return 0; 3055 return 0;
@@ -3130,7 +3120,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
3130 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) 3120 conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
3131 return 0; 3121 return 0;
3132 3122
3133 del_timer(&conn->info_timer); 3123 __cancel_delayed_work(&conn->info_timer);
3134 3124
3135 if (result != L2CAP_IR_SUCCESS) { 3125 if (result != L2CAP_IR_SUCCESS) {
3136 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; 3126 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
@@ -4247,12 +4237,7 @@ static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk
4247 break; 4237 break;
4248 4238
4249 case L2CAP_MODE_ERTM: 4239 case L2CAP_MODE_ERTM:
4250 if (!sock_owned_by_user(sk)) { 4240 l2cap_ertm_data_rcv(sk, skb);
4251 l2cap_ertm_data_rcv(sk, skb);
4252 } else {
4253 if (sk_add_backlog(sk, skb))
4254 goto drop;
4255 }
4256 4241
4257 goto done; 4242 goto done;
4258 4243
@@ -4302,7 +4287,7 @@ drop:
4302 4287
4303done: 4288done:
4304 if (sk) 4289 if (sk)
4305 bh_unlock_sock(sk); 4290 release_sock(sk);
4306 4291
4307 return 0; 4292 return 0;
4308} 4293}
@@ -4318,7 +4303,7 @@ static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, str
4318 4303
4319 sk = chan->sk; 4304 sk = chan->sk;
4320 4305
4321 bh_lock_sock(sk); 4306 lock_sock(sk);
4322 4307
4323 BT_DBG("sk %p, len %d", sk, skb->len); 4308 BT_DBG("sk %p, len %d", sk, skb->len);
4324 4309
@@ -4336,7 +4321,7 @@ drop:
4336 4321
4337done: 4322done:
4338 if (sk) 4323 if (sk)
4339 bh_unlock_sock(sk); 4324 release_sock(sk);
4340 return 0; 4325 return 0;
4341} 4326}
4342 4327
@@ -4351,7 +4336,7 @@ static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct
4351 4336
4352 sk = chan->sk; 4337 sk = chan->sk;
4353 4338
4354 bh_lock_sock(sk); 4339 lock_sock(sk);
4355 4340
4356 BT_DBG("sk %p, len %d", sk, skb->len); 4341 BT_DBG("sk %p, len %d", sk, skb->len);
4357 4342
@@ -4369,7 +4354,7 @@ drop:
4369 4354
4370done: 4355done:
4371 if (sk) 4356 if (sk)
4372 bh_unlock_sock(sk); 4357 release_sock(sk);
4373 return 0; 4358 return 0;
4374} 4359}
4375 4360
@@ -4419,14 +4404,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
4419 4404
4420/* ---- L2CAP interface with lower layer (HCI) ---- */ 4405/* ---- L2CAP interface with lower layer (HCI) ---- */
4421 4406
4422static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type) 4407int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
4423{ 4408{
4424 int exact = 0, lm1 = 0, lm2 = 0; 4409 int exact = 0, lm1 = 0, lm2 = 0;
4425 struct l2cap_chan *c; 4410 struct l2cap_chan *c;
4426 4411
4427 if (type != ACL_LINK)
4428 return -EINVAL;
4429
4430 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 4412 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
4431 4413
4432 /* Find listening sockets and check their link_mode */ 4414 /* Find listening sockets and check their link_mode */
@@ -4453,15 +4435,12 @@ static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4453 return exact ? lm1 : lm2; 4435 return exact ? lm1 : lm2;
4454} 4436}
4455 4437
4456static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status) 4438int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4457{ 4439{
4458 struct l2cap_conn *conn; 4440 struct l2cap_conn *conn;
4459 4441
4460 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status); 4442 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
4461 4443
4462 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
4463 return -EINVAL;
4464
4465 if (!status) { 4444 if (!status) {
4466 conn = l2cap_conn_add(hcon, status); 4445 conn = l2cap_conn_add(hcon, status);
4467 if (conn) 4446 if (conn)
@@ -4472,27 +4451,22 @@ static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
4472 return 0; 4451 return 0;
4473} 4452}
4474 4453
4475static int l2cap_disconn_ind(struct hci_conn *hcon) 4454int l2cap_disconn_ind(struct hci_conn *hcon)
4476{ 4455{
4477 struct l2cap_conn *conn = hcon->l2cap_data; 4456 struct l2cap_conn *conn = hcon->l2cap_data;
4478 4457
4479 BT_DBG("hcon %p", hcon); 4458 BT_DBG("hcon %p", hcon);
4480 4459
4481 if ((hcon->type != ACL_LINK && hcon->type != LE_LINK) || !conn) 4460 if (!conn)
4482 return HCI_ERROR_REMOTE_USER_TERM; 4461 return HCI_ERROR_REMOTE_USER_TERM;
4483
4484 return conn->disc_reason; 4462 return conn->disc_reason;
4485} 4463}
4486 4464
4487static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) 4465int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
4488{ 4466{
4489 BT_DBG("hcon %p reason %d", hcon, reason); 4467 BT_DBG("hcon %p reason %d", hcon, reason);
4490 4468
4491 if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
4492 return -EINVAL;
4493
4494 l2cap_conn_del(hcon, bt_to_errno(reason)); 4469 l2cap_conn_del(hcon, bt_to_errno(reason));
4495
4496 return 0; 4470 return 0;
4497} 4471}
4498 4472
@@ -4513,7 +4487,7 @@ static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
4513 } 4487 }
4514} 4488}
4515 4489
4516static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt) 4490int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4517{ 4491{
4518 struct l2cap_conn *conn = hcon->l2cap_data; 4492 struct l2cap_conn *conn = hcon->l2cap_data;
4519 struct l2cap_chan *chan; 4493 struct l2cap_chan *chan;
@@ -4525,12 +4499,12 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4525 4499
4526 if (hcon->type == LE_LINK) { 4500 if (hcon->type == LE_LINK) {
4527 smp_distribute_keys(conn, 0); 4501 smp_distribute_keys(conn, 0);
4528 del_timer(&conn->security_timer); 4502 __cancel_delayed_work(&conn->security_timer);
4529 } 4503 }
4530 4504
4531 read_lock(&conn->chan_lock); 4505 rcu_read_lock();
4532 4506
4533 list_for_each_entry(chan, &conn->chan_l, list) { 4507 list_for_each_entry_rcu(chan, &conn->chan_l, list) {
4534 struct sock *sk = chan->sk; 4508 struct sock *sk = chan->sk;
4535 4509
4536 bh_lock_sock(sk); 4510 bh_lock_sock(sk);
@@ -4608,12 +4582,12 @@ static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
4608 bh_unlock_sock(sk); 4582 bh_unlock_sock(sk);
4609 } 4583 }
4610 4584
4611 read_unlock(&conn->chan_lock); 4585 rcu_read_unlock();
4612 4586
4613 return 0; 4587 return 0;
4614} 4588}
4615 4589
4616static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags) 4590int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
4617{ 4591{
4618 struct l2cap_conn *conn = hcon->l2cap_data; 4592 struct l2cap_conn *conn = hcon->l2cap_data;
4619 4593
@@ -4674,11 +4648,11 @@ static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 fl
4674 BT_ERR("Frame exceeding recv MTU (len %d, " 4648 BT_ERR("Frame exceeding recv MTU (len %d, "
4675 "MTU %d)", len, 4649 "MTU %d)", len,
4676 chan->imtu); 4650 chan->imtu);
4677 bh_unlock_sock(sk); 4651 release_sock(sk);
4678 l2cap_conn_unreliable(conn, ECOMM); 4652 l2cap_conn_unreliable(conn, ECOMM);
4679 goto drop; 4653 goto drop;
4680 } 4654 }
4681 bh_unlock_sock(sk); 4655 release_sock(sk);
4682 } 4656 }
4683 4657
4684 /* Allocate skb for the complete frame (with header) */ 4658 /* Allocate skb for the complete frame (with header) */
@@ -4760,17 +4734,6 @@ static const struct file_operations l2cap_debugfs_fops = {
4760 4734
4761static struct dentry *l2cap_debugfs; 4735static struct dentry *l2cap_debugfs;
4762 4736
4763static struct hci_proto l2cap_hci_proto = {
4764 .name = "L2CAP",
4765 .id = HCI_PROTO_L2CAP,
4766 .connect_ind = l2cap_connect_ind,
4767 .connect_cfm = l2cap_connect_cfm,
4768 .disconn_ind = l2cap_disconn_ind,
4769 .disconn_cfm = l2cap_disconn_cfm,
4770 .security_cfm = l2cap_security_cfm,
4771 .recv_acldata = l2cap_recv_acldata
4772};
4773
4774int __init l2cap_init(void) 4737int __init l2cap_init(void)
4775{ 4738{
4776 int err; 4739 int err;
@@ -4779,13 +4742,6 @@ int __init l2cap_init(void)
4779 if (err < 0) 4742 if (err < 0)
4780 return err; 4743 return err;
4781 4744
4782 err = hci_register_proto(&l2cap_hci_proto);
4783 if (err < 0) {
4784 BT_ERR("L2CAP protocol registration failed");
4785 bt_sock_unregister(BTPROTO_L2CAP);
4786 goto error;
4787 }
4788
4789 if (bt_debugfs) { 4745 if (bt_debugfs) {
4790 l2cap_debugfs = debugfs_create_file("l2cap", 0444, 4746 l2cap_debugfs = debugfs_create_file("l2cap", 0444,
4791 bt_debugfs, NULL, &l2cap_debugfs_fops); 4747 bt_debugfs, NULL, &l2cap_debugfs_fops);
@@ -4794,19 +4750,11 @@ int __init l2cap_init(void)
4794 } 4750 }
4795 4751
4796 return 0; 4752 return 0;
4797
4798error:
4799 l2cap_cleanup_sockets();
4800 return err;
4801} 4753}
4802 4754
4803void l2cap_exit(void) 4755void l2cap_exit(void)
4804{ 4756{
4805 debugfs_remove(l2cap_debugfs); 4757 debugfs_remove(l2cap_debugfs);
4806
4807 if (hci_unregister_proto(&l2cap_hci_proto) < 0)
4808 BT_ERR("L2CAP protocol unregistration failed");
4809
4810 l2cap_cleanup_sockets(); 4758 l2cap_cleanup_sockets();
4811} 4759}
4812 4760
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index f73704321a77..9ca5616166f7 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -3,6 +3,7 @@
3 Copyright (C) 2000-2001 Qualcomm Incorporated 3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
5 Copyright (C) 2010 Google Inc. 5 Copyright (C) 2010 Google Inc.
6 Copyright (C) 2011 ProFUSION Embedded Systems
6 7
7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 9
@@ -122,70 +123,15 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
122 if (la.l2_cid && la.l2_psm) 123 if (la.l2_cid && la.l2_psm)
123 return -EINVAL; 124 return -EINVAL;
124 125
125 lock_sock(sk); 126 err = l2cap_chan_connect(chan, la.l2_psm, la.l2_cid, &la.l2_bdaddr);
126
127 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED
128 && !(la.l2_psm || la.l2_cid)) {
129 err = -EINVAL;
130 goto done;
131 }
132
133 switch (chan->mode) {
134 case L2CAP_MODE_BASIC:
135 break;
136 case L2CAP_MODE_ERTM:
137 case L2CAP_MODE_STREAMING:
138 if (!disable_ertm)
139 break;
140 /* fall through */
141 default:
142 err = -ENOTSUPP;
143 goto done;
144 }
145
146 switch (sk->sk_state) {
147 case BT_CONNECT:
148 case BT_CONNECT2:
149 case BT_CONFIG:
150 /* Already connecting */
151 goto wait;
152
153 case BT_CONNECTED:
154 /* Already connected */
155 err = -EISCONN;
156 goto done;
157
158 case BT_OPEN:
159 case BT_BOUND:
160 /* Can connect */
161 break;
162
163 default:
164 err = -EBADFD;
165 goto done;
166 }
167
168 /* PSM must be odd and lsb of upper byte must be 0 */
169 if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 && !la.l2_cid &&
170 chan->chan_type != L2CAP_CHAN_RAW) {
171 err = -EINVAL;
172 goto done;
173 }
174
175 /* Set destination address and psm */
176 bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
177 chan->psm = la.l2_psm;
178 chan->dcid = la.l2_cid;
179
180 err = l2cap_chan_connect(l2cap_pi(sk)->chan);
181 if (err) 127 if (err)
182 goto done; 128 goto done;
183 129
184wait:
185 err = bt_sock_wait_state(sk, BT_CONNECTED, 130 err = bt_sock_wait_state(sk, BT_CONNECTED,
186 sock_sndtimeo(sk, flags & O_NONBLOCK)); 131 sock_sndtimeo(sk, flags & O_NONBLOCK));
187done: 132done:
188 release_sock(sk); 133 if (sock_owned_by_user(sk))
134 release_sock(sk);
189 return err; 135 return err;
190} 136}
191 137
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 1ce549bae241..2540944d871f 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -30,12 +30,15 @@
30#include <net/bluetooth/bluetooth.h> 30#include <net/bluetooth/bluetooth.h>
31#include <net/bluetooth/hci_core.h> 31#include <net/bluetooth/hci_core.h>
32#include <net/bluetooth/mgmt.h> 32#include <net/bluetooth/mgmt.h>
33#include <net/bluetooth/smp.h>
33 34
34#define MGMT_VERSION 0 35#define MGMT_VERSION 0
35#define MGMT_REVISION 1 36#define MGMT_REVISION 1
36 37
37#define INQUIRY_LEN_BREDR 0x08 /* TGAP(100) */ 38#define INQUIRY_LEN_BREDR 0x08 /* TGAP(100) */
38 39
40#define SERVICE_CACHE_TIMEOUT (5 * 1000)
41
39struct pending_cmd { 42struct pending_cmd {
40 struct list_head list; 43 struct list_head list;
41 u16 opcode; 44 u16 opcode;
@@ -243,6 +246,262 @@ static int read_index_list(struct sock *sk)
243 return err; 246 return err;
244} 247}
245 248
249static u32 get_supported_settings(struct hci_dev *hdev)
250{
251 u32 settings = 0;
252
253 settings |= MGMT_SETTING_POWERED;
254 settings |= MGMT_SETTING_CONNECTABLE;
255 settings |= MGMT_SETTING_FAST_CONNECTABLE;
256 settings |= MGMT_SETTING_DISCOVERABLE;
257 settings |= MGMT_SETTING_PAIRABLE;
258
259 if (hdev->features[6] & LMP_SIMPLE_PAIR)
260 settings |= MGMT_SETTING_SSP;
261
262 if (!(hdev->features[4] & LMP_NO_BREDR)) {
263 settings |= MGMT_SETTING_BREDR;
264 settings |= MGMT_SETTING_LINK_SECURITY;
265 }
266
267 if (hdev->features[4] & LMP_LE)
268 settings |= MGMT_SETTING_LE;
269
270 return settings;
271}
272
273static u32 get_current_settings(struct hci_dev *hdev)
274{
275 u32 settings = 0;
276
277 if (test_bit(HCI_UP, &hdev->flags))
278 settings |= MGMT_SETTING_POWERED;
279 else
280 return settings;
281
282 if (test_bit(HCI_PSCAN, &hdev->flags))
283 settings |= MGMT_SETTING_CONNECTABLE;
284
285 if (test_bit(HCI_ISCAN, &hdev->flags))
286 settings |= MGMT_SETTING_DISCOVERABLE;
287
288 if (test_bit(HCI_PAIRABLE, &hdev->flags))
289 settings |= MGMT_SETTING_PAIRABLE;
290
291 if (!(hdev->features[4] & LMP_NO_BREDR))
292 settings |= MGMT_SETTING_BREDR;
293
294 if (hdev->extfeatures[0] & LMP_HOST_LE)
295 settings |= MGMT_SETTING_LE;
296
297 if (test_bit(HCI_AUTH, &hdev->flags))
298 settings |= MGMT_SETTING_LINK_SECURITY;
299
300 if (hdev->ssp_mode > 0)
301 settings |= MGMT_SETTING_SSP;
302
303 return settings;
304}
305
306#define EIR_FLAGS 0x01 /* flags */
307#define EIR_UUID16_SOME 0x02 /* 16-bit UUID, more available */
308#define EIR_UUID16_ALL 0x03 /* 16-bit UUID, all listed */
309#define EIR_UUID32_SOME 0x04 /* 32-bit UUID, more available */
310#define EIR_UUID32_ALL 0x05 /* 32-bit UUID, all listed */
311#define EIR_UUID128_SOME 0x06 /* 128-bit UUID, more available */
312#define EIR_UUID128_ALL 0x07 /* 128-bit UUID, all listed */
313#define EIR_NAME_SHORT 0x08 /* shortened local name */
314#define EIR_NAME_COMPLETE 0x09 /* complete local name */
315#define EIR_TX_POWER 0x0A /* transmit power level */
316#define EIR_DEVICE_ID 0x10 /* device ID */
317
318#define PNP_INFO_SVCLASS_ID 0x1200
319
320static u8 bluetooth_base_uuid[] = {
321 0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80,
322 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
323};
324
325static u16 get_uuid16(u8 *uuid128)
326{
327 u32 val;
328 int i;
329
330 for (i = 0; i < 12; i++) {
331 if (bluetooth_base_uuid[i] != uuid128[i])
332 return 0;
333 }
334
335 memcpy(&val, &uuid128[12], 4);
336
337 val = le32_to_cpu(val);
338 if (val > 0xffff)
339 return 0;
340
341 return (u16) val;
342}
343
344static void create_eir(struct hci_dev *hdev, u8 *data)
345{
346 u8 *ptr = data;
347 u16 eir_len = 0;
348 u16 uuid16_list[HCI_MAX_EIR_LENGTH / sizeof(u16)];
349 int i, truncated = 0;
350 struct bt_uuid *uuid;
351 size_t name_len;
352
353 name_len = strlen(hdev->dev_name);
354
355 if (name_len > 0) {
356 /* EIR Data type */
357 if (name_len > 48) {
358 name_len = 48;
359 ptr[1] = EIR_NAME_SHORT;
360 } else
361 ptr[1] = EIR_NAME_COMPLETE;
362
363 /* EIR Data length */
364 ptr[0] = name_len + 1;
365
366 memcpy(ptr + 2, hdev->dev_name, name_len);
367
368 eir_len += (name_len + 2);
369 ptr += (name_len + 2);
370 }
371
372 memset(uuid16_list, 0, sizeof(uuid16_list));
373
374 /* Group all UUID16 types */
375 list_for_each_entry(uuid, &hdev->uuids, list) {
376 u16 uuid16;
377
378 uuid16 = get_uuid16(uuid->uuid);
379 if (uuid16 == 0)
380 return;
381
382 if (uuid16 < 0x1100)
383 continue;
384
385 if (uuid16 == PNP_INFO_SVCLASS_ID)
386 continue;
387
388 /* Stop if not enough space to put next UUID */
389 if (eir_len + 2 + sizeof(u16) > HCI_MAX_EIR_LENGTH) {
390 truncated = 1;
391 break;
392 }
393
394 /* Check for duplicates */
395 for (i = 0; uuid16_list[i] != 0; i++)
396 if (uuid16_list[i] == uuid16)
397 break;
398
399 if (uuid16_list[i] == 0) {
400 uuid16_list[i] = uuid16;
401 eir_len += sizeof(u16);
402 }
403 }
404
405 if (uuid16_list[0] != 0) {
406 u8 *length = ptr;
407
408 /* EIR Data type */
409 ptr[1] = truncated ? EIR_UUID16_SOME : EIR_UUID16_ALL;
410
411 ptr += 2;
412 eir_len += 2;
413
414 for (i = 0; uuid16_list[i] != 0; i++) {
415 *ptr++ = (uuid16_list[i] & 0x00ff);
416 *ptr++ = (uuid16_list[i] & 0xff00) >> 8;
417 }
418
419 /* EIR Data length */
420 *length = (i * sizeof(u16)) + 1;
421 }
422}
423
424static int update_eir(struct hci_dev *hdev)
425{
426 struct hci_cp_write_eir cp;
427
428 if (!(hdev->features[6] & LMP_EXT_INQ))
429 return 0;
430
431 if (hdev->ssp_mode == 0)
432 return 0;
433
434 if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
435 return 0;
436
437 memset(&cp, 0, sizeof(cp));
438
439 create_eir(hdev, cp.data);
440
441 if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
442 return 0;
443
444 memcpy(hdev->eir, cp.data, sizeof(cp.data));
445
446 return hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
447}
448
449static u8 get_service_classes(struct hci_dev *hdev)
450{
451 struct bt_uuid *uuid;
452 u8 val = 0;
453
454 list_for_each_entry(uuid, &hdev->uuids, list)
455 val |= uuid->svc_hint;
456
457 return val;
458}
459
460static int update_class(struct hci_dev *hdev)
461{
462 u8 cod[3];
463
464 BT_DBG("%s", hdev->name);
465
466 if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
467 return 0;
468
469 cod[0] = hdev->minor_class;
470 cod[1] = hdev->major_class;
471 cod[2] = get_service_classes(hdev);
472
473 if (memcmp(cod, hdev->dev_class, 3) == 0)
474 return 0;
475
476 return hci_send_cmd(hdev, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
477}
478
479static void service_cache_off(struct work_struct *work)
480{
481 struct hci_dev *hdev = container_of(work, struct hci_dev,
482 service_cache.work);
483
484 if (!test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->flags))
485 return;
486
487 hci_dev_lock(hdev);
488
489 update_eir(hdev);
490 update_class(hdev);
491
492 hci_dev_unlock(hdev);
493}
494
495static void mgmt_init_hdev(struct hci_dev *hdev)
496{
497 if (!test_and_set_bit(HCI_MGMT, &hdev->flags))
498 INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
499
500 if (!test_and_set_bit(HCI_SERVICE_CACHE, &hdev->flags))
501 schedule_delayed_work(&hdev->service_cache,
502 msecs_to_jiffies(SERVICE_CACHE_TIMEOUT));
503}
504
246static int read_controller_info(struct sock *sk, u16 index) 505static int read_controller_info(struct sock *sk, u16 index)
247{ 506{
248 struct mgmt_rp_read_info rp; 507 struct mgmt_rp_read_info rp;
@@ -258,36 +517,27 @@ static int read_controller_info(struct sock *sk, u16 index)
258 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags)) 517 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->flags))
259 cancel_delayed_work_sync(&hdev->power_off); 518 cancel_delayed_work_sync(&hdev->power_off);
260 519
261 hci_dev_lock_bh(hdev); 520 hci_dev_lock(hdev);
262 521
263 set_bit(HCI_MGMT, &hdev->flags); 522 if (test_and_clear_bit(HCI_PI_MGMT_INIT, &hci_pi(sk)->flags))
523 mgmt_init_hdev(hdev);
264 524
265 memset(&rp, 0, sizeof(rp)); 525 memset(&rp, 0, sizeof(rp));
266 526
267 rp.type = hdev->dev_type; 527 bacpy(&rp.bdaddr, &hdev->bdaddr);
268 528
269 rp.powered = test_bit(HCI_UP, &hdev->flags); 529 rp.version = hdev->hci_ver;
270 rp.connectable = test_bit(HCI_PSCAN, &hdev->flags);
271 rp.discoverable = test_bit(HCI_ISCAN, &hdev->flags);
272 rp.pairable = test_bit(HCI_PSCAN, &hdev->flags);
273 530
274 if (test_bit(HCI_AUTH, &hdev->flags)) 531 put_unaligned_le16(hdev->manufacturer, &rp.manufacturer);
275 rp.sec_mode = 3; 532
276 else if (hdev->ssp_mode > 0) 533 rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
277 rp.sec_mode = 4; 534 rp.current_settings = cpu_to_le32(get_current_settings(hdev));
278 else
279 rp.sec_mode = 2;
280 535
281 bacpy(&rp.bdaddr, &hdev->bdaddr);
282 memcpy(rp.features, hdev->features, 8);
283 memcpy(rp.dev_class, hdev->dev_class, 3); 536 memcpy(rp.dev_class, hdev->dev_class, 3);
284 put_unaligned_le16(hdev->manufacturer, &rp.manufacturer);
285 rp.hci_ver = hdev->hci_ver;
286 put_unaligned_le16(hdev->hci_rev, &rp.hci_rev);
287 537
288 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name)); 538 memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
289 539
290 hci_dev_unlock_bh(hdev); 540 hci_dev_unlock(hdev);
291 hci_dev_put(hdev); 541 hci_dev_put(hdev);
292 542
293 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp)); 543 return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp));
@@ -366,13 +616,11 @@ static void mgmt_pending_remove(struct pending_cmd *cmd)
366 mgmt_pending_free(cmd); 616 mgmt_pending_free(cmd);
367} 617}
368 618
369static int send_mode_rsp(struct sock *sk, u16 opcode, u16 index, u8 val) 619static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
370{ 620{
371 struct mgmt_mode rp; 621 __le32 settings = cpu_to_le32(get_current_settings(hdev));
372 622
373 rp.val = val; 623 return cmd_complete(sk, hdev->id, opcode, &settings, sizeof(settings));
374
375 return cmd_complete(sk, index, opcode, &rp, sizeof(rp));
376} 624}
377 625
378static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len) 626static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
@@ -395,11 +643,11 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
395 return cmd_status(sk, index, MGMT_OP_SET_POWERED, 643 return cmd_status(sk, index, MGMT_OP_SET_POWERED,
396 MGMT_STATUS_INVALID_PARAMS); 644 MGMT_STATUS_INVALID_PARAMS);
397 645
398 hci_dev_lock_bh(hdev); 646 hci_dev_lock(hdev);
399 647
400 up = test_bit(HCI_UP, &hdev->flags); 648 up = test_bit(HCI_UP, &hdev->flags);
401 if ((cp->val && up) || (!cp->val && !up)) { 649 if ((cp->val && up) || (!cp->val && !up)) {
402 err = send_mode_rsp(sk, index, MGMT_OP_SET_POWERED, cp->val); 650 err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
403 goto failed; 651 goto failed;
404 } 652 }
405 653
@@ -416,14 +664,14 @@ static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
416 } 664 }
417 665
418 if (cp->val) 666 if (cp->val)
419 queue_work(hdev->workqueue, &hdev->power_on); 667 schedule_work(&hdev->power_on);
420 else 668 else
421 queue_work(hdev->workqueue, &hdev->power_off.work); 669 schedule_work(&hdev->power_off.work);
422 670
423 err = 0; 671 err = 0;
424 672
425failed: 673failed:
426 hci_dev_unlock_bh(hdev); 674 hci_dev_unlock(hdev);
427 hci_dev_put(hdev); 675 hci_dev_put(hdev);
428 return err; 676 return err;
429} 677}
@@ -450,7 +698,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
450 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, 698 return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE,
451 MGMT_STATUS_INVALID_PARAMS); 699 MGMT_STATUS_INVALID_PARAMS);
452 700
453 hci_dev_lock_bh(hdev); 701 hci_dev_lock(hdev);
454 702
455 if (!test_bit(HCI_UP, &hdev->flags)) { 703 if (!test_bit(HCI_UP, &hdev->flags)) {
456 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, 704 err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE,
@@ -467,8 +715,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
467 715
468 if (cp->val == test_bit(HCI_ISCAN, &hdev->flags) && 716 if (cp->val == test_bit(HCI_ISCAN, &hdev->flags) &&
469 test_bit(HCI_PSCAN, &hdev->flags)) { 717 test_bit(HCI_PSCAN, &hdev->flags)) {
470 err = send_mode_rsp(sk, index, MGMT_OP_SET_DISCOVERABLE, 718 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
471 cp->val);
472 goto failed; 719 goto failed;
473 } 720 }
474 721
@@ -493,7 +740,7 @@ static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
493 hdev->discov_timeout = get_unaligned_le16(&cp->timeout); 740 hdev->discov_timeout = get_unaligned_le16(&cp->timeout);
494 741
495failed: 742failed:
496 hci_dev_unlock_bh(hdev); 743 hci_dev_unlock(hdev);
497 hci_dev_put(hdev); 744 hci_dev_put(hdev);
498 745
499 return err; 746 return err;
@@ -521,7 +768,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
521 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, 768 return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE,
522 MGMT_STATUS_INVALID_PARAMS); 769 MGMT_STATUS_INVALID_PARAMS);
523 770
524 hci_dev_lock_bh(hdev); 771 hci_dev_lock(hdev);
525 772
526 if (!test_bit(HCI_UP, &hdev->flags)) { 773 if (!test_bit(HCI_UP, &hdev->flags)) {
527 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, 774 err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE,
@@ -537,8 +784,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
537 } 784 }
538 785
539 if (cp->val == test_bit(HCI_PSCAN, &hdev->flags)) { 786 if (cp->val == test_bit(HCI_PSCAN, &hdev->flags)) {
540 err = send_mode_rsp(sk, index, MGMT_OP_SET_CONNECTABLE, 787 err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
541 cp->val);
542 goto failed; 788 goto failed;
543 } 789 }
544 790
@@ -558,7 +804,7 @@ static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
558 mgmt_pending_remove(cmd); 804 mgmt_pending_remove(cmd);
559 805
560failed: 806failed:
561 hci_dev_unlock_bh(hdev); 807 hci_dev_unlock(hdev);
562 hci_dev_put(hdev); 808 hci_dev_put(hdev);
563 809
564 return err; 810 return err;
@@ -596,8 +842,9 @@ static int mgmt_event(u16 event, struct hci_dev *hdev, void *data,
596static int set_pairable(struct sock *sk, u16 index, unsigned char *data, 842static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
597 u16 len) 843 u16 len)
598{ 844{
599 struct mgmt_mode *cp, ev; 845 struct mgmt_mode *cp;
600 struct hci_dev *hdev; 846 struct hci_dev *hdev;
847 __le32 ev;
601 int err; 848 int err;
602 849
603 cp = (void *) data; 850 cp = (void *) data;
@@ -613,201 +860,28 @@ static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
613 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, 860 return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE,
614 MGMT_STATUS_INVALID_PARAMS); 861 MGMT_STATUS_INVALID_PARAMS);
615 862
616 hci_dev_lock_bh(hdev); 863 hci_dev_lock(hdev);
617 864
618 if (cp->val) 865 if (cp->val)
619 set_bit(HCI_PAIRABLE, &hdev->flags); 866 set_bit(HCI_PAIRABLE, &hdev->flags);
620 else 867 else
621 clear_bit(HCI_PAIRABLE, &hdev->flags); 868 clear_bit(HCI_PAIRABLE, &hdev->flags);
622 869
623 err = send_mode_rsp(sk, MGMT_OP_SET_PAIRABLE, index, cp->val); 870 err = send_settings_rsp(sk, MGMT_OP_SET_PAIRABLE, hdev);
624 if (err < 0) 871 if (err < 0)
625 goto failed; 872 goto failed;
626 873
627 ev.val = cp->val; 874 ev = cpu_to_le32(get_current_settings(hdev));
628 875
629 err = mgmt_event(MGMT_EV_PAIRABLE, hdev, &ev, sizeof(ev), sk); 876 err = mgmt_event(MGMT_EV_NEW_SETTINGS, hdev, &ev, sizeof(ev), sk);
630 877
631failed: 878failed:
632 hci_dev_unlock_bh(hdev); 879 hci_dev_unlock(hdev);
633 hci_dev_put(hdev); 880 hci_dev_put(hdev);
634 881
635 return err; 882 return err;
636} 883}
637 884
638#define EIR_FLAGS 0x01 /* flags */
639#define EIR_UUID16_SOME 0x02 /* 16-bit UUID, more available */
640#define EIR_UUID16_ALL 0x03 /* 16-bit UUID, all listed */
641#define EIR_UUID32_SOME 0x04 /* 32-bit UUID, more available */
642#define EIR_UUID32_ALL 0x05 /* 32-bit UUID, all listed */
643#define EIR_UUID128_SOME 0x06 /* 128-bit UUID, more available */
644#define EIR_UUID128_ALL 0x07 /* 128-bit UUID, all listed */
645#define EIR_NAME_SHORT 0x08 /* shortened local name */
646#define EIR_NAME_COMPLETE 0x09 /* complete local name */
647#define EIR_TX_POWER 0x0A /* transmit power level */
648#define EIR_DEVICE_ID 0x10 /* device ID */
649
650#define PNP_INFO_SVCLASS_ID 0x1200
651
652static u8 bluetooth_base_uuid[] = {
653 0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80,
654 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
655};
656
657static u16 get_uuid16(u8 *uuid128)
658{
659 u32 val;
660 int i;
661
662 for (i = 0; i < 12; i++) {
663 if (bluetooth_base_uuid[i] != uuid128[i])
664 return 0;
665 }
666
667 memcpy(&val, &uuid128[12], 4);
668
669 val = le32_to_cpu(val);
670 if (val > 0xffff)
671 return 0;
672
673 return (u16) val;
674}
675
676static void create_eir(struct hci_dev *hdev, u8 *data)
677{
678 u8 *ptr = data;
679 u16 eir_len = 0;
680 u16 uuid16_list[HCI_MAX_EIR_LENGTH / sizeof(u16)];
681 int i, truncated = 0;
682 struct bt_uuid *uuid;
683 size_t name_len;
684
685 name_len = strlen(hdev->dev_name);
686
687 if (name_len > 0) {
688 /* EIR Data type */
689 if (name_len > 48) {
690 name_len = 48;
691 ptr[1] = EIR_NAME_SHORT;
692 } else
693 ptr[1] = EIR_NAME_COMPLETE;
694
695 /* EIR Data length */
696 ptr[0] = name_len + 1;
697
698 memcpy(ptr + 2, hdev->dev_name, name_len);
699
700 eir_len += (name_len + 2);
701 ptr += (name_len + 2);
702 }
703
704 memset(uuid16_list, 0, sizeof(uuid16_list));
705
706 /* Group all UUID16 types */
707 list_for_each_entry(uuid, &hdev->uuids, list) {
708 u16 uuid16;
709
710 uuid16 = get_uuid16(uuid->uuid);
711 if (uuid16 == 0)
712 return;
713
714 if (uuid16 < 0x1100)
715 continue;
716
717 if (uuid16 == PNP_INFO_SVCLASS_ID)
718 continue;
719
720 /* Stop if not enough space to put next UUID */
721 if (eir_len + 2 + sizeof(u16) > HCI_MAX_EIR_LENGTH) {
722 truncated = 1;
723 break;
724 }
725
726 /* Check for duplicates */
727 for (i = 0; uuid16_list[i] != 0; i++)
728 if (uuid16_list[i] == uuid16)
729 break;
730
731 if (uuid16_list[i] == 0) {
732 uuid16_list[i] = uuid16;
733 eir_len += sizeof(u16);
734 }
735 }
736
737 if (uuid16_list[0] != 0) {
738 u8 *length = ptr;
739
740 /* EIR Data type */
741 ptr[1] = truncated ? EIR_UUID16_SOME : EIR_UUID16_ALL;
742
743 ptr += 2;
744 eir_len += 2;
745
746 for (i = 0; uuid16_list[i] != 0; i++) {
747 *ptr++ = (uuid16_list[i] & 0x00ff);
748 *ptr++ = (uuid16_list[i] & 0xff00) >> 8;
749 }
750
751 /* EIR Data length */
752 *length = (i * sizeof(u16)) + 1;
753 }
754}
755
756static int update_eir(struct hci_dev *hdev)
757{
758 struct hci_cp_write_eir cp;
759
760 if (!(hdev->features[6] & LMP_EXT_INQ))
761 return 0;
762
763 if (hdev->ssp_mode == 0)
764 return 0;
765
766 if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
767 return 0;
768
769 memset(&cp, 0, sizeof(cp));
770
771 create_eir(hdev, cp.data);
772
773 if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
774 return 0;
775
776 memcpy(hdev->eir, cp.data, sizeof(cp.data));
777
778 return hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
779}
780
781static u8 get_service_classes(struct hci_dev *hdev)
782{
783 struct bt_uuid *uuid;
784 u8 val = 0;
785
786 list_for_each_entry(uuid, &hdev->uuids, list)
787 val |= uuid->svc_hint;
788
789 return val;
790}
791
792static int update_class(struct hci_dev *hdev)
793{
794 u8 cod[3];
795
796 BT_DBG("%s", hdev->name);
797
798 if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
799 return 0;
800
801 cod[0] = hdev->minor_class;
802 cod[1] = hdev->major_class;
803 cod[2] = get_service_classes(hdev);
804
805 if (memcmp(cod, hdev->dev_class, 3) == 0)
806 return 0;
807
808 return hci_send_cmd(hdev, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
809}
810
811static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len) 885static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
812{ 886{
813 struct mgmt_cp_add_uuid *cp; 887 struct mgmt_cp_add_uuid *cp;
@@ -828,7 +902,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
828 return cmd_status(sk, index, MGMT_OP_ADD_UUID, 902 return cmd_status(sk, index, MGMT_OP_ADD_UUID,
829 MGMT_STATUS_INVALID_PARAMS); 903 MGMT_STATUS_INVALID_PARAMS);
830 904
831 hci_dev_lock_bh(hdev); 905 hci_dev_lock(hdev);
832 906
833 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC); 907 uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC);
834 if (!uuid) { 908 if (!uuid) {
@@ -852,7 +926,7 @@ static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
852 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0); 926 err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0);
853 927
854failed: 928failed:
855 hci_dev_unlock_bh(hdev); 929 hci_dev_unlock(hdev);
856 hci_dev_put(hdev); 930 hci_dev_put(hdev);
857 931
858 return err; 932 return err;
@@ -879,7 +953,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
879 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, 953 return cmd_status(sk, index, MGMT_OP_REMOVE_UUID,
880 MGMT_STATUS_INVALID_PARAMS); 954 MGMT_STATUS_INVALID_PARAMS);
881 955
882 hci_dev_lock_bh(hdev); 956 hci_dev_lock(hdev);
883 957
884 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) { 958 if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
885 err = hci_uuids_clear(hdev); 959 err = hci_uuids_clear(hdev);
@@ -915,7 +989,7 @@ static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
915 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0); 989 err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0);
916 990
917unlock: 991unlock:
918 hci_dev_unlock_bh(hdev); 992 hci_dev_unlock(hdev);
919 hci_dev_put(hdev); 993 hci_dev_put(hdev);
920 994
921 return err; 995 return err;
@@ -941,62 +1015,24 @@ static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
941 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, 1015 return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS,
942 MGMT_STATUS_INVALID_PARAMS); 1016 MGMT_STATUS_INVALID_PARAMS);
943 1017
944 hci_dev_lock_bh(hdev); 1018 hci_dev_lock(hdev);
945 1019
946 hdev->major_class = cp->major; 1020 hdev->major_class = cp->major;
947 hdev->minor_class = cp->minor; 1021 hdev->minor_class = cp->minor;
948 1022
1023 if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->flags)) {
1024 hci_dev_unlock(hdev);
1025 cancel_delayed_work_sync(&hdev->service_cache);
1026 hci_dev_lock(hdev);
1027 update_eir(hdev);
1028 }
1029
949 err = update_class(hdev); 1030 err = update_class(hdev);
950 1031
951 if (err == 0) 1032 if (err == 0)
952 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0); 1033 err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0);
953 1034
954 hci_dev_unlock_bh(hdev); 1035 hci_dev_unlock(hdev);
955 hci_dev_put(hdev);
956
957 return err;
958}
959
960static int set_service_cache(struct sock *sk, u16 index, unsigned char *data,
961 u16 len)
962{
963 struct hci_dev *hdev;
964 struct mgmt_cp_set_service_cache *cp;
965 int err;
966
967 cp = (void *) data;
968
969 if (len != sizeof(*cp))
970 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE,
971 MGMT_STATUS_INVALID_PARAMS);
972
973 hdev = hci_dev_get(index);
974 if (!hdev)
975 return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE,
976 MGMT_STATUS_INVALID_PARAMS);
977
978 hci_dev_lock_bh(hdev);
979
980 BT_DBG("hci%u enable %d", index, cp->enable);
981
982 if (cp->enable) {
983 set_bit(HCI_SERVICE_CACHE, &hdev->flags);
984 err = 0;
985 } else {
986 clear_bit(HCI_SERVICE_CACHE, &hdev->flags);
987 err = update_class(hdev);
988 if (err == 0)
989 err = update_eir(hdev);
990 }
991
992 if (err == 0)
993 err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL,
994 0);
995 else
996 cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, -err);
997
998
999 hci_dev_unlock_bh(hdev);
1000 hci_dev_put(hdev); 1036 hci_dev_put(hdev);
1001 1037
1002 return err; 1038 return err;
@@ -1035,7 +1071,7 @@ static int load_link_keys(struct sock *sk, u16 index, unsigned char *data,
1035 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys, 1071 BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys,
1036 key_count); 1072 key_count);
1037 1073
1038 hci_dev_lock_bh(hdev); 1074 hci_dev_lock(hdev);
1039 1075
1040 hci_link_keys_clear(hdev); 1076 hci_link_keys_clear(hdev);
1041 1077
@@ -1055,7 +1091,7 @@ static int load_link_keys(struct sock *sk, u16 index, unsigned char *data,
1055 1091
1056 cmd_complete(sk, index, MGMT_OP_LOAD_LINK_KEYS, NULL, 0); 1092 cmd_complete(sk, index, MGMT_OP_LOAD_LINK_KEYS, NULL, 0);
1057 1093
1058 hci_dev_unlock_bh(hdev); 1094 hci_dev_unlock(hdev);
1059 hci_dev_put(hdev); 1095 hci_dev_put(hdev);
1060 1096
1061 return 0; 1097 return 0;
@@ -1083,7 +1119,7 @@ static int remove_keys(struct sock *sk, u16 index, unsigned char *data,
1083 return cmd_status(sk, index, MGMT_OP_REMOVE_KEYS, 1119 return cmd_status(sk, index, MGMT_OP_REMOVE_KEYS,
1084 MGMT_STATUS_INVALID_PARAMS); 1120 MGMT_STATUS_INVALID_PARAMS);
1085 1121
1086 hci_dev_lock_bh(hdev); 1122 hci_dev_lock(hdev);
1087 1123
1088 memset(&rp, 0, sizeof(rp)); 1124 memset(&rp, 0, sizeof(rp));
1089 bacpy(&rp.bdaddr, &cp->bdaddr); 1125 bacpy(&rp.bdaddr, &cp->bdaddr);
@@ -1124,7 +1160,7 @@ unlock:
1124 if (err < 0) 1160 if (err < 0)
1125 err = cmd_complete(sk, index, MGMT_OP_REMOVE_KEYS, &rp, 1161 err = cmd_complete(sk, index, MGMT_OP_REMOVE_KEYS, &rp,
1126 sizeof(rp)); 1162 sizeof(rp));
1127 hci_dev_unlock_bh(hdev); 1163 hci_dev_unlock(hdev);
1128 hci_dev_put(hdev); 1164 hci_dev_put(hdev);
1129 1165
1130 return err; 1166 return err;
@@ -1152,7 +1188,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
1152 return cmd_status(sk, index, MGMT_OP_DISCONNECT, 1188 return cmd_status(sk, index, MGMT_OP_DISCONNECT,
1153 MGMT_STATUS_INVALID_PARAMS); 1189 MGMT_STATUS_INVALID_PARAMS);
1154 1190
1155 hci_dev_lock_bh(hdev); 1191 hci_dev_lock(hdev);
1156 1192
1157 if (!test_bit(HCI_UP, &hdev->flags)) { 1193 if (!test_bit(HCI_UP, &hdev->flags)) {
1158 err = cmd_status(sk, index, MGMT_OP_DISCONNECT, 1194 err = cmd_status(sk, index, MGMT_OP_DISCONNECT,
@@ -1190,7 +1226,7 @@ static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
1190 mgmt_pending_remove(cmd); 1226 mgmt_pending_remove(cmd);
1191 1227
1192failed: 1228failed:
1193 hci_dev_unlock_bh(hdev); 1229 hci_dev_unlock(hdev);
1194 hci_dev_put(hdev); 1230 hci_dev_put(hdev);
1195 1231
1196 return err; 1232 return err;
@@ -1232,7 +1268,7 @@ static int get_connections(struct sock *sk, u16 index)
1232 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, 1268 return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS,
1233 MGMT_STATUS_INVALID_PARAMS); 1269 MGMT_STATUS_INVALID_PARAMS);
1234 1270
1235 hci_dev_lock_bh(hdev); 1271 hci_dev_lock(hdev);
1236 1272
1237 count = 0; 1273 count = 0;
1238 list_for_each(p, &hdev->conn_hash.list) { 1274 list_for_each(p, &hdev->conn_hash.list) {
@@ -1264,7 +1300,7 @@ static int get_connections(struct sock *sk, u16 index)
1264 1300
1265unlock: 1301unlock:
1266 kfree(rp); 1302 kfree(rp);
1267 hci_dev_unlock_bh(hdev); 1303 hci_dev_unlock(hdev);
1268 hci_dev_put(hdev); 1304 hci_dev_put(hdev);
1269 return err; 1305 return err;
1270} 1306}
@@ -1312,7 +1348,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1312 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, 1348 return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY,
1313 MGMT_STATUS_INVALID_PARAMS); 1349 MGMT_STATUS_INVALID_PARAMS);
1314 1350
1315 hci_dev_lock_bh(hdev); 1351 hci_dev_lock(hdev);
1316 1352
1317 if (!test_bit(HCI_UP, &hdev->flags)) { 1353 if (!test_bit(HCI_UP, &hdev->flags)) {
1318 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, 1354 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY,
@@ -1355,7 +1391,7 @@ static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
1355 mgmt_pending_remove(cmd); 1391 mgmt_pending_remove(cmd);
1356 1392
1357failed: 1393failed:
1358 hci_dev_unlock_bh(hdev); 1394 hci_dev_unlock(hdev);
1359 hci_dev_put(hdev); 1395 hci_dev_put(hdev);
1360 1396
1361 return err; 1397 return err;
@@ -1381,7 +1417,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1381 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1417 return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
1382 MGMT_STATUS_INVALID_PARAMS); 1418 MGMT_STATUS_INVALID_PARAMS);
1383 1419
1384 hci_dev_lock_bh(hdev); 1420 hci_dev_lock(hdev);
1385 1421
1386 if (!test_bit(HCI_UP, &hdev->flags)) { 1422 if (!test_bit(HCI_UP, &hdev->flags)) {
1387 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, 1423 err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
@@ -1392,7 +1428,7 @@ static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
1392 err = send_pin_code_neg_reply(sk, index, hdev, cp); 1428 err = send_pin_code_neg_reply(sk, index, hdev, cp);
1393 1429
1394failed: 1430failed:
1395 hci_dev_unlock_bh(hdev); 1431 hci_dev_unlock(hdev);
1396 hci_dev_put(hdev); 1432 hci_dev_put(hdev);
1397 1433
1398 return err; 1434 return err;
@@ -1417,14 +1453,14 @@ static int set_io_capability(struct sock *sk, u16 index, unsigned char *data,
1417 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, 1453 return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY,
1418 MGMT_STATUS_INVALID_PARAMS); 1454 MGMT_STATUS_INVALID_PARAMS);
1419 1455
1420 hci_dev_lock_bh(hdev); 1456 hci_dev_lock(hdev);
1421 1457
1422 hdev->io_capability = cp->io_capability; 1458 hdev->io_capability = cp->io_capability;
1423 1459
1424 BT_DBG("%s IO capability set to 0x%02x", hdev->name, 1460 BT_DBG("%s IO capability set to 0x%02x", hdev->name,
1425 hdev->io_capability); 1461 hdev->io_capability);
1426 1462
1427 hci_dev_unlock_bh(hdev); 1463 hci_dev_unlock(hdev);
1428 hci_dev_put(hdev); 1464 hci_dev_put(hdev);
1429 1465
1430 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0); 1466 return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0);
@@ -1505,7 +1541,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1505 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, 1541 return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE,
1506 MGMT_STATUS_INVALID_PARAMS); 1542 MGMT_STATUS_INVALID_PARAMS);
1507 1543
1508 hci_dev_lock_bh(hdev); 1544 hci_dev_lock(hdev);
1509 1545
1510 sec_level = BT_SECURITY_MEDIUM; 1546 sec_level = BT_SECURITY_MEDIUM;
1511 if (cp->io_cap == 0x03) 1547 if (cp->io_cap == 0x03)
@@ -1562,7 +1598,7 @@ static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
1562 err = 0; 1598 err = 0;
1563 1599
1564unlock: 1600unlock:
1565 hci_dev_unlock_bh(hdev); 1601 hci_dev_unlock(hdev);
1566 hci_dev_put(hdev); 1602 hci_dev_put(hdev);
1567 1603
1568 return err; 1604 return err;
@@ -1581,7 +1617,7 @@ static int user_pairing_resp(struct sock *sk, u16 index, bdaddr_t *bdaddr,
1581 return cmd_status(sk, index, mgmt_op, 1617 return cmd_status(sk, index, mgmt_op,
1582 MGMT_STATUS_INVALID_PARAMS); 1618 MGMT_STATUS_INVALID_PARAMS);
1583 1619
1584 hci_dev_lock_bh(hdev); 1620 hci_dev_lock(hdev);
1585 1621
1586 if (!test_bit(HCI_UP, &hdev->flags)) { 1622 if (!test_bit(HCI_UP, &hdev->flags)) {
1587 err = cmd_status(sk, index, mgmt_op, MGMT_STATUS_NOT_POWERED); 1623 err = cmd_status(sk, index, mgmt_op, MGMT_STATUS_NOT_POWERED);
@@ -1607,8 +1643,15 @@ static int user_pairing_resp(struct sock *sk, u16 index, bdaddr_t *bdaddr,
1607 } 1643 }
1608 1644
1609 /* Continue with pairing via SMP */ 1645 /* Continue with pairing via SMP */
1646 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
1647
1648 if (!err)
1649 err = cmd_status(sk, index, mgmt_op,
1650 MGMT_STATUS_SUCCESS);
1651 else
1652 err = cmd_status(sk, index, mgmt_op,
1653 MGMT_STATUS_FAILED);
1610 1654
1611 err = cmd_status(sk, index, mgmt_op, MGMT_STATUS_SUCCESS);
1612 goto done; 1655 goto done;
1613 } 1656 }
1614 1657
@@ -1632,7 +1675,7 @@ static int user_pairing_resp(struct sock *sk, u16 index, bdaddr_t *bdaddr,
1632 mgmt_pending_remove(cmd); 1675 mgmt_pending_remove(cmd);
1633 1676
1634done: 1677done:
1635 hci_dev_unlock_bh(hdev); 1678 hci_dev_unlock(hdev);
1636 hci_dev_put(hdev); 1679 hci_dev_put(hdev);
1637 1680
1638 return err; 1681 return err;
@@ -1656,7 +1699,7 @@ static int user_confirm_reply(struct sock *sk, u16 index, void *data, u16 len)
1656static int user_confirm_neg_reply(struct sock *sk, u16 index, void *data, 1699static int user_confirm_neg_reply(struct sock *sk, u16 index, void *data,
1657 u16 len) 1700 u16 len)
1658{ 1701{
1659 struct mgmt_cp_user_confirm_reply *cp = (void *) data; 1702 struct mgmt_cp_user_confirm_neg_reply *cp = data;
1660 1703
1661 BT_DBG(""); 1704 BT_DBG("");
1662 1705
@@ -1720,7 +1763,7 @@ static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1720 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, 1763 return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME,
1721 MGMT_STATUS_INVALID_PARAMS); 1764 MGMT_STATUS_INVALID_PARAMS);
1722 1765
1723 hci_dev_lock_bh(hdev); 1766 hci_dev_lock(hdev);
1724 1767
1725 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len); 1768 cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
1726 if (!cmd) { 1769 if (!cmd) {
@@ -1735,7 +1778,7 @@ static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
1735 mgmt_pending_remove(cmd); 1778 mgmt_pending_remove(cmd);
1736 1779
1737failed: 1780failed:
1738 hci_dev_unlock_bh(hdev); 1781 hci_dev_unlock(hdev);
1739 hci_dev_put(hdev); 1782 hci_dev_put(hdev);
1740 1783
1741 return err; 1784 return err;
@@ -1754,7 +1797,7 @@ static int read_local_oob_data(struct sock *sk, u16 index)
1754 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, 1797 return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
1755 MGMT_STATUS_INVALID_PARAMS); 1798 MGMT_STATUS_INVALID_PARAMS);
1756 1799
1757 hci_dev_lock_bh(hdev); 1800 hci_dev_lock(hdev);
1758 1801
1759 if (!test_bit(HCI_UP, &hdev->flags)) { 1802 if (!test_bit(HCI_UP, &hdev->flags)) {
1760 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, 1803 err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
@@ -1785,7 +1828,7 @@ static int read_local_oob_data(struct sock *sk, u16 index)
1785 mgmt_pending_remove(cmd); 1828 mgmt_pending_remove(cmd);
1786 1829
1787unlock: 1830unlock:
1788 hci_dev_unlock_bh(hdev); 1831 hci_dev_unlock(hdev);
1789 hci_dev_put(hdev); 1832 hci_dev_put(hdev);
1790 1833
1791 return err; 1834 return err;
@@ -1809,7 +1852,7 @@ static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1809 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, 1852 return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
1810 MGMT_STATUS_INVALID_PARAMS); 1853 MGMT_STATUS_INVALID_PARAMS);
1811 1854
1812 hci_dev_lock_bh(hdev); 1855 hci_dev_lock(hdev);
1813 1856
1814 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash, 1857 err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
1815 cp->randomizer); 1858 cp->randomizer);
@@ -1820,7 +1863,7 @@ static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
1820 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL, 1863 err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
1821 0); 1864 0);
1822 1865
1823 hci_dev_unlock_bh(hdev); 1866 hci_dev_unlock(hdev);
1824 hci_dev_put(hdev); 1867 hci_dev_put(hdev);
1825 1868
1826 return err; 1869 return err;
@@ -1844,7 +1887,7 @@ static int remove_remote_oob_data(struct sock *sk, u16 index,
1844 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA, 1887 return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1845 MGMT_STATUS_INVALID_PARAMS); 1888 MGMT_STATUS_INVALID_PARAMS);
1846 1889
1847 hci_dev_lock_bh(hdev); 1890 hci_dev_lock(hdev);
1848 1891
1849 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr); 1892 err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
1850 if (err < 0) 1893 if (err < 0)
@@ -1854,7 +1897,7 @@ static int remove_remote_oob_data(struct sock *sk, u16 index,
1854 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA, 1897 err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
1855 NULL, 0); 1898 NULL, 0);
1856 1899
1857 hci_dev_unlock_bh(hdev); 1900 hci_dev_unlock(hdev);
1858 hci_dev_put(hdev); 1901 hci_dev_put(hdev);
1859 1902
1860 return err; 1903 return err;
@@ -1879,7 +1922,7 @@ static int start_discovery(struct sock *sk, u16 index,
1879 return cmd_status(sk, index, MGMT_OP_START_DISCOVERY, 1922 return cmd_status(sk, index, MGMT_OP_START_DISCOVERY,
1880 MGMT_STATUS_INVALID_PARAMS); 1923 MGMT_STATUS_INVALID_PARAMS);
1881 1924
1882 hci_dev_lock_bh(hdev); 1925 hci_dev_lock(hdev);
1883 1926
1884 if (!test_bit(HCI_UP, &hdev->flags)) { 1927 if (!test_bit(HCI_UP, &hdev->flags)) {
1885 err = cmd_status(sk, index, MGMT_OP_START_DISCOVERY, 1928 err = cmd_status(sk, index, MGMT_OP_START_DISCOVERY,
@@ -1898,7 +1941,7 @@ static int start_discovery(struct sock *sk, u16 index,
1898 mgmt_pending_remove(cmd); 1941 mgmt_pending_remove(cmd);
1899 1942
1900failed: 1943failed:
1901 hci_dev_unlock_bh(hdev); 1944 hci_dev_unlock(hdev);
1902 hci_dev_put(hdev); 1945 hci_dev_put(hdev);
1903 1946
1904 return err; 1947 return err;
@@ -1917,7 +1960,7 @@ static int stop_discovery(struct sock *sk, u16 index)
1917 return cmd_status(sk, index, MGMT_OP_STOP_DISCOVERY, 1960 return cmd_status(sk, index, MGMT_OP_STOP_DISCOVERY,
1918 MGMT_STATUS_INVALID_PARAMS); 1961 MGMT_STATUS_INVALID_PARAMS);
1919 1962
1920 hci_dev_lock_bh(hdev); 1963 hci_dev_lock(hdev);
1921 1964
1922 cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, NULL, 0); 1965 cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, NULL, 0);
1923 if (!cmd) { 1966 if (!cmd) {
@@ -1930,7 +1973,7 @@ static int stop_discovery(struct sock *sk, u16 index)
1930 mgmt_pending_remove(cmd); 1973 mgmt_pending_remove(cmd);
1931 1974
1932failed: 1975failed:
1933 hci_dev_unlock_bh(hdev); 1976 hci_dev_unlock(hdev);
1934 hci_dev_put(hdev); 1977 hci_dev_put(hdev);
1935 1978
1936 return err; 1979 return err;
@@ -1954,7 +1997,7 @@ static int block_device(struct sock *sk, u16 index, unsigned char *data,
1954 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE, 1997 return cmd_status(sk, index, MGMT_OP_BLOCK_DEVICE,
1955 MGMT_STATUS_INVALID_PARAMS); 1998 MGMT_STATUS_INVALID_PARAMS);
1956 1999
1957 hci_dev_lock_bh(hdev); 2000 hci_dev_lock(hdev);
1958 2001
1959 err = hci_blacklist_add(hdev, &cp->bdaddr); 2002 err = hci_blacklist_add(hdev, &cp->bdaddr);
1960 if (err < 0) 2003 if (err < 0)
@@ -1964,7 +2007,7 @@ static int block_device(struct sock *sk, u16 index, unsigned char *data,
1964 err = cmd_complete(sk, index, MGMT_OP_BLOCK_DEVICE, 2007 err = cmd_complete(sk, index, MGMT_OP_BLOCK_DEVICE,
1965 NULL, 0); 2008 NULL, 0);
1966 2009
1967 hci_dev_unlock_bh(hdev); 2010 hci_dev_unlock(hdev);
1968 hci_dev_put(hdev); 2011 hci_dev_put(hdev);
1969 2012
1970 return err; 2013 return err;
@@ -1988,7 +2031,7 @@ static int unblock_device(struct sock *sk, u16 index, unsigned char *data,
1988 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE, 2031 return cmd_status(sk, index, MGMT_OP_UNBLOCK_DEVICE,
1989 MGMT_STATUS_INVALID_PARAMS); 2032 MGMT_STATUS_INVALID_PARAMS);
1990 2033
1991 hci_dev_lock_bh(hdev); 2034 hci_dev_lock(hdev);
1992 2035
1993 err = hci_blacklist_del(hdev, &cp->bdaddr); 2036 err = hci_blacklist_del(hdev, &cp->bdaddr);
1994 2037
@@ -1999,7 +2042,7 @@ static int unblock_device(struct sock *sk, u16 index, unsigned char *data,
1999 err = cmd_complete(sk, index, MGMT_OP_UNBLOCK_DEVICE, 2042 err = cmd_complete(sk, index, MGMT_OP_UNBLOCK_DEVICE,
2000 NULL, 0); 2043 NULL, 0);
2001 2044
2002 hci_dev_unlock_bh(hdev); 2045 hci_dev_unlock(hdev);
2003 hci_dev_put(hdev); 2046 hci_dev_put(hdev);
2004 2047
2005 return err; 2048 return err;
@@ -2009,7 +2052,7 @@ static int set_fast_connectable(struct sock *sk, u16 index,
2009 unsigned char *data, u16 len) 2052 unsigned char *data, u16 len)
2010{ 2053{
2011 struct hci_dev *hdev; 2054 struct hci_dev *hdev;
2012 struct mgmt_cp_set_fast_connectable *cp = (void *) data; 2055 struct mgmt_mode *cp = (void *) data;
2013 struct hci_cp_write_page_scan_activity acp; 2056 struct hci_cp_write_page_scan_activity acp;
2014 u8 type; 2057 u8 type;
2015 int err; 2058 int err;
@@ -2027,7 +2070,7 @@ static int set_fast_connectable(struct sock *sk, u16 index,
2027 2070
2028 hci_dev_lock(hdev); 2071 hci_dev_lock(hdev);
2029 2072
2030 if (cp->enable) { 2073 if (cp->val) {
2031 type = PAGE_SCAN_TYPE_INTERLACED; 2074 type = PAGE_SCAN_TYPE_INTERLACED;
2032 acp.interval = 0x0024; /* 22.5 msec page scan interval */ 2075 acp.interval = 0x0024; /* 22.5 msec page scan interval */
2033 } else { 2076 } else {
@@ -2111,6 +2154,10 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
2111 case MGMT_OP_SET_CONNECTABLE: 2154 case MGMT_OP_SET_CONNECTABLE:
2112 err = set_connectable(sk, index, buf + sizeof(*hdr), len); 2155 err = set_connectable(sk, index, buf + sizeof(*hdr), len);
2113 break; 2156 break;
2157 case MGMT_OP_SET_FAST_CONNECTABLE:
2158 err = set_fast_connectable(sk, index, buf + sizeof(*hdr),
2159 len);
2160 break;
2114 case MGMT_OP_SET_PAIRABLE: 2161 case MGMT_OP_SET_PAIRABLE:
2115 err = set_pairable(sk, index, buf + sizeof(*hdr), len); 2162 err = set_pairable(sk, index, buf + sizeof(*hdr), len);
2116 break; 2163 break;
@@ -2123,9 +2170,6 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
2123 case MGMT_OP_SET_DEV_CLASS: 2170 case MGMT_OP_SET_DEV_CLASS:
2124 err = set_dev_class(sk, index, buf + sizeof(*hdr), len); 2171 err = set_dev_class(sk, index, buf + sizeof(*hdr), len);
2125 break; 2172 break;
2126 case MGMT_OP_SET_SERVICE_CACHE:
2127 err = set_service_cache(sk, index, buf + sizeof(*hdr), len);
2128 break;
2129 case MGMT_OP_LOAD_LINK_KEYS: 2173 case MGMT_OP_LOAD_LINK_KEYS:
2130 err = load_link_keys(sk, index, buf + sizeof(*hdr), len); 2174 err = load_link_keys(sk, index, buf + sizeof(*hdr), len);
2131 break; 2175 break;
@@ -2189,10 +2233,6 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
2189 case MGMT_OP_UNBLOCK_DEVICE: 2233 case MGMT_OP_UNBLOCK_DEVICE:
2190 err = unblock_device(sk, index, buf + sizeof(*hdr), len); 2234 err = unblock_device(sk, index, buf + sizeof(*hdr), len);
2191 break; 2235 break;
2192 case MGMT_OP_SET_FAST_CONNECTABLE:
2193 err = set_fast_connectable(sk, index, buf + sizeof(*hdr),
2194 len);
2195 break;
2196 default: 2236 default:
2197 BT_DBG("Unknown op %u", opcode); 2237 BT_DBG("Unknown op %u", opcode);
2198 err = cmd_status(sk, index, opcode, 2238 err = cmd_status(sk, index, opcode,
@@ -2235,17 +2275,14 @@ int mgmt_index_removed(struct hci_dev *hdev)
2235struct cmd_lookup { 2275struct cmd_lookup {
2236 u8 val; 2276 u8 val;
2237 struct sock *sk; 2277 struct sock *sk;
2278 struct hci_dev *hdev;
2238}; 2279};
2239 2280
2240static void mode_rsp(struct pending_cmd *cmd, void *data) 2281static void settings_rsp(struct pending_cmd *cmd, void *data)
2241{ 2282{
2242 struct mgmt_mode *cp = cmd->param;
2243 struct cmd_lookup *match = data; 2283 struct cmd_lookup *match = data;
2244 2284
2245 if (cp->val != match->val) 2285 send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
2246 return;
2247
2248 send_mode_rsp(cmd->sk, cmd->opcode, cmd->index, cp->val);
2249 2286
2250 list_del(&cmd->list); 2287 list_del(&cmd->list);
2251 2288
@@ -2259,20 +2296,21 @@ static void mode_rsp(struct pending_cmd *cmd, void *data)
2259 2296
2260int mgmt_powered(struct hci_dev *hdev, u8 powered) 2297int mgmt_powered(struct hci_dev *hdev, u8 powered)
2261{ 2298{
2262 struct mgmt_mode ev; 2299 struct cmd_lookup match = { powered, NULL, hdev };
2263 struct cmd_lookup match = { powered, NULL }; 2300 __le32 ev;
2264 int ret; 2301 int ret;
2265 2302
2266 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, mode_rsp, &match); 2303 mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
2267 2304
2268 if (!powered) { 2305 if (!powered) {
2269 u8 status = ENETDOWN; 2306 u8 status = ENETDOWN;
2270 mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status); 2307 mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status);
2271 } 2308 }
2272 2309
2273 ev.val = powered; 2310 ev = cpu_to_le32(get_current_settings(hdev));
2274 2311
2275 ret = mgmt_event(MGMT_EV_POWERED, hdev, &ev, sizeof(ev), match.sk); 2312 ret = mgmt_event(MGMT_EV_NEW_SETTINGS, hdev, &ev, sizeof(ev),
2313 match.sk);
2276 2314
2277 if (match.sk) 2315 if (match.sk)
2278 sock_put(match.sk); 2316 sock_put(match.sk);
@@ -2282,17 +2320,16 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered)
2282 2320
2283int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable) 2321int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
2284{ 2322{
2285 struct mgmt_mode ev; 2323 struct cmd_lookup match = { discoverable, NULL, hdev };
2286 struct cmd_lookup match = { discoverable, NULL }; 2324 __le32 ev;
2287 int ret; 2325 int ret;
2288 2326
2289 mgmt_pending_foreach(MGMT_OP_SET_DISCOVERABLE, hdev, mode_rsp, &match); 2327 mgmt_pending_foreach(MGMT_OP_SET_DISCOVERABLE, hdev, settings_rsp, &match);
2290 2328
2291 ev.val = discoverable; 2329 ev = cpu_to_le32(get_current_settings(hdev));
2292 2330
2293 ret = mgmt_event(MGMT_EV_DISCOVERABLE, hdev, &ev, sizeof(ev), 2331 ret = mgmt_event(MGMT_EV_NEW_SETTINGS, hdev, &ev, sizeof(ev),
2294 match.sk); 2332 match.sk);
2295
2296 if (match.sk) 2333 if (match.sk)
2297 sock_put(match.sk); 2334 sock_put(match.sk);
2298 2335
@@ -2301,15 +2338,16 @@ int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
2301 2338
2302int mgmt_connectable(struct hci_dev *hdev, u8 connectable) 2339int mgmt_connectable(struct hci_dev *hdev, u8 connectable)
2303{ 2340{
2304 struct mgmt_mode ev; 2341 __le32 ev;
2305 struct cmd_lookup match = { connectable, NULL }; 2342 struct cmd_lookup match = { connectable, NULL, hdev };
2306 int ret; 2343 int ret;
2307 2344
2308 mgmt_pending_foreach(MGMT_OP_SET_CONNECTABLE, hdev, mode_rsp, &match); 2345 mgmt_pending_foreach(MGMT_OP_SET_CONNECTABLE, hdev, settings_rsp,
2346 &match);
2309 2347
2310 ev.val = connectable; 2348 ev = cpu_to_le32(get_current_settings(hdev));
2311 2349
2312 ret = mgmt_event(MGMT_EV_CONNECTABLE, hdev, &ev, sizeof(ev), match.sk); 2350 ret = mgmt_event(MGMT_EV_NEW_SETTINGS, hdev, &ev, sizeof(ev), match.sk);
2313 2351
2314 if (match.sk) 2352 if (match.sk)
2315 sock_put(match.sk); 2353 sock_put(match.sk);
diff --git a/net/bluetooth/rfcomm/Kconfig b/net/bluetooth/rfcomm/Kconfig
index 405a0e61e7dc..22e718b554e4 100644
--- a/net/bluetooth/rfcomm/Kconfig
+++ b/net/bluetooth/rfcomm/Kconfig
@@ -1,6 +1,6 @@
1config BT_RFCOMM 1config BT_RFCOMM
2 tristate "RFCOMM protocol support" 2 tristate "RFCOMM protocol support"
3 depends on BT && BT_L2CAP 3 depends on BT
4 help 4 help
5 RFCOMM provides connection oriented stream transport. RFCOMM 5 RFCOMM provides connection oriented stream transport. RFCOMM
6 support is required for Dialup Networking, OBEX and other Bluetooth 6 support is required for Dialup Networking, OBEX and other Bluetooth
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index eac849b935a1..501649bf5596 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -65,8 +65,7 @@ static DEFINE_MUTEX(rfcomm_mutex);
65 65
66static LIST_HEAD(session_list); 66static LIST_HEAD(session_list);
67 67
68static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len, 68static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len);
69 u32 priority);
70static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci); 69static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci);
71static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci); 70static int rfcomm_send_disc(struct rfcomm_session *s, u8 dlci);
72static int rfcomm_queue_disc(struct rfcomm_dlc *d); 71static int rfcomm_queue_disc(struct rfcomm_dlc *d);
@@ -748,32 +747,23 @@ void rfcomm_session_getaddr(struct rfcomm_session *s, bdaddr_t *src, bdaddr_t *d
748} 747}
749 748
750/* ---- RFCOMM frame sending ---- */ 749/* ---- RFCOMM frame sending ---- */
751static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len, 750static int rfcomm_send_frame(struct rfcomm_session *s, u8 *data, int len)
752 u32 priority)
753{ 751{
754 struct socket *sock = s->sock;
755 struct sock *sk = sock->sk;
756 struct kvec iv = { data, len }; 752 struct kvec iv = { data, len };
757 struct msghdr msg; 753 struct msghdr msg;
758 754
759 BT_DBG("session %p len %d priority %u", s, len, priority); 755 BT_DBG("session %p len %d", s, len);
760
761 if (sk->sk_priority != priority) {
762 lock_sock(sk);
763 sk->sk_priority = priority;
764 release_sock(sk);
765 }
766 756
767 memset(&msg, 0, sizeof(msg)); 757 memset(&msg, 0, sizeof(msg));
768 758
769 return kernel_sendmsg(sock, &msg, &iv, 1, len); 759 return kernel_sendmsg(s->sock, &msg, &iv, 1, len);
770} 760}
771 761
772static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd) 762static int rfcomm_send_cmd(struct rfcomm_session *s, struct rfcomm_cmd *cmd)
773{ 763{
774 BT_DBG("%p cmd %u", s, cmd->ctrl); 764 BT_DBG("%p cmd %u", s, cmd->ctrl);
775 765
776 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd), HCI_PRIO_MAX); 766 return rfcomm_send_frame(s, (void *) cmd, sizeof(*cmd));
777} 767}
778 768
779static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci) 769static int rfcomm_send_sabm(struct rfcomm_session *s, u8 dlci)
@@ -829,8 +819,6 @@ static int rfcomm_queue_disc(struct rfcomm_dlc *d)
829 if (!skb) 819 if (!skb)
830 return -ENOMEM; 820 return -ENOMEM;
831 821
832 skb->priority = HCI_PRIO_MAX;
833
834 cmd = (void *) __skb_put(skb, sizeof(*cmd)); 822 cmd = (void *) __skb_put(skb, sizeof(*cmd));
835 cmd->addr = d->addr; 823 cmd->addr = d->addr;
836 cmd->ctrl = __ctrl(RFCOMM_DISC, 1); 824 cmd->ctrl = __ctrl(RFCOMM_DISC, 1);
@@ -878,7 +866,7 @@ static int rfcomm_send_nsc(struct rfcomm_session *s, int cr, u8 type)
878 866
879 *ptr = __fcs(buf); ptr++; 867 *ptr = __fcs(buf); ptr++;
880 868
881 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 869 return rfcomm_send_frame(s, buf, ptr - buf);
882} 870}
883 871
884static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d) 872static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d)
@@ -920,7 +908,7 @@ static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d
920 908
921 *ptr = __fcs(buf); ptr++; 909 *ptr = __fcs(buf); ptr++;
922 910
923 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 911 return rfcomm_send_frame(s, buf, ptr - buf);
924} 912}
925 913
926int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci, 914int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
@@ -958,7 +946,7 @@ int rfcomm_send_rpn(struct rfcomm_session *s, int cr, u8 dlci,
958 946
959 *ptr = __fcs(buf); ptr++; 947 *ptr = __fcs(buf); ptr++;
960 948
961 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 949 return rfcomm_send_frame(s, buf, ptr - buf);
962} 950}
963 951
964static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status) 952static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
@@ -985,7 +973,7 @@ static int rfcomm_send_rls(struct rfcomm_session *s, int cr, u8 dlci, u8 status)
985 973
986 *ptr = __fcs(buf); ptr++; 974 *ptr = __fcs(buf); ptr++;
987 975
988 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 976 return rfcomm_send_frame(s, buf, ptr - buf);
989} 977}
990 978
991static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig) 979static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig)
@@ -1012,7 +1000,7 @@ static int rfcomm_send_msc(struct rfcomm_session *s, int cr, u8 dlci, u8 v24_sig
1012 1000
1013 *ptr = __fcs(buf); ptr++; 1001 *ptr = __fcs(buf); ptr++;
1014 1002
1015 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1003 return rfcomm_send_frame(s, buf, ptr - buf);
1016} 1004}
1017 1005
1018static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr) 1006static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
@@ -1034,7 +1022,7 @@ static int rfcomm_send_fcoff(struct rfcomm_session *s, int cr)
1034 1022
1035 *ptr = __fcs(buf); ptr++; 1023 *ptr = __fcs(buf); ptr++;
1036 1024
1037 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1025 return rfcomm_send_frame(s, buf, ptr - buf);
1038} 1026}
1039 1027
1040static int rfcomm_send_fcon(struct rfcomm_session *s, int cr) 1028static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
@@ -1056,7 +1044,7 @@ static int rfcomm_send_fcon(struct rfcomm_session *s, int cr)
1056 1044
1057 *ptr = __fcs(buf); ptr++; 1045 *ptr = __fcs(buf); ptr++;
1058 1046
1059 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1047 return rfcomm_send_frame(s, buf, ptr - buf);
1060} 1048}
1061 1049
1062static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len) 1050static int rfcomm_send_test(struct rfcomm_session *s, int cr, u8 *pattern, int len)
@@ -1107,7 +1095,7 @@ static int rfcomm_send_credits(struct rfcomm_session *s, u8 addr, u8 credits)
1107 1095
1108 *ptr = __fcs(buf); ptr++; 1096 *ptr = __fcs(buf); ptr++;
1109 1097
1110 return rfcomm_send_frame(s, buf, ptr - buf, HCI_PRIO_MAX); 1098 return rfcomm_send_frame(s, buf, ptr - buf);
1111} 1099}
1112 1100
1113static void rfcomm_make_uih(struct sk_buff *skb, u8 addr) 1101static void rfcomm_make_uih(struct sk_buff *skb, u8 addr)
@@ -1786,8 +1774,7 @@ static inline int rfcomm_process_tx(struct rfcomm_dlc *d)
1786 return skb_queue_len(&d->tx_queue); 1774 return skb_queue_len(&d->tx_queue);
1787 1775
1788 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) { 1776 while (d->tx_credits && (skb = skb_dequeue(&d->tx_queue))) {
1789 err = rfcomm_send_frame(d->session, skb->data, skb->len, 1777 err = rfcomm_send_frame(d->session, skb->data, skb->len);
1790 skb->priority);
1791 if (err < 0) { 1778 if (err < 0) {
1792 skb_queue_head(&d->tx_queue, skb); 1779 skb_queue_head(&d->tx_queue, skb);
1793 break; 1780 break;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a0d11b873831..5dc2f2126fac 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -189,7 +189,7 @@ static int sco_connect(struct sock *sk)
189 if (!hdev) 189 if (!hdev)
190 return -EHOSTUNREACH; 190 return -EHOSTUNREACH;
191 191
192 hci_dev_lock_bh(hdev); 192 hci_dev_lock(hdev);
193 193
194 if (lmp_esco_capable(hdev) && !disable_esco) 194 if (lmp_esco_capable(hdev) && !disable_esco)
195 type = ESCO_LINK; 195 type = ESCO_LINK;
@@ -225,7 +225,7 @@ static int sco_connect(struct sock *sk)
225 } 225 }
226 226
227done: 227done:
228 hci_dev_unlock_bh(hdev); 228 hci_dev_unlock(hdev);
229 hci_dev_put(hdev); 229 hci_dev_put(hdev);
230 return err; 230 return err;
231} 231}
@@ -893,15 +893,12 @@ done:
893} 893}
894 894
895/* ----- SCO interface with lower layer (HCI) ----- */ 895/* ----- SCO interface with lower layer (HCI) ----- */
896static int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type) 896int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
897{ 897{
898 register struct sock *sk; 898 register struct sock *sk;
899 struct hlist_node *node; 899 struct hlist_node *node;
900 int lm = 0; 900 int lm = 0;
901 901
902 if (type != SCO_LINK && type != ESCO_LINK)
903 return -EINVAL;
904
905 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr)); 902 BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
906 903
907 /* Find listening sockets */ 904 /* Find listening sockets */
@@ -921,13 +918,9 @@ static int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 type)
921 return lm; 918 return lm;
922} 919}
923 920
924static int sco_connect_cfm(struct hci_conn *hcon, __u8 status) 921int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
925{ 922{
926 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status); 923 BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
927
928 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
929 return -EINVAL;
930
931 if (!status) { 924 if (!status) {
932 struct sco_conn *conn; 925 struct sco_conn *conn;
933 926
@@ -940,19 +933,15 @@ static int sco_connect_cfm(struct hci_conn *hcon, __u8 status)
940 return 0; 933 return 0;
941} 934}
942 935
943static int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason) 936int sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
944{ 937{
945 BT_DBG("hcon %p reason %d", hcon, reason); 938 BT_DBG("hcon %p reason %d", hcon, reason);
946 939
947 if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
948 return -EINVAL;
949
950 sco_conn_del(hcon, bt_to_errno(reason)); 940 sco_conn_del(hcon, bt_to_errno(reason));
951
952 return 0; 941 return 0;
953} 942}
954 943
955static int sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb) 944int sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
956{ 945{
957 struct sco_conn *conn = hcon->sco_data; 946 struct sco_conn *conn = hcon->sco_data;
958 947
@@ -1028,15 +1017,6 @@ static const struct net_proto_family sco_sock_family_ops = {
1028 .create = sco_sock_create, 1017 .create = sco_sock_create,
1029}; 1018};
1030 1019
1031static struct hci_proto sco_hci_proto = {
1032 .name = "SCO",
1033 .id = HCI_PROTO_SCO,
1034 .connect_ind = sco_connect_ind,
1035 .connect_cfm = sco_connect_cfm,
1036 .disconn_cfm = sco_disconn_cfm,
1037 .recv_scodata = sco_recv_scodata
1038};
1039
1040int __init sco_init(void) 1020int __init sco_init(void)
1041{ 1021{
1042 int err; 1022 int err;
@@ -1051,13 +1031,6 @@ int __init sco_init(void)
1051 goto error; 1031 goto error;
1052 } 1032 }
1053 1033
1054 err = hci_register_proto(&sco_hci_proto);
1055 if (err < 0) {
1056 BT_ERR("SCO protocol registration failed");
1057 bt_sock_unregister(BTPROTO_SCO);
1058 goto error;
1059 }
1060
1061 if (bt_debugfs) { 1034 if (bt_debugfs) {
1062 sco_debugfs = debugfs_create_file("sco", 0444, 1035 sco_debugfs = debugfs_create_file("sco", 0444,
1063 bt_debugfs, NULL, &sco_debugfs_fops); 1036 bt_debugfs, NULL, &sco_debugfs_fops);
@@ -1081,9 +1054,6 @@ void __exit sco_exit(void)
1081 if (bt_sock_unregister(BTPROTO_SCO) < 0) 1054 if (bt_sock_unregister(BTPROTO_SCO) < 0)
1082 BT_ERR("SCO socket unregistration failed"); 1055 BT_ERR("SCO socket unregistration failed");
1083 1056
1084 if (hci_unregister_proto(&sco_hci_proto) < 0)
1085 BT_ERR("SCO protocol unregistration failed");
1086
1087 proto_unregister(&sco_proto); 1057 proto_unregister(&sco_proto);
1088} 1058}
1089 1059
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 0b96737d0ad3..32c47de30344 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -23,6 +23,7 @@
23#include <net/bluetooth/bluetooth.h> 23#include <net/bluetooth/bluetooth.h>
24#include <net/bluetooth/hci_core.h> 24#include <net/bluetooth/hci_core.h>
25#include <net/bluetooth/l2cap.h> 25#include <net/bluetooth/l2cap.h>
26#include <net/bluetooth/mgmt.h>
26#include <net/bluetooth/smp.h> 27#include <net/bluetooth/smp.h>
27#include <linux/crypto.h> 28#include <linux/crypto.h>
28#include <linux/scatterlist.h> 29#include <linux/scatterlist.h>
@@ -184,28 +185,50 @@ static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
184 skb->priority = HCI_PRIO_MAX; 185 skb->priority = HCI_PRIO_MAX;
185 hci_send_acl(conn->hchan, skb, 0); 186 hci_send_acl(conn->hchan, skb, 0);
186 187
187 mod_timer(&conn->security_timer, jiffies + 188 cancel_delayed_work_sync(&conn->security_timer);
189 schedule_delayed_work(&conn->security_timer,
188 msecs_to_jiffies(SMP_TIMEOUT)); 190 msecs_to_jiffies(SMP_TIMEOUT));
189} 191}
190 192
193static __u8 authreq_to_seclevel(__u8 authreq)
194{
195 if (authreq & SMP_AUTH_MITM)
196 return BT_SECURITY_HIGH;
197 else
198 return BT_SECURITY_MEDIUM;
199}
200
201static __u8 seclevel_to_authreq(__u8 sec_level)
202{
203 switch (sec_level) {
204 case BT_SECURITY_HIGH:
205 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
206 case BT_SECURITY_MEDIUM:
207 return SMP_AUTH_BONDING;
208 default:
209 return SMP_AUTH_NONE;
210 }
211}
212
191static void build_pairing_cmd(struct l2cap_conn *conn, 213static void build_pairing_cmd(struct l2cap_conn *conn,
192 struct smp_cmd_pairing *req, 214 struct smp_cmd_pairing *req,
193 struct smp_cmd_pairing *rsp, 215 struct smp_cmd_pairing *rsp,
194 __u8 authreq) 216 __u8 authreq)
195{ 217{
196 u8 dist_keys; 218 u8 dist_keys = 0;
197 219
198 dist_keys = 0;
199 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) { 220 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) {
200 dist_keys = SMP_DIST_ENC_KEY; 221 dist_keys = SMP_DIST_ENC_KEY;
201 authreq |= SMP_AUTH_BONDING; 222 authreq |= SMP_AUTH_BONDING;
223 } else {
224 authreq &= ~SMP_AUTH_BONDING;
202 } 225 }
203 226
204 if (rsp == NULL) { 227 if (rsp == NULL) {
205 req->io_capability = conn->hcon->io_capability; 228 req->io_capability = conn->hcon->io_capability;
206 req->oob_flag = SMP_OOB_NOT_PRESENT; 229 req->oob_flag = SMP_OOB_NOT_PRESENT;
207 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 230 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
208 req->init_key_dist = dist_keys; 231 req->init_key_dist = 0;
209 req->resp_key_dist = dist_keys; 232 req->resp_key_dist = dist_keys;
210 req->auth_req = authreq; 233 req->auth_req = authreq;
211 return; 234 return;
@@ -214,7 +237,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
214 rsp->io_capability = conn->hcon->io_capability; 237 rsp->io_capability = conn->hcon->io_capability;
215 rsp->oob_flag = SMP_OOB_NOT_PRESENT; 238 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
216 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 239 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
217 rsp->init_key_dist = req->init_key_dist & dist_keys; 240 rsp->init_key_dist = 0;
218 rsp->resp_key_dist = req->resp_key_dist & dist_keys; 241 rsp->resp_key_dist = req->resp_key_dist & dist_keys;
219 rsp->auth_req = authreq; 242 rsp->auth_req = authreq;
220} 243}
@@ -240,10 +263,99 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
240 263
241 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->pend); 264 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->pend);
242 mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason); 265 mgmt_auth_failed(conn->hcon->hdev, conn->dst, reason);
243 del_timer(&conn->security_timer); 266 cancel_delayed_work_sync(&conn->security_timer);
244 smp_chan_destroy(conn); 267 smp_chan_destroy(conn);
245} 268}
246 269
270#define JUST_WORKS 0x00
271#define JUST_CFM 0x01
272#define REQ_PASSKEY 0x02
273#define CFM_PASSKEY 0x03
274#define REQ_OOB 0x04
275#define OVERLAP 0xFF
276
277static const u8 gen_method[5][5] = {
278 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
279 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
280 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
281 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
282 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
283};
284
285static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
286 u8 local_io, u8 remote_io)
287{
288 struct hci_conn *hcon = conn->hcon;
289 struct smp_chan *smp = conn->smp_chan;
290 u8 method;
291 u32 passkey = 0;
292 int ret = 0;
293
294 /* Initialize key for JUST WORKS */
295 memset(smp->tk, 0, sizeof(smp->tk));
296 clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
297
298 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
299
300 /* If neither side wants MITM, use JUST WORKS */
301 /* If either side has unknown io_caps, use JUST WORKS */
302 /* Otherwise, look up method from the table */
303 if (!(auth & SMP_AUTH_MITM) ||
304 local_io > SMP_IO_KEYBOARD_DISPLAY ||
305 remote_io > SMP_IO_KEYBOARD_DISPLAY)
306 method = JUST_WORKS;
307 else
308 method = gen_method[local_io][remote_io];
309
310 /* If not bonding, don't ask user to confirm a Zero TK */
311 if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
312 method = JUST_WORKS;
313
314 /* If Just Works, Continue with Zero TK */
315 if (method == JUST_WORKS) {
316 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
317 return 0;
318 }
319
320 /* Not Just Works/Confirm results in MITM Authentication */
321 if (method != JUST_CFM)
322 set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags);
323
324 /* If both devices have Keyoard-Display I/O, the master
325 * Confirms and the slave Enters the passkey.
326 */
327 if (method == OVERLAP) {
328 if (hcon->link_mode & HCI_LM_MASTER)
329 method = CFM_PASSKEY;
330 else
331 method = REQ_PASSKEY;
332 }
333
334 /* Generate random passkey. Not valid until confirmed. */
335 if (method == CFM_PASSKEY) {
336 u8 key[16];
337
338 memset(key, 0, sizeof(key));
339 get_random_bytes(&passkey, sizeof(passkey));
340 passkey %= 1000000;
341 put_unaligned_le32(passkey, key);
342 swap128(key, smp->tk);
343 BT_DBG("PassKey: %d", passkey);
344 }
345
346 hci_dev_lock(hcon->hdev);
347
348 if (method == REQ_PASSKEY)
349 ret = mgmt_user_passkey_request(hcon->hdev, conn->dst);
350 else
351 ret = mgmt_user_confirm_request(hcon->hdev, conn->dst,
352 cpu_to_le32(passkey), 0);
353
354 hci_dev_unlock(hcon->hdev);
355
356 return ret;
357}
358
247static void confirm_work(struct work_struct *work) 359static void confirm_work(struct work_struct *work)
248{ 360{
249 struct smp_chan *smp = container_of(work, struct smp_chan, confirm); 361 struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
@@ -276,6 +388,8 @@ static void confirm_work(struct work_struct *work)
276 goto error; 388 goto error;
277 } 389 }
278 390
391 clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
392
279 swap128(res, cp.confirm_val); 393 swap128(res, cp.confirm_val);
280 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 394 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
281 395
@@ -381,6 +495,7 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
381 495
382 smp->conn = conn; 496 smp->conn = conn;
383 conn->smp_chan = smp; 497 conn->smp_chan = smp;
498 conn->hcon->smp_conn = conn;
384 499
385 hci_conn_hold(conn->hcon); 500 hci_conn_hold(conn->hcon);
386 501
@@ -398,18 +513,64 @@ void smp_chan_destroy(struct l2cap_conn *conn)
398 513
399 kfree(smp); 514 kfree(smp);
400 conn->smp_chan = NULL; 515 conn->smp_chan = NULL;
516 conn->hcon->smp_conn = NULL;
401 hci_conn_put(conn->hcon); 517 hci_conn_put(conn->hcon);
402} 518}
403 519
520int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
521{
522 struct l2cap_conn *conn = hcon->smp_conn;
523 struct smp_chan *smp;
524 u32 value;
525 u8 key[16];
526
527 BT_DBG("");
528
529 if (!conn)
530 return -ENOTCONN;
531
532 smp = conn->smp_chan;
533
534 switch (mgmt_op) {
535 case MGMT_OP_USER_PASSKEY_REPLY:
536 value = le32_to_cpu(passkey);
537 memset(key, 0, sizeof(key));
538 BT_DBG("PassKey: %d", value);
539 put_unaligned_le32(value, key);
540 swap128(key, smp->tk);
541 /* Fall Through */
542 case MGMT_OP_USER_CONFIRM_REPLY:
543 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
544 break;
545 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
546 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
547 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED, 1);
548 return 0;
549 default:
550 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED, 1);
551 return -EOPNOTSUPP;
552 }
553
554 /* If it is our turn to send Pairing Confirm, do so now */
555 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags))
556 queue_work(hcon->hdev->workqueue, &smp->confirm);
557
558 return 0;
559}
560
404static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 561static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
405{ 562{
406 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 563 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
407 struct smp_chan *smp; 564 struct smp_chan *smp;
408 u8 key_size; 565 u8 key_size;
566 u8 auth = SMP_AUTH_NONE;
409 int ret; 567 int ret;
410 568
411 BT_DBG("conn %p", conn); 569 BT_DBG("conn %p", conn);
412 570
571 if (conn->hcon->link_mode & HCI_LM_MASTER)
572 return SMP_CMD_NOTSUPP;
573
413 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend)) 574 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend))
414 smp = smp_chan_create(conn); 575 smp = smp_chan_create(conn);
415 576
@@ -419,19 +580,16 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
419 memcpy(&smp->preq[1], req, sizeof(*req)); 580 memcpy(&smp->preq[1], req, sizeof(*req));
420 skb_pull(skb, sizeof(*req)); 581 skb_pull(skb, sizeof(*req));
421 582
422 if (req->oob_flag) 583 /* We didn't start the pairing, so match remote */
423 return SMP_OOB_NOT_AVAIL; 584 if (req->auth_req & SMP_AUTH_BONDING)
585 auth = req->auth_req;
424 586
425 /* We didn't start the pairing, so no requirements */ 587 build_pairing_cmd(conn, req, &rsp, auth);
426 build_pairing_cmd(conn, req, &rsp, SMP_AUTH_NONE);
427 588
428 key_size = min(req->max_key_size, rsp.max_key_size); 589 key_size = min(req->max_key_size, rsp.max_key_size);
429 if (check_enc_key_size(conn, key_size)) 590 if (check_enc_key_size(conn, key_size))
430 return SMP_ENC_KEY_SIZE; 591 return SMP_ENC_KEY_SIZE;
431 592
432 /* Just works */
433 memset(smp->tk, 0, sizeof(smp->tk));
434
435 ret = smp_rand(smp->prnd); 593 ret = smp_rand(smp->prnd);
436 if (ret) 594 if (ret)
437 return SMP_UNSPECIFIED; 595 return SMP_UNSPECIFIED;
@@ -441,6 +599,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
441 599
442 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 600 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
443 601
602 /* Request setup of TK */
603 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
604 if (ret)
605 return SMP_UNSPECIFIED;
606
444 return 0; 607 return 0;
445} 608}
446 609
@@ -449,11 +612,14 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
449 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 612 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
450 struct smp_chan *smp = conn->smp_chan; 613 struct smp_chan *smp = conn->smp_chan;
451 struct hci_dev *hdev = conn->hcon->hdev; 614 struct hci_dev *hdev = conn->hcon->hdev;
452 u8 key_size; 615 u8 key_size, auth = SMP_AUTH_NONE;
453 int ret; 616 int ret;
454 617
455 BT_DBG("conn %p", conn); 618 BT_DBG("conn %p", conn);
456 619
620 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
621 return SMP_CMD_NOTSUPP;
622
457 skb_pull(skb, sizeof(*rsp)); 623 skb_pull(skb, sizeof(*rsp));
458 624
459 req = (void *) &smp->preq[1]; 625 req = (void *) &smp->preq[1];
@@ -462,12 +628,6 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
462 if (check_enc_key_size(conn, key_size)) 628 if (check_enc_key_size(conn, key_size))
463 return SMP_ENC_KEY_SIZE; 629 return SMP_ENC_KEY_SIZE;
464 630
465 if (rsp->oob_flag)
466 return SMP_OOB_NOT_AVAIL;
467
468 /* Just works */
469 memset(smp->tk, 0, sizeof(smp->tk));
470
471 ret = smp_rand(smp->prnd); 631 ret = smp_rand(smp->prnd);
472 if (ret) 632 if (ret)
473 return SMP_UNSPECIFIED; 633 return SMP_UNSPECIFIED;
@@ -475,6 +635,22 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
475 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 635 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
476 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 636 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
477 637
638 if ((req->auth_req & SMP_AUTH_BONDING) &&
639 (rsp->auth_req & SMP_AUTH_BONDING))
640 auth = SMP_AUTH_BONDING;
641
642 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
643
644 ret = tk_request(conn, 0, auth, rsp->io_capability, req->io_capability);
645 if (ret)
646 return SMP_UNSPECIFIED;
647
648 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
649
650 /* Can't compose response until we have been confirmed */
651 if (!test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
652 return 0;
653
478 queue_work(hdev->workqueue, &smp->confirm); 654 queue_work(hdev->workqueue, &smp->confirm);
479 655
480 return 0; 656 return 0;
@@ -496,8 +672,10 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
496 swap128(smp->prnd, random); 672 swap128(smp->prnd, random);
497 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random), 673 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
498 random); 674 random);
499 } else { 675 } else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) {
500 queue_work(hdev->workqueue, &smp->confirm); 676 queue_work(hdev->workqueue, &smp->confirm);
677 } else {
678 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
501 } 679 }
502 680
503 return 0; 681 return 0;
@@ -550,7 +728,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
550 728
551 BT_DBG("conn %p", conn); 729 BT_DBG("conn %p", conn);
552 730
553 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 731 hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
554 732
555 if (smp_ltk_encrypt(conn)) 733 if (smp_ltk_encrypt(conn))
556 return 0; 734 return 0;
@@ -577,6 +755,7 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
577{ 755{
578 struct hci_conn *hcon = conn->hcon; 756 struct hci_conn *hcon = conn->hcon;
579 struct smp_chan *smp = conn->smp_chan; 757 struct smp_chan *smp = conn->smp_chan;
758 __u8 authreq;
580 759
581 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 760 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
582 761
@@ -597,18 +776,22 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
597 return 0; 776 return 0;
598 777
599 smp = smp_chan_create(conn); 778 smp = smp_chan_create(conn);
779 if (!smp)
780 return 1;
781
782 authreq = seclevel_to_authreq(sec_level);
600 783
601 if (hcon->link_mode & HCI_LM_MASTER) { 784 if (hcon->link_mode & HCI_LM_MASTER) {
602 struct smp_cmd_pairing cp; 785 struct smp_cmd_pairing cp;
603 786
604 build_pairing_cmd(conn, &cp, NULL, SMP_AUTH_NONE); 787 build_pairing_cmd(conn, &cp, NULL, authreq);
605 smp->preq[0] = SMP_CMD_PAIRING_REQ; 788 smp->preq[0] = SMP_CMD_PAIRING_REQ;
606 memcpy(&smp->preq[1], &cp, sizeof(cp)); 789 memcpy(&smp->preq[1], &cp, sizeof(cp));
607 790
608 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 791 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
609 } else { 792 } else {
610 struct smp_cmd_security_req cp; 793 struct smp_cmd_security_req cp;
611 cp.auth_req = SMP_AUTH_NONE; 794 cp.auth_req = authreq;
612 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 795 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
613 } 796 }
614 797
@@ -637,7 +820,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
637 820
638 skb_pull(skb, sizeof(*rp)); 821 skb_pull(skb, sizeof(*rp));
639 822
640 hci_add_ltk(conn->hcon->hdev, 1, conn->src, smp->smp_key_size, 823 hci_add_ltk(conn->hcon->hdev, 1, conn->dst, smp->smp_key_size,
641 rp->ediv, rp->rand, smp->tk); 824 rp->ediv, rp->rand, smp->tk);
642 825
643 smp_distribute_keys(conn, 1); 826 smp_distribute_keys(conn, 1);
@@ -800,7 +983,7 @@ int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
800 983
801 if (conn->hcon->out || force) { 984 if (conn->hcon->out || force) {
802 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend); 985 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend);
803 del_timer(&conn->security_timer); 986 cancel_delayed_work_sync(&conn->security_timer);
804 smp_chan_destroy(conn); 987 smp_chan_destroy(conn);
805 } 988 }
806 989
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index e92f98d32746..76be61744198 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -392,6 +392,7 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
392#endif 392#endif
393 393
394 spin_lock_bh(&sta->lock); 394 spin_lock_bh(&sta->lock);
395 sta->ampdu_mlme.last_addba_req_time[tid] = jiffies;
395 sta->ampdu_mlme.addba_req_num[tid]++; 396 sta->ampdu_mlme.addba_req_num[tid]++;
396 spin_unlock_bh(&sta->lock); 397 spin_unlock_bh(&sta->lock);
397 398
@@ -492,6 +493,24 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
492 goto err_unlock_sta; 493 goto err_unlock_sta;
493 } 494 }
494 495
496 /*
497 * if we have tried more than HT_AGG_BURST_RETRIES times we
498 * will spread our requests in time to avoid stalling connection
499 * for too long
500 */
501 if (sta->ampdu_mlme.addba_req_num[tid] > HT_AGG_BURST_RETRIES &&
502 time_before(jiffies, sta->ampdu_mlme.last_addba_req_time[tid] +
503 HT_AGG_RETRIES_PERIOD)) {
504#ifdef CONFIG_MAC80211_HT_DEBUG
505 printk(KERN_DEBUG "BA request denied - "
506 "waiting a grace period after %d failed requests "
507 "on tid %u\n",
508 sta->ampdu_mlme.addba_req_num[tid], tid);
509#endif /* CONFIG_MAC80211_HT_DEBUG */
510 ret = -EBUSY;
511 goto err_unlock_sta;
512 }
513
495 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 514 tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
496 /* check if the TID is not in aggregation flow already */ 515 /* check if the TID is not in aggregation flow already */
497 if (tid_tx || sta->ampdu_mlme.tid_start_tx[tid]) { 516 if (tid_tx || sta->ampdu_mlme.tid_start_tx[tid]) {
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 66ad9d9af87f..850bb96bd680 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -355,7 +355,8 @@ static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
355 STATION_INFO_RX_DROP_MISC | 355 STATION_INFO_RX_DROP_MISC |
356 STATION_INFO_BSS_PARAM | 356 STATION_INFO_BSS_PARAM |
357 STATION_INFO_CONNECTED_TIME | 357 STATION_INFO_CONNECTED_TIME |
358 STATION_INFO_STA_FLAGS; 358 STATION_INFO_STA_FLAGS |
359 STATION_INFO_BEACON_LOSS_COUNT;
359 360
360 do_posix_clock_monotonic_gettime(&uptime); 361 do_posix_clock_monotonic_gettime(&uptime);
361 sinfo->connected_time = uptime.tv_sec - sta->last_connected; 362 sinfo->connected_time = uptime.tv_sec - sta->last_connected;
@@ -368,6 +369,7 @@ static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
368 sinfo->tx_retries = sta->tx_retry_count; 369 sinfo->tx_retries = sta->tx_retry_count;
369 sinfo->tx_failed = sta->tx_retry_failed; 370 sinfo->tx_failed = sta->tx_retry_failed;
370 sinfo->rx_dropped_misc = sta->rx_dropped; 371 sinfo->rx_dropped_misc = sta->rx_dropped;
372 sinfo->beacon_loss_count = sta->beacon_loss_count;
371 373
372 if ((sta->local->hw.flags & IEEE80211_HW_SIGNAL_DBM) || 374 if ((sta->local->hw.flags & IEEE80211_HW_SIGNAL_DBM) ||
373 (sta->local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC)) { 375 (sta->local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC)) {
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index a984f1f60ddb..57989a046fca 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1381,6 +1381,14 @@ void ieee80211_beacon_connection_loss_work(struct work_struct *work)
1381 struct ieee80211_sub_if_data *sdata = 1381 struct ieee80211_sub_if_data *sdata =
1382 container_of(work, struct ieee80211_sub_if_data, 1382 container_of(work, struct ieee80211_sub_if_data,
1383 u.mgd.beacon_connection_loss_work); 1383 u.mgd.beacon_connection_loss_work);
1384 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
1385 struct sta_info *sta;
1386
1387 if (ifmgd->associated) {
1388 sta = sta_info_get(sdata, ifmgd->bssid);
1389 if (sta)
1390 sta->beacon_loss_count++;
1391 }
1384 1392
1385 if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR) 1393 if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
1386 __ieee80211_connection_loss(sdata); 1394 __ieee80211_connection_loss(sdata);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 2be5b7d69ad7..59f124c58333 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -28,6 +28,7 @@
28#include "wpa.h" 28#include "wpa.h"
29#include "tkip.h" 29#include "tkip.h"
30#include "wme.h" 30#include "wme.h"
31#include "rate.h"
31 32
32/* 33/*
33 * monitor mode reception 34 * monitor mode reception
@@ -1826,7 +1827,12 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1826 } 1827 }
1827 1828
1828 if (xmit_skb) { 1829 if (xmit_skb) {
1829 /* send to wireless media */ 1830 /*
1831 * Send to wireless media and increase priority by 256 to
1832 * keep the received priority instead of reclassifying
1833 * the frame (see cfg80211_classify8021d).
1834 */
1835 xmit_skb->priority += 256;
1830 xmit_skb->protocol = htons(ETH_P_802_3); 1836 xmit_skb->protocol = htons(ETH_P_802_3);
1831 skb_reset_network_header(xmit_skb); 1837 skb_reset_network_header(xmit_skb);
1832 skb_reset_mac_header(xmit_skb); 1838 skb_reset_mac_header(xmit_skb);
@@ -2233,6 +2239,63 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2233 return RX_DROP_UNUSABLE; 2239 return RX_DROP_UNUSABLE;
2234 2240
2235 switch (mgmt->u.action.category) { 2241 switch (mgmt->u.action.category) {
2242 case WLAN_CATEGORY_HT:
2243 /* reject HT action frames from stations not supporting HT */
2244 if (!rx->sta->sta.ht_cap.ht_supported)
2245 goto invalid;
2246
2247 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2248 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2249 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2250 sdata->vif.type != NL80211_IFTYPE_AP &&
2251 sdata->vif.type != NL80211_IFTYPE_ADHOC)
2252 break;
2253
2254 /* verify action & smps_control are present */
2255 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
2256 goto invalid;
2257
2258 switch (mgmt->u.action.u.ht_smps.action) {
2259 case WLAN_HT_ACTION_SMPS: {
2260 struct ieee80211_supported_band *sband;
2261 u8 smps;
2262
2263 /* convert to HT capability */
2264 switch (mgmt->u.action.u.ht_smps.smps_control) {
2265 case WLAN_HT_SMPS_CONTROL_DISABLED:
2266 smps = WLAN_HT_CAP_SM_PS_DISABLED;
2267 break;
2268 case WLAN_HT_SMPS_CONTROL_STATIC:
2269 smps = WLAN_HT_CAP_SM_PS_STATIC;
2270 break;
2271 case WLAN_HT_SMPS_CONTROL_DYNAMIC:
2272 smps = WLAN_HT_CAP_SM_PS_DYNAMIC;
2273 break;
2274 default:
2275 goto invalid;
2276 }
2277 smps <<= IEEE80211_HT_CAP_SM_PS_SHIFT;
2278
2279 /* if no change do nothing */
2280 if ((rx->sta->sta.ht_cap.cap &
2281 IEEE80211_HT_CAP_SM_PS) == smps)
2282 goto handled;
2283
2284 rx->sta->sta.ht_cap.cap &= ~IEEE80211_HT_CAP_SM_PS;
2285 rx->sta->sta.ht_cap.cap |= smps;
2286
2287 sband = rx->local->hw.wiphy->bands[status->band];
2288
2289 rate_control_rate_update(local, sband, rx->sta,
2290 IEEE80211_RC_SMPS_CHANGED,
2291 local->_oper_channel_type);
2292 goto handled;
2293 }
2294 default:
2295 goto invalid;
2296 }
2297
2298 break;
2236 case WLAN_CATEGORY_BACK: 2299 case WLAN_CATEGORY_BACK:
2237 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2300 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2238 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2301 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 2db01e9541e7..f0d3b483dabd 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -822,10 +822,13 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
822 * until the aggregation stop completes. Refer 822 * until the aggregation stop completes. Refer
823 * http://thread.gmane.org/gmane.linux.kernel.wireless.general/81936 823 * http://thread.gmane.org/gmane.linux.kernel.wireless.general/81936
824 */ 824 */
825
826 mutex_lock(&sta->ampdu_mlme.mtx);
827
825 for (i = 0; i < STA_TID_NUM; i++) { 828 for (i = 0; i < STA_TID_NUM; i++) {
826 if (!sta->ampdu_mlme.tid_tx[i]) 829 tid_tx = rcu_dereference_protected_tid_tx(sta, i);
830 if (!tid_tx)
827 continue; 831 continue;
828 tid_tx = sta->ampdu_mlme.tid_tx[i];
829 if (skb_queue_len(&tid_tx->pending)) { 832 if (skb_queue_len(&tid_tx->pending)) {
830#ifdef CONFIG_MAC80211_HT_DEBUG 833#ifdef CONFIG_MAC80211_HT_DEBUG
831 wiphy_debug(local->hw.wiphy, "TX A-MPDU purging %d " 834 wiphy_debug(local->hw.wiphy, "TX A-MPDU purging %d "
@@ -837,6 +840,8 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
837 kfree_rcu(tid_tx, rcu_head); 840 kfree_rcu(tid_tx, rcu_head);
838 } 841 }
839 842
843 mutex_unlock(&sta->ampdu_mlme.mtx);
844
840 sta_info_free(local, sta); 845 sta_info_free(local, sta);
841 846
842 return 0; 847 return 0;
@@ -941,6 +946,9 @@ void ieee80211_sta_expire(struct ieee80211_sub_if_data *sdata,
941 946
942 mutex_lock(&local->sta_mtx); 947 mutex_lock(&local->sta_mtx);
943 list_for_each_entry_safe(sta, tmp, &local->sta_list, list) 948 list_for_each_entry_safe(sta, tmp, &local->sta_list, list)
949 if (sdata != sta->sdata)
950 continue;
951
944 if (time_after(jiffies, sta->last_rx + exp_time)) { 952 if (time_after(jiffies, sta->last_rx + exp_time)) {
945#ifdef CONFIG_MAC80211_IBSS_DEBUG 953#ifdef CONFIG_MAC80211_IBSS_DEBUG
946 printk(KERN_DEBUG "%s: expiring inactive STA %pM\n", 954 printk(KERN_DEBUG "%s: expiring inactive STA %pM\n",
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 15b3bb7d8629..6f77f12dc3fc 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -83,7 +83,9 @@ enum ieee80211_sta_state {
83 83
84#define STA_TID_NUM 16 84#define STA_TID_NUM 16
85#define ADDBA_RESP_INTERVAL HZ 85#define ADDBA_RESP_INTERVAL HZ
86#define HT_AGG_MAX_RETRIES 0x3 86#define HT_AGG_MAX_RETRIES 15
87#define HT_AGG_BURST_RETRIES 3
88#define HT_AGG_RETRIES_PERIOD (15 * HZ)
87 89
88#define HT_AGG_STATE_DRV_READY 0 90#define HT_AGG_STATE_DRV_READY 0
89#define HT_AGG_STATE_RESPONSE_RECEIVED 1 91#define HT_AGG_STATE_RESPONSE_RECEIVED 1
@@ -179,6 +181,7 @@ struct tid_ampdu_rx {
179 * @tid_tx: aggregation info for Tx per TID 181 * @tid_tx: aggregation info for Tx per TID
180 * @tid_start_tx: sessions where start was requested 182 * @tid_start_tx: sessions where start was requested
181 * @addba_req_num: number of times addBA request has been sent. 183 * @addba_req_num: number of times addBA request has been sent.
184 * @last_addba_req_time: timestamp of the last addBA request.
182 * @dialog_token_allocator: dialog token enumerator for each new session; 185 * @dialog_token_allocator: dialog token enumerator for each new session;
183 * @work: work struct for starting/stopping aggregation 186 * @work: work struct for starting/stopping aggregation
184 * @tid_rx_timer_expired: bitmap indicating on which TIDs the 187 * @tid_rx_timer_expired: bitmap indicating on which TIDs the
@@ -198,6 +201,7 @@ struct sta_ampdu_mlme {
198 struct work_struct work; 201 struct work_struct work;
199 struct tid_ampdu_tx __rcu *tid_tx[STA_TID_NUM]; 202 struct tid_ampdu_tx __rcu *tid_tx[STA_TID_NUM];
200 struct tid_ampdu_tx *tid_start_tx[STA_TID_NUM]; 203 struct tid_ampdu_tx *tid_start_tx[STA_TID_NUM];
204 unsigned long last_addba_req_time[STA_TID_NUM];
201 u8 addba_req_num[STA_TID_NUM]; 205 u8 addba_req_num[STA_TID_NUM];
202 u8 dialog_token_allocator; 206 u8 dialog_token_allocator;
203}; 207};
@@ -271,6 +275,7 @@ struct sta_ampdu_mlme {
271 * EAP frames before association 275 * EAP frames before association
272 * @sta: station information we share with the driver 276 * @sta: station information we share with the driver
273 * @sta_state: duplicates information about station state (for debug) 277 * @sta_state: duplicates information about station state (for debug)
278 * @beacon_loss_count: number of times beacon loss has triggered
274 */ 279 */
275struct sta_info { 280struct sta_info {
276 /* General information, mostly static */ 281 /* General information, mostly static */
@@ -363,6 +368,7 @@ struct sta_info {
363#endif 368#endif
364 369
365 unsigned int lost_packets; 370 unsigned int lost_packets;
371 unsigned int beacon_loss_count;
366 372
367 /* should be right in front of sta to be in the same cache line */ 373 /* should be right in front of sta to be in the same cache line */
368 bool dummy; 374 bool dummy;
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 67756b23eac5..1d32680807d6 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -554,11 +554,9 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
554 goto enqueue; 554 goto enqueue;
555 } 555 }
556 } 556 }
557 557 mutex_unlock(&local->socket_lock);
558 } 558 }
559 559
560 mutex_unlock(&local->socket_lock);
561
562 reason = LLCP_DM_NOBOUND; 560 reason = LLCP_DM_NOBOUND;
563 goto fail; 561 goto fail;
564 562
@@ -956,7 +954,7 @@ void nfc_llcp_unregister_device(struct nfc_dev *dev)
956 skb_queue_purge(&local->tx_queue); 954 skb_queue_purge(&local->tx_queue);
957 destroy_workqueue(local->tx_wq); 955 destroy_workqueue(local->tx_wq);
958 destroy_workqueue(local->rx_wq); 956 destroy_workqueue(local->rx_wq);
959 kfree(local->rx_pending); 957 kfree_skb(local->rx_pending);
960 kfree(local); 958 kfree(local);
961} 959}
962 960
diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h
index 2c2c4015c68b..6d28d75995b0 100644
--- a/net/nfc/nfc.h
+++ b/net/nfc/nfc.h
@@ -60,11 +60,11 @@ void nfc_llcp_exit(void);
60 60
61#else 61#else
62 62
63void nfc_llcp_mac_is_down(struct nfc_dev *dev) 63static inline void nfc_llcp_mac_is_down(struct nfc_dev *dev)
64{ 64{
65} 65}
66 66
67void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, 67static inline void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
68 u8 comm_mode, u8 rf_mode) 68 u8 comm_mode, u8 rf_mode)
69{ 69{
70} 70}
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index b07c4fc4ae22..b3d3cf8931cb 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2390,6 +2390,9 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
2390 if (sinfo->filled & STATION_INFO_TX_FAILED) 2390 if (sinfo->filled & STATION_INFO_TX_FAILED)
2391 NLA_PUT_U32(msg, NL80211_STA_INFO_TX_FAILED, 2391 NLA_PUT_U32(msg, NL80211_STA_INFO_TX_FAILED,
2392 sinfo->tx_failed); 2392 sinfo->tx_failed);
2393 if (sinfo->filled & STATION_INFO_BEACON_LOSS_COUNT)
2394 NLA_PUT_U32(msg, NL80211_STA_INFO_BEACON_LOSS,
2395 sinfo->beacon_loss_count);
2393 if (sinfo->filled & STATION_INFO_BSS_PARAM) { 2396 if (sinfo->filled & STATION_INFO_BSS_PARAM) {
2394 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM); 2397 bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
2395 if (!bss_param) 2398 if (!bss_param)
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-17 06:35:26 -0400