Version:  2.0.40 2.2.26 2.4.37 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5

Linux/net/bluetooth/hidp/core.c

  1 /*
  2    HIDP implementation for Linux Bluetooth stack (BlueZ).
  3    Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
  4    Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
  5 
  6    This program is free software; you can redistribute it and/or modify
  7    it under the terms of the GNU General Public License version 2 as
  8    published by the Free Software Foundation;
  9 
 10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 18 
 19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 21    SOFTWARE IS DISCLAIMED.
 22 */
 23 
 24 #include <linux/kref.h>
 25 #include <linux/module.h>
 26 #include <linux/file.h>
 27 #include <linux/kthread.h>
 28 #include <linux/hidraw.h>
 29 
 30 #include <net/bluetooth/bluetooth.h>
 31 #include <net/bluetooth/hci_core.h>
 32 #include <net/bluetooth/l2cap.h>
 33 
 34 #include "hidp.h"
 35 
 36 #define VERSION "1.2"
 37 
 38 static DECLARE_RWSEM(hidp_session_sem);
 39 static LIST_HEAD(hidp_session_list);
 40 
 41 static unsigned char hidp_keycode[256] = {
 42           0,   0,   0,   0,  30,  48,  46,  32,  18,  33,  34,  35,  23,  36,
 43          37,  38,  50,  49,  24,  25,  16,  19,  31,  20,  22,  47,  17,  45,
 44          21,  44,   2,   3,   4,   5,   6,   7,   8,   9,  10,  11,  28,   1,
 45          14,  15,  57,  12,  13,  26,  27,  43,  43,  39,  40,  41,  51,  52,
 46          53,  58,  59,  60,  61,  62,  63,  64,  65,  66,  67,  68,  87,  88,
 47          99,  70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103,  69,
 48          98,  55,  74,  78,  96,  79,  80,  81,  75,  76,  77,  71,  72,  73,
 49          82,  83,  86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
 50         191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
 51         136, 113, 115, 114,   0,   0,   0, 121,   0,  89,  93, 124,  92,  94,
 52          95,   0,   0,   0, 122, 123,  90,  91,  85,   0,   0,   0,   0,   0,
 53           0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
 54           0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
 55           0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
 56           0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
 57           0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
 58          29,  42,  56, 125,  97,  54, 100, 126, 164, 166, 165, 163, 161, 115,
 59         114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
 60 };
 61 
 62 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
 63 
 64 static int hidp_session_probe(struct l2cap_conn *conn,
 65                               struct l2cap_user *user);
 66 static void hidp_session_remove(struct l2cap_conn *conn,
 67                                 struct l2cap_user *user);
 68 static int hidp_session_thread(void *arg);
 69 static void hidp_session_terminate(struct hidp_session *s);
 70 
 71 static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
 72 {
 73         u32 valid_flags = 0;
 74         memset(ci, 0, sizeof(*ci));
 75         bacpy(&ci->bdaddr, &session->bdaddr);
 76 
 77         ci->flags = session->flags & valid_flags;
 78         ci->state = BT_CONNECTED;
 79 
 80         if (session->input) {
 81                 ci->vendor  = session->input->id.vendor;
 82                 ci->product = session->input->id.product;
 83                 ci->version = session->input->id.version;
 84                 if (session->input->name)
 85                         strlcpy(ci->name, session->input->name, 128);
 86                 else
 87                         strlcpy(ci->name, "HID Boot Device", 128);
 88         } else if (session->hid) {
 89                 ci->vendor  = session->hid->vendor;
 90                 ci->product = session->hid->product;
 91                 ci->version = session->hid->version;
 92                 strlcpy(ci->name, session->hid->name, 128);
 93         }
 94 }
 95 
 96 /* assemble skb, queue message on @transmit and wake up the session thread */
 97 static int hidp_send_message(struct hidp_session *session, struct socket *sock,
 98                              struct sk_buff_head *transmit, unsigned char hdr,
 99                              const unsigned char *data, int size)
100 {
101         struct sk_buff *skb;
102         struct sock *sk = sock->sk;
103 
104         BT_DBG("session %p data %p size %d", session, data, size);
105 
106         if (atomic_read(&session->terminate))
107                 return -EIO;
108 
109         skb = alloc_skb(size + 1, GFP_ATOMIC);
110         if (!skb) {
111                 BT_ERR("Can't allocate memory for new frame");
112                 return -ENOMEM;
113         }
114 
115         *skb_put(skb, 1) = hdr;
116         if (data && size > 0)
117                 memcpy(skb_put(skb, size), data, size);
118 
119         skb_queue_tail(transmit, skb);
120         wake_up_interruptible(sk_sleep(sk));
121 
122         return 0;
123 }
124 
125 static int hidp_send_ctrl_message(struct hidp_session *session,
126                                   unsigned char hdr, const unsigned char *data,
127                                   int size)
128 {
129         return hidp_send_message(session, session->ctrl_sock,
130                                  &session->ctrl_transmit, hdr, data, size);
131 }
132 
133 static int hidp_send_intr_message(struct hidp_session *session,
134                                   unsigned char hdr, const unsigned char *data,
135                                   int size)
136 {
137         return hidp_send_message(session, session->intr_sock,
138                                  &session->intr_transmit, hdr, data, size);
139 }
140 
141 static int hidp_input_event(struct input_dev *dev, unsigned int type,
142                             unsigned int code, int value)
143 {
144         struct hidp_session *session = input_get_drvdata(dev);
145         unsigned char newleds;
146         unsigned char hdr, data[2];
147 
148         BT_DBG("session %p type %d code %d value %d",
149                session, type, code, value);
150 
151         if (type != EV_LED)
152                 return -1;
153 
154         newleds = (!!test_bit(LED_KANA,    dev->led) << 3) |
155                   (!!test_bit(LED_COMPOSE, dev->led) << 3) |
156                   (!!test_bit(LED_SCROLLL, dev->led) << 2) |
157                   (!!test_bit(LED_CAPSL,   dev->led) << 1) |
158                   (!!test_bit(LED_NUML,    dev->led) << 0);
159 
160         if (session->leds == newleds)
161                 return 0;
162 
163         session->leds = newleds;
164 
165         hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
166         data[0] = 0x01;
167         data[1] = newleds;
168 
169         return hidp_send_intr_message(session, hdr, data, 2);
170 }
171 
172 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
173 {
174         struct input_dev *dev = session->input;
175         unsigned char *keys = session->keys;
176         unsigned char *udata = skb->data + 1;
177         signed char *sdata = skb->data + 1;
178         int i, size = skb->len - 1;
179 
180         switch (skb->data[0]) {
181         case 0x01:      /* Keyboard report */
182                 for (i = 0; i < 8; i++)
183                         input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
184 
185                 /* If all the key codes have been set to 0x01, it means
186                  * too many keys were pressed at the same time. */
187                 if (!memcmp(udata + 2, hidp_mkeyspat, 6))
188                         break;
189 
190                 for (i = 2; i < 8; i++) {
191                         if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
192                                 if (hidp_keycode[keys[i]])
193                                         input_report_key(dev, hidp_keycode[keys[i]], 0);
194                                 else
195                                         BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
196                         }
197 
198                         if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
199                                 if (hidp_keycode[udata[i]])
200                                         input_report_key(dev, hidp_keycode[udata[i]], 1);
201                                 else
202                                         BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
203                         }
204                 }
205 
206                 memcpy(keys, udata, 8);
207                 break;
208 
209         case 0x02:      /* Mouse report */
210                 input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
211                 input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
212                 input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
213                 input_report_key(dev, BTN_SIDE,   sdata[0] & 0x08);
214                 input_report_key(dev, BTN_EXTRA,  sdata[0] & 0x10);
215 
216                 input_report_rel(dev, REL_X, sdata[1]);
217                 input_report_rel(dev, REL_Y, sdata[2]);
218 
219                 if (size > 3)
220                         input_report_rel(dev, REL_WHEEL, sdata[3]);
221                 break;
222         }
223 
224         input_sync(dev);
225 }
226 
227 static int hidp_get_raw_report(struct hid_device *hid,
228                 unsigned char report_number,
229                 unsigned char *data, size_t count,
230                 unsigned char report_type)
231 {
232         struct hidp_session *session = hid->driver_data;
233         struct sk_buff *skb;
234         size_t len;
235         int numbered_reports = hid->report_enum[report_type].numbered;
236         int ret;
237 
238         if (atomic_read(&session->terminate))
239                 return -EIO;
240 
241         switch (report_type) {
242         case HID_FEATURE_REPORT:
243                 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
244                 break;
245         case HID_INPUT_REPORT:
246                 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
247                 break;
248         case HID_OUTPUT_REPORT:
249                 report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
250                 break;
251         default:
252                 return -EINVAL;
253         }
254 
255         if (mutex_lock_interruptible(&session->report_mutex))
256                 return -ERESTARTSYS;
257 
258         /* Set up our wait, and send the report request to the device. */
259         session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
260         session->waiting_report_number = numbered_reports ? report_number : -1;
261         set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
262         data[0] = report_number;
263         ret = hidp_send_ctrl_message(session, report_type, data, 1);
264         if (ret)
265                 goto err;
266 
267         /* Wait for the return of the report. The returned report
268            gets put in session->report_return.  */
269         while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
270                !atomic_read(&session->terminate)) {
271                 int res;
272 
273                 res = wait_event_interruptible_timeout(session->report_queue,
274                         !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
275                                 || atomic_read(&session->terminate),
276                         5*HZ);
277                 if (res == 0) {
278                         /* timeout */
279                         ret = -EIO;
280                         goto err;
281                 }
282                 if (res < 0) {
283                         /* signal */
284                         ret = -ERESTARTSYS;
285                         goto err;
286                 }
287         }
288 
289         skb = session->report_return;
290         if (skb) {
291                 len = skb->len < count ? skb->len : count;
292                 memcpy(data, skb->data, len);
293 
294                 kfree_skb(skb);
295                 session->report_return = NULL;
296         } else {
297                 /* Device returned a HANDSHAKE, indicating  protocol error. */
298                 len = -EIO;
299         }
300 
301         clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
302         mutex_unlock(&session->report_mutex);
303 
304         return len;
305 
306 err:
307         clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
308         mutex_unlock(&session->report_mutex);
309         return ret;
310 }
311 
312 static int hidp_set_raw_report(struct hid_device *hid, unsigned char reportnum,
313                                unsigned char *data, size_t count,
314                                unsigned char report_type)
315 {
316         struct hidp_session *session = hid->driver_data;
317         int ret;
318 
319         switch (report_type) {
320         case HID_FEATURE_REPORT:
321                 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
322                 break;
323         case HID_INPUT_REPORT:
324                 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_INPUT;
325                 break;
326         case HID_OUTPUT_REPORT:
327                 report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
328                 break;
329         default:
330                 return -EINVAL;
331         }
332 
333         if (mutex_lock_interruptible(&session->report_mutex))
334                 return -ERESTARTSYS;
335 
336         /* Set up our wait, and send the report request to the device. */
337         data[0] = reportnum;
338         set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
339         ret = hidp_send_ctrl_message(session, report_type, data, count);
340         if (ret)
341                 goto err;
342 
343         /* Wait for the ACK from the device. */
344         while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
345                !atomic_read(&session->terminate)) {
346                 int res;
347 
348                 res = wait_event_interruptible_timeout(session->report_queue,
349                         !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
350                                 || atomic_read(&session->terminate),
351                         10*HZ);
352                 if (res == 0) {
353                         /* timeout */
354                         ret = -EIO;
355                         goto err;
356                 }
357                 if (res < 0) {
358                         /* signal */
359                         ret = -ERESTARTSYS;
360                         goto err;
361                 }
362         }
363 
364         if (!session->output_report_success) {
365                 ret = -EIO;
366                 goto err;
367         }
368 
369         ret = count;
370 
371 err:
372         clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
373         mutex_unlock(&session->report_mutex);
374         return ret;
375 }
376 
377 static int hidp_output_report(struct hid_device *hid, __u8 *data, size_t count)
378 {
379         struct hidp_session *session = hid->driver_data;
380 
381         return hidp_send_intr_message(session,
382                                       HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT,
383                                       data, count);
384 }
385 
386 static int hidp_raw_request(struct hid_device *hid, unsigned char reportnum,
387                             __u8 *buf, size_t len, unsigned char rtype,
388                             int reqtype)
389 {
390         switch (reqtype) {
391         case HID_REQ_GET_REPORT:
392                 return hidp_get_raw_report(hid, reportnum, buf, len, rtype);
393         case HID_REQ_SET_REPORT:
394                 return hidp_set_raw_report(hid, reportnum, buf, len, rtype);
395         default:
396                 return -EIO;
397         }
398 }
399 
400 static void hidp_idle_timeout(unsigned long arg)
401 {
402         struct hidp_session *session = (struct hidp_session *) arg;
403 
404         /* The HIDP user-space API only contains calls to add and remove
405          * devices. There is no way to forward events of any kind. Therefore,
406          * we have to forcefully disconnect a device on idle-timeouts. This is
407          * unfortunate and weird API design, but it is spec-compliant and
408          * required for backwards-compatibility. Hence, on idle-timeout, we
409          * signal driver-detach events, so poll() will be woken up with an
410          * error-condition on both sockets.
411          */
412 
413         session->intr_sock->sk->sk_err = EUNATCH;
414         session->ctrl_sock->sk->sk_err = EUNATCH;
415         wake_up_interruptible(sk_sleep(session->intr_sock->sk));
416         wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
417 
418         hidp_session_terminate(session);
419 }
420 
421 static void hidp_set_timer(struct hidp_session *session)
422 {
423         if (session->idle_to > 0)
424                 mod_timer(&session->timer, jiffies + HZ * session->idle_to);
425 }
426 
427 static void hidp_del_timer(struct hidp_session *session)
428 {
429         if (session->idle_to > 0)
430                 del_timer(&session->timer);
431 }
432 
433 static void hidp_process_report(struct hidp_session *session,
434                                 int type, const u8 *data, int len, int intr)
435 {
436         if (len > HID_MAX_BUFFER_SIZE)
437                 len = HID_MAX_BUFFER_SIZE;
438 
439         memcpy(session->input_buf, data, len);
440         hid_input_report(session->hid, type, session->input_buf, len, intr);
441 }
442 
443 static void hidp_process_handshake(struct hidp_session *session,
444                                         unsigned char param)
445 {
446         BT_DBG("session %p param 0x%02x", session, param);
447         session->output_report_success = 0; /* default condition */
448 
449         switch (param) {
450         case HIDP_HSHK_SUCCESSFUL:
451                 /* FIXME: Call into SET_ GET_ handlers here */
452                 session->output_report_success = 1;
453                 break;
454 
455         case HIDP_HSHK_NOT_READY:
456         case HIDP_HSHK_ERR_INVALID_REPORT_ID:
457         case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
458         case HIDP_HSHK_ERR_INVALID_PARAMETER:
459                 if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
460                         wake_up_interruptible(&session->report_queue);
461 
462                 /* FIXME: Call into SET_ GET_ handlers here */
463                 break;
464 
465         case HIDP_HSHK_ERR_UNKNOWN:
466                 break;
467 
468         case HIDP_HSHK_ERR_FATAL:
469                 /* Device requests a reboot, as this is the only way this error
470                  * can be recovered. */
471                 hidp_send_ctrl_message(session,
472                         HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
473                 break;
474 
475         default:
476                 hidp_send_ctrl_message(session,
477                         HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
478                 break;
479         }
480 
481         /* Wake up the waiting thread. */
482         if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
483                 wake_up_interruptible(&session->report_queue);
484 }
485 
486 static void hidp_process_hid_control(struct hidp_session *session,
487                                         unsigned char param)
488 {
489         BT_DBG("session %p param 0x%02x", session, param);
490 
491         if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
492                 /* Flush the transmit queues */
493                 skb_queue_purge(&session->ctrl_transmit);
494                 skb_queue_purge(&session->intr_transmit);
495 
496                 hidp_session_terminate(session);
497         }
498 }
499 
500 /* Returns true if the passed-in skb should be freed by the caller. */
501 static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
502                                 unsigned char param)
503 {
504         int done_with_skb = 1;
505         BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
506 
507         switch (param) {
508         case HIDP_DATA_RTYPE_INPUT:
509                 hidp_set_timer(session);
510 
511                 if (session->input)
512                         hidp_input_report(session, skb);
513 
514                 if (session->hid)
515                         hidp_process_report(session, HID_INPUT_REPORT,
516                                             skb->data, skb->len, 0);
517                 break;
518 
519         case HIDP_DATA_RTYPE_OTHER:
520         case HIDP_DATA_RTYPE_OUPUT:
521         case HIDP_DATA_RTYPE_FEATURE:
522                 break;
523 
524         default:
525                 hidp_send_ctrl_message(session,
526                         HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
527         }
528 
529         if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
530                                 param == session->waiting_report_type) {
531                 if (session->waiting_report_number < 0 ||
532                     session->waiting_report_number == skb->data[0]) {
533                         /* hidp_get_raw_report() is waiting on this report. */
534                         session->report_return = skb;
535                         done_with_skb = 0;
536                         clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
537                         wake_up_interruptible(&session->report_queue);
538                 }
539         }
540 
541         return done_with_skb;
542 }
543 
544 static void hidp_recv_ctrl_frame(struct hidp_session *session,
545                                         struct sk_buff *skb)
546 {
547         unsigned char hdr, type, param;
548         int free_skb = 1;
549 
550         BT_DBG("session %p skb %p len %d", session, skb, skb->len);
551 
552         hdr = skb->data[0];
553         skb_pull(skb, 1);
554 
555         type = hdr & HIDP_HEADER_TRANS_MASK;
556         param = hdr & HIDP_HEADER_PARAM_MASK;
557 
558         switch (type) {
559         case HIDP_TRANS_HANDSHAKE:
560                 hidp_process_handshake(session, param);
561                 break;
562 
563         case HIDP_TRANS_HID_CONTROL:
564                 hidp_process_hid_control(session, param);
565                 break;
566 
567         case HIDP_TRANS_DATA:
568                 free_skb = hidp_process_data(session, skb, param);
569                 break;
570 
571         default:
572                 hidp_send_ctrl_message(session,
573                         HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
574                 break;
575         }
576 
577         if (free_skb)
578                 kfree_skb(skb);
579 }
580 
581 static void hidp_recv_intr_frame(struct hidp_session *session,
582                                 struct sk_buff *skb)
583 {
584         unsigned char hdr;
585 
586         BT_DBG("session %p skb %p len %d", session, skb, skb->len);
587 
588         hdr = skb->data[0];
589         skb_pull(skb, 1);
590 
591         if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
592                 hidp_set_timer(session);
593 
594                 if (session->input)
595                         hidp_input_report(session, skb);
596 
597                 if (session->hid) {
598                         hidp_process_report(session, HID_INPUT_REPORT,
599                                             skb->data, skb->len, 1);
600                         BT_DBG("report len %d", skb->len);
601                 }
602         } else {
603                 BT_DBG("Unsupported protocol header 0x%02x", hdr);
604         }
605 
606         kfree_skb(skb);
607 }
608 
609 static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
610 {
611         struct kvec iv = { data, len };
612         struct msghdr msg;
613 
614         BT_DBG("sock %p data %p len %d", sock, data, len);
615 
616         if (!len)
617                 return 0;
618 
619         memset(&msg, 0, sizeof(msg));
620 
621         return kernel_sendmsg(sock, &msg, &iv, 1, len);
622 }
623 
624 /* dequeue message from @transmit and send via @sock */
625 static void hidp_process_transmit(struct hidp_session *session,
626                                   struct sk_buff_head *transmit,
627                                   struct socket *sock)
628 {
629         struct sk_buff *skb;
630         int ret;
631 
632         BT_DBG("session %p", session);
633 
634         while ((skb = skb_dequeue(transmit))) {
635                 ret = hidp_send_frame(sock, skb->data, skb->len);
636                 if (ret == -EAGAIN) {
637                         skb_queue_head(transmit, skb);
638                         break;
639                 } else if (ret < 0) {
640                         hidp_session_terminate(session);
641                         kfree_skb(skb);
642                         break;
643                 }
644 
645                 hidp_set_timer(session);
646                 kfree_skb(skb);
647         }
648 }
649 
650 static int hidp_setup_input(struct hidp_session *session,
651                                 struct hidp_connadd_req *req)
652 {
653         struct input_dev *input;
654         int i;
655 
656         input = input_allocate_device();
657         if (!input)
658                 return -ENOMEM;
659 
660         session->input = input;
661 
662         input_set_drvdata(input, session);
663 
664         input->name = "Bluetooth HID Boot Protocol Device";
665 
666         input->id.bustype = BUS_BLUETOOTH;
667         input->id.vendor  = req->vendor;
668         input->id.product = req->product;
669         input->id.version = req->version;
670 
671         if (req->subclass & 0x40) {
672                 set_bit(EV_KEY, input->evbit);
673                 set_bit(EV_LED, input->evbit);
674                 set_bit(EV_REP, input->evbit);
675 
676                 set_bit(LED_NUML,    input->ledbit);
677                 set_bit(LED_CAPSL,   input->ledbit);
678                 set_bit(LED_SCROLLL, input->ledbit);
679                 set_bit(LED_COMPOSE, input->ledbit);
680                 set_bit(LED_KANA,    input->ledbit);
681 
682                 for (i = 0; i < sizeof(hidp_keycode); i++)
683                         set_bit(hidp_keycode[i], input->keybit);
684                 clear_bit(0, input->keybit);
685         }
686 
687         if (req->subclass & 0x80) {
688                 input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
689                 input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
690                         BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
691                 input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
692                 input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
693                         BIT_MASK(BTN_EXTRA);
694                 input->relbit[0] |= BIT_MASK(REL_WHEEL);
695         }
696 
697         input->dev.parent = &session->conn->hcon->dev;
698 
699         input->event = hidp_input_event;
700 
701         return 0;
702 }
703 
704 static int hidp_open(struct hid_device *hid)
705 {
706         return 0;
707 }
708 
709 static void hidp_close(struct hid_device *hid)
710 {
711 }
712 
713 static int hidp_parse(struct hid_device *hid)
714 {
715         struct hidp_session *session = hid->driver_data;
716 
717         return hid_parse_report(session->hid, session->rd_data,
718                         session->rd_size);
719 }
720 
721 static int hidp_start(struct hid_device *hid)
722 {
723         return 0;
724 }
725 
726 static void hidp_stop(struct hid_device *hid)
727 {
728         struct hidp_session *session = hid->driver_data;
729 
730         skb_queue_purge(&session->ctrl_transmit);
731         skb_queue_purge(&session->intr_transmit);
732 
733         hid->claimed = 0;
734 }
735 
736 static struct hid_ll_driver hidp_hid_driver = {
737         .parse = hidp_parse,
738         .start = hidp_start,
739         .stop = hidp_stop,
740         .open  = hidp_open,
741         .close = hidp_close,
742         .raw_request = hidp_raw_request,
743         .output_report = hidp_output_report,
744 };
745 
746 /* This function sets up the hid device. It does not add it
747    to the HID system. That is done in hidp_add_connection(). */
748 static int hidp_setup_hid(struct hidp_session *session,
749                                 struct hidp_connadd_req *req)
750 {
751         struct hid_device *hid;
752         int err;
753 
754         session->rd_data = memdup_user(req->rd_data, req->rd_size);
755         if (IS_ERR(session->rd_data))
756                 return PTR_ERR(session->rd_data);
757 
758         session->rd_size = req->rd_size;
759 
760         hid = hid_allocate_device();
761         if (IS_ERR(hid)) {
762                 err = PTR_ERR(hid);
763                 goto fault;
764         }
765 
766         session->hid = hid;
767 
768         hid->driver_data = session;
769 
770         hid->bus     = BUS_BLUETOOTH;
771         hid->vendor  = req->vendor;
772         hid->product = req->product;
773         hid->version = req->version;
774         hid->country = req->country;
775 
776         strncpy(hid->name, req->name, sizeof(req->name) - 1);
777 
778         snprintf(hid->phys, sizeof(hid->phys), "%pMR",
779                  &l2cap_pi(session->ctrl_sock->sk)->chan->src);
780 
781         /* NOTE: Some device modules depend on the dst address being stored in
782          * uniq. Please be aware of this before making changes to this behavior.
783          */
784         snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
785                  &l2cap_pi(session->ctrl_sock->sk)->chan->dst);
786 
787         hid->dev.parent = &session->conn->hcon->dev;
788         hid->ll_driver = &hidp_hid_driver;
789 
790         /* True if device is blacklisted in drivers/hid/hid-core.c */
791         if (hid_ignore(hid)) {
792                 hid_destroy_device(session->hid);
793                 session->hid = NULL;
794                 return -ENODEV;
795         }
796 
797         return 0;
798 
799 fault:
800         kfree(session->rd_data);
801         session->rd_data = NULL;
802 
803         return err;
804 }
805 
806 /* initialize session devices */
807 static int hidp_session_dev_init(struct hidp_session *session,
808                                  struct hidp_connadd_req *req)
809 {
810         int ret;
811 
812         if (req->rd_size > 0) {
813                 ret = hidp_setup_hid(session, req);
814                 if (ret && ret != -ENODEV)
815                         return ret;
816         }
817 
818         if (!session->hid) {
819                 ret = hidp_setup_input(session, req);
820                 if (ret < 0)
821                         return ret;
822         }
823 
824         return 0;
825 }
826 
827 /* destroy session devices */
828 static void hidp_session_dev_destroy(struct hidp_session *session)
829 {
830         if (session->hid)
831                 put_device(&session->hid->dev);
832         else if (session->input)
833                 input_put_device(session->input);
834 
835         kfree(session->rd_data);
836         session->rd_data = NULL;
837 }
838 
839 /* add HID/input devices to their underlying bus systems */
840 static int hidp_session_dev_add(struct hidp_session *session)
841 {
842         int ret;
843 
844         /* Both HID and input systems drop a ref-count when unregistering the
845          * device but they don't take a ref-count when registering them. Work
846          * around this by explicitly taking a refcount during registration
847          * which is dropped automatically by unregistering the devices. */
848 
849         if (session->hid) {
850                 ret = hid_add_device(session->hid);
851                 if (ret)
852                         return ret;
853                 get_device(&session->hid->dev);
854         } else if (session->input) {
855                 ret = input_register_device(session->input);
856                 if (ret)
857                         return ret;
858                 input_get_device(session->input);
859         }
860 
861         return 0;
862 }
863 
864 /* remove HID/input devices from their bus systems */
865 static void hidp_session_dev_del(struct hidp_session *session)
866 {
867         if (session->hid)
868                 hid_destroy_device(session->hid);
869         else if (session->input)
870                 input_unregister_device(session->input);
871 }
872 
873 /*
874  * Asynchronous device registration
875  * HID device drivers might want to perform I/O during initialization to
876  * detect device types. Therefore, call device registration in a separate
877  * worker so the HIDP thread can schedule I/O operations.
878  * Note that this must be called after the worker thread was initialized
879  * successfully. This will then add the devices and increase session state
880  * on success, otherwise it will terminate the session thread.
881  */
882 static void hidp_session_dev_work(struct work_struct *work)
883 {
884         struct hidp_session *session = container_of(work,
885                                                     struct hidp_session,
886                                                     dev_init);
887         int ret;
888 
889         ret = hidp_session_dev_add(session);
890         if (!ret)
891                 atomic_inc(&session->state);
892         else
893                 hidp_session_terminate(session);
894 }
895 
896 /*
897  * Create new session object
898  * Allocate session object, initialize static fields, copy input data into the
899  * object and take a reference to all sub-objects.
900  * This returns 0 on success and puts a pointer to the new session object in
901  * \out. Otherwise, an error code is returned.
902  * The new session object has an initial ref-count of 1.
903  */
904 static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
905                             struct socket *ctrl_sock,
906                             struct socket *intr_sock,
907                             struct hidp_connadd_req *req,
908                             struct l2cap_conn *conn)
909 {
910         struct hidp_session *session;
911         int ret;
912         struct bt_sock *ctrl, *intr;
913 
914         ctrl = bt_sk(ctrl_sock->sk);
915         intr = bt_sk(intr_sock->sk);
916 
917         session = kzalloc(sizeof(*session), GFP_KERNEL);
918         if (!session)
919                 return -ENOMEM;
920 
921         /* object and runtime management */
922         kref_init(&session->ref);
923         atomic_set(&session->state, HIDP_SESSION_IDLING);
924         init_waitqueue_head(&session->state_queue);
925         session->flags = req->flags & BIT(HIDP_BLUETOOTH_VENDOR_ID);
926 
927         /* connection management */
928         bacpy(&session->bdaddr, bdaddr);
929         session->conn = l2cap_conn_get(conn);
930         session->user.probe = hidp_session_probe;
931         session->user.remove = hidp_session_remove;
932         INIT_LIST_HEAD(&session->user.list);
933         session->ctrl_sock = ctrl_sock;
934         session->intr_sock = intr_sock;
935         skb_queue_head_init(&session->ctrl_transmit);
936         skb_queue_head_init(&session->intr_transmit);
937         session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
938                                         l2cap_pi(ctrl)->chan->imtu);
939         session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
940                                         l2cap_pi(intr)->chan->imtu);
941         session->idle_to = req->idle_to;
942 
943         /* device management */
944         INIT_WORK(&session->dev_init, hidp_session_dev_work);
945         setup_timer(&session->timer, hidp_idle_timeout,
946                     (unsigned long)session);
947 
948         /* session data */
949         mutex_init(&session->report_mutex);
950         init_waitqueue_head(&session->report_queue);
951 
952         ret = hidp_session_dev_init(session, req);
953         if (ret)
954                 goto err_free;
955 
956         get_file(session->intr_sock->file);
957         get_file(session->ctrl_sock->file);
958         *out = session;
959         return 0;
960 
961 err_free:
962         l2cap_conn_put(session->conn);
963         kfree(session);
964         return ret;
965 }
966 
967 /* increase ref-count of the given session by one */
968 static void hidp_session_get(struct hidp_session *session)
969 {
970         kref_get(&session->ref);
971 }
972 
973 /* release callback */
974 static void session_free(struct kref *ref)
975 {
976         struct hidp_session *session = container_of(ref, struct hidp_session,
977                                                     ref);
978 
979         hidp_session_dev_destroy(session);
980         skb_queue_purge(&session->ctrl_transmit);
981         skb_queue_purge(&session->intr_transmit);
982         fput(session->intr_sock->file);
983         fput(session->ctrl_sock->file);
984         l2cap_conn_put(session->conn);
985         kfree(session);
986 }
987 
988 /* decrease ref-count of the given session by one */
989 static void hidp_session_put(struct hidp_session *session)
990 {
991         kref_put(&session->ref, session_free);
992 }
993 
994 /*
995  * Search the list of active sessions for a session with target address
996  * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
997  * you do not release this lock, the session objects cannot vanish and you can
998  * safely take a reference to the session yourself.
999  */
1000 static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
1001 {
1002         struct hidp_session *session;
1003 
1004         list_for_each_entry(session, &hidp_session_list, list) {
1005                 if (!bacmp(bdaddr, &session->bdaddr))
1006                         return session;
1007         }
1008 
1009         return NULL;
1010 }
1011 
1012 /*
1013  * Same as __hidp_session_find() but no locks must be held. This also takes a
1014  * reference of the returned session (if non-NULL) so you must drop this
1015  * reference if you no longer use the object.
1016  */
1017 static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
1018 {
1019         struct hidp_session *session;
1020 
1021         down_read(&hidp_session_sem);
1022 
1023         session = __hidp_session_find(bdaddr);
1024         if (session)
1025                 hidp_session_get(session);
1026 
1027         up_read(&hidp_session_sem);
1028 
1029         return session;
1030 }
1031 
1032 /*
1033  * Start session synchronously
1034  * This starts a session thread and waits until initialization
1035  * is done or returns an error if it couldn't be started.
1036  * If this returns 0 the session thread is up and running. You must call
1037  * hipd_session_stop_sync() before deleting any runtime resources.
1038  */
1039 static int hidp_session_start_sync(struct hidp_session *session)
1040 {
1041         unsigned int vendor, product;
1042 
1043         if (session->hid) {
1044                 vendor  = session->hid->vendor;
1045                 product = session->hid->product;
1046         } else if (session->input) {
1047                 vendor  = session->input->id.vendor;
1048                 product = session->input->id.product;
1049         } else {
1050                 vendor = 0x0000;
1051                 product = 0x0000;
1052         }
1053 
1054         session->task = kthread_run(hidp_session_thread, session,
1055                                     "khidpd_%04x%04x", vendor, product);
1056         if (IS_ERR(session->task))
1057                 return PTR_ERR(session->task);
1058 
1059         while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
1060                 wait_event(session->state_queue,
1061                            atomic_read(&session->state) > HIDP_SESSION_IDLING);
1062 
1063         return 0;
1064 }
1065 
1066 /*
1067  * Terminate session thread
1068  * Wake up session thread and notify it to stop. This is asynchronous and
1069  * returns immediately. Call this whenever a runtime error occurs and you want
1070  * the session to stop.
1071  * Note: wake_up_process() performs any necessary memory-barriers for us.
1072  */
1073 static void hidp_session_terminate(struct hidp_session *session)
1074 {
1075         atomic_inc(&session->terminate);
1076         wake_up_process(session->task);
1077 }
1078 
1079 /*
1080  * Probe HIDP session
1081  * This is called from the l2cap_conn core when our l2cap_user object is bound
1082  * to the hci-connection. We get the session via the \user object and can now
1083  * start the session thread, link it into the global session list and
1084  * schedule HID/input device registration.
1085  * The global session-list owns its own reference to the session object so you
1086  * can drop your own reference after registering the l2cap_user object.
1087  */
1088 static int hidp_session_probe(struct l2cap_conn *conn,
1089                               struct l2cap_user *user)
1090 {
1091         struct hidp_session *session = container_of(user,
1092                                                     struct hidp_session,
1093                                                     user);
1094         struct hidp_session *s;
1095         int ret;
1096 
1097         down_write(&hidp_session_sem);
1098 
1099         /* check that no other session for this device exists */
1100         s = __hidp_session_find(&session->bdaddr);
1101         if (s) {
1102                 ret = -EEXIST;
1103                 goto out_unlock;
1104         }
1105 
1106         if (session->input) {
1107                 ret = hidp_session_dev_add(session);
1108                 if (ret)
1109                         goto out_unlock;
1110         }
1111 
1112         ret = hidp_session_start_sync(session);
1113         if (ret)
1114                 goto out_del;
1115 
1116         /* HID device registration is async to allow I/O during probe */
1117         if (session->input)
1118                 atomic_inc(&session->state);
1119         else
1120                 schedule_work(&session->dev_init);
1121 
1122         hidp_session_get(session);
1123         list_add(&session->list, &hidp_session_list);
1124         ret = 0;
1125         goto out_unlock;
1126 
1127 out_del:
1128         if (session->input)
1129                 hidp_session_dev_del(session);
1130 out_unlock:
1131         up_write(&hidp_session_sem);
1132         return ret;
1133 }
1134 
1135 /*
1136  * Remove HIDP session
1137  * Called from the l2cap_conn core when either we explicitly unregistered
1138  * the l2cap_user object or if the underlying connection is shut down.
1139  * We signal the hidp-session thread to shut down, unregister the HID/input
1140  * devices and unlink the session from the global list.
1141  * This drops the reference to the session that is owned by the global
1142  * session-list.
1143  * Note: We _must_ not synchronosly wait for the session-thread to shut down.
1144  * This is, because the session-thread might be waiting for an HCI lock that is
1145  * held while we are called. Therefore, we only unregister the devices and
1146  * notify the session-thread to terminate. The thread itself owns a reference
1147  * to the session object so it can safely shut down.
1148  */
1149 static void hidp_session_remove(struct l2cap_conn *conn,
1150                                 struct l2cap_user *user)
1151 {
1152         struct hidp_session *session = container_of(user,
1153                                                     struct hidp_session,
1154                                                     user);
1155 
1156         down_write(&hidp_session_sem);
1157 
1158         hidp_session_terminate(session);
1159 
1160         cancel_work_sync(&session->dev_init);
1161         if (session->input ||
1162             atomic_read(&session->state) > HIDP_SESSION_PREPARING)
1163                 hidp_session_dev_del(session);
1164 
1165         list_del(&session->list);
1166 
1167         up_write(&hidp_session_sem);
1168 
1169         hidp_session_put(session);
1170 }
1171 
1172 /*
1173  * Session Worker
1174  * This performs the actual main-loop of the HIDP worker. We first check
1175  * whether the underlying connection is still alive, then parse all pending
1176  * messages and finally send all outstanding messages.
1177  */
1178 static void hidp_session_run(struct hidp_session *session)
1179 {
1180         struct sock *ctrl_sk = session->ctrl_sock->sk;
1181         struct sock *intr_sk = session->intr_sock->sk;
1182         struct sk_buff *skb;
1183 
1184         for (;;) {
1185                 /*
1186                  * This thread can be woken up two ways:
1187                  *  - You call hidp_session_terminate() which sets the
1188                  *    session->terminate flag and wakes this thread up.
1189                  *  - Via modifying the socket state of ctrl/intr_sock. This
1190                  *    thread is woken up by ->sk_state_changed().
1191                  *
1192                  * Note: set_current_state() performs any necessary
1193                  * memory-barriers for us.
1194                  */
1195                 set_current_state(TASK_INTERRUPTIBLE);
1196 
1197                 if (atomic_read(&session->terminate))
1198                         break;
1199 
1200                 if (ctrl_sk->sk_state != BT_CONNECTED ||
1201                     intr_sk->sk_state != BT_CONNECTED)
1202                         break;
1203 
1204                 /* parse incoming intr-skbs */
1205                 while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
1206                         skb_orphan(skb);
1207                         if (!skb_linearize(skb))
1208                                 hidp_recv_intr_frame(session, skb);
1209                         else
1210                                 kfree_skb(skb);
1211                 }
1212 
1213                 /* send pending intr-skbs */
1214                 hidp_process_transmit(session, &session->intr_transmit,
1215                                       session->intr_sock);
1216 
1217                 /* parse incoming ctrl-skbs */
1218                 while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
1219                         skb_orphan(skb);
1220                         if (!skb_linearize(skb))
1221                                 hidp_recv_ctrl_frame(session, skb);
1222                         else
1223                                 kfree_skb(skb);
1224                 }
1225 
1226                 /* send pending ctrl-skbs */
1227                 hidp_process_transmit(session, &session->ctrl_transmit,
1228                                       session->ctrl_sock);
1229 
1230                 schedule();
1231         }
1232 
1233         atomic_inc(&session->terminate);
1234         set_current_state(TASK_RUNNING);
1235 }
1236 
1237 /*
1238  * HIDP session thread
1239  * This thread runs the I/O for a single HIDP session. Startup is synchronous
1240  * which allows us to take references to ourself here instead of doing that in
1241  * the caller.
1242  * When we are ready to run we notify the caller and call hidp_session_run().
1243  */
1244 static int hidp_session_thread(void *arg)
1245 {
1246         struct hidp_session *session = arg;
1247         wait_queue_t ctrl_wait, intr_wait;
1248 
1249         BT_DBG("session %p", session);
1250 
1251         /* initialize runtime environment */
1252         hidp_session_get(session);
1253         __module_get(THIS_MODULE);
1254         set_user_nice(current, -15);
1255         hidp_set_timer(session);
1256 
1257         init_waitqueue_entry(&ctrl_wait, current);
1258         init_waitqueue_entry(&intr_wait, current);
1259         add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
1260         add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1261         /* This memory barrier is paired with wq_has_sleeper(). See
1262          * sock_poll_wait() for more information why this is needed. */
1263         smp_mb();
1264 
1265         /* notify synchronous startup that we're ready */
1266         atomic_inc(&session->state);
1267         wake_up(&session->state_queue);
1268 
1269         /* run session */
1270         hidp_session_run(session);
1271 
1272         /* cleanup runtime environment */
1273         remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1274         remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
1275         wake_up_interruptible(&session->report_queue);
1276         hidp_del_timer(session);
1277 
1278         /*
1279          * If we stopped ourself due to any internal signal, we should try to
1280          * unregister our own session here to avoid having it linger until the
1281          * parent l2cap_conn dies or user-space cleans it up.
1282          * This does not deadlock as we don't do any synchronous shutdown.
1283          * Instead, this call has the same semantics as if user-space tried to
1284          * delete the session.
1285          */
1286         l2cap_unregister_user(session->conn, &session->user);
1287         hidp_session_put(session);
1288 
1289         module_put_and_exit(0);
1290         return 0;
1291 }
1292 
1293 static int hidp_verify_sockets(struct socket *ctrl_sock,
1294                                struct socket *intr_sock)
1295 {
1296         struct l2cap_chan *ctrl_chan, *intr_chan;
1297         struct bt_sock *ctrl, *intr;
1298         struct hidp_session *session;
1299 
1300         if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
1301                 return -EINVAL;
1302 
1303         ctrl_chan = l2cap_pi(ctrl_sock->sk)->chan;
1304         intr_chan = l2cap_pi(intr_sock->sk)->chan;
1305 
1306         if (bacmp(&ctrl_chan->src, &intr_chan->src) ||
1307             bacmp(&ctrl_chan->dst, &intr_chan->dst))
1308                 return -ENOTUNIQ;
1309 
1310         ctrl = bt_sk(ctrl_sock->sk);
1311         intr = bt_sk(intr_sock->sk);
1312 
1313         if (ctrl->sk.sk_state != BT_CONNECTED ||
1314             intr->sk.sk_state != BT_CONNECTED)
1315                 return -EBADFD;
1316 
1317         /* early session check, we check again during session registration */
1318         session = hidp_session_find(&ctrl_chan->dst);
1319         if (session) {
1320                 hidp_session_put(session);
1321                 return -EEXIST;
1322         }
1323 
1324         return 0;
1325 }
1326 
1327 int hidp_connection_add(struct hidp_connadd_req *req,
1328                         struct socket *ctrl_sock,
1329                         struct socket *intr_sock)
1330 {
1331         u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG) |
1332                           BIT(HIDP_BOOT_PROTOCOL_MODE);
1333         struct hidp_session *session;
1334         struct l2cap_conn *conn;
1335         struct l2cap_chan *chan;
1336         int ret;
1337 
1338         ret = hidp_verify_sockets(ctrl_sock, intr_sock);
1339         if (ret)
1340                 return ret;
1341 
1342         if (req->flags & ~valid_flags)
1343                 return -EINVAL;
1344 
1345         chan = l2cap_pi(ctrl_sock->sk)->chan;
1346         conn = NULL;
1347         l2cap_chan_lock(chan);
1348         if (chan->conn)
1349                 conn = l2cap_conn_get(chan->conn);
1350         l2cap_chan_unlock(chan);
1351 
1352         if (!conn)
1353                 return -EBADFD;
1354 
1355         ret = hidp_session_new(&session, &chan->dst, ctrl_sock,
1356                                intr_sock, req, conn);
1357         if (ret)
1358                 goto out_conn;
1359 
1360         ret = l2cap_register_user(conn, &session->user);
1361         if (ret)
1362                 goto out_session;
1363 
1364         ret = 0;
1365 
1366 out_session:
1367         hidp_session_put(session);
1368 out_conn:
1369         l2cap_conn_put(conn);
1370         return ret;
1371 }
1372 
1373 int hidp_connection_del(struct hidp_conndel_req *req)
1374 {
1375         u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG);
1376         struct hidp_session *session;
1377 
1378         if (req->flags & ~valid_flags)
1379                 return -EINVAL;
1380 
1381         session = hidp_session_find(&req->bdaddr);
1382         if (!session)
1383                 return -ENOENT;
1384 
1385         if (req->flags & BIT(HIDP_VIRTUAL_CABLE_UNPLUG))
1386                 hidp_send_ctrl_message(session,
1387                                        HIDP_TRANS_HID_CONTROL |
1388                                          HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
1389                                        NULL, 0);
1390         else
1391                 l2cap_unregister_user(session->conn, &session->user);
1392 
1393         hidp_session_put(session);
1394 
1395         return 0;
1396 }
1397 
1398 int hidp_get_connlist(struct hidp_connlist_req *req)
1399 {
1400         struct hidp_session *session;
1401         int err = 0, n = 0;
1402 
1403         BT_DBG("");
1404 
1405         down_read(&hidp_session_sem);
1406 
1407         list_for_each_entry(session, &hidp_session_list, list) {
1408                 struct hidp_conninfo ci;
1409 
1410                 hidp_copy_session(session, &ci);
1411 
1412                 if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1413                         err = -EFAULT;
1414                         break;
1415                 }
1416 
1417                 if (++n >= req->cnum)
1418                         break;
1419 
1420                 req->ci++;
1421         }
1422         req->cnum = n;
1423 
1424         up_read(&hidp_session_sem);
1425         return err;
1426 }
1427 
1428 int hidp_get_conninfo(struct hidp_conninfo *ci)
1429 {
1430         struct hidp_session *session;
1431 
1432         session = hidp_session_find(&ci->bdaddr);
1433         if (session) {
1434                 hidp_copy_session(session, ci);
1435                 hidp_session_put(session);
1436         }
1437 
1438         return session ? 0 : -ENOENT;
1439 }
1440 
1441 static int __init hidp_init(void)
1442 {
1443         BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
1444 
1445         return hidp_init_sockets();
1446 }
1447 
1448 static void __exit hidp_exit(void)
1449 {
1450         hidp_cleanup_sockets();
1451 }
1452 
1453 module_init(hidp_init);
1454 module_exit(hidp_exit);
1455 
1456 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1457 MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
1458 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1459 MODULE_VERSION(VERSION);
1460 MODULE_LICENSE("GPL");
1461 MODULE_ALIAS("bt-proto-6");
1462 

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us