6 files changed, 38 insertions, 28 deletions
diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c
index f36defa37764..57d965b7f521 100644
--- a/drivers/bluetooth/btmrvl_sdio.c
+++ b/drivers/bluetooth/btmrvl_sdio.c
@@ -808,6 +808,7 @@ static int btmrvl_sdio_host_to_card(struct btmrvl_private *priv,
 exit:
        sdio_release_host(card->func);
+        kfree(tmpbuf);
        return ret;
 }
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b7c4224f4e7d..b10e3cdb08f8 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -377,6 +377,9 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
        if (acl->state == BT_CONNECTED &&
                        (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
+                acl->power_save = 1;
+                hci_conn_enter_active_mode(acl);
                if (lmp_esco_capable(hdev))
                        hci_setup_sync(sco, acl->handle);
                else
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 28517bad796c..592da5c909c1 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1699,6 +1699,7 @@ static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_bu
                break;
        case 0x1c:      /* SCO interval rejected */
+        case 0x1a:      /* Unsupported Remote Feature */
        case 0x1f:      /* Unspecified error */
                if (conn->out && conn->attempt < 2) {
                        conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 6cf526d06e21..fc6ec1e72652 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -703,29 +703,9 @@ static void hidp_close(struct hid_device *hid)
 static int hidp_parse(struct hid_device *hid)
 {
        struct hidp_session *session = hid->driver_data;
-        struct hidp_connadd_req *req = session->req;
-        unsigned char *buf;
-        int ret;
-        buf = kmalloc(req->rd_size, GFP_KERNEL);
-        if (!buf)
-                return -ENOMEM;
-        if (copy_from_user(buf, req->rd_data, req->rd_size)) {
-                kfree(buf);
-                return -EFAULT;
-        }
-        ret = hid_parse_report(session->hid, buf, req->rd_size);
-        kfree(buf);
-        if (ret)
-                return ret;
-        session->req = NULL;
-        return 0;
+        return hid_parse_report(session->hid, session->rd_data,
+                        session->rd_size);
 }
 static int hidp_start(struct hid_device *hid)
@@ -770,12 +750,24 @@ static int hidp_setup_hid(struct hidp_session *session,
        bdaddr_t src, dst;
        int err;
+        session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
+        if (!session->rd_data)
+                return -ENOMEM;
+        if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
+                err = -EFAULT;
+                goto fault;
+        }
+        session->rd_size = req->rd_size;
        hid = hid_allocate_device();
-        if (IS_ERR(hid))
+        if (IS_ERR(hid)) {
-                return PTR_ERR(hid);
+                err = PTR_ERR(hid);
+                goto fault;
+        }
        session->hid = hid;
-        session->req = req;
        hid->driver_data = session;
        baswap(&src, &bt_sk(session->ctrl_sock->sk)->src);
@@ -806,6 +798,10 @@ failed:
        hid_destroy_device(hid);
        session->hid = NULL;
+fault:
+        kfree(session->rd_data);
+        session->rd_data = NULL;
        return err;
 }
@@ -900,6 +896,9 @@ unlink:
                session->hid = NULL;
        }
+        kfree(session->rd_data);
+        session->rd_data = NULL;
 purge:
        skb_queue_purge(&session->ctrl_transmit);
        skb_queue_purge(&session->intr_transmit);
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index faf3d74c3586..a4e215d50c10 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -154,7 +154,9 @@ struct hidp_session {
        struct sk_buff_head ctrl_transmit;
        struct sk_buff_head intr_transmit;
-        struct hidp_connadd_req *req;
+        /* Report descriptor */
+        __u8 *rd_data;
+        uint rd_size;
 };
 static inline void hidp_schedule(struct hidp_session *session)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index fc5ee3296e22..89f4a59eb82b 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -252,7 +252,6 @@ static void rfcomm_session_timeout(unsigned long arg)
        BT_DBG("session %p state %ld", s, s->state);
        set_bit(RFCOMM_TIMED_OUT, &s->flags);
-        rfcomm_session_put(s);
        rfcomm_schedule(RFCOMM_SCHED_TIMEO);
 }
@@ -1151,7 +1150,11 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
                        break;
                case BT_DISCONN:
-                        rfcomm_session_put(s);
+                        /* When socket is closed and we are not RFCOMM
+                         * initiator rfcomm_process_rx already calls
+                         * rfcomm_session_put() */
+                        if (s->sock->sk->sk_state != BT_CLOSED)
+                                rfcomm_session_put(s);
                        break;
                }
        }
@@ -1920,6 +1923,7 @@ static inline void rfcomm_process_sessions(void)
                if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
                        s->state = BT_DISCONN;
                        rfcomm_send_disc(s, 0);
+                        rfcomm_session_put(s);
                        continue;
                }

diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c index f36defa37764..57d965b7f521 100644 --- a/drivers/bluetooth/btmrvl_sdio.c +++ b/drivers/bluetooth/btmrvl_sdio.c
@@ -808,6 +808,7 @@ static int btmrvl_sdio_host_to_card(struct btmrvl_private *priv,
808		808
809	exit:	809	exit:
810	sdio_release_host(card->func);	810	sdio_release_host(card->func);
		811	kfree(tmpbuf);
811		812
812	return ret;	813	return ret;
813	}	814	}


diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index b7c4224f4e7d..b10e3cdb08f8 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c
@@ -377,6 +377,9 @@ struct hci_conn hci_connect(struct hci_dev hdev, int type, bdaddr_t *dst, __u8
377		377
378	if (acl->state == BT_CONNECTED &&	378	if (acl->state == BT_CONNECTED &&
379	(sco->state == BT_OPEN \|\| sco->state == BT_CLOSED)) {	379	(sco->state == BT_OPEN \|\| sco->state == BT_CLOSED)) {
		380	acl->power_save = 1;
		381	hci_conn_enter_active_mode(acl);
		382
380	if (lmp_esco_capable(hdev))	383	if (lmp_esco_capable(hdev))
381	hci_setup_sync(sco, acl->handle);	384	hci_setup_sync(sco, acl->handle);
382	else	385	else


diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 28517bad796c..592da5c909c1 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c
@@ -1699,6 +1699,7 @@ static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_bu
1699	break;	1699	break;
1700		1700
1701	case 0x1c: /* SCO interval rejected */	1701	case 0x1c: /* SCO interval rejected */
		1702	case 0x1a: /* Unsupported Remote Feature */
1702	case 0x1f: /* Unspecified error */	1703	case 0x1f: /* Unspecified error */
1703	if (conn->out && conn->attempt < 2) {	1704	if (conn->out && conn->attempt < 2) {
1704	conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) \|	1705	conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) \|


diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 6cf526d06e21..fc6ec1e72652 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c
@@ -703,29 +703,9 @@ static void hidp_close(struct hid_device *hid)
703	static int hidp_parse(struct hid_device *hid)	703	static int hidp_parse(struct hid_device *hid)
704	{	704	{
705	struct hidp_session *session = hid->driver_data;	705	struct hidp_session *session = hid->driver_data;
706	struct hidp_connadd_req *req = session->req;
707	unsigned char *buf;
708	int ret;
709
710	buf = kmalloc(req->rd_size, GFP_KERNEL);
711	if (!buf)
712	return -ENOMEM;
713
714	if (copy_from_user(buf, req->rd_data, req->rd_size)) {
715	kfree(buf);
716	return -EFAULT;
717	}
718
719	ret = hid_parse_report(session->hid, buf, req->rd_size);
720
721	kfree(buf);
722
723	if (ret)
724	return ret;
725
726	session->req = NULL;
727		706
728	return 0;	707	return hid_parse_report(session->hid, session->rd_data,
		708	session->rd_size);
729	}	709	}
730		710
731	static int hidp_start(struct hid_device *hid)	711	static int hidp_start(struct hid_device *hid)
@@ -770,12 +750,24 @@ static int hidp_setup_hid(struct hidp_session *session,
770	bdaddr_t src, dst;	750	bdaddr_t src, dst;
771	int err;	751	int err;
772		752
		753	session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
		754	if (!session->rd_data)
		755	return -ENOMEM;
		756
		757	if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
		758	err = -EFAULT;
		759	goto fault;
		760	}
		761	session->rd_size = req->rd_size;
		762
773	hid = hid_allocate_device();	763	hid = hid_allocate_device();
774	if (IS_ERR(hid))	764	if (IS_ERR(hid)) {
775	return PTR_ERR(hid);	765	err = PTR_ERR(hid);
		766	goto fault;
		767	}
776		768
777	session->hid = hid;	769	session->hid = hid;
778	session->req = req;	770
779	hid->driver_data = session;	771	hid->driver_data = session;
780		772
781	baswap(&src, &bt_sk(session->ctrl_sock->sk)->src);	773	baswap(&src, &bt_sk(session->ctrl_sock->sk)->src);
@@ -806,6 +798,10 @@ failed:
806	hid_destroy_device(hid);	798	hid_destroy_device(hid);
807	session->hid = NULL;	799	session->hid = NULL;
808		800
		801	fault:
		802	kfree(session->rd_data);
		803	session->rd_data = NULL;
		804
809	return err;	805	return err;
810	}	806	}
811		807
@@ -900,6 +896,9 @@ unlink:
900	session->hid = NULL;	896	session->hid = NULL;
901	}	897	}
902		898
		899	kfree(session->rd_data);
		900	session->rd_data = NULL;
		901
903	purge:	902	purge:
904	skb_queue_purge(&session->ctrl_transmit);	903	skb_queue_purge(&session->ctrl_transmit);
905	skb_queue_purge(&session->intr_transmit);	904	skb_queue_purge(&session->intr_transmit);


diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h index faf3d74c3586..a4e215d50c10 100644 --- a/net/bluetooth/hidp/hidp.h +++ b/net/bluetooth/hidp/hidp.h
@@ -154,7 +154,9 @@ struct hidp_session {
154	struct sk_buff_head ctrl_transmit;	154	struct sk_buff_head ctrl_transmit;
155	struct sk_buff_head intr_transmit;	155	struct sk_buff_head intr_transmit;
156		156
157	struct hidp_connadd_req *req;	157	/* Report descriptor */
		158	__u8 *rd_data;
		159	uint rd_size;
158	};	160	};
159		161
160	static inline void hidp_schedule(struct hidp_session *session)	162	static inline void hidp_schedule(struct hidp_session *session)


diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index fc5ee3296e22..89f4a59eb82b 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c
@@ -252,7 +252,6 @@ static void rfcomm_session_timeout(unsigned long arg)
252	BT_DBG("session %p state %ld", s, s->state);	252	BT_DBG("session %p state %ld", s, s->state);
253		253
254	set_bit(RFCOMM_TIMED_OUT, &s->flags);	254	set_bit(RFCOMM_TIMED_OUT, &s->flags);
255	rfcomm_session_put(s);
256	rfcomm_schedule(RFCOMM_SCHED_TIMEO);	255	rfcomm_schedule(RFCOMM_SCHED_TIMEO);
257	}	256	}
258		257
@@ -1151,7 +1150,11 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
1151	break;	1150	break;
1152		1151
1153	case BT_DISCONN:	1152	case BT_DISCONN:
1154	rfcomm_session_put(s);	1153	/* When socket is closed and we are not RFCOMM
		1154	* initiator rfcomm_process_rx already calls
		1155	* rfcomm_session_put() */
		1156	if (s->sock->sk->sk_state != BT_CLOSED)
		1157	rfcomm_session_put(s);
1155	break;	1158	break;
1156	}	1159	}
1157	}	1160	}
@@ -1920,6 +1923,7 @@ static inline void rfcomm_process_sessions(void)
1920	if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {	1923	if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) {
1921	s->state = BT_DISCONN;	1924	s->state = BT_DISCONN;
1922	rfcomm_send_disc(s, 0);	1925	rfcomm_send_disc(s, 0);
		1926	rfcomm_session_put(s);
1923	continue;	1927	continue;
1924	}	1928	}
1925		1929