xref: /openbmc/linux/net/bluetooth/hidp/core.c (revision 612a462a)
1 /*
2    HIDP implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4    Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 #include <linux/kref.h>
25 #include <linux/module.h>
26 #include <linux/file.h>
27 #include <linux/kthread.h>
28 #include <linux/hidraw.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 
34 #include "hidp.h"
35 
36 #define VERSION "1.2"
37 
38 static DECLARE_RWSEM(hidp_session_sem);
39 static DECLARE_WAIT_QUEUE_HEAD(hidp_session_wq);
40 static LIST_HEAD(hidp_session_list);
41 
42 static unsigned char hidp_keycode[256] = {
43 	  0,   0,   0,   0,  30,  48,  46,  32,  18,  33,  34,  35,  23,  36,
44 	 37,  38,  50,  49,  24,  25,  16,  19,  31,  20,  22,  47,  17,  45,
45 	 21,  44,   2,   3,   4,   5,   6,   7,   8,   9,  10,  11,  28,   1,
46 	 14,  15,  57,  12,  13,  26,  27,  43,  43,  39,  40,  41,  51,  52,
47 	 53,  58,  59,  60,  61,  62,  63,  64,  65,  66,  67,  68,  87,  88,
48 	 99,  70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103,  69,
49 	 98,  55,  74,  78,  96,  79,  80,  81,  75,  76,  77,  71,  72,  73,
50 	 82,  83,  86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
51 	191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
52 	136, 113, 115, 114,   0,   0,   0, 121,   0,  89,  93, 124,  92,  94,
53 	 95,   0,   0,   0, 122, 123,  90,  91,  85,   0,   0,   0,   0,   0,
54 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
55 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
56 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
57 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
58 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
59 	 29,  42,  56, 125,  97,  54, 100, 126, 164, 166, 165, 163, 161, 115,
60 	114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
61 };
62 
63 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
64 
65 static int hidp_session_probe(struct l2cap_conn *conn,
66 			      struct l2cap_user *user);
67 static void hidp_session_remove(struct l2cap_conn *conn,
68 				struct l2cap_user *user);
69 static int hidp_session_thread(void *arg);
70 static void hidp_session_terminate(struct hidp_session *s);
71 
72 static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
73 {
74 	u32 valid_flags = 0;
75 	memset(ci, 0, sizeof(*ci));
76 	bacpy(&ci->bdaddr, &session->bdaddr);
77 
78 	ci->flags = session->flags & valid_flags;
79 	ci->state = BT_CONNECTED;
80 
81 	if (session->input) {
82 		ci->vendor  = session->input->id.vendor;
83 		ci->product = session->input->id.product;
84 		ci->version = session->input->id.version;
85 		if (session->input->name)
86 			strlcpy(ci->name, session->input->name, 128);
87 		else
88 			strlcpy(ci->name, "HID Boot Device", 128);
89 	} else if (session->hid) {
90 		ci->vendor  = session->hid->vendor;
91 		ci->product = session->hid->product;
92 		ci->version = session->hid->version;
93 		strlcpy(ci->name, session->hid->name, 128);
94 	}
95 }
96 
97 /* assemble skb, queue message on @transmit and wake up the session thread */
98 static int hidp_send_message(struct hidp_session *session, struct socket *sock,
99 			     struct sk_buff_head *transmit, unsigned char hdr,
100 			     const unsigned char *data, int size)
101 {
102 	struct sk_buff *skb;
103 	struct sock *sk = sock->sk;
104 
105 	BT_DBG("session %p data %p size %d", session, data, size);
106 
107 	if (atomic_read(&session->terminate))
108 		return -EIO;
109 
110 	skb = alloc_skb(size + 1, GFP_ATOMIC);
111 	if (!skb) {
112 		BT_ERR("Can't allocate memory for new frame");
113 		return -ENOMEM;
114 	}
115 
116 	skb_put_u8(skb, hdr);
117 	if (data && size > 0)
118 		skb_put_data(skb, data, size);
119 
120 	skb_queue_tail(transmit, skb);
121 	wake_up_interruptible(sk_sleep(sk));
122 
123 	return 0;
124 }
125 
126 static int hidp_send_ctrl_message(struct hidp_session *session,
127 				  unsigned char hdr, const unsigned char *data,
128 				  int size)
129 {
130 	return hidp_send_message(session, session->ctrl_sock,
131 				 &session->ctrl_transmit, hdr, data, size);
132 }
133 
134 static int hidp_send_intr_message(struct hidp_session *session,
135 				  unsigned char hdr, const unsigned char *data,
136 				  int size)
137 {
138 	return hidp_send_message(session, session->intr_sock,
139 				 &session->intr_transmit, hdr, data, size);
140 }
141 
142 static int hidp_input_event(struct input_dev *dev, unsigned int type,
143 			    unsigned int code, int value)
144 {
145 	struct hidp_session *session = input_get_drvdata(dev);
146 	unsigned char newleds;
147 	unsigned char hdr, data[2];
148 
149 	BT_DBG("session %p type %d code %d value %d",
150 	       session, type, code, value);
151 
152 	if (type != EV_LED)
153 		return -1;
154 
155 	newleds = (!!test_bit(LED_KANA,    dev->led) << 3) |
156 		  (!!test_bit(LED_COMPOSE, dev->led) << 3) |
157 		  (!!test_bit(LED_SCROLLL, dev->led) << 2) |
158 		  (!!test_bit(LED_CAPSL,   dev->led) << 1) |
159 		  (!!test_bit(LED_NUML,    dev->led) << 0);
160 
161 	if (session->leds == newleds)
162 		return 0;
163 
164 	session->leds = newleds;
165 
166 	hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
167 	data[0] = 0x01;
168 	data[1] = newleds;
169 
170 	return hidp_send_intr_message(session, hdr, data, 2);
171 }
172 
173 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
174 {
175 	struct input_dev *dev = session->input;
176 	unsigned char *keys = session->keys;
177 	unsigned char *udata = skb->data + 1;
178 	signed char *sdata = skb->data + 1;
179 	int i, size = skb->len - 1;
180 
181 	switch (skb->data[0]) {
182 	case 0x01:	/* Keyboard report */
183 		for (i = 0; i < 8; i++)
184 			input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
185 
186 		/* If all the key codes have been set to 0x01, it means
187 		 * too many keys were pressed at the same time. */
188 		if (!memcmp(udata + 2, hidp_mkeyspat, 6))
189 			break;
190 
191 		for (i = 2; i < 8; i++) {
192 			if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
193 				if (hidp_keycode[keys[i]])
194 					input_report_key(dev, hidp_keycode[keys[i]], 0);
195 				else
196 					BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
197 			}
198 
199 			if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
200 				if (hidp_keycode[udata[i]])
201 					input_report_key(dev, hidp_keycode[udata[i]], 1);
202 				else
203 					BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
204 			}
205 		}
206 
207 		memcpy(keys, udata, 8);
208 		break;
209 
210 	case 0x02:	/* Mouse report */
211 		input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
212 		input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
213 		input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
214 		input_report_key(dev, BTN_SIDE,   sdata[0] & 0x08);
215 		input_report_key(dev, BTN_EXTRA,  sdata[0] & 0x10);
216 
217 		input_report_rel(dev, REL_X, sdata[1]);
218 		input_report_rel(dev, REL_Y, sdata[2]);
219 
220 		if (size > 3)
221 			input_report_rel(dev, REL_WHEEL, sdata[3]);
222 		break;
223 	}
224 
225 	input_sync(dev);
226 }
227 
228 static int hidp_get_raw_report(struct hid_device *hid,
229 		unsigned char report_number,
230 		unsigned char *data, size_t count,
231 		unsigned char report_type)
232 {
233 	struct hidp_session *session = hid->driver_data;
234 	struct sk_buff *skb;
235 	size_t len;
236 	int numbered_reports = hid->report_enum[report_type].numbered;
237 	int ret;
238 
239 	if (atomic_read(&session->terminate))
240 		return -EIO;
241 
242 	switch (report_type) {
243 	case HID_FEATURE_REPORT:
244 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
245 		break;
246 	case HID_INPUT_REPORT:
247 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
248 		break;
249 	case HID_OUTPUT_REPORT:
250 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
251 		break;
252 	default:
253 		return -EINVAL;
254 	}
255 
256 	if (mutex_lock_interruptible(&session->report_mutex))
257 		return -ERESTARTSYS;
258 
259 	/* Set up our wait, and send the report request to the device. */
260 	session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
261 	session->waiting_report_number = numbered_reports ? report_number : -1;
262 	set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
263 	data[0] = report_number;
264 	ret = hidp_send_ctrl_message(session, report_type, data, 1);
265 	if (ret)
266 		goto err;
267 
268 	/* Wait for the return of the report. The returned report
269 	   gets put in session->report_return.  */
270 	while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
271 	       !atomic_read(&session->terminate)) {
272 		int res;
273 
274 		res = wait_event_interruptible_timeout(session->report_queue,
275 			!test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
276 				|| atomic_read(&session->terminate),
277 			5*HZ);
278 		if (res == 0) {
279 			/* timeout */
280 			ret = -EIO;
281 			goto err;
282 		}
283 		if (res < 0) {
284 			/* signal */
285 			ret = -ERESTARTSYS;
286 			goto err;
287 		}
288 	}
289 
290 	skb = session->report_return;
291 	if (skb) {
292 		len = skb->len < count ? skb->len : count;
293 		memcpy(data, skb->data, len);
294 
295 		kfree_skb(skb);
296 		session->report_return = NULL;
297 	} else {
298 		/* Device returned a HANDSHAKE, indicating  protocol error. */
299 		len = -EIO;
300 	}
301 
302 	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
303 	mutex_unlock(&session->report_mutex);
304 
305 	return len;
306 
307 err:
308 	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
309 	mutex_unlock(&session->report_mutex);
310 	return ret;
311 }
312 
313 static int hidp_set_raw_report(struct hid_device *hid, unsigned char reportnum,
314 			       unsigned char *data, size_t count,
315 			       unsigned char report_type)
316 {
317 	struct hidp_session *session = hid->driver_data;
318 	int ret;
319 
320 	switch (report_type) {
321 	case HID_FEATURE_REPORT:
322 		report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
323 		break;
324 	case HID_INPUT_REPORT:
325 		report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_INPUT;
326 		break;
327 	case HID_OUTPUT_REPORT:
328 		report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
329 		break;
330 	default:
331 		return -EINVAL;
332 	}
333 
334 	if (mutex_lock_interruptible(&session->report_mutex))
335 		return -ERESTARTSYS;
336 
337 	/* Set up our wait, and send the report request to the device. */
338 	data[0] = reportnum;
339 	set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
340 	ret = hidp_send_ctrl_message(session, report_type, data, count);
341 	if (ret)
342 		goto err;
343 
344 	/* Wait for the ACK from the device. */
345 	while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
346 	       !atomic_read(&session->terminate)) {
347 		int res;
348 
349 		res = wait_event_interruptible_timeout(session->report_queue,
350 			!test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
351 				|| atomic_read(&session->terminate),
352 			10*HZ);
353 		if (res == 0) {
354 			/* timeout */
355 			ret = -EIO;
356 			goto err;
357 		}
358 		if (res < 0) {
359 			/* signal */
360 			ret = -ERESTARTSYS;
361 			goto err;
362 		}
363 	}
364 
365 	if (!session->output_report_success) {
366 		ret = -EIO;
367 		goto err;
368 	}
369 
370 	ret = count;
371 
372 err:
373 	clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
374 	mutex_unlock(&session->report_mutex);
375 	return ret;
376 }
377 
378 static int hidp_output_report(struct hid_device *hid, __u8 *data, size_t count)
379 {
380 	struct hidp_session *session = hid->driver_data;
381 
382 	return hidp_send_intr_message(session,
383 				      HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT,
384 				      data, count);
385 }
386 
387 static int hidp_raw_request(struct hid_device *hid, unsigned char reportnum,
388 			    __u8 *buf, size_t len, unsigned char rtype,
389 			    int reqtype)
390 {
391 	switch (reqtype) {
392 	case HID_REQ_GET_REPORT:
393 		return hidp_get_raw_report(hid, reportnum, buf, len, rtype);
394 	case HID_REQ_SET_REPORT:
395 		return hidp_set_raw_report(hid, reportnum, buf, len, rtype);
396 	default:
397 		return -EIO;
398 	}
399 }
400 
401 static void hidp_idle_timeout(unsigned long arg)
402 {
403 	struct hidp_session *session = (struct hidp_session *) arg;
404 
405 	/* The HIDP user-space API only contains calls to add and remove
406 	 * devices. There is no way to forward events of any kind. Therefore,
407 	 * we have to forcefully disconnect a device on idle-timeouts. This is
408 	 * unfortunate and weird API design, but it is spec-compliant and
409 	 * required for backwards-compatibility. Hence, on idle-timeout, we
410 	 * signal driver-detach events, so poll() will be woken up with an
411 	 * error-condition on both sockets.
412 	 */
413 
414 	session->intr_sock->sk->sk_err = EUNATCH;
415 	session->ctrl_sock->sk->sk_err = EUNATCH;
416 	wake_up_interruptible(sk_sleep(session->intr_sock->sk));
417 	wake_up_interruptible(sk_sleep(session->ctrl_sock->sk));
418 
419 	hidp_session_terminate(session);
420 }
421 
422 static void hidp_set_timer(struct hidp_session *session)
423 {
424 	if (session->idle_to > 0)
425 		mod_timer(&session->timer, jiffies + HZ * session->idle_to);
426 }
427 
428 static void hidp_del_timer(struct hidp_session *session)
429 {
430 	if (session->idle_to > 0)
431 		del_timer(&session->timer);
432 }
433 
434 static void hidp_process_report(struct hidp_session *session,
435 				int type, const u8 *data, int len, int intr)
436 {
437 	if (len > HID_MAX_BUFFER_SIZE)
438 		len = HID_MAX_BUFFER_SIZE;
439 
440 	memcpy(session->input_buf, data, len);
441 	hid_input_report(session->hid, type, session->input_buf, len, intr);
442 }
443 
444 static void hidp_process_handshake(struct hidp_session *session,
445 					unsigned char param)
446 {
447 	BT_DBG("session %p param 0x%02x", session, param);
448 	session->output_report_success = 0; /* default condition */
449 
450 	switch (param) {
451 	case HIDP_HSHK_SUCCESSFUL:
452 		/* FIXME: Call into SET_ GET_ handlers here */
453 		session->output_report_success = 1;
454 		break;
455 
456 	case HIDP_HSHK_NOT_READY:
457 	case HIDP_HSHK_ERR_INVALID_REPORT_ID:
458 	case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
459 	case HIDP_HSHK_ERR_INVALID_PARAMETER:
460 		if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
461 			wake_up_interruptible(&session->report_queue);
462 
463 		/* FIXME: Call into SET_ GET_ handlers here */
464 		break;
465 
466 	case HIDP_HSHK_ERR_UNKNOWN:
467 		break;
468 
469 	case HIDP_HSHK_ERR_FATAL:
470 		/* Device requests a reboot, as this is the only way this error
471 		 * can be recovered. */
472 		hidp_send_ctrl_message(session,
473 			HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
474 		break;
475 
476 	default:
477 		hidp_send_ctrl_message(session,
478 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
479 		break;
480 	}
481 
482 	/* Wake up the waiting thread. */
483 	if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
484 		wake_up_interruptible(&session->report_queue);
485 }
486 
487 static void hidp_process_hid_control(struct hidp_session *session,
488 					unsigned char param)
489 {
490 	BT_DBG("session %p param 0x%02x", session, param);
491 
492 	if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
493 		/* Flush the transmit queues */
494 		skb_queue_purge(&session->ctrl_transmit);
495 		skb_queue_purge(&session->intr_transmit);
496 
497 		hidp_session_terminate(session);
498 	}
499 }
500 
501 /* Returns true if the passed-in skb should be freed by the caller. */
502 static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
503 				unsigned char param)
504 {
505 	int done_with_skb = 1;
506 	BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
507 
508 	switch (param) {
509 	case HIDP_DATA_RTYPE_INPUT:
510 		hidp_set_timer(session);
511 
512 		if (session->input)
513 			hidp_input_report(session, skb);
514 
515 		if (session->hid)
516 			hidp_process_report(session, HID_INPUT_REPORT,
517 					    skb->data, skb->len, 0);
518 		break;
519 
520 	case HIDP_DATA_RTYPE_OTHER:
521 	case HIDP_DATA_RTYPE_OUPUT:
522 	case HIDP_DATA_RTYPE_FEATURE:
523 		break;
524 
525 	default:
526 		hidp_send_ctrl_message(session,
527 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
528 	}
529 
530 	if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
531 				param == session->waiting_report_type) {
532 		if (session->waiting_report_number < 0 ||
533 		    session->waiting_report_number == skb->data[0]) {
534 			/* hidp_get_raw_report() is waiting on this report. */
535 			session->report_return = skb;
536 			done_with_skb = 0;
537 			clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
538 			wake_up_interruptible(&session->report_queue);
539 		}
540 	}
541 
542 	return done_with_skb;
543 }
544 
545 static void hidp_recv_ctrl_frame(struct hidp_session *session,
546 					struct sk_buff *skb)
547 {
548 	unsigned char hdr, type, param;
549 	int free_skb = 1;
550 
551 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
552 
553 	hdr = skb->data[0];
554 	skb_pull(skb, 1);
555 
556 	type = hdr & HIDP_HEADER_TRANS_MASK;
557 	param = hdr & HIDP_HEADER_PARAM_MASK;
558 
559 	switch (type) {
560 	case HIDP_TRANS_HANDSHAKE:
561 		hidp_process_handshake(session, param);
562 		break;
563 
564 	case HIDP_TRANS_HID_CONTROL:
565 		hidp_process_hid_control(session, param);
566 		break;
567 
568 	case HIDP_TRANS_DATA:
569 		free_skb = hidp_process_data(session, skb, param);
570 		break;
571 
572 	default:
573 		hidp_send_ctrl_message(session,
574 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
575 		break;
576 	}
577 
578 	if (free_skb)
579 		kfree_skb(skb);
580 }
581 
582 static void hidp_recv_intr_frame(struct hidp_session *session,
583 				struct sk_buff *skb)
584 {
585 	unsigned char hdr;
586 
587 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
588 
589 	hdr = skb->data[0];
590 	skb_pull(skb, 1);
591 
592 	if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
593 		hidp_set_timer(session);
594 
595 		if (session->input)
596 			hidp_input_report(session, skb);
597 
598 		if (session->hid) {
599 			hidp_process_report(session, HID_INPUT_REPORT,
600 					    skb->data, skb->len, 1);
601 			BT_DBG("report len %d", skb->len);
602 		}
603 	} else {
604 		BT_DBG("Unsupported protocol header 0x%02x", hdr);
605 	}
606 
607 	kfree_skb(skb);
608 }
609 
610 static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
611 {
612 	struct kvec iv = { data, len };
613 	struct msghdr msg;
614 
615 	BT_DBG("sock %p data %p len %d", sock, data, len);
616 
617 	if (!len)
618 		return 0;
619 
620 	memset(&msg, 0, sizeof(msg));
621 
622 	return kernel_sendmsg(sock, &msg, &iv, 1, len);
623 }
624 
625 /* dequeue message from @transmit and send via @sock */
626 static void hidp_process_transmit(struct hidp_session *session,
627 				  struct sk_buff_head *transmit,
628 				  struct socket *sock)
629 {
630 	struct sk_buff *skb;
631 	int ret;
632 
633 	BT_DBG("session %p", session);
634 
635 	while ((skb = skb_dequeue(transmit))) {
636 		ret = hidp_send_frame(sock, skb->data, skb->len);
637 		if (ret == -EAGAIN) {
638 			skb_queue_head(transmit, skb);
639 			break;
640 		} else if (ret < 0) {
641 			hidp_session_terminate(session);
642 			kfree_skb(skb);
643 			break;
644 		}
645 
646 		hidp_set_timer(session);
647 		kfree_skb(skb);
648 	}
649 }
650 
651 static int hidp_setup_input(struct hidp_session *session,
652 				struct hidp_connadd_req *req)
653 {
654 	struct input_dev *input;
655 	int i;
656 
657 	input = input_allocate_device();
658 	if (!input)
659 		return -ENOMEM;
660 
661 	session->input = input;
662 
663 	input_set_drvdata(input, session);
664 
665 	input->name = "Bluetooth HID Boot Protocol Device";
666 
667 	input->id.bustype = BUS_BLUETOOTH;
668 	input->id.vendor  = req->vendor;
669 	input->id.product = req->product;
670 	input->id.version = req->version;
671 
672 	if (req->subclass & 0x40) {
673 		set_bit(EV_KEY, input->evbit);
674 		set_bit(EV_LED, input->evbit);
675 		set_bit(EV_REP, input->evbit);
676 
677 		set_bit(LED_NUML,    input->ledbit);
678 		set_bit(LED_CAPSL,   input->ledbit);
679 		set_bit(LED_SCROLLL, input->ledbit);
680 		set_bit(LED_COMPOSE, input->ledbit);
681 		set_bit(LED_KANA,    input->ledbit);
682 
683 		for (i = 0; i < sizeof(hidp_keycode); i++)
684 			set_bit(hidp_keycode[i], input->keybit);
685 		clear_bit(0, input->keybit);
686 	}
687 
688 	if (req->subclass & 0x80) {
689 		input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
690 		input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
691 			BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
692 		input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
693 		input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
694 			BIT_MASK(BTN_EXTRA);
695 		input->relbit[0] |= BIT_MASK(REL_WHEEL);
696 	}
697 
698 	input->dev.parent = &session->conn->hcon->dev;
699 
700 	input->event = hidp_input_event;
701 
702 	return 0;
703 }
704 
705 static int hidp_open(struct hid_device *hid)
706 {
707 	return 0;
708 }
709 
710 static void hidp_close(struct hid_device *hid)
711 {
712 }
713 
714 static int hidp_parse(struct hid_device *hid)
715 {
716 	struct hidp_session *session = hid->driver_data;
717 
718 	return hid_parse_report(session->hid, session->rd_data,
719 			session->rd_size);
720 }
721 
722 static int hidp_start(struct hid_device *hid)
723 {
724 	return 0;
725 }
726 
727 static void hidp_stop(struct hid_device *hid)
728 {
729 	struct hidp_session *session = hid->driver_data;
730 
731 	skb_queue_purge(&session->ctrl_transmit);
732 	skb_queue_purge(&session->intr_transmit);
733 
734 	hid->claimed = 0;
735 }
736 
737 struct hid_ll_driver hidp_hid_driver = {
738 	.parse = hidp_parse,
739 	.start = hidp_start,
740 	.stop = hidp_stop,
741 	.open  = hidp_open,
742 	.close = hidp_close,
743 	.raw_request = hidp_raw_request,
744 	.output_report = hidp_output_report,
745 };
746 EXPORT_SYMBOL_GPL(hidp_hid_driver);
747 
748 /* This function sets up the hid device. It does not add it
749    to the HID system. That is done in hidp_add_connection(). */
750 static int hidp_setup_hid(struct hidp_session *session,
751 				struct hidp_connadd_req *req)
752 {
753 	struct hid_device *hid;
754 	int err;
755 
756 	session->rd_data = memdup_user(req->rd_data, req->rd_size);
757 	if (IS_ERR(session->rd_data))
758 		return PTR_ERR(session->rd_data);
759 
760 	session->rd_size = req->rd_size;
761 
762 	hid = hid_allocate_device();
763 	if (IS_ERR(hid)) {
764 		err = PTR_ERR(hid);
765 		goto fault;
766 	}
767 
768 	session->hid = hid;
769 
770 	hid->driver_data = session;
771 
772 	hid->bus     = BUS_BLUETOOTH;
773 	hid->vendor  = req->vendor;
774 	hid->product = req->product;
775 	hid->version = req->version;
776 	hid->country = req->country;
777 
778 	strncpy(hid->name, req->name, sizeof(req->name) - 1);
779 
780 	snprintf(hid->phys, sizeof(hid->phys), "%pMR",
781 		 &l2cap_pi(session->ctrl_sock->sk)->chan->src);
782 
783 	/* NOTE: Some device modules depend on the dst address being stored in
784 	 * uniq. Please be aware of this before making changes to this behavior.
785 	 */
786 	snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
787 		 &l2cap_pi(session->ctrl_sock->sk)->chan->dst);
788 
789 	hid->dev.parent = &session->conn->hcon->dev;
790 	hid->ll_driver = &hidp_hid_driver;
791 
792 	/* True if device is blacklisted in drivers/hid/hid-core.c */
793 	if (hid_ignore(hid)) {
794 		hid_destroy_device(session->hid);
795 		session->hid = NULL;
796 		return -ENODEV;
797 	}
798 
799 	return 0;
800 
801 fault:
802 	kfree(session->rd_data);
803 	session->rd_data = NULL;
804 
805 	return err;
806 }
807 
808 /* initialize session devices */
809 static int hidp_session_dev_init(struct hidp_session *session,
810 				 struct hidp_connadd_req *req)
811 {
812 	int ret;
813 
814 	if (req->rd_size > 0) {
815 		ret = hidp_setup_hid(session, req);
816 		if (ret && ret != -ENODEV)
817 			return ret;
818 	}
819 
820 	if (!session->hid) {
821 		ret = hidp_setup_input(session, req);
822 		if (ret < 0)
823 			return ret;
824 	}
825 
826 	return 0;
827 }
828 
829 /* destroy session devices */
830 static void hidp_session_dev_destroy(struct hidp_session *session)
831 {
832 	if (session->hid)
833 		put_device(&session->hid->dev);
834 	else if (session->input)
835 		input_put_device(session->input);
836 
837 	kfree(session->rd_data);
838 	session->rd_data = NULL;
839 }
840 
841 /* add HID/input devices to their underlying bus systems */
842 static int hidp_session_dev_add(struct hidp_session *session)
843 {
844 	int ret;
845 
846 	/* Both HID and input systems drop a ref-count when unregistering the
847 	 * device but they don't take a ref-count when registering them. Work
848 	 * around this by explicitly taking a refcount during registration
849 	 * which is dropped automatically by unregistering the devices. */
850 
851 	if (session->hid) {
852 		ret = hid_add_device(session->hid);
853 		if (ret)
854 			return ret;
855 		get_device(&session->hid->dev);
856 	} else if (session->input) {
857 		ret = input_register_device(session->input);
858 		if (ret)
859 			return ret;
860 		input_get_device(session->input);
861 	}
862 
863 	return 0;
864 }
865 
866 /* remove HID/input devices from their bus systems */
867 static void hidp_session_dev_del(struct hidp_session *session)
868 {
869 	if (session->hid)
870 		hid_destroy_device(session->hid);
871 	else if (session->input)
872 		input_unregister_device(session->input);
873 }
874 
875 /*
876  * Asynchronous device registration
877  * HID device drivers might want to perform I/O during initialization to
878  * detect device types. Therefore, call device registration in a separate
879  * worker so the HIDP thread can schedule I/O operations.
880  * Note that this must be called after the worker thread was initialized
881  * successfully. This will then add the devices and increase session state
882  * on success, otherwise it will terminate the session thread.
883  */
884 static void hidp_session_dev_work(struct work_struct *work)
885 {
886 	struct hidp_session *session = container_of(work,
887 						    struct hidp_session,
888 						    dev_init);
889 	int ret;
890 
891 	ret = hidp_session_dev_add(session);
892 	if (!ret)
893 		atomic_inc(&session->state);
894 	else
895 		hidp_session_terminate(session);
896 }
897 
898 /*
899  * Create new session object
900  * Allocate session object, initialize static fields, copy input data into the
901  * object and take a reference to all sub-objects.
902  * This returns 0 on success and puts a pointer to the new session object in
903  * \out. Otherwise, an error code is returned.
904  * The new session object has an initial ref-count of 1.
905  */
906 static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
907 			    struct socket *ctrl_sock,
908 			    struct socket *intr_sock,
909 			    struct hidp_connadd_req *req,
910 			    struct l2cap_conn *conn)
911 {
912 	struct hidp_session *session;
913 	int ret;
914 	struct bt_sock *ctrl, *intr;
915 
916 	ctrl = bt_sk(ctrl_sock->sk);
917 	intr = bt_sk(intr_sock->sk);
918 
919 	session = kzalloc(sizeof(*session), GFP_KERNEL);
920 	if (!session)
921 		return -ENOMEM;
922 
923 	/* object and runtime management */
924 	kref_init(&session->ref);
925 	atomic_set(&session->state, HIDP_SESSION_IDLING);
926 	init_waitqueue_head(&session->state_queue);
927 	session->flags = req->flags & BIT(HIDP_BLUETOOTH_VENDOR_ID);
928 
929 	/* connection management */
930 	bacpy(&session->bdaddr, bdaddr);
931 	session->conn = l2cap_conn_get(conn);
932 	session->user.probe = hidp_session_probe;
933 	session->user.remove = hidp_session_remove;
934 	INIT_LIST_HEAD(&session->user.list);
935 	session->ctrl_sock = ctrl_sock;
936 	session->intr_sock = intr_sock;
937 	skb_queue_head_init(&session->ctrl_transmit);
938 	skb_queue_head_init(&session->intr_transmit);
939 	session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
940 					l2cap_pi(ctrl)->chan->imtu);
941 	session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
942 					l2cap_pi(intr)->chan->imtu);
943 	session->idle_to = req->idle_to;
944 
945 	/* device management */
946 	INIT_WORK(&session->dev_init, hidp_session_dev_work);
947 	setup_timer(&session->timer, hidp_idle_timeout,
948 		    (unsigned long)session);
949 
950 	/* session data */
951 	mutex_init(&session->report_mutex);
952 	init_waitqueue_head(&session->report_queue);
953 
954 	ret = hidp_session_dev_init(session, req);
955 	if (ret)
956 		goto err_free;
957 
958 	get_file(session->intr_sock->file);
959 	get_file(session->ctrl_sock->file);
960 	*out = session;
961 	return 0;
962 
963 err_free:
964 	l2cap_conn_put(session->conn);
965 	kfree(session);
966 	return ret;
967 }
968 
969 /* increase ref-count of the given session by one */
970 static void hidp_session_get(struct hidp_session *session)
971 {
972 	kref_get(&session->ref);
973 }
974 
975 /* release callback */
976 static void session_free(struct kref *ref)
977 {
978 	struct hidp_session *session = container_of(ref, struct hidp_session,
979 						    ref);
980 
981 	hidp_session_dev_destroy(session);
982 	skb_queue_purge(&session->ctrl_transmit);
983 	skb_queue_purge(&session->intr_transmit);
984 	fput(session->intr_sock->file);
985 	fput(session->ctrl_sock->file);
986 	l2cap_conn_put(session->conn);
987 	kfree(session);
988 }
989 
990 /* decrease ref-count of the given session by one */
991 static void hidp_session_put(struct hidp_session *session)
992 {
993 	kref_put(&session->ref, session_free);
994 }
995 
996 /*
997  * Search the list of active sessions for a session with target address
998  * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
999  * you do not release this lock, the session objects cannot vanish and you can
1000  * safely take a reference to the session yourself.
1001  */
1002 static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
1003 {
1004 	struct hidp_session *session;
1005 
1006 	list_for_each_entry(session, &hidp_session_list, list) {
1007 		if (!bacmp(bdaddr, &session->bdaddr))
1008 			return session;
1009 	}
1010 
1011 	return NULL;
1012 }
1013 
1014 /*
1015  * Same as __hidp_session_find() but no locks must be held. This also takes a
1016  * reference of the returned session (if non-NULL) so you must drop this
1017  * reference if you no longer use the object.
1018  */
1019 static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
1020 {
1021 	struct hidp_session *session;
1022 
1023 	down_read(&hidp_session_sem);
1024 
1025 	session = __hidp_session_find(bdaddr);
1026 	if (session)
1027 		hidp_session_get(session);
1028 
1029 	up_read(&hidp_session_sem);
1030 
1031 	return session;
1032 }
1033 
1034 /*
1035  * Start session synchronously
1036  * This starts a session thread and waits until initialization
1037  * is done or returns an error if it couldn't be started.
1038  * If this returns 0 the session thread is up and running. You must call
1039  * hipd_session_stop_sync() before deleting any runtime resources.
1040  */
1041 static int hidp_session_start_sync(struct hidp_session *session)
1042 {
1043 	unsigned int vendor, product;
1044 
1045 	if (session->hid) {
1046 		vendor  = session->hid->vendor;
1047 		product = session->hid->product;
1048 	} else if (session->input) {
1049 		vendor  = session->input->id.vendor;
1050 		product = session->input->id.product;
1051 	} else {
1052 		vendor = 0x0000;
1053 		product = 0x0000;
1054 	}
1055 
1056 	session->task = kthread_run(hidp_session_thread, session,
1057 				    "khidpd_%04x%04x", vendor, product);
1058 	if (IS_ERR(session->task))
1059 		return PTR_ERR(session->task);
1060 
1061 	while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
1062 		wait_event(session->state_queue,
1063 			   atomic_read(&session->state) > HIDP_SESSION_IDLING);
1064 
1065 	return 0;
1066 }
1067 
1068 /*
1069  * Terminate session thread
1070  * Wake up session thread and notify it to stop. This is asynchronous and
1071  * returns immediately. Call this whenever a runtime error occurs and you want
1072  * the session to stop.
1073  * Note: wake_up_interruptible() performs any necessary memory-barriers for us.
1074  */
1075 static void hidp_session_terminate(struct hidp_session *session)
1076 {
1077 	atomic_inc(&session->terminate);
1078 	wake_up_interruptible(&hidp_session_wq);
1079 }
1080 
1081 /*
1082  * Probe HIDP session
1083  * This is called from the l2cap_conn core when our l2cap_user object is bound
1084  * to the hci-connection. We get the session via the \user object and can now
1085  * start the session thread, link it into the global session list and
1086  * schedule HID/input device registration.
1087  * The global session-list owns its own reference to the session object so you
1088  * can drop your own reference after registering the l2cap_user object.
1089  */
1090 static int hidp_session_probe(struct l2cap_conn *conn,
1091 			      struct l2cap_user *user)
1092 {
1093 	struct hidp_session *session = container_of(user,
1094 						    struct hidp_session,
1095 						    user);
1096 	struct hidp_session *s;
1097 	int ret;
1098 
1099 	down_write(&hidp_session_sem);
1100 
1101 	/* check that no other session for this device exists */
1102 	s = __hidp_session_find(&session->bdaddr);
1103 	if (s) {
1104 		ret = -EEXIST;
1105 		goto out_unlock;
1106 	}
1107 
1108 	if (session->input) {
1109 		ret = hidp_session_dev_add(session);
1110 		if (ret)
1111 			goto out_unlock;
1112 	}
1113 
1114 	ret = hidp_session_start_sync(session);
1115 	if (ret)
1116 		goto out_del;
1117 
1118 	/* HID device registration is async to allow I/O during probe */
1119 	if (session->input)
1120 		atomic_inc(&session->state);
1121 	else
1122 		schedule_work(&session->dev_init);
1123 
1124 	hidp_session_get(session);
1125 	list_add(&session->list, &hidp_session_list);
1126 	ret = 0;
1127 	goto out_unlock;
1128 
1129 out_del:
1130 	if (session->input)
1131 		hidp_session_dev_del(session);
1132 out_unlock:
1133 	up_write(&hidp_session_sem);
1134 	return ret;
1135 }
1136 
1137 /*
1138  * Remove HIDP session
1139  * Called from the l2cap_conn core when either we explicitly unregistered
1140  * the l2cap_user object or if the underlying connection is shut down.
1141  * We signal the hidp-session thread to shut down, unregister the HID/input
1142  * devices and unlink the session from the global list.
1143  * This drops the reference to the session that is owned by the global
1144  * session-list.
1145  * Note: We _must_ not synchronosly wait for the session-thread to shut down.
1146  * This is, because the session-thread might be waiting for an HCI lock that is
1147  * held while we are called. Therefore, we only unregister the devices and
1148  * notify the session-thread to terminate. The thread itself owns a reference
1149  * to the session object so it can safely shut down.
1150  */
1151 static void hidp_session_remove(struct l2cap_conn *conn,
1152 				struct l2cap_user *user)
1153 {
1154 	struct hidp_session *session = container_of(user,
1155 						    struct hidp_session,
1156 						    user);
1157 
1158 	down_write(&hidp_session_sem);
1159 
1160 	hidp_session_terminate(session);
1161 
1162 	cancel_work_sync(&session->dev_init);
1163 	if (session->input ||
1164 	    atomic_read(&session->state) > HIDP_SESSION_PREPARING)
1165 		hidp_session_dev_del(session);
1166 
1167 	list_del(&session->list);
1168 
1169 	up_write(&hidp_session_sem);
1170 
1171 	hidp_session_put(session);
1172 }
1173 
1174 /*
1175  * Session Worker
1176  * This performs the actual main-loop of the HIDP worker. We first check
1177  * whether the underlying connection is still alive, then parse all pending
1178  * messages and finally send all outstanding messages.
1179  */
1180 static void hidp_session_run(struct hidp_session *session)
1181 {
1182 	struct sock *ctrl_sk = session->ctrl_sock->sk;
1183 	struct sock *intr_sk = session->intr_sock->sk;
1184 	struct sk_buff *skb;
1185 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
1186 
1187 	add_wait_queue(&hidp_session_wq, &wait);
1188 	for (;;) {
1189 		/*
1190 		 * This thread can be woken up two ways:
1191 		 *  - You call hidp_session_terminate() which sets the
1192 		 *    session->terminate flag and wakes this thread up.
1193 		 *  - Via modifying the socket state of ctrl/intr_sock. This
1194 		 *    thread is woken up by ->sk_state_changed().
1195 		 */
1196 
1197 		/* Ensure session->terminate is updated */
1198 		smp_mb__before_atomic();
1199 		if (atomic_read(&session->terminate))
1200 			break;
1201 
1202 		if (ctrl_sk->sk_state != BT_CONNECTED ||
1203 		    intr_sk->sk_state != BT_CONNECTED)
1204 			break;
1205 
1206 		/* parse incoming intr-skbs */
1207 		while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
1208 			skb_orphan(skb);
1209 			if (!skb_linearize(skb))
1210 				hidp_recv_intr_frame(session, skb);
1211 			else
1212 				kfree_skb(skb);
1213 		}
1214 
1215 		/* send pending intr-skbs */
1216 		hidp_process_transmit(session, &session->intr_transmit,
1217 				      session->intr_sock);
1218 
1219 		/* parse incoming ctrl-skbs */
1220 		while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
1221 			skb_orphan(skb);
1222 			if (!skb_linearize(skb))
1223 				hidp_recv_ctrl_frame(session, skb);
1224 			else
1225 				kfree_skb(skb);
1226 		}
1227 
1228 		/* send pending ctrl-skbs */
1229 		hidp_process_transmit(session, &session->ctrl_transmit,
1230 				      session->ctrl_sock);
1231 
1232 		wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
1233 	}
1234 	remove_wait_queue(&hidp_session_wq, &wait);
1235 
1236 	atomic_inc(&session->terminate);
1237 
1238 	/* Ensure session->terminate is updated */
1239 	smp_mb__after_atomic();
1240 }
1241 
1242 static int hidp_session_wake_function(wait_queue_entry_t *wait,
1243 				      unsigned int mode,
1244 				      int sync, void *key)
1245 {
1246 	wake_up_interruptible(&hidp_session_wq);
1247 	return false;
1248 }
1249 
1250 /*
1251  * HIDP session thread
1252  * This thread runs the I/O for a single HIDP session. Startup is synchronous
1253  * which allows us to take references to ourself here instead of doing that in
1254  * the caller.
1255  * When we are ready to run we notify the caller and call hidp_session_run().
1256  */
1257 static int hidp_session_thread(void *arg)
1258 {
1259 	struct hidp_session *session = arg;
1260 	DEFINE_WAIT_FUNC(ctrl_wait, hidp_session_wake_function);
1261 	DEFINE_WAIT_FUNC(intr_wait, hidp_session_wake_function);
1262 
1263 	BT_DBG("session %p", session);
1264 
1265 	/* initialize runtime environment */
1266 	hidp_session_get(session);
1267 	__module_get(THIS_MODULE);
1268 	set_user_nice(current, -15);
1269 	hidp_set_timer(session);
1270 
1271 	add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
1272 	add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1273 	/* This memory barrier is paired with wq_has_sleeper(). See
1274 	 * sock_poll_wait() for more information why this is needed. */
1275 	smp_mb();
1276 
1277 	/* notify synchronous startup that we're ready */
1278 	atomic_inc(&session->state);
1279 	wake_up(&session->state_queue);
1280 
1281 	/* run session */
1282 	hidp_session_run(session);
1283 
1284 	/* cleanup runtime environment */
1285 	remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1286 	remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
1287 	wake_up_interruptible(&session->report_queue);
1288 	hidp_del_timer(session);
1289 
1290 	/*
1291 	 * If we stopped ourself due to any internal signal, we should try to
1292 	 * unregister our own session here to avoid having it linger until the
1293 	 * parent l2cap_conn dies or user-space cleans it up.
1294 	 * This does not deadlock as we don't do any synchronous shutdown.
1295 	 * Instead, this call has the same semantics as if user-space tried to
1296 	 * delete the session.
1297 	 */
1298 	l2cap_unregister_user(session->conn, &session->user);
1299 	hidp_session_put(session);
1300 
1301 	module_put_and_exit(0);
1302 	return 0;
1303 }
1304 
1305 static int hidp_verify_sockets(struct socket *ctrl_sock,
1306 			       struct socket *intr_sock)
1307 {
1308 	struct l2cap_chan *ctrl_chan, *intr_chan;
1309 	struct bt_sock *ctrl, *intr;
1310 	struct hidp_session *session;
1311 
1312 	if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
1313 		return -EINVAL;
1314 
1315 	ctrl_chan = l2cap_pi(ctrl_sock->sk)->chan;
1316 	intr_chan = l2cap_pi(intr_sock->sk)->chan;
1317 
1318 	if (bacmp(&ctrl_chan->src, &intr_chan->src) ||
1319 	    bacmp(&ctrl_chan->dst, &intr_chan->dst))
1320 		return -ENOTUNIQ;
1321 
1322 	ctrl = bt_sk(ctrl_sock->sk);
1323 	intr = bt_sk(intr_sock->sk);
1324 
1325 	if (ctrl->sk.sk_state != BT_CONNECTED ||
1326 	    intr->sk.sk_state != BT_CONNECTED)
1327 		return -EBADFD;
1328 
1329 	/* early session check, we check again during session registration */
1330 	session = hidp_session_find(&ctrl_chan->dst);
1331 	if (session) {
1332 		hidp_session_put(session);
1333 		return -EEXIST;
1334 	}
1335 
1336 	return 0;
1337 }
1338 
1339 int hidp_connection_add(struct hidp_connadd_req *req,
1340 			struct socket *ctrl_sock,
1341 			struct socket *intr_sock)
1342 {
1343 	u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG) |
1344 			  BIT(HIDP_BOOT_PROTOCOL_MODE);
1345 	struct hidp_session *session;
1346 	struct l2cap_conn *conn;
1347 	struct l2cap_chan *chan;
1348 	int ret;
1349 
1350 	ret = hidp_verify_sockets(ctrl_sock, intr_sock);
1351 	if (ret)
1352 		return ret;
1353 
1354 	if (req->flags & ~valid_flags)
1355 		return -EINVAL;
1356 
1357 	chan = l2cap_pi(ctrl_sock->sk)->chan;
1358 	conn = NULL;
1359 	l2cap_chan_lock(chan);
1360 	if (chan->conn)
1361 		conn = l2cap_conn_get(chan->conn);
1362 	l2cap_chan_unlock(chan);
1363 
1364 	if (!conn)
1365 		return -EBADFD;
1366 
1367 	ret = hidp_session_new(&session, &chan->dst, ctrl_sock,
1368 			       intr_sock, req, conn);
1369 	if (ret)
1370 		goto out_conn;
1371 
1372 	ret = l2cap_register_user(conn, &session->user);
1373 	if (ret)
1374 		goto out_session;
1375 
1376 	ret = 0;
1377 
1378 out_session:
1379 	hidp_session_put(session);
1380 out_conn:
1381 	l2cap_conn_put(conn);
1382 	return ret;
1383 }
1384 
1385 int hidp_connection_del(struct hidp_conndel_req *req)
1386 {
1387 	u32 valid_flags = BIT(HIDP_VIRTUAL_CABLE_UNPLUG);
1388 	struct hidp_session *session;
1389 
1390 	if (req->flags & ~valid_flags)
1391 		return -EINVAL;
1392 
1393 	session = hidp_session_find(&req->bdaddr);
1394 	if (!session)
1395 		return -ENOENT;
1396 
1397 	if (req->flags & BIT(HIDP_VIRTUAL_CABLE_UNPLUG))
1398 		hidp_send_ctrl_message(session,
1399 				       HIDP_TRANS_HID_CONTROL |
1400 				         HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
1401 				       NULL, 0);
1402 	else
1403 		l2cap_unregister_user(session->conn, &session->user);
1404 
1405 	hidp_session_put(session);
1406 
1407 	return 0;
1408 }
1409 
1410 int hidp_get_connlist(struct hidp_connlist_req *req)
1411 {
1412 	struct hidp_session *session;
1413 	int err = 0, n = 0;
1414 
1415 	BT_DBG("");
1416 
1417 	down_read(&hidp_session_sem);
1418 
1419 	list_for_each_entry(session, &hidp_session_list, list) {
1420 		struct hidp_conninfo ci;
1421 
1422 		hidp_copy_session(session, &ci);
1423 
1424 		if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1425 			err = -EFAULT;
1426 			break;
1427 		}
1428 
1429 		if (++n >= req->cnum)
1430 			break;
1431 
1432 		req->ci++;
1433 	}
1434 	req->cnum = n;
1435 
1436 	up_read(&hidp_session_sem);
1437 	return err;
1438 }
1439 
1440 int hidp_get_conninfo(struct hidp_conninfo *ci)
1441 {
1442 	struct hidp_session *session;
1443 
1444 	session = hidp_session_find(&ci->bdaddr);
1445 	if (session) {
1446 		hidp_copy_session(session, ci);
1447 		hidp_session_put(session);
1448 	}
1449 
1450 	return session ? 0 : -ENOENT;
1451 }
1452 
1453 static int __init hidp_init(void)
1454 {
1455 	BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
1456 
1457 	return hidp_init_sockets();
1458 }
1459 
1460 static void __exit hidp_exit(void)
1461 {
1462 	hidp_cleanup_sockets();
1463 }
1464 
1465 module_init(hidp_init);
1466 module_exit(hidp_exit);
1467 
1468 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1469 MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
1470 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1471 MODULE_VERSION(VERSION);
1472 MODULE_LICENSE("GPL");
1473 MODULE_ALIAS("bt-proto-6");
1474