aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--drivers/bluetooth/ath3k.c2
-rw-r--r--drivers/bluetooth/btusb.c41
-rw-r--r--drivers/bluetooth/hci_h4.c3
-rw-r--r--drivers/bluetooth/hci_ldisc.c15
-rw-r--r--drivers/nfc/Kconfig10
-rw-r--r--drivers/nfc/Makefile1
-rw-r--r--drivers/nfc/mei_phy.c164
-rw-r--r--drivers/nfc/mei_phy.h30
-rw-r--r--drivers/nfc/microread/Kconfig2
-rw-r--r--drivers/nfc/microread/mei.c139
-rw-r--r--drivers/nfc/pn533.c653
-rw-r--r--drivers/nfc/pn544/Kconfig13
-rw-r--r--drivers/nfc/pn544/Makefile2
-rw-r--r--drivers/nfc/pn544/mei.c121
-rw-r--r--include/net/bluetooth/bluetooth.h5
-rw-r--r--include/net/bluetooth/hci.h9
-rw-r--r--include/net/bluetooth/hci_core.h98
-rw-r--r--include/net/bluetooth/l2cap.h15
-rw-r--r--include/net/nfc/nfc.h2
-rw-r--r--include/uapi/linux/nfc.h7
-rw-r--r--include/uapi/linux/rfkill.h2
-rw-r--r--net/bluetooth/hci_conn.c38
-rw-r--r--net/bluetooth/hci_core.c239
-rw-r--r--net/bluetooth/hci_event.c184
-rw-r--r--net/bluetooth/hci_sysfs.c17
-rw-r--r--net/bluetooth/hidp/core.c992
-rw-r--r--net/bluetooth/hidp/hidp.h67
-rw-r--r--net/bluetooth/hidp/sock.c22
-rw-r--r--net/bluetooth/l2cap_core.c127
-rw-r--r--net/bluetooth/l2cap_sock.c6
-rw-r--r--net/bluetooth/mgmt.c17
-rw-r--r--net/bluetooth/sco.c49
-rw-r--r--net/bluetooth/smp.c2
-rw-r--r--net/nfc/core.c43
-rw-r--r--net/nfc/llcp/commands.c30
-rw-r--r--net/nfc/llcp/llcp.c127
-rw-r--r--net/nfc/llcp/llcp.h5
-rw-r--r--net/nfc/llcp/sock.c43
-rw-r--r--net/rfkill/core.c4
39 files changed, 2224 insertions, 1122 deletions
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 6aab00ef4379..11f467c00d0a 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -90,6 +90,7 @@ static struct usb_device_id ath3k_table[] = {
90 { USB_DEVICE(0x13d3, 0x3393) }, 90 { USB_DEVICE(0x13d3, 0x3393) },
91 { USB_DEVICE(0x0489, 0xe04e) }, 91 { USB_DEVICE(0x0489, 0xe04e) },
92 { USB_DEVICE(0x0489, 0xe056) }, 92 { USB_DEVICE(0x0489, 0xe056) },
93 { USB_DEVICE(0x0489, 0xe04d) },
93 94
94 /* Atheros AR5BBU12 with sflash firmware */ 95 /* Atheros AR5BBU12 with sflash firmware */
95 { USB_DEVICE(0x0489, 0xE02C) }, 96 { USB_DEVICE(0x0489, 0xE02C) },
@@ -126,6 +127,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
126 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 127 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
127 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 128 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
128 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 129 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
130 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
129 131
130 /* Atheros AR5BBU22 with sflash firmware */ 132 /* Atheros AR5BBU22 with sflash firmware */
131 { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 }, 133 { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 2cc5f774a29c..3d684d20b584 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -148,6 +148,7 @@ static struct usb_device_id blacklist_table[] = {
148 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 148 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
149 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 149 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
150 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 150 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
151 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
151 152
152 /* Atheros AR5BBU12 with sflash firmware */ 153 /* Atheros AR5BBU12 with sflash firmware */
153 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, 154 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
@@ -926,6 +927,22 @@ static void btusb_waker(struct work_struct *work)
926 usb_autopm_put_interface(data->intf); 927 usb_autopm_put_interface(data->intf);
927} 928}
928 929
930static int btusb_setup_bcm92035(struct hci_dev *hdev)
931{
932 struct sk_buff *skb;
933 u8 val = 0x00;
934
935 BT_DBG("%s", hdev->name);
936
937 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
938 if (IS_ERR(skb))
939 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
940 else
941 kfree_skb(skb);
942
943 return 0;
944}
945
929static int btusb_probe(struct usb_interface *intf, 946static int btusb_probe(struct usb_interface *intf,
930 const struct usb_device_id *id) 947 const struct usb_device_id *id)
931{ 948{
@@ -1022,11 +1039,14 @@ static int btusb_probe(struct usb_interface *intf,
1022 1039
1023 SET_HCIDEV_DEV(hdev, &intf->dev); 1040 SET_HCIDEV_DEV(hdev, &intf->dev);
1024 1041
1025 hdev->open = btusb_open; 1042 hdev->open = btusb_open;
1026 hdev->close = btusb_close; 1043 hdev->close = btusb_close;
1027 hdev->flush = btusb_flush; 1044 hdev->flush = btusb_flush;
1028 hdev->send = btusb_send_frame; 1045 hdev->send = btusb_send_frame;
1029 hdev->notify = btusb_notify; 1046 hdev->notify = btusb_notify;
1047
1048 if (id->driver_info & BTUSB_BCM92035)
1049 hdev->setup = btusb_setup_bcm92035;
1030 1050
1031 /* Interface numbers are hardcoded in the specification */ 1051 /* Interface numbers are hardcoded in the specification */
1032 data->isoc = usb_ifnum_to_if(data->udev, 1); 1052 data->isoc = usb_ifnum_to_if(data->udev, 1);
@@ -1065,17 +1085,6 @@ static int btusb_probe(struct usb_interface *intf,
1065 data->isoc = NULL; 1085 data->isoc = NULL;
1066 } 1086 }
1067 1087
1068 if (id->driver_info & BTUSB_BCM92035) {
1069 unsigned char cmd[] = { 0x3b, 0xfc, 0x01, 0x00 };
1070 struct sk_buff *skb;
1071
1072 skb = bt_skb_alloc(sizeof(cmd), GFP_KERNEL);
1073 if (skb) {
1074 memcpy(skb_put(skb, sizeof(cmd)), cmd, sizeof(cmd));
1075 skb_queue_tail(&hdev->driver_init, skb);
1076 }
1077 }
1078
1079 if (data->isoc) { 1088 if (data->isoc) {
1080 err = usb_driver_claim_interface(&btusb_driver, 1089 err = usb_driver_claim_interface(&btusb_driver,
1081 data->isoc, data); 1090 data->isoc, data);
diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
index c60623f206d4..8ae9f1ea2bb5 100644
--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -153,6 +153,9 @@ static int h4_recv(struct hci_uart *hu, void *data, int count)
153{ 153{
154 int ret; 154 int ret;
155 155
156 if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
157 return -EUNATCH;
158
156 ret = hci_recv_stream_fragment(hu->hdev, data, count); 159 ret = hci_recv_stream_fragment(hu->hdev, data, count);
157 if (ret < 0) { 160 if (ret < 0) {
158 BT_ERR("Frame Reassembly Failed"); 161 BT_ERR("Frame Reassembly Failed");
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index ed0fade46aed..bc68a440d432 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -260,12 +260,12 @@ static int hci_uart_send_frame(struct sk_buff *skb)
260 260
261/* ------ LDISC part ------ */ 261/* ------ LDISC part ------ */
262/* hci_uart_tty_open 262/* hci_uart_tty_open
263 * 263 *
264 * Called when line discipline changed to HCI_UART. 264 * Called when line discipline changed to HCI_UART.
265 * 265 *
266 * Arguments: 266 * Arguments:
267 * tty pointer to tty info structure 267 * tty pointer to tty info structure
268 * Return Value: 268 * Return Value:
269 * 0 if success, otherwise error code 269 * 0 if success, otherwise error code
270 */ 270 */
271static int hci_uart_tty_open(struct tty_struct *tty) 271static int hci_uart_tty_open(struct tty_struct *tty)
@@ -365,15 +365,15 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty)
365} 365}
366 366
367/* hci_uart_tty_receive() 367/* hci_uart_tty_receive()
368 * 368 *
369 * Called by tty low level driver when receive data is 369 * Called by tty low level driver when receive data is
370 * available. 370 * available.
371 * 371 *
372 * Arguments: tty pointer to tty isntance data 372 * Arguments: tty pointer to tty isntance data
373 * data pointer to received data 373 * data pointer to received data
374 * flags pointer to flags for data 374 * flags pointer to flags for data
375 * count count of received data in bytes 375 * count count of received data in bytes
376 * 376 *
377 * Return Value: None 377 * Return Value: None
378 */ 378 */
379static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, char *flags, int count) 379static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, char *flags, int count)
@@ -388,7 +388,10 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, char *f
388 388
389 spin_lock(&hu->rx_lock); 389 spin_lock(&hu->rx_lock);
390 hu->proto->recv(hu, (void *) data, count); 390 hu->proto->recv(hu, (void *) data, count);
391 hu->hdev->stat.byte_rx += count; 391
392 if (hu->hdev)
393 hu->hdev->stat.byte_rx += count;
394
392 spin_unlock(&hu->rx_lock); 395 spin_unlock(&hu->rx_lock);
393 396
394 tty_unthrottle(tty); 397 tty_unthrottle(tty);
diff --git a/drivers/nfc/Kconfig b/drivers/nfc/Kconfig
index e57034971ccc..4775d4e61b88 100644
--- a/drivers/nfc/Kconfig
+++ b/drivers/nfc/Kconfig
@@ -26,6 +26,16 @@ config NFC_WILINK
26 Say Y here to compile support for Texas Instrument's NFC WiLink driver 26 Say Y here to compile support for Texas Instrument's NFC WiLink driver
27 into the kernel or say M to compile it as module. 27 into the kernel or say M to compile it as module.
28 28
29config NFC_MEI_PHY
30 tristate "MEI bus NFC device support"
31 depends on INTEL_MEI_BUS_NFC && NFC_HCI
32 help
33 This adds support to use an mei bus nfc device. Select this if you
34 will use an HCI NFC driver for an NFC chip connected behind an
35 Intel's Management Engine chip.
36
37 If unsure, say N.
38
29source "drivers/nfc/pn544/Kconfig" 39source "drivers/nfc/pn544/Kconfig"
30source "drivers/nfc/microread/Kconfig" 40source "drivers/nfc/microread/Kconfig"
31 41
diff --git a/drivers/nfc/Makefile b/drivers/nfc/Makefile
index a189ada0926a..aa6bd657ef40 100644
--- a/drivers/nfc/Makefile
+++ b/drivers/nfc/Makefile
@@ -6,5 +6,6 @@ obj-$(CONFIG_NFC_PN544) += pn544/
6obj-$(CONFIG_NFC_MICROREAD) += microread/ 6obj-$(CONFIG_NFC_MICROREAD) += microread/
7obj-$(CONFIG_NFC_PN533) += pn533.o 7obj-$(CONFIG_NFC_PN533) += pn533.o
8obj-$(CONFIG_NFC_WILINK) += nfcwilink.o 8obj-$(CONFIG_NFC_WILINK) += nfcwilink.o
9obj-$(CONFIG_NFC_MEI_PHY) += mei_phy.o
9 10
10ccflags-$(CONFIG_NFC_DEBUG) := -DDEBUG 11ccflags-$(CONFIG_NFC_DEBUG) := -DDEBUG
diff --git a/drivers/nfc/mei_phy.c b/drivers/nfc/mei_phy.c
new file mode 100644
index 000000000000..b8f8abc422f0
--- /dev/null
+++ b/drivers/nfc/mei_phy.c
@@ -0,0 +1,164 @@
1/*
2 * MEI Library for mei bus nfc device access
3 *
4 * Copyright (C) 2013 Intel Corporation. All rights reserved.
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms and conditions of the GNU General Public License,
8 * version 2, as published by the Free Software Foundation.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the
17 * Free Software Foundation, Inc.,
18 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 */
20
21#include <linux/module.h>
22#include <linux/slab.h>
23#include <linux/nfc.h>
24
25#include "mei_phy.h"
26
27struct mei_nfc_hdr {
28 u8 cmd;
29 u8 status;
30 u16 req_id;
31 u32 reserved;
32 u16 data_size;
33} __attribute__((packed));
34
35#define MEI_NFC_MAX_READ (MEI_NFC_HEADER_SIZE + MEI_NFC_MAX_HCI_PAYLOAD)
36
37#define MEI_DUMP_SKB_IN(info, skb) \
38do { \
39 pr_debug("%s:\n", info); \
40 print_hex_dump_debug("mei in : ", DUMP_PREFIX_OFFSET, \
41 16, 1, (skb)->data, (skb)->len, false); \
42} while (0)
43
44#define MEI_DUMP_SKB_OUT(info, skb) \
45do { \
46 pr_debug("%s:\n", info); \
47 print_hex_dump_debug("mei out: ", DUMP_PREFIX_OFFSET, \
48 16, 1, (skb)->data, (skb)->len, false); \
49} while (0)
50
51int nfc_mei_phy_enable(void *phy_id)
52{
53 int r;
54 struct nfc_mei_phy *phy = phy_id;
55
56 pr_info("%s\n", __func__);
57
58 if (phy->powered == 1)
59 return 0;
60
61 r = mei_cl_enable_device(phy->device);
62 if (r < 0) {
63 pr_err("MEI_PHY: Could not enable device\n");
64 return r;
65 }
66
67 phy->powered = 1;
68
69 return 0;
70}
71EXPORT_SYMBOL_GPL(nfc_mei_phy_enable);
72
73void nfc_mei_phy_disable(void *phy_id)
74{
75 struct nfc_mei_phy *phy = phy_id;
76
77 pr_info("%s\n", __func__);
78
79 mei_cl_disable_device(phy->device);
80
81 phy->powered = 0;
82}
83EXPORT_SYMBOL_GPL(nfc_mei_phy_disable);
84
85/*
86 * Writing a frame must not return the number of written bytes.
87 * It must return either zero for success, or <0 for error.
88 * In addition, it must not alter the skb
89 */
90static int nfc_mei_phy_write(void *phy_id, struct sk_buff *skb)
91{
92 struct nfc_mei_phy *phy = phy_id;
93 int r;
94
95 MEI_DUMP_SKB_OUT("mei frame sent", skb);
96
97 r = mei_cl_send(phy->device, skb->data, skb->len);
98 if (r > 0)
99 r = 0;
100
101 return r;
102}
103
104void nfc_mei_event_cb(struct mei_cl_device *device, u32 events, void *context)
105{
106 struct nfc_mei_phy *phy = context;
107
108 if (phy->hard_fault != 0)
109 return;
110
111 if (events & BIT(MEI_CL_EVENT_RX)) {
112 struct sk_buff *skb;
113 int reply_size;
114
115 skb = alloc_skb(MEI_NFC_MAX_READ, GFP_KERNEL);
116 if (!skb)
117 return;
118
119 reply_size = mei_cl_recv(device, skb->data, MEI_NFC_MAX_READ);
120 if (reply_size < MEI_NFC_HEADER_SIZE) {
121 kfree(skb);
122 return;
123 }
124
125 skb_put(skb, reply_size);
126 skb_pull(skb, MEI_NFC_HEADER_SIZE);
127
128 MEI_DUMP_SKB_IN("mei frame read", skb);
129
130 nfc_hci_recv_frame(phy->hdev, skb);
131 }
132}
133EXPORT_SYMBOL_GPL(nfc_mei_event_cb);
134
135struct nfc_phy_ops mei_phy_ops = {
136 .write = nfc_mei_phy_write,
137 .enable = nfc_mei_phy_enable,
138 .disable = nfc_mei_phy_disable,
139};
140EXPORT_SYMBOL_GPL(mei_phy_ops);
141
142struct nfc_mei_phy *nfc_mei_phy_alloc(struct mei_cl_device *device)
143{
144 struct nfc_mei_phy *phy;
145
146 phy = kzalloc(sizeof(struct nfc_mei_phy), GFP_KERNEL);
147 if (!phy)
148 return NULL;
149
150 phy->device = device;
151 mei_cl_set_drvdata(device, phy);
152
153 return phy;
154}
155EXPORT_SYMBOL_GPL(nfc_mei_phy_alloc);
156
157void nfc_mei_phy_free(struct nfc_mei_phy *phy)
158{
159 kfree(phy);
160}
161EXPORT_SYMBOL_GPL(nfc_mei_phy_free);
162
163MODULE_LICENSE("GPL");
164MODULE_DESCRIPTION("mei bus NFC device interface");
diff --git a/drivers/nfc/mei_phy.h b/drivers/nfc/mei_phy.h
new file mode 100644
index 000000000000..d669900f8278
--- /dev/null
+++ b/drivers/nfc/mei_phy.h
@@ -0,0 +1,30 @@
1#ifndef __LOCAL_MEI_PHY_H_
2#define __LOCAL_MEI_PHY_H_
3
4#include <linux/mei_cl_bus.h>
5#include <net/nfc/hci.h>
6
7#define MEI_NFC_HEADER_SIZE 10
8#define MEI_NFC_MAX_HCI_PAYLOAD 300
9
10struct nfc_mei_phy {
11 struct mei_cl_device *device;
12 struct nfc_hci_dev *hdev;
13
14 int powered;
15
16 int hard_fault; /*
17 * < 0 if hardware error occured
18 * and prevents normal operation.
19 */
20};
21
22extern struct nfc_phy_ops mei_phy_ops;
23
24int nfc_mei_phy_enable(void *phy_id);
25void nfc_mei_phy_disable(void *phy_id);
26void nfc_mei_event_cb(struct mei_cl_device *device, u32 events, void *context);
27struct nfc_mei_phy *nfc_mei_phy_alloc(struct mei_cl_device *device);
28void nfc_mei_phy_free(struct nfc_mei_phy *phy);
29
30#endif /* __LOCAL_MEI_PHY_H_ */
diff --git a/drivers/nfc/microread/Kconfig b/drivers/nfc/microread/Kconfig
index 572305be6e37..951d5542f6bc 100644
--- a/drivers/nfc/microread/Kconfig
+++ b/drivers/nfc/microread/Kconfig
@@ -25,7 +25,7 @@ config NFC_MICROREAD_I2C
25 25
26config NFC_MICROREAD_MEI 26config NFC_MICROREAD_MEI
27 tristate "NFC Microread MEI support" 27 tristate "NFC Microread MEI support"
28 depends on NFC_MICROREAD && INTEL_MEI_BUS_NFC 28 depends on NFC_MICROREAD && NFC_MEI_PHY
29 ---help--- 29 ---help---
30 This module adds support for the mei interface of adapters using 30 This module adds support for the mei interface of adapters using
31 Inside microread chipsets. Select this if your microread chipset 31 Inside microread chipsets. Select this if your microread chipset
diff --git a/drivers/nfc/microread/mei.c b/drivers/nfc/microread/mei.c
index ca33ae193935..1ad044dce7b6 100644
--- a/drivers/nfc/microread/mei.c
+++ b/drivers/nfc/microread/mei.c
@@ -19,151 +19,31 @@
19 */ 19 */
20 20
21#include <linux/module.h> 21#include <linux/module.h>
22#include <linux/slab.h> 22#include <linux/mod_devicetable.h>
23#include <linux/interrupt.h>
24#include <linux/gpio.h>
25#include <linux/mei_cl_bus.h>
26
27#include <linux/nfc.h> 23#include <linux/nfc.h>
28#include <net/nfc/hci.h> 24#include <net/nfc/hci.h>
29#include <net/nfc/llc.h> 25#include <net/nfc/llc.h>
30 26
27#include "../mei_phy.h"
31#include "microread.h" 28#include "microread.h"
32 29
33#define MICROREAD_DRIVER_NAME "microread" 30#define MICROREAD_DRIVER_NAME "microread"
34 31
35struct mei_nfc_hdr {
36 u8 cmd;
37 u8 status;
38 u16 req_id;
39 u32 reserved;
40 u16 data_size;
41} __attribute__((packed));
42
43#define MEI_NFC_HEADER_SIZE 10
44#define MEI_NFC_MAX_HCI_PAYLOAD 300
45#define MEI_NFC_MAX_READ (MEI_NFC_HEADER_SIZE + MEI_NFC_MAX_HCI_PAYLOAD)
46
47struct microread_mei_phy {
48 struct mei_cl_device *device;
49 struct nfc_hci_dev *hdev;
50
51 int powered;
52
53 int hard_fault; /*
54 * < 0 if hardware error occured (e.g. i2c err)
55 * and prevents normal operation.
56 */
57};
58
59#define MEI_DUMP_SKB_IN(info, skb) \
60do { \
61 pr_debug("%s:\n", info); \
62 print_hex_dump(KERN_DEBUG, "mei in : ", DUMP_PREFIX_OFFSET, \
63 16, 1, (skb)->data, (skb)->len, 0); \
64} while (0)
65
66#define MEI_DUMP_SKB_OUT(info, skb) \
67do { \
68 pr_debug("%s:\n", info); \
69 print_hex_dump(KERN_DEBUG, "mei out: ", DUMP_PREFIX_OFFSET, \
70 16, 1, (skb)->data, (skb)->len, 0); \
71} while (0)
72
73static int microread_mei_enable(void *phy_id)
74{
75 struct microread_mei_phy *phy = phy_id;
76
77 pr_info(DRIVER_DESC ": %s\n", __func__);
78
79 phy->powered = 1;
80
81 return 0;
82}
83
84static void microread_mei_disable(void *phy_id)
85{
86 struct microread_mei_phy *phy = phy_id;
87
88 pr_info(DRIVER_DESC ": %s\n", __func__);
89
90 phy->powered = 0;
91}
92
93/*
94 * Writing a frame must not return the number of written bytes.
95 * It must return either zero for success, or <0 for error.
96 * In addition, it must not alter the skb
97 */
98static int microread_mei_write(void *phy_id, struct sk_buff *skb)
99{
100 struct microread_mei_phy *phy = phy_id;
101 int r;
102
103 MEI_DUMP_SKB_OUT("mei frame sent", skb);
104
105 r = mei_cl_send(phy->device, skb->data, skb->len);
106 if (r > 0)
107 r = 0;
108
109 return r;
110}
111
112static void microread_event_cb(struct mei_cl_device *device, u32 events,
113 void *context)
114{
115 struct microread_mei_phy *phy = context;
116
117 if (phy->hard_fault != 0)
118 return;
119
120 if (events & BIT(MEI_CL_EVENT_RX)) {
121 struct sk_buff *skb;
122 int reply_size;
123
124 skb = alloc_skb(MEI_NFC_MAX_READ, GFP_KERNEL);
125 if (!skb)
126 return;
127
128 reply_size = mei_cl_recv(device, skb->data, MEI_NFC_MAX_READ);
129 if (reply_size < MEI_NFC_HEADER_SIZE) {
130 kfree(skb);
131 return;
132 }
133
134 skb_put(skb, reply_size);
135 skb_pull(skb, MEI_NFC_HEADER_SIZE);
136
137 MEI_DUMP_SKB_IN("mei frame read", skb);
138
139 nfc_hci_recv_frame(phy->hdev, skb);
140 }
141}
142
143static struct nfc_phy_ops mei_phy_ops = {
144 .write = microread_mei_write,
145 .enable = microread_mei_enable,
146 .disable = microread_mei_disable,
147};
148
149static int microread_mei_probe(struct mei_cl_device *device, 32static int microread_mei_probe(struct mei_cl_device *device,
150 const struct mei_cl_device_id *id) 33 const struct mei_cl_device_id *id)
151{ 34{
152 struct microread_mei_phy *phy; 35 struct nfc_mei_phy *phy;
153 int r; 36 int r;
154 37
155 pr_info("Probing NFC microread\n"); 38 pr_info("Probing NFC microread\n");
156 39
157 phy = kzalloc(sizeof(struct microread_mei_phy), GFP_KERNEL); 40 phy = nfc_mei_phy_alloc(device);
158 if (!phy) { 41 if (!phy) {
159 pr_err("Cannot allocate memory for microread mei phy.\n"); 42 pr_err("Cannot allocate memory for microread mei phy.\n");
160 return -ENOMEM; 43 return -ENOMEM;
161 } 44 }
162 45
163 phy->device = device; 46 r = mei_cl_register_event_cb(device, nfc_mei_event_cb, phy);
164 mei_cl_set_drvdata(device, phy);
165
166 r = mei_cl_register_event_cb(device, microread_event_cb, phy);
167 if (r) { 47 if (r) {
168 pr_err(MICROREAD_DRIVER_NAME ": event cb registration failed\n"); 48 pr_err(MICROREAD_DRIVER_NAME ": event cb registration failed\n");
169 goto err_out; 49 goto err_out;
@@ -178,23 +58,22 @@ static int microread_mei_probe(struct mei_cl_device *device,
178 return 0; 58 return 0;
179 59
180err_out: 60err_out:
181 kfree(phy); 61 nfc_mei_phy_free(phy);
182 62
183 return r; 63 return r;
184} 64}
185 65
186static int microread_mei_remove(struct mei_cl_device *device) 66static int microread_mei_remove(struct mei_cl_device *device)
187{ 67{
188 struct microread_mei_phy *phy = mei_cl_get_drvdata(device); 68 struct nfc_mei_phy *phy = mei_cl_get_drvdata(device);
189 69
190 pr_info("Removing microread\n"); 70 pr_info("Removing microread\n");
191 71
192 microread_remove(phy->hdev); 72 microread_remove(phy->hdev);
193 73
194 if (phy->powered) 74 nfc_mei_phy_disable(phy);
195 microread_mei_disable(phy);
196 75
197 kfree(phy); 76 nfc_mei_phy_free(phy);
198 77
199 return 0; 78 return 0;
200} 79}
diff --git a/drivers/nfc/pn533.c b/drivers/nfc/pn533.c
index f0f6763d67ae..8f6f2baa930d 100644
--- a/drivers/nfc/pn533.c
+++ b/drivers/nfc/pn533.c
@@ -1,9 +1,6 @@
1/* 1/*
2 * Copyright (C) 2011 Instituto Nokia de Tecnologia 2 * Copyright (C) 2011 Instituto Nokia de Tecnologia
3 * 3 * Copyright (C) 2012-2013 Tieto Poland
4 * Authors:
5 * Lauro Ramos Venancio <lauro.venancio@openbossa.org>
6 * Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
7 * 4 *
8 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by 6 * it under the terms of the GNU General Public License as published by
@@ -30,7 +27,7 @@
30#include <linux/netdevice.h> 27#include <linux/netdevice.h>
31#include <net/nfc/nfc.h> 28#include <net/nfc/nfc.h>
32 29
33#define VERSION "0.1" 30#define VERSION "0.2"
34 31
35#define PN533_VENDOR_ID 0x4CC 32#define PN533_VENDOR_ID 0x4CC
36#define PN533_PRODUCT_ID 0x2533 33#define PN533_PRODUCT_ID 0x2533
@@ -41,8 +38,12 @@
41#define SONY_VENDOR_ID 0x054c 38#define SONY_VENDOR_ID 0x054c
42#define PASORI_PRODUCT_ID 0x02e1 39#define PASORI_PRODUCT_ID 0x02e1
43 40
44#define PN533_DEVICE_STD 0x1 41#define ACS_VENDOR_ID 0x072f
45#define PN533_DEVICE_PASORI 0x2 42#define ACR122U_PRODUCT_ID 0x2200
43
44#define PN533_DEVICE_STD 0x1
45#define PN533_DEVICE_PASORI 0x2
46#define PN533_DEVICE_ACR122U 0x3
46 47
47#define PN533_ALL_PROTOCOLS (NFC_PROTO_JEWEL_MASK | NFC_PROTO_MIFARE_MASK |\ 48#define PN533_ALL_PROTOCOLS (NFC_PROTO_JEWEL_MASK | NFC_PROTO_MIFARE_MASK |\
48 NFC_PROTO_FELICA_MASK | NFC_PROTO_ISO14443_MASK |\ 49 NFC_PROTO_FELICA_MASK | NFC_PROTO_ISO14443_MASK |\
@@ -71,6 +72,11 @@ static const struct usb_device_id pn533_table[] = {
71 .idProduct = PASORI_PRODUCT_ID, 72 .idProduct = PASORI_PRODUCT_ID,
72 .driver_info = PN533_DEVICE_PASORI, 73 .driver_info = PN533_DEVICE_PASORI,
73 }, 74 },
75 { .match_flags = USB_DEVICE_ID_MATCH_DEVICE,
76 .idVendor = ACS_VENDOR_ID,
77 .idProduct = ACR122U_PRODUCT_ID,
78 .driver_info = PN533_DEVICE_ACR122U,
79 },
74 { } 80 { }
75}; 81};
76MODULE_DEVICE_TABLE(usb, pn533_table); 82MODULE_DEVICE_TABLE(usb, pn533_table);
@@ -78,32 +84,47 @@ MODULE_DEVICE_TABLE(usb, pn533_table);
78/* How much time we spend listening for initiators */ 84/* How much time we spend listening for initiators */
79#define PN533_LISTEN_TIME 2 85#define PN533_LISTEN_TIME 2
80 86
81/* frame definitions */ 87/* Standard pn533 frame definitions */
82#define PN533_FRAME_HEADER_LEN (sizeof(struct pn533_frame) \ 88#define PN533_STD_FRAME_HEADER_LEN (sizeof(struct pn533_std_frame) \
83 + 2) /* data[0] TFI, data[1] CC */ 89 + 2) /* data[0] TFI, data[1] CC */
84#define PN533_FRAME_TAIL_LEN 2 /* data[len] DCS, data[len + 1] postamble*/ 90#define PN533_STD_FRAME_TAIL_LEN 2 /* data[len] DCS, data[len + 1] postamble*/
85 91
86/* 92/*
87 * Max extended frame payload len, excluding TFI and CC 93 * Max extended frame payload len, excluding TFI and CC
88 * which are already in PN533_FRAME_HEADER_LEN. 94 * which are already in PN533_FRAME_HEADER_LEN.
89 */ 95 */
90#define PN533_FRAME_MAX_PAYLOAD_LEN 263 96#define PN533_STD_FRAME_MAX_PAYLOAD_LEN 263
91 97
92#define PN533_FRAME_ACK_SIZE 6 /* Preamble (1), SoPC (2), ACK Code (2), 98#define PN533_STD_FRAME_ACK_SIZE 6 /* Preamble (1), SoPC (2), ACK Code (2),
93 Postamble (1) */ 99 Postamble (1) */
94#define PN533_FRAME_CHECKSUM(f) (f->data[f->datalen]) 100#define PN533_STD_FRAME_CHECKSUM(f) (f->data[f->datalen])
95#define PN533_FRAME_POSTAMBLE(f) (f->data[f->datalen + 1]) 101#define PN533_STD_FRAME_POSTAMBLE(f) (f->data[f->datalen + 1])
96 102
97/* start of frame */ 103/* start of frame */
98#define PN533_SOF 0x00FF 104#define PN533_STD_FRAME_SOF 0x00FF
105
106/* standard frame identifier: in/out/error */
107#define PN533_STD_FRAME_IDENTIFIER(f) (f->data[0]) /* TFI */
108#define PN533_STD_FRAME_DIR_OUT 0xD4
109#define PN533_STD_FRAME_DIR_IN 0xD5
110
111/* ACS ACR122 pn533 frame definitions */
112#define PN533_ACR122_TX_FRAME_HEADER_LEN (sizeof(struct pn533_acr122_tx_frame) \
113 + 2)
114#define PN533_ACR122_TX_FRAME_TAIL_LEN 0
115#define PN533_ACR122_RX_FRAME_HEADER_LEN (sizeof(struct pn533_acr122_rx_frame) \
116 + 2)
117#define PN533_ACR122_RX_FRAME_TAIL_LEN 2
118#define PN533_ACR122_FRAME_MAX_PAYLOAD_LEN PN533_STD_FRAME_MAX_PAYLOAD_LEN
119
120/* CCID messages types */
121#define PN533_ACR122_PC_TO_RDR_ICCPOWERON 0x62
122#define PN533_ACR122_PC_TO_RDR_ESCAPE 0x6B
99 123
100/* frame identifier: in/out/error */ 124#define PN533_ACR122_RDR_TO_PC_ESCAPE 0x83
101#define PN533_FRAME_IDENTIFIER(f) (f->data[0])
102#define PN533_DIR_OUT 0xD4
103#define PN533_DIR_IN 0xD5
104 125
105/* PN533 Commands */ 126/* PN533 Commands */
106#define PN533_FRAME_CMD(f) (f->data[1]) 127#define PN533_STD_FRAME_CMD(f) (f->data[1])
107 128
108#define PN533_CMD_GET_FIRMWARE_VERSION 0x02 129#define PN533_CMD_GET_FIRMWARE_VERSION 0x02
109#define PN533_CMD_RF_CONFIGURATION 0x32 130#define PN533_CMD_RF_CONFIGURATION 0x32
@@ -128,8 +149,6 @@ MODULE_DEVICE_TABLE(usb, pn533_table);
128 149
129struct pn533; 150struct pn533;
130 151
131typedef int (*pn533_cmd_complete_t) (struct pn533 *dev, void *arg, int status);
132
133typedef int (*pn533_send_async_complete_t) (struct pn533 *dev, void *arg, 152typedef int (*pn533_send_async_complete_t) (struct pn533 *dev, void *arg,
134 struct sk_buff *resp); 153 struct sk_buff *resp);
135 154
@@ -144,9 +163,13 @@ struct pn533_fw_version {
144}; 163};
145 164
146/* PN533_CMD_RF_CONFIGURATION */ 165/* PN533_CMD_RF_CONFIGURATION */
147#define PN533_CFGITEM_TIMING 0x02 166#define PN533_CFGITEM_RF_FIELD 0x01
167#define PN533_CFGITEM_TIMING 0x02
148#define PN533_CFGITEM_MAX_RETRIES 0x05 168#define PN533_CFGITEM_MAX_RETRIES 0x05
149#define PN533_CFGITEM_PASORI 0x82 169#define PN533_CFGITEM_PASORI 0x82
170
171#define PN533_CFGITEM_RF_FIELD_ON 0x1
172#define PN533_CFGITEM_RF_FIELD_OFF 0x0
150 173
151#define PN533_CONFIG_TIMING_102 0xb 174#define PN533_CONFIG_TIMING_102 0xb
152#define PN533_CONFIG_TIMING_204 0xc 175#define PN533_CONFIG_TIMING_204 0xc
@@ -313,10 +336,17 @@ struct pn533_cmd_jump_dep_response {
313#define PN533_INIT_TARGET_RESP_ACTIVE 0x1 336#define PN533_INIT_TARGET_RESP_ACTIVE 0x1
314#define PN533_INIT_TARGET_RESP_DEP 0x4 337#define PN533_INIT_TARGET_RESP_DEP 0x4
315 338
339enum pn533_protocol_type {
340 PN533_PROTO_REQ_ACK_RESP = 0,
341 PN533_PROTO_REQ_RESP
342};
343
316struct pn533 { 344struct pn533 {
317 struct usb_device *udev; 345 struct usb_device *udev;
318 struct usb_interface *interface; 346 struct usb_interface *interface;
319 struct nfc_dev *nfc_dev; 347 struct nfc_dev *nfc_dev;
348 u32 device_type;
349 enum pn533_protocol_type protocol_type;
320 350
321 struct urb *out_urb; 351 struct urb *out_urb;
322 struct urb *in_urb; 352 struct urb *in_urb;
@@ -329,21 +359,21 @@ struct pn533 {
329 struct work_struct poll_work; 359 struct work_struct poll_work;
330 struct work_struct mi_work; 360 struct work_struct mi_work;
331 struct work_struct tg_work; 361 struct work_struct tg_work;
332 struct timer_list listen_timer;
333 int wq_in_error;
334 int cancel_listen;
335 362
336 pn533_cmd_complete_t cmd_complete; 363 struct list_head cmd_queue;
337 void *cmd_complete_arg; 364 struct pn533_cmd *cmd;
365 u8 cmd_pending;
366 struct mutex cmd_lock; /* protects cmd queue */
367
338 void *cmd_complete_mi_arg; 368 void *cmd_complete_mi_arg;
339 struct mutex cmd_lock;
340 u8 cmd;
341 369
342 struct pn533_poll_modulations *poll_mod_active[PN533_POLL_MOD_MAX + 1]; 370 struct pn533_poll_modulations *poll_mod_active[PN533_POLL_MOD_MAX + 1];
343 u8 poll_mod_count; 371 u8 poll_mod_count;
344 u8 poll_mod_curr; 372 u8 poll_mod_curr;
345 u32 poll_protocols; 373 u32 poll_protocols;
346 u32 listen_protocols; 374 u32 listen_protocols;
375 struct timer_list listen_timer;
376 int cancel_listen;
347 377
348 u8 *gb; 378 u8 *gb;
349 size_t gb_len; 379 size_t gb_len;
@@ -352,24 +382,21 @@ struct pn533 {
352 u8 tgt_active_prot; 382 u8 tgt_active_prot;
353 u8 tgt_mode; 383 u8 tgt_mode;
354 384
355 u32 device_type;
356
357 struct list_head cmd_queue;
358 u8 cmd_pending;
359
360 struct pn533_frame_ops *ops; 385 struct pn533_frame_ops *ops;
361}; 386};
362 387
363struct pn533_cmd { 388struct pn533_cmd {
364 struct list_head queue; 389 struct list_head queue;
365 u8 cmd_code; 390 u8 code;
391 int status;
366 struct sk_buff *req; 392 struct sk_buff *req;
367 struct sk_buff *resp; 393 struct sk_buff *resp;
368 int resp_len; 394 int resp_len;
369 void *arg; 395 pn533_send_async_complete_t complete_cb;
396 void *complete_cb_context;
370}; 397};
371 398
372struct pn533_frame { 399struct pn533_std_frame {
373 u8 preamble; 400 u8 preamble;
374 __be16 start_frame; 401 __be16 start_frame;
375 u8 datalen; 402 u8 datalen;
@@ -393,14 +420,124 @@ struct pn533_frame_ops {
393 u8 (*get_cmd_code)(void *frame); 420 u8 (*get_cmd_code)(void *frame);
394}; 421};
395 422
423struct pn533_acr122_ccid_hdr {
424 u8 type;
425 u32 datalen;
426 u8 slot;
427 u8 seq;
428 u8 params[3]; /* 3 msg specific bytes or status, error and 1 specific
429 byte for reposnse msg */
430 u8 data[]; /* payload */
431} __packed;
432
433struct pn533_acr122_apdu_hdr {
434 u8 class;
435 u8 ins;
436 u8 p1;
437 u8 p2;
438} __packed;
439
440struct pn533_acr122_tx_frame {
441 struct pn533_acr122_ccid_hdr ccid;
442 struct pn533_acr122_apdu_hdr apdu;
443 u8 datalen;
444 u8 data[]; /* pn533 frame: TFI ... */
445} __packed;
446
447struct pn533_acr122_rx_frame {
448 struct pn533_acr122_ccid_hdr ccid;
449 u8 data[]; /* pn533 frame : TFI ... */
450} __packed;
451
452static void pn533_acr122_tx_frame_init(void *_frame, u8 cmd_code)
453{
454 struct pn533_acr122_tx_frame *frame = _frame;
455
456 frame->ccid.type = PN533_ACR122_PC_TO_RDR_ESCAPE;
457 frame->ccid.datalen = sizeof(frame->apdu) + 1; /* sizeof(apdu_hdr) +
458 sizeof(datalen) */
459 frame->ccid.slot = 0;
460 frame->ccid.seq = 0;
461 frame->ccid.params[0] = 0;
462 frame->ccid.params[1] = 0;
463 frame->ccid.params[2] = 0;
464
465 frame->data[0] = PN533_STD_FRAME_DIR_OUT;
466 frame->data[1] = cmd_code;
467 frame->datalen = 2; /* data[0] + data[1] */
468
469 frame->apdu.class = 0xFF;
470 frame->apdu.ins = 0;
471 frame->apdu.p1 = 0;
472 frame->apdu.p2 = 0;
473}
474
475static void pn533_acr122_tx_frame_finish(void *_frame)
476{
477 struct pn533_acr122_tx_frame *frame = _frame;
478
479 frame->ccid.datalen += frame->datalen;
480}
481
482static void pn533_acr122_tx_update_payload_len(void *_frame, int len)
483{
484 struct pn533_acr122_tx_frame *frame = _frame;
485
486 frame->datalen += len;
487}
488
489static bool pn533_acr122_is_rx_frame_valid(void *_frame)
490{
491 struct pn533_acr122_rx_frame *frame = _frame;
492
493 if (frame->ccid.type != 0x83)
494 return false;
495
496 if (frame->data[frame->ccid.datalen - 2] == 0x63)
497 return false;
498
499 return true;
500}
501
502static int pn533_acr122_rx_frame_size(void *frame)
503{
504 struct pn533_acr122_rx_frame *f = frame;
505
506 /* f->ccid.datalen already includes tail length */
507 return sizeof(struct pn533_acr122_rx_frame) + f->ccid.datalen;
508}
509
510static u8 pn533_acr122_get_cmd_code(void *frame)
511{
512 struct pn533_acr122_rx_frame *f = frame;
513
514 return PN533_STD_FRAME_CMD(f);
515}
516
517static struct pn533_frame_ops pn533_acr122_frame_ops = {
518 .tx_frame_init = pn533_acr122_tx_frame_init,
519 .tx_frame_finish = pn533_acr122_tx_frame_finish,
520 .tx_update_payload_len = pn533_acr122_tx_update_payload_len,
521 .tx_header_len = PN533_ACR122_TX_FRAME_HEADER_LEN,
522 .tx_tail_len = PN533_ACR122_TX_FRAME_TAIL_LEN,
523
524 .rx_is_frame_valid = pn533_acr122_is_rx_frame_valid,
525 .rx_header_len = PN533_ACR122_RX_FRAME_HEADER_LEN,
526 .rx_tail_len = PN533_ACR122_RX_FRAME_TAIL_LEN,
527 .rx_frame_size = pn533_acr122_rx_frame_size,
528
529 .max_payload_len = PN533_ACR122_FRAME_MAX_PAYLOAD_LEN,
530 .get_cmd_code = pn533_acr122_get_cmd_code,
531};
532
396/* The rule: value + checksum = 0 */ 533/* The rule: value + checksum = 0 */
397static inline u8 pn533_checksum(u8 value) 534static inline u8 pn533_std_checksum(u8 value)
398{ 535{
399 return ~value + 1; 536 return ~value + 1;
400} 537}
401 538
402/* The rule: sum(data elements) + checksum = 0 */ 539/* The rule: sum(data elements) + checksum = 0 */
403static u8 pn533_data_checksum(u8 *data, int datalen) 540static u8 pn533_std_data_checksum(u8 *data, int datalen)
404{ 541{
405 u8 sum = 0; 542 u8 sum = 0;
406 int i; 543 int i;
@@ -408,61 +545,61 @@ static u8 pn533_data_checksum(u8 *data, int datalen)
408 for (i = 0; i < datalen; i++) 545 for (i = 0; i < datalen; i++)
409 sum += data[i]; 546 sum += data[i];
410 547
411 return pn533_checksum(sum); 548 return pn533_std_checksum(sum);
412} 549}
413 550
414static void pn533_tx_frame_init(void *_frame, u8 cmd_code) 551static void pn533_std_tx_frame_init(void *_frame, u8 cmd_code)
415{ 552{
416 struct pn533_frame *frame = _frame; 553 struct pn533_std_frame *frame = _frame;
417 554
418 frame->preamble = 0; 555 frame->preamble = 0;
419 frame->start_frame = cpu_to_be16(PN533_SOF); 556 frame->start_frame = cpu_to_be16(PN533_STD_FRAME_SOF);
420 PN533_FRAME_IDENTIFIER(frame) = PN533_DIR_OUT; 557 PN533_STD_FRAME_IDENTIFIER(frame) = PN533_STD_FRAME_DIR_OUT;
421 PN533_FRAME_CMD(frame) = cmd_code; 558 PN533_STD_FRAME_CMD(frame) = cmd_code;
422 frame->datalen = 2; 559 frame->datalen = 2;
423} 560}
424 561
425static void pn533_tx_frame_finish(void *_frame) 562static void pn533_std_tx_frame_finish(void *_frame)
426{ 563{
427 struct pn533_frame *frame = _frame; 564 struct pn533_std_frame *frame = _frame;
428 565
429 frame->datalen_checksum = pn533_checksum(frame->datalen); 566 frame->datalen_checksum = pn533_std_checksum(frame->datalen);
430 567
431 PN533_FRAME_CHECKSUM(frame) = 568 PN533_STD_FRAME_CHECKSUM(frame) =
432 pn533_data_checksum(frame->data, frame->datalen); 569 pn533_std_data_checksum(frame->data, frame->datalen);
433 570
434 PN533_FRAME_POSTAMBLE(frame) = 0; 571 PN533_STD_FRAME_POSTAMBLE(frame) = 0;
435} 572}
436 573
437static void pn533_tx_update_payload_len(void *_frame, int len) 574static void pn533_std_tx_update_payload_len(void *_frame, int len)
438{ 575{
439 struct pn533_frame *frame = _frame; 576 struct pn533_std_frame *frame = _frame;
440 577
441 frame->datalen += len; 578 frame->datalen += len;
442} 579}
443 580
444static bool pn533_rx_frame_is_valid(void *_frame) 581static bool pn533_std_rx_frame_is_valid(void *_frame)
445{ 582{
446 u8 checksum; 583 u8 checksum;
447 struct pn533_frame *frame = _frame; 584 struct pn533_std_frame *frame = _frame;
448 585
449 if (frame->start_frame != cpu_to_be16(PN533_SOF)) 586 if (frame->start_frame != cpu_to_be16(PN533_STD_FRAME_SOF))
450 return false; 587 return false;
451 588
452 checksum = pn533_checksum(frame->datalen); 589 checksum = pn533_std_checksum(frame->datalen);
453 if (checksum != frame->datalen_checksum) 590 if (checksum != frame->datalen_checksum)
454 return false; 591 return false;
455 592
456 checksum = pn533_data_checksum(frame->data, frame->datalen); 593 checksum = pn533_std_data_checksum(frame->data, frame->datalen);
457 if (checksum != PN533_FRAME_CHECKSUM(frame)) 594 if (checksum != PN533_STD_FRAME_CHECKSUM(frame))
458 return false; 595 return false;
459 596
460 return true; 597 return true;
461} 598}
462 599
463static bool pn533_rx_frame_is_ack(struct pn533_frame *frame) 600static bool pn533_std_rx_frame_is_ack(struct pn533_std_frame *frame)
464{ 601{
465 if (frame->start_frame != cpu_to_be16(PN533_SOF)) 602 if (frame->start_frame != cpu_to_be16(PN533_STD_FRAME_SOF))
466 return false; 603 return false;
467 604
468 if (frame->datalen != 0 || frame->datalen_checksum != 0xFF) 605 if (frame->datalen != 0 || frame->datalen_checksum != 0xFF)
@@ -471,57 +608,51 @@ static bool pn533_rx_frame_is_ack(struct pn533_frame *frame)
471 return true; 608 return true;
472} 609}
473 610
474static inline int pn533_rx_frame_size(void *frame) 611static inline int pn533_std_rx_frame_size(void *frame)
475{ 612{
476 struct pn533_frame *f = frame; 613 struct pn533_std_frame *f = frame;
477 614
478 return sizeof(struct pn533_frame) + f->datalen + PN533_FRAME_TAIL_LEN; 615 return sizeof(struct pn533_std_frame) + f->datalen +
616 PN533_STD_FRAME_TAIL_LEN;
479} 617}
480 618
481static u8 pn533_get_cmd_code(void *frame) 619static u8 pn533_std_get_cmd_code(void *frame)
482{ 620{
483 struct pn533_frame *f = frame; 621 struct pn533_std_frame *f = frame;
484 622
485 return PN533_FRAME_CMD(f); 623 return PN533_STD_FRAME_CMD(f);
486} 624}
487 625
488static struct pn533_frame_ops pn533_std_frame_ops = { 626static struct pn533_frame_ops pn533_std_frame_ops = {
489 .tx_frame_init = pn533_tx_frame_init, 627 .tx_frame_init = pn533_std_tx_frame_init,
490 .tx_frame_finish = pn533_tx_frame_finish, 628 .tx_frame_finish = pn533_std_tx_frame_finish,
491 .tx_update_payload_len = pn533_tx_update_payload_len, 629 .tx_update_payload_len = pn533_std_tx_update_payload_len,
492 .tx_header_len = PN533_FRAME_HEADER_LEN, 630 .tx_header_len = PN533_STD_FRAME_HEADER_LEN,
493 .tx_tail_len = PN533_FRAME_TAIL_LEN, 631 .tx_tail_len = PN533_STD_FRAME_TAIL_LEN,
494 632
495 .rx_is_frame_valid = pn533_rx_frame_is_valid, 633 .rx_is_frame_valid = pn533_std_rx_frame_is_valid,
496 .rx_frame_size = pn533_rx_frame_size, 634 .rx_frame_size = pn533_std_rx_frame_size,
497 .rx_header_len = PN533_FRAME_HEADER_LEN, 635 .rx_header_len = PN533_STD_FRAME_HEADER_LEN,
498 .rx_tail_len = PN533_FRAME_TAIL_LEN, 636 .rx_tail_len = PN533_STD_FRAME_TAIL_LEN,
499 637
500 .max_payload_len = PN533_FRAME_MAX_PAYLOAD_LEN, 638 .max_payload_len = PN533_STD_FRAME_MAX_PAYLOAD_LEN,
501 .get_cmd_code = pn533_get_cmd_code, 639 .get_cmd_code = pn533_std_get_cmd_code,
502}; 640};
503 641
504static bool pn533_rx_frame_is_cmd_response(struct pn533 *dev, void *frame) 642static bool pn533_rx_frame_is_cmd_response(struct pn533 *dev, void *frame)
505{ 643{
506 return (dev->ops->get_cmd_code(frame) == PN533_CMD_RESPONSE(dev->cmd)); 644 return (dev->ops->get_cmd_code(frame) ==
507} 645 PN533_CMD_RESPONSE(dev->cmd->code));
508
509
510static void pn533_wq_cmd_complete(struct work_struct *work)
511{
512 struct pn533 *dev = container_of(work, struct pn533, cmd_complete_work);
513 int rc;
514
515 rc = dev->cmd_complete(dev, dev->cmd_complete_arg, dev->wq_in_error);
516 if (rc != -EINPROGRESS)
517 queue_work(dev->wq, &dev->cmd_work);
518} 646}
519 647
520static void pn533_recv_response(struct urb *urb) 648static void pn533_recv_response(struct urb *urb)
521{ 649{
522 struct pn533 *dev = urb->context; 650 struct pn533 *dev = urb->context;
651 struct pn533_cmd *cmd = dev->cmd;
523 u8 *in_frame; 652 u8 *in_frame;
524 653
654 cmd->status = urb->status;
655
525 switch (urb->status) { 656 switch (urb->status) {
526 case 0: 657 case 0:
527 break; /* success */ 658 break; /* success */
@@ -530,37 +661,33 @@ static void pn533_recv_response(struct urb *urb)
530 nfc_dev_dbg(&dev->interface->dev, 661 nfc_dev_dbg(&dev->interface->dev,
531 "The urb has been canceled (status %d)", 662 "The urb has been canceled (status %d)",
532 urb->status); 663 urb->status);
533 dev->wq_in_error = urb->status;
534 goto sched_wq; 664 goto sched_wq;
535 case -ESHUTDOWN: 665 case -ESHUTDOWN:
536 default: 666 default:
537 nfc_dev_err(&dev->interface->dev, 667 nfc_dev_err(&dev->interface->dev,
538 "Urb failure (status %d)", urb->status); 668 "Urb failure (status %d)", urb->status);
539 dev->wq_in_error = urb->status;
540 goto sched_wq; 669 goto sched_wq;
541 } 670 }
542 671
543 in_frame = dev->in_urb->transfer_buffer; 672 in_frame = dev->in_urb->transfer_buffer;
544 673
545 nfc_dev_dbg(&dev->interface->dev, "Received a frame."); 674 nfc_dev_dbg(&dev->interface->dev, "Received a frame.");
546 print_hex_dump(KERN_DEBUG, "PN533 RX: ", DUMP_PREFIX_NONE, 16, 1, 675 print_hex_dump_debug("PN533 RX: ", DUMP_PREFIX_NONE, 16, 1, in_frame,
547 in_frame, dev->ops->rx_frame_size(in_frame), false); 676 dev->ops->rx_frame_size(in_frame), false);
548 677
549 if (!dev->ops->rx_is_frame_valid(in_frame)) { 678 if (!dev->ops->rx_is_frame_valid(in_frame)) {
550 nfc_dev_err(&dev->interface->dev, "Received an invalid frame"); 679 nfc_dev_err(&dev->interface->dev, "Received an invalid frame");
551 dev->wq_in_error = -EIO; 680 cmd->status = -EIO;
552 goto sched_wq; 681 goto sched_wq;
553 } 682 }
554 683
555 if (!pn533_rx_frame_is_cmd_response(dev, in_frame)) { 684 if (!pn533_rx_frame_is_cmd_response(dev, in_frame)) {
556 nfc_dev_err(&dev->interface->dev, 685 nfc_dev_err(&dev->interface->dev,
557 "It it not the response to the last command"); 686 "It it not the response to the last command");
558 dev->wq_in_error = -EIO; 687 cmd->status = -EIO;
559 goto sched_wq; 688 goto sched_wq;
560 } 689 }
561 690
562 dev->wq_in_error = 0;
563
564sched_wq: 691sched_wq:
565 queue_work(dev->wq, &dev->cmd_complete_work); 692 queue_work(dev->wq, &dev->cmd_complete_work);
566} 693}
@@ -575,9 +702,12 @@ static int pn533_submit_urb_for_response(struct pn533 *dev, gfp_t flags)
575static void pn533_recv_ack(struct urb *urb) 702static void pn533_recv_ack(struct urb *urb)
576{ 703{
577 struct pn533 *dev = urb->context; 704 struct pn533 *dev = urb->context;
578 struct pn533_frame *in_frame; 705 struct pn533_cmd *cmd = dev->cmd;
706 struct pn533_std_frame *in_frame;
579 int rc; 707 int rc;
580 708
709 cmd->status = urb->status;
710
581 switch (urb->status) { 711 switch (urb->status) {
582 case 0: 712 case 0:
583 break; /* success */ 713 break; /* success */
@@ -586,21 +716,19 @@ static void pn533_recv_ack(struct urb *urb)
586 nfc_dev_dbg(&dev->interface->dev, 716 nfc_dev_dbg(&dev->interface->dev,
587 "The urb has been stopped (status %d)", 717 "The urb has been stopped (status %d)",
588 urb->status); 718 urb->status);
589 dev->wq_in_error = urb->status;
590 goto sched_wq; 719 goto sched_wq;
591 case -ESHUTDOWN: 720 case -ESHUTDOWN:
592 default: 721 default:
593 nfc_dev_err(&dev->interface->dev, 722 nfc_dev_err(&dev->interface->dev,
594 "Urb failure (status %d)", urb->status); 723 "Urb failure (status %d)", urb->status);
595 dev->wq_in_error = urb->status;
596 goto sched_wq; 724 goto sched_wq;
597 } 725 }
598 726
599 in_frame = dev->in_urb->transfer_buffer; 727 in_frame = dev->in_urb->transfer_buffer;
600 728
601 if (!pn533_rx_frame_is_ack(in_frame)) { 729 if (!pn533_std_rx_frame_is_ack(in_frame)) {
602 nfc_dev_err(&dev->interface->dev, "Received an invalid ack"); 730 nfc_dev_err(&dev->interface->dev, "Received an invalid ack");
603 dev->wq_in_error = -EIO; 731 cmd->status = -EIO;
604 goto sched_wq; 732 goto sched_wq;
605 } 733 }
606 734
@@ -608,7 +736,7 @@ static void pn533_recv_ack(struct urb *urb)
608 if (rc) { 736 if (rc) {
609 nfc_dev_err(&dev->interface->dev, 737 nfc_dev_err(&dev->interface->dev,
610 "usb_submit_urb failed with result %d", rc); 738 "usb_submit_urb failed with result %d", rc);
611 dev->wq_in_error = rc; 739 cmd->status = rc;
612 goto sched_wq; 740 goto sched_wq;
613 } 741 }
614 742
@@ -627,7 +755,7 @@ static int pn533_submit_urb_for_ack(struct pn533 *dev, gfp_t flags)
627 755
628static int pn533_send_ack(struct pn533 *dev, gfp_t flags) 756static int pn533_send_ack(struct pn533 *dev, gfp_t flags)
629{ 757{
630 u8 ack[PN533_FRAME_ACK_SIZE] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00}; 758 u8 ack[PN533_STD_FRAME_ACK_SIZE] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00};
631 /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */ 759 /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */
632 int rc; 760 int rc;
633 761
@@ -643,32 +771,34 @@ static int pn533_send_ack(struct pn533 *dev, gfp_t flags)
643static int __pn533_send_frame_async(struct pn533 *dev, 771static int __pn533_send_frame_async(struct pn533 *dev,
644 struct sk_buff *out, 772 struct sk_buff *out,
645 struct sk_buff *in, 773 struct sk_buff *in,
646 int in_len, 774 int in_len)
647 pn533_cmd_complete_t cmd_complete,
648 void *arg)
649{ 775{
650 int rc; 776 int rc;
651 777
652 dev->cmd = dev->ops->get_cmd_code(out->data);
653 dev->cmd_complete = cmd_complete;
654 dev->cmd_complete_arg = arg;
655
656 dev->out_urb->transfer_buffer = out->data; 778 dev->out_urb->transfer_buffer = out->data;
657 dev->out_urb->transfer_buffer_length = out->len; 779 dev->out_urb->transfer_buffer_length = out->len;
658 780
659 dev->in_urb->transfer_buffer = in->data; 781 dev->in_urb->transfer_buffer = in->data;
660 dev->in_urb->transfer_buffer_length = in_len; 782 dev->in_urb->transfer_buffer_length = in_len;
661 783
662 print_hex_dump(KERN_DEBUG, "PN533 TX: ", DUMP_PREFIX_NONE, 16, 1, 784 print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1,
663 out->data, out->len, false); 785 out->data, out->len, false);
664 786
665 rc = usb_submit_urb(dev->out_urb, GFP_KERNEL); 787 rc = usb_submit_urb(dev->out_urb, GFP_KERNEL);
666 if (rc) 788 if (rc)
667 return rc; 789 return rc;
668 790
669 rc = pn533_submit_urb_for_ack(dev, GFP_KERNEL); 791 if (dev->protocol_type == PN533_PROTO_REQ_RESP) {
670 if (rc) 792 /* request for response for sent packet directly */
671 goto error; 793 rc = pn533_submit_urb_for_response(dev, GFP_ATOMIC);
794 if (rc)
795 goto error;
796 } else if (dev->protocol_type == PN533_PROTO_REQ_ACK_RESP) {
797 /* request for ACK if that's the case */
798 rc = pn533_submit_urb_for_ack(dev, GFP_KERNEL);
799 if (rc)
800 goto error;
801 }
672 802
673 return 0; 803 return 0;
674 804
@@ -693,39 +823,34 @@ static void pn533_build_cmd_frame(struct pn533 *dev, u8 cmd_code,
693 ops->tx_frame_finish(skb->data); 823 ops->tx_frame_finish(skb->data);
694} 824}
695 825
696struct pn533_send_async_complete_arg { 826static int pn533_send_async_complete(struct pn533 *dev)
697 pn533_send_async_complete_t complete_cb;
698 void *complete_cb_context;
699 struct sk_buff *resp;
700 struct sk_buff *req;
701};
702
703static int pn533_send_async_complete(struct pn533 *dev, void *_arg, int status)
704{ 827{
705 struct pn533_send_async_complete_arg *arg = _arg; 828 struct pn533_cmd *cmd = dev->cmd;
829 int status = cmd->status;
706 830
707 struct sk_buff *req = arg->req; 831 struct sk_buff *req = cmd->req;
708 struct sk_buff *resp = arg->resp; 832 struct sk_buff *resp = cmd->resp;
709 833
710 int rc; 834 int rc;
711 835
712 dev_kfree_skb(req); 836 dev_kfree_skb(req);
713 837
714 if (status < 0) { 838 if (status < 0) {
715 arg->complete_cb(dev, arg->complete_cb_context, 839 rc = cmd->complete_cb(dev, cmd->complete_cb_context,
716 ERR_PTR(status)); 840 ERR_PTR(status));
717 dev_kfree_skb(resp); 841 dev_kfree_skb(resp);
718 kfree(arg); 842 goto done;
719 return status;
720 } 843 }
721 844
722 skb_put(resp, dev->ops->rx_frame_size(resp->data)); 845 skb_put(resp, dev->ops->rx_frame_size(resp->data));
723 skb_pull(resp, dev->ops->rx_header_len); 846 skb_pull(resp, dev->ops->rx_header_len);
724 skb_trim(resp, resp->len - dev->ops->rx_tail_len); 847 skb_trim(resp, resp->len - dev->ops->rx_tail_len);
725 848
726 rc = arg->complete_cb(dev, arg->complete_cb_context, resp); 849 rc = cmd->complete_cb(dev, cmd->complete_cb_context, resp);
727 850
728 kfree(arg); 851done:
852 kfree(cmd);
853 dev->cmd = NULL;
729 return rc; 854 return rc;
730} 855}
731 856
@@ -736,56 +861,45 @@ static int __pn533_send_async(struct pn533 *dev, u8 cmd_code,
736 void *complete_cb_context) 861 void *complete_cb_context)
737{ 862{
738 struct pn533_cmd *cmd; 863 struct pn533_cmd *cmd;
739 struct pn533_send_async_complete_arg *arg;
740 int rc = 0; 864 int rc = 0;
741 865
742 nfc_dev_dbg(&dev->interface->dev, "Sending command 0x%x", cmd_code); 866 nfc_dev_dbg(&dev->interface->dev, "Sending command 0x%x", cmd_code);
743 867
744 arg = kzalloc(sizeof(*arg), GFP_KERNEL); 868 cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
745 if (!arg) 869 if (!cmd)
746 return -ENOMEM; 870 return -ENOMEM;
747 871
748 arg->complete_cb = complete_cb; 872 cmd->code = cmd_code;
749 arg->complete_cb_context = complete_cb_context; 873 cmd->req = req;
750 arg->resp = resp; 874 cmd->resp = resp;
751 arg->req = req; 875 cmd->resp_len = resp_len;
876 cmd->complete_cb = complete_cb;
877 cmd->complete_cb_context = complete_cb_context;
752 878
753 pn533_build_cmd_frame(dev, cmd_code, req); 879 pn533_build_cmd_frame(dev, cmd_code, req);
754 880
755 mutex_lock(&dev->cmd_lock); 881 mutex_lock(&dev->cmd_lock);
756 882
757 if (!dev->cmd_pending) { 883 if (!dev->cmd_pending) {
758 rc = __pn533_send_frame_async(dev, req, resp, resp_len, 884 rc = __pn533_send_frame_async(dev, req, resp, resp_len);
759 pn533_send_async_complete, arg);
760 if (rc) 885 if (rc)
761 goto error; 886 goto error;
762 887
763 dev->cmd_pending = 1; 888 dev->cmd_pending = 1;
889 dev->cmd = cmd;
764 goto unlock; 890 goto unlock;
765 } 891 }
766 892
767 nfc_dev_dbg(&dev->interface->dev, "%s Queueing command 0x%x", __func__, 893 nfc_dev_dbg(&dev->interface->dev, "%s Queueing command 0x%x", __func__,
768 cmd_code); 894 cmd_code);
769 895
770 cmd = kzalloc(sizeof(struct pn533_cmd), GFP_KERNEL);
771 if (!cmd) {
772 rc = -ENOMEM;
773 goto error;
774 }
775
776 INIT_LIST_HEAD(&cmd->queue); 896 INIT_LIST_HEAD(&cmd->queue);
777 cmd->cmd_code = cmd_code;
778 cmd->req = req;
779 cmd->resp = resp;
780 cmd->resp_len = resp_len;
781 cmd->arg = arg;
782
783 list_add_tail(&cmd->queue, &dev->cmd_queue); 897 list_add_tail(&cmd->queue, &dev->cmd_queue);
784 898
785 goto unlock; 899 goto unlock;
786 900
787error: 901error:
788 kfree(arg); 902 kfree(cmd);
789unlock: 903unlock:
790 mutex_unlock(&dev->cmd_lock); 904 mutex_unlock(&dev->cmd_lock);
791 return rc; 905 return rc;
@@ -850,8 +964,8 @@ static int pn533_send_cmd_direct_async(struct pn533 *dev, u8 cmd_code,
850 pn533_send_async_complete_t complete_cb, 964 pn533_send_async_complete_t complete_cb,
851 void *complete_cb_context) 965 void *complete_cb_context)
852{ 966{
853 struct pn533_send_async_complete_arg *arg;
854 struct sk_buff *resp; 967 struct sk_buff *resp;
968 struct pn533_cmd *cmd;
855 int rc; 969 int rc;
856 int resp_len = dev->ops->rx_header_len + 970 int resp_len = dev->ops->rx_header_len +
857 dev->ops->max_payload_len + 971 dev->ops->max_payload_len +
@@ -861,33 +975,47 @@ static int pn533_send_cmd_direct_async(struct pn533 *dev, u8 cmd_code,
861 if (!resp) 975 if (!resp)
862 return -ENOMEM; 976 return -ENOMEM;
863 977
864 arg = kzalloc(sizeof(*arg), GFP_KERNEL); 978 cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
865 if (!arg) { 979 if (!cmd) {
866 dev_kfree_skb(resp); 980 dev_kfree_skb(resp);
867 return -ENOMEM; 981 return -ENOMEM;
868 } 982 }
869 983
870 arg->complete_cb = complete_cb; 984 cmd->code = cmd_code;
871 arg->complete_cb_context = complete_cb_context; 985 cmd->req = req;
872 arg->resp = resp; 986 cmd->resp = resp;
873 arg->req = req; 987 cmd->resp_len = resp_len;
988 cmd->complete_cb = complete_cb;
989 cmd->complete_cb_context = complete_cb_context;
874 990
875 pn533_build_cmd_frame(dev, cmd_code, req); 991 pn533_build_cmd_frame(dev, cmd_code, req);
876 992
877 rc = __pn533_send_frame_async(dev, req, resp, resp_len, 993 rc = __pn533_send_frame_async(dev, req, resp, resp_len);
878 pn533_send_async_complete, arg);
879 if (rc < 0) { 994 if (rc < 0) {
880 dev_kfree_skb(resp); 995 dev_kfree_skb(resp);
881 kfree(arg); 996 kfree(cmd);
997 } else {
998 dev->cmd = cmd;
882 } 999 }
883 1000
884 return rc; 1001 return rc;
885} 1002}
886 1003
1004static void pn533_wq_cmd_complete(struct work_struct *work)
1005{
1006 struct pn533 *dev = container_of(work, struct pn533, cmd_complete_work);
1007 int rc;
1008
1009 rc = pn533_send_async_complete(dev);
1010 if (rc != -EINPROGRESS)
1011 queue_work(dev->wq, &dev->cmd_work);
1012}
1013
887static void pn533_wq_cmd(struct work_struct *work) 1014static void pn533_wq_cmd(struct work_struct *work)
888{ 1015{
889 struct pn533 *dev = container_of(work, struct pn533, cmd_work); 1016 struct pn533 *dev = container_of(work, struct pn533, cmd_work);
890 struct pn533_cmd *cmd; 1017 struct pn533_cmd *cmd;
1018 int rc;
891 1019
892 mutex_lock(&dev->cmd_lock); 1020 mutex_lock(&dev->cmd_lock);
893 1021
@@ -903,10 +1031,15 @@ static void pn533_wq_cmd(struct work_struct *work)
903 1031
904 mutex_unlock(&dev->cmd_lock); 1032 mutex_unlock(&dev->cmd_lock);
905 1033
906 __pn533_send_frame_async(dev, cmd->req, cmd->resp, cmd->resp_len, 1034 rc = __pn533_send_frame_async(dev, cmd->req, cmd->resp, cmd->resp_len);
907 pn533_send_async_complete, cmd->arg); 1035 if (rc < 0) {
1036 dev_kfree_skb(cmd->req);
1037 dev_kfree_skb(cmd->resp);
1038 kfree(cmd);
1039 return;
1040 }
908 1041
909 kfree(cmd); 1042 dev->cmd = cmd;
910} 1043}
911 1044
912struct pn533_sync_cmd_response { 1045struct pn533_sync_cmd_response {
@@ -982,6 +1115,23 @@ static void pn533_send_complete(struct urb *urb)
982 } 1115 }
983} 1116}
984 1117
1118static void pn533_abort_cmd(struct pn533 *dev, gfp_t flags)
1119{
1120 /* ACR122U does not support any command which aborts last
1121 * issued command i.e. as ACK for standard PN533. Additionally,
1122 * it behaves stange, sending broken or incorrect responses,
1123 * when we cancel urb before the chip will send response.
1124 */
1125 if (dev->device_type == PN533_DEVICE_ACR122U)
1126 return;
1127
1128 /* An ack will cancel the last issued command */
1129 pn533_send_ack(dev, flags);
1130
1131 /* cancel the urb request */
1132 usb_kill_urb(dev->in_urb);
1133}
1134
985static struct sk_buff *pn533_alloc_skb(struct pn533 *dev, unsigned int size) 1135static struct sk_buff *pn533_alloc_skb(struct pn533 *dev, unsigned int size)
986{ 1136{
987 struct sk_buff *skb; 1137 struct sk_buff *skb;
@@ -1500,9 +1650,6 @@ static void pn533_listen_mode_timer(unsigned long data)
1500 1650
1501 nfc_dev_dbg(&dev->interface->dev, "Listen mode timeout"); 1651 nfc_dev_dbg(&dev->interface->dev, "Listen mode timeout");
1502 1652
1503 /* An ack will cancel the last issued command (poll) */
1504 pn533_send_ack(dev, GFP_ATOMIC);
1505
1506 dev->cancel_listen = 1; 1653 dev->cancel_listen = 1;
1507 1654
1508 pn533_poll_next_mod(dev); 1655 pn533_poll_next_mod(dev);
@@ -1549,6 +1696,11 @@ static int pn533_poll_complete(struct pn533 *dev, void *arg,
1549 if (!rc) 1696 if (!rc)
1550 goto done; 1697 goto done;
1551 1698
1699 if (!dev->poll_mod_count) {
1700 nfc_dev_dbg(&dev->interface->dev, "Polling has been stoped.");
1701 goto done;
1702 }
1703
1552 pn533_poll_next_mod(dev); 1704 pn533_poll_next_mod(dev);
1553 queue_work(dev->wq, &dev->poll_work); 1705 queue_work(dev->wq, &dev->poll_work);
1554 1706
@@ -1627,7 +1779,7 @@ static void pn533_wq_poll(struct work_struct *work)
1627 1779
1628 if (dev->cancel_listen == 1) { 1780 if (dev->cancel_listen == 1) {
1629 dev->cancel_listen = 0; 1781 dev->cancel_listen = 0;
1630 usb_kill_urb(dev->in_urb); 1782 pn533_abort_cmd(dev, GFP_ATOMIC);
1631 } 1783 }
1632 1784
1633 rc = pn533_send_poll_frame(dev); 1785 rc = pn533_send_poll_frame(dev);
@@ -1689,12 +1841,7 @@ static void pn533_stop_poll(struct nfc_dev *nfc_dev)
1689 return; 1841 return;
1690 } 1842 }
1691 1843
1692 /* An ack will cancel the last issued command (poll) */ 1844 pn533_abort_cmd(dev, GFP_KERNEL);
1693 pn533_send_ack(dev, GFP_KERNEL);
1694
1695 /* prevent pn533_start_poll_complete to issue a new poll meanwhile */
1696 usb_kill_urb(dev->in_urb);
1697
1698 pn533_poll_reset_mod_list(dev); 1845 pn533_poll_reset_mod_list(dev);
1699} 1846}
1700 1847
@@ -1723,6 +1870,8 @@ static int pn533_activate_target_nfcdep(struct pn533 *dev)
1723 rsp = (struct pn533_cmd_activate_response *)resp->data; 1870 rsp = (struct pn533_cmd_activate_response *)resp->data;
1724 rc = rsp->status & PN533_CMD_RET_MASK; 1871 rc = rsp->status & PN533_CMD_RET_MASK;
1725 if (rc != PN533_CMD_RET_SUCCESS) { 1872 if (rc != PN533_CMD_RET_SUCCESS) {
1873 nfc_dev_err(&dev->interface->dev,
1874 "Target activation failed (error 0x%x)", rc);
1726 dev_kfree_skb(resp); 1875 dev_kfree_skb(resp);
1727 return -EIO; 1876 return -EIO;
1728 } 1877 }
@@ -1850,7 +1999,7 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
1850 rc = rsp->status & PN533_CMD_RET_MASK; 1999 rc = rsp->status & PN533_CMD_RET_MASK;
1851 if (rc != PN533_CMD_RET_SUCCESS) { 2000 if (rc != PN533_CMD_RET_SUCCESS) {
1852 nfc_dev_err(&dev->interface->dev, 2001 nfc_dev_err(&dev->interface->dev,
1853 "Bringing DEP link up failed %d", rc); 2002 "Bringing DEP link up failed (error 0x%x)", rc);
1854 goto error; 2003 goto error;
1855 } 2004 }
1856 2005
@@ -1985,10 +2134,8 @@ static int pn533_dep_link_down(struct nfc_dev *nfc_dev)
1985 2134
1986 pn533_poll_reset_mod_list(dev); 2135 pn533_poll_reset_mod_list(dev);
1987 2136
1988 if (dev->tgt_mode || dev->tgt_active_prot) { 2137 if (dev->tgt_mode || dev->tgt_active_prot)
1989 pn533_send_ack(dev, GFP_KERNEL); 2138 pn533_abort_cmd(dev, GFP_KERNEL);
1990 usb_kill_urb(dev->in_urb);
1991 }
1992 2139
1993 dev->tgt_active_prot = 0; 2140 dev->tgt_active_prot = 0;
1994 dev->tgt_mode = 0; 2141 dev->tgt_mode = 0;
@@ -2064,8 +2211,7 @@ static int pn533_data_exchange_complete(struct pn533 *dev, void *_arg,
2064 2211
2065 if (ret != PN533_CMD_RET_SUCCESS) { 2212 if (ret != PN533_CMD_RET_SUCCESS) {
2066 nfc_dev_err(&dev->interface->dev, 2213 nfc_dev_err(&dev->interface->dev,
2067 "PN533 reported error %d when exchanging data", 2214 "Exchanging data failed (error 0x%x)", ret);
2068 ret);
2069 rc = -EIO; 2215 rc = -EIO;
2070 goto error; 2216 goto error;
2071 } 2217 }
@@ -2253,7 +2399,7 @@ static void pn533_wq_mi_recv(struct work_struct *work)
2253 "Error %d when trying to perform data_exchange", rc); 2399 "Error %d when trying to perform data_exchange", rc);
2254 2400
2255 dev_kfree_skb(skb); 2401 dev_kfree_skb(skb);
2256 kfree(dev->cmd_complete_arg); 2402 kfree(dev->cmd_complete_mi_arg);
2257 2403
2258error: 2404error:
2259 pn533_send_ack(dev, GFP_KERNEL); 2405 pn533_send_ack(dev, GFP_KERNEL);
@@ -2310,7 +2456,7 @@ static int pn533_get_firmware_version(struct pn533 *dev,
2310 return 0; 2456 return 0;
2311} 2457}
2312 2458
2313static int pn533_fw_reset(struct pn533 *dev) 2459static int pn533_pasori_fw_reset(struct pn533 *dev)
2314{ 2460{
2315 struct sk_buff *skb; 2461 struct sk_buff *skb;
2316 struct sk_buff *resp; 2462 struct sk_buff *resp;
@@ -2332,9 +2478,102 @@ static int pn533_fw_reset(struct pn533 *dev)
2332 return 0; 2478 return 0;
2333} 2479}
2334 2480
2481struct pn533_acr122_poweron_rdr_arg {
2482 int rc;
2483 struct completion done;
2484};
2485
2486static void pn533_acr122_poweron_rdr_resp(struct urb *urb)
2487{
2488 struct pn533_acr122_poweron_rdr_arg *arg = urb->context;
2489
2490 nfc_dev_dbg(&urb->dev->dev, "%s", __func__);
2491
2492 print_hex_dump(KERN_ERR, "ACR122 RX: ", DUMP_PREFIX_NONE, 16, 1,
2493 urb->transfer_buffer, urb->transfer_buffer_length,
2494 false);
2495
2496 arg->rc = urb->status;
2497 complete(&arg->done);
2498}
2499
2500static int pn533_acr122_poweron_rdr(struct pn533 *dev)
2501{
2502 /* Power on th reader (CCID cmd) */
2503 u8 cmd[10] = {PN533_ACR122_PC_TO_RDR_ICCPOWERON,
2504 0, 0, 0, 0, 0, 0, 3, 0, 0};
2505 u8 buf[255];
2506 int rc;
2507 void *cntx;
2508 struct pn533_acr122_poweron_rdr_arg arg;
2509
2510 nfc_dev_dbg(&dev->interface->dev, "%s", __func__);
2511
2512 init_completion(&arg.done);
2513 cntx = dev->in_urb->context; /* backup context */
2514
2515 dev->in_urb->transfer_buffer = buf;
2516 dev->in_urb->transfer_buffer_length = 255;
2517 dev->in_urb->complete = pn533_acr122_poweron_rdr_resp;
2518 dev->in_urb->context = &arg;
2519
2520 dev->out_urb->transfer_buffer = cmd;
2521 dev->out_urb->transfer_buffer_length = sizeof(cmd);
2522
2523 print_hex_dump(KERN_ERR, "ACR122 TX: ", DUMP_PREFIX_NONE, 16, 1,
2524 cmd, sizeof(cmd), false);
2525
2526 rc = usb_submit_urb(dev->out_urb, GFP_KERNEL);
2527 if (rc) {
2528 nfc_dev_err(&dev->interface->dev,
2529 "Reader power on cmd error %d", rc);
2530 return rc;
2531 }
2532
2533 rc = usb_submit_urb(dev->in_urb, GFP_KERNEL);
2534 if (rc) {
2535 nfc_dev_err(&dev->interface->dev,
2536 "Can't submit for reader power on cmd response %d",
2537 rc);
2538 return rc;
2539 }
2540
2541 wait_for_completion(&arg.done);
2542 dev->in_urb->context = cntx; /* restore context */
2543
2544 return arg.rc;
2545}
2546
2547static int pn533_rf_field(struct nfc_dev *nfc_dev, u8 rf)
2548{
2549 struct pn533 *dev = nfc_get_drvdata(nfc_dev);
2550 u8 rf_field = !!rf;
2551 int rc;
2552
2553 rc = pn533_set_configuration(dev, PN533_CFGITEM_RF_FIELD,
2554 (u8 *)&rf_field, 1);
2555 if (rc) {
2556 nfc_dev_err(&dev->interface->dev,
2557 "Error on setting RF field");
2558 return rc;
2559 }
2560
2561 return rc;
2562}
2563
2564int pn533_dev_up(struct nfc_dev *nfc_dev)
2565{
2566 return pn533_rf_field(nfc_dev, 1);
2567}
2568
2569int pn533_dev_down(struct nfc_dev *nfc_dev)
2570{
2571 return pn533_rf_field(nfc_dev, 0);
2572}
2573
2335static struct nfc_ops pn533_nfc_ops = { 2574static struct nfc_ops pn533_nfc_ops = {
2336 .dev_up = NULL, 2575 .dev_up = pn533_dev_up,
2337 .dev_down = NULL, 2576 .dev_down = pn533_dev_down,
2338 .dep_link_up = pn533_dep_link_up, 2577 .dep_link_up = pn533_dep_link_up,
2339 .dep_link_down = pn533_dep_link_down, 2578 .dep_link_down = pn533_dep_link_down,
2340 .start_poll = pn533_start_poll, 2579 .start_poll = pn533_start_poll,
@@ -2366,6 +2605,7 @@ static int pn533_setup(struct pn533 *dev)
2366 break; 2605 break;
2367 2606
2368 case PN533_DEVICE_PASORI: 2607 case PN533_DEVICE_PASORI:
2608 case PN533_DEVICE_ACR122U:
2369 max_retries.mx_rty_atr = 0x2; 2609 max_retries.mx_rty_atr = 0x2;
2370 max_retries.mx_rty_psl = 0x1; 2610 max_retries.mx_rty_psl = 0x1;
2371 max_retries.mx_rty_passive_act = 2611 max_retries.mx_rty_passive_act =
@@ -2405,7 +2645,7 @@ static int pn533_setup(struct pn533 *dev)
2405 break; 2645 break;
2406 2646
2407 case PN533_DEVICE_PASORI: 2647 case PN533_DEVICE_PASORI:
2408 pn533_fw_reset(dev); 2648 pn533_pasori_fw_reset(dev);
2409 2649
2410 rc = pn533_set_configuration(dev, PN533_CFGITEM_PASORI, 2650 rc = pn533_set_configuration(dev, PN533_CFGITEM_PASORI,
2411 pasori_cfg, 3); 2651 pasori_cfg, 3);
@@ -2415,7 +2655,7 @@ static int pn533_setup(struct pn533 *dev)
2415 return rc; 2655 return rc;
2416 } 2656 }
2417 2657
2418 pn533_fw_reset(dev); 2658 pn533_pasori_fw_reset(dev);
2419 2659
2420 break; 2660 break;
2421 } 2661 }
@@ -2496,6 +2736,7 @@ static int pn533_probe(struct usb_interface *interface,
2496 2736
2497 dev->ops = &pn533_std_frame_ops; 2737 dev->ops = &pn533_std_frame_ops;
2498 2738
2739 dev->protocol_type = PN533_PROTO_REQ_ACK_RESP;
2499 dev->device_type = id->driver_info; 2740 dev->device_type = id->driver_info;
2500 switch (dev->device_type) { 2741 switch (dev->device_type) {
2501 case PN533_DEVICE_STD: 2742 case PN533_DEVICE_STD:
@@ -2506,6 +2747,20 @@ static int pn533_probe(struct usb_interface *interface,
2506 protocols = PN533_NO_TYPE_B_PROTOCOLS; 2747 protocols = PN533_NO_TYPE_B_PROTOCOLS;
2507 break; 2748 break;
2508 2749
2750 case PN533_DEVICE_ACR122U:
2751 protocols = PN533_NO_TYPE_B_PROTOCOLS;
2752 dev->ops = &pn533_acr122_frame_ops;
2753 dev->protocol_type = PN533_PROTO_REQ_RESP,
2754
2755 rc = pn533_acr122_poweron_rdr(dev);
2756 if (rc < 0) {
2757 nfc_dev_err(&dev->interface->dev,
2758 "Couldn't poweron the reader (error %d)",
2759 rc);
2760 goto destroy_wq;
2761 }
2762 break;
2763
2509 default: 2764 default:
2510 nfc_dev_err(&dev->interface->dev, "Unknown device type %d\n", 2765 nfc_dev_err(&dev->interface->dev, "Unknown device type %d\n",
2511 dev->device_type); 2766 dev->device_type);
@@ -2555,6 +2810,7 @@ destroy_wq:
2555error: 2810error:
2556 usb_free_urb(dev->in_urb); 2811 usb_free_urb(dev->in_urb);
2557 usb_free_urb(dev->out_urb); 2812 usb_free_urb(dev->out_urb);
2813 usb_put_dev(dev->udev);
2558 kfree(dev); 2814 kfree(dev);
2559 return rc; 2815 return rc;
2560} 2816}
@@ -2600,8 +2856,9 @@ static struct usb_driver pn533_driver = {
2600 2856
2601module_usb_driver(pn533_driver); 2857module_usb_driver(pn533_driver);
2602 2858
2603MODULE_AUTHOR("Lauro Ramos Venancio <lauro.venancio@openbossa.org>," 2859MODULE_AUTHOR("Lauro Ramos Venancio <lauro.venancio@openbossa.org>");
2604 " Aloisio Almeida Jr <aloisio.almeida@openbossa.org>"); 2860MODULE_AUTHOR("Aloisio Almeida Jr <aloisio.almeida@openbossa.org>");
2861MODULE_AUTHOR("Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>");
2605MODULE_DESCRIPTION("PN533 usb driver ver " VERSION); 2862MODULE_DESCRIPTION("PN533 usb driver ver " VERSION);
2606MODULE_VERSION(VERSION); 2863MODULE_VERSION(VERSION);
2607MODULE_LICENSE("GPL"); 2864MODULE_LICENSE("GPL");
diff --git a/drivers/nfc/pn544/Kconfig b/drivers/nfc/pn544/Kconfig
index c277790ac71c..ccf06f5f6ebb 100644
--- a/drivers/nfc/pn544/Kconfig
+++ b/drivers/nfc/pn544/Kconfig
@@ -20,4 +20,15 @@ config NFC_PN544_I2C
20 Select this if your platform is using the i2c bus. 20 Select this if your platform is using the i2c bus.
21 21
22 If you choose to build a module, it'll be called pn544_i2c. 22 If you choose to build a module, it'll be called pn544_i2c.
23 Say N if unsure. \ No newline at end of file 23 Say N if unsure.
24
25config NFC_PN544_MEI
26 tristate "NFC PN544 MEI support"
27 depends on NFC_PN544 && NFC_MEI_PHY
28 ---help---
29 This module adds support for the mei interface of adapters using
30 NXP pn544 chipsets. Select this if your pn544 chipset
31 is handled by Intel's Management Engine Interface on your platform.
32
33 If you choose to build a module, it'll be called pn544_mei.
34 Say N if unsure.
diff --git a/drivers/nfc/pn544/Makefile b/drivers/nfc/pn544/Makefile
index ac076793687d..29fb5a174036 100644
--- a/drivers/nfc/pn544/Makefile
+++ b/drivers/nfc/pn544/Makefile
@@ -3,6 +3,8 @@
3# 3#
4 4
5pn544_i2c-objs = i2c.o 5pn544_i2c-objs = i2c.o
6pn544_mei-objs = mei.o
6 7
7obj-$(CONFIG_NFC_PN544) += pn544.o 8obj-$(CONFIG_NFC_PN544) += pn544.o
8obj-$(CONFIG_NFC_PN544_I2C) += pn544_i2c.o 9obj-$(CONFIG_NFC_PN544_I2C) += pn544_i2c.o
10obj-$(CONFIG_NFC_PN544_MEI) += pn544_mei.o
diff --git a/drivers/nfc/pn544/mei.c b/drivers/nfc/pn544/mei.c
new file mode 100644
index 000000000000..1eb48848a35a
--- /dev/null
+++ b/drivers/nfc/pn544/mei.c
@@ -0,0 +1,121 @@
1/*
2 * HCI based Driver for NXP pn544 NFC Chip
3 *
4 * Copyright (C) 2013 Intel Corporation. All rights reserved.
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms and conditions of the GNU General Public License,
8 * version 2, as published by the Free Software Foundation.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the
17 * Free Software Foundation, Inc.,
18 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 */
20
21#include <linux/module.h>
22#include <linux/mod_devicetable.h>
23#include <linux/nfc.h>
24#include <net/nfc/hci.h>
25#include <net/nfc/llc.h>
26
27#include "../mei_phy.h"
28#include "pn544.h"
29
30#define PN544_DRIVER_NAME "pn544"
31
32static int pn544_mei_probe(struct mei_cl_device *device,
33 const struct mei_cl_device_id *id)
34{
35 struct nfc_mei_phy *phy;
36 int r;
37
38 pr_info("Probing NFC pn544\n");
39
40 phy = nfc_mei_phy_alloc(device);
41 if (!phy) {
42 pr_err("Cannot allocate memory for pn544 mei phy.\n");
43 return -ENOMEM;
44 }
45
46 r = mei_cl_register_event_cb(device, nfc_mei_event_cb, phy);
47 if (r) {
48 pr_err(PN544_DRIVER_NAME ": event cb registration failed\n");
49 goto err_out;
50 }
51
52 r = pn544_hci_probe(phy, &mei_phy_ops, LLC_NOP_NAME,
53 MEI_NFC_HEADER_SIZE, 0, MEI_NFC_MAX_HCI_PAYLOAD,
54 &phy->hdev);
55 if (r < 0)
56 goto err_out;
57
58 return 0;
59
60err_out:
61 nfc_mei_phy_free(phy);
62
63 return r;
64}
65
66static int pn544_mei_remove(struct mei_cl_device *device)
67{
68 struct nfc_mei_phy *phy = mei_cl_get_drvdata(device);
69
70 pr_info("Removing pn544\n");
71
72 pn544_hci_remove(phy->hdev);
73
74 nfc_mei_phy_disable(phy);
75
76 nfc_mei_phy_free(phy);
77
78 return 0;
79}
80
81static struct mei_cl_device_id pn544_mei_tbl[] = {
82 { PN544_DRIVER_NAME },
83
84 /* required last entry */
85 { }
86};
87MODULE_DEVICE_TABLE(mei, pn544_mei_tbl);
88
89static struct mei_cl_driver pn544_driver = {
90 .id_table = pn544_mei_tbl,
91 .name = PN544_DRIVER_NAME,
92
93 .probe = pn544_mei_probe,
94 .remove = pn544_mei_remove,
95};
96
97static int pn544_mei_init(void)
98{
99 int r;
100
101 pr_debug(DRIVER_DESC ": %s\n", __func__);
102
103 r = mei_cl_driver_register(&pn544_driver);
104 if (r) {
105 pr_err(PN544_DRIVER_NAME ": driver registration failed\n");
106 return r;
107 }
108
109 return 0;
110}
111
112static void pn544_mei_exit(void)
113{
114 mei_cl_driver_unregister(&pn544_driver);
115}
116
117module_init(pn544_mei_init);
118module_exit(pn544_mei_exit);
119
120MODULE_LICENSE("GPL");
121MODULE_DESCRIPTION(DRIVER_DESC);
diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index ed6e9552252e..6912ef9a1881 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -193,11 +193,11 @@ static inline bool bdaddr_type_is_le(__u8 type)
193#define BDADDR_LOCAL (&(bdaddr_t) {{0, 0, 0, 0xff, 0xff, 0xff} }) 193#define BDADDR_LOCAL (&(bdaddr_t) {{0, 0, 0, 0xff, 0xff, 0xff} })
194 194
195/* Copy, swap, convert BD Address */ 195/* Copy, swap, convert BD Address */
196static inline int bacmp(bdaddr_t *ba1, bdaddr_t *ba2) 196static inline int bacmp(const bdaddr_t *ba1, const bdaddr_t *ba2)
197{ 197{
198 return memcmp(ba1, ba2, sizeof(bdaddr_t)); 198 return memcmp(ba1, ba2, sizeof(bdaddr_t));
199} 199}
200static inline void bacpy(bdaddr_t *dst, bdaddr_t *src) 200static inline void bacpy(bdaddr_t *dst, const bdaddr_t *src)
201{ 201{
202 memcpy(dst, src, sizeof(bdaddr_t)); 202 memcpy(dst, src, sizeof(bdaddr_t));
203} 203}
@@ -266,6 +266,7 @@ typedef void (*hci_req_complete_t)(struct hci_dev *hdev, u8 status);
266 266
267struct hci_req_ctrl { 267struct hci_req_ctrl {
268 bool start; 268 bool start;
269 u8 event;
269 hci_req_complete_t complete; 270 hci_req_complete_t complete;
270}; 271};
271 272
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index b3308927a0a1..e0512aaef4b8 100644
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -984,6 +984,9 @@ struct hci_cp_le_set_adv_data {
984 984
985#define HCI_OP_LE_SET_ADV_ENABLE 0x200a 985#define HCI_OP_LE_SET_ADV_ENABLE 0x200a
986 986
987#define LE_SCAN_PASSIVE 0x00
988#define LE_SCAN_ACTIVE 0x01
989
987#define HCI_OP_LE_SET_SCAN_PARAM 0x200b 990#define HCI_OP_LE_SET_SCAN_PARAM 0x200b
988struct hci_cp_le_set_scan_param { 991struct hci_cp_le_set_scan_param {
989 __u8 type; 992 __u8 type;
@@ -993,8 +996,10 @@ struct hci_cp_le_set_scan_param {
993 __u8 filter_policy; 996 __u8 filter_policy;
994} __packed; 997} __packed;
995 998
996#define LE_SCANNING_DISABLED 0x00 999#define LE_SCAN_DISABLE 0x00
997#define LE_SCANNING_ENABLED 0x01 1000#define LE_SCAN_ENABLE 0x01
1001#define LE_SCAN_FILTER_DUP_DISABLE 0x00
1002#define LE_SCAN_FILTER_DUP_ENABLE 0x01
998 1003
999#define HCI_OP_LE_SET_SCAN_ENABLE 0x200c 1004#define HCI_OP_LE_SET_SCAN_ENABLE 0x200c
1000struct hci_cp_le_set_scan_enable { 1005struct hci_cp_le_set_scan_enable {
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 358a6983d3bb..80d718a9b31f 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -134,6 +134,8 @@ struct amp_assoc {
134 __u8 data[HCI_MAX_AMP_ASSOC_SIZE]; 134 __u8 data[HCI_MAX_AMP_ASSOC_SIZE];
135}; 135};
136 136
137#define HCI_MAX_PAGES 3
138
137#define NUM_REASSEMBLY 4 139#define NUM_REASSEMBLY 4
138struct hci_dev { 140struct hci_dev {
139 struct list_head list; 141 struct list_head list;
@@ -151,8 +153,8 @@ struct hci_dev {
151 __u8 dev_class[3]; 153 __u8 dev_class[3];
152 __u8 major_class; 154 __u8 major_class;
153 __u8 minor_class; 155 __u8 minor_class;
154 __u8 features[8]; 156 __u8 max_page;
155 __u8 host_features[8]; 157 __u8 features[HCI_MAX_PAGES][8];
156 __u8 le_features[8]; 158 __u8 le_features[8];
157 __u8 le_white_list_size; 159 __u8 le_white_list_size;
158 __u8 le_states[8]; 160 __u8 le_states[8];
@@ -244,6 +246,7 @@ struct hci_dev {
244 struct sk_buff_head raw_q; 246 struct sk_buff_head raw_q;
245 struct sk_buff_head cmd_q; 247 struct sk_buff_head cmd_q;
246 248
249 struct sk_buff *recv_evt;
247 struct sk_buff *sent_cmd; 250 struct sk_buff *sent_cmd;
248 struct sk_buff *reassembly[NUM_REASSEMBLY]; 251 struct sk_buff *reassembly[NUM_REASSEMBLY];
249 252
@@ -268,8 +271,6 @@ struct hci_dev {
268 271
269 struct hci_dev_stats stat; 272 struct hci_dev_stats stat;
270 273
271 struct sk_buff_head driver_init;
272
273 atomic_t promisc; 274 atomic_t promisc;
274 275
275 struct dentry *debugfs; 276 struct dentry *debugfs;
@@ -292,6 +293,7 @@ struct hci_dev {
292 int (*open)(struct hci_dev *hdev); 293 int (*open)(struct hci_dev *hdev);
293 int (*close)(struct hci_dev *hdev); 294 int (*close)(struct hci_dev *hdev);
294 int (*flush)(struct hci_dev *hdev); 295 int (*flush)(struct hci_dev *hdev);
296 int (*setup)(struct hci_dev *hdev);
295 int (*send)(struct sk_buff *skb); 297 int (*send)(struct sk_buff *skb);
296 void (*notify)(struct hci_dev *hdev, unsigned int evt); 298 void (*notify)(struct hci_dev *hdev, unsigned int evt);
297 int (*ioctl)(struct hci_dev *hdev, unsigned int cmd, unsigned long arg); 299 int (*ioctl)(struct hci_dev *hdev, unsigned int cmd, unsigned long arg);
@@ -313,7 +315,7 @@ struct hci_conn {
313 bool out; 315 bool out;
314 __u8 attempt; 316 __u8 attempt;
315 __u8 dev_class[3]; 317 __u8 dev_class[3];
316 __u8 features[8]; 318 __u8 features[HCI_MAX_PAGES][8];
317 __u16 interval; 319 __u16 interval;
318 __u16 pkt_type; 320 __u16 pkt_type;
319 __u16 link_policy; 321 __u16 link_policy;
@@ -345,7 +347,6 @@ struct hci_conn {
345 struct timer_list auto_accept_timer; 347 struct timer_list auto_accept_timer;
346 348
347 struct device dev; 349 struct device dev;
348 atomic_t devref;
349 350
350 struct hci_dev *hdev; 351 struct hci_dev *hdev;
351 void *l2cap_data; 352 void *l2cap_data;
@@ -584,7 +585,6 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst);
584int hci_conn_del(struct hci_conn *conn); 585int hci_conn_del(struct hci_conn *conn);
585void hci_conn_hash_flush(struct hci_dev *hdev); 586void hci_conn_hash_flush(struct hci_dev *hdev);
586void hci_conn_check_pending(struct hci_dev *hdev); 587void hci_conn_check_pending(struct hci_dev *hdev);
587void hci_conn_accept(struct hci_conn *conn, int mask);
588 588
589struct hci_chan *hci_chan_create(struct hci_conn *conn); 589struct hci_chan *hci_chan_create(struct hci_conn *conn);
590void hci_chan_del(struct hci_chan *chan); 590void hci_chan_del(struct hci_chan *chan);
@@ -601,8 +601,36 @@ int hci_conn_switch_role(struct hci_conn *conn, __u8 role);
601 601
602void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active); 602void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active);
603 603
604void hci_conn_hold_device(struct hci_conn *conn); 604/*
605void hci_conn_put_device(struct hci_conn *conn); 605 * hci_conn_get() and hci_conn_put() are used to control the life-time of an
606 * "hci_conn" object. They do not guarantee that the hci_conn object is running,
607 * working or anything else. They just guarantee that the object is available
608 * and can be dereferenced. So you can use its locks, local variables and any
609 * other constant data.
610 * Before accessing runtime data, you _must_ lock the object and then check that
611 * it is still running. As soon as you release the locks, the connection might
612 * get dropped, though.
613 *
614 * On the other hand, hci_conn_hold() and hci_conn_drop() are used to control
615 * how long the underlying connection is held. So every channel that runs on the
616 * hci_conn object calls this to prevent the connection from disappearing. As
617 * long as you hold a device, you must also guarantee that you have a valid
618 * reference to the device via hci_conn_get() (or the initial reference from
619 * hci_conn_add()).
620 * The hold()/drop() ref-count is known to drop below 0 sometimes, which doesn't
621 * break because nobody cares for that. But this means, we cannot use
622 * _get()/_drop() in it, but require the caller to have a valid ref (FIXME).
623 */
624
625static inline void hci_conn_get(struct hci_conn *conn)
626{
627 get_device(&conn->dev);
628}
629
630static inline void hci_conn_put(struct hci_conn *conn)
631{
632 put_device(&conn->dev);
633}
606 634
607static inline void hci_conn_hold(struct hci_conn *conn) 635static inline void hci_conn_hold(struct hci_conn *conn)
608{ 636{
@@ -612,7 +640,7 @@ static inline void hci_conn_hold(struct hci_conn *conn)
612 cancel_delayed_work(&conn->disc_work); 640 cancel_delayed_work(&conn->disc_work);
613} 641}
614 642
615static inline void hci_conn_put(struct hci_conn *conn) 643static inline void hci_conn_drop(struct hci_conn *conn)
616{ 644{
617 BT_DBG("hcon %p orig refcnt %d", conn, atomic_read(&conn->refcnt)); 645 BT_DBG("hcon %p orig refcnt %d", conn, atomic_read(&conn->refcnt));
618 646
@@ -760,29 +788,29 @@ void hci_conn_del_sysfs(struct hci_conn *conn);
760#define SET_HCIDEV_DEV(hdev, pdev) ((hdev)->dev.parent = (pdev)) 788#define SET_HCIDEV_DEV(hdev, pdev) ((hdev)->dev.parent = (pdev))
761 789
762/* ----- LMP capabilities ----- */ 790/* ----- LMP capabilities ----- */
763#define lmp_encrypt_capable(dev) ((dev)->features[0] & LMP_ENCRYPT) 791#define lmp_encrypt_capable(dev) ((dev)->features[0][0] & LMP_ENCRYPT)
764#define lmp_rswitch_capable(dev) ((dev)->features[0] & LMP_RSWITCH) 792#define lmp_rswitch_capable(dev) ((dev)->features[0][0] & LMP_RSWITCH)
765#define lmp_hold_capable(dev) ((dev)->features[0] & LMP_HOLD) 793#define lmp_hold_capable(dev) ((dev)->features[0][0] & LMP_HOLD)
766#define lmp_sniff_capable(dev) ((dev)->features[0] & LMP_SNIFF) 794#define lmp_sniff_capable(dev) ((dev)->features[0][0] & LMP_SNIFF)
767#define lmp_park_capable(dev) ((dev)->features[1] & LMP_PARK) 795#define lmp_park_capable(dev) ((dev)->features[0][1] & LMP_PARK)
768#define lmp_inq_rssi_capable(dev) ((dev)->features[3] & LMP_RSSI_INQ) 796#define lmp_inq_rssi_capable(dev) ((dev)->features[0][3] & LMP_RSSI_INQ)
769#define lmp_esco_capable(dev) ((dev)->features[3] & LMP_ESCO) 797#define lmp_esco_capable(dev) ((dev)->features[0][3] & LMP_ESCO)
770#define lmp_bredr_capable(dev) (!((dev)->features[4] & LMP_NO_BREDR)) 798#define lmp_bredr_capable(dev) (!((dev)->features[0][4] & LMP_NO_BREDR))
771#define lmp_le_capable(dev) ((dev)->features[4] & LMP_LE) 799#define lmp_le_capable(dev) ((dev)->features[0][4] & LMP_LE)
772#define lmp_sniffsubr_capable(dev) ((dev)->features[5] & LMP_SNIFF_SUBR) 800#define lmp_sniffsubr_capable(dev) ((dev)->features[0][5] & LMP_SNIFF_SUBR)
773#define lmp_pause_enc_capable(dev) ((dev)->features[5] & LMP_PAUSE_ENC) 801#define lmp_pause_enc_capable(dev) ((dev)->features[0][5] & LMP_PAUSE_ENC)
774#define lmp_ext_inq_capable(dev) ((dev)->features[6] & LMP_EXT_INQ) 802#define lmp_ext_inq_capable(dev) ((dev)->features[0][6] & LMP_EXT_INQ)
775#define lmp_le_br_capable(dev) !!((dev)->features[6] & LMP_SIMUL_LE_BR) 803#define lmp_le_br_capable(dev) (!!((dev)->features[0][6] & LMP_SIMUL_LE_BR))
776#define lmp_ssp_capable(dev) ((dev)->features[6] & LMP_SIMPLE_PAIR) 804#define lmp_ssp_capable(dev) ((dev)->features[0][6] & LMP_SIMPLE_PAIR)
777#define lmp_no_flush_capable(dev) ((dev)->features[6] & LMP_NO_FLUSH) 805#define lmp_no_flush_capable(dev) ((dev)->features[0][6] & LMP_NO_FLUSH)
778#define lmp_lsto_capable(dev) ((dev)->features[7] & LMP_LSTO) 806#define lmp_lsto_capable(dev) ((dev)->features[0][7] & LMP_LSTO)
779#define lmp_inq_tx_pwr_capable(dev) ((dev)->features[7] & LMP_INQ_TX_PWR) 807#define lmp_inq_tx_pwr_capable(dev) ((dev)->features[0][7] & LMP_INQ_TX_PWR)
780#define lmp_ext_feat_capable(dev) ((dev)->features[7] & LMP_EXTFEATURES) 808#define lmp_ext_feat_capable(dev) ((dev)->features[0][7] & LMP_EXTFEATURES)
781 809
782/* ----- Extended LMP capabilities ----- */ 810/* ----- Extended LMP capabilities ----- */
783#define lmp_host_ssp_capable(dev) ((dev)->host_features[0] & LMP_HOST_SSP) 811#define lmp_host_ssp_capable(dev) ((dev)->features[1][0] & LMP_HOST_SSP)
784#define lmp_host_le_capable(dev) !!((dev)->host_features[0] & LMP_HOST_LE) 812#define lmp_host_le_capable(dev) (!!((dev)->features[1][0] & LMP_HOST_LE))
785#define lmp_host_le_br_capable(dev) !!((dev)->host_features[0] & LMP_HOST_LE_BREDR) 813#define lmp_host_le_br_capable(dev) (!!((dev)->features[1][0] & LMP_HOST_LE_BREDR))
786 814
787/* returns true if at least one AMP active */ 815/* returns true if at least one AMP active */
788static inline bool hci_amp_capable(void) 816static inline bool hci_amp_capable(void)
@@ -1054,8 +1082,14 @@ struct hci_request {
1054void hci_req_init(struct hci_request *req, struct hci_dev *hdev); 1082void hci_req_init(struct hci_request *req, struct hci_dev *hdev);
1055int hci_req_run(struct hci_request *req, hci_req_complete_t complete); 1083int hci_req_run(struct hci_request *req, hci_req_complete_t complete);
1056void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param); 1084void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param);
1085void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen, void *param,
1086 u8 event);
1057void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status); 1087void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status);
1058void hci_req_cmd_status(struct hci_dev *hdev, u16 opcode, u8 status); 1088
1089struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
1090 void *param, u32 timeout);
1091struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
1092 void *param, u8 event, u32 timeout);
1059 1093
1060int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param); 1094int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param);
1061void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags); 1095void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags);
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index cdd33021f831..fb94cf13c777 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -583,6 +583,14 @@ struct l2cap_conn {
583 583
584 struct list_head chan_l; 584 struct list_head chan_l;
585 struct mutex chan_lock; 585 struct mutex chan_lock;
586 struct kref ref;
587 struct list_head users;
588};
589
590struct l2cap_user {
591 struct list_head list;
592 int (*probe) (struct l2cap_conn *conn, struct l2cap_user *user);
593 void (*remove) (struct l2cap_conn *conn, struct l2cap_user *user);
586}; 594};
587 595
588#define L2CAP_INFO_CL_MTU_REQ_SENT 0x01 596#define L2CAP_INFO_CL_MTU_REQ_SENT 0x01
@@ -786,6 +794,7 @@ extern bool disable_ertm;
786 794
787int l2cap_init_sockets(void); 795int l2cap_init_sockets(void);
788void l2cap_cleanup_sockets(void); 796void l2cap_cleanup_sockets(void);
797bool l2cap_is_socket(struct socket *sock);
789 798
790void __l2cap_connect_rsp_defer(struct l2cap_chan *chan); 799void __l2cap_connect_rsp_defer(struct l2cap_chan *chan);
791int __l2cap_wait_ack(struct sock *sk); 800int __l2cap_wait_ack(struct sock *sk);
@@ -812,4 +821,10 @@ void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
812 u8 status); 821 u8 status);
813void __l2cap_physical_cfm(struct l2cap_chan *chan, int result); 822void __l2cap_physical_cfm(struct l2cap_chan *chan, int result);
814 823
824void l2cap_conn_get(struct l2cap_conn *conn);
825void l2cap_conn_put(struct l2cap_conn *conn);
826
827int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user);
828void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user);
829
815#endif /* __L2CAP_H */ 830#endif /* __L2CAP_H */
diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
index 87a6417fc934..5eb80bb3cbb2 100644
--- a/include/net/nfc/nfc.h
+++ b/include/net/nfc/nfc.h
@@ -122,6 +122,8 @@ struct nfc_dev {
122 122
123 bool shutting_down; 123 bool shutting_down;
124 124
125 struct rfkill *rfkill;
126
125 struct nfc_ops *ops; 127 struct nfc_ops *ops;
126}; 128};
127#define to_nfc_dev(_dev) container_of(_dev, struct nfc_dev, dev) 129#define to_nfc_dev(_dev) container_of(_dev, struct nfc_dev, dev)
diff --git a/include/uapi/linux/nfc.h b/include/uapi/linux/nfc.h
index 7440bc81a04b..7c6f627a717d 100644
--- a/include/uapi/linux/nfc.h
+++ b/include/uapi/linux/nfc.h
@@ -233,7 +233,10 @@ struct sockaddr_nfc_llcp {
233#define NFC_LLCP_DIRECTION_TX 0x01 233#define NFC_LLCP_DIRECTION_TX 0x01
234 234
235/* socket option names */ 235/* socket option names */
236#define NFC_LLCP_RW 0 236#define NFC_LLCP_RW 0
237#define NFC_LLCP_MIUX 1 237#define NFC_LLCP_MIUX 1
238#define NFC_LLCP_REMOTE_MIU 2
239#define NFC_LLCP_REMOTE_LTO 3
240#define NFC_LLCP_REMOTE_RW 4
238 241
239#endif /*__LINUX_NFC_H */ 242#endif /*__LINUX_NFC_H */
diff --git a/include/uapi/linux/rfkill.h b/include/uapi/linux/rfkill.h
index 2753c6cc9740..058757f7a733 100644
--- a/include/uapi/linux/rfkill.h
+++ b/include/uapi/linux/rfkill.h
@@ -37,6 +37,7 @@
37 * @RFKILL_TYPE_WWAN: switch is on a wireless WAN device. 37 * @RFKILL_TYPE_WWAN: switch is on a wireless WAN device.
38 * @RFKILL_TYPE_GPS: switch is on a GPS device. 38 * @RFKILL_TYPE_GPS: switch is on a GPS device.
39 * @RFKILL_TYPE_FM: switch is on a FM radio device. 39 * @RFKILL_TYPE_FM: switch is on a FM radio device.
40 * @RFKILL_TYPE_NFC: switch is on an NFC device.
40 * @NUM_RFKILL_TYPES: number of defined rfkill types 41 * @NUM_RFKILL_TYPES: number of defined rfkill types
41 */ 42 */
42enum rfkill_type { 43enum rfkill_type {
@@ -48,6 +49,7 @@ enum rfkill_type {
48 RFKILL_TYPE_WWAN, 49 RFKILL_TYPE_WWAN,
49 RFKILL_TYPE_GPS, 50 RFKILL_TYPE_GPS,
50 RFKILL_TYPE_FM, 51 RFKILL_TYPE_FM,
52 RFKILL_TYPE_NFC,
51 NUM_RFKILL_TYPES, 53 NUM_RFKILL_TYPES,
52}; 54};
53 55
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b9f90169940b..6c7f36379722 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -117,6 +117,16 @@ static void hci_acl_create_connection_cancel(struct hci_conn *conn)
117 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp); 117 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
118} 118}
119 119
120static void hci_reject_sco(struct hci_conn *conn)
121{
122 struct hci_cp_reject_sync_conn_req cp;
123
124 cp.reason = HCI_ERROR_REMOTE_USER_TERM;
125 bacpy(&cp.bdaddr, &conn->dst);
126
127 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
128}
129
120void hci_disconnect(struct hci_conn *conn, __u8 reason) 130void hci_disconnect(struct hci_conn *conn, __u8 reason)
121{ 131{
122 struct hci_cp_disconnect cp; 132 struct hci_cp_disconnect cp;
@@ -276,6 +286,8 @@ static void hci_conn_timeout(struct work_struct *work)
276 hci_acl_create_connection_cancel(conn); 286 hci_acl_create_connection_cancel(conn);
277 else if (conn->type == LE_LINK) 287 else if (conn->type == LE_LINK)
278 hci_le_create_connection_cancel(conn); 288 hci_le_create_connection_cancel(conn);
289 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
290 hci_reject_sco(conn);
279 } 291 }
280 break; 292 break;
281 case BT_CONFIG: 293 case BT_CONFIG:
@@ -398,8 +410,6 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
398 if (hdev->notify) 410 if (hdev->notify)
399 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 411 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
400 412
401 atomic_set(&conn->devref, 0);
402
403 hci_conn_init_sysfs(conn); 413 hci_conn_init_sysfs(conn);
404 414
405 return conn; 415 return conn;
@@ -433,7 +443,7 @@ int hci_conn_del(struct hci_conn *conn)
433 struct hci_conn *acl = conn->link; 443 struct hci_conn *acl = conn->link;
434 if (acl) { 444 if (acl) {
435 acl->link = NULL; 445 acl->link = NULL;
436 hci_conn_put(acl); 446 hci_conn_drop(acl);
437 } 447 }
438 } 448 }
439 449
@@ -448,12 +458,11 @@ int hci_conn_del(struct hci_conn *conn)
448 458
449 skb_queue_purge(&conn->data_q); 459 skb_queue_purge(&conn->data_q);
450 460
451 hci_conn_put_device(conn); 461 hci_conn_del_sysfs(conn);
452 462
453 hci_dev_put(hdev); 463 hci_dev_put(hdev);
454 464
455 if (conn->handle == 0) 465 hci_conn_put(conn);
456 kfree(conn);
457 466
458 return 0; 467 return 0;
459} 468}
@@ -565,7 +574,7 @@ static struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type,
565 if (!sco) { 574 if (!sco) {
566 sco = hci_conn_add(hdev, type, dst); 575 sco = hci_conn_add(hdev, type, dst);
567 if (!sco) { 576 if (!sco) {
568 hci_conn_put(acl); 577 hci_conn_drop(acl);
569 return ERR_PTR(-ENOMEM); 578 return ERR_PTR(-ENOMEM);
570 } 579 }
571 } 580 }
@@ -835,19 +844,6 @@ void hci_conn_check_pending(struct hci_dev *hdev)
835 hci_dev_unlock(hdev); 844 hci_dev_unlock(hdev);
836} 845}
837 846
838void hci_conn_hold_device(struct hci_conn *conn)
839{
840 atomic_inc(&conn->devref);
841}
842EXPORT_SYMBOL(hci_conn_hold_device);
843
844void hci_conn_put_device(struct hci_conn *conn)
845{
846 if (atomic_dec_and_test(&conn->devref))
847 hci_conn_del_sysfs(conn);
848}
849EXPORT_SYMBOL(hci_conn_put_device);
850
851int hci_get_conn_list(void __user *arg) 847int hci_get_conn_list(void __user *arg)
852{ 848{
853 struct hci_conn *c; 849 struct hci_conn *c;
@@ -980,7 +976,7 @@ void hci_chan_del(struct hci_chan *chan)
980 976
981 synchronize_rcu(); 977 synchronize_rcu();
982 978
983 hci_conn_put(conn); 979 hci_conn_drop(conn);
984 980
985 skb_queue_purge(&chan->data_q); 981 skb_queue_purge(&chan->data_q);
986 kfree(chan); 982 kfree(chan);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index cfcad5423f1c..ce82265f5619 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -79,6 +79,121 @@ static void hci_req_cancel(struct hci_dev *hdev, int err)
79 } 79 }
80} 80}
81 81
82struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 event)
83{
84 struct hci_ev_cmd_complete *ev;
85 struct hci_event_hdr *hdr;
86 struct sk_buff *skb;
87
88 hci_dev_lock(hdev);
89
90 skb = hdev->recv_evt;
91 hdev->recv_evt = NULL;
92
93 hci_dev_unlock(hdev);
94
95 if (!skb)
96 return ERR_PTR(-ENODATA);
97
98 if (skb->len < sizeof(*hdr)) {
99 BT_ERR("Too short HCI event");
100 goto failed;
101 }
102
103 hdr = (void *) skb->data;
104 skb_pull(skb, HCI_EVENT_HDR_SIZE);
105
106 if (event) {
107 if (hdr->evt != event)
108 goto failed;
109 return skb;
110 }
111
112 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
113 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
114 goto failed;
115 }
116
117 if (skb->len < sizeof(*ev)) {
118 BT_ERR("Too short cmd_complete event");
119 goto failed;
120 }
121
122 ev = (void *) skb->data;
123 skb_pull(skb, sizeof(*ev));
124
125 if (opcode == __le16_to_cpu(ev->opcode))
126 return skb;
127
128 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
129 __le16_to_cpu(ev->opcode));
130
131failed:
132 kfree_skb(skb);
133 return ERR_PTR(-ENODATA);
134}
135
136struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
137 void *param, u8 event, u32 timeout)
138{
139 DECLARE_WAITQUEUE(wait, current);
140 struct hci_request req;
141 int err = 0;
142
143 BT_DBG("%s", hdev->name);
144
145 hci_req_init(&req, hdev);
146
147 hci_req_add_ev(&req, opcode, plen, param, event);
148
149 hdev->req_status = HCI_REQ_PEND;
150
151 err = hci_req_run(&req, hci_req_sync_complete);
152 if (err < 0)
153 return ERR_PTR(err);
154
155 add_wait_queue(&hdev->req_wait_q, &wait);
156 set_current_state(TASK_INTERRUPTIBLE);
157
158 schedule_timeout(timeout);
159
160 remove_wait_queue(&hdev->req_wait_q, &wait);
161
162 if (signal_pending(current))
163 return ERR_PTR(-EINTR);
164
165 switch (hdev->req_status) {
166 case HCI_REQ_DONE:
167 err = -bt_to_errno(hdev->req_result);
168 break;
169
170 case HCI_REQ_CANCELED:
171 err = -hdev->req_result;
172 break;
173
174 default:
175 err = -ETIMEDOUT;
176 break;
177 }
178
179 hdev->req_status = hdev->req_result = 0;
180
181 BT_DBG("%s end: err %d", hdev->name, err);
182
183 if (err < 0)
184 return ERR_PTR(err);
185
186 return hci_get_cmd_complete(hdev, opcode, event);
187}
188EXPORT_SYMBOL(__hci_cmd_sync_ev);
189
190struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
191 void *param, u32 timeout)
192{
193 return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
194}
195EXPORT_SYMBOL(__hci_cmd_sync);
196
82/* Execute request and wait for completion. */ 197/* Execute request and wait for completion. */
83static int __hci_req_sync(struct hci_dev *hdev, 198static int __hci_req_sync(struct hci_dev *hdev,
84 void (*func)(struct hci_request *req, 199 void (*func)(struct hci_request *req,
@@ -201,29 +316,9 @@ static void amp_init(struct hci_request *req)
201static void hci_init1_req(struct hci_request *req, unsigned long opt) 316static void hci_init1_req(struct hci_request *req, unsigned long opt)
202{ 317{
203 struct hci_dev *hdev = req->hdev; 318 struct hci_dev *hdev = req->hdev;
204 struct hci_request init_req;
205 struct sk_buff *skb;
206 319
207 BT_DBG("%s %ld", hdev->name, opt); 320 BT_DBG("%s %ld", hdev->name, opt);
208 321
209 /* Driver initialization */
210
211 hci_req_init(&init_req, hdev);
212
213 /* Special commands */
214 while ((skb = skb_dequeue(&hdev->driver_init))) {
215 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
216 skb->dev = (void *) hdev;
217
218 if (skb_queue_empty(&init_req.cmd_q))
219 bt_cb(skb)->req.start = true;
220
221 skb_queue_tail(&init_req.cmd_q, skb);
222 }
223 skb_queue_purge(&hdev->driver_init);
224
225 hci_req_run(&init_req, NULL);
226
227 /* Reset */ 322 /* Reset */
228 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) 323 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
229 hci_reset_req(req, 0); 324 hci_reset_req(req, 0);
@@ -494,6 +589,7 @@ static void hci_set_le_support(struct hci_request *req)
494static void hci_init3_req(struct hci_request *req, unsigned long opt) 589static void hci_init3_req(struct hci_request *req, unsigned long opt)
495{ 590{
496 struct hci_dev *hdev = req->hdev; 591 struct hci_dev *hdev = req->hdev;
592 u8 p;
497 593
498 if (hdev->commands[5] & 0x10) 594 if (hdev->commands[5] & 0x10)
499 hci_setup_link_policy(req); 595 hci_setup_link_policy(req);
@@ -502,6 +598,15 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
502 hci_set_le_support(req); 598 hci_set_le_support(req);
503 hci_update_ad(req); 599 hci_update_ad(req);
504 } 600 }
601
602 /* Read features beyond page 1 if available */
603 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
604 struct hci_cp_read_local_ext_features cp;
605
606 cp.page = p;
607 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
608 sizeof(cp), &cp);
609 }
505} 610}
506 611
507static int __hci_init(struct hci_dev *hdev) 612static int __hci_init(struct hci_dev *hdev)
@@ -818,6 +923,12 @@ static void hci_inq_req(struct hci_request *req, unsigned long opt)
818 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp); 923 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
819} 924}
820 925
926static int wait_inquiry(void *word)
927{
928 schedule();
929 return signal_pending(current);
930}
931
821int hci_inquiry(void __user *arg) 932int hci_inquiry(void __user *arg)
822{ 933{
823 __u8 __user *ptr = arg; 934 __u8 __user *ptr = arg;
@@ -849,6 +960,13 @@ int hci_inquiry(void __user *arg)
849 timeo); 960 timeo);
850 if (err < 0) 961 if (err < 0)
851 goto done; 962 goto done;
963
964 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
965 * cleared). If it is interrupted by a signal, return -EINTR.
966 */
967 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
968 TASK_INTERRUPTIBLE))
969 return -EINTR;
852 } 970 }
853 971
854 /* for unlimited number of responses we will use buffer with 972 /* for unlimited number of responses we will use buffer with
@@ -999,26 +1117,33 @@ int hci_dev_open(__u16 dev)
999 goto done; 1117 goto done;
1000 } 1118 }
1001 1119
1002 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1003 set_bit(HCI_RAW, &hdev->flags);
1004
1005 /* Treat all non BR/EDR controllers as raw devices if
1006 enable_hs is not set */
1007 if (hdev->dev_type != HCI_BREDR && !enable_hs)
1008 set_bit(HCI_RAW, &hdev->flags);
1009
1010 if (hdev->open(hdev)) { 1120 if (hdev->open(hdev)) {
1011 ret = -EIO; 1121 ret = -EIO;
1012 goto done; 1122 goto done;
1013 } 1123 }
1014 1124
1015 if (!test_bit(HCI_RAW, &hdev->flags)) { 1125 atomic_set(&hdev->cmd_cnt, 1);
1016 atomic_set(&hdev->cmd_cnt, 1); 1126 set_bit(HCI_INIT, &hdev->flags);
1017 set_bit(HCI_INIT, &hdev->flags); 1127
1018 ret = __hci_init(hdev); 1128 if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
1019 clear_bit(HCI_INIT, &hdev->flags); 1129 ret = hdev->setup(hdev);
1130
1131 if (!ret) {
1132 /* Treat all non BR/EDR controllers as raw devices if
1133 * enable_hs is not set.
1134 */
1135 if (hdev->dev_type != HCI_BREDR && !enable_hs)
1136 set_bit(HCI_RAW, &hdev->flags);
1137
1138 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1139 set_bit(HCI_RAW, &hdev->flags);
1140
1141 if (!test_bit(HCI_RAW, &hdev->flags))
1142 ret = __hci_init(hdev);
1020 } 1143 }
1021 1144
1145 clear_bit(HCI_INIT, &hdev->flags);
1146
1022 if (!ret) { 1147 if (!ret) {
1023 hci_dev_hold(hdev); 1148 hci_dev_hold(hdev);
1024 set_bit(HCI_UP, &hdev->flags); 1149 set_bit(HCI_UP, &hdev->flags);
@@ -1123,6 +1248,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
1123 hdev->sent_cmd = NULL; 1248 hdev->sent_cmd = NULL;
1124 } 1249 }
1125 1250
1251 kfree_skb(hdev->recv_evt);
1252 hdev->recv_evt = NULL;
1253
1126 /* After this point our queues are empty 1254 /* After this point our queues are empty
1127 * and no tasks are scheduled. */ 1255 * and no tasks are scheduled. */
1128 hdev->close(hdev); 1256 hdev->close(hdev);
@@ -1861,8 +1989,8 @@ static void le_scan_enable_req(struct hci_request *req, unsigned long opt)
1861 struct hci_cp_le_set_scan_enable cp; 1989 struct hci_cp_le_set_scan_enable cp;
1862 1990
1863 memset(&cp, 0, sizeof(cp)); 1991 memset(&cp, 0, sizeof(cp));
1864 cp.enable = 1; 1992 cp.enable = LE_SCAN_ENABLE;
1865 cp.filter_dup = 1; 1993 cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
1866 1994
1867 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp); 1995 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
1868} 1996}
@@ -1896,7 +2024,7 @@ static int hci_do_le_scan(struct hci_dev *hdev, u8 type, u16 interval,
1896 return err; 2024 return err;
1897 2025
1898 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, 2026 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable,
1899 msecs_to_jiffies(timeout)); 2027 timeout);
1900 2028
1901 return 0; 2029 return 0;
1902} 2030}
@@ -2006,7 +2134,6 @@ struct hci_dev *hci_alloc_dev(void)
2006 INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off); 2134 INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2007 INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work); 2135 INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2008 2136
2009 skb_queue_head_init(&hdev->driver_init);
2010 skb_queue_head_init(&hdev->rx_q); 2137 skb_queue_head_init(&hdev->rx_q);
2011 skb_queue_head_init(&hdev->cmd_q); 2138 skb_queue_head_init(&hdev->cmd_q);
2012 skb_queue_head_init(&hdev->raw_q); 2139 skb_queue_head_init(&hdev->raw_q);
@@ -2025,8 +2152,6 @@ EXPORT_SYMBOL(hci_alloc_dev);
2025/* Free HCI device */ 2152/* Free HCI device */
2026void hci_free_dev(struct hci_dev *hdev) 2153void hci_free_dev(struct hci_dev *hdev)
2027{ 2154{
2028 skb_queue_purge(&hdev->driver_init);
2029
2030 /* will free via device release */ 2155 /* will free via device release */
2031 put_device(&hdev->dev); 2156 put_device(&hdev->dev);
2032} 2157}
@@ -2527,7 +2652,8 @@ int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
2527} 2652}
2528 2653
2529/* Queue a command to an asynchronous HCI request */ 2654/* Queue a command to an asynchronous HCI request */
2530void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param) 2655void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen, void *param,
2656 u8 event)
2531{ 2657{
2532 struct hci_dev *hdev = req->hdev; 2658 struct hci_dev *hdev = req->hdev;
2533 struct sk_buff *skb; 2659 struct sk_buff *skb;
@@ -2551,9 +2677,16 @@ void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param)
2551 if (skb_queue_empty(&req->cmd_q)) 2677 if (skb_queue_empty(&req->cmd_q))
2552 bt_cb(skb)->req.start = true; 2678 bt_cb(skb)->req.start = true;
2553 2679
2680 bt_cb(skb)->req.event = event;
2681
2554 skb_queue_tail(&req->cmd_q, skb); 2682 skb_queue_tail(&req->cmd_q, skb);
2555} 2683}
2556 2684
2685void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param)
2686{
2687 hci_req_add_ev(req, opcode, plen, param, 0);
2688}
2689
2557/* Get data from the previously sent command */ 2690/* Get data from the previously sent command */
2558void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode) 2691void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
2559{ 2692{
@@ -3309,32 +3442,6 @@ call_complete:
3309 req_complete(hdev, status); 3442 req_complete(hdev, status);
3310} 3443}
3311 3444
3312void hci_req_cmd_status(struct hci_dev *hdev, u16 opcode, u8 status)
3313{
3314 hci_req_complete_t req_complete = NULL;
3315
3316 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3317
3318 if (status) {
3319 hci_req_cmd_complete(hdev, opcode, status);
3320 return;
3321 }
3322
3323 /* No need to handle success status if there are more commands */
3324 if (!hci_req_is_complete(hdev))
3325 return;
3326
3327 if (hdev->sent_cmd)
3328 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
3329
3330 /* If the request doesn't have a complete callback or there
3331 * are other commands/requests in the hdev queue we consider
3332 * this request as completed.
3333 */
3334 if (!req_complete || !skb_queue_empty(&hdev->cmd_q))
3335 hci_req_cmd_complete(hdev, opcode, status);
3336}
3337
3338static void hci_rx_work(struct work_struct *work) 3445static void hci_rx_work(struct work_struct *work)
3339{ 3446{
3340 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work); 3447 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 138580745c2c..b93cd2eb5d58 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -48,13 +48,13 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
48 } 48 }
49 49
50 clear_bit(HCI_INQUIRY, &hdev->flags); 50 clear_bit(HCI_INQUIRY, &hdev->flags);
51 smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
52 wake_up_bit(&hdev->flags, HCI_INQUIRY);
51 53
52 hci_dev_lock(hdev); 54 hci_dev_lock(hdev);
53 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 55 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
54 hci_dev_unlock(hdev); 56 hci_dev_unlock(hdev);
55 57
56 hci_req_cmd_complete(hdev, HCI_OP_INQUIRY, status);
57
58 hci_conn_check_pending(hdev); 58 hci_conn_check_pending(hdev);
59} 59}
60 60
@@ -433,9 +433,9 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
433 433
434 if (!status) { 434 if (!status) {
435 if (sent->mode) 435 if (sent->mode)
436 hdev->host_features[0] |= LMP_HOST_SSP; 436 hdev->features[1][0] |= LMP_HOST_SSP;
437 else 437 else
438 hdev->host_features[0] &= ~LMP_HOST_SSP; 438 hdev->features[1][0] &= ~LMP_HOST_SSP;
439 } 439 }
440 440
441 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 441 if (test_bit(HCI_MGMT, &hdev->dev_flags))
@@ -493,18 +493,18 @@ static void hci_cc_read_local_features(struct hci_dev *hdev,
493 /* Adjust default settings according to features 493 /* Adjust default settings according to features
494 * supported by device. */ 494 * supported by device. */
495 495
496 if (hdev->features[0] & LMP_3SLOT) 496 if (hdev->features[0][0] & LMP_3SLOT)
497 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 497 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
498 498
499 if (hdev->features[0] & LMP_5SLOT) 499 if (hdev->features[0][0] & LMP_5SLOT)
500 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 500 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
501 501
502 if (hdev->features[1] & LMP_HV2) { 502 if (hdev->features[0][1] & LMP_HV2) {
503 hdev->pkt_type |= (HCI_HV2); 503 hdev->pkt_type |= (HCI_HV2);
504 hdev->esco_type |= (ESCO_HV2); 504 hdev->esco_type |= (ESCO_HV2);
505 } 505 }
506 506
507 if (hdev->features[1] & LMP_HV3) { 507 if (hdev->features[0][1] & LMP_HV3) {
508 hdev->pkt_type |= (HCI_HV3); 508 hdev->pkt_type |= (HCI_HV3);
509 hdev->esco_type |= (ESCO_HV3); 509 hdev->esco_type |= (ESCO_HV3);
510 } 510 }
@@ -512,26 +512,26 @@ static void hci_cc_read_local_features(struct hci_dev *hdev,
512 if (lmp_esco_capable(hdev)) 512 if (lmp_esco_capable(hdev))
513 hdev->esco_type |= (ESCO_EV3); 513 hdev->esco_type |= (ESCO_EV3);
514 514
515 if (hdev->features[4] & LMP_EV4) 515 if (hdev->features[0][4] & LMP_EV4)
516 hdev->esco_type |= (ESCO_EV4); 516 hdev->esco_type |= (ESCO_EV4);
517 517
518 if (hdev->features[4] & LMP_EV5) 518 if (hdev->features[0][4] & LMP_EV5)
519 hdev->esco_type |= (ESCO_EV5); 519 hdev->esco_type |= (ESCO_EV5);
520 520
521 if (hdev->features[5] & LMP_EDR_ESCO_2M) 521 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
522 hdev->esco_type |= (ESCO_2EV3); 522 hdev->esco_type |= (ESCO_2EV3);
523 523
524 if (hdev->features[5] & LMP_EDR_ESCO_3M) 524 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
525 hdev->esco_type |= (ESCO_3EV3); 525 hdev->esco_type |= (ESCO_3EV3);
526 526
527 if (hdev->features[5] & LMP_EDR_3S_ESCO) 527 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
528 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 528 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
529 529
530 BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name, 530 BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name,
531 hdev->features[0], hdev->features[1], 531 hdev->features[0][0], hdev->features[0][1],
532 hdev->features[2], hdev->features[3], 532 hdev->features[0][2], hdev->features[0][3],
533 hdev->features[4], hdev->features[5], 533 hdev->features[0][4], hdev->features[0][5],
534 hdev->features[6], hdev->features[7]); 534 hdev->features[0][6], hdev->features[0][7]);
535} 535}
536 536
537static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 537static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
@@ -544,14 +544,10 @@ static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
544 if (rp->status) 544 if (rp->status)
545 return; 545 return;
546 546
547 switch (rp->page) { 547 hdev->max_page = rp->max_page;
548 case 0: 548
549 memcpy(hdev->features, rp->features, 8); 549 if (rp->page < HCI_MAX_PAGES)
550 break; 550 memcpy(hdev->features[rp->page], rp->features, 8);
551 case 1:
552 memcpy(hdev->host_features, rp->features, 8);
553 break;
554 }
555} 551}
556 552
557static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 553static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
@@ -968,7 +964,7 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
968 return; 964 return;
969 965
970 switch (cp->enable) { 966 switch (cp->enable) {
971 case LE_SCANNING_ENABLED: 967 case LE_SCAN_ENABLE:
972 if (status) { 968 if (status) {
973 hci_dev_lock(hdev); 969 hci_dev_lock(hdev);
974 mgmt_start_discovery_failed(hdev, status); 970 mgmt_start_discovery_failed(hdev, status);
@@ -983,7 +979,7 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
983 hci_dev_unlock(hdev); 979 hci_dev_unlock(hdev);
984 break; 980 break;
985 981
986 case LE_SCANNING_DISABLED: 982 case LE_SCAN_DISABLE:
987 if (status) { 983 if (status) {
988 hci_dev_lock(hdev); 984 hci_dev_lock(hdev);
989 mgmt_stop_discovery_failed(hdev, status); 985 mgmt_stop_discovery_failed(hdev, status);
@@ -1046,14 +1042,14 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1046 1042
1047 if (!status) { 1043 if (!status) {
1048 if (sent->le) 1044 if (sent->le)
1049 hdev->host_features[0] |= LMP_HOST_LE; 1045 hdev->features[1][0] |= LMP_HOST_LE;
1050 else 1046 else
1051 hdev->host_features[0] &= ~LMP_HOST_LE; 1047 hdev->features[1][0] &= ~LMP_HOST_LE;
1052 1048
1053 if (sent->simul) 1049 if (sent->simul)
1054 hdev->host_features[0] |= LMP_HOST_LE_BREDR; 1050 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1055 else 1051 else
1056 hdev->host_features[0] &= ~LMP_HOST_LE_BREDR; 1052 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1057 } 1053 }
1058 1054
1059 if (test_bit(HCI_MGMT, &hdev->dev_flags) && 1055 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
@@ -1190,7 +1186,7 @@ static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1190 if (conn) { 1186 if (conn) {
1191 if (conn->state == BT_CONFIG) { 1187 if (conn->state == BT_CONFIG) {
1192 hci_proto_connect_cfm(conn, status); 1188 hci_proto_connect_cfm(conn, status);
1193 hci_conn_put(conn); 1189 hci_conn_drop(conn);
1194 } 1190 }
1195 } 1191 }
1196 1192
@@ -1217,7 +1213,7 @@ static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1217 if (conn) { 1213 if (conn) {
1218 if (conn->state == BT_CONFIG) { 1214 if (conn->state == BT_CONFIG) {
1219 hci_proto_connect_cfm(conn, status); 1215 hci_proto_connect_cfm(conn, status);
1220 hci_conn_put(conn); 1216 hci_conn_drop(conn);
1221 } 1217 }
1222 } 1218 }
1223 1219
@@ -1379,7 +1375,7 @@ static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1379 if (conn) { 1375 if (conn) {
1380 if (conn->state == BT_CONFIG) { 1376 if (conn->state == BT_CONFIG) {
1381 hci_proto_connect_cfm(conn, status); 1377 hci_proto_connect_cfm(conn, status);
1382 hci_conn_put(conn); 1378 hci_conn_drop(conn);
1383 } 1379 }
1384 } 1380 }
1385 1381
@@ -1406,7 +1402,7 @@ static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1406 if (conn) { 1402 if (conn) {
1407 if (conn->state == BT_CONFIG) { 1403 if (conn->state == BT_CONFIG) {
1408 hci_proto_connect_cfm(conn, status); 1404 hci_proto_connect_cfm(conn, status);
1409 hci_conn_put(conn); 1405 hci_conn_drop(conn);
1410 } 1406 }
1411 } 1407 }
1412 1408
@@ -1600,13 +1596,14 @@ static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1600 1596
1601 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1597 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1602 1598
1603 hci_req_cmd_complete(hdev, HCI_OP_INQUIRY, status);
1604
1605 hci_conn_check_pending(hdev); 1599 hci_conn_check_pending(hdev);
1606 1600
1607 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 1601 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1608 return; 1602 return;
1609 1603
1604 smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
1605 wake_up_bit(&hdev->flags, HCI_INQUIRY);
1606
1610 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 1607 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1611 return; 1608 return;
1612 1609
@@ -1705,7 +1702,6 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1705 } else 1702 } else
1706 conn->state = BT_CONNECTED; 1703 conn->state = BT_CONNECTED;
1707 1704
1708 hci_conn_hold_device(conn);
1709 hci_conn_add_sysfs(conn); 1705 hci_conn_add_sysfs(conn);
1710 1706
1711 if (test_bit(HCI_AUTH, &hdev->flags)) 1707 if (test_bit(HCI_AUTH, &hdev->flags))
@@ -1752,42 +1748,6 @@ unlock:
1752 hci_conn_check_pending(hdev); 1748 hci_conn_check_pending(hdev);
1753} 1749}
1754 1750
1755void hci_conn_accept(struct hci_conn *conn, int mask)
1756{
1757 struct hci_dev *hdev = conn->hdev;
1758
1759 BT_DBG("conn %p", conn);
1760
1761 conn->state = BT_CONFIG;
1762
1763 if (!lmp_esco_capable(hdev)) {
1764 struct hci_cp_accept_conn_req cp;
1765
1766 bacpy(&cp.bdaddr, &conn->dst);
1767
1768 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
1769 cp.role = 0x00; /* Become master */
1770 else
1771 cp.role = 0x01; /* Remain slave */
1772
1773 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
1774 } else /* lmp_esco_capable(hdev)) */ {
1775 struct hci_cp_accept_sync_conn_req cp;
1776
1777 bacpy(&cp.bdaddr, &conn->dst);
1778 cp.pkt_type = cpu_to_le16(conn->pkt_type);
1779
1780 cp.tx_bandwidth = __constant_cpu_to_le32(0x00001f40);
1781 cp.rx_bandwidth = __constant_cpu_to_le32(0x00001f40);
1782 cp.max_latency = __constant_cpu_to_le16(0xffff);
1783 cp.content_format = cpu_to_le16(hdev->voice_setting);
1784 cp.retrans_effort = 0xff;
1785
1786 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
1787 sizeof(cp), &cp);
1788 }
1789}
1790
1791static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 1751static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1792{ 1752{
1793 struct hci_ev_conn_request *ev = (void *) skb->data; 1753 struct hci_ev_conn_request *ev = (void *) skb->data;
@@ -1859,7 +1819,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1859 } else { 1819 } else {
1860 conn->state = BT_CONNECT2; 1820 conn->state = BT_CONNECT2;
1861 hci_proto_connect_cfm(conn, 0); 1821 hci_proto_connect_cfm(conn, 0);
1862 hci_conn_put(conn);
1863 } 1822 }
1864 } else { 1823 } else {
1865 /* Connection rejected */ 1824 /* Connection rejected */
@@ -1966,14 +1925,14 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1966 } else { 1925 } else {
1967 conn->state = BT_CONNECTED; 1926 conn->state = BT_CONNECTED;
1968 hci_proto_connect_cfm(conn, ev->status); 1927 hci_proto_connect_cfm(conn, ev->status);
1969 hci_conn_put(conn); 1928 hci_conn_drop(conn);
1970 } 1929 }
1971 } else { 1930 } else {
1972 hci_auth_cfm(conn, ev->status); 1931 hci_auth_cfm(conn, ev->status);
1973 1932
1974 hci_conn_hold(conn); 1933 hci_conn_hold(conn);
1975 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 1934 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1976 hci_conn_put(conn); 1935 hci_conn_drop(conn);
1977 } 1936 }
1978 1937
1979 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 1938 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
@@ -2057,7 +2016,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2057 2016
2058 if (ev->status && conn->state == BT_CONNECTED) { 2017 if (ev->status && conn->state == BT_CONNECTED) {
2059 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2018 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2060 hci_conn_put(conn); 2019 hci_conn_drop(conn);
2061 goto unlock; 2020 goto unlock;
2062 } 2021 }
2063 2022
@@ -2066,7 +2025,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2066 conn->state = BT_CONNECTED; 2025 conn->state = BT_CONNECTED;
2067 2026
2068 hci_proto_connect_cfm(conn, ev->status); 2027 hci_proto_connect_cfm(conn, ev->status);
2069 hci_conn_put(conn); 2028 hci_conn_drop(conn);
2070 } else 2029 } else
2071 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2030 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2072 } 2031 }
@@ -2113,7 +2072,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev,
2113 goto unlock; 2072 goto unlock;
2114 2073
2115 if (!ev->status) 2074 if (!ev->status)
2116 memcpy(conn->features, ev->features, 8); 2075 memcpy(conn->features[0], ev->features, 8);
2117 2076
2118 if (conn->state != BT_CONFIG) 2077 if (conn->state != BT_CONFIG)
2119 goto unlock; 2078 goto unlock;
@@ -2141,7 +2100,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev,
2141 if (!hci_outgoing_auth_needed(hdev, conn)) { 2100 if (!hci_outgoing_auth_needed(hdev, conn)) {
2142 conn->state = BT_CONNECTED; 2101 conn->state = BT_CONNECTED;
2143 hci_proto_connect_cfm(conn, ev->status); 2102 hci_proto_connect_cfm(conn, ev->status);
2144 hci_conn_put(conn); 2103 hci_conn_drop(conn);
2145 } 2104 }
2146 2105
2147unlock: 2106unlock:
@@ -2462,7 +2421,9 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2462 if (opcode != HCI_OP_NOP) 2421 if (opcode != HCI_OP_NOP)
2463 del_timer(&hdev->cmd_timer); 2422 del_timer(&hdev->cmd_timer);
2464 2423
2465 hci_req_cmd_status(hdev, opcode, ev->status); 2424 if (ev->status ||
2425 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
2426 hci_req_cmd_complete(hdev, opcode, ev->status);
2466 2427
2467 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { 2428 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2468 atomic_set(&hdev->cmd_cnt, 1); 2429 atomic_set(&hdev->cmd_cnt, 1);
@@ -2679,7 +2640,7 @@ static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2679 if (conn->state == BT_CONNECTED) { 2640 if (conn->state == BT_CONNECTED) {
2680 hci_conn_hold(conn); 2641 hci_conn_hold(conn);
2681 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2642 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2682 hci_conn_put(conn); 2643 hci_conn_drop(conn);
2683 } 2644 }
2684 2645
2685 if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags)) 2646 if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags))
@@ -2782,7 +2743,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
2782 if (ev->key_type != HCI_LK_CHANGED_COMBINATION) 2743 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
2783 conn->key_type = ev->key_type; 2744 conn->key_type = ev->key_type;
2784 2745
2785 hci_conn_put(conn); 2746 hci_conn_drop(conn);
2786 } 2747 }
2787 2748
2788 if (test_bit(HCI_LINK_KEYS, &hdev->dev_flags)) 2749 if (test_bit(HCI_LINK_KEYS, &hdev->dev_flags))
@@ -2923,6 +2884,9 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2923 if (!conn) 2884 if (!conn)
2924 goto unlock; 2885 goto unlock;
2925 2886
2887 if (ev->page < HCI_MAX_PAGES)
2888 memcpy(conn->features[ev->page], ev->features, 8);
2889
2926 if (!ev->status && ev->page == 0x01) { 2890 if (!ev->status && ev->page == 0x01) {
2927 struct inquiry_entry *ie; 2891 struct inquiry_entry *ie;
2928 2892
@@ -2930,8 +2894,19 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2930 if (ie) 2894 if (ie)
2931 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 2895 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
2932 2896
2933 if (ev->features[0] & LMP_HOST_SSP) 2897 if (ev->features[0] & LMP_HOST_SSP) {
2934 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 2898 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
2899 } else {
2900 /* It is mandatory by the Bluetooth specification that
2901 * Extended Inquiry Results are only used when Secure
2902 * Simple Pairing is enabled, but some devices violate
2903 * this.
2904 *
2905 * To make these devices work, the internal SSP
2906 * enabled flag needs to be cleared if the remote host
2907 * features do not indicate SSP support */
2908 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
2909 }
2935 } 2910 }
2936 2911
2937 if (conn->state != BT_CONFIG) 2912 if (conn->state != BT_CONFIG)
@@ -2951,7 +2926,7 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2951 if (!hci_outgoing_auth_needed(hdev, conn)) { 2926 if (!hci_outgoing_auth_needed(hdev, conn)) {
2952 conn->state = BT_CONNECTED; 2927 conn->state = BT_CONNECTED;
2953 hci_proto_connect_cfm(conn, ev->status); 2928 hci_proto_connect_cfm(conn, ev->status);
2954 hci_conn_put(conn); 2929 hci_conn_drop(conn);
2955 } 2930 }
2956 2931
2957unlock: 2932unlock:
@@ -2985,7 +2960,6 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
2985 conn->handle = __le16_to_cpu(ev->handle); 2960 conn->handle = __le16_to_cpu(ev->handle);
2986 conn->state = BT_CONNECTED; 2961 conn->state = BT_CONNECTED;
2987 2962
2988 hci_conn_hold_device(conn);
2989 hci_conn_add_sysfs(conn); 2963 hci_conn_add_sysfs(conn);
2990 break; 2964 break;
2991 2965
@@ -3084,7 +3058,7 @@ static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3084 3058
3085 if (ev->status && conn->state == BT_CONNECTED) { 3059 if (ev->status && conn->state == BT_CONNECTED) {
3086 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3060 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3087 hci_conn_put(conn); 3061 hci_conn_drop(conn);
3088 goto unlock; 3062 goto unlock;
3089 } 3063 }
3090 3064
@@ -3093,13 +3067,13 @@ static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3093 conn->state = BT_CONNECTED; 3067 conn->state = BT_CONNECTED;
3094 3068
3095 hci_proto_connect_cfm(conn, ev->status); 3069 hci_proto_connect_cfm(conn, ev->status);
3096 hci_conn_put(conn); 3070 hci_conn_drop(conn);
3097 } else { 3071 } else {
3098 hci_auth_cfm(conn, ev->status); 3072 hci_auth_cfm(conn, ev->status);
3099 3073
3100 hci_conn_hold(conn); 3074 hci_conn_hold(conn);
3101 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3075 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3102 hci_conn_put(conn); 3076 hci_conn_drop(conn);
3103 } 3077 }
3104 3078
3105unlock: 3079unlock:
@@ -3360,7 +3334,7 @@ static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3360 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type, 3334 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
3361 ev->status); 3335 ev->status);
3362 3336
3363 hci_conn_put(conn); 3337 hci_conn_drop(conn);
3364 3338
3365unlock: 3339unlock:
3366 hci_dev_unlock(hdev); 3340 hci_dev_unlock(hdev);
@@ -3371,11 +3345,16 @@ static void hci_remote_host_features_evt(struct hci_dev *hdev,
3371{ 3345{
3372 struct hci_ev_remote_host_features *ev = (void *) skb->data; 3346 struct hci_ev_remote_host_features *ev = (void *) skb->data;
3373 struct inquiry_entry *ie; 3347 struct inquiry_entry *ie;
3348 struct hci_conn *conn;
3374 3349
3375 BT_DBG("%s", hdev->name); 3350 BT_DBG("%s", hdev->name);
3376 3351
3377 hci_dev_lock(hdev); 3352 hci_dev_lock(hdev);
3378 3353
3354 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3355 if (conn)
3356 memcpy(conn->features[1], ev->features, 8);
3357
3379 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3358 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3380 if (ie) 3359 if (ie)
3381 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 3360 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
@@ -3448,9 +3427,8 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
3448 3427
3449 hci_conn_hold(hcon); 3428 hci_conn_hold(hcon);
3450 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 3429 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3451 hci_conn_put(hcon); 3430 hci_conn_drop(hcon);
3452 3431
3453 hci_conn_hold_device(hcon);
3454 hci_conn_add_sysfs(hcon); 3432 hci_conn_add_sysfs(hcon);
3455 3433
3456 amp_physical_cfm(bredr_hcon, hcon); 3434 amp_physical_cfm(bredr_hcon, hcon);
@@ -3584,7 +3562,6 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3584 conn->handle = __le16_to_cpu(ev->handle); 3562 conn->handle = __le16_to_cpu(ev->handle);
3585 conn->state = BT_CONNECTED; 3563 conn->state = BT_CONNECTED;
3586 3564
3587 hci_conn_hold_device(conn);
3588 hci_conn_add_sysfs(conn); 3565 hci_conn_add_sysfs(conn);
3589 3566
3590 hci_proto_connect_cfm(conn, ev->status); 3567 hci_proto_connect_cfm(conn, ev->status);
@@ -3698,8 +3675,27 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
3698 struct hci_event_hdr *hdr = (void *) skb->data; 3675 struct hci_event_hdr *hdr = (void *) skb->data;
3699 __u8 event = hdr->evt; 3676 __u8 event = hdr->evt;
3700 3677
3678 hci_dev_lock(hdev);
3679
3680 /* Received events are (currently) only needed when a request is
3681 * ongoing so avoid unnecessary memory allocation.
3682 */
3683 if (hdev->req_status == HCI_REQ_PEND) {
3684 kfree_skb(hdev->recv_evt);
3685 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
3686 }
3687
3688 hci_dev_unlock(hdev);
3689
3701 skb_pull(skb, HCI_EVENT_HDR_SIZE); 3690 skb_pull(skb, HCI_EVENT_HDR_SIZE);
3702 3691
3692 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
3693 struct hci_command_hdr *hdr = (void *) hdev->sent_cmd->data;
3694 u16 opcode = __le16_to_cpu(hdr->opcode);
3695
3696 hci_req_cmd_complete(hdev, opcode, 0);
3697 }
3698
3703 switch (event) { 3699 switch (event) {
3704 case HCI_EV_INQUIRY_COMPLETE: 3700 case HCI_EV_INQUIRY_COMPLETE:
3705 hci_inquiry_complete_evt(hdev, skb); 3701 hci_inquiry_complete_evt(hdev, skb);
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index ff38561385de..7ad6ecf36f20 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -48,10 +48,10 @@ static ssize_t show_link_features(struct device *dev,
48 struct hci_conn *conn = to_hci_conn(dev); 48 struct hci_conn *conn = to_hci_conn(dev);
49 49
50 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n", 50 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n",
51 conn->features[0], conn->features[1], 51 conn->features[0][0], conn->features[0][1],
52 conn->features[2], conn->features[3], 52 conn->features[0][2], conn->features[0][3],
53 conn->features[4], conn->features[5], 53 conn->features[0][4], conn->features[0][5],
54 conn->features[6], conn->features[7]); 54 conn->features[0][6], conn->features[0][7]);
55} 55}
56 56
57#define LINK_ATTR(_name, _mode, _show, _store) \ 57#define LINK_ATTR(_name, _mode, _show, _store) \
@@ -146,7 +146,6 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
146 } 146 }
147 147
148 device_del(&conn->dev); 148 device_del(&conn->dev);
149 put_device(&conn->dev);
150 149
151 hci_dev_put(hdev); 150 hci_dev_put(hdev);
152} 151}
@@ -234,10 +233,10 @@ static ssize_t show_features(struct device *dev,
234 struct hci_dev *hdev = to_hci_dev(dev); 233 struct hci_dev *hdev = to_hci_dev(dev);
235 234
236 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n", 235 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n",
237 hdev->features[0], hdev->features[1], 236 hdev->features[0][0], hdev->features[0][1],
238 hdev->features[2], hdev->features[3], 237 hdev->features[0][2], hdev->features[0][3],
239 hdev->features[4], hdev->features[5], 238 hdev->features[0][4], hdev->features[0][5],
240 hdev->features[6], hdev->features[7]); 239 hdev->features[0][6], hdev->features[0][7]);
241} 240}
242 241
243static ssize_t show_manufacturer(struct device *dev, 242static ssize_t show_manufacturer(struct device *dev,
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 2342327f3335..940f5acb6694 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -1,6 +1,7 @@
1/* 1/*
2 HIDP implementation for Linux Bluetooth stack (BlueZ). 2 HIDP implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org> 3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4 Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
4 5
5 This program is free software; you can redistribute it and/or modify 6 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as 7 it under the terms of the GNU General Public License version 2 as
@@ -20,6 +21,7 @@
20 SOFTWARE IS DISCLAIMED. 21 SOFTWARE IS DISCLAIMED.
21*/ 22*/
22 23
24#include <linux/kref.h>
23#include <linux/module.h> 25#include <linux/module.h>
24#include <linux/file.h> 26#include <linux/file.h>
25#include <linux/kthread.h> 27#include <linux/kthread.h>
@@ -59,39 +61,20 @@ static unsigned char hidp_keycode[256] = {
59 61
60static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }; 62static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
61 63
62static struct hidp_session *__hidp_get_session(bdaddr_t *bdaddr) 64static int hidp_session_probe(struct l2cap_conn *conn,
63{ 65 struct l2cap_user *user);
64 struct hidp_session *session; 66static void hidp_session_remove(struct l2cap_conn *conn,
65 67 struct l2cap_user *user);
66 BT_DBG(""); 68static int hidp_session_thread(void *arg);
69static void hidp_session_terminate(struct hidp_session *s);
67 70
68 list_for_each_entry(session, &hidp_session_list, list) { 71static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
69 if (!bacmp(bdaddr, &session->bdaddr))
70 return session;
71 }
72
73 return NULL;
74}
75
76static void __hidp_link_session(struct hidp_session *session)
77{
78 list_add(&session->list, &hidp_session_list);
79}
80
81static void __hidp_unlink_session(struct hidp_session *session)
82{
83 hci_conn_put_device(session->conn);
84
85 list_del(&session->list);
86}
87
88static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
89{ 72{
90 memset(ci, 0, sizeof(*ci)); 73 memset(ci, 0, sizeof(*ci));
91 bacpy(&ci->bdaddr, &session->bdaddr); 74 bacpy(&ci->bdaddr, &session->bdaddr);
92 75
93 ci->flags = session->flags; 76 ci->flags = session->flags;
94 ci->state = session->state; 77 ci->state = BT_CONNECTED;
95 78
96 ci->vendor = 0x0000; 79 ci->vendor = 0x0000;
97 ci->product = 0x0000; 80 ci->product = 0x0000;
@@ -115,58 +98,80 @@ static void __hidp_copy_session(struct hidp_session *session, struct hidp_connin
115 } 98 }
116} 99}
117 100
118static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev, 101/* assemble skb, queue message on @transmit and wake up the session thread */
119 unsigned int type, unsigned int code, int value) 102static int hidp_send_message(struct hidp_session *session, struct socket *sock,
103 struct sk_buff_head *transmit, unsigned char hdr,
104 const unsigned char *data, int size)
120{ 105{
121 unsigned char newleds;
122 struct sk_buff *skb; 106 struct sk_buff *skb;
107 struct sock *sk = sock->sk;
123 108
124 BT_DBG("session %p type %d code %d value %d", session, type, code, value); 109 BT_DBG("session %p data %p size %d", session, data, size);
125
126 if (type != EV_LED)
127 return -1;
128
129 newleds = (!!test_bit(LED_KANA, dev->led) << 3) |
130 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
131 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
132 (!!test_bit(LED_CAPSL, dev->led) << 1) |
133 (!!test_bit(LED_NUML, dev->led));
134
135 if (session->leds == newleds)
136 return 0;
137 110
138 session->leds = newleds; 111 if (atomic_read(&session->terminate))
112 return -EIO;
139 113
140 skb = alloc_skb(3, GFP_ATOMIC); 114 skb = alloc_skb(size + 1, GFP_ATOMIC);
141 if (!skb) { 115 if (!skb) {
142 BT_ERR("Can't allocate memory for new frame"); 116 BT_ERR("Can't allocate memory for new frame");
143 return -ENOMEM; 117 return -ENOMEM;
144 } 118 }
145 119
146 *skb_put(skb, 1) = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 120 *skb_put(skb, 1) = hdr;
147 *skb_put(skb, 1) = 0x01; 121 if (data && size > 0)
148 *skb_put(skb, 1) = newleds; 122 memcpy(skb_put(skb, size), data, size);
149
150 skb_queue_tail(&session->intr_transmit, skb);
151 123
152 hidp_schedule(session); 124 skb_queue_tail(transmit, skb);
125 wake_up_interruptible(sk_sleep(sk));
153 126
154 return 0; 127 return 0;
155} 128}
156 129
157static int hidp_hidinput_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) 130static int hidp_send_ctrl_message(struct hidp_session *session,
131 unsigned char hdr, const unsigned char *data,
132 int size)
158{ 133{
159 struct hid_device *hid = input_get_drvdata(dev); 134 return hidp_send_message(session, session->ctrl_sock,
160 struct hidp_session *session = hid->driver_data; 135 &session->ctrl_transmit, hdr, data, size);
136}
161 137
162 return hidp_queue_event(session, dev, type, code, value); 138static int hidp_send_intr_message(struct hidp_session *session,
139 unsigned char hdr, const unsigned char *data,
140 int size)
141{
142 return hidp_send_message(session, session->intr_sock,
143 &session->intr_transmit, hdr, data, size);
163} 144}
164 145
165static int hidp_input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) 146static int hidp_input_event(struct input_dev *dev, unsigned int type,
147 unsigned int code, int value)
166{ 148{
167 struct hidp_session *session = input_get_drvdata(dev); 149 struct hidp_session *session = input_get_drvdata(dev);
150 unsigned char newleds;
151 unsigned char hdr, data[2];
152
153 BT_DBG("session %p type %d code %d value %d",
154 session, type, code, value);
155
156 if (type != EV_LED)
157 return -1;
158
159 newleds = (!!test_bit(LED_KANA, dev->led) << 3) |
160 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
161 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
162 (!!test_bit(LED_CAPSL, dev->led) << 1) |
163 (!!test_bit(LED_NUML, dev->led));
168 164
169 return hidp_queue_event(session, dev, type, code, value); 165 if (session->leds == newleds)
166 return 0;
167
168 session->leds = newleds;
169
170 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
171 data[0] = 0x01;
172 data[1] = newleds;
173
174 return hidp_send_intr_message(session, hdr, data, 2);
170} 175}
171 176
172static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb) 177static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
@@ -224,71 +229,9 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
224 input_sync(dev); 229 input_sync(dev);
225} 230}
226 231
227static int __hidp_send_ctrl_message(struct hidp_session *session,
228 unsigned char hdr, unsigned char *data,
229 int size)
230{
231 struct sk_buff *skb;
232
233 BT_DBG("session %p data %p size %d", session, data, size);
234
235 if (atomic_read(&session->terminate))
236 return -EIO;
237
238 skb = alloc_skb(size + 1, GFP_ATOMIC);
239 if (!skb) {
240 BT_ERR("Can't allocate memory for new frame");
241 return -ENOMEM;
242 }
243
244 *skb_put(skb, 1) = hdr;
245 if (data && size > 0)
246 memcpy(skb_put(skb, size), data, size);
247
248 skb_queue_tail(&session->ctrl_transmit, skb);
249
250 return 0;
251}
252
253static int hidp_send_ctrl_message(struct hidp_session *session,
254 unsigned char hdr, unsigned char *data, int size)
255{
256 int err;
257
258 err = __hidp_send_ctrl_message(session, hdr, data, size);
259
260 hidp_schedule(session);
261
262 return err;
263}
264
265static int hidp_queue_report(struct hidp_session *session,
266 unsigned char *data, int size)
267{
268 struct sk_buff *skb;
269
270 BT_DBG("session %p hid %p data %p size %d", session, session->hid, data, size);
271
272 skb = alloc_skb(size + 1, GFP_ATOMIC);
273 if (!skb) {
274 BT_ERR("Can't allocate memory for new frame");
275 return -ENOMEM;
276 }
277
278 *skb_put(skb, 1) = 0xa2;
279 if (size > 0)
280 memcpy(skb_put(skb, size), data, size);
281
282 skb_queue_tail(&session->intr_transmit, skb);
283
284 hidp_schedule(session);
285
286 return 0;
287}
288
289static int hidp_send_report(struct hidp_session *session, struct hid_report *report) 232static int hidp_send_report(struct hidp_session *session, struct hid_report *report)
290{ 233{
291 unsigned char buf[32]; 234 unsigned char buf[32], hdr;
292 int rsize; 235 int rsize;
293 236
294 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0); 237 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0);
@@ -296,8 +239,9 @@ static int hidp_send_report(struct hidp_session *session, struct hid_report *rep
296 return -EIO; 239 return -EIO;
297 240
298 hid_output_report(report, buf); 241 hid_output_report(report, buf);
242 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
299 243
300 return hidp_queue_report(session, buf, rsize); 244 return hidp_send_intr_message(session, hdr, buf, rsize);
301} 245}
302 246
303static int hidp_get_raw_report(struct hid_device *hid, 247static int hidp_get_raw_report(struct hid_device *hid,
@@ -336,17 +280,19 @@ static int hidp_get_raw_report(struct hid_device *hid,
336 session->waiting_report_number = numbered_reports ? report_number : -1; 280 session->waiting_report_number = numbered_reports ? report_number : -1;
337 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 281 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
338 data[0] = report_number; 282 data[0] = report_number;
339 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 1); 283 ret = hidp_send_ctrl_message(session, report_type, data, 1);
340 if (ret) 284 if (ret)
341 goto err; 285 goto err;
342 286
343 /* Wait for the return of the report. The returned report 287 /* Wait for the return of the report. The returned report
344 gets put in session->report_return. */ 288 gets put in session->report_return. */
345 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) { 289 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
290 !atomic_read(&session->terminate)) {
346 int res; 291 int res;
347 292
348 res = wait_event_interruptible_timeout(session->report_queue, 293 res = wait_event_interruptible_timeout(session->report_queue,
349 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags), 294 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
295 || atomic_read(&session->terminate),
350 5*HZ); 296 5*HZ);
351 if (res == 0) { 297 if (res == 0) {
352 /* timeout */ 298 /* timeout */
@@ -389,14 +335,11 @@ static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, s
389 struct hidp_session *session = hid->driver_data; 335 struct hidp_session *session = hid->driver_data;
390 int ret; 336 int ret;
391 337
392 switch (report_type) { 338 if (report_type == HID_OUTPUT_REPORT) {
393 case HID_FEATURE_REPORT: 339 report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
394 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE; 340 return hidp_send_intr_message(session, report_type,
395 break; 341 data, count);
396 case HID_OUTPUT_REPORT: 342 } else if (report_type != HID_FEATURE_REPORT) {
397 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
398 break;
399 default:
400 return -EINVAL; 343 return -EINVAL;
401 } 344 }
402 345
@@ -405,17 +348,19 @@ static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, s
405 348
406 /* Set up our wait, and send the report request to the device. */ 349 /* Set up our wait, and send the report request to the device. */
407 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags); 350 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
408 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 351 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
409 count); 352 ret = hidp_send_ctrl_message(session, report_type, data, count);
410 if (ret) 353 if (ret)
411 goto err; 354 goto err;
412 355
413 /* Wait for the ACK from the device. */ 356 /* Wait for the ACK from the device. */
414 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) { 357 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
358 !atomic_read(&session->terminate)) {
415 int res; 359 int res;
416 360
417 res = wait_event_interruptible_timeout(session->report_queue, 361 res = wait_event_interruptible_timeout(session->report_queue,
418 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags), 362 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
363 || atomic_read(&session->terminate),
419 10*HZ); 364 10*HZ);
420 if (res == 0) { 365 if (res == 0) {
421 /* timeout */ 366 /* timeout */
@@ -446,8 +391,7 @@ static void hidp_idle_timeout(unsigned long arg)
446{ 391{
447 struct hidp_session *session = (struct hidp_session *) arg; 392 struct hidp_session *session = (struct hidp_session *) arg;
448 393
449 atomic_inc(&session->terminate); 394 hidp_session_terminate(session);
450 wake_up_process(session->task);
451} 395}
452 396
453static void hidp_set_timer(struct hidp_session *session) 397static void hidp_set_timer(struct hidp_session *session)
@@ -490,12 +434,12 @@ static void hidp_process_handshake(struct hidp_session *session,
490 case HIDP_HSHK_ERR_FATAL: 434 case HIDP_HSHK_ERR_FATAL:
491 /* Device requests a reboot, as this is the only way this error 435 /* Device requests a reboot, as this is the only way this error
492 * can be recovered. */ 436 * can be recovered. */
493 __hidp_send_ctrl_message(session, 437 hidp_send_ctrl_message(session,
494 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0); 438 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
495 break; 439 break;
496 440
497 default: 441 default:
498 __hidp_send_ctrl_message(session, 442 hidp_send_ctrl_message(session,
499 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 443 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
500 break; 444 break;
501 } 445 }
@@ -515,8 +459,7 @@ static void hidp_process_hid_control(struct hidp_session *session,
515 skb_queue_purge(&session->ctrl_transmit); 459 skb_queue_purge(&session->ctrl_transmit);
516 skb_queue_purge(&session->intr_transmit); 460 skb_queue_purge(&session->intr_transmit);
517 461
518 atomic_inc(&session->terminate); 462 hidp_session_terminate(session);
519 wake_up_process(current);
520 } 463 }
521} 464}
522 465
@@ -544,7 +487,7 @@ static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
544 break; 487 break;
545 488
546 default: 489 default:
547 __hidp_send_ctrl_message(session, 490 hidp_send_ctrl_message(session,
548 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 491 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
549 } 492 }
550 493
@@ -591,7 +534,7 @@ static void hidp_recv_ctrl_frame(struct hidp_session *session,
591 break; 534 break;
592 535
593 default: 536 default:
594 __hidp_send_ctrl_message(session, 537 hidp_send_ctrl_message(session,
595 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0); 538 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
596 break; 539 break;
597 } 540 }
@@ -642,32 +585,24 @@ static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
642 return kernel_sendmsg(sock, &msg, &iv, 1, len); 585 return kernel_sendmsg(sock, &msg, &iv, 1, len);
643} 586}
644 587
645static void hidp_process_intr_transmit(struct hidp_session *session) 588/* dequeue message from @transmit and send via @sock */
589static void hidp_process_transmit(struct hidp_session *session,
590 struct sk_buff_head *transmit,
591 struct socket *sock)
646{ 592{
647 struct sk_buff *skb; 593 struct sk_buff *skb;
594 int ret;
648 595
649 BT_DBG("session %p", session); 596 BT_DBG("session %p", session);
650 597
651 while ((skb = skb_dequeue(&session->intr_transmit))) { 598 while ((skb = skb_dequeue(transmit))) {
652 if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) { 599 ret = hidp_send_frame(sock, skb->data, skb->len);
653 skb_queue_head(&session->intr_transmit, skb); 600 if (ret == -EAGAIN) {
601 skb_queue_head(transmit, skb);
654 break; 602 break;
655 } 603 } else if (ret < 0) {
656 604 hidp_session_terminate(session);
657 hidp_set_timer(session); 605 kfree_skb(skb);
658 kfree_skb(skb);
659 }
660}
661
662static void hidp_process_ctrl_transmit(struct hidp_session *session)
663{
664 struct sk_buff *skb;
665
666 BT_DBG("session %p", session);
667
668 while ((skb = skb_dequeue(&session->ctrl_transmit))) {
669 if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
670 skb_queue_head(&session->ctrl_transmit, skb);
671 break; 606 break;
672 } 607 }
673 608
@@ -676,122 +611,6 @@ static void hidp_process_ctrl_transmit(struct hidp_session *session)
676 } 611 }
677} 612}
678 613
679static int hidp_session(void *arg)
680{
681 struct hidp_session *session = arg;
682 struct sock *ctrl_sk = session->ctrl_sock->sk;
683 struct sock *intr_sk = session->intr_sock->sk;
684 struct sk_buff *skb;
685 wait_queue_t ctrl_wait, intr_wait;
686
687 BT_DBG("session %p", session);
688
689 __module_get(THIS_MODULE);
690 set_user_nice(current, -15);
691
692 init_waitqueue_entry(&ctrl_wait, current);
693 init_waitqueue_entry(&intr_wait, current);
694 add_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
695 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
696 session->waiting_for_startup = 0;
697 wake_up_interruptible(&session->startup_queue);
698 set_current_state(TASK_INTERRUPTIBLE);
699 while (!atomic_read(&session->terminate)) {
700 if (ctrl_sk->sk_state != BT_CONNECTED ||
701 intr_sk->sk_state != BT_CONNECTED)
702 break;
703
704 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
705 skb_orphan(skb);
706 if (!skb_linearize(skb))
707 hidp_recv_intr_frame(session, skb);
708 else
709 kfree_skb(skb);
710 }
711
712 hidp_process_intr_transmit(session);
713
714 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
715 skb_orphan(skb);
716 if (!skb_linearize(skb))
717 hidp_recv_ctrl_frame(session, skb);
718 else
719 kfree_skb(skb);
720 }
721
722 hidp_process_ctrl_transmit(session);
723
724 schedule();
725 set_current_state(TASK_INTERRUPTIBLE);
726 }
727 set_current_state(TASK_RUNNING);
728 atomic_inc(&session->terminate);
729 remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
730 remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
731
732 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
733 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
734 wake_up_interruptible(&session->report_queue);
735
736 down_write(&hidp_session_sem);
737
738 hidp_del_timer(session);
739
740 if (session->input) {
741 input_unregister_device(session->input);
742 session->input = NULL;
743 }
744
745 if (session->hid) {
746 hid_destroy_device(session->hid);
747 session->hid = NULL;
748 }
749
750 /* Wakeup user-space polling for socket errors */
751 session->intr_sock->sk->sk_err = EUNATCH;
752 session->ctrl_sock->sk->sk_err = EUNATCH;
753
754 hidp_schedule(session);
755
756 fput(session->intr_sock->file);
757
758 wait_event_timeout(*(sk_sleep(ctrl_sk)),
759 (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
760
761 fput(session->ctrl_sock->file);
762
763 __hidp_unlink_session(session);
764
765 up_write(&hidp_session_sem);
766
767 kfree(session->rd_data);
768 kfree(session);
769 module_put_and_exit(0);
770 return 0;
771}
772
773static struct hci_conn *hidp_get_connection(struct hidp_session *session)
774{
775 bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
776 bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
777 struct hci_conn *conn;
778 struct hci_dev *hdev;
779
780 hdev = hci_get_route(dst, src);
781 if (!hdev)
782 return NULL;
783
784 hci_dev_lock(hdev);
785 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
786 if (conn)
787 hci_conn_hold_device(conn);
788 hci_dev_unlock(hdev);
789
790 hci_dev_put(hdev);
791
792 return conn;
793}
794
795static int hidp_setup_input(struct hidp_session *session, 614static int hidp_setup_input(struct hidp_session *session,
796 struct hidp_connadd_req *req) 615 struct hidp_connadd_req *req)
797{ 616{
@@ -839,7 +658,7 @@ static int hidp_setup_input(struct hidp_session *session,
839 input->relbit[0] |= BIT_MASK(REL_WHEEL); 658 input->relbit[0] |= BIT_MASK(REL_WHEEL);
840 } 659 }
841 660
842 input->dev.parent = &session->conn->dev; 661 input->dev.parent = &session->conn->hcon->dev;
843 662
844 input->event = hidp_input_event; 663 input->event = hidp_input_event;
845 664
@@ -898,7 +717,6 @@ static struct hid_ll_driver hidp_hid_driver = {
898 .stop = hidp_stop, 717 .stop = hidp_stop,
899 .open = hidp_open, 718 .open = hidp_open,
900 .close = hidp_close, 719 .close = hidp_close,
901 .hidinput_input_event = hidp_hidinput_event,
902}; 720};
903 721
904/* This function sets up the hid device. It does not add it 722/* This function sets up the hid device. It does not add it
@@ -943,7 +761,7 @@ static int hidp_setup_hid(struct hidp_session *session,
943 snprintf(hid->uniq, sizeof(hid->uniq), "%pMR", 761 snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
944 &bt_sk(session->ctrl_sock->sk)->dst); 762 &bt_sk(session->ctrl_sock->sk)->dst);
945 763
946 hid->dev.parent = &session->conn->dev; 764 hid->dev.parent = &session->conn->hcon->dev;
947 hid->ll_driver = &hidp_hid_driver; 765 hid->ll_driver = &hidp_hid_driver;
948 766
949 hid->hid_get_raw_report = hidp_get_raw_report; 767 hid->hid_get_raw_report = hidp_get_raw_report;
@@ -965,80 +783,217 @@ fault:
965 return err; 783 return err;
966} 784}
967 785
968int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock) 786/* initialize session devices */
787static int hidp_session_dev_init(struct hidp_session *session,
788 struct hidp_connadd_req *req)
969{ 789{
970 struct hidp_session *session, *s; 790 int ret;
971 int vendor, product;
972 int err;
973 791
974 BT_DBG(""); 792 if (req->rd_size > 0) {
793 ret = hidp_setup_hid(session, req);
794 if (ret && ret != -ENODEV)
795 return ret;
796 }
975 797
976 if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) || 798 if (!session->hid) {
977 bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst)) 799 ret = hidp_setup_input(session, req);
978 return -ENOTUNIQ; 800 if (ret < 0)
801 return ret;
802 }
979 803
980 BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size); 804 return 0;
805}
981 806
982 down_write(&hidp_session_sem); 807/* destroy session devices */
808static void hidp_session_dev_destroy(struct hidp_session *session)
809{
810 if (session->hid)
811 put_device(&session->hid->dev);
812 else if (session->input)
813 input_put_device(session->input);
983 814
984 s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst); 815 kfree(session->rd_data);
985 if (s && s->state == BT_CONNECTED) { 816 session->rd_data = NULL;
986 up_write(&hidp_session_sem); 817}
987 return -EEXIST;
988 }
989 818
990 session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL); 819/* add HID/input devices to their underlying bus systems */
991 if (!session) { 820static int hidp_session_dev_add(struct hidp_session *session)
992 up_write(&hidp_session_sem); 821{
993 return -ENOMEM; 822 int ret;
994 }
995 823
996 bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst); 824 /* Both HID and input systems drop a ref-count when unregistering the
825 * device but they don't take a ref-count when registering them. Work
826 * around this by explicitly taking a refcount during registration
827 * which is dropped automatically by unregistering the devices. */
997 828
998 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu, 829 if (session->hid) {
999 l2cap_pi(ctrl_sock->sk)->chan->imtu); 830 ret = hid_add_device(session->hid);
1000 session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu, 831 if (ret)
1001 l2cap_pi(intr_sock->sk)->chan->imtu); 832 return ret;
833 get_device(&session->hid->dev);
834 } else if (session->input) {
835 ret = input_register_device(session->input);
836 if (ret)
837 return ret;
838 input_get_device(session->input);
839 }
1002 840
1003 BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu); 841 return 0;
842}
1004 843
1005 session->ctrl_sock = ctrl_sock; 844/* remove HID/input devices from their bus systems */
1006 session->intr_sock = intr_sock; 845static void hidp_session_dev_del(struct hidp_session *session)
1007 session->state = BT_CONNECTED; 846{
847 if (session->hid)
848 hid_destroy_device(session->hid);
849 else if (session->input)
850 input_unregister_device(session->input);
851}
1008 852
1009 session->conn = hidp_get_connection(session); 853/*
1010 if (!session->conn) { 854 * Create new session object
1011 err = -ENOTCONN; 855 * Allocate session object, initialize static fields, copy input data into the
1012 goto failed; 856 * object and take a reference to all sub-objects.
1013 } 857 * This returns 0 on success and puts a pointer to the new session object in
858 * \out. Otherwise, an error code is returned.
859 * The new session object has an initial ref-count of 1.
860 */
861static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
862 struct socket *ctrl_sock,
863 struct socket *intr_sock,
864 struct hidp_connadd_req *req,
865 struct l2cap_conn *conn)
866{
867 struct hidp_session *session;
868 int ret;
869 struct bt_sock *ctrl, *intr;
870
871 ctrl = bt_sk(ctrl_sock->sk);
872 intr = bt_sk(intr_sock->sk);
1014 873
1015 setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session); 874 session = kzalloc(sizeof(*session), GFP_KERNEL);
875 if (!session)
876 return -ENOMEM;
1016 877
878 /* object and runtime management */
879 kref_init(&session->ref);
880 atomic_set(&session->state, HIDP_SESSION_IDLING);
881 init_waitqueue_head(&session->state_queue);
882 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
883
884 /* connection management */
885 bacpy(&session->bdaddr, bdaddr);
886 session->conn = conn;
887 session->user.probe = hidp_session_probe;
888 session->user.remove = hidp_session_remove;
889 session->ctrl_sock = ctrl_sock;
890 session->intr_sock = intr_sock;
1017 skb_queue_head_init(&session->ctrl_transmit); 891 skb_queue_head_init(&session->ctrl_transmit);
1018 skb_queue_head_init(&session->intr_transmit); 892 skb_queue_head_init(&session->intr_transmit);
893 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
894 l2cap_pi(ctrl)->chan->imtu);
895 session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
896 l2cap_pi(intr)->chan->imtu);
897 session->idle_to = req->idle_to;
898
899 /* device management */
900 setup_timer(&session->timer, hidp_idle_timeout,
901 (unsigned long)session);
1019 902
903 /* session data */
1020 mutex_init(&session->report_mutex); 904 mutex_init(&session->report_mutex);
1021 init_waitqueue_head(&session->report_queue); 905 init_waitqueue_head(&session->report_queue);
1022 init_waitqueue_head(&session->startup_queue);
1023 session->waiting_for_startup = 1;
1024 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
1025 session->idle_to = req->idle_to;
1026 906
1027 __hidp_link_session(session); 907 ret = hidp_session_dev_init(session, req);
908 if (ret)
909 goto err_free;
1028 910
1029 if (req->rd_size > 0) { 911 l2cap_conn_get(session->conn);
1030 err = hidp_setup_hid(session, req); 912 get_file(session->intr_sock->file);
1031 if (err && err != -ENODEV) 913 get_file(session->ctrl_sock->file);
1032 goto purge; 914 *out = session;
1033 } 915 return 0;
1034 916
1035 if (!session->hid) { 917err_free:
1036 err = hidp_setup_input(session, req); 918 kfree(session);
1037 if (err < 0) 919 return ret;
1038 goto purge; 920}
921
922/* increase ref-count of the given session by one */
923static void hidp_session_get(struct hidp_session *session)
924{
925 kref_get(&session->ref);
926}
927
928/* release callback */
929static void session_free(struct kref *ref)
930{
931 struct hidp_session *session = container_of(ref, struct hidp_session,
932 ref);
933
934 hidp_session_dev_destroy(session);
935 skb_queue_purge(&session->ctrl_transmit);
936 skb_queue_purge(&session->intr_transmit);
937 fput(session->intr_sock->file);
938 fput(session->ctrl_sock->file);
939 l2cap_conn_put(session->conn);
940 kfree(session);
941}
942
943/* decrease ref-count of the given session by one */
944static void hidp_session_put(struct hidp_session *session)
945{
946 kref_put(&session->ref, session_free);
947}
948
949/*
950 * Search the list of active sessions for a session with target address
951 * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
952 * you do not release this lock, the session objects cannot vanish and you can
953 * safely take a reference to the session yourself.
954 */
955static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
956{
957 struct hidp_session *session;
958
959 list_for_each_entry(session, &hidp_session_list, list) {
960 if (!bacmp(bdaddr, &session->bdaddr))
961 return session;
1039 } 962 }
1040 963
1041 hidp_set_timer(session); 964 return NULL;
965}
966
967/*
968 * Same as __hidp_session_find() but no locks must be held. This also takes a
969 * reference of the returned session (if non-NULL) so you must drop this
970 * reference if you no longer use the object.
971 */
972static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
973{
974 struct hidp_session *session;
975
976 down_read(&hidp_session_sem);
977
978 session = __hidp_session_find(bdaddr);
979 if (session)
980 hidp_session_get(session);
981
982 up_read(&hidp_session_sem);
983
984 return session;
985}
986
987/*
988 * Start session synchronously
989 * This starts a session thread and waits until initialization
990 * is done or returns an error if it couldn't be started.
991 * If this returns 0 the session thread is up and running. You must call
992 * hipd_session_stop_sync() before deleting any runtime resources.
993 */
994static int hidp_session_start_sync(struct hidp_session *session)
995{
996 unsigned int vendor, product;
1042 997
1043 if (session->hid) { 998 if (session->hid) {
1044 vendor = session->hid->vendor; 999 vendor = session->hid->vendor;
@@ -1051,98 +1006,320 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1051 product = 0x0000; 1006 product = 0x0000;
1052 } 1007 }
1053 1008
1054 session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x", 1009 session->task = kthread_run(hidp_session_thread, session,
1055 vendor, product); 1010 "khidpd_%04x%04x", vendor, product);
1056 if (IS_ERR(session->task)) { 1011 if (IS_ERR(session->task))
1057 err = PTR_ERR(session->task); 1012 return PTR_ERR(session->task);
1058 goto unlink;
1059 }
1060 1013
1061 while (session->waiting_for_startup) { 1014 while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
1062 wait_event_interruptible(session->startup_queue, 1015 wait_event(session->state_queue,
1063 !session->waiting_for_startup); 1016 atomic_read(&session->state) > HIDP_SESSION_IDLING);
1064 }
1065 1017
1066 if (session->hid) 1018 return 0;
1067 err = hid_add_device(session->hid); 1019}
1068 else
1069 err = input_register_device(session->input);
1070 1020
1071 if (err < 0) { 1021/*
1072 atomic_inc(&session->terminate); 1022 * Terminate session thread
1073 wake_up_process(session->task); 1023 * Wake up session thread and notify it to stop. This is asynchronous and
1074 up_write(&hidp_session_sem); 1024 * returns immediately. Call this whenever a runtime error occurs and you want
1075 return err; 1025 * the session to stop.
1076 } 1026 * Note: wake_up_process() performs any necessary memory-barriers for us.
1027 */
1028static void hidp_session_terminate(struct hidp_session *session)
1029{
1030 atomic_inc(&session->terminate);
1031 wake_up_process(session->task);
1032}
1077 1033
1078 if (session->input) { 1034/*
1079 hidp_send_ctrl_message(session, 1035 * Probe HIDP session
1080 HIDP_TRANS_SET_PROTOCOL | HIDP_PROTO_BOOT, NULL, 0); 1036 * This is called from the l2cap_conn core when our l2cap_user object is bound
1081 session->flags |= (1 << HIDP_BOOT_PROTOCOL_MODE); 1037 * to the hci-connection. We get the session via the \user object and can now
1038 * start the session thread, register the HID/input devices and link it into
1039 * the global session list.
1040 * The global session-list owns its own reference to the session object so you
1041 * can drop your own reference after registering the l2cap_user object.
1042 */
1043static int hidp_session_probe(struct l2cap_conn *conn,
1044 struct l2cap_user *user)
1045{
1046 struct hidp_session *session = container_of(user,
1047 struct hidp_session,
1048 user);
1049 struct hidp_session *s;
1050 int ret;
1051
1052 down_write(&hidp_session_sem);
1082 1053
1083 session->leds = 0xff; 1054 /* check that no other session for this device exists */
1084 hidp_input_event(session->input, EV_LED, 0, 0); 1055 s = __hidp_session_find(&session->bdaddr);
1056 if (s) {
1057 ret = -EEXIST;
1058 goto out_unlock;
1085 } 1059 }
1086 1060
1061 ret = hidp_session_start_sync(session);
1062 if (ret)
1063 goto out_unlock;
1064
1065 ret = hidp_session_dev_add(session);
1066 if (ret)
1067 goto out_stop;
1068
1069 hidp_session_get(session);
1070 list_add(&session->list, &hidp_session_list);
1071 ret = 0;
1072 goto out_unlock;
1073
1074out_stop:
1075 hidp_session_terminate(session);
1076out_unlock:
1087 up_write(&hidp_session_sem); 1077 up_write(&hidp_session_sem);
1088 return 0; 1078 return ret;
1079}
1080
1081/*
1082 * Remove HIDP session
1083 * Called from the l2cap_conn core when either we explicitly unregistered
1084 * the l2cap_user object or if the underlying connection is shut down.
1085 * We signal the hidp-session thread to shut down, unregister the HID/input
1086 * devices and unlink the session from the global list.
1087 * This drops the reference to the session that is owned by the global
1088 * session-list.
1089 * Note: We _must_ not synchronosly wait for the session-thread to shut down.
1090 * This is, because the session-thread might be waiting for an HCI lock that is
1091 * held while we are called. Therefore, we only unregister the devices and
1092 * notify the session-thread to terminate. The thread itself owns a reference
1093 * to the session object so it can safely shut down.
1094 */
1095static void hidp_session_remove(struct l2cap_conn *conn,
1096 struct l2cap_user *user)
1097{
1098 struct hidp_session *session = container_of(user,
1099 struct hidp_session,
1100 user);
1101
1102 down_write(&hidp_session_sem);
1103
1104 hidp_session_terminate(session);
1105 hidp_session_dev_del(session);
1106 list_del(&session->list);
1107
1108 up_write(&hidp_session_sem);
1109
1110 hidp_session_put(session);
1111}
1112
1113/*
1114 * Session Worker
1115 * This performs the actual main-loop of the HIDP worker. We first check
1116 * whether the underlying connection is still alive, then parse all pending
1117 * messages and finally send all outstanding messages.
1118 */
1119static void hidp_session_run(struct hidp_session *session)
1120{
1121 struct sock *ctrl_sk = session->ctrl_sock->sk;
1122 struct sock *intr_sk = session->intr_sock->sk;
1123 struct sk_buff *skb;
1124
1125 for (;;) {
1126 /*
1127 * This thread can be woken up two ways:
1128 * - You call hidp_session_terminate() which sets the
1129 * session->terminate flag and wakes this thread up.
1130 * - Via modifying the socket state of ctrl/intr_sock. This
1131 * thread is woken up by ->sk_state_changed().
1132 *
1133 * Note: set_current_state() performs any necessary
1134 * memory-barriers for us.
1135 */
1136 set_current_state(TASK_INTERRUPTIBLE);
1137
1138 if (atomic_read(&session->terminate))
1139 break;
1140
1141 if (ctrl_sk->sk_state != BT_CONNECTED ||
1142 intr_sk->sk_state != BT_CONNECTED)
1143 break;
1144
1145 /* parse incoming intr-skbs */
1146 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
1147 skb_orphan(skb);
1148 if (!skb_linearize(skb))
1149 hidp_recv_intr_frame(session, skb);
1150 else
1151 kfree_skb(skb);
1152 }
1153
1154 /* send pending intr-skbs */
1155 hidp_process_transmit(session, &session->intr_transmit,
1156 session->intr_sock);
1089 1157
1090unlink: 1158 /* parse incoming ctrl-skbs */
1159 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
1160 skb_orphan(skb);
1161 if (!skb_linearize(skb))
1162 hidp_recv_ctrl_frame(session, skb);
1163 else
1164 kfree_skb(skb);
1165 }
1166
1167 /* send pending ctrl-skbs */
1168 hidp_process_transmit(session, &session->ctrl_transmit,
1169 session->ctrl_sock);
1170
1171 schedule();
1172 }
1173
1174 atomic_inc(&session->terminate);
1175 set_current_state(TASK_RUNNING);
1176}
1177
1178/*
1179 * HIDP session thread
1180 * This thread runs the I/O for a single HIDP session. Startup is synchronous
1181 * which allows us to take references to ourself here instead of doing that in
1182 * the caller.
1183 * When we are ready to run we notify the caller and call hidp_session_run().
1184 */
1185static int hidp_session_thread(void *arg)
1186{
1187 struct hidp_session *session = arg;
1188 wait_queue_t ctrl_wait, intr_wait;
1189
1190 BT_DBG("session %p", session);
1191
1192 /* initialize runtime environment */
1193 hidp_session_get(session);
1194 __module_get(THIS_MODULE);
1195 set_user_nice(current, -15);
1196 hidp_set_timer(session);
1197
1198 init_waitqueue_entry(&ctrl_wait, current);
1199 init_waitqueue_entry(&intr_wait, current);
1200 add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
1201 add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1202 /* This memory barrier is paired with wq_has_sleeper(). See
1203 * sock_poll_wait() for more information why this is needed. */
1204 smp_mb();
1205
1206 /* notify synchronous startup that we're ready */
1207 atomic_inc(&session->state);
1208 wake_up(&session->state_queue);
1209
1210 /* run session */
1211 hidp_session_run(session);
1212
1213 /* cleanup runtime environment */
1214 remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1215 remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
1216 wake_up_interruptible(&session->report_queue);
1091 hidp_del_timer(session); 1217 hidp_del_timer(session);
1092 1218
1093 if (session->input) { 1219 /*
1094 input_unregister_device(session->input); 1220 * If we stopped ourself due to any internal signal, we should try to
1095 session->input = NULL; 1221 * unregister our own session here to avoid having it linger until the
1222 * parent l2cap_conn dies or user-space cleans it up.
1223 * This does not deadlock as we don't do any synchronous shutdown.
1224 * Instead, this call has the same semantics as if user-space tried to
1225 * delete the session.
1226 */
1227 l2cap_unregister_user(session->conn, &session->user);
1228 hidp_session_put(session);
1229
1230 module_put_and_exit(0);
1231 return 0;
1232}
1233
1234static int hidp_verify_sockets(struct socket *ctrl_sock,
1235 struct socket *intr_sock)
1236{
1237 struct bt_sock *ctrl, *intr;
1238 struct hidp_session *session;
1239
1240 if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
1241 return -EINVAL;
1242
1243 ctrl = bt_sk(ctrl_sock->sk);
1244 intr = bt_sk(intr_sock->sk);
1245
1246 if (bacmp(&ctrl->src, &intr->src) || bacmp(&ctrl->dst, &intr->dst))
1247 return -ENOTUNIQ;
1248 if (ctrl->sk.sk_state != BT_CONNECTED ||
1249 intr->sk.sk_state != BT_CONNECTED)
1250 return -EBADFD;
1251
1252 /* early session check, we check again during session registration */
1253 session = hidp_session_find(&ctrl->dst);
1254 if (session) {
1255 hidp_session_put(session);
1256 return -EEXIST;
1096 } 1257 }
1097 1258
1098 if (session->hid) { 1259 return 0;
1099 hid_destroy_device(session->hid); 1260}
1100 session->hid = NULL; 1261
1262int hidp_connection_add(struct hidp_connadd_req *req,
1263 struct socket *ctrl_sock,
1264 struct socket *intr_sock)
1265{
1266 struct hidp_session *session;
1267 struct l2cap_conn *conn;
1268 struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
1269 int ret;
1270
1271 ret = hidp_verify_sockets(ctrl_sock, intr_sock);
1272 if (ret)
1273 return ret;
1274
1275 conn = NULL;
1276 l2cap_chan_lock(chan);
1277 if (chan->conn) {
1278 l2cap_conn_get(chan->conn);
1279 conn = chan->conn;
1101 } 1280 }
1281 l2cap_chan_unlock(chan);
1102 1282
1103 kfree(session->rd_data); 1283 if (!conn)
1104 session->rd_data = NULL; 1284 return -EBADFD;
1105 1285
1106purge: 1286 ret = hidp_session_new(&session, &bt_sk(ctrl_sock->sk)->dst, ctrl_sock,
1107 __hidp_unlink_session(session); 1287 intr_sock, req, conn);
1288 if (ret)
1289 goto out_conn;
1108 1290
1109 skb_queue_purge(&session->ctrl_transmit); 1291 ret = l2cap_register_user(conn, &session->user);
1110 skb_queue_purge(&session->intr_transmit); 1292 if (ret)
1293 goto out_session;
1111 1294
1112failed: 1295 ret = 0;
1113 up_write(&hidp_session_sem);
1114 1296
1115 kfree(session); 1297out_session:
1116 return err; 1298 hidp_session_put(session);
1299out_conn:
1300 l2cap_conn_put(conn);
1301 return ret;
1117} 1302}
1118 1303
1119int hidp_del_connection(struct hidp_conndel_req *req) 1304int hidp_connection_del(struct hidp_conndel_req *req)
1120{ 1305{
1121 struct hidp_session *session; 1306 struct hidp_session *session;
1122 int err = 0;
1123 1307
1124 BT_DBG(""); 1308 session = hidp_session_find(&req->bdaddr);
1309 if (!session)
1310 return -ENOENT;
1125 1311
1126 down_read(&hidp_session_sem); 1312 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG))
1313 hidp_send_ctrl_message(session,
1314 HIDP_TRANS_HID_CONTROL |
1315 HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
1316 NULL, 0);
1317 else
1318 l2cap_unregister_user(session->conn, &session->user);
1127 1319
1128 session = __hidp_get_session(&req->bdaddr); 1320 hidp_session_put(session);
1129 if (session) {
1130 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) {
1131 hidp_send_ctrl_message(session,
1132 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, NULL, 0);
1133 } else {
1134 /* Flush the transmit queues */
1135 skb_queue_purge(&session->ctrl_transmit);
1136 skb_queue_purge(&session->intr_transmit);
1137
1138 atomic_inc(&session->terminate);
1139 wake_up_process(session->task);
1140 }
1141 } else
1142 err = -ENOENT;
1143 1321
1144 up_read(&hidp_session_sem); 1322 return 0;
1145 return err;
1146} 1323}
1147 1324
1148int hidp_get_connlist(struct hidp_connlist_req *req) 1325int hidp_get_connlist(struct hidp_connlist_req *req)
@@ -1157,7 +1334,7 @@ int hidp_get_connlist(struct hidp_connlist_req *req)
1157 list_for_each_entry(session, &hidp_session_list, list) { 1334 list_for_each_entry(session, &hidp_session_list, list) {
1158 struct hidp_conninfo ci; 1335 struct hidp_conninfo ci;
1159 1336
1160 __hidp_copy_session(session, &ci); 1337 hidp_copy_session(session, &ci);
1161 1338
1162 if (copy_to_user(req->ci, &ci, sizeof(ci))) { 1339 if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1163 err = -EFAULT; 1340 err = -EFAULT;
@@ -1178,18 +1355,14 @@ int hidp_get_connlist(struct hidp_connlist_req *req)
1178int hidp_get_conninfo(struct hidp_conninfo *ci) 1355int hidp_get_conninfo(struct hidp_conninfo *ci)
1179{ 1356{
1180 struct hidp_session *session; 1357 struct hidp_session *session;
1181 int err = 0;
1182
1183 down_read(&hidp_session_sem);
1184 1358
1185 session = __hidp_get_session(&ci->bdaddr); 1359 session = hidp_session_find(&ci->bdaddr);
1186 if (session) 1360 if (session) {
1187 __hidp_copy_session(session, ci); 1361 hidp_copy_session(session, ci);
1188 else 1362 hidp_session_put(session);
1189 err = -ENOENT; 1363 }
1190 1364
1191 up_read(&hidp_session_sem); 1365 return session ? 0 : -ENOENT;
1192 return err;
1193} 1366}
1194 1367
1195static int __init hidp_init(void) 1368static int __init hidp_init(void)
@@ -1208,6 +1381,7 @@ module_init(hidp_init);
1208module_exit(hidp_exit); 1381module_exit(hidp_exit);
1209 1382
1210MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 1383MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1384MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
1211MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION); 1385MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1212MODULE_VERSION(VERSION); 1386MODULE_VERSION(VERSION);
1213MODULE_LICENSE("GPL"); 1387MODULE_LICENSE("GPL");
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index af1bcc823f26..6162ce8606ac 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -24,7 +24,9 @@
24#define __HIDP_H 24#define __HIDP_H
25 25
26#include <linux/types.h> 26#include <linux/types.h>
27#include <linux/kref.h>
27#include <net/bluetooth/bluetooth.h> 28#include <net/bluetooth/bluetooth.h>
29#include <net/bluetooth/l2cap.h>
28 30
29/* HIDP header masks */ 31/* HIDP header masks */
30#define HIDP_HEADER_TRANS_MASK 0xf0 32#define HIDP_HEADER_TRANS_MASK 0xf0
@@ -119,43 +121,52 @@ struct hidp_connlist_req {
119 struct hidp_conninfo __user *ci; 121 struct hidp_conninfo __user *ci;
120}; 122};
121 123
122int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock); 124int hidp_connection_add(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock);
123int hidp_del_connection(struct hidp_conndel_req *req); 125int hidp_connection_del(struct hidp_conndel_req *req);
124int hidp_get_connlist(struct hidp_connlist_req *req); 126int hidp_get_connlist(struct hidp_connlist_req *req);
125int hidp_get_conninfo(struct hidp_conninfo *ci); 127int hidp_get_conninfo(struct hidp_conninfo *ci);
126 128
129enum hidp_session_state {
130 HIDP_SESSION_IDLING,
131 HIDP_SESSION_RUNNING,
132};
133
127/* HIDP session defines */ 134/* HIDP session defines */
128struct hidp_session { 135struct hidp_session {
129 struct list_head list; 136 struct list_head list;
137 struct kref ref;
130 138
131 struct hci_conn *conn; 139 /* runtime management */
140 atomic_t state;
141 wait_queue_head_t state_queue;
142 atomic_t terminate;
143 struct task_struct *task;
144 unsigned long flags;
132 145
146 /* connection management */
147 bdaddr_t bdaddr;
148 struct l2cap_conn *conn;
149 struct l2cap_user user;
133 struct socket *ctrl_sock; 150 struct socket *ctrl_sock;
134 struct socket *intr_sock; 151 struct socket *intr_sock;
135 152 struct sk_buff_head ctrl_transmit;
136 bdaddr_t bdaddr; 153 struct sk_buff_head intr_transmit;
137
138 unsigned long state;
139 unsigned long flags;
140 unsigned long idle_to;
141
142 uint ctrl_mtu; 154 uint ctrl_mtu;
143 uint intr_mtu; 155 uint intr_mtu;
156 unsigned long idle_to;
144 157
145 atomic_t terminate; 158 /* device management */
146 struct task_struct *task;
147
148 unsigned char keys[8];
149 unsigned char leds;
150
151 struct input_dev *input; 159 struct input_dev *input;
152
153 struct hid_device *hid; 160 struct hid_device *hid;
154
155 struct timer_list timer; 161 struct timer_list timer;
156 162
157 struct sk_buff_head ctrl_transmit; 163 /* Report descriptor */
158 struct sk_buff_head intr_transmit; 164 __u8 *rd_data;
165 uint rd_size;
166
167 /* session data */
168 unsigned char keys[8];
169 unsigned char leds;
159 170
160 /* Used in hidp_get_raw_report() */ 171 /* Used in hidp_get_raw_report() */
161 int waiting_report_type; /* HIDP_DATA_RTYPE_* */ 172 int waiting_report_type; /* HIDP_DATA_RTYPE_* */
@@ -166,24 +177,8 @@ struct hidp_session {
166 177
167 /* Used in hidp_output_raw_report() */ 178 /* Used in hidp_output_raw_report() */
168 int output_report_success; /* boolean */ 179 int output_report_success; /* boolean */
169
170 /* Report descriptor */
171 __u8 *rd_data;
172 uint rd_size;
173
174 wait_queue_head_t startup_queue;
175 int waiting_for_startup;
176}; 180};
177 181
178static inline void hidp_schedule(struct hidp_session *session)
179{
180 struct sock *ctrl_sk = session->ctrl_sock->sk;
181 struct sock *intr_sk = session->intr_sock->sk;
182
183 wake_up_interruptible(sk_sleep(ctrl_sk));
184 wake_up_interruptible(sk_sleep(intr_sk));
185}
186
187/* HIDP init defines */ 182/* HIDP init defines */
188extern int __init hidp_init_sockets(void); 183extern int __init hidp_init_sockets(void);
189extern void __exit hidp_cleanup_sockets(void); 184extern void __exit hidp_cleanup_sockets(void);
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 5d0f1ca0a314..2f4cbb0865ca 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -77,21 +77,12 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
77 return err; 77 return err;
78 } 78 }
79 79
80 if (csock->sk->sk_state != BT_CONNECTED || 80 err = hidp_connection_add(&ca, csock, isock);
81 isock->sk->sk_state != BT_CONNECTED) { 81 if (!err && copy_to_user(argp, &ca, sizeof(ca)))
82 sockfd_put(csock); 82 err = -EFAULT;
83 sockfd_put(isock);
84 return -EBADFD;
85 }
86 83
87 err = hidp_add_connection(&ca, csock, isock); 84 sockfd_put(csock);
88 if (!err) { 85 sockfd_put(isock);
89 if (copy_to_user(argp, &ca, sizeof(ca)))
90 err = -EFAULT;
91 } else {
92 sockfd_put(csock);
93 sockfd_put(isock);
94 }
95 86
96 return err; 87 return err;
97 88
@@ -102,7 +93,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
102 if (copy_from_user(&cd, argp, sizeof(cd))) 93 if (copy_from_user(&cd, argp, sizeof(cd)))
103 return -EFAULT; 94 return -EFAULT;
104 95
105 return hidp_del_connection(&cd); 96 return hidp_connection_del(&cd);
106 97
107 case HIDPGETCONNLIST: 98 case HIDPGETCONNLIST:
108 if (copy_from_user(&cl, argp, sizeof(cl))) 99 if (copy_from_user(&cl, argp, sizeof(cl)))
@@ -296,7 +287,6 @@ int __init hidp_init_sockets(void)
296 return 0; 287 return 0;
297 288
298error: 289error:
299 BT_ERR("Can't register HIDP socket");
300 proto_unregister(&hidp_proto); 290 proto_unregister(&hidp_proto);
301 return err; 291 return err;
302} 292}
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7c7e9321f1ea..eae1d9f90b68 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -571,7 +571,7 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
571 chan->conn = NULL; 571 chan->conn = NULL;
572 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP) 573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_put(conn->hcon); 574 hci_conn_drop(conn->hcon);
575 575
576 if (mgr && mgr->bredr_chan == chan) 576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL; 577 mgr->bredr_chan = NULL;
@@ -1446,6 +1446,89 @@ static void l2cap_info_timeout(struct work_struct *work)
1446 l2cap_conn_start(conn); 1446 l2cap_conn_start(conn);
1447} 1447}
1448 1448
1449/*
1450 * l2cap_user
1451 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1452 * callback is called during registration. The ->remove callback is called
1453 * during unregistration.
1454 * An l2cap_user object can either be explicitly unregistered or when the
1455 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1456 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1457 * External modules must own a reference to the l2cap_conn object if they intend
1458 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1459 * any time if they don't.
1460 */
1461
1462int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1463{
1464 struct hci_dev *hdev = conn->hcon->hdev;
1465 int ret;
1466
1467 /* We need to check whether l2cap_conn is registered. If it is not, we
1468 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1469 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1470 * relies on the parent hci_conn object to be locked. This itself relies
1471 * on the hci_dev object to be locked. So we must lock the hci device
1472 * here, too. */
1473
1474 hci_dev_lock(hdev);
1475
1476 if (user->list.next || user->list.prev) {
1477 ret = -EINVAL;
1478 goto out_unlock;
1479 }
1480
1481 /* conn->hchan is NULL after l2cap_conn_del() was called */
1482 if (!conn->hchan) {
1483 ret = -ENODEV;
1484 goto out_unlock;
1485 }
1486
1487 ret = user->probe(conn, user);
1488 if (ret)
1489 goto out_unlock;
1490
1491 list_add(&user->list, &conn->users);
1492 ret = 0;
1493
1494out_unlock:
1495 hci_dev_unlock(hdev);
1496 return ret;
1497}
1498EXPORT_SYMBOL(l2cap_register_user);
1499
1500void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1501{
1502 struct hci_dev *hdev = conn->hcon->hdev;
1503
1504 hci_dev_lock(hdev);
1505
1506 if (!user->list.next || !user->list.prev)
1507 goto out_unlock;
1508
1509 list_del(&user->list);
1510 user->list.next = NULL;
1511 user->list.prev = NULL;
1512 user->remove(conn, user);
1513
1514out_unlock:
1515 hci_dev_unlock(hdev);
1516}
1517EXPORT_SYMBOL(l2cap_unregister_user);
1518
1519static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1520{
1521 struct l2cap_user *user;
1522
1523 while (!list_empty(&conn->users)) {
1524 user = list_first_entry(&conn->users, struct l2cap_user, list);
1525 list_del(&user->list);
1526 user->list.next = NULL;
1527 user->list.prev = NULL;
1528 user->remove(conn, user);
1529 }
1530}
1531
1449static void l2cap_conn_del(struct hci_conn *hcon, int err) 1532static void l2cap_conn_del(struct hci_conn *hcon, int err)
1450{ 1533{
1451 struct l2cap_conn *conn = hcon->l2cap_data; 1534 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -1458,6 +1541,8 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1458 1541
1459 kfree_skb(conn->rx_skb); 1542 kfree_skb(conn->rx_skb);
1460 1543
1544 l2cap_unregister_all_users(conn);
1545
1461 mutex_lock(&conn->chan_lock); 1546 mutex_lock(&conn->chan_lock);
1462 1547
1463 /* Kill channels */ 1548 /* Kill channels */
@@ -1486,7 +1571,8 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1486 } 1571 }
1487 1572
1488 hcon->l2cap_data = NULL; 1573 hcon->l2cap_data = NULL;
1489 kfree(conn); 1574 conn->hchan = NULL;
1575 l2cap_conn_put(conn);
1490} 1576}
1491 1577
1492static void security_timeout(struct work_struct *work) 1578static void security_timeout(struct work_struct *work)
@@ -1502,12 +1588,12 @@ static void security_timeout(struct work_struct *work)
1502 } 1588 }
1503} 1589}
1504 1590
1505static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status) 1591static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1506{ 1592{
1507 struct l2cap_conn *conn = hcon->l2cap_data; 1593 struct l2cap_conn *conn = hcon->l2cap_data;
1508 struct hci_chan *hchan; 1594 struct hci_chan *hchan;
1509 1595
1510 if (conn || status) 1596 if (conn)
1511 return conn; 1597 return conn;
1512 1598
1513 hchan = hci_chan_create(hcon); 1599 hchan = hci_chan_create(hcon);
@@ -1520,8 +1606,10 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1520 return NULL; 1606 return NULL;
1521 } 1607 }
1522 1608
1609 kref_init(&conn->ref);
1523 hcon->l2cap_data = conn; 1610 hcon->l2cap_data = conn;
1524 conn->hcon = hcon; 1611 conn->hcon = hcon;
1612 hci_conn_get(conn->hcon);
1525 conn->hchan = hchan; 1613 conn->hchan = hchan;
1526 1614
1527 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan); 1615 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
@@ -1547,6 +1635,7 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1547 mutex_init(&conn->chan_lock); 1635 mutex_init(&conn->chan_lock);
1548 1636
1549 INIT_LIST_HEAD(&conn->chan_l); 1637 INIT_LIST_HEAD(&conn->chan_l);
1638 INIT_LIST_HEAD(&conn->users);
1550 1639
1551 if (hcon->type == LE_LINK) 1640 if (hcon->type == LE_LINK)
1552 INIT_DELAYED_WORK(&conn->security_timer, security_timeout); 1641 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
@@ -1558,6 +1647,26 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1558 return conn; 1647 return conn;
1559} 1648}
1560 1649
1650static void l2cap_conn_free(struct kref *ref)
1651{
1652 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1653
1654 hci_conn_put(conn->hcon);
1655 kfree(conn);
1656}
1657
1658void l2cap_conn_get(struct l2cap_conn *conn)
1659{
1660 kref_get(&conn->ref);
1661}
1662EXPORT_SYMBOL(l2cap_conn_get);
1663
1664void l2cap_conn_put(struct l2cap_conn *conn)
1665{
1666 kref_put(&conn->ref, l2cap_conn_free);
1667}
1668EXPORT_SYMBOL(l2cap_conn_put);
1669
1561/* ---- Socket interface ---- */ 1670/* ---- Socket interface ---- */
1562 1671
1563/* Find socket with psm and source / destination bdaddr. 1672/* Find socket with psm and source / destination bdaddr.
@@ -1695,9 +1804,9 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1695 goto done; 1804 goto done;
1696 } 1805 }
1697 1806
1698 conn = l2cap_conn_add(hcon, 0); 1807 conn = l2cap_conn_add(hcon);
1699 if (!conn) { 1808 if (!conn) {
1700 hci_conn_put(hcon); 1809 hci_conn_drop(hcon);
1701 err = -ENOMEM; 1810 err = -ENOMEM;
1702 goto done; 1811 goto done;
1703 } 1812 }
@@ -1707,7 +1816,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1707 1816
1708 if (!list_empty(&conn->chan_l)) { 1817 if (!list_empty(&conn->chan_l)) {
1709 err = -EBUSY; 1818 err = -EBUSY;
1710 hci_conn_put(hcon); 1819 hci_conn_drop(hcon);
1711 } 1820 }
1712 1821
1713 if (err) 1822 if (err)
@@ -6313,7 +6422,7 @@ void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
6313 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 6422 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
6314 6423
6315 if (!status) { 6424 if (!status) {
6316 conn = l2cap_conn_add(hcon, status); 6425 conn = l2cap_conn_add(hcon);
6317 if (conn) 6426 if (conn)
6318 l2cap_conn_ready(conn); 6427 l2cap_conn_ready(conn);
6319 } else { 6428 } else {
@@ -6482,7 +6591,7 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
6482 goto drop; 6591 goto drop;
6483 6592
6484 if (!conn) 6593 if (!conn)
6485 conn = l2cap_conn_add(hcon, 0); 6594 conn = l2cap_conn_add(hcon);
6486 6595
6487 if (!conn) 6596 if (!conn)
6488 goto drop; 6597 goto drop;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 7f9704993b74..141e7b058b7e 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -43,6 +43,12 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent);
43static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 43static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
44 int proto, gfp_t prio); 44 int proto, gfp_t prio);
45 45
46bool l2cap_is_socket(struct socket *sock)
47{
48 return sock && sock->ops == &l2cap_sock_ops;
49}
50EXPORT_SYMBOL(l2cap_is_socket);
51
46static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 52static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
47{ 53{
48 struct sock *sk = sock->sk; 54 struct sock *sk = sock->sk;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 03e7e732215f..4c830c62ef74 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -106,11 +106,10 @@ static const u16 mgmt_events[] = {
106 * These LE scan and inquiry parameters were chosen according to LE General 106 * These LE scan and inquiry parameters were chosen according to LE General
107 * Discovery Procedure specification. 107 * Discovery Procedure specification.
108 */ 108 */
109#define LE_SCAN_TYPE 0x01
110#define LE_SCAN_WIN 0x12 109#define LE_SCAN_WIN 0x12
111#define LE_SCAN_INT 0x12 110#define LE_SCAN_INT 0x12
112#define LE_SCAN_TIMEOUT_LE_ONLY 10240 /* TGAP(gen_disc_scan_min) */ 111#define LE_SCAN_TIMEOUT_LE_ONLY msecs_to_jiffies(10240)
113#define LE_SCAN_TIMEOUT_BREDR_LE 5120 /* TGAP(100)/2 */ 112#define LE_SCAN_TIMEOUT_BREDR_LE msecs_to_jiffies(5120)
114 113
115#define INQUIRY_LEN_BREDR 0x08 /* TGAP(100) */ 114#define INQUIRY_LEN_BREDR 0x08 /* TGAP(100) */
116#define INQUIRY_LEN_BREDR_LE 0x04 /* TGAP(100)/2 */ 115#define INQUIRY_LEN_BREDR_LE 0x04 /* TGAP(100)/2 */
@@ -2131,7 +2130,7 @@ static void pairing_complete(struct pending_cmd *cmd, u8 status)
2131 conn->security_cfm_cb = NULL; 2130 conn->security_cfm_cb = NULL;
2132 conn->disconn_cfm_cb = NULL; 2131 conn->disconn_cfm_cb = NULL;
2133 2132
2134 hci_conn_put(conn); 2133 hci_conn_drop(conn);
2135 2134
2136 mgmt_pending_remove(cmd); 2135 mgmt_pending_remove(cmd);
2137} 2136}
@@ -2222,7 +2221,7 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2222 } 2221 }
2223 2222
2224 if (conn->connect_cfm_cb) { 2223 if (conn->connect_cfm_cb) {
2225 hci_conn_put(conn); 2224 hci_conn_drop(conn);
2226 err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE, 2225 err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2227 MGMT_STATUS_BUSY, &rp, sizeof(rp)); 2226 MGMT_STATUS_BUSY, &rp, sizeof(rp));
2228 goto unlock; 2227 goto unlock;
@@ -2231,7 +2230,7 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2231 cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len); 2230 cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2232 if (!cmd) { 2231 if (!cmd) {
2233 err = -ENOMEM; 2232 err = -ENOMEM;
2234 hci_conn_put(conn); 2233 hci_conn_drop(conn);
2235 goto unlock; 2234 goto unlock;
2236 } 2235 }
2237 2236
@@ -2703,7 +2702,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
2703 goto failed; 2702 goto failed;
2704 } 2703 }
2705 2704
2706 err = hci_le_scan(hdev, LE_SCAN_TYPE, LE_SCAN_INT, 2705 err = hci_le_scan(hdev, LE_SCAN_ACTIVE, LE_SCAN_INT,
2707 LE_SCAN_WIN, LE_SCAN_TIMEOUT_LE_ONLY); 2706 LE_SCAN_WIN, LE_SCAN_TIMEOUT_LE_ONLY);
2708 break; 2707 break;
2709 2708
@@ -2715,8 +2714,8 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
2715 goto failed; 2714 goto failed;
2716 } 2715 }
2717 2716
2718 err = hci_le_scan(hdev, LE_SCAN_TYPE, LE_SCAN_INT, LE_SCAN_WIN, 2717 err = hci_le_scan(hdev, LE_SCAN_ACTIVE, LE_SCAN_INT,
2719 LE_SCAN_TIMEOUT_BREDR_LE); 2718 LE_SCAN_WIN, LE_SCAN_TIMEOUT_BREDR_LE);
2720 break; 2719 break;
2721 2720
2722 default: 2721 default:
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index d919d1161ab4..9e62102443dc 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -83,7 +83,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
83 if (conn) 83 if (conn)
84 return conn; 84 return conn;
85 85
86 conn = kzalloc(sizeof(struct sco_conn), GFP_ATOMIC); 86 conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL);
87 if (!conn) 87 if (!conn)
88 return NULL; 88 return NULL;
89 89
@@ -185,7 +185,7 @@ static int sco_connect(struct sock *sk)
185 185
186 conn = sco_conn_add(hcon); 186 conn = sco_conn_add(hcon);
187 if (!conn) { 187 if (!conn) {
188 hci_conn_put(hcon); 188 hci_conn_drop(hcon);
189 err = -ENOMEM; 189 err = -ENOMEM;
190 goto done; 190 goto done;
191 } 191 }
@@ -353,7 +353,7 @@ static void __sco_sock_close(struct sock *sk)
353 if (sco_pi(sk)->conn->hcon) { 353 if (sco_pi(sk)->conn->hcon) {
354 sk->sk_state = BT_DISCONN; 354 sk->sk_state = BT_DISCONN;
355 sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); 355 sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
356 hci_conn_put(sco_pi(sk)->conn->hcon); 356 hci_conn_drop(sco_pi(sk)->conn->hcon);
357 sco_pi(sk)->conn->hcon = NULL; 357 sco_pi(sk)->conn->hcon = NULL;
358 } else 358 } else
359 sco_chan_del(sk, ECONNRESET); 359 sco_chan_del(sk, ECONNRESET);
@@ -481,8 +481,7 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
481{ 481{
482 struct sockaddr_sco *sa = (struct sockaddr_sco *) addr; 482 struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
483 struct sock *sk = sock->sk; 483 struct sock *sk = sock->sk;
484 int err = 0; 484 int err;
485
486 485
487 BT_DBG("sk %p", sk); 486 BT_DBG("sk %p", sk);
488 487
@@ -653,6 +652,42 @@ static int sco_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
653 return err; 652 return err;
654} 653}
655 654
655static void sco_conn_defer_accept(struct hci_conn *conn, int mask)
656{
657 struct hci_dev *hdev = conn->hdev;
658
659 BT_DBG("conn %p", conn);
660
661 conn->state = BT_CONFIG;
662
663 if (!lmp_esco_capable(hdev)) {
664 struct hci_cp_accept_conn_req cp;
665
666 bacpy(&cp.bdaddr, &conn->dst);
667
668 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
669 cp.role = 0x00; /* Become master */
670 else
671 cp.role = 0x01; /* Remain slave */
672
673 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
674 } else {
675 struct hci_cp_accept_sync_conn_req cp;
676
677 bacpy(&cp.bdaddr, &conn->dst);
678 cp.pkt_type = cpu_to_le16(conn->pkt_type);
679
680 cp.tx_bandwidth = __constant_cpu_to_le32(0x00001f40);
681 cp.rx_bandwidth = __constant_cpu_to_le32(0x00001f40);
682 cp.max_latency = __constant_cpu_to_le16(0xffff);
683 cp.content_format = cpu_to_le16(hdev->voice_setting);
684 cp.retrans_effort = 0xff;
685
686 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
687 sizeof(cp), &cp);
688 }
689}
690
656static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 691static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
657 struct msghdr *msg, size_t len, int flags) 692 struct msghdr *msg, size_t len, int flags)
658{ 693{
@@ -663,7 +698,7 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
663 698
664 if (sk->sk_state == BT_CONNECT2 && 699 if (sk->sk_state == BT_CONNECT2 &&
665 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 700 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
666 hci_conn_accept(pi->conn->hcon, 0); 701 sco_conn_defer_accept(pi->conn->hcon, 0);
667 sk->sk_state = BT_CONFIG; 702 sk->sk_state = BT_CONFIG;
668 703
669 release_sock(sk); 704 release_sock(sk);
@@ -882,7 +917,7 @@ static void sco_chan_del(struct sock *sk, int err)
882 sco_conn_unlock(conn); 917 sco_conn_unlock(conn);
883 918
884 if (conn->hcon) 919 if (conn->hcon)
885 hci_conn_put(conn->hcon); 920 hci_conn_drop(conn->hcon);
886 } 921 }
887 922
888 sk->sk_state = BT_CLOSED; 923 sk->sk_state = BT_CLOSED;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 5abefb12891d..b2296d3857a0 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -522,7 +522,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
522 kfree(smp); 522 kfree(smp);
523 conn->smp_chan = NULL; 523 conn->smp_chan = NULL;
524 conn->hcon->smp_conn = NULL; 524 conn->hcon->smp_conn = NULL;
525 hci_conn_put(conn->hcon); 525 hci_conn_drop(conn->hcon);
526} 526}
527 527
528int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 528int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
diff --git a/net/nfc/core.c b/net/nfc/core.c
index 6ceee8e181ca..40d2527693da 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -27,6 +27,7 @@
27#include <linux/kernel.h> 27#include <linux/kernel.h>
28#include <linux/module.h> 28#include <linux/module.h>
29#include <linux/slab.h> 29#include <linux/slab.h>
30#include <linux/rfkill.h>
30#include <linux/nfc.h> 31#include <linux/nfc.h>
31 32
32#include <net/genetlink.h> 33#include <net/genetlink.h>
@@ -58,6 +59,11 @@ int nfc_dev_up(struct nfc_dev *dev)
58 59
59 device_lock(&dev->dev); 60 device_lock(&dev->dev);
60 61
62 if (dev->rfkill && rfkill_blocked(dev->rfkill)) {
63 rc = -ERFKILL;
64 goto error;
65 }
66
61 if (!device_is_registered(&dev->dev)) { 67 if (!device_is_registered(&dev->dev)) {
62 rc = -ENODEV; 68 rc = -ENODEV;
63 goto error; 69 goto error;
@@ -117,6 +123,24 @@ error:
117 return rc; 123 return rc;
118} 124}
119 125
126static int nfc_rfkill_set_block(void *data, bool blocked)
127{
128 struct nfc_dev *dev = data;
129
130 pr_debug("%s blocked %d", dev_name(&dev->dev), blocked);
131
132 if (!blocked)
133 return 0;
134
135 nfc_dev_down(dev);
136
137 return 0;
138}
139
140static const struct rfkill_ops nfc_rfkill_ops = {
141 .set_block = nfc_rfkill_set_block,
142};
143
120/** 144/**
121 * nfc_start_poll - start polling for nfc targets 145 * nfc_start_poll - start polling for nfc targets
122 * 146 *
@@ -143,6 +167,11 @@ int nfc_start_poll(struct nfc_dev *dev, u32 im_protocols, u32 tm_protocols)
143 goto error; 167 goto error;
144 } 168 }
145 169
170 if (!dev->dev_up) {
171 rc = -ENODEV;
172 goto error;
173 }
174
146 if (dev->polling) { 175 if (dev->polling) {
147 rc = -EBUSY; 176 rc = -EBUSY;
148 goto error; 177 goto error;
@@ -835,6 +864,15 @@ int nfc_register_device(struct nfc_dev *dev)
835 pr_debug("The userspace won't be notified that the device %s was added\n", 864 pr_debug("The userspace won't be notified that the device %s was added\n",
836 dev_name(&dev->dev)); 865 dev_name(&dev->dev));
837 866
867 dev->rfkill = rfkill_alloc(dev_name(&dev->dev), &dev->dev,
868 RFKILL_TYPE_NFC, &nfc_rfkill_ops, dev);
869 if (dev->rfkill) {
870 if (rfkill_register(dev->rfkill) < 0) {
871 rfkill_destroy(dev->rfkill);
872 dev->rfkill = NULL;
873 }
874 }
875
838 return 0; 876 return 0;
839} 877}
840EXPORT_SYMBOL(nfc_register_device); 878EXPORT_SYMBOL(nfc_register_device);
@@ -852,6 +890,11 @@ void nfc_unregister_device(struct nfc_dev *dev)
852 890
853 id = dev->idx; 891 id = dev->idx;
854 892
893 if (dev->rfkill) {
894 rfkill_unregister(dev->rfkill);
895 rfkill_destroy(dev->rfkill);
896 }
897
855 if (dev->ops->check_presence) { 898 if (dev->ops->check_presence) {
856 device_lock(&dev->dev); 899 device_lock(&dev->dev);
857 dev->shutting_down = true; 900 dev->shutting_down = true;
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
index b75a9b3f9e89..094f7e27e910 100644
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -420,7 +420,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
420 } 420 }
421 421
422 /* If the socket parameters are not set, use the local ones */ 422 /* If the socket parameters are not set, use the local ones */
423 miux = sock->miux > LLCP_MAX_MIUX ? local->miux : sock->miux; 423 miux = be16_to_cpu(sock->miux) > LLCP_MAX_MIUX ?
424 local->miux : sock->miux;
424 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw; 425 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw;
425 426
426 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, 427 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
@@ -475,7 +476,8 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
475 return -ENODEV; 476 return -ENODEV;
476 477
477 /* If the socket parameters are not set, use the local ones */ 478 /* If the socket parameters are not set, use the local ones */
478 miux = sock->miux > LLCP_MAX_MIUX ? local->miux : sock->miux; 479 miux = be16_to_cpu(sock->miux) > LLCP_MAX_MIUX ?
480 local->miux : sock->miux;
479 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw; 481 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw;
480 482
481 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, 483 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
@@ -656,6 +658,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
656 struct nfc_llcp_local *local; 658 struct nfc_llcp_local *local;
657 size_t frag_len = 0, remaining_len; 659 size_t frag_len = 0, remaining_len;
658 u8 *msg_data, *msg_ptr; 660 u8 *msg_data, *msg_ptr;
661 u16 remote_miu;
659 662
660 pr_debug("Send I frame len %zd\n", len); 663 pr_debug("Send I frame len %zd\n", len);
661 664
@@ -692,9 +695,11 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
692 remaining_len = len; 695 remaining_len = len;
693 msg_ptr = msg_data; 696 msg_ptr = msg_data;
694 697
695 while (remaining_len > 0) { 698 do {
699 remote_miu = sock->remote_miu > LLCP_MAX_MIU ?
700 local->remote_miu : sock->remote_miu;
696 701
697 frag_len = min_t(size_t, sock->remote_miu, remaining_len); 702 frag_len = min_t(size_t, remote_miu, remaining_len);
698 703
699 pr_debug("Fragment %zd bytes remaining %zd", 704 pr_debug("Fragment %zd bytes remaining %zd",
700 frag_len, remaining_len); 705 frag_len, remaining_len);
@@ -706,7 +711,8 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
706 711
707 skb_put(pdu, LLCP_SEQUENCE_SIZE); 712 skb_put(pdu, LLCP_SEQUENCE_SIZE);
708 713
709 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len); 714 if (likely(frag_len > 0))
715 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len);
710 716
711 skb_queue_tail(&sock->tx_queue, pdu); 717 skb_queue_tail(&sock->tx_queue, pdu);
712 718
@@ -718,7 +724,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
718 724
719 remaining_len -= frag_len; 725 remaining_len -= frag_len;
720 msg_ptr += frag_len; 726 msg_ptr += frag_len;
721 } 727 } while (remaining_len > 0);
722 728
723 kfree(msg_data); 729 kfree(msg_data);
724 730
@@ -732,6 +738,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
732 struct nfc_llcp_local *local; 738 struct nfc_llcp_local *local;
733 size_t frag_len = 0, remaining_len; 739 size_t frag_len = 0, remaining_len;
734 u8 *msg_ptr, *msg_data; 740 u8 *msg_ptr, *msg_data;
741 u16 remote_miu;
735 int err; 742 int err;
736 743
737 pr_debug("Send UI frame len %zd\n", len); 744 pr_debug("Send UI frame len %zd\n", len);
@@ -752,9 +759,11 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
752 remaining_len = len; 759 remaining_len = len;
753 msg_ptr = msg_data; 760 msg_ptr = msg_data;
754 761
755 while (remaining_len > 0) { 762 do {
763 remote_miu = sock->remote_miu > LLCP_MAX_MIU ?
764 local->remote_miu : sock->remote_miu;
756 765
757 frag_len = min_t(size_t, sock->remote_miu, remaining_len); 766 frag_len = min_t(size_t, remote_miu, remaining_len);
758 767
759 pr_debug("Fragment %zd bytes remaining %zd", 768 pr_debug("Fragment %zd bytes remaining %zd",
760 frag_len, remaining_len); 769 frag_len, remaining_len);
@@ -768,14 +777,15 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
768 777
769 pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI); 778 pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI);
770 779
771 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len); 780 if (likely(frag_len > 0))
781 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len);
772 782
773 /* No need to check for the peer RW for UI frames */ 783 /* No need to check for the peer RW for UI frames */
774 skb_queue_tail(&local->tx_queue, pdu); 784 skb_queue_tail(&local->tx_queue, pdu);
775 785
776 remaining_len -= frag_len; 786 remaining_len -= frag_len;
777 msg_ptr += frag_len; 787 msg_ptr += frag_len;
778 } 788 } while (remaining_len > 0);
779 789
780 kfree(msg_data); 790 kfree(msg_data);
781 791
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 7de0368aff0c..9e483c8e52f8 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -31,6 +31,8 @@ static u8 llcp_magic[3] = {0x46, 0x66, 0x6d};
31 31
32static struct list_head llcp_devices; 32static struct list_head llcp_devices;
33 33
34static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb);
35
34void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk) 36void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk)
35{ 37{
36 write_lock(&l->lock); 38 write_lock(&l->lock);
@@ -45,6 +47,12 @@ void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *sk)
45 write_unlock(&l->lock); 47 write_unlock(&l->lock);
46} 48}
47 49
50void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock)
51{
52 sock->remote_rw = LLCP_DEFAULT_RW;
53 sock->remote_miu = LLCP_MAX_MIU + 1;
54}
55
48static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock) 56static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
49{ 57{
50 struct nfc_llcp_local *local = sock->local; 58 struct nfc_llcp_local *local = sock->local;
@@ -68,7 +76,7 @@ static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
68 } 76 }
69} 77}
70 78
71static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen, 79static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
72 int err) 80 int err)
73{ 81{
74 struct sock *sk; 82 struct sock *sk;
@@ -108,21 +116,6 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
108 116
109 bh_unlock_sock(accept_sk); 117 bh_unlock_sock(accept_sk);
110 } 118 }
111
112 if (listen == true) {
113 bh_unlock_sock(sk);
114 continue;
115 }
116 }
117
118 /*
119 * If we have a connection less socket bound, we keep it alive
120 * if the device is still present.
121 */
122 if (sk->sk_state == LLCP_BOUND && sk->sk_type == SOCK_DGRAM &&
123 listen == true) {
124 bh_unlock_sock(sk);
125 continue;
126 } 119 }
127 120
128 if (err) 121 if (err)
@@ -137,11 +130,8 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
137 130
138 write_unlock(&local->sockets.lock); 131 write_unlock(&local->sockets.lock);
139 132
140 /* 133 /* If we still have a device, we keep the RAW sockets alive */
141 * If we want to keep the listening sockets alive, 134 if (device == true)
142 * we don't touch the RAW ones.
143 */
144 if (listen == true)
145 return; 135 return;
146 136
147 write_lock(&local->raw_sockets.lock); 137 write_lock(&local->raw_sockets.lock);
@@ -173,9 +163,9 @@ struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
173 return local; 163 return local;
174} 164}
175 165
176static void local_cleanup(struct nfc_llcp_local *local, bool listen) 166static void local_cleanup(struct nfc_llcp_local *local)
177{ 167{
178 nfc_llcp_socket_release(local, listen, ENXIO); 168 nfc_llcp_socket_release(local, false, ENXIO);
179 del_timer_sync(&local->link_timer); 169 del_timer_sync(&local->link_timer);
180 skb_queue_purge(&local->tx_queue); 170 skb_queue_purge(&local->tx_queue);
181 cancel_work_sync(&local->tx_work); 171 cancel_work_sync(&local->tx_work);
@@ -194,7 +184,7 @@ static void local_release(struct kref *ref)
194 local = container_of(ref, struct nfc_llcp_local, ref); 184 local = container_of(ref, struct nfc_llcp_local, ref);
195 185
196 list_del(&local->list); 186 list_del(&local->list);
197 local_cleanup(local, false); 187 local_cleanup(local);
198 kfree(local); 188 kfree(local);
199} 189}
200 190
@@ -1116,6 +1106,12 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
1116 dsap = nfc_llcp_dsap(skb); 1106 dsap = nfc_llcp_dsap(skb);
1117 ssap = nfc_llcp_ssap(skb); 1107 ssap = nfc_llcp_ssap(skb);
1118 1108
1109 if ((dsap == 0) && (ssap == 0)) {
1110 pr_debug("Connection termination");
1111 nfc_dep_link_down(local->dev);
1112 return;
1113 }
1114
1119 llcp_sock = nfc_llcp_sock_get(local, dsap, ssap); 1115 llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1120 if (llcp_sock == NULL) { 1116 if (llcp_sock == NULL) {
1121 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN); 1117 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
@@ -1349,19 +1345,54 @@ exit:
1349 nfc_llcp_send_snl_sdres(local, &llc_sdres_list, sdres_tlvs_len); 1345 nfc_llcp_send_snl_sdres(local, &llc_sdres_list, sdres_tlvs_len);
1350} 1346}
1351 1347
1352static void nfc_llcp_rx_work(struct work_struct *work) 1348static void nfc_llcp_recv_agf(struct nfc_llcp_local *local, struct sk_buff *skb)
1353{ 1349{
1354 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local, 1350 u8 ptype;
1355 rx_work); 1351 u16 pdu_len;
1356 u8 dsap, ssap, ptype; 1352 struct sk_buff *new_skb;
1357 struct sk_buff *skb;
1358 1353
1359 skb = local->rx_pending; 1354 if (skb->len <= LLCP_HEADER_SIZE) {
1360 if (skb == NULL) { 1355 pr_err("Malformed AGF PDU\n");
1361 pr_debug("No pending SKB\n");
1362 return; 1356 return;
1363 } 1357 }
1364 1358
1359 skb_pull(skb, LLCP_HEADER_SIZE);
1360
1361 while (skb->len > LLCP_AGF_PDU_HEADER_SIZE) {
1362 pdu_len = skb->data[0] << 8 | skb->data[1];
1363
1364 skb_pull(skb, LLCP_AGF_PDU_HEADER_SIZE);
1365
1366 if (pdu_len < LLCP_HEADER_SIZE || pdu_len > skb->len) {
1367 pr_err("Malformed AGF PDU\n");
1368 return;
1369 }
1370
1371 ptype = nfc_llcp_ptype(skb);
1372
1373 if (ptype == LLCP_PDU_SYMM || ptype == LLCP_PDU_AGF)
1374 goto next;
1375
1376 new_skb = nfc_alloc_recv_skb(pdu_len, GFP_KERNEL);
1377 if (new_skb == NULL) {
1378 pr_err("Could not allocate PDU\n");
1379 return;
1380 }
1381
1382 memcpy(skb_put(new_skb, pdu_len), skb->data, pdu_len);
1383
1384 nfc_llcp_rx_skb(local, new_skb);
1385
1386 kfree_skb(new_skb);
1387next:
1388 skb_pull(skb, pdu_len);
1389 }
1390}
1391
1392static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb)
1393{
1394 u8 dsap, ssap, ptype;
1395
1365 ptype = nfc_llcp_ptype(skb); 1396 ptype = nfc_llcp_ptype(skb);
1366 dsap = nfc_llcp_dsap(skb); 1397 dsap = nfc_llcp_dsap(skb);
1367 ssap = nfc_llcp_ssap(skb); 1398 ssap = nfc_llcp_ssap(skb);
@@ -1372,10 +1403,6 @@ static void nfc_llcp_rx_work(struct work_struct *work)
1372 print_hex_dump(KERN_DEBUG, "LLCP Rx: ", DUMP_PREFIX_OFFSET, 1403 print_hex_dump(KERN_DEBUG, "LLCP Rx: ", DUMP_PREFIX_OFFSET,
1373 16, 1, skb->data, skb->len, true); 1404 16, 1, skb->data, skb->len, true);
1374 1405
1375 __net_timestamp(skb);
1376
1377 nfc_llcp_send_to_raw_sock(local, skb, NFC_LLCP_DIRECTION_RX);
1378
1379 switch (ptype) { 1406 switch (ptype) {
1380 case LLCP_PDU_SYMM: 1407 case LLCP_PDU_SYMM:
1381 pr_debug("SYMM\n"); 1408 pr_debug("SYMM\n");
@@ -1418,7 +1445,30 @@ static void nfc_llcp_rx_work(struct work_struct *work)
1418 nfc_llcp_recv_hdlc(local, skb); 1445 nfc_llcp_recv_hdlc(local, skb);
1419 break; 1446 break;
1420 1447
1448 case LLCP_PDU_AGF:
1449 pr_debug("AGF frame\n");
1450 nfc_llcp_recv_agf(local, skb);
1451 break;
1421 } 1452 }
1453}
1454
1455static void nfc_llcp_rx_work(struct work_struct *work)
1456{
1457 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
1458 rx_work);
1459 struct sk_buff *skb;
1460
1461 skb = local->rx_pending;
1462 if (skb == NULL) {
1463 pr_debug("No pending SKB\n");
1464 return;
1465 }
1466
1467 __net_timestamp(skb);
1468
1469 nfc_llcp_send_to_raw_sock(local, skb, NFC_LLCP_DIRECTION_RX);
1470
1471 nfc_llcp_rx_skb(local, skb);
1422 1472
1423 schedule_work(&local->tx_work); 1473 schedule_work(&local->tx_work);
1424 kfree_skb(local->rx_pending); 1474 kfree_skb(local->rx_pending);
@@ -1466,6 +1516,9 @@ void nfc_llcp_mac_is_down(struct nfc_dev *dev)
1466 if (local == NULL) 1516 if (local == NULL)
1467 return; 1517 return;
1468 1518
1519 local->remote_miu = LLCP_DEFAULT_MIU;
1520 local->remote_lto = LLCP_DEFAULT_LTO;
1521
1469 /* Close and purge all existing sockets */ 1522 /* Close and purge all existing sockets */
1470 nfc_llcp_socket_release(local, true, 0); 1523 nfc_llcp_socket_release(local, true, 0);
1471} 1524}
@@ -1553,7 +1606,7 @@ void nfc_llcp_unregister_device(struct nfc_dev *dev)
1553 return; 1606 return;
1554 } 1607 }
1555 1608
1556 local_cleanup(local, false); 1609 local_cleanup(local);
1557 1610
1558 nfc_llcp_local_put(local); 1611 nfc_llcp_local_put(local);
1559} 1612}
diff --git a/net/nfc/llcp/llcp.h b/net/nfc/llcp/llcp.h
index 7e87a66b02ec..ff8c434f7df8 100644
--- a/net/nfc/llcp/llcp.h
+++ b/net/nfc/llcp/llcp.h
@@ -31,6 +31,7 @@ enum llcp_state {
31#define LLCP_MAX_LTO 0xff 31#define LLCP_MAX_LTO 0xff
32#define LLCP_MAX_RW 15 32#define LLCP_MAX_RW 15
33#define LLCP_MAX_MIUX 0x7ff 33#define LLCP_MAX_MIUX 0x7ff
34#define LLCP_MAX_MIU (LLCP_MAX_MIUX + 128)
34 35
35#define LLCP_WKS_NUM_SAP 16 36#define LLCP_WKS_NUM_SAP 16
36#define LLCP_SDP_NUM_SAP 16 37#define LLCP_SDP_NUM_SAP 16
@@ -124,7 +125,7 @@ struct nfc_llcp_sock {
124 char *service_name; 125 char *service_name;
125 size_t service_name_len; 126 size_t service_name_len;
126 u8 rw; 127 u8 rw;
127 u16 miux; 128 __be16 miux;
128 129
129 130
130 /* Remote link parameters */ 131 /* Remote link parameters */
@@ -162,6 +163,7 @@ struct nfc_llcp_ui_cb {
162 163
163#define LLCP_HEADER_SIZE 2 164#define LLCP_HEADER_SIZE 2
164#define LLCP_SEQUENCE_SIZE 1 165#define LLCP_SEQUENCE_SIZE 1
166#define LLCP_AGF_PDU_HEADER_SIZE 2
165 167
166/* LLCP versions: 1.1 is 1.0 plus SDP */ 168/* LLCP versions: 1.1 is 1.0 plus SDP */
167#define LLCP_VERSION_10 0x10 169#define LLCP_VERSION_10 0x10
@@ -210,6 +212,7 @@ struct nfc_llcp_ui_cb {
210 212
211void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s); 213void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s);
212void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s); 214void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s);
215void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock);
213struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); 216struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
214struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local); 217struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local);
215int nfc_llcp_local_put(struct nfc_llcp_local *local); 218int nfc_llcp_local_put(struct nfc_llcp_local *local);
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 6fa76704cb13..fd01ac6e0bf4 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -279,7 +279,7 @@ static int nfc_llcp_setsockopt(struct socket *sock, int level, int optname,
279 break; 279 break;
280 } 280 }
281 281
282 llcp_sock->miux = (u16) opt; 282 llcp_sock->miux = cpu_to_be16((u16) opt);
283 283
284 break; 284 break;
285 285
@@ -299,9 +299,12 @@ static int nfc_llcp_setsockopt(struct socket *sock, int level, int optname,
299static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname, 299static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname,
300 char __user *optval, int __user *optlen) 300 char __user *optval, int __user *optlen)
301{ 301{
302 struct nfc_llcp_local *local;
302 struct sock *sk = sock->sk; 303 struct sock *sk = sock->sk;
303 struct nfc_llcp_sock *llcp_sock = nfc_llcp_sock(sk); 304 struct nfc_llcp_sock *llcp_sock = nfc_llcp_sock(sk);
304 int len, err = 0; 305 int len, err = 0;
306 u16 miux, remote_miu;
307 u8 rw;
305 308
306 pr_debug("%p optname %d\n", sk, optname); 309 pr_debug("%p optname %d\n", sk, optname);
307 310
@@ -311,19 +314,48 @@ static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname,
311 if (get_user(len, optlen)) 314 if (get_user(len, optlen))
312 return -EFAULT; 315 return -EFAULT;
313 316
317 local = llcp_sock->local;
318 if (!local)
319 return -ENODEV;
320
314 len = min_t(u32, len, sizeof(u32)); 321 len = min_t(u32, len, sizeof(u32));
315 322
316 lock_sock(sk); 323 lock_sock(sk);
317 324
318 switch (optname) { 325 switch (optname) {
319 case NFC_LLCP_RW: 326 case NFC_LLCP_RW:
320 if (put_user(llcp_sock->rw, (u32 __user *) optval)) 327 rw = llcp_sock->rw > LLCP_MAX_RW ? local->rw : llcp_sock->rw;
328 if (put_user(rw, (u32 __user *) optval))
321 err = -EFAULT; 329 err = -EFAULT;
322 330
323 break; 331 break;
324 332
325 case NFC_LLCP_MIUX: 333 case NFC_LLCP_MIUX:
326 if (put_user(llcp_sock->miux, (u32 __user *) optval)) 334 miux = be16_to_cpu(llcp_sock->miux) > LLCP_MAX_MIUX ?
335 be16_to_cpu(local->miux) : be16_to_cpu(llcp_sock->miux);
336
337 if (put_user(miux, (u32 __user *) optval))
338 err = -EFAULT;
339
340 break;
341
342 case NFC_LLCP_REMOTE_MIU:
343 remote_miu = llcp_sock->remote_miu > LLCP_MAX_MIU ?
344 local->remote_miu : llcp_sock->remote_miu;
345
346 if (put_user(remote_miu, (u32 __user *) optval))
347 err = -EFAULT;
348
349 break;
350
351 case NFC_LLCP_REMOTE_LTO:
352 if (put_user(local->remote_lto / 10, (u32 __user *) optval))
353 err = -EFAULT;
354
355 break;
356
357 case NFC_LLCP_REMOTE_RW:
358 if (put_user(llcp_sock->remote_rw, (u32 __user *) optval))
327 err = -EFAULT; 359 err = -EFAULT;
328 360
329 break; 361 break;
@@ -921,13 +953,12 @@ struct sock *nfc_llcp_sock_alloc(struct socket *sock, int type, gfp_t gfp)
921 llcp_sock->ssap = 0; 953 llcp_sock->ssap = 0;
922 llcp_sock->dsap = LLCP_SAP_SDP; 954 llcp_sock->dsap = LLCP_SAP_SDP;
923 llcp_sock->rw = LLCP_MAX_RW + 1; 955 llcp_sock->rw = LLCP_MAX_RW + 1;
924 llcp_sock->miux = LLCP_MAX_MIUX + 1; 956 llcp_sock->miux = cpu_to_be16(LLCP_MAX_MIUX + 1);
925 llcp_sock->remote_rw = LLCP_DEFAULT_RW;
926 llcp_sock->remote_miu = LLCP_DEFAULT_MIU;
927 llcp_sock->send_n = llcp_sock->send_ack_n = 0; 957 llcp_sock->send_n = llcp_sock->send_ack_n = 0;
928 llcp_sock->recv_n = llcp_sock->recv_ack_n = 0; 958 llcp_sock->recv_n = llcp_sock->recv_ack_n = 0;
929 llcp_sock->remote_ready = 1; 959 llcp_sock->remote_ready = 1;
930 llcp_sock->reserved_ssap = LLCP_SAP_MAX; 960 llcp_sock->reserved_ssap = LLCP_SAP_MAX;
961 nfc_llcp_socket_remote_param_init(llcp_sock);
931 skb_queue_head_init(&llcp_sock->tx_queue); 962 skb_queue_head_init(&llcp_sock->tx_queue);
932 skb_queue_head_init(&llcp_sock->tx_pending_queue); 963 skb_queue_head_init(&llcp_sock->tx_pending_queue);
933 INIT_LIST_HEAD(&llcp_sock->accept_queue); 964 INIT_LIST_HEAD(&llcp_sock->accept_queue);
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 9b9be5279f5d..1cec5e4f3a5e 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -587,7 +587,7 @@ static ssize_t rfkill_name_show(struct device *dev,
587 587
588static const char *rfkill_get_type_str(enum rfkill_type type) 588static const char *rfkill_get_type_str(enum rfkill_type type)
589{ 589{
590 BUILD_BUG_ON(NUM_RFKILL_TYPES != RFKILL_TYPE_FM + 1); 590 BUILD_BUG_ON(NUM_RFKILL_TYPES != RFKILL_TYPE_NFC + 1);
591 591
592 switch (type) { 592 switch (type) {
593 case RFKILL_TYPE_WLAN: 593 case RFKILL_TYPE_WLAN:
@@ -604,6 +604,8 @@ static const char *rfkill_get_type_str(enum rfkill_type type)
604 return "gps"; 604 return "gps";
605 case RFKILL_TYPE_FM: 605 case RFKILL_TYPE_FM:
606 return "fm"; 606 return "fm";
607 case RFKILL_TYPE_NFC:
608 return "nfc";
607 default: 609 default:
608 BUG(); 610 BUG();
609 } 611 }