aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/hci_conn.c38
-rw-r--r--net/bluetooth/hci_core.c239
-rw-r--r--net/bluetooth/hci_event.c184
-rw-r--r--net/bluetooth/hci_sysfs.c17
-rw-r--r--net/bluetooth/hidp/core.c992
-rw-r--r--net/bluetooth/hidp/hidp.h67
-rw-r--r--net/bluetooth/hidp/sock.c22
-rw-r--r--net/bluetooth/l2cap_core.c127
-rw-r--r--net/bluetooth/l2cap_sock.c6
-rw-r--r--net/bluetooth/mgmt.c17
-rw-r--r--net/bluetooth/sco.c49
-rw-r--r--net/bluetooth/smp.c2
-rw-r--r--net/nfc/core.c43
-rw-r--r--net/nfc/llcp/commands.c30
-rw-r--r--net/nfc/llcp/llcp.c127
-rw-r--r--net/nfc/llcp/llcp.h5
-rw-r--r--net/nfc/llcp/sock.c43
-rw-r--r--net/rfkill/core.c4
18 files changed, 1280 insertions, 732 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b9f90169940b..6c7f36379722 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -117,6 +117,16 @@ static void hci_acl_create_connection_cancel(struct hci_conn *conn)
117 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp); 117 hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
118} 118}
119 119
120static void hci_reject_sco(struct hci_conn *conn)
121{
122 struct hci_cp_reject_sync_conn_req cp;
123
124 cp.reason = HCI_ERROR_REMOTE_USER_TERM;
125 bacpy(&cp.bdaddr, &conn->dst);
126
127 hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
128}
129
120void hci_disconnect(struct hci_conn *conn, __u8 reason) 130void hci_disconnect(struct hci_conn *conn, __u8 reason)
121{ 131{
122 struct hci_cp_disconnect cp; 132 struct hci_cp_disconnect cp;
@@ -276,6 +286,8 @@ static void hci_conn_timeout(struct work_struct *work)
276 hci_acl_create_connection_cancel(conn); 286 hci_acl_create_connection_cancel(conn);
277 else if (conn->type == LE_LINK) 287 else if (conn->type == LE_LINK)
278 hci_le_create_connection_cancel(conn); 288 hci_le_create_connection_cancel(conn);
289 } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
290 hci_reject_sco(conn);
279 } 291 }
280 break; 292 break;
281 case BT_CONFIG: 293 case BT_CONFIG:
@@ -398,8 +410,6 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
398 if (hdev->notify) 410 if (hdev->notify)
399 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD); 411 hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
400 412
401 atomic_set(&conn->devref, 0);
402
403 hci_conn_init_sysfs(conn); 413 hci_conn_init_sysfs(conn);
404 414
405 return conn; 415 return conn;
@@ -433,7 +443,7 @@ int hci_conn_del(struct hci_conn *conn)
433 struct hci_conn *acl = conn->link; 443 struct hci_conn *acl = conn->link;
434 if (acl) { 444 if (acl) {
435 acl->link = NULL; 445 acl->link = NULL;
436 hci_conn_put(acl); 446 hci_conn_drop(acl);
437 } 447 }
438 } 448 }
439 449
@@ -448,12 +458,11 @@ int hci_conn_del(struct hci_conn *conn)
448 458
449 skb_queue_purge(&conn->data_q); 459 skb_queue_purge(&conn->data_q);
450 460
451 hci_conn_put_device(conn); 461 hci_conn_del_sysfs(conn);
452 462
453 hci_dev_put(hdev); 463 hci_dev_put(hdev);
454 464
455 if (conn->handle == 0) 465 hci_conn_put(conn);
456 kfree(conn);
457 466
458 return 0; 467 return 0;
459} 468}
@@ -565,7 +574,7 @@ static struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type,
565 if (!sco) { 574 if (!sco) {
566 sco = hci_conn_add(hdev, type, dst); 575 sco = hci_conn_add(hdev, type, dst);
567 if (!sco) { 576 if (!sco) {
568 hci_conn_put(acl); 577 hci_conn_drop(acl);
569 return ERR_PTR(-ENOMEM); 578 return ERR_PTR(-ENOMEM);
570 } 579 }
571 } 580 }
@@ -835,19 +844,6 @@ void hci_conn_check_pending(struct hci_dev *hdev)
835 hci_dev_unlock(hdev); 844 hci_dev_unlock(hdev);
836} 845}
837 846
838void hci_conn_hold_device(struct hci_conn *conn)
839{
840 atomic_inc(&conn->devref);
841}
842EXPORT_SYMBOL(hci_conn_hold_device);
843
844void hci_conn_put_device(struct hci_conn *conn)
845{
846 if (atomic_dec_and_test(&conn->devref))
847 hci_conn_del_sysfs(conn);
848}
849EXPORT_SYMBOL(hci_conn_put_device);
850
851int hci_get_conn_list(void __user *arg) 847int hci_get_conn_list(void __user *arg)
852{ 848{
853 struct hci_conn *c; 849 struct hci_conn *c;
@@ -980,7 +976,7 @@ void hci_chan_del(struct hci_chan *chan)
980 976
981 synchronize_rcu(); 977 synchronize_rcu();
982 978
983 hci_conn_put(conn); 979 hci_conn_drop(conn);
984 980
985 skb_queue_purge(&chan->data_q); 981 skb_queue_purge(&chan->data_q);
986 kfree(chan); 982 kfree(chan);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index cfcad5423f1c..ce82265f5619 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -79,6 +79,121 @@ static void hci_req_cancel(struct hci_dev *hdev, int err)
79 } 79 }
80} 80}
81 81
82struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 event)
83{
84 struct hci_ev_cmd_complete *ev;
85 struct hci_event_hdr *hdr;
86 struct sk_buff *skb;
87
88 hci_dev_lock(hdev);
89
90 skb = hdev->recv_evt;
91 hdev->recv_evt = NULL;
92
93 hci_dev_unlock(hdev);
94
95 if (!skb)
96 return ERR_PTR(-ENODATA);
97
98 if (skb->len < sizeof(*hdr)) {
99 BT_ERR("Too short HCI event");
100 goto failed;
101 }
102
103 hdr = (void *) skb->data;
104 skb_pull(skb, HCI_EVENT_HDR_SIZE);
105
106 if (event) {
107 if (hdr->evt != event)
108 goto failed;
109 return skb;
110 }
111
112 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
113 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
114 goto failed;
115 }
116
117 if (skb->len < sizeof(*ev)) {
118 BT_ERR("Too short cmd_complete event");
119 goto failed;
120 }
121
122 ev = (void *) skb->data;
123 skb_pull(skb, sizeof(*ev));
124
125 if (opcode == __le16_to_cpu(ev->opcode))
126 return skb;
127
128 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
129 __le16_to_cpu(ev->opcode));
130
131failed:
132 kfree_skb(skb);
133 return ERR_PTR(-ENODATA);
134}
135
136struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
137 void *param, u8 event, u32 timeout)
138{
139 DECLARE_WAITQUEUE(wait, current);
140 struct hci_request req;
141 int err = 0;
142
143 BT_DBG("%s", hdev->name);
144
145 hci_req_init(&req, hdev);
146
147 hci_req_add_ev(&req, opcode, plen, param, event);
148
149 hdev->req_status = HCI_REQ_PEND;
150
151 err = hci_req_run(&req, hci_req_sync_complete);
152 if (err < 0)
153 return ERR_PTR(err);
154
155 add_wait_queue(&hdev->req_wait_q, &wait);
156 set_current_state(TASK_INTERRUPTIBLE);
157
158 schedule_timeout(timeout);
159
160 remove_wait_queue(&hdev->req_wait_q, &wait);
161
162 if (signal_pending(current))
163 return ERR_PTR(-EINTR);
164
165 switch (hdev->req_status) {
166 case HCI_REQ_DONE:
167 err = -bt_to_errno(hdev->req_result);
168 break;
169
170 case HCI_REQ_CANCELED:
171 err = -hdev->req_result;
172 break;
173
174 default:
175 err = -ETIMEDOUT;
176 break;
177 }
178
179 hdev->req_status = hdev->req_result = 0;
180
181 BT_DBG("%s end: err %d", hdev->name, err);
182
183 if (err < 0)
184 return ERR_PTR(err);
185
186 return hci_get_cmd_complete(hdev, opcode, event);
187}
188EXPORT_SYMBOL(__hci_cmd_sync_ev);
189
190struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
191 void *param, u32 timeout)
192{
193 return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
194}
195EXPORT_SYMBOL(__hci_cmd_sync);
196
82/* Execute request and wait for completion. */ 197/* Execute request and wait for completion. */
83static int __hci_req_sync(struct hci_dev *hdev, 198static int __hci_req_sync(struct hci_dev *hdev,
84 void (*func)(struct hci_request *req, 199 void (*func)(struct hci_request *req,
@@ -201,29 +316,9 @@ static void amp_init(struct hci_request *req)
201static void hci_init1_req(struct hci_request *req, unsigned long opt) 316static void hci_init1_req(struct hci_request *req, unsigned long opt)
202{ 317{
203 struct hci_dev *hdev = req->hdev; 318 struct hci_dev *hdev = req->hdev;
204 struct hci_request init_req;
205 struct sk_buff *skb;
206 319
207 BT_DBG("%s %ld", hdev->name, opt); 320 BT_DBG("%s %ld", hdev->name, opt);
208 321
209 /* Driver initialization */
210
211 hci_req_init(&init_req, hdev);
212
213 /* Special commands */
214 while ((skb = skb_dequeue(&hdev->driver_init))) {
215 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
216 skb->dev = (void *) hdev;
217
218 if (skb_queue_empty(&init_req.cmd_q))
219 bt_cb(skb)->req.start = true;
220
221 skb_queue_tail(&init_req.cmd_q, skb);
222 }
223 skb_queue_purge(&hdev->driver_init);
224
225 hci_req_run(&init_req, NULL);
226
227 /* Reset */ 322 /* Reset */
228 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) 323 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
229 hci_reset_req(req, 0); 324 hci_reset_req(req, 0);
@@ -494,6 +589,7 @@ static void hci_set_le_support(struct hci_request *req)
494static void hci_init3_req(struct hci_request *req, unsigned long opt) 589static void hci_init3_req(struct hci_request *req, unsigned long opt)
495{ 590{
496 struct hci_dev *hdev = req->hdev; 591 struct hci_dev *hdev = req->hdev;
592 u8 p;
497 593
498 if (hdev->commands[5] & 0x10) 594 if (hdev->commands[5] & 0x10)
499 hci_setup_link_policy(req); 595 hci_setup_link_policy(req);
@@ -502,6 +598,15 @@ static void hci_init3_req(struct hci_request *req, unsigned long opt)
502 hci_set_le_support(req); 598 hci_set_le_support(req);
503 hci_update_ad(req); 599 hci_update_ad(req);
504 } 600 }
601
602 /* Read features beyond page 1 if available */
603 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
604 struct hci_cp_read_local_ext_features cp;
605
606 cp.page = p;
607 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
608 sizeof(cp), &cp);
609 }
505} 610}
506 611
507static int __hci_init(struct hci_dev *hdev) 612static int __hci_init(struct hci_dev *hdev)
@@ -818,6 +923,12 @@ static void hci_inq_req(struct hci_request *req, unsigned long opt)
818 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp); 923 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
819} 924}
820 925
926static int wait_inquiry(void *word)
927{
928 schedule();
929 return signal_pending(current);
930}
931
821int hci_inquiry(void __user *arg) 932int hci_inquiry(void __user *arg)
822{ 933{
823 __u8 __user *ptr = arg; 934 __u8 __user *ptr = arg;
@@ -849,6 +960,13 @@ int hci_inquiry(void __user *arg)
849 timeo); 960 timeo);
850 if (err < 0) 961 if (err < 0)
851 goto done; 962 goto done;
963
964 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
965 * cleared). If it is interrupted by a signal, return -EINTR.
966 */
967 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
968 TASK_INTERRUPTIBLE))
969 return -EINTR;
852 } 970 }
853 971
854 /* for unlimited number of responses we will use buffer with 972 /* for unlimited number of responses we will use buffer with
@@ -999,26 +1117,33 @@ int hci_dev_open(__u16 dev)
999 goto done; 1117 goto done;
1000 } 1118 }
1001 1119
1002 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1003 set_bit(HCI_RAW, &hdev->flags);
1004
1005 /* Treat all non BR/EDR controllers as raw devices if
1006 enable_hs is not set */
1007 if (hdev->dev_type != HCI_BREDR && !enable_hs)
1008 set_bit(HCI_RAW, &hdev->flags);
1009
1010 if (hdev->open(hdev)) { 1120 if (hdev->open(hdev)) {
1011 ret = -EIO; 1121 ret = -EIO;
1012 goto done; 1122 goto done;
1013 } 1123 }
1014 1124
1015 if (!test_bit(HCI_RAW, &hdev->flags)) { 1125 atomic_set(&hdev->cmd_cnt, 1);
1016 atomic_set(&hdev->cmd_cnt, 1); 1126 set_bit(HCI_INIT, &hdev->flags);
1017 set_bit(HCI_INIT, &hdev->flags); 1127
1018 ret = __hci_init(hdev); 1128 if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
1019 clear_bit(HCI_INIT, &hdev->flags); 1129 ret = hdev->setup(hdev);
1130
1131 if (!ret) {
1132 /* Treat all non BR/EDR controllers as raw devices if
1133 * enable_hs is not set.
1134 */
1135 if (hdev->dev_type != HCI_BREDR && !enable_hs)
1136 set_bit(HCI_RAW, &hdev->flags);
1137
1138 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1139 set_bit(HCI_RAW, &hdev->flags);
1140
1141 if (!test_bit(HCI_RAW, &hdev->flags))
1142 ret = __hci_init(hdev);
1020 } 1143 }
1021 1144
1145 clear_bit(HCI_INIT, &hdev->flags);
1146
1022 if (!ret) { 1147 if (!ret) {
1023 hci_dev_hold(hdev); 1148 hci_dev_hold(hdev);
1024 set_bit(HCI_UP, &hdev->flags); 1149 set_bit(HCI_UP, &hdev->flags);
@@ -1123,6 +1248,9 @@ static int hci_dev_do_close(struct hci_dev *hdev)
1123 hdev->sent_cmd = NULL; 1248 hdev->sent_cmd = NULL;
1124 } 1249 }
1125 1250
1251 kfree_skb(hdev->recv_evt);
1252 hdev->recv_evt = NULL;
1253
1126 /* After this point our queues are empty 1254 /* After this point our queues are empty
1127 * and no tasks are scheduled. */ 1255 * and no tasks are scheduled. */
1128 hdev->close(hdev); 1256 hdev->close(hdev);
@@ -1861,8 +1989,8 @@ static void le_scan_enable_req(struct hci_request *req, unsigned long opt)
1861 struct hci_cp_le_set_scan_enable cp; 1989 struct hci_cp_le_set_scan_enable cp;
1862 1990
1863 memset(&cp, 0, sizeof(cp)); 1991 memset(&cp, 0, sizeof(cp));
1864 cp.enable = 1; 1992 cp.enable = LE_SCAN_ENABLE;
1865 cp.filter_dup = 1; 1993 cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
1866 1994
1867 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp); 1995 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
1868} 1996}
@@ -1896,7 +2024,7 @@ static int hci_do_le_scan(struct hci_dev *hdev, u8 type, u16 interval,
1896 return err; 2024 return err;
1897 2025
1898 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable, 2026 queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable,
1899 msecs_to_jiffies(timeout)); 2027 timeout);
1900 2028
1901 return 0; 2029 return 0;
1902} 2030}
@@ -2006,7 +2134,6 @@ struct hci_dev *hci_alloc_dev(void)
2006 INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off); 2134 INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2007 INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work); 2135 INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2008 2136
2009 skb_queue_head_init(&hdev->driver_init);
2010 skb_queue_head_init(&hdev->rx_q); 2137 skb_queue_head_init(&hdev->rx_q);
2011 skb_queue_head_init(&hdev->cmd_q); 2138 skb_queue_head_init(&hdev->cmd_q);
2012 skb_queue_head_init(&hdev->raw_q); 2139 skb_queue_head_init(&hdev->raw_q);
@@ -2025,8 +2152,6 @@ EXPORT_SYMBOL(hci_alloc_dev);
2025/* Free HCI device */ 2152/* Free HCI device */
2026void hci_free_dev(struct hci_dev *hdev) 2153void hci_free_dev(struct hci_dev *hdev)
2027{ 2154{
2028 skb_queue_purge(&hdev->driver_init);
2029
2030 /* will free via device release */ 2155 /* will free via device release */
2031 put_device(&hdev->dev); 2156 put_device(&hdev->dev);
2032} 2157}
@@ -2527,7 +2652,8 @@ int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
2527} 2652}
2528 2653
2529/* Queue a command to an asynchronous HCI request */ 2654/* Queue a command to an asynchronous HCI request */
2530void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param) 2655void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen, void *param,
2656 u8 event)
2531{ 2657{
2532 struct hci_dev *hdev = req->hdev; 2658 struct hci_dev *hdev = req->hdev;
2533 struct sk_buff *skb; 2659 struct sk_buff *skb;
@@ -2551,9 +2677,16 @@ void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param)
2551 if (skb_queue_empty(&req->cmd_q)) 2677 if (skb_queue_empty(&req->cmd_q))
2552 bt_cb(skb)->req.start = true; 2678 bt_cb(skb)->req.start = true;
2553 2679
2680 bt_cb(skb)->req.event = event;
2681
2554 skb_queue_tail(&req->cmd_q, skb); 2682 skb_queue_tail(&req->cmd_q, skb);
2555} 2683}
2556 2684
2685void hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param)
2686{
2687 hci_req_add_ev(req, opcode, plen, param, 0);
2688}
2689
2557/* Get data from the previously sent command */ 2690/* Get data from the previously sent command */
2558void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode) 2691void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
2559{ 2692{
@@ -3309,32 +3442,6 @@ call_complete:
3309 req_complete(hdev, status); 3442 req_complete(hdev, status);
3310} 3443}
3311 3444
3312void hci_req_cmd_status(struct hci_dev *hdev, u16 opcode, u8 status)
3313{
3314 hci_req_complete_t req_complete = NULL;
3315
3316 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3317
3318 if (status) {
3319 hci_req_cmd_complete(hdev, opcode, status);
3320 return;
3321 }
3322
3323 /* No need to handle success status if there are more commands */
3324 if (!hci_req_is_complete(hdev))
3325 return;
3326
3327 if (hdev->sent_cmd)
3328 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
3329
3330 /* If the request doesn't have a complete callback or there
3331 * are other commands/requests in the hdev queue we consider
3332 * this request as completed.
3333 */
3334 if (!req_complete || !skb_queue_empty(&hdev->cmd_q))
3335 hci_req_cmd_complete(hdev, opcode, status);
3336}
3337
3338static void hci_rx_work(struct work_struct *work) 3445static void hci_rx_work(struct work_struct *work)
3339{ 3446{
3340 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work); 3447 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 138580745c2c..b93cd2eb5d58 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -48,13 +48,13 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
48 } 48 }
49 49
50 clear_bit(HCI_INQUIRY, &hdev->flags); 50 clear_bit(HCI_INQUIRY, &hdev->flags);
51 smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
52 wake_up_bit(&hdev->flags, HCI_INQUIRY);
51 53
52 hci_dev_lock(hdev); 54 hci_dev_lock(hdev);
53 hci_discovery_set_state(hdev, DISCOVERY_STOPPED); 55 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
54 hci_dev_unlock(hdev); 56 hci_dev_unlock(hdev);
55 57
56 hci_req_cmd_complete(hdev, HCI_OP_INQUIRY, status);
57
58 hci_conn_check_pending(hdev); 58 hci_conn_check_pending(hdev);
59} 59}
60 60
@@ -433,9 +433,9 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
433 433
434 if (!status) { 434 if (!status) {
435 if (sent->mode) 435 if (sent->mode)
436 hdev->host_features[0] |= LMP_HOST_SSP; 436 hdev->features[1][0] |= LMP_HOST_SSP;
437 else 437 else
438 hdev->host_features[0] &= ~LMP_HOST_SSP; 438 hdev->features[1][0] &= ~LMP_HOST_SSP;
439 } 439 }
440 440
441 if (test_bit(HCI_MGMT, &hdev->dev_flags)) 441 if (test_bit(HCI_MGMT, &hdev->dev_flags))
@@ -493,18 +493,18 @@ static void hci_cc_read_local_features(struct hci_dev *hdev,
493 /* Adjust default settings according to features 493 /* Adjust default settings according to features
494 * supported by device. */ 494 * supported by device. */
495 495
496 if (hdev->features[0] & LMP_3SLOT) 496 if (hdev->features[0][0] & LMP_3SLOT)
497 hdev->pkt_type |= (HCI_DM3 | HCI_DH3); 497 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
498 498
499 if (hdev->features[0] & LMP_5SLOT) 499 if (hdev->features[0][0] & LMP_5SLOT)
500 hdev->pkt_type |= (HCI_DM5 | HCI_DH5); 500 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
501 501
502 if (hdev->features[1] & LMP_HV2) { 502 if (hdev->features[0][1] & LMP_HV2) {
503 hdev->pkt_type |= (HCI_HV2); 503 hdev->pkt_type |= (HCI_HV2);
504 hdev->esco_type |= (ESCO_HV2); 504 hdev->esco_type |= (ESCO_HV2);
505 } 505 }
506 506
507 if (hdev->features[1] & LMP_HV3) { 507 if (hdev->features[0][1] & LMP_HV3) {
508 hdev->pkt_type |= (HCI_HV3); 508 hdev->pkt_type |= (HCI_HV3);
509 hdev->esco_type |= (ESCO_HV3); 509 hdev->esco_type |= (ESCO_HV3);
510 } 510 }
@@ -512,26 +512,26 @@ static void hci_cc_read_local_features(struct hci_dev *hdev,
512 if (lmp_esco_capable(hdev)) 512 if (lmp_esco_capable(hdev))
513 hdev->esco_type |= (ESCO_EV3); 513 hdev->esco_type |= (ESCO_EV3);
514 514
515 if (hdev->features[4] & LMP_EV4) 515 if (hdev->features[0][4] & LMP_EV4)
516 hdev->esco_type |= (ESCO_EV4); 516 hdev->esco_type |= (ESCO_EV4);
517 517
518 if (hdev->features[4] & LMP_EV5) 518 if (hdev->features[0][4] & LMP_EV5)
519 hdev->esco_type |= (ESCO_EV5); 519 hdev->esco_type |= (ESCO_EV5);
520 520
521 if (hdev->features[5] & LMP_EDR_ESCO_2M) 521 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
522 hdev->esco_type |= (ESCO_2EV3); 522 hdev->esco_type |= (ESCO_2EV3);
523 523
524 if (hdev->features[5] & LMP_EDR_ESCO_3M) 524 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
525 hdev->esco_type |= (ESCO_3EV3); 525 hdev->esco_type |= (ESCO_3EV3);
526 526
527 if (hdev->features[5] & LMP_EDR_3S_ESCO) 527 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
528 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5); 528 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
529 529
530 BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name, 530 BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name,
531 hdev->features[0], hdev->features[1], 531 hdev->features[0][0], hdev->features[0][1],
532 hdev->features[2], hdev->features[3], 532 hdev->features[0][2], hdev->features[0][3],
533 hdev->features[4], hdev->features[5], 533 hdev->features[0][4], hdev->features[0][5],
534 hdev->features[6], hdev->features[7]); 534 hdev->features[0][6], hdev->features[0][7]);
535} 535}
536 536
537static void hci_cc_read_local_ext_features(struct hci_dev *hdev, 537static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
@@ -544,14 +544,10 @@ static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
544 if (rp->status) 544 if (rp->status)
545 return; 545 return;
546 546
547 switch (rp->page) { 547 hdev->max_page = rp->max_page;
548 case 0: 548
549 memcpy(hdev->features, rp->features, 8); 549 if (rp->page < HCI_MAX_PAGES)
550 break; 550 memcpy(hdev->features[rp->page], rp->features, 8);
551 case 1:
552 memcpy(hdev->host_features, rp->features, 8);
553 break;
554 }
555} 551}
556 552
557static void hci_cc_read_flow_control_mode(struct hci_dev *hdev, 553static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
@@ -968,7 +964,7 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
968 return; 964 return;
969 965
970 switch (cp->enable) { 966 switch (cp->enable) {
971 case LE_SCANNING_ENABLED: 967 case LE_SCAN_ENABLE:
972 if (status) { 968 if (status) {
973 hci_dev_lock(hdev); 969 hci_dev_lock(hdev);
974 mgmt_start_discovery_failed(hdev, status); 970 mgmt_start_discovery_failed(hdev, status);
@@ -983,7 +979,7 @@ static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
983 hci_dev_unlock(hdev); 979 hci_dev_unlock(hdev);
984 break; 980 break;
985 981
986 case LE_SCANNING_DISABLED: 982 case LE_SCAN_DISABLE:
987 if (status) { 983 if (status) {
988 hci_dev_lock(hdev); 984 hci_dev_lock(hdev);
989 mgmt_stop_discovery_failed(hdev, status); 985 mgmt_stop_discovery_failed(hdev, status);
@@ -1046,14 +1042,14 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1046 1042
1047 if (!status) { 1043 if (!status) {
1048 if (sent->le) 1044 if (sent->le)
1049 hdev->host_features[0] |= LMP_HOST_LE; 1045 hdev->features[1][0] |= LMP_HOST_LE;
1050 else 1046 else
1051 hdev->host_features[0] &= ~LMP_HOST_LE; 1047 hdev->features[1][0] &= ~LMP_HOST_LE;
1052 1048
1053 if (sent->simul) 1049 if (sent->simul)
1054 hdev->host_features[0] |= LMP_HOST_LE_BREDR; 1050 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1055 else 1051 else
1056 hdev->host_features[0] &= ~LMP_HOST_LE_BREDR; 1052 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1057 } 1053 }
1058 1054
1059 if (test_bit(HCI_MGMT, &hdev->dev_flags) && 1055 if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
@@ -1190,7 +1186,7 @@ static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1190 if (conn) { 1186 if (conn) {
1191 if (conn->state == BT_CONFIG) { 1187 if (conn->state == BT_CONFIG) {
1192 hci_proto_connect_cfm(conn, status); 1188 hci_proto_connect_cfm(conn, status);
1193 hci_conn_put(conn); 1189 hci_conn_drop(conn);
1194 } 1190 }
1195 } 1191 }
1196 1192
@@ -1217,7 +1213,7 @@ static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1217 if (conn) { 1213 if (conn) {
1218 if (conn->state == BT_CONFIG) { 1214 if (conn->state == BT_CONFIG) {
1219 hci_proto_connect_cfm(conn, status); 1215 hci_proto_connect_cfm(conn, status);
1220 hci_conn_put(conn); 1216 hci_conn_drop(conn);
1221 } 1217 }
1222 } 1218 }
1223 1219
@@ -1379,7 +1375,7 @@ static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1379 if (conn) { 1375 if (conn) {
1380 if (conn->state == BT_CONFIG) { 1376 if (conn->state == BT_CONFIG) {
1381 hci_proto_connect_cfm(conn, status); 1377 hci_proto_connect_cfm(conn, status);
1382 hci_conn_put(conn); 1378 hci_conn_drop(conn);
1383 } 1379 }
1384 } 1380 }
1385 1381
@@ -1406,7 +1402,7 @@ static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1406 if (conn) { 1402 if (conn) {
1407 if (conn->state == BT_CONFIG) { 1403 if (conn->state == BT_CONFIG) {
1408 hci_proto_connect_cfm(conn, status); 1404 hci_proto_connect_cfm(conn, status);
1409 hci_conn_put(conn); 1405 hci_conn_drop(conn);
1410 } 1406 }
1411 } 1407 }
1412 1408
@@ -1600,13 +1596,14 @@ static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1600 1596
1601 BT_DBG("%s status 0x%2.2x", hdev->name, status); 1597 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1602 1598
1603 hci_req_cmd_complete(hdev, HCI_OP_INQUIRY, status);
1604
1605 hci_conn_check_pending(hdev); 1599 hci_conn_check_pending(hdev);
1606 1600
1607 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags)) 1601 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1608 return; 1602 return;
1609 1603
1604 smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
1605 wake_up_bit(&hdev->flags, HCI_INQUIRY);
1606
1610 if (!test_bit(HCI_MGMT, &hdev->dev_flags)) 1607 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1611 return; 1608 return;
1612 1609
@@ -1705,7 +1702,6 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1705 } else 1702 } else
1706 conn->state = BT_CONNECTED; 1703 conn->state = BT_CONNECTED;
1707 1704
1708 hci_conn_hold_device(conn);
1709 hci_conn_add_sysfs(conn); 1705 hci_conn_add_sysfs(conn);
1710 1706
1711 if (test_bit(HCI_AUTH, &hdev->flags)) 1707 if (test_bit(HCI_AUTH, &hdev->flags))
@@ -1752,42 +1748,6 @@ unlock:
1752 hci_conn_check_pending(hdev); 1748 hci_conn_check_pending(hdev);
1753} 1749}
1754 1750
1755void hci_conn_accept(struct hci_conn *conn, int mask)
1756{
1757 struct hci_dev *hdev = conn->hdev;
1758
1759 BT_DBG("conn %p", conn);
1760
1761 conn->state = BT_CONFIG;
1762
1763 if (!lmp_esco_capable(hdev)) {
1764 struct hci_cp_accept_conn_req cp;
1765
1766 bacpy(&cp.bdaddr, &conn->dst);
1767
1768 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
1769 cp.role = 0x00; /* Become master */
1770 else
1771 cp.role = 0x01; /* Remain slave */
1772
1773 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
1774 } else /* lmp_esco_capable(hdev)) */ {
1775 struct hci_cp_accept_sync_conn_req cp;
1776
1777 bacpy(&cp.bdaddr, &conn->dst);
1778 cp.pkt_type = cpu_to_le16(conn->pkt_type);
1779
1780 cp.tx_bandwidth = __constant_cpu_to_le32(0x00001f40);
1781 cp.rx_bandwidth = __constant_cpu_to_le32(0x00001f40);
1782 cp.max_latency = __constant_cpu_to_le16(0xffff);
1783 cp.content_format = cpu_to_le16(hdev->voice_setting);
1784 cp.retrans_effort = 0xff;
1785
1786 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
1787 sizeof(cp), &cp);
1788 }
1789}
1790
1791static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb) 1751static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1792{ 1752{
1793 struct hci_ev_conn_request *ev = (void *) skb->data; 1753 struct hci_ev_conn_request *ev = (void *) skb->data;
@@ -1859,7 +1819,6 @@ static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1859 } else { 1819 } else {
1860 conn->state = BT_CONNECT2; 1820 conn->state = BT_CONNECT2;
1861 hci_proto_connect_cfm(conn, 0); 1821 hci_proto_connect_cfm(conn, 0);
1862 hci_conn_put(conn);
1863 } 1822 }
1864 } else { 1823 } else {
1865 /* Connection rejected */ 1824 /* Connection rejected */
@@ -1966,14 +1925,14 @@ static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1966 } else { 1925 } else {
1967 conn->state = BT_CONNECTED; 1926 conn->state = BT_CONNECTED;
1968 hci_proto_connect_cfm(conn, ev->status); 1927 hci_proto_connect_cfm(conn, ev->status);
1969 hci_conn_put(conn); 1928 hci_conn_drop(conn);
1970 } 1929 }
1971 } else { 1930 } else {
1972 hci_auth_cfm(conn, ev->status); 1931 hci_auth_cfm(conn, ev->status);
1973 1932
1974 hci_conn_hold(conn); 1933 hci_conn_hold(conn);
1975 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 1934 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1976 hci_conn_put(conn); 1935 hci_conn_drop(conn);
1977 } 1936 }
1978 1937
1979 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) { 1938 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
@@ -2057,7 +2016,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2057 2016
2058 if (ev->status && conn->state == BT_CONNECTED) { 2017 if (ev->status && conn->state == BT_CONNECTED) {
2059 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 2018 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2060 hci_conn_put(conn); 2019 hci_conn_drop(conn);
2061 goto unlock; 2020 goto unlock;
2062 } 2021 }
2063 2022
@@ -2066,7 +2025,7 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2066 conn->state = BT_CONNECTED; 2025 conn->state = BT_CONNECTED;
2067 2026
2068 hci_proto_connect_cfm(conn, ev->status); 2027 hci_proto_connect_cfm(conn, ev->status);
2069 hci_conn_put(conn); 2028 hci_conn_drop(conn);
2070 } else 2029 } else
2071 hci_encrypt_cfm(conn, ev->status, ev->encrypt); 2030 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2072 } 2031 }
@@ -2113,7 +2072,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev,
2113 goto unlock; 2072 goto unlock;
2114 2073
2115 if (!ev->status) 2074 if (!ev->status)
2116 memcpy(conn->features, ev->features, 8); 2075 memcpy(conn->features[0], ev->features, 8);
2117 2076
2118 if (conn->state != BT_CONFIG) 2077 if (conn->state != BT_CONFIG)
2119 goto unlock; 2078 goto unlock;
@@ -2141,7 +2100,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev,
2141 if (!hci_outgoing_auth_needed(hdev, conn)) { 2100 if (!hci_outgoing_auth_needed(hdev, conn)) {
2142 conn->state = BT_CONNECTED; 2101 conn->state = BT_CONNECTED;
2143 hci_proto_connect_cfm(conn, ev->status); 2102 hci_proto_connect_cfm(conn, ev->status);
2144 hci_conn_put(conn); 2103 hci_conn_drop(conn);
2145 } 2104 }
2146 2105
2147unlock: 2106unlock:
@@ -2462,7 +2421,9 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2462 if (opcode != HCI_OP_NOP) 2421 if (opcode != HCI_OP_NOP)
2463 del_timer(&hdev->cmd_timer); 2422 del_timer(&hdev->cmd_timer);
2464 2423
2465 hci_req_cmd_status(hdev, opcode, ev->status); 2424 if (ev->status ||
2425 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
2426 hci_req_cmd_complete(hdev, opcode, ev->status);
2466 2427
2467 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { 2428 if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2468 atomic_set(&hdev->cmd_cnt, 1); 2429 atomic_set(&hdev->cmd_cnt, 1);
@@ -2679,7 +2640,7 @@ static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2679 if (conn->state == BT_CONNECTED) { 2640 if (conn->state == BT_CONNECTED) {
2680 hci_conn_hold(conn); 2641 hci_conn_hold(conn);
2681 conn->disc_timeout = HCI_PAIRING_TIMEOUT; 2642 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2682 hci_conn_put(conn); 2643 hci_conn_drop(conn);
2683 } 2644 }
2684 2645
2685 if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags)) 2646 if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags))
@@ -2782,7 +2743,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
2782 if (ev->key_type != HCI_LK_CHANGED_COMBINATION) 2743 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
2783 conn->key_type = ev->key_type; 2744 conn->key_type = ev->key_type;
2784 2745
2785 hci_conn_put(conn); 2746 hci_conn_drop(conn);
2786 } 2747 }
2787 2748
2788 if (test_bit(HCI_LINK_KEYS, &hdev->dev_flags)) 2749 if (test_bit(HCI_LINK_KEYS, &hdev->dev_flags))
@@ -2923,6 +2884,9 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2923 if (!conn) 2884 if (!conn)
2924 goto unlock; 2885 goto unlock;
2925 2886
2887 if (ev->page < HCI_MAX_PAGES)
2888 memcpy(conn->features[ev->page], ev->features, 8);
2889
2926 if (!ev->status && ev->page == 0x01) { 2890 if (!ev->status && ev->page == 0x01) {
2927 struct inquiry_entry *ie; 2891 struct inquiry_entry *ie;
2928 2892
@@ -2930,8 +2894,19 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2930 if (ie) 2894 if (ie)
2931 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 2895 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
2932 2896
2933 if (ev->features[0] & LMP_HOST_SSP) 2897 if (ev->features[0] & LMP_HOST_SSP) {
2934 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags); 2898 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
2899 } else {
2900 /* It is mandatory by the Bluetooth specification that
2901 * Extended Inquiry Results are only used when Secure
2902 * Simple Pairing is enabled, but some devices violate
2903 * this.
2904 *
2905 * To make these devices work, the internal SSP
2906 * enabled flag needs to be cleared if the remote host
2907 * features do not indicate SSP support */
2908 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
2909 }
2935 } 2910 }
2936 2911
2937 if (conn->state != BT_CONFIG) 2912 if (conn->state != BT_CONFIG)
@@ -2951,7 +2926,7 @@ static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2951 if (!hci_outgoing_auth_needed(hdev, conn)) { 2926 if (!hci_outgoing_auth_needed(hdev, conn)) {
2952 conn->state = BT_CONNECTED; 2927 conn->state = BT_CONNECTED;
2953 hci_proto_connect_cfm(conn, ev->status); 2928 hci_proto_connect_cfm(conn, ev->status);
2954 hci_conn_put(conn); 2929 hci_conn_drop(conn);
2955 } 2930 }
2956 2931
2957unlock: 2932unlock:
@@ -2985,7 +2960,6 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
2985 conn->handle = __le16_to_cpu(ev->handle); 2960 conn->handle = __le16_to_cpu(ev->handle);
2986 conn->state = BT_CONNECTED; 2961 conn->state = BT_CONNECTED;
2987 2962
2988 hci_conn_hold_device(conn);
2989 hci_conn_add_sysfs(conn); 2963 hci_conn_add_sysfs(conn);
2990 break; 2964 break;
2991 2965
@@ -3084,7 +3058,7 @@ static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3084 3058
3085 if (ev->status && conn->state == BT_CONNECTED) { 3059 if (ev->status && conn->state == BT_CONNECTED) {
3086 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE); 3060 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3087 hci_conn_put(conn); 3061 hci_conn_drop(conn);
3088 goto unlock; 3062 goto unlock;
3089 } 3063 }
3090 3064
@@ -3093,13 +3067,13 @@ static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3093 conn->state = BT_CONNECTED; 3067 conn->state = BT_CONNECTED;
3094 3068
3095 hci_proto_connect_cfm(conn, ev->status); 3069 hci_proto_connect_cfm(conn, ev->status);
3096 hci_conn_put(conn); 3070 hci_conn_drop(conn);
3097 } else { 3071 } else {
3098 hci_auth_cfm(conn, ev->status); 3072 hci_auth_cfm(conn, ev->status);
3099 3073
3100 hci_conn_hold(conn); 3074 hci_conn_hold(conn);
3101 conn->disc_timeout = HCI_DISCONN_TIMEOUT; 3075 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3102 hci_conn_put(conn); 3076 hci_conn_drop(conn);
3103 } 3077 }
3104 3078
3105unlock: 3079unlock:
@@ -3360,7 +3334,7 @@ static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3360 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type, 3334 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
3361 ev->status); 3335 ev->status);
3362 3336
3363 hci_conn_put(conn); 3337 hci_conn_drop(conn);
3364 3338
3365unlock: 3339unlock:
3366 hci_dev_unlock(hdev); 3340 hci_dev_unlock(hdev);
@@ -3371,11 +3345,16 @@ static void hci_remote_host_features_evt(struct hci_dev *hdev,
3371{ 3345{
3372 struct hci_ev_remote_host_features *ev = (void *) skb->data; 3346 struct hci_ev_remote_host_features *ev = (void *) skb->data;
3373 struct inquiry_entry *ie; 3347 struct inquiry_entry *ie;
3348 struct hci_conn *conn;
3374 3349
3375 BT_DBG("%s", hdev->name); 3350 BT_DBG("%s", hdev->name);
3376 3351
3377 hci_dev_lock(hdev); 3352 hci_dev_lock(hdev);
3378 3353
3354 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3355 if (conn)
3356 memcpy(conn->features[1], ev->features, 8);
3357
3379 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr); 3358 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3380 if (ie) 3359 if (ie)
3381 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP); 3360 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
@@ -3448,9 +3427,8 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
3448 3427
3449 hci_conn_hold(hcon); 3428 hci_conn_hold(hcon);
3450 hcon->disc_timeout = HCI_DISCONN_TIMEOUT; 3429 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3451 hci_conn_put(hcon); 3430 hci_conn_drop(hcon);
3452 3431
3453 hci_conn_hold_device(hcon);
3454 hci_conn_add_sysfs(hcon); 3432 hci_conn_add_sysfs(hcon);
3455 3433
3456 amp_physical_cfm(bredr_hcon, hcon); 3434 amp_physical_cfm(bredr_hcon, hcon);
@@ -3584,7 +3562,6 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3584 conn->handle = __le16_to_cpu(ev->handle); 3562 conn->handle = __le16_to_cpu(ev->handle);
3585 conn->state = BT_CONNECTED; 3563 conn->state = BT_CONNECTED;
3586 3564
3587 hci_conn_hold_device(conn);
3588 hci_conn_add_sysfs(conn); 3565 hci_conn_add_sysfs(conn);
3589 3566
3590 hci_proto_connect_cfm(conn, ev->status); 3567 hci_proto_connect_cfm(conn, ev->status);
@@ -3698,8 +3675,27 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
3698 struct hci_event_hdr *hdr = (void *) skb->data; 3675 struct hci_event_hdr *hdr = (void *) skb->data;
3699 __u8 event = hdr->evt; 3676 __u8 event = hdr->evt;
3700 3677
3678 hci_dev_lock(hdev);
3679
3680 /* Received events are (currently) only needed when a request is
3681 * ongoing so avoid unnecessary memory allocation.
3682 */
3683 if (hdev->req_status == HCI_REQ_PEND) {
3684 kfree_skb(hdev->recv_evt);
3685 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
3686 }
3687
3688 hci_dev_unlock(hdev);
3689
3701 skb_pull(skb, HCI_EVENT_HDR_SIZE); 3690 skb_pull(skb, HCI_EVENT_HDR_SIZE);
3702 3691
3692 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
3693 struct hci_command_hdr *hdr = (void *) hdev->sent_cmd->data;
3694 u16 opcode = __le16_to_cpu(hdr->opcode);
3695
3696 hci_req_cmd_complete(hdev, opcode, 0);
3697 }
3698
3703 switch (event) { 3699 switch (event) {
3704 case HCI_EV_INQUIRY_COMPLETE: 3700 case HCI_EV_INQUIRY_COMPLETE:
3705 hci_inquiry_complete_evt(hdev, skb); 3701 hci_inquiry_complete_evt(hdev, skb);
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index ff38561385de..7ad6ecf36f20 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -48,10 +48,10 @@ static ssize_t show_link_features(struct device *dev,
48 struct hci_conn *conn = to_hci_conn(dev); 48 struct hci_conn *conn = to_hci_conn(dev);
49 49
50 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n", 50 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n",
51 conn->features[0], conn->features[1], 51 conn->features[0][0], conn->features[0][1],
52 conn->features[2], conn->features[3], 52 conn->features[0][2], conn->features[0][3],
53 conn->features[4], conn->features[5], 53 conn->features[0][4], conn->features[0][5],
54 conn->features[6], conn->features[7]); 54 conn->features[0][6], conn->features[0][7]);
55} 55}
56 56
57#define LINK_ATTR(_name, _mode, _show, _store) \ 57#define LINK_ATTR(_name, _mode, _show, _store) \
@@ -146,7 +146,6 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
146 } 146 }
147 147
148 device_del(&conn->dev); 148 device_del(&conn->dev);
149 put_device(&conn->dev);
150 149
151 hci_dev_put(hdev); 150 hci_dev_put(hdev);
152} 151}
@@ -234,10 +233,10 @@ static ssize_t show_features(struct device *dev,
234 struct hci_dev *hdev = to_hci_dev(dev); 233 struct hci_dev *hdev = to_hci_dev(dev);
235 234
236 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n", 235 return sprintf(buf, "0x%02x%02x%02x%02x%02x%02x%02x%02x\n",
237 hdev->features[0], hdev->features[1], 236 hdev->features[0][0], hdev->features[0][1],
238 hdev->features[2], hdev->features[3], 237 hdev->features[0][2], hdev->features[0][3],
239 hdev->features[4], hdev->features[5], 238 hdev->features[0][4], hdev->features[0][5],
240 hdev->features[6], hdev->features[7]); 239 hdev->features[0][6], hdev->features[0][7]);
241} 240}
242 241
243static ssize_t show_manufacturer(struct device *dev, 242static ssize_t show_manufacturer(struct device *dev,
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 2342327f3335..940f5acb6694 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -1,6 +1,7 @@
1/* 1/*
2 HIDP implementation for Linux Bluetooth stack (BlueZ). 2 HIDP implementation for Linux Bluetooth stack (BlueZ).
3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org> 3 Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4 Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
4 5
5 This program is free software; you can redistribute it and/or modify 6 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as 7 it under the terms of the GNU General Public License version 2 as
@@ -20,6 +21,7 @@
20 SOFTWARE IS DISCLAIMED. 21 SOFTWARE IS DISCLAIMED.
21*/ 22*/
22 23
24#include <linux/kref.h>
23#include <linux/module.h> 25#include <linux/module.h>
24#include <linux/file.h> 26#include <linux/file.h>
25#include <linux/kthread.h> 27#include <linux/kthread.h>
@@ -59,39 +61,20 @@ static unsigned char hidp_keycode[256] = {
59 61
60static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }; 62static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
61 63
62static struct hidp_session *__hidp_get_session(bdaddr_t *bdaddr) 64static int hidp_session_probe(struct l2cap_conn *conn,
63{ 65 struct l2cap_user *user);
64 struct hidp_session *session; 66static void hidp_session_remove(struct l2cap_conn *conn,
65 67 struct l2cap_user *user);
66 BT_DBG(""); 68static int hidp_session_thread(void *arg);
69static void hidp_session_terminate(struct hidp_session *s);
67 70
68 list_for_each_entry(session, &hidp_session_list, list) { 71static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
69 if (!bacmp(bdaddr, &session->bdaddr))
70 return session;
71 }
72
73 return NULL;
74}
75
76static void __hidp_link_session(struct hidp_session *session)
77{
78 list_add(&session->list, &hidp_session_list);
79}
80
81static void __hidp_unlink_session(struct hidp_session *session)
82{
83 hci_conn_put_device(session->conn);
84
85 list_del(&session->list);
86}
87
88static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
89{ 72{
90 memset(ci, 0, sizeof(*ci)); 73 memset(ci, 0, sizeof(*ci));
91 bacpy(&ci->bdaddr, &session->bdaddr); 74 bacpy(&ci->bdaddr, &session->bdaddr);
92 75
93 ci->flags = session->flags; 76 ci->flags = session->flags;
94 ci->state = session->state; 77 ci->state = BT_CONNECTED;
95 78
96 ci->vendor = 0x0000; 79 ci->vendor = 0x0000;
97 ci->product = 0x0000; 80 ci->product = 0x0000;
@@ -115,58 +98,80 @@ static void __hidp_copy_session(struct hidp_session *session, struct hidp_connin
115 } 98 }
116} 99}
117 100
118static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev, 101/* assemble skb, queue message on @transmit and wake up the session thread */
119 unsigned int type, unsigned int code, int value) 102static int hidp_send_message(struct hidp_session *session, struct socket *sock,
103 struct sk_buff_head *transmit, unsigned char hdr,
104 const unsigned char *data, int size)
120{ 105{
121 unsigned char newleds;
122 struct sk_buff *skb; 106 struct sk_buff *skb;
107 struct sock *sk = sock->sk;
123 108
124 BT_DBG("session %p type %d code %d value %d", session, type, code, value); 109 BT_DBG("session %p data %p size %d", session, data, size);
125
126 if (type != EV_LED)
127 return -1;
128
129 newleds = (!!test_bit(LED_KANA, dev->led) << 3) |
130 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
131 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
132 (!!test_bit(LED_CAPSL, dev->led) << 1) |
133 (!!test_bit(LED_NUML, dev->led));
134
135 if (session->leds == newleds)
136 return 0;
137 110
138 session->leds = newleds; 111 if (atomic_read(&session->terminate))
112 return -EIO;
139 113
140 skb = alloc_skb(3, GFP_ATOMIC); 114 skb = alloc_skb(size + 1, GFP_ATOMIC);
141 if (!skb) { 115 if (!skb) {
142 BT_ERR("Can't allocate memory for new frame"); 116 BT_ERR("Can't allocate memory for new frame");
143 return -ENOMEM; 117 return -ENOMEM;
144 } 118 }
145 119
146 *skb_put(skb, 1) = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT; 120 *skb_put(skb, 1) = hdr;
147 *skb_put(skb, 1) = 0x01; 121 if (data && size > 0)
148 *skb_put(skb, 1) = newleds; 122 memcpy(skb_put(skb, size), data, size);
149
150 skb_queue_tail(&session->intr_transmit, skb);
151 123
152 hidp_schedule(session); 124 skb_queue_tail(transmit, skb);
125 wake_up_interruptible(sk_sleep(sk));
153 126
154 return 0; 127 return 0;
155} 128}
156 129
157static int hidp_hidinput_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) 130static int hidp_send_ctrl_message(struct hidp_session *session,
131 unsigned char hdr, const unsigned char *data,
132 int size)
158{ 133{
159 struct hid_device *hid = input_get_drvdata(dev); 134 return hidp_send_message(session, session->ctrl_sock,
160 struct hidp_session *session = hid->driver_data; 135 &session->ctrl_transmit, hdr, data, size);
136}
161 137
162 return hidp_queue_event(session, dev, type, code, value); 138static int hidp_send_intr_message(struct hidp_session *session,
139 unsigned char hdr, const unsigned char *data,
140 int size)
141{
142 return hidp_send_message(session, session->intr_sock,
143 &session->intr_transmit, hdr, data, size);
163} 144}
164 145
165static int hidp_input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) 146static int hidp_input_event(struct input_dev *dev, unsigned int type,
147 unsigned int code, int value)
166{ 148{
167 struct hidp_session *session = input_get_drvdata(dev); 149 struct hidp_session *session = input_get_drvdata(dev);
150 unsigned char newleds;
151 unsigned char hdr, data[2];
152
153 BT_DBG("session %p type %d code %d value %d",
154 session, type, code, value);
155
156 if (type != EV_LED)
157 return -1;
158
159 newleds = (!!test_bit(LED_KANA, dev->led) << 3) |
160 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
161 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
162 (!!test_bit(LED_CAPSL, dev->led) << 1) |
163 (!!test_bit(LED_NUML, dev->led));
168 164
169 return hidp_queue_event(session, dev, type, code, value); 165 if (session->leds == newleds)
166 return 0;
167
168 session->leds = newleds;
169
170 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
171 data[0] = 0x01;
172 data[1] = newleds;
173
174 return hidp_send_intr_message(session, hdr, data, 2);
170} 175}
171 176
172static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb) 177static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
@@ -224,71 +229,9 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
224 input_sync(dev); 229 input_sync(dev);
225} 230}
226 231
227static int __hidp_send_ctrl_message(struct hidp_session *session,
228 unsigned char hdr, unsigned char *data,
229 int size)
230{
231 struct sk_buff *skb;
232
233 BT_DBG("session %p data %p size %d", session, data, size);
234
235 if (atomic_read(&session->terminate))
236 return -EIO;
237
238 skb = alloc_skb(size + 1, GFP_ATOMIC);
239 if (!skb) {
240 BT_ERR("Can't allocate memory for new frame");
241 return -ENOMEM;
242 }
243
244 *skb_put(skb, 1) = hdr;
245 if (data && size > 0)
246 memcpy(skb_put(skb, size), data, size);
247
248 skb_queue_tail(&session->ctrl_transmit, skb);
249
250 return 0;
251}
252
253static int hidp_send_ctrl_message(struct hidp_session *session,
254 unsigned char hdr, unsigned char *data, int size)
255{
256 int err;
257
258 err = __hidp_send_ctrl_message(session, hdr, data, size);
259
260 hidp_schedule(session);
261
262 return err;
263}
264
265static int hidp_queue_report(struct hidp_session *session,
266 unsigned char *data, int size)
267{
268 struct sk_buff *skb;
269
270 BT_DBG("session %p hid %p data %p size %d", session, session->hid, data, size);
271
272 skb = alloc_skb(size + 1, GFP_ATOMIC);
273 if (!skb) {
274 BT_ERR("Can't allocate memory for new frame");
275 return -ENOMEM;
276 }
277
278 *skb_put(skb, 1) = 0xa2;
279 if (size > 0)
280 memcpy(skb_put(skb, size), data, size);
281
282 skb_queue_tail(&session->intr_transmit, skb);
283
284 hidp_schedule(session);
285
286 return 0;
287}
288
289static int hidp_send_report(struct hidp_session *session, struct hid_report *report) 232static int hidp_send_report(struct hidp_session *session, struct hid_report *report)
290{ 233{
291 unsigned char buf[32]; 234 unsigned char buf[32], hdr;
292 int rsize; 235 int rsize;
293 236
294 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0); 237 rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0);
@@ -296,8 +239,9 @@ static int hidp_send_report(struct hidp_session *session, struct hid_report *rep
296 return -EIO; 239 return -EIO;
297 240
298 hid_output_report(report, buf); 241 hid_output_report(report, buf);
242 hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
299 243
300 return hidp_queue_report(session, buf, rsize); 244 return hidp_send_intr_message(session, hdr, buf, rsize);
301} 245}
302 246
303static int hidp_get_raw_report(struct hid_device *hid, 247static int hidp_get_raw_report(struct hid_device *hid,
@@ -336,17 +280,19 @@ static int hidp_get_raw_report(struct hid_device *hid,
336 session->waiting_report_number = numbered_reports ? report_number : -1; 280 session->waiting_report_number = numbered_reports ? report_number : -1;
337 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags); 281 set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
338 data[0] = report_number; 282 data[0] = report_number;
339 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 1); 283 ret = hidp_send_ctrl_message(session, report_type, data, 1);
340 if (ret) 284 if (ret)
341 goto err; 285 goto err;
342 286
343 /* Wait for the return of the report. The returned report 287 /* Wait for the return of the report. The returned report
344 gets put in session->report_return. */ 288 gets put in session->report_return. */
345 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) { 289 while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
290 !atomic_read(&session->terminate)) {
346 int res; 291 int res;
347 292
348 res = wait_event_interruptible_timeout(session->report_queue, 293 res = wait_event_interruptible_timeout(session->report_queue,
349 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags), 294 !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
295 || atomic_read(&session->terminate),
350 5*HZ); 296 5*HZ);
351 if (res == 0) { 297 if (res == 0) {
352 /* timeout */ 298 /* timeout */
@@ -389,14 +335,11 @@ static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, s
389 struct hidp_session *session = hid->driver_data; 335 struct hidp_session *session = hid->driver_data;
390 int ret; 336 int ret;
391 337
392 switch (report_type) { 338 if (report_type == HID_OUTPUT_REPORT) {
393 case HID_FEATURE_REPORT: 339 report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
394 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE; 340 return hidp_send_intr_message(session, report_type,
395 break; 341 data, count);
396 case HID_OUTPUT_REPORT: 342 } else if (report_type != HID_FEATURE_REPORT) {
397 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
398 break;
399 default:
400 return -EINVAL; 343 return -EINVAL;
401 } 344 }
402 345
@@ -405,17 +348,19 @@ static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, s
405 348
406 /* Set up our wait, and send the report request to the device. */ 349 /* Set up our wait, and send the report request to the device. */
407 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags); 350 set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
408 ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 351 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
409 count); 352 ret = hidp_send_ctrl_message(session, report_type, data, count);
410 if (ret) 353 if (ret)
411 goto err; 354 goto err;
412 355
413 /* Wait for the ACK from the device. */ 356 /* Wait for the ACK from the device. */
414 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) { 357 while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
358 !atomic_read(&session->terminate)) {
415 int res; 359 int res;
416 360
417 res = wait_event_interruptible_timeout(session->report_queue, 361 res = wait_event_interruptible_timeout(session->report_queue,
418 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags), 362 !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
363 || atomic_read(&session->terminate),
419 10*HZ); 364 10*HZ);
420 if (res == 0) { 365 if (res == 0) {
421 /* timeout */ 366 /* timeout */
@@ -446,8 +391,7 @@ static void hidp_idle_timeout(unsigned long arg)
446{ 391{
447 struct hidp_session *session = (struct hidp_session *) arg; 392 struct hidp_session *session = (struct hidp_session *) arg;
448 393
449 atomic_inc(&session->terminate); 394 hidp_session_terminate(session);
450 wake_up_process(session->task);
451} 395}
452 396
453static void hidp_set_timer(struct hidp_session *session) 397static void hidp_set_timer(struct hidp_session *session)
@@ -490,12 +434,12 @@ static void hidp_process_handshake(struct hidp_session *session,
490 case HIDP_HSHK_ERR_FATAL: 434 case HIDP_HSHK_ERR_FATAL:
491 /* Device requests a reboot, as this is the only way this error 435 /* Device requests a reboot, as this is the only way this error
492 * can be recovered. */ 436 * can be recovered. */
493 __hidp_send_ctrl_message(session, 437 hidp_send_ctrl_message(session,
494 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0); 438 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
495 break; 439 break;
496 440
497 default: 441 default:
498 __hidp_send_ctrl_message(session, 442 hidp_send_ctrl_message(session,
499 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 443 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
500 break; 444 break;
501 } 445 }
@@ -515,8 +459,7 @@ static void hidp_process_hid_control(struct hidp_session *session,
515 skb_queue_purge(&session->ctrl_transmit); 459 skb_queue_purge(&session->ctrl_transmit);
516 skb_queue_purge(&session->intr_transmit); 460 skb_queue_purge(&session->intr_transmit);
517 461
518 atomic_inc(&session->terminate); 462 hidp_session_terminate(session);
519 wake_up_process(current);
520 } 463 }
521} 464}
522 465
@@ -544,7 +487,7 @@ static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
544 break; 487 break;
545 488
546 default: 489 default:
547 __hidp_send_ctrl_message(session, 490 hidp_send_ctrl_message(session,
548 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0); 491 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
549 } 492 }
550 493
@@ -591,7 +534,7 @@ static void hidp_recv_ctrl_frame(struct hidp_session *session,
591 break; 534 break;
592 535
593 default: 536 default:
594 __hidp_send_ctrl_message(session, 537 hidp_send_ctrl_message(session,
595 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0); 538 HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
596 break; 539 break;
597 } 540 }
@@ -642,32 +585,24 @@ static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
642 return kernel_sendmsg(sock, &msg, &iv, 1, len); 585 return kernel_sendmsg(sock, &msg, &iv, 1, len);
643} 586}
644 587
645static void hidp_process_intr_transmit(struct hidp_session *session) 588/* dequeue message from @transmit and send via @sock */
589static void hidp_process_transmit(struct hidp_session *session,
590 struct sk_buff_head *transmit,
591 struct socket *sock)
646{ 592{
647 struct sk_buff *skb; 593 struct sk_buff *skb;
594 int ret;
648 595
649 BT_DBG("session %p", session); 596 BT_DBG("session %p", session);
650 597
651 while ((skb = skb_dequeue(&session->intr_transmit))) { 598 while ((skb = skb_dequeue(transmit))) {
652 if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) { 599 ret = hidp_send_frame(sock, skb->data, skb->len);
653 skb_queue_head(&session->intr_transmit, skb); 600 if (ret == -EAGAIN) {
601 skb_queue_head(transmit, skb);
654 break; 602 break;
655 } 603 } else if (ret < 0) {
656 604 hidp_session_terminate(session);
657 hidp_set_timer(session); 605 kfree_skb(skb);
658 kfree_skb(skb);
659 }
660}
661
662static void hidp_process_ctrl_transmit(struct hidp_session *session)
663{
664 struct sk_buff *skb;
665
666 BT_DBG("session %p", session);
667
668 while ((skb = skb_dequeue(&session->ctrl_transmit))) {
669 if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
670 skb_queue_head(&session->ctrl_transmit, skb);
671 break; 606 break;
672 } 607 }
673 608
@@ -676,122 +611,6 @@ static void hidp_process_ctrl_transmit(struct hidp_session *session)
676 } 611 }
677} 612}
678 613
679static int hidp_session(void *arg)
680{
681 struct hidp_session *session = arg;
682 struct sock *ctrl_sk = session->ctrl_sock->sk;
683 struct sock *intr_sk = session->intr_sock->sk;
684 struct sk_buff *skb;
685 wait_queue_t ctrl_wait, intr_wait;
686
687 BT_DBG("session %p", session);
688
689 __module_get(THIS_MODULE);
690 set_user_nice(current, -15);
691
692 init_waitqueue_entry(&ctrl_wait, current);
693 init_waitqueue_entry(&intr_wait, current);
694 add_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
695 add_wait_queue(sk_sleep(intr_sk), &intr_wait);
696 session->waiting_for_startup = 0;
697 wake_up_interruptible(&session->startup_queue);
698 set_current_state(TASK_INTERRUPTIBLE);
699 while (!atomic_read(&session->terminate)) {
700 if (ctrl_sk->sk_state != BT_CONNECTED ||
701 intr_sk->sk_state != BT_CONNECTED)
702 break;
703
704 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
705 skb_orphan(skb);
706 if (!skb_linearize(skb))
707 hidp_recv_intr_frame(session, skb);
708 else
709 kfree_skb(skb);
710 }
711
712 hidp_process_intr_transmit(session);
713
714 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
715 skb_orphan(skb);
716 if (!skb_linearize(skb))
717 hidp_recv_ctrl_frame(session, skb);
718 else
719 kfree_skb(skb);
720 }
721
722 hidp_process_ctrl_transmit(session);
723
724 schedule();
725 set_current_state(TASK_INTERRUPTIBLE);
726 }
727 set_current_state(TASK_RUNNING);
728 atomic_inc(&session->terminate);
729 remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
730 remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
731
732 clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
733 clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
734 wake_up_interruptible(&session->report_queue);
735
736 down_write(&hidp_session_sem);
737
738 hidp_del_timer(session);
739
740 if (session->input) {
741 input_unregister_device(session->input);
742 session->input = NULL;
743 }
744
745 if (session->hid) {
746 hid_destroy_device(session->hid);
747 session->hid = NULL;
748 }
749
750 /* Wakeup user-space polling for socket errors */
751 session->intr_sock->sk->sk_err = EUNATCH;
752 session->ctrl_sock->sk->sk_err = EUNATCH;
753
754 hidp_schedule(session);
755
756 fput(session->intr_sock->file);
757
758 wait_event_timeout(*(sk_sleep(ctrl_sk)),
759 (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
760
761 fput(session->ctrl_sock->file);
762
763 __hidp_unlink_session(session);
764
765 up_write(&hidp_session_sem);
766
767 kfree(session->rd_data);
768 kfree(session);
769 module_put_and_exit(0);
770 return 0;
771}
772
773static struct hci_conn *hidp_get_connection(struct hidp_session *session)
774{
775 bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
776 bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
777 struct hci_conn *conn;
778 struct hci_dev *hdev;
779
780 hdev = hci_get_route(dst, src);
781 if (!hdev)
782 return NULL;
783
784 hci_dev_lock(hdev);
785 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
786 if (conn)
787 hci_conn_hold_device(conn);
788 hci_dev_unlock(hdev);
789
790 hci_dev_put(hdev);
791
792 return conn;
793}
794
795static int hidp_setup_input(struct hidp_session *session, 614static int hidp_setup_input(struct hidp_session *session,
796 struct hidp_connadd_req *req) 615 struct hidp_connadd_req *req)
797{ 616{
@@ -839,7 +658,7 @@ static int hidp_setup_input(struct hidp_session *session,
839 input->relbit[0] |= BIT_MASK(REL_WHEEL); 658 input->relbit[0] |= BIT_MASK(REL_WHEEL);
840 } 659 }
841 660
842 input->dev.parent = &session->conn->dev; 661 input->dev.parent = &session->conn->hcon->dev;
843 662
844 input->event = hidp_input_event; 663 input->event = hidp_input_event;
845 664
@@ -898,7 +717,6 @@ static struct hid_ll_driver hidp_hid_driver = {
898 .stop = hidp_stop, 717 .stop = hidp_stop,
899 .open = hidp_open, 718 .open = hidp_open,
900 .close = hidp_close, 719 .close = hidp_close,
901 .hidinput_input_event = hidp_hidinput_event,
902}; 720};
903 721
904/* This function sets up the hid device. It does not add it 722/* This function sets up the hid device. It does not add it
@@ -943,7 +761,7 @@ static int hidp_setup_hid(struct hidp_session *session,
943 snprintf(hid->uniq, sizeof(hid->uniq), "%pMR", 761 snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
944 &bt_sk(session->ctrl_sock->sk)->dst); 762 &bt_sk(session->ctrl_sock->sk)->dst);
945 763
946 hid->dev.parent = &session->conn->dev; 764 hid->dev.parent = &session->conn->hcon->dev;
947 hid->ll_driver = &hidp_hid_driver; 765 hid->ll_driver = &hidp_hid_driver;
948 766
949 hid->hid_get_raw_report = hidp_get_raw_report; 767 hid->hid_get_raw_report = hidp_get_raw_report;
@@ -965,80 +783,217 @@ fault:
965 return err; 783 return err;
966} 784}
967 785
968int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock) 786/* initialize session devices */
787static int hidp_session_dev_init(struct hidp_session *session,
788 struct hidp_connadd_req *req)
969{ 789{
970 struct hidp_session *session, *s; 790 int ret;
971 int vendor, product;
972 int err;
973 791
974 BT_DBG(""); 792 if (req->rd_size > 0) {
793 ret = hidp_setup_hid(session, req);
794 if (ret && ret != -ENODEV)
795 return ret;
796 }
975 797
976 if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) || 798 if (!session->hid) {
977 bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst)) 799 ret = hidp_setup_input(session, req);
978 return -ENOTUNIQ; 800 if (ret < 0)
801 return ret;
802 }
979 803
980 BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size); 804 return 0;
805}
981 806
982 down_write(&hidp_session_sem); 807/* destroy session devices */
808static void hidp_session_dev_destroy(struct hidp_session *session)
809{
810 if (session->hid)
811 put_device(&session->hid->dev);
812 else if (session->input)
813 input_put_device(session->input);
983 814
984 s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst); 815 kfree(session->rd_data);
985 if (s && s->state == BT_CONNECTED) { 816 session->rd_data = NULL;
986 up_write(&hidp_session_sem); 817}
987 return -EEXIST;
988 }
989 818
990 session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL); 819/* add HID/input devices to their underlying bus systems */
991 if (!session) { 820static int hidp_session_dev_add(struct hidp_session *session)
992 up_write(&hidp_session_sem); 821{
993 return -ENOMEM; 822 int ret;
994 }
995 823
996 bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst); 824 /* Both HID and input systems drop a ref-count when unregistering the
825 * device but they don't take a ref-count when registering them. Work
826 * around this by explicitly taking a refcount during registration
827 * which is dropped automatically by unregistering the devices. */
997 828
998 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu, 829 if (session->hid) {
999 l2cap_pi(ctrl_sock->sk)->chan->imtu); 830 ret = hid_add_device(session->hid);
1000 session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu, 831 if (ret)
1001 l2cap_pi(intr_sock->sk)->chan->imtu); 832 return ret;
833 get_device(&session->hid->dev);
834 } else if (session->input) {
835 ret = input_register_device(session->input);
836 if (ret)
837 return ret;
838 input_get_device(session->input);
839 }
1002 840
1003 BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu); 841 return 0;
842}
1004 843
1005 session->ctrl_sock = ctrl_sock; 844/* remove HID/input devices from their bus systems */
1006 session->intr_sock = intr_sock; 845static void hidp_session_dev_del(struct hidp_session *session)
1007 session->state = BT_CONNECTED; 846{
847 if (session->hid)
848 hid_destroy_device(session->hid);
849 else if (session->input)
850 input_unregister_device(session->input);
851}
1008 852
1009 session->conn = hidp_get_connection(session); 853/*
1010 if (!session->conn) { 854 * Create new session object
1011 err = -ENOTCONN; 855 * Allocate session object, initialize static fields, copy input data into the
1012 goto failed; 856 * object and take a reference to all sub-objects.
1013 } 857 * This returns 0 on success and puts a pointer to the new session object in
858 * \out. Otherwise, an error code is returned.
859 * The new session object has an initial ref-count of 1.
860 */
861static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
862 struct socket *ctrl_sock,
863 struct socket *intr_sock,
864 struct hidp_connadd_req *req,
865 struct l2cap_conn *conn)
866{
867 struct hidp_session *session;
868 int ret;
869 struct bt_sock *ctrl, *intr;
870
871 ctrl = bt_sk(ctrl_sock->sk);
872 intr = bt_sk(intr_sock->sk);
1014 873
1015 setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session); 874 session = kzalloc(sizeof(*session), GFP_KERNEL);
875 if (!session)
876 return -ENOMEM;
1016 877
878 /* object and runtime management */
879 kref_init(&session->ref);
880 atomic_set(&session->state, HIDP_SESSION_IDLING);
881 init_waitqueue_head(&session->state_queue);
882 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
883
884 /* connection management */
885 bacpy(&session->bdaddr, bdaddr);
886 session->conn = conn;
887 session->user.probe = hidp_session_probe;
888 session->user.remove = hidp_session_remove;
889 session->ctrl_sock = ctrl_sock;
890 session->intr_sock = intr_sock;
1017 skb_queue_head_init(&session->ctrl_transmit); 891 skb_queue_head_init(&session->ctrl_transmit);
1018 skb_queue_head_init(&session->intr_transmit); 892 skb_queue_head_init(&session->intr_transmit);
893 session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
894 l2cap_pi(ctrl)->chan->imtu);
895 session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
896 l2cap_pi(intr)->chan->imtu);
897 session->idle_to = req->idle_to;
898
899 /* device management */
900 setup_timer(&session->timer, hidp_idle_timeout,
901 (unsigned long)session);
1019 902
903 /* session data */
1020 mutex_init(&session->report_mutex); 904 mutex_init(&session->report_mutex);
1021 init_waitqueue_head(&session->report_queue); 905 init_waitqueue_head(&session->report_queue);
1022 init_waitqueue_head(&session->startup_queue);
1023 session->waiting_for_startup = 1;
1024 session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
1025 session->idle_to = req->idle_to;
1026 906
1027 __hidp_link_session(session); 907 ret = hidp_session_dev_init(session, req);
908 if (ret)
909 goto err_free;
1028 910
1029 if (req->rd_size > 0) { 911 l2cap_conn_get(session->conn);
1030 err = hidp_setup_hid(session, req); 912 get_file(session->intr_sock->file);
1031 if (err && err != -ENODEV) 913 get_file(session->ctrl_sock->file);
1032 goto purge; 914 *out = session;
1033 } 915 return 0;
1034 916
1035 if (!session->hid) { 917err_free:
1036 err = hidp_setup_input(session, req); 918 kfree(session);
1037 if (err < 0) 919 return ret;
1038 goto purge; 920}
921
922/* increase ref-count of the given session by one */
923static void hidp_session_get(struct hidp_session *session)
924{
925 kref_get(&session->ref);
926}
927
928/* release callback */
929static void session_free(struct kref *ref)
930{
931 struct hidp_session *session = container_of(ref, struct hidp_session,
932 ref);
933
934 hidp_session_dev_destroy(session);
935 skb_queue_purge(&session->ctrl_transmit);
936 skb_queue_purge(&session->intr_transmit);
937 fput(session->intr_sock->file);
938 fput(session->ctrl_sock->file);
939 l2cap_conn_put(session->conn);
940 kfree(session);
941}
942
943/* decrease ref-count of the given session by one */
944static void hidp_session_put(struct hidp_session *session)
945{
946 kref_put(&session->ref, session_free);
947}
948
949/*
950 * Search the list of active sessions for a session with target address
951 * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
952 * you do not release this lock, the session objects cannot vanish and you can
953 * safely take a reference to the session yourself.
954 */
955static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
956{
957 struct hidp_session *session;
958
959 list_for_each_entry(session, &hidp_session_list, list) {
960 if (!bacmp(bdaddr, &session->bdaddr))
961 return session;
1039 } 962 }
1040 963
1041 hidp_set_timer(session); 964 return NULL;
965}
966
967/*
968 * Same as __hidp_session_find() but no locks must be held. This also takes a
969 * reference of the returned session (if non-NULL) so you must drop this
970 * reference if you no longer use the object.
971 */
972static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
973{
974 struct hidp_session *session;
975
976 down_read(&hidp_session_sem);
977
978 session = __hidp_session_find(bdaddr);
979 if (session)
980 hidp_session_get(session);
981
982 up_read(&hidp_session_sem);
983
984 return session;
985}
986
987/*
988 * Start session synchronously
989 * This starts a session thread and waits until initialization
990 * is done or returns an error if it couldn't be started.
991 * If this returns 0 the session thread is up and running. You must call
992 * hipd_session_stop_sync() before deleting any runtime resources.
993 */
994static int hidp_session_start_sync(struct hidp_session *session)
995{
996 unsigned int vendor, product;
1042 997
1043 if (session->hid) { 998 if (session->hid) {
1044 vendor = session->hid->vendor; 999 vendor = session->hid->vendor;
@@ -1051,98 +1006,320 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
1051 product = 0x0000; 1006 product = 0x0000;
1052 } 1007 }
1053 1008
1054 session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x", 1009 session->task = kthread_run(hidp_session_thread, session,
1055 vendor, product); 1010 "khidpd_%04x%04x", vendor, product);
1056 if (IS_ERR(session->task)) { 1011 if (IS_ERR(session->task))
1057 err = PTR_ERR(session->task); 1012 return PTR_ERR(session->task);
1058 goto unlink;
1059 }
1060 1013
1061 while (session->waiting_for_startup) { 1014 while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
1062 wait_event_interruptible(session->startup_queue, 1015 wait_event(session->state_queue,
1063 !session->waiting_for_startup); 1016 atomic_read(&session->state) > HIDP_SESSION_IDLING);
1064 }
1065 1017
1066 if (session->hid) 1018 return 0;
1067 err = hid_add_device(session->hid); 1019}
1068 else
1069 err = input_register_device(session->input);
1070 1020
1071 if (err < 0) { 1021/*
1072 atomic_inc(&session->terminate); 1022 * Terminate session thread
1073 wake_up_process(session->task); 1023 * Wake up session thread and notify it to stop. This is asynchronous and
1074 up_write(&hidp_session_sem); 1024 * returns immediately. Call this whenever a runtime error occurs and you want
1075 return err; 1025 * the session to stop.
1076 } 1026 * Note: wake_up_process() performs any necessary memory-barriers for us.
1027 */
1028static void hidp_session_terminate(struct hidp_session *session)
1029{
1030 atomic_inc(&session->terminate);
1031 wake_up_process(session->task);
1032}
1077 1033
1078 if (session->input) { 1034/*
1079 hidp_send_ctrl_message(session, 1035 * Probe HIDP session
1080 HIDP_TRANS_SET_PROTOCOL | HIDP_PROTO_BOOT, NULL, 0); 1036 * This is called from the l2cap_conn core when our l2cap_user object is bound
1081 session->flags |= (1 << HIDP_BOOT_PROTOCOL_MODE); 1037 * to the hci-connection. We get the session via the \user object and can now
1038 * start the session thread, register the HID/input devices and link it into
1039 * the global session list.
1040 * The global session-list owns its own reference to the session object so you
1041 * can drop your own reference after registering the l2cap_user object.
1042 */
1043static int hidp_session_probe(struct l2cap_conn *conn,
1044 struct l2cap_user *user)
1045{
1046 struct hidp_session *session = container_of(user,
1047 struct hidp_session,
1048 user);
1049 struct hidp_session *s;
1050 int ret;
1051
1052 down_write(&hidp_session_sem);
1082 1053
1083 session->leds = 0xff; 1054 /* check that no other session for this device exists */
1084 hidp_input_event(session->input, EV_LED, 0, 0); 1055 s = __hidp_session_find(&session->bdaddr);
1056 if (s) {
1057 ret = -EEXIST;
1058 goto out_unlock;
1085 } 1059 }
1086 1060
1061 ret = hidp_session_start_sync(session);
1062 if (ret)
1063 goto out_unlock;
1064
1065 ret = hidp_session_dev_add(session);
1066 if (ret)
1067 goto out_stop;
1068
1069 hidp_session_get(session);
1070 list_add(&session->list, &hidp_session_list);
1071 ret = 0;
1072 goto out_unlock;
1073
1074out_stop:
1075 hidp_session_terminate(session);
1076out_unlock:
1087 up_write(&hidp_session_sem); 1077 up_write(&hidp_session_sem);
1088 return 0; 1078 return ret;
1079}
1080
1081/*
1082 * Remove HIDP session
1083 * Called from the l2cap_conn core when either we explicitly unregistered
1084 * the l2cap_user object or if the underlying connection is shut down.
1085 * We signal the hidp-session thread to shut down, unregister the HID/input
1086 * devices and unlink the session from the global list.
1087 * This drops the reference to the session that is owned by the global
1088 * session-list.
1089 * Note: We _must_ not synchronosly wait for the session-thread to shut down.
1090 * This is, because the session-thread might be waiting for an HCI lock that is
1091 * held while we are called. Therefore, we only unregister the devices and
1092 * notify the session-thread to terminate. The thread itself owns a reference
1093 * to the session object so it can safely shut down.
1094 */
1095static void hidp_session_remove(struct l2cap_conn *conn,
1096 struct l2cap_user *user)
1097{
1098 struct hidp_session *session = container_of(user,
1099 struct hidp_session,
1100 user);
1101
1102 down_write(&hidp_session_sem);
1103
1104 hidp_session_terminate(session);
1105 hidp_session_dev_del(session);
1106 list_del(&session->list);
1107
1108 up_write(&hidp_session_sem);
1109
1110 hidp_session_put(session);
1111}
1112
1113/*
1114 * Session Worker
1115 * This performs the actual main-loop of the HIDP worker. We first check
1116 * whether the underlying connection is still alive, then parse all pending
1117 * messages and finally send all outstanding messages.
1118 */
1119static void hidp_session_run(struct hidp_session *session)
1120{
1121 struct sock *ctrl_sk = session->ctrl_sock->sk;
1122 struct sock *intr_sk = session->intr_sock->sk;
1123 struct sk_buff *skb;
1124
1125 for (;;) {
1126 /*
1127 * This thread can be woken up two ways:
1128 * - You call hidp_session_terminate() which sets the
1129 * session->terminate flag and wakes this thread up.
1130 * - Via modifying the socket state of ctrl/intr_sock. This
1131 * thread is woken up by ->sk_state_changed().
1132 *
1133 * Note: set_current_state() performs any necessary
1134 * memory-barriers for us.
1135 */
1136 set_current_state(TASK_INTERRUPTIBLE);
1137
1138 if (atomic_read(&session->terminate))
1139 break;
1140
1141 if (ctrl_sk->sk_state != BT_CONNECTED ||
1142 intr_sk->sk_state != BT_CONNECTED)
1143 break;
1144
1145 /* parse incoming intr-skbs */
1146 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
1147 skb_orphan(skb);
1148 if (!skb_linearize(skb))
1149 hidp_recv_intr_frame(session, skb);
1150 else
1151 kfree_skb(skb);
1152 }
1153
1154 /* send pending intr-skbs */
1155 hidp_process_transmit(session, &session->intr_transmit,
1156 session->intr_sock);
1089 1157
1090unlink: 1158 /* parse incoming ctrl-skbs */
1159 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
1160 skb_orphan(skb);
1161 if (!skb_linearize(skb))
1162 hidp_recv_ctrl_frame(session, skb);
1163 else
1164 kfree_skb(skb);
1165 }
1166
1167 /* send pending ctrl-skbs */
1168 hidp_process_transmit(session, &session->ctrl_transmit,
1169 session->ctrl_sock);
1170
1171 schedule();
1172 }
1173
1174 atomic_inc(&session->terminate);
1175 set_current_state(TASK_RUNNING);
1176}
1177
1178/*
1179 * HIDP session thread
1180 * This thread runs the I/O for a single HIDP session. Startup is synchronous
1181 * which allows us to take references to ourself here instead of doing that in
1182 * the caller.
1183 * When we are ready to run we notify the caller and call hidp_session_run().
1184 */
1185static int hidp_session_thread(void *arg)
1186{
1187 struct hidp_session *session = arg;
1188 wait_queue_t ctrl_wait, intr_wait;
1189
1190 BT_DBG("session %p", session);
1191
1192 /* initialize runtime environment */
1193 hidp_session_get(session);
1194 __module_get(THIS_MODULE);
1195 set_user_nice(current, -15);
1196 hidp_set_timer(session);
1197
1198 init_waitqueue_entry(&ctrl_wait, current);
1199 init_waitqueue_entry(&intr_wait, current);
1200 add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
1201 add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1202 /* This memory barrier is paired with wq_has_sleeper(). See
1203 * sock_poll_wait() for more information why this is needed. */
1204 smp_mb();
1205
1206 /* notify synchronous startup that we're ready */
1207 atomic_inc(&session->state);
1208 wake_up(&session->state_queue);
1209
1210 /* run session */
1211 hidp_session_run(session);
1212
1213 /* cleanup runtime environment */
1214 remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1215 remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
1216 wake_up_interruptible(&session->report_queue);
1091 hidp_del_timer(session); 1217 hidp_del_timer(session);
1092 1218
1093 if (session->input) { 1219 /*
1094 input_unregister_device(session->input); 1220 * If we stopped ourself due to any internal signal, we should try to
1095 session->input = NULL; 1221 * unregister our own session here to avoid having it linger until the
1222 * parent l2cap_conn dies or user-space cleans it up.
1223 * This does not deadlock as we don't do any synchronous shutdown.
1224 * Instead, this call has the same semantics as if user-space tried to
1225 * delete the session.
1226 */
1227 l2cap_unregister_user(session->conn, &session->user);
1228 hidp_session_put(session);
1229
1230 module_put_and_exit(0);
1231 return 0;
1232}
1233
1234static int hidp_verify_sockets(struct socket *ctrl_sock,
1235 struct socket *intr_sock)
1236{
1237 struct bt_sock *ctrl, *intr;
1238 struct hidp_session *session;
1239
1240 if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
1241 return -EINVAL;
1242
1243 ctrl = bt_sk(ctrl_sock->sk);
1244 intr = bt_sk(intr_sock->sk);
1245
1246 if (bacmp(&ctrl->src, &intr->src) || bacmp(&ctrl->dst, &intr->dst))
1247 return -ENOTUNIQ;
1248 if (ctrl->sk.sk_state != BT_CONNECTED ||
1249 intr->sk.sk_state != BT_CONNECTED)
1250 return -EBADFD;
1251
1252 /* early session check, we check again during session registration */
1253 session = hidp_session_find(&ctrl->dst);
1254 if (session) {
1255 hidp_session_put(session);
1256 return -EEXIST;
1096 } 1257 }
1097 1258
1098 if (session->hid) { 1259 return 0;
1099 hid_destroy_device(session->hid); 1260}
1100 session->hid = NULL; 1261
1262int hidp_connection_add(struct hidp_connadd_req *req,
1263 struct socket *ctrl_sock,
1264 struct socket *intr_sock)
1265{
1266 struct hidp_session *session;
1267 struct l2cap_conn *conn;
1268 struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
1269 int ret;
1270
1271 ret = hidp_verify_sockets(ctrl_sock, intr_sock);
1272 if (ret)
1273 return ret;
1274
1275 conn = NULL;
1276 l2cap_chan_lock(chan);
1277 if (chan->conn) {
1278 l2cap_conn_get(chan->conn);
1279 conn = chan->conn;
1101 } 1280 }
1281 l2cap_chan_unlock(chan);
1102 1282
1103 kfree(session->rd_data); 1283 if (!conn)
1104 session->rd_data = NULL; 1284 return -EBADFD;
1105 1285
1106purge: 1286 ret = hidp_session_new(&session, &bt_sk(ctrl_sock->sk)->dst, ctrl_sock,
1107 __hidp_unlink_session(session); 1287 intr_sock, req, conn);
1288 if (ret)
1289 goto out_conn;
1108 1290
1109 skb_queue_purge(&session->ctrl_transmit); 1291 ret = l2cap_register_user(conn, &session->user);
1110 skb_queue_purge(&session->intr_transmit); 1292 if (ret)
1293 goto out_session;
1111 1294
1112failed: 1295 ret = 0;
1113 up_write(&hidp_session_sem);
1114 1296
1115 kfree(session); 1297out_session:
1116 return err; 1298 hidp_session_put(session);
1299out_conn:
1300 l2cap_conn_put(conn);
1301 return ret;
1117} 1302}
1118 1303
1119int hidp_del_connection(struct hidp_conndel_req *req) 1304int hidp_connection_del(struct hidp_conndel_req *req)
1120{ 1305{
1121 struct hidp_session *session; 1306 struct hidp_session *session;
1122 int err = 0;
1123 1307
1124 BT_DBG(""); 1308 session = hidp_session_find(&req->bdaddr);
1309 if (!session)
1310 return -ENOENT;
1125 1311
1126 down_read(&hidp_session_sem); 1312 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG))
1313 hidp_send_ctrl_message(session,
1314 HIDP_TRANS_HID_CONTROL |
1315 HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
1316 NULL, 0);
1317 else
1318 l2cap_unregister_user(session->conn, &session->user);
1127 1319
1128 session = __hidp_get_session(&req->bdaddr); 1320 hidp_session_put(session);
1129 if (session) {
1130 if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) {
1131 hidp_send_ctrl_message(session,
1132 HIDP_TRANS_HID_CONTROL | HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, NULL, 0);
1133 } else {
1134 /* Flush the transmit queues */
1135 skb_queue_purge(&session->ctrl_transmit);
1136 skb_queue_purge(&session->intr_transmit);
1137
1138 atomic_inc(&session->terminate);
1139 wake_up_process(session->task);
1140 }
1141 } else
1142 err = -ENOENT;
1143 1321
1144 up_read(&hidp_session_sem); 1322 return 0;
1145 return err;
1146} 1323}
1147 1324
1148int hidp_get_connlist(struct hidp_connlist_req *req) 1325int hidp_get_connlist(struct hidp_connlist_req *req)
@@ -1157,7 +1334,7 @@ int hidp_get_connlist(struct hidp_connlist_req *req)
1157 list_for_each_entry(session, &hidp_session_list, list) { 1334 list_for_each_entry(session, &hidp_session_list, list) {
1158 struct hidp_conninfo ci; 1335 struct hidp_conninfo ci;
1159 1336
1160 __hidp_copy_session(session, &ci); 1337 hidp_copy_session(session, &ci);
1161 1338
1162 if (copy_to_user(req->ci, &ci, sizeof(ci))) { 1339 if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1163 err = -EFAULT; 1340 err = -EFAULT;
@@ -1178,18 +1355,14 @@ int hidp_get_connlist(struct hidp_connlist_req *req)
1178int hidp_get_conninfo(struct hidp_conninfo *ci) 1355int hidp_get_conninfo(struct hidp_conninfo *ci)
1179{ 1356{
1180 struct hidp_session *session; 1357 struct hidp_session *session;
1181 int err = 0;
1182
1183 down_read(&hidp_session_sem);
1184 1358
1185 session = __hidp_get_session(&ci->bdaddr); 1359 session = hidp_session_find(&ci->bdaddr);
1186 if (session) 1360 if (session) {
1187 __hidp_copy_session(session, ci); 1361 hidp_copy_session(session, ci);
1188 else 1362 hidp_session_put(session);
1189 err = -ENOENT; 1363 }
1190 1364
1191 up_read(&hidp_session_sem); 1365 return session ? 0 : -ENOENT;
1192 return err;
1193} 1366}
1194 1367
1195static int __init hidp_init(void) 1368static int __init hidp_init(void)
@@ -1208,6 +1381,7 @@ module_init(hidp_init);
1208module_exit(hidp_exit); 1381module_exit(hidp_exit);
1209 1382
1210MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 1383MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1384MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
1211MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION); 1385MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1212MODULE_VERSION(VERSION); 1386MODULE_VERSION(VERSION);
1213MODULE_LICENSE("GPL"); 1387MODULE_LICENSE("GPL");
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index af1bcc823f26..6162ce8606ac 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -24,7 +24,9 @@
24#define __HIDP_H 24#define __HIDP_H
25 25
26#include <linux/types.h> 26#include <linux/types.h>
27#include <linux/kref.h>
27#include <net/bluetooth/bluetooth.h> 28#include <net/bluetooth/bluetooth.h>
29#include <net/bluetooth/l2cap.h>
28 30
29/* HIDP header masks */ 31/* HIDP header masks */
30#define HIDP_HEADER_TRANS_MASK 0xf0 32#define HIDP_HEADER_TRANS_MASK 0xf0
@@ -119,43 +121,52 @@ struct hidp_connlist_req {
119 struct hidp_conninfo __user *ci; 121 struct hidp_conninfo __user *ci;
120}; 122};
121 123
122int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock); 124int hidp_connection_add(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock);
123int hidp_del_connection(struct hidp_conndel_req *req); 125int hidp_connection_del(struct hidp_conndel_req *req);
124int hidp_get_connlist(struct hidp_connlist_req *req); 126int hidp_get_connlist(struct hidp_connlist_req *req);
125int hidp_get_conninfo(struct hidp_conninfo *ci); 127int hidp_get_conninfo(struct hidp_conninfo *ci);
126 128
129enum hidp_session_state {
130 HIDP_SESSION_IDLING,
131 HIDP_SESSION_RUNNING,
132};
133
127/* HIDP session defines */ 134/* HIDP session defines */
128struct hidp_session { 135struct hidp_session {
129 struct list_head list; 136 struct list_head list;
137 struct kref ref;
130 138
131 struct hci_conn *conn; 139 /* runtime management */
140 atomic_t state;
141 wait_queue_head_t state_queue;
142 atomic_t terminate;
143 struct task_struct *task;
144 unsigned long flags;
132 145
146 /* connection management */
147 bdaddr_t bdaddr;
148 struct l2cap_conn *conn;
149 struct l2cap_user user;
133 struct socket *ctrl_sock; 150 struct socket *ctrl_sock;
134 struct socket *intr_sock; 151 struct socket *intr_sock;
135 152 struct sk_buff_head ctrl_transmit;
136 bdaddr_t bdaddr; 153 struct sk_buff_head intr_transmit;
137
138 unsigned long state;
139 unsigned long flags;
140 unsigned long idle_to;
141
142 uint ctrl_mtu; 154 uint ctrl_mtu;
143 uint intr_mtu; 155 uint intr_mtu;
156 unsigned long idle_to;
144 157
145 atomic_t terminate; 158 /* device management */
146 struct task_struct *task;
147
148 unsigned char keys[8];
149 unsigned char leds;
150
151 struct input_dev *input; 159 struct input_dev *input;
152
153 struct hid_device *hid; 160 struct hid_device *hid;
154
155 struct timer_list timer; 161 struct timer_list timer;
156 162
157 struct sk_buff_head ctrl_transmit; 163 /* Report descriptor */
158 struct sk_buff_head intr_transmit; 164 __u8 *rd_data;
165 uint rd_size;
166
167 /* session data */
168 unsigned char keys[8];
169 unsigned char leds;
159 170
160 /* Used in hidp_get_raw_report() */ 171 /* Used in hidp_get_raw_report() */
161 int waiting_report_type; /* HIDP_DATA_RTYPE_* */ 172 int waiting_report_type; /* HIDP_DATA_RTYPE_* */
@@ -166,24 +177,8 @@ struct hidp_session {
166 177
167 /* Used in hidp_output_raw_report() */ 178 /* Used in hidp_output_raw_report() */
168 int output_report_success; /* boolean */ 179 int output_report_success; /* boolean */
169
170 /* Report descriptor */
171 __u8 *rd_data;
172 uint rd_size;
173
174 wait_queue_head_t startup_queue;
175 int waiting_for_startup;
176}; 180};
177 181
178static inline void hidp_schedule(struct hidp_session *session)
179{
180 struct sock *ctrl_sk = session->ctrl_sock->sk;
181 struct sock *intr_sk = session->intr_sock->sk;
182
183 wake_up_interruptible(sk_sleep(ctrl_sk));
184 wake_up_interruptible(sk_sleep(intr_sk));
185}
186
187/* HIDP init defines */ 182/* HIDP init defines */
188extern int __init hidp_init_sockets(void); 183extern int __init hidp_init_sockets(void);
189extern void __exit hidp_cleanup_sockets(void); 184extern void __exit hidp_cleanup_sockets(void);
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 5d0f1ca0a314..2f4cbb0865ca 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -77,21 +77,12 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
77 return err; 77 return err;
78 } 78 }
79 79
80 if (csock->sk->sk_state != BT_CONNECTED || 80 err = hidp_connection_add(&ca, csock, isock);
81 isock->sk->sk_state != BT_CONNECTED) { 81 if (!err && copy_to_user(argp, &ca, sizeof(ca)))
82 sockfd_put(csock); 82 err = -EFAULT;
83 sockfd_put(isock);
84 return -EBADFD;
85 }
86 83
87 err = hidp_add_connection(&ca, csock, isock); 84 sockfd_put(csock);
88 if (!err) { 85 sockfd_put(isock);
89 if (copy_to_user(argp, &ca, sizeof(ca)))
90 err = -EFAULT;
91 } else {
92 sockfd_put(csock);
93 sockfd_put(isock);
94 }
95 86
96 return err; 87 return err;
97 88
@@ -102,7 +93,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
102 if (copy_from_user(&cd, argp, sizeof(cd))) 93 if (copy_from_user(&cd, argp, sizeof(cd)))
103 return -EFAULT; 94 return -EFAULT;
104 95
105 return hidp_del_connection(&cd); 96 return hidp_connection_del(&cd);
106 97
107 case HIDPGETCONNLIST: 98 case HIDPGETCONNLIST:
108 if (copy_from_user(&cl, argp, sizeof(cl))) 99 if (copy_from_user(&cl, argp, sizeof(cl)))
@@ -296,7 +287,6 @@ int __init hidp_init_sockets(void)
296 return 0; 287 return 0;
297 288
298error: 289error:
299 BT_ERR("Can't register HIDP socket");
300 proto_unregister(&hidp_proto); 290 proto_unregister(&hidp_proto);
301 return err; 291 return err;
302} 292}
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7c7e9321f1ea..eae1d9f90b68 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -571,7 +571,7 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
571 chan->conn = NULL; 571 chan->conn = NULL;
572 572
573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP) 573 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
574 hci_conn_put(conn->hcon); 574 hci_conn_drop(conn->hcon);
575 575
576 if (mgr && mgr->bredr_chan == chan) 576 if (mgr && mgr->bredr_chan == chan)
577 mgr->bredr_chan = NULL; 577 mgr->bredr_chan = NULL;
@@ -1446,6 +1446,89 @@ static void l2cap_info_timeout(struct work_struct *work)
1446 l2cap_conn_start(conn); 1446 l2cap_conn_start(conn);
1447} 1447}
1448 1448
1449/*
1450 * l2cap_user
1451 * External modules can register l2cap_user objects on l2cap_conn. The ->probe
1452 * callback is called during registration. The ->remove callback is called
1453 * during unregistration.
1454 * An l2cap_user object can either be explicitly unregistered or when the
1455 * underlying l2cap_conn object is deleted. This guarantees that l2cap->hcon,
1456 * l2cap->hchan, .. are valid as long as the remove callback hasn't been called.
1457 * External modules must own a reference to the l2cap_conn object if they intend
1458 * to call l2cap_unregister_user(). The l2cap_conn object might get destroyed at
1459 * any time if they don't.
1460 */
1461
1462int l2cap_register_user(struct l2cap_conn *conn, struct l2cap_user *user)
1463{
1464 struct hci_dev *hdev = conn->hcon->hdev;
1465 int ret;
1466
1467 /* We need to check whether l2cap_conn is registered. If it is not, we
1468 * must not register the l2cap_user. l2cap_conn_del() is unregisters
1469 * l2cap_conn objects, but doesn't provide its own locking. Instead, it
1470 * relies on the parent hci_conn object to be locked. This itself relies
1471 * on the hci_dev object to be locked. So we must lock the hci device
1472 * here, too. */
1473
1474 hci_dev_lock(hdev);
1475
1476 if (user->list.next || user->list.prev) {
1477 ret = -EINVAL;
1478 goto out_unlock;
1479 }
1480
1481 /* conn->hchan is NULL after l2cap_conn_del() was called */
1482 if (!conn->hchan) {
1483 ret = -ENODEV;
1484 goto out_unlock;
1485 }
1486
1487 ret = user->probe(conn, user);
1488 if (ret)
1489 goto out_unlock;
1490
1491 list_add(&user->list, &conn->users);
1492 ret = 0;
1493
1494out_unlock:
1495 hci_dev_unlock(hdev);
1496 return ret;
1497}
1498EXPORT_SYMBOL(l2cap_register_user);
1499
1500void l2cap_unregister_user(struct l2cap_conn *conn, struct l2cap_user *user)
1501{
1502 struct hci_dev *hdev = conn->hcon->hdev;
1503
1504 hci_dev_lock(hdev);
1505
1506 if (!user->list.next || !user->list.prev)
1507 goto out_unlock;
1508
1509 list_del(&user->list);
1510 user->list.next = NULL;
1511 user->list.prev = NULL;
1512 user->remove(conn, user);
1513
1514out_unlock:
1515 hci_dev_unlock(hdev);
1516}
1517EXPORT_SYMBOL(l2cap_unregister_user);
1518
1519static void l2cap_unregister_all_users(struct l2cap_conn *conn)
1520{
1521 struct l2cap_user *user;
1522
1523 while (!list_empty(&conn->users)) {
1524 user = list_first_entry(&conn->users, struct l2cap_user, list);
1525 list_del(&user->list);
1526 user->list.next = NULL;
1527 user->list.prev = NULL;
1528 user->remove(conn, user);
1529 }
1530}
1531
1449static void l2cap_conn_del(struct hci_conn *hcon, int err) 1532static void l2cap_conn_del(struct hci_conn *hcon, int err)
1450{ 1533{
1451 struct l2cap_conn *conn = hcon->l2cap_data; 1534 struct l2cap_conn *conn = hcon->l2cap_data;
@@ -1458,6 +1541,8 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1458 1541
1459 kfree_skb(conn->rx_skb); 1542 kfree_skb(conn->rx_skb);
1460 1543
1544 l2cap_unregister_all_users(conn);
1545
1461 mutex_lock(&conn->chan_lock); 1546 mutex_lock(&conn->chan_lock);
1462 1547
1463 /* Kill channels */ 1548 /* Kill channels */
@@ -1486,7 +1571,8 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
1486 } 1571 }
1487 1572
1488 hcon->l2cap_data = NULL; 1573 hcon->l2cap_data = NULL;
1489 kfree(conn); 1574 conn->hchan = NULL;
1575 l2cap_conn_put(conn);
1490} 1576}
1491 1577
1492static void security_timeout(struct work_struct *work) 1578static void security_timeout(struct work_struct *work)
@@ -1502,12 +1588,12 @@ static void security_timeout(struct work_struct *work)
1502 } 1588 }
1503} 1589}
1504 1590
1505static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status) 1591static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
1506{ 1592{
1507 struct l2cap_conn *conn = hcon->l2cap_data; 1593 struct l2cap_conn *conn = hcon->l2cap_data;
1508 struct hci_chan *hchan; 1594 struct hci_chan *hchan;
1509 1595
1510 if (conn || status) 1596 if (conn)
1511 return conn; 1597 return conn;
1512 1598
1513 hchan = hci_chan_create(hcon); 1599 hchan = hci_chan_create(hcon);
@@ -1520,8 +1606,10 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1520 return NULL; 1606 return NULL;
1521 } 1607 }
1522 1608
1609 kref_init(&conn->ref);
1523 hcon->l2cap_data = conn; 1610 hcon->l2cap_data = conn;
1524 conn->hcon = hcon; 1611 conn->hcon = hcon;
1612 hci_conn_get(conn->hcon);
1525 conn->hchan = hchan; 1613 conn->hchan = hchan;
1526 1614
1527 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan); 1615 BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
@@ -1547,6 +1635,7 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1547 mutex_init(&conn->chan_lock); 1635 mutex_init(&conn->chan_lock);
1548 1636
1549 INIT_LIST_HEAD(&conn->chan_l); 1637 INIT_LIST_HEAD(&conn->chan_l);
1638 INIT_LIST_HEAD(&conn->users);
1550 1639
1551 if (hcon->type == LE_LINK) 1640 if (hcon->type == LE_LINK)
1552 INIT_DELAYED_WORK(&conn->security_timer, security_timeout); 1641 INIT_DELAYED_WORK(&conn->security_timer, security_timeout);
@@ -1558,6 +1647,26 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
1558 return conn; 1647 return conn;
1559} 1648}
1560 1649
1650static void l2cap_conn_free(struct kref *ref)
1651{
1652 struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
1653
1654 hci_conn_put(conn->hcon);
1655 kfree(conn);
1656}
1657
1658void l2cap_conn_get(struct l2cap_conn *conn)
1659{
1660 kref_get(&conn->ref);
1661}
1662EXPORT_SYMBOL(l2cap_conn_get);
1663
1664void l2cap_conn_put(struct l2cap_conn *conn)
1665{
1666 kref_put(&conn->ref, l2cap_conn_free);
1667}
1668EXPORT_SYMBOL(l2cap_conn_put);
1669
1561/* ---- Socket interface ---- */ 1670/* ---- Socket interface ---- */
1562 1671
1563/* Find socket with psm and source / destination bdaddr. 1672/* Find socket with psm and source / destination bdaddr.
@@ -1695,9 +1804,9 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1695 goto done; 1804 goto done;
1696 } 1805 }
1697 1806
1698 conn = l2cap_conn_add(hcon, 0); 1807 conn = l2cap_conn_add(hcon);
1699 if (!conn) { 1808 if (!conn) {
1700 hci_conn_put(hcon); 1809 hci_conn_drop(hcon);
1701 err = -ENOMEM; 1810 err = -ENOMEM;
1702 goto done; 1811 goto done;
1703 } 1812 }
@@ -1707,7 +1816,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
1707 1816
1708 if (!list_empty(&conn->chan_l)) { 1817 if (!list_empty(&conn->chan_l)) {
1709 err = -EBUSY; 1818 err = -EBUSY;
1710 hci_conn_put(hcon); 1819 hci_conn_drop(hcon);
1711 } 1820 }
1712 1821
1713 if (err) 1822 if (err)
@@ -6313,7 +6422,7 @@ void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
6313 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status); 6422 BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
6314 6423
6315 if (!status) { 6424 if (!status) {
6316 conn = l2cap_conn_add(hcon, status); 6425 conn = l2cap_conn_add(hcon);
6317 if (conn) 6426 if (conn)
6318 l2cap_conn_ready(conn); 6427 l2cap_conn_ready(conn);
6319 } else { 6428 } else {
@@ -6482,7 +6591,7 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
6482 goto drop; 6591 goto drop;
6483 6592
6484 if (!conn) 6593 if (!conn)
6485 conn = l2cap_conn_add(hcon, 0); 6594 conn = l2cap_conn_add(hcon);
6486 6595
6487 if (!conn) 6596 if (!conn)
6488 goto drop; 6597 goto drop;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 7f9704993b74..141e7b058b7e 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -43,6 +43,12 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent);
43static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 43static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
44 int proto, gfp_t prio); 44 int proto, gfp_t prio);
45 45
46bool l2cap_is_socket(struct socket *sock)
47{
48 return sock && sock->ops == &l2cap_sock_ops;
49}
50EXPORT_SYMBOL(l2cap_is_socket);
51
46static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 52static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
47{ 53{
48 struct sock *sk = sock->sk; 54 struct sock *sk = sock->sk;
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 03e7e732215f..4c830c62ef74 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -106,11 +106,10 @@ static const u16 mgmt_events[] = {
106 * These LE scan and inquiry parameters were chosen according to LE General 106 * These LE scan and inquiry parameters were chosen according to LE General
107 * Discovery Procedure specification. 107 * Discovery Procedure specification.
108 */ 108 */
109#define LE_SCAN_TYPE 0x01
110#define LE_SCAN_WIN 0x12 109#define LE_SCAN_WIN 0x12
111#define LE_SCAN_INT 0x12 110#define LE_SCAN_INT 0x12
112#define LE_SCAN_TIMEOUT_LE_ONLY 10240 /* TGAP(gen_disc_scan_min) */ 111#define LE_SCAN_TIMEOUT_LE_ONLY msecs_to_jiffies(10240)
113#define LE_SCAN_TIMEOUT_BREDR_LE 5120 /* TGAP(100)/2 */ 112#define LE_SCAN_TIMEOUT_BREDR_LE msecs_to_jiffies(5120)
114 113
115#define INQUIRY_LEN_BREDR 0x08 /* TGAP(100) */ 114#define INQUIRY_LEN_BREDR 0x08 /* TGAP(100) */
116#define INQUIRY_LEN_BREDR_LE 0x04 /* TGAP(100)/2 */ 115#define INQUIRY_LEN_BREDR_LE 0x04 /* TGAP(100)/2 */
@@ -2131,7 +2130,7 @@ static void pairing_complete(struct pending_cmd *cmd, u8 status)
2131 conn->security_cfm_cb = NULL; 2130 conn->security_cfm_cb = NULL;
2132 conn->disconn_cfm_cb = NULL; 2131 conn->disconn_cfm_cb = NULL;
2133 2132
2134 hci_conn_put(conn); 2133 hci_conn_drop(conn);
2135 2134
2136 mgmt_pending_remove(cmd); 2135 mgmt_pending_remove(cmd);
2137} 2136}
@@ -2222,7 +2221,7 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2222 } 2221 }
2223 2222
2224 if (conn->connect_cfm_cb) { 2223 if (conn->connect_cfm_cb) {
2225 hci_conn_put(conn); 2224 hci_conn_drop(conn);
2226 err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE, 2225 err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2227 MGMT_STATUS_BUSY, &rp, sizeof(rp)); 2226 MGMT_STATUS_BUSY, &rp, sizeof(rp));
2228 goto unlock; 2227 goto unlock;
@@ -2231,7 +2230,7 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2231 cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len); 2230 cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2232 if (!cmd) { 2231 if (!cmd) {
2233 err = -ENOMEM; 2232 err = -ENOMEM;
2234 hci_conn_put(conn); 2233 hci_conn_drop(conn);
2235 goto unlock; 2234 goto unlock;
2236 } 2235 }
2237 2236
@@ -2703,7 +2702,7 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
2703 goto failed; 2702 goto failed;
2704 } 2703 }
2705 2704
2706 err = hci_le_scan(hdev, LE_SCAN_TYPE, LE_SCAN_INT, 2705 err = hci_le_scan(hdev, LE_SCAN_ACTIVE, LE_SCAN_INT,
2707 LE_SCAN_WIN, LE_SCAN_TIMEOUT_LE_ONLY); 2706 LE_SCAN_WIN, LE_SCAN_TIMEOUT_LE_ONLY);
2708 break; 2707 break;
2709 2708
@@ -2715,8 +2714,8 @@ static int start_discovery(struct sock *sk, struct hci_dev *hdev,
2715 goto failed; 2714 goto failed;
2716 } 2715 }
2717 2716
2718 err = hci_le_scan(hdev, LE_SCAN_TYPE, LE_SCAN_INT, LE_SCAN_WIN, 2717 err = hci_le_scan(hdev, LE_SCAN_ACTIVE, LE_SCAN_INT,
2719 LE_SCAN_TIMEOUT_BREDR_LE); 2718 LE_SCAN_WIN, LE_SCAN_TIMEOUT_BREDR_LE);
2720 break; 2719 break;
2721 2720
2722 default: 2721 default:
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index d919d1161ab4..9e62102443dc 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -83,7 +83,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
83 if (conn) 83 if (conn)
84 return conn; 84 return conn;
85 85
86 conn = kzalloc(sizeof(struct sco_conn), GFP_ATOMIC); 86 conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL);
87 if (!conn) 87 if (!conn)
88 return NULL; 88 return NULL;
89 89
@@ -185,7 +185,7 @@ static int sco_connect(struct sock *sk)
185 185
186 conn = sco_conn_add(hcon); 186 conn = sco_conn_add(hcon);
187 if (!conn) { 187 if (!conn) {
188 hci_conn_put(hcon); 188 hci_conn_drop(hcon);
189 err = -ENOMEM; 189 err = -ENOMEM;
190 goto done; 190 goto done;
191 } 191 }
@@ -353,7 +353,7 @@ static void __sco_sock_close(struct sock *sk)
353 if (sco_pi(sk)->conn->hcon) { 353 if (sco_pi(sk)->conn->hcon) {
354 sk->sk_state = BT_DISCONN; 354 sk->sk_state = BT_DISCONN;
355 sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT); 355 sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
356 hci_conn_put(sco_pi(sk)->conn->hcon); 356 hci_conn_drop(sco_pi(sk)->conn->hcon);
357 sco_pi(sk)->conn->hcon = NULL; 357 sco_pi(sk)->conn->hcon = NULL;
358 } else 358 } else
359 sco_chan_del(sk, ECONNRESET); 359 sco_chan_del(sk, ECONNRESET);
@@ -481,8 +481,7 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
481{ 481{
482 struct sockaddr_sco *sa = (struct sockaddr_sco *) addr; 482 struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
483 struct sock *sk = sock->sk; 483 struct sock *sk = sock->sk;
484 int err = 0; 484 int err;
485
486 485
487 BT_DBG("sk %p", sk); 486 BT_DBG("sk %p", sk);
488 487
@@ -653,6 +652,42 @@ static int sco_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
653 return err; 652 return err;
654} 653}
655 654
655static void sco_conn_defer_accept(struct hci_conn *conn, int mask)
656{
657 struct hci_dev *hdev = conn->hdev;
658
659 BT_DBG("conn %p", conn);
660
661 conn->state = BT_CONFIG;
662
663 if (!lmp_esco_capable(hdev)) {
664 struct hci_cp_accept_conn_req cp;
665
666 bacpy(&cp.bdaddr, &conn->dst);
667
668 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
669 cp.role = 0x00; /* Become master */
670 else
671 cp.role = 0x01; /* Remain slave */
672
673 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
674 } else {
675 struct hci_cp_accept_sync_conn_req cp;
676
677 bacpy(&cp.bdaddr, &conn->dst);
678 cp.pkt_type = cpu_to_le16(conn->pkt_type);
679
680 cp.tx_bandwidth = __constant_cpu_to_le32(0x00001f40);
681 cp.rx_bandwidth = __constant_cpu_to_le32(0x00001f40);
682 cp.max_latency = __constant_cpu_to_le16(0xffff);
683 cp.content_format = cpu_to_le16(hdev->voice_setting);
684 cp.retrans_effort = 0xff;
685
686 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
687 sizeof(cp), &cp);
688 }
689}
690
656static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock, 691static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
657 struct msghdr *msg, size_t len, int flags) 692 struct msghdr *msg, size_t len, int flags)
658{ 693{
@@ -663,7 +698,7 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
663 698
664 if (sk->sk_state == BT_CONNECT2 && 699 if (sk->sk_state == BT_CONNECT2 &&
665 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 700 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
666 hci_conn_accept(pi->conn->hcon, 0); 701 sco_conn_defer_accept(pi->conn->hcon, 0);
667 sk->sk_state = BT_CONFIG; 702 sk->sk_state = BT_CONFIG;
668 703
669 release_sock(sk); 704 release_sock(sk);
@@ -882,7 +917,7 @@ static void sco_chan_del(struct sock *sk, int err)
882 sco_conn_unlock(conn); 917 sco_conn_unlock(conn);
883 918
884 if (conn->hcon) 919 if (conn->hcon)
885 hci_conn_put(conn->hcon); 920 hci_conn_drop(conn->hcon);
886 } 921 }
887 922
888 sk->sk_state = BT_CLOSED; 923 sk->sk_state = BT_CLOSED;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 5abefb12891d..b2296d3857a0 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -522,7 +522,7 @@ void smp_chan_destroy(struct l2cap_conn *conn)
522 kfree(smp); 522 kfree(smp);
523 conn->smp_chan = NULL; 523 conn->smp_chan = NULL;
524 conn->hcon->smp_conn = NULL; 524 conn->hcon->smp_conn = NULL;
525 hci_conn_put(conn->hcon); 525 hci_conn_drop(conn->hcon);
526} 526}
527 527
528int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 528int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
diff --git a/net/nfc/core.c b/net/nfc/core.c
index 6ceee8e181ca..40d2527693da 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -27,6 +27,7 @@
27#include <linux/kernel.h> 27#include <linux/kernel.h>
28#include <linux/module.h> 28#include <linux/module.h>
29#include <linux/slab.h> 29#include <linux/slab.h>
30#include <linux/rfkill.h>
30#include <linux/nfc.h> 31#include <linux/nfc.h>
31 32
32#include <net/genetlink.h> 33#include <net/genetlink.h>
@@ -58,6 +59,11 @@ int nfc_dev_up(struct nfc_dev *dev)
58 59
59 device_lock(&dev->dev); 60 device_lock(&dev->dev);
60 61
62 if (dev->rfkill && rfkill_blocked(dev->rfkill)) {
63 rc = -ERFKILL;
64 goto error;
65 }
66
61 if (!device_is_registered(&dev->dev)) { 67 if (!device_is_registered(&dev->dev)) {
62 rc = -ENODEV; 68 rc = -ENODEV;
63 goto error; 69 goto error;
@@ -117,6 +123,24 @@ error:
117 return rc; 123 return rc;
118} 124}
119 125
126static int nfc_rfkill_set_block(void *data, bool blocked)
127{
128 struct nfc_dev *dev = data;
129
130 pr_debug("%s blocked %d", dev_name(&dev->dev), blocked);
131
132 if (!blocked)
133 return 0;
134
135 nfc_dev_down(dev);
136
137 return 0;
138}
139
140static const struct rfkill_ops nfc_rfkill_ops = {
141 .set_block = nfc_rfkill_set_block,
142};
143
120/** 144/**
121 * nfc_start_poll - start polling for nfc targets 145 * nfc_start_poll - start polling for nfc targets
122 * 146 *
@@ -143,6 +167,11 @@ int nfc_start_poll(struct nfc_dev *dev, u32 im_protocols, u32 tm_protocols)
143 goto error; 167 goto error;
144 } 168 }
145 169
170 if (!dev->dev_up) {
171 rc = -ENODEV;
172 goto error;
173 }
174
146 if (dev->polling) { 175 if (dev->polling) {
147 rc = -EBUSY; 176 rc = -EBUSY;
148 goto error; 177 goto error;
@@ -835,6 +864,15 @@ int nfc_register_device(struct nfc_dev *dev)
835 pr_debug("The userspace won't be notified that the device %s was added\n", 864 pr_debug("The userspace won't be notified that the device %s was added\n",
836 dev_name(&dev->dev)); 865 dev_name(&dev->dev));
837 866
867 dev->rfkill = rfkill_alloc(dev_name(&dev->dev), &dev->dev,
868 RFKILL_TYPE_NFC, &nfc_rfkill_ops, dev);
869 if (dev->rfkill) {
870 if (rfkill_register(dev->rfkill) < 0) {
871 rfkill_destroy(dev->rfkill);
872 dev->rfkill = NULL;
873 }
874 }
875
838 return 0; 876 return 0;
839} 877}
840EXPORT_SYMBOL(nfc_register_device); 878EXPORT_SYMBOL(nfc_register_device);
@@ -852,6 +890,11 @@ void nfc_unregister_device(struct nfc_dev *dev)
852 890
853 id = dev->idx; 891 id = dev->idx;
854 892
893 if (dev->rfkill) {
894 rfkill_unregister(dev->rfkill);
895 rfkill_destroy(dev->rfkill);
896 }
897
855 if (dev->ops->check_presence) { 898 if (dev->ops->check_presence) {
856 device_lock(&dev->dev); 899 device_lock(&dev->dev);
857 dev->shutting_down = true; 900 dev->shutting_down = true;
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
index b75a9b3f9e89..094f7e27e910 100644
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -420,7 +420,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
420 } 420 }
421 421
422 /* If the socket parameters are not set, use the local ones */ 422 /* If the socket parameters are not set, use the local ones */
423 miux = sock->miux > LLCP_MAX_MIUX ? local->miux : sock->miux; 423 miux = be16_to_cpu(sock->miux) > LLCP_MAX_MIUX ?
424 local->miux : sock->miux;
424 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw; 425 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw;
425 426
426 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, 427 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
@@ -475,7 +476,8 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
475 return -ENODEV; 476 return -ENODEV;
476 477
477 /* If the socket parameters are not set, use the local ones */ 478 /* If the socket parameters are not set, use the local ones */
478 miux = sock->miux > LLCP_MAX_MIUX ? local->miux : sock->miux; 479 miux = be16_to_cpu(sock->miux) > LLCP_MAX_MIUX ?
480 local->miux : sock->miux;
479 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw; 481 rw = sock->rw > LLCP_MAX_RW ? local->rw : sock->rw;
480 482
481 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, 483 miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
@@ -656,6 +658,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
656 struct nfc_llcp_local *local; 658 struct nfc_llcp_local *local;
657 size_t frag_len = 0, remaining_len; 659 size_t frag_len = 0, remaining_len;
658 u8 *msg_data, *msg_ptr; 660 u8 *msg_data, *msg_ptr;
661 u16 remote_miu;
659 662
660 pr_debug("Send I frame len %zd\n", len); 663 pr_debug("Send I frame len %zd\n", len);
661 664
@@ -692,9 +695,11 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
692 remaining_len = len; 695 remaining_len = len;
693 msg_ptr = msg_data; 696 msg_ptr = msg_data;
694 697
695 while (remaining_len > 0) { 698 do {
699 remote_miu = sock->remote_miu > LLCP_MAX_MIU ?
700 local->remote_miu : sock->remote_miu;
696 701
697 frag_len = min_t(size_t, sock->remote_miu, remaining_len); 702 frag_len = min_t(size_t, remote_miu, remaining_len);
698 703
699 pr_debug("Fragment %zd bytes remaining %zd", 704 pr_debug("Fragment %zd bytes remaining %zd",
700 frag_len, remaining_len); 705 frag_len, remaining_len);
@@ -706,7 +711,8 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
706 711
707 skb_put(pdu, LLCP_SEQUENCE_SIZE); 712 skb_put(pdu, LLCP_SEQUENCE_SIZE);
708 713
709 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len); 714 if (likely(frag_len > 0))
715 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len);
710 716
711 skb_queue_tail(&sock->tx_queue, pdu); 717 skb_queue_tail(&sock->tx_queue, pdu);
712 718
@@ -718,7 +724,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
718 724
719 remaining_len -= frag_len; 725 remaining_len -= frag_len;
720 msg_ptr += frag_len; 726 msg_ptr += frag_len;
721 } 727 } while (remaining_len > 0);
722 728
723 kfree(msg_data); 729 kfree(msg_data);
724 730
@@ -732,6 +738,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
732 struct nfc_llcp_local *local; 738 struct nfc_llcp_local *local;
733 size_t frag_len = 0, remaining_len; 739 size_t frag_len = 0, remaining_len;
734 u8 *msg_ptr, *msg_data; 740 u8 *msg_ptr, *msg_data;
741 u16 remote_miu;
735 int err; 742 int err;
736 743
737 pr_debug("Send UI frame len %zd\n", len); 744 pr_debug("Send UI frame len %zd\n", len);
@@ -752,9 +759,11 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
752 remaining_len = len; 759 remaining_len = len;
753 msg_ptr = msg_data; 760 msg_ptr = msg_data;
754 761
755 while (remaining_len > 0) { 762 do {
763 remote_miu = sock->remote_miu > LLCP_MAX_MIU ?
764 local->remote_miu : sock->remote_miu;
756 765
757 frag_len = min_t(size_t, sock->remote_miu, remaining_len); 766 frag_len = min_t(size_t, remote_miu, remaining_len);
758 767
759 pr_debug("Fragment %zd bytes remaining %zd", 768 pr_debug("Fragment %zd bytes remaining %zd",
760 frag_len, remaining_len); 769 frag_len, remaining_len);
@@ -768,14 +777,15 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
768 777
769 pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI); 778 pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI);
770 779
771 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len); 780 if (likely(frag_len > 0))
781 memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len);
772 782
773 /* No need to check for the peer RW for UI frames */ 783 /* No need to check for the peer RW for UI frames */
774 skb_queue_tail(&local->tx_queue, pdu); 784 skb_queue_tail(&local->tx_queue, pdu);
775 785
776 remaining_len -= frag_len; 786 remaining_len -= frag_len;
777 msg_ptr += frag_len; 787 msg_ptr += frag_len;
778 } 788 } while (remaining_len > 0);
779 789
780 kfree(msg_data); 790 kfree(msg_data);
781 791
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 7de0368aff0c..9e483c8e52f8 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -31,6 +31,8 @@ static u8 llcp_magic[3] = {0x46, 0x66, 0x6d};
31 31
32static struct list_head llcp_devices; 32static struct list_head llcp_devices;
33 33
34static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb);
35
34void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk) 36void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *sk)
35{ 37{
36 write_lock(&l->lock); 38 write_lock(&l->lock);
@@ -45,6 +47,12 @@ void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *sk)
45 write_unlock(&l->lock); 47 write_unlock(&l->lock);
46} 48}
47 49
50void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock)
51{
52 sock->remote_rw = LLCP_DEFAULT_RW;
53 sock->remote_miu = LLCP_MAX_MIU + 1;
54}
55
48static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock) 56static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
49{ 57{
50 struct nfc_llcp_local *local = sock->local; 58 struct nfc_llcp_local *local = sock->local;
@@ -68,7 +76,7 @@ static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
68 } 76 }
69} 77}
70 78
71static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen, 79static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
72 int err) 80 int err)
73{ 81{
74 struct sock *sk; 82 struct sock *sk;
@@ -108,21 +116,6 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
108 116
109 bh_unlock_sock(accept_sk); 117 bh_unlock_sock(accept_sk);
110 } 118 }
111
112 if (listen == true) {
113 bh_unlock_sock(sk);
114 continue;
115 }
116 }
117
118 /*
119 * If we have a connection less socket bound, we keep it alive
120 * if the device is still present.
121 */
122 if (sk->sk_state == LLCP_BOUND && sk->sk_type == SOCK_DGRAM &&
123 listen == true) {
124 bh_unlock_sock(sk);
125 continue;
126 } 119 }
127 120
128 if (err) 121 if (err)
@@ -137,11 +130,8 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
137 130
138 write_unlock(&local->sockets.lock); 131 write_unlock(&local->sockets.lock);
139 132
140 /* 133 /* If we still have a device, we keep the RAW sockets alive */
141 * If we want to keep the listening sockets alive, 134 if (device == true)
142 * we don't touch the RAW ones.
143 */
144 if (listen == true)
145 return; 135 return;
146 136
147 write_lock(&local->raw_sockets.lock); 137 write_lock(&local->raw_sockets.lock);
@@ -173,9 +163,9 @@ struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
173 return local; 163 return local;
174} 164}
175 165
176static void local_cleanup(struct nfc_llcp_local *local, bool listen) 166static void local_cleanup(struct nfc_llcp_local *local)
177{ 167{
178 nfc_llcp_socket_release(local, listen, ENXIO); 168 nfc_llcp_socket_release(local, false, ENXIO);
179 del_timer_sync(&local->link_timer); 169 del_timer_sync(&local->link_timer);
180 skb_queue_purge(&local->tx_queue); 170 skb_queue_purge(&local->tx_queue);
181 cancel_work_sync(&local->tx_work); 171 cancel_work_sync(&local->tx_work);
@@ -194,7 +184,7 @@ static void local_release(struct kref *ref)
194 local = container_of(ref, struct nfc_llcp_local, ref); 184 local = container_of(ref, struct nfc_llcp_local, ref);
195 185
196 list_del(&local->list); 186 list_del(&local->list);
197 local_cleanup(local, false); 187 local_cleanup(local);
198 kfree(local); 188 kfree(local);
199} 189}
200 190
@@ -1116,6 +1106,12 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
1116 dsap = nfc_llcp_dsap(skb); 1106 dsap = nfc_llcp_dsap(skb);
1117 ssap = nfc_llcp_ssap(skb); 1107 ssap = nfc_llcp_ssap(skb);
1118 1108
1109 if ((dsap == 0) && (ssap == 0)) {
1110 pr_debug("Connection termination");
1111 nfc_dep_link_down(local->dev);
1112 return;
1113 }
1114
1119 llcp_sock = nfc_llcp_sock_get(local, dsap, ssap); 1115 llcp_sock = nfc_llcp_sock_get(local, dsap, ssap);
1120 if (llcp_sock == NULL) { 1116 if (llcp_sock == NULL) {
1121 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN); 1117 nfc_llcp_send_dm(local, dsap, ssap, LLCP_DM_NOCONN);
@@ -1349,19 +1345,54 @@ exit:
1349 nfc_llcp_send_snl_sdres(local, &llc_sdres_list, sdres_tlvs_len); 1345 nfc_llcp_send_snl_sdres(local, &llc_sdres_list, sdres_tlvs_len);
1350} 1346}
1351 1347
1352static void nfc_llcp_rx_work(struct work_struct *work) 1348static void nfc_llcp_recv_agf(struct nfc_llcp_local *local, struct sk_buff *skb)
1353{ 1349{
1354 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local, 1350 u8 ptype;
1355 rx_work); 1351 u16 pdu_len;
1356 u8 dsap, ssap, ptype; 1352 struct sk_buff *new_skb;
1357 struct sk_buff *skb;
1358 1353
1359 skb = local->rx_pending; 1354 if (skb->len <= LLCP_HEADER_SIZE) {
1360 if (skb == NULL) { 1355 pr_err("Malformed AGF PDU\n");
1361 pr_debug("No pending SKB\n");
1362 return; 1356 return;
1363 } 1357 }
1364 1358
1359 skb_pull(skb, LLCP_HEADER_SIZE);
1360
1361 while (skb->len > LLCP_AGF_PDU_HEADER_SIZE) {
1362 pdu_len = skb->data[0] << 8 | skb->data[1];
1363
1364 skb_pull(skb, LLCP_AGF_PDU_HEADER_SIZE);
1365
1366 if (pdu_len < LLCP_HEADER_SIZE || pdu_len > skb->len) {
1367 pr_err("Malformed AGF PDU\n");
1368 return;
1369 }
1370
1371 ptype = nfc_llcp_ptype(skb);
1372
1373 if (ptype == LLCP_PDU_SYMM || ptype == LLCP_PDU_AGF)
1374 goto next;
1375
1376 new_skb = nfc_alloc_recv_skb(pdu_len, GFP_KERNEL);
1377 if (new_skb == NULL) {
1378 pr_err("Could not allocate PDU\n");
1379 return;
1380 }
1381
1382 memcpy(skb_put(new_skb, pdu_len), skb->data, pdu_len);
1383
1384 nfc_llcp_rx_skb(local, new_skb);
1385
1386 kfree_skb(new_skb);
1387next:
1388 skb_pull(skb, pdu_len);
1389 }
1390}
1391
1392static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb)
1393{
1394 u8 dsap, ssap, ptype;
1395
1365 ptype = nfc_llcp_ptype(skb); 1396 ptype = nfc_llcp_ptype(skb);
1366 dsap = nfc_llcp_dsap(skb); 1397 dsap = nfc_llcp_dsap(skb);
1367 ssap = nfc_llcp_ssap(skb); 1398 ssap = nfc_llcp_ssap(skb);
@@ -1372,10 +1403,6 @@ static void nfc_llcp_rx_work(struct work_struct *work)
1372 print_hex_dump(KERN_DEBUG, "LLCP Rx: ", DUMP_PREFIX_OFFSET, 1403 print_hex_dump(KERN_DEBUG, "LLCP Rx: ", DUMP_PREFIX_OFFSET,
1373 16, 1, skb->data, skb->len, true); 1404 16, 1, skb->data, skb->len, true);
1374 1405
1375 __net_timestamp(skb);
1376
1377 nfc_llcp_send_to_raw_sock(local, skb, NFC_LLCP_DIRECTION_RX);
1378
1379 switch (ptype) { 1406 switch (ptype) {
1380 case LLCP_PDU_SYMM: 1407 case LLCP_PDU_SYMM:
1381 pr_debug("SYMM\n"); 1408 pr_debug("SYMM\n");
@@ -1418,7 +1445,30 @@ static void nfc_llcp_rx_work(struct work_struct *work)
1418 nfc_llcp_recv_hdlc(local, skb); 1445 nfc_llcp_recv_hdlc(local, skb);
1419 break; 1446 break;
1420 1447
1448 case LLCP_PDU_AGF:
1449 pr_debug("AGF frame\n");
1450 nfc_llcp_recv_agf(local, skb);
1451 break;
1421 } 1452 }
1453}
1454
1455static void nfc_llcp_rx_work(struct work_struct *work)
1456{
1457 struct nfc_llcp_local *local = container_of(work, struct nfc_llcp_local,
1458 rx_work);
1459 struct sk_buff *skb;
1460
1461 skb = local->rx_pending;
1462 if (skb == NULL) {
1463 pr_debug("No pending SKB\n");
1464 return;
1465 }
1466
1467 __net_timestamp(skb);
1468
1469 nfc_llcp_send_to_raw_sock(local, skb, NFC_LLCP_DIRECTION_RX);
1470
1471 nfc_llcp_rx_skb(local, skb);
1422 1472
1423 schedule_work(&local->tx_work); 1473 schedule_work(&local->tx_work);
1424 kfree_skb(local->rx_pending); 1474 kfree_skb(local->rx_pending);
@@ -1466,6 +1516,9 @@ void nfc_llcp_mac_is_down(struct nfc_dev *dev)
1466 if (local == NULL) 1516 if (local == NULL)
1467 return; 1517 return;
1468 1518
1519 local->remote_miu = LLCP_DEFAULT_MIU;
1520 local->remote_lto = LLCP_DEFAULT_LTO;
1521
1469 /* Close and purge all existing sockets */ 1522 /* Close and purge all existing sockets */
1470 nfc_llcp_socket_release(local, true, 0); 1523 nfc_llcp_socket_release(local, true, 0);
1471} 1524}
@@ -1553,7 +1606,7 @@ void nfc_llcp_unregister_device(struct nfc_dev *dev)
1553 return; 1606 return;
1554 } 1607 }
1555 1608
1556 local_cleanup(local, false); 1609 local_cleanup(local);
1557 1610
1558 nfc_llcp_local_put(local); 1611 nfc_llcp_local_put(local);
1559} 1612}
diff --git a/net/nfc/llcp/llcp.h b/net/nfc/llcp/llcp.h
index 7e87a66b02ec..ff8c434f7df8 100644
--- a/net/nfc/llcp/llcp.h
+++ b/net/nfc/llcp/llcp.h
@@ -31,6 +31,7 @@ enum llcp_state {
31#define LLCP_MAX_LTO 0xff 31#define LLCP_MAX_LTO 0xff
32#define LLCP_MAX_RW 15 32#define LLCP_MAX_RW 15
33#define LLCP_MAX_MIUX 0x7ff 33#define LLCP_MAX_MIUX 0x7ff
34#define LLCP_MAX_MIU (LLCP_MAX_MIUX + 128)
34 35
35#define LLCP_WKS_NUM_SAP 16 36#define LLCP_WKS_NUM_SAP 16
36#define LLCP_SDP_NUM_SAP 16 37#define LLCP_SDP_NUM_SAP 16
@@ -124,7 +125,7 @@ struct nfc_llcp_sock {
124 char *service_name; 125 char *service_name;
125 size_t service_name_len; 126 size_t service_name_len;
126 u8 rw; 127 u8 rw;
127 u16 miux; 128 __be16 miux;
128 129
129 130
130 /* Remote link parameters */ 131 /* Remote link parameters */
@@ -162,6 +163,7 @@ struct nfc_llcp_ui_cb {
162 163
163#define LLCP_HEADER_SIZE 2 164#define LLCP_HEADER_SIZE 2
164#define LLCP_SEQUENCE_SIZE 1 165#define LLCP_SEQUENCE_SIZE 1
166#define LLCP_AGF_PDU_HEADER_SIZE 2
165 167
166/* LLCP versions: 1.1 is 1.0 plus SDP */ 168/* LLCP versions: 1.1 is 1.0 plus SDP */
167#define LLCP_VERSION_10 0x10 169#define LLCP_VERSION_10 0x10
@@ -210,6 +212,7 @@ struct nfc_llcp_ui_cb {
210 212
211void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s); 213void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s);
212void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s); 214void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s);
215void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock);
213struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); 216struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
214struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local); 217struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local);
215int nfc_llcp_local_put(struct nfc_llcp_local *local); 218int nfc_llcp_local_put(struct nfc_llcp_local *local);
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 6fa76704cb13..fd01ac6e0bf4 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -279,7 +279,7 @@ static int nfc_llcp_setsockopt(struct socket *sock, int level, int optname,
279 break; 279 break;
280 } 280 }
281 281
282 llcp_sock->miux = (u16) opt; 282 llcp_sock->miux = cpu_to_be16((u16) opt);
283 283
284 break; 284 break;
285 285
@@ -299,9 +299,12 @@ static int nfc_llcp_setsockopt(struct socket *sock, int level, int optname,
299static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname, 299static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname,
300 char __user *optval, int __user *optlen) 300 char __user *optval, int __user *optlen)
301{ 301{
302 struct nfc_llcp_local *local;
302 struct sock *sk = sock->sk; 303 struct sock *sk = sock->sk;
303 struct nfc_llcp_sock *llcp_sock = nfc_llcp_sock(sk); 304 struct nfc_llcp_sock *llcp_sock = nfc_llcp_sock(sk);
304 int len, err = 0; 305 int len, err = 0;
306 u16 miux, remote_miu;
307 u8 rw;
305 308
306 pr_debug("%p optname %d\n", sk, optname); 309 pr_debug("%p optname %d\n", sk, optname);
307 310
@@ -311,19 +314,48 @@ static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname,
311 if (get_user(len, optlen)) 314 if (get_user(len, optlen))
312 return -EFAULT; 315 return -EFAULT;
313 316
317 local = llcp_sock->local;
318 if (!local)
319 return -ENODEV;
320
314 len = min_t(u32, len, sizeof(u32)); 321 len = min_t(u32, len, sizeof(u32));
315 322
316 lock_sock(sk); 323 lock_sock(sk);
317 324
318 switch (optname) { 325 switch (optname) {
319 case NFC_LLCP_RW: 326 case NFC_LLCP_RW:
320 if (put_user(llcp_sock->rw, (u32 __user *) optval)) 327 rw = llcp_sock->rw > LLCP_MAX_RW ? local->rw : llcp_sock->rw;
328 if (put_user(rw, (u32 __user *) optval))
321 err = -EFAULT; 329 err = -EFAULT;
322 330
323 break; 331 break;
324 332
325 case NFC_LLCP_MIUX: 333 case NFC_LLCP_MIUX:
326 if (put_user(llcp_sock->miux, (u32 __user *) optval)) 334 miux = be16_to_cpu(llcp_sock->miux) > LLCP_MAX_MIUX ?
335 be16_to_cpu(local->miux) : be16_to_cpu(llcp_sock->miux);
336
337 if (put_user(miux, (u32 __user *) optval))
338 err = -EFAULT;
339
340 break;
341
342 case NFC_LLCP_REMOTE_MIU:
343 remote_miu = llcp_sock->remote_miu > LLCP_MAX_MIU ?
344 local->remote_miu : llcp_sock->remote_miu;
345
346 if (put_user(remote_miu, (u32 __user *) optval))
347 err = -EFAULT;
348
349 break;
350
351 case NFC_LLCP_REMOTE_LTO:
352 if (put_user(local->remote_lto / 10, (u32 __user *) optval))
353 err = -EFAULT;
354
355 break;
356
357 case NFC_LLCP_REMOTE_RW:
358 if (put_user(llcp_sock->remote_rw, (u32 __user *) optval))
327 err = -EFAULT; 359 err = -EFAULT;
328 360
329 break; 361 break;
@@ -921,13 +953,12 @@ struct sock *nfc_llcp_sock_alloc(struct socket *sock, int type, gfp_t gfp)
921 llcp_sock->ssap = 0; 953 llcp_sock->ssap = 0;
922 llcp_sock->dsap = LLCP_SAP_SDP; 954 llcp_sock->dsap = LLCP_SAP_SDP;
923 llcp_sock->rw = LLCP_MAX_RW + 1; 955 llcp_sock->rw = LLCP_MAX_RW + 1;
924 llcp_sock->miux = LLCP_MAX_MIUX + 1; 956 llcp_sock->miux = cpu_to_be16(LLCP_MAX_MIUX + 1);
925 llcp_sock->remote_rw = LLCP_DEFAULT_RW;
926 llcp_sock->remote_miu = LLCP_DEFAULT_MIU;
927 llcp_sock->send_n = llcp_sock->send_ack_n = 0; 957 llcp_sock->send_n = llcp_sock->send_ack_n = 0;
928 llcp_sock->recv_n = llcp_sock->recv_ack_n = 0; 958 llcp_sock->recv_n = llcp_sock->recv_ack_n = 0;
929 llcp_sock->remote_ready = 1; 959 llcp_sock->remote_ready = 1;
930 llcp_sock->reserved_ssap = LLCP_SAP_MAX; 960 llcp_sock->reserved_ssap = LLCP_SAP_MAX;
961 nfc_llcp_socket_remote_param_init(llcp_sock);
931 skb_queue_head_init(&llcp_sock->tx_queue); 962 skb_queue_head_init(&llcp_sock->tx_queue);
932 skb_queue_head_init(&llcp_sock->tx_pending_queue); 963 skb_queue_head_init(&llcp_sock->tx_pending_queue);
933 INIT_LIST_HEAD(&llcp_sock->accept_queue); 964 INIT_LIST_HEAD(&llcp_sock->accept_queue);
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 9b9be5279f5d..1cec5e4f3a5e 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -587,7 +587,7 @@ static ssize_t rfkill_name_show(struct device *dev,
587 587
588static const char *rfkill_get_type_str(enum rfkill_type type) 588static const char *rfkill_get_type_str(enum rfkill_type type)
589{ 589{
590 BUILD_BUG_ON(NUM_RFKILL_TYPES != RFKILL_TYPE_FM + 1); 590 BUILD_BUG_ON(NUM_RFKILL_TYPES != RFKILL_TYPE_NFC + 1);
591 591
592 switch (type) { 592 switch (type) {
593 case RFKILL_TYPE_WLAN: 593 case RFKILL_TYPE_WLAN:
@@ -604,6 +604,8 @@ static const char *rfkill_get_type_str(enum rfkill_type type)
604 return "gps"; 604 return "gps";
605 case RFKILL_TYPE_FM: 605 case RFKILL_TYPE_FM:
606 return "fm"; 606 return "fm";
607 case RFKILL_TYPE_NFC:
608 return "nfc";
607 default: 609 default:
608 BUG(); 610 BUG();
609 } 611 }