xref: /openbmc/linux/net/bluetooth/sco.c (revision 76a4f7cc)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth SCO sockets. */
26 
27 #include <linux/module.h>
28 #include <linux/debugfs.h>
29 #include <linux/seq_file.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/sco.h>
35 
36 static bool disable_esco;
37 
38 static const struct proto_ops sco_sock_ops;
39 
40 static struct bt_sock_list sco_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(sco_sk_list.lock)
42 };
43 
44 /* ---- SCO connections ---- */
45 struct sco_conn {
46 	struct hci_conn	*hcon;
47 
48 	spinlock_t	lock;
49 	struct sock	*sk;
50 
51 	struct delayed_work	timeout_work;
52 
53 	unsigned int    mtu;
54 };
55 
56 #define sco_conn_lock(c)	spin_lock(&c->lock)
57 #define sco_conn_unlock(c)	spin_unlock(&c->lock)
58 
59 static void sco_sock_close(struct sock *sk);
60 static void sco_sock_kill(struct sock *sk);
61 
62 /* ----- SCO socket info ----- */
63 #define sco_pi(sk) ((struct sco_pinfo *) sk)
64 
65 struct sco_pinfo {
66 	struct bt_sock	bt;
67 	bdaddr_t	src;
68 	bdaddr_t	dst;
69 	__u32		flags;
70 	__u16		setting;
71 	__u8		cmsg_mask;
72 	struct sco_conn	*conn;
73 };
74 
75 /* ---- SCO timers ---- */
76 #define SCO_CONN_TIMEOUT	(HZ * 40)
77 #define SCO_DISCONN_TIMEOUT	(HZ * 2)
78 
79 static void sco_sock_timeout(struct work_struct *work)
80 {
81 	struct sco_conn *conn = container_of(work, struct sco_conn,
82 					     timeout_work.work);
83 	struct sock *sk;
84 
85 	sco_conn_lock(conn);
86 	sk = conn->sk;
87 	if (sk)
88 		sock_hold(sk);
89 	sco_conn_unlock(conn);
90 
91 	if (!sk)
92 		return;
93 
94 	BT_DBG("sock %p state %d", sk, sk->sk_state);
95 
96 	lock_sock(sk);
97 	sk->sk_err = ETIMEDOUT;
98 	sk->sk_state_change(sk);
99 	release_sock(sk);
100 	sock_put(sk);
101 }
102 
103 static void sco_sock_set_timer(struct sock *sk, long timeout)
104 {
105 	if (!sco_pi(sk)->conn)
106 		return;
107 
108 	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
109 	cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
110 	schedule_delayed_work(&sco_pi(sk)->conn->timeout_work, timeout);
111 }
112 
113 static void sco_sock_clear_timer(struct sock *sk)
114 {
115 	if (!sco_pi(sk)->conn)
116 		return;
117 
118 	BT_DBG("sock %p state %d", sk, sk->sk_state);
119 	cancel_delayed_work(&sco_pi(sk)->conn->timeout_work);
120 }
121 
122 /* ---- SCO connections ---- */
123 static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
124 {
125 	struct hci_dev *hdev = hcon->hdev;
126 	struct sco_conn *conn = hcon->sco_data;
127 
128 	if (conn)
129 		return conn;
130 
131 	conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL);
132 	if (!conn)
133 		return NULL;
134 
135 	spin_lock_init(&conn->lock);
136 
137 	hcon->sco_data = conn;
138 	conn->hcon = hcon;
139 
140 	if (hdev->sco_mtu > 0)
141 		conn->mtu = hdev->sco_mtu;
142 	else
143 		conn->mtu = 60;
144 
145 	BT_DBG("hcon %p conn %p", hcon, conn);
146 
147 	return conn;
148 }
149 
150 /* Delete channel.
151  * Must be called on the locked socket. */
152 static void sco_chan_del(struct sock *sk, int err)
153 {
154 	struct sco_conn *conn;
155 
156 	conn = sco_pi(sk)->conn;
157 
158 	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
159 
160 	if (conn) {
161 		sco_conn_lock(conn);
162 		conn->sk = NULL;
163 		sco_pi(sk)->conn = NULL;
164 		sco_conn_unlock(conn);
165 
166 		if (conn->hcon)
167 			hci_conn_drop(conn->hcon);
168 	}
169 
170 	sk->sk_state = BT_CLOSED;
171 	sk->sk_err   = err;
172 	sk->sk_state_change(sk);
173 
174 	sock_set_flag(sk, SOCK_ZAPPED);
175 }
176 
177 static void sco_conn_del(struct hci_conn *hcon, int err)
178 {
179 	struct sco_conn *conn = hcon->sco_data;
180 	struct sock *sk;
181 
182 	if (!conn)
183 		return;
184 
185 	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
186 
187 	/* Kill socket */
188 	sco_conn_lock(conn);
189 	sk = conn->sk;
190 	sco_conn_unlock(conn);
191 
192 	if (sk) {
193 		sock_hold(sk);
194 		lock_sock(sk);
195 		sco_sock_clear_timer(sk);
196 		sco_chan_del(sk, err);
197 		release_sock(sk);
198 		sock_put(sk);
199 
200 		/* Ensure no more work items will run before freeing conn. */
201 		cancel_delayed_work_sync(&conn->timeout_work);
202 	}
203 
204 	hcon->sco_data = NULL;
205 	kfree(conn);
206 }
207 
208 static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
209 			   struct sock *parent)
210 {
211 	BT_DBG("conn %p", conn);
212 
213 	sco_pi(sk)->conn = conn;
214 	conn->sk = sk;
215 
216 	INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
217 
218 	if (parent)
219 		bt_accept_enqueue(parent, sk, true);
220 }
221 
222 static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
223 			struct sock *parent)
224 {
225 	int err = 0;
226 
227 	sco_conn_lock(conn);
228 	if (conn->sk)
229 		err = -EBUSY;
230 	else
231 		__sco_chan_add(conn, sk, parent);
232 
233 	sco_conn_unlock(conn);
234 	return err;
235 }
236 
237 static int sco_connect(struct hci_dev *hdev, struct sock *sk)
238 {
239 	struct sco_conn *conn;
240 	struct hci_conn *hcon;
241 	int err, type;
242 
243 	BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
244 
245 	if (lmp_esco_capable(hdev) && !disable_esco)
246 		type = ESCO_LINK;
247 	else
248 		type = SCO_LINK;
249 
250 	if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
251 	    (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)))
252 		return -EOPNOTSUPP;
253 
254 	hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
255 			       sco_pi(sk)->setting);
256 	if (IS_ERR(hcon))
257 		return PTR_ERR(hcon);
258 
259 	conn = sco_conn_add(hcon);
260 	if (!conn) {
261 		hci_conn_drop(hcon);
262 		return -ENOMEM;
263 	}
264 
265 	/* Update source addr of the socket */
266 	bacpy(&sco_pi(sk)->src, &hcon->src);
267 
268 	err = sco_chan_add(conn, sk, NULL);
269 	if (err)
270 		return err;
271 
272 	if (hcon->state == BT_CONNECTED) {
273 		sco_sock_clear_timer(sk);
274 		sk->sk_state = BT_CONNECTED;
275 	} else {
276 		sk->sk_state = BT_CONNECT;
277 		sco_sock_set_timer(sk, sk->sk_sndtimeo);
278 	}
279 
280 	return err;
281 }
282 
283 static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
284 {
285 	struct sco_conn *conn = sco_pi(sk)->conn;
286 	struct sk_buff *skb;
287 	int err;
288 
289 	/* Check outgoing MTU */
290 	if (len > conn->mtu)
291 		return -EINVAL;
292 
293 	BT_DBG("sk %p len %d", sk, len);
294 
295 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
296 	if (!skb)
297 		return err;
298 
299 	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
300 		kfree_skb(skb);
301 		return -EFAULT;
302 	}
303 
304 	hci_send_sco(conn->hcon, skb);
305 
306 	return len;
307 }
308 
309 static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
310 {
311 	struct sock *sk;
312 
313 	sco_conn_lock(conn);
314 	sk = conn->sk;
315 	sco_conn_unlock(conn);
316 
317 	if (!sk)
318 		goto drop;
319 
320 	BT_DBG("sk %p len %u", sk, skb->len);
321 
322 	if (sk->sk_state != BT_CONNECTED)
323 		goto drop;
324 
325 	if (!sock_queue_rcv_skb(sk, skb))
326 		return;
327 
328 drop:
329 	kfree_skb(skb);
330 }
331 
332 /* -------- Socket interface ---------- */
333 static struct sock *__sco_get_sock_listen_by_addr(bdaddr_t *ba)
334 {
335 	struct sock *sk;
336 
337 	sk_for_each(sk, &sco_sk_list.head) {
338 		if (sk->sk_state != BT_LISTEN)
339 			continue;
340 
341 		if (!bacmp(&sco_pi(sk)->src, ba))
342 			return sk;
343 	}
344 
345 	return NULL;
346 }
347 
348 /* Find socket listening on source bdaddr.
349  * Returns closest match.
350  */
351 static struct sock *sco_get_sock_listen(bdaddr_t *src)
352 {
353 	struct sock *sk = NULL, *sk1 = NULL;
354 
355 	read_lock(&sco_sk_list.lock);
356 
357 	sk_for_each(sk, &sco_sk_list.head) {
358 		if (sk->sk_state != BT_LISTEN)
359 			continue;
360 
361 		/* Exact match. */
362 		if (!bacmp(&sco_pi(sk)->src, src))
363 			break;
364 
365 		/* Closest match */
366 		if (!bacmp(&sco_pi(sk)->src, BDADDR_ANY))
367 			sk1 = sk;
368 	}
369 
370 	read_unlock(&sco_sk_list.lock);
371 
372 	return sk ? sk : sk1;
373 }
374 
375 static void sco_sock_destruct(struct sock *sk)
376 {
377 	BT_DBG("sk %p", sk);
378 
379 	skb_queue_purge(&sk->sk_receive_queue);
380 	skb_queue_purge(&sk->sk_write_queue);
381 }
382 
383 static void sco_sock_cleanup_listen(struct sock *parent)
384 {
385 	struct sock *sk;
386 
387 	BT_DBG("parent %p", parent);
388 
389 	/* Close not yet accepted channels */
390 	while ((sk = bt_accept_dequeue(parent, NULL))) {
391 		sco_sock_close(sk);
392 		sco_sock_kill(sk);
393 	}
394 
395 	parent->sk_state  = BT_CLOSED;
396 	sock_set_flag(parent, SOCK_ZAPPED);
397 }
398 
399 /* Kill socket (only if zapped and orphan)
400  * Must be called on unlocked socket.
401  */
402 static void sco_sock_kill(struct sock *sk)
403 {
404 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
405 		return;
406 
407 	BT_DBG("sk %p state %d", sk, sk->sk_state);
408 
409 	/* Kill poor orphan */
410 	bt_sock_unlink(&sco_sk_list, sk);
411 	sock_set_flag(sk, SOCK_DEAD);
412 	sock_put(sk);
413 }
414 
415 static void __sco_sock_close(struct sock *sk)
416 {
417 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
418 
419 	switch (sk->sk_state) {
420 	case BT_LISTEN:
421 		sco_sock_cleanup_listen(sk);
422 		break;
423 
424 	case BT_CONNECTED:
425 	case BT_CONFIG:
426 		if (sco_pi(sk)->conn->hcon) {
427 			sk->sk_state = BT_DISCONN;
428 			sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
429 			sco_conn_lock(sco_pi(sk)->conn);
430 			hci_conn_drop(sco_pi(sk)->conn->hcon);
431 			sco_pi(sk)->conn->hcon = NULL;
432 			sco_conn_unlock(sco_pi(sk)->conn);
433 		} else
434 			sco_chan_del(sk, ECONNRESET);
435 		break;
436 
437 	case BT_CONNECT2:
438 	case BT_CONNECT:
439 	case BT_DISCONN:
440 		sco_chan_del(sk, ECONNRESET);
441 		break;
442 
443 	default:
444 		sock_set_flag(sk, SOCK_ZAPPED);
445 		break;
446 	}
447 }
448 
449 /* Must be called on unlocked socket. */
450 static void sco_sock_close(struct sock *sk)
451 {
452 	lock_sock(sk);
453 	sco_sock_clear_timer(sk);
454 	__sco_sock_close(sk);
455 	release_sock(sk);
456 }
457 
458 static void sco_skb_put_cmsg(struct sk_buff *skb, struct msghdr *msg,
459 			     struct sock *sk)
460 {
461 	if (sco_pi(sk)->cmsg_mask & SCO_CMSG_PKT_STATUS)
462 		put_cmsg(msg, SOL_BLUETOOTH, BT_SCM_PKT_STATUS,
463 			 sizeof(bt_cb(skb)->sco.pkt_status),
464 			 &bt_cb(skb)->sco.pkt_status);
465 }
466 
467 static void sco_sock_init(struct sock *sk, struct sock *parent)
468 {
469 	BT_DBG("sk %p", sk);
470 
471 	if (parent) {
472 		sk->sk_type = parent->sk_type;
473 		bt_sk(sk)->flags = bt_sk(parent)->flags;
474 		security_sk_clone(parent, sk);
475 	} else {
476 		bt_sk(sk)->skb_put_cmsg = sco_skb_put_cmsg;
477 	}
478 }
479 
480 static struct proto sco_proto = {
481 	.name		= "SCO",
482 	.owner		= THIS_MODULE,
483 	.obj_size	= sizeof(struct sco_pinfo)
484 };
485 
486 static struct sock *sco_sock_alloc(struct net *net, struct socket *sock,
487 				   int proto, gfp_t prio, int kern)
488 {
489 	struct sock *sk;
490 
491 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &sco_proto, kern);
492 	if (!sk)
493 		return NULL;
494 
495 	sock_init_data(sock, sk);
496 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
497 
498 	sk->sk_destruct = sco_sock_destruct;
499 	sk->sk_sndtimeo = SCO_CONN_TIMEOUT;
500 
501 	sock_reset_flag(sk, SOCK_ZAPPED);
502 
503 	sk->sk_protocol = proto;
504 	sk->sk_state    = BT_OPEN;
505 
506 	sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;
507 
508 	bt_sock_link(&sco_sk_list, sk);
509 	return sk;
510 }
511 
512 static int sco_sock_create(struct net *net, struct socket *sock, int protocol,
513 			   int kern)
514 {
515 	struct sock *sk;
516 
517 	BT_DBG("sock %p", sock);
518 
519 	sock->state = SS_UNCONNECTED;
520 
521 	if (sock->type != SOCK_SEQPACKET)
522 		return -ESOCKTNOSUPPORT;
523 
524 	sock->ops = &sco_sock_ops;
525 
526 	sk = sco_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
527 	if (!sk)
528 		return -ENOMEM;
529 
530 	sco_sock_init(sk, NULL);
531 	return 0;
532 }
533 
534 static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
535 			 int addr_len)
536 {
537 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
538 	struct sock *sk = sock->sk;
539 	int err = 0;
540 
541 	if (!addr || addr_len < sizeof(struct sockaddr_sco) ||
542 	    addr->sa_family != AF_BLUETOOTH)
543 		return -EINVAL;
544 
545 	BT_DBG("sk %p %pMR", sk, &sa->sco_bdaddr);
546 
547 	lock_sock(sk);
548 
549 	if (sk->sk_state != BT_OPEN) {
550 		err = -EBADFD;
551 		goto done;
552 	}
553 
554 	if (sk->sk_type != SOCK_SEQPACKET) {
555 		err = -EINVAL;
556 		goto done;
557 	}
558 
559 	bacpy(&sco_pi(sk)->src, &sa->sco_bdaddr);
560 
561 	sk->sk_state = BT_BOUND;
562 
563 done:
564 	release_sock(sk);
565 	return err;
566 }
567 
568 static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
569 {
570 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
571 	struct sock *sk = sock->sk;
572 	struct hci_dev  *hdev;
573 	int err;
574 
575 	BT_DBG("sk %p", sk);
576 
577 	if (alen < sizeof(struct sockaddr_sco) ||
578 	    addr->sa_family != AF_BLUETOOTH)
579 		return -EINVAL;
580 
581 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
582 		return -EBADFD;
583 
584 	if (sk->sk_type != SOCK_SEQPACKET)
585 		return -EINVAL;
586 
587 	hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR);
588 	if (!hdev)
589 		return -EHOSTUNREACH;
590 	hci_dev_lock(hdev);
591 
592 	lock_sock(sk);
593 
594 	/* Set destination address and psm */
595 	bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
596 
597 	err = sco_connect(hdev, sk);
598 	hci_dev_unlock(hdev);
599 	hci_dev_put(hdev);
600 	if (err)
601 		goto done;
602 
603 	err = bt_sock_wait_state(sk, BT_CONNECTED,
604 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
605 
606 done:
607 	release_sock(sk);
608 	return err;
609 }
610 
611 static int sco_sock_listen(struct socket *sock, int backlog)
612 {
613 	struct sock *sk = sock->sk;
614 	bdaddr_t *src = &sco_pi(sk)->src;
615 	int err = 0;
616 
617 	BT_DBG("sk %p backlog %d", sk, backlog);
618 
619 	lock_sock(sk);
620 
621 	if (sk->sk_state != BT_BOUND) {
622 		err = -EBADFD;
623 		goto done;
624 	}
625 
626 	if (sk->sk_type != SOCK_SEQPACKET) {
627 		err = -EINVAL;
628 		goto done;
629 	}
630 
631 	write_lock(&sco_sk_list.lock);
632 
633 	if (__sco_get_sock_listen_by_addr(src)) {
634 		err = -EADDRINUSE;
635 		goto unlock;
636 	}
637 
638 	sk->sk_max_ack_backlog = backlog;
639 	sk->sk_ack_backlog = 0;
640 
641 	sk->sk_state = BT_LISTEN;
642 
643 unlock:
644 	write_unlock(&sco_sk_list.lock);
645 
646 done:
647 	release_sock(sk);
648 	return err;
649 }
650 
651 static int sco_sock_accept(struct socket *sock, struct socket *newsock,
652 			   int flags, bool kern)
653 {
654 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
655 	struct sock *sk = sock->sk, *ch;
656 	long timeo;
657 	int err = 0;
658 
659 	lock_sock(sk);
660 
661 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
662 
663 	BT_DBG("sk %p timeo %ld", sk, timeo);
664 
665 	/* Wait for an incoming connection. (wake-one). */
666 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
667 	while (1) {
668 		if (sk->sk_state != BT_LISTEN) {
669 			err = -EBADFD;
670 			break;
671 		}
672 
673 		ch = bt_accept_dequeue(sk, newsock);
674 		if (ch)
675 			break;
676 
677 		if (!timeo) {
678 			err = -EAGAIN;
679 			break;
680 		}
681 
682 		if (signal_pending(current)) {
683 			err = sock_intr_errno(timeo);
684 			break;
685 		}
686 
687 		release_sock(sk);
688 
689 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
690 		lock_sock(sk);
691 	}
692 	remove_wait_queue(sk_sleep(sk), &wait);
693 
694 	if (err)
695 		goto done;
696 
697 	newsock->state = SS_CONNECTED;
698 
699 	BT_DBG("new socket %p", ch);
700 
701 done:
702 	release_sock(sk);
703 	return err;
704 }
705 
706 static int sco_sock_getname(struct socket *sock, struct sockaddr *addr,
707 			    int peer)
708 {
709 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
710 	struct sock *sk = sock->sk;
711 
712 	BT_DBG("sock %p, sk %p", sock, sk);
713 
714 	addr->sa_family = AF_BLUETOOTH;
715 
716 	if (peer)
717 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->dst);
718 	else
719 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->src);
720 
721 	return sizeof(struct sockaddr_sco);
722 }
723 
724 static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
725 			    size_t len)
726 {
727 	struct sock *sk = sock->sk;
728 	int err;
729 
730 	BT_DBG("sock %p, sk %p", sock, sk);
731 
732 	err = sock_error(sk);
733 	if (err)
734 		return err;
735 
736 	if (msg->msg_flags & MSG_OOB)
737 		return -EOPNOTSUPP;
738 
739 	lock_sock(sk);
740 
741 	if (sk->sk_state == BT_CONNECTED)
742 		err = sco_send_frame(sk, msg, len);
743 	else
744 		err = -ENOTCONN;
745 
746 	release_sock(sk);
747 	return err;
748 }
749 
750 static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting)
751 {
752 	struct hci_dev *hdev = conn->hdev;
753 
754 	BT_DBG("conn %p", conn);
755 
756 	conn->state = BT_CONFIG;
757 
758 	if (!lmp_esco_capable(hdev)) {
759 		struct hci_cp_accept_conn_req cp;
760 
761 		bacpy(&cp.bdaddr, &conn->dst);
762 		cp.role = 0x00; /* Ignored */
763 
764 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
765 	} else {
766 		struct hci_cp_accept_sync_conn_req cp;
767 
768 		bacpy(&cp.bdaddr, &conn->dst);
769 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
770 
771 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
772 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
773 		cp.content_format = cpu_to_le16(setting);
774 
775 		switch (setting & SCO_AIRMODE_MASK) {
776 		case SCO_AIRMODE_TRANSP:
777 			if (conn->pkt_type & ESCO_2EV3)
778 				cp.max_latency = cpu_to_le16(0x0008);
779 			else
780 				cp.max_latency = cpu_to_le16(0x000D);
781 			cp.retrans_effort = 0x02;
782 			break;
783 		case SCO_AIRMODE_CVSD:
784 			cp.max_latency = cpu_to_le16(0xffff);
785 			cp.retrans_effort = 0xff;
786 			break;
787 		default:
788 			/* use CVSD settings as fallback */
789 			cp.max_latency = cpu_to_le16(0xffff);
790 			cp.retrans_effort = 0xff;
791 			break;
792 		}
793 
794 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
795 			     sizeof(cp), &cp);
796 	}
797 }
798 
799 static int sco_sock_recvmsg(struct socket *sock, struct msghdr *msg,
800 			    size_t len, int flags)
801 {
802 	struct sock *sk = sock->sk;
803 	struct sco_pinfo *pi = sco_pi(sk);
804 
805 	lock_sock(sk);
806 
807 	if (sk->sk_state == BT_CONNECT2 &&
808 	    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
809 		sco_conn_defer_accept(pi->conn->hcon, pi->setting);
810 		sk->sk_state = BT_CONFIG;
811 
812 		release_sock(sk);
813 		return 0;
814 	}
815 
816 	release_sock(sk);
817 
818 	return bt_sock_recvmsg(sock, msg, len, flags);
819 }
820 
821 static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
822 			       sockptr_t optval, unsigned int optlen)
823 {
824 	struct sock *sk = sock->sk;
825 	int len, err = 0;
826 	struct bt_voice voice;
827 	u32 opt;
828 
829 	BT_DBG("sk %p", sk);
830 
831 	lock_sock(sk);
832 
833 	switch (optname) {
834 
835 	case BT_DEFER_SETUP:
836 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
837 			err = -EINVAL;
838 			break;
839 		}
840 
841 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
842 			err = -EFAULT;
843 			break;
844 		}
845 
846 		if (opt)
847 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
848 		else
849 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
850 		break;
851 
852 	case BT_VOICE:
853 		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
854 		    sk->sk_state != BT_CONNECT2) {
855 			err = -EINVAL;
856 			break;
857 		}
858 
859 		voice.setting = sco_pi(sk)->setting;
860 
861 		len = min_t(unsigned int, sizeof(voice), optlen);
862 		if (copy_from_sockptr(&voice, optval, len)) {
863 			err = -EFAULT;
864 			break;
865 		}
866 
867 		/* Explicitly check for these values */
868 		if (voice.setting != BT_VOICE_TRANSPARENT &&
869 		    voice.setting != BT_VOICE_CVSD_16BIT) {
870 			err = -EINVAL;
871 			break;
872 		}
873 
874 		sco_pi(sk)->setting = voice.setting;
875 		break;
876 
877 	case BT_PKT_STATUS:
878 		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
879 			err = -EFAULT;
880 			break;
881 		}
882 
883 		if (opt)
884 			sco_pi(sk)->cmsg_mask |= SCO_CMSG_PKT_STATUS;
885 		else
886 			sco_pi(sk)->cmsg_mask &= SCO_CMSG_PKT_STATUS;
887 		break;
888 
889 	default:
890 		err = -ENOPROTOOPT;
891 		break;
892 	}
893 
894 	release_sock(sk);
895 	return err;
896 }
897 
898 static int sco_sock_getsockopt_old(struct socket *sock, int optname,
899 				   char __user *optval, int __user *optlen)
900 {
901 	struct sock *sk = sock->sk;
902 	struct sco_options opts;
903 	struct sco_conninfo cinfo;
904 	int len, err = 0;
905 
906 	BT_DBG("sk %p", sk);
907 
908 	if (get_user(len, optlen))
909 		return -EFAULT;
910 
911 	lock_sock(sk);
912 
913 	switch (optname) {
914 	case SCO_OPTIONS:
915 		if (sk->sk_state != BT_CONNECTED &&
916 		    !(sk->sk_state == BT_CONNECT2 &&
917 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
918 			err = -ENOTCONN;
919 			break;
920 		}
921 
922 		opts.mtu = sco_pi(sk)->conn->mtu;
923 
924 		BT_DBG("mtu %u", opts.mtu);
925 
926 		len = min_t(unsigned int, len, sizeof(opts));
927 		if (copy_to_user(optval, (char *)&opts, len))
928 			err = -EFAULT;
929 
930 		break;
931 
932 	case SCO_CONNINFO:
933 		if (sk->sk_state != BT_CONNECTED &&
934 		    !(sk->sk_state == BT_CONNECT2 &&
935 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
936 			err = -ENOTCONN;
937 			break;
938 		}
939 
940 		memset(&cinfo, 0, sizeof(cinfo));
941 		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
942 		memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
943 
944 		len = min_t(unsigned int, len, sizeof(cinfo));
945 		if (copy_to_user(optval, (char *)&cinfo, len))
946 			err = -EFAULT;
947 
948 		break;
949 
950 	default:
951 		err = -ENOPROTOOPT;
952 		break;
953 	}
954 
955 	release_sock(sk);
956 	return err;
957 }
958 
959 static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
960 			       char __user *optval, int __user *optlen)
961 {
962 	struct sock *sk = sock->sk;
963 	int len, err = 0;
964 	struct bt_voice voice;
965 	u32 phys;
966 	int pkt_status;
967 
968 	BT_DBG("sk %p", sk);
969 
970 	if (level == SOL_SCO)
971 		return sco_sock_getsockopt_old(sock, optname, optval, optlen);
972 
973 	if (get_user(len, optlen))
974 		return -EFAULT;
975 
976 	lock_sock(sk);
977 
978 	switch (optname) {
979 
980 	case BT_DEFER_SETUP:
981 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
982 			err = -EINVAL;
983 			break;
984 		}
985 
986 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
987 			     (u32 __user *)optval))
988 			err = -EFAULT;
989 
990 		break;
991 
992 	case BT_VOICE:
993 		voice.setting = sco_pi(sk)->setting;
994 
995 		len = min_t(unsigned int, len, sizeof(voice));
996 		if (copy_to_user(optval, (char *)&voice, len))
997 			err = -EFAULT;
998 
999 		break;
1000 
1001 	case BT_PHY:
1002 		if (sk->sk_state != BT_CONNECTED) {
1003 			err = -ENOTCONN;
1004 			break;
1005 		}
1006 
1007 		phys = hci_conn_get_phy(sco_pi(sk)->conn->hcon);
1008 
1009 		if (put_user(phys, (u32 __user *) optval))
1010 			err = -EFAULT;
1011 		break;
1012 
1013 	case BT_PKT_STATUS:
1014 		pkt_status = (sco_pi(sk)->cmsg_mask & SCO_CMSG_PKT_STATUS);
1015 
1016 		if (put_user(pkt_status, (int __user *)optval))
1017 			err = -EFAULT;
1018 		break;
1019 
1020 	case BT_SNDMTU:
1021 	case BT_RCVMTU:
1022 		if (sk->sk_state != BT_CONNECTED) {
1023 			err = -ENOTCONN;
1024 			break;
1025 		}
1026 
1027 		if (put_user(sco_pi(sk)->conn->mtu, (u32 __user *)optval))
1028 			err = -EFAULT;
1029 		break;
1030 
1031 	default:
1032 		err = -ENOPROTOOPT;
1033 		break;
1034 	}
1035 
1036 	release_sock(sk);
1037 	return err;
1038 }
1039 
1040 static int sco_sock_shutdown(struct socket *sock, int how)
1041 {
1042 	struct sock *sk = sock->sk;
1043 	int err = 0;
1044 
1045 	BT_DBG("sock %p, sk %p", sock, sk);
1046 
1047 	if (!sk)
1048 		return 0;
1049 
1050 	sock_hold(sk);
1051 	lock_sock(sk);
1052 
1053 	if (!sk->sk_shutdown) {
1054 		sk->sk_shutdown = SHUTDOWN_MASK;
1055 		sco_sock_clear_timer(sk);
1056 		__sco_sock_close(sk);
1057 
1058 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1059 		    !(current->flags & PF_EXITING))
1060 			err = bt_sock_wait_state(sk, BT_CLOSED,
1061 						 sk->sk_lingertime);
1062 	}
1063 
1064 	release_sock(sk);
1065 	sock_put(sk);
1066 
1067 	return err;
1068 }
1069 
1070 static int sco_sock_release(struct socket *sock)
1071 {
1072 	struct sock *sk = sock->sk;
1073 	int err = 0;
1074 
1075 	BT_DBG("sock %p, sk %p", sock, sk);
1076 
1077 	if (!sk)
1078 		return 0;
1079 
1080 	sco_sock_close(sk);
1081 
1082 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1083 	    !(current->flags & PF_EXITING)) {
1084 		lock_sock(sk);
1085 		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1086 		release_sock(sk);
1087 	}
1088 
1089 	sock_orphan(sk);
1090 	sco_sock_kill(sk);
1091 	return err;
1092 }
1093 
1094 static void sco_conn_ready(struct sco_conn *conn)
1095 {
1096 	struct sock *parent;
1097 	struct sock *sk = conn->sk;
1098 
1099 	BT_DBG("conn %p", conn);
1100 
1101 	if (sk) {
1102 		lock_sock(sk);
1103 		sco_sock_clear_timer(sk);
1104 		sk->sk_state = BT_CONNECTED;
1105 		sk->sk_state_change(sk);
1106 		release_sock(sk);
1107 	} else {
1108 		sco_conn_lock(conn);
1109 
1110 		if (!conn->hcon) {
1111 			sco_conn_unlock(conn);
1112 			return;
1113 		}
1114 
1115 		parent = sco_get_sock_listen(&conn->hcon->src);
1116 		if (!parent) {
1117 			sco_conn_unlock(conn);
1118 			return;
1119 		}
1120 
1121 		lock_sock(parent);
1122 
1123 		sk = sco_sock_alloc(sock_net(parent), NULL,
1124 				    BTPROTO_SCO, GFP_ATOMIC, 0);
1125 		if (!sk) {
1126 			release_sock(parent);
1127 			sco_conn_unlock(conn);
1128 			return;
1129 		}
1130 
1131 		sco_sock_init(sk, parent);
1132 
1133 		bacpy(&sco_pi(sk)->src, &conn->hcon->src);
1134 		bacpy(&sco_pi(sk)->dst, &conn->hcon->dst);
1135 
1136 		hci_conn_hold(conn->hcon);
1137 		__sco_chan_add(conn, sk, parent);
1138 
1139 		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1140 			sk->sk_state = BT_CONNECT2;
1141 		else
1142 			sk->sk_state = BT_CONNECTED;
1143 
1144 		/* Wake up parent */
1145 		parent->sk_data_ready(parent);
1146 
1147 		release_sock(parent);
1148 
1149 		sco_conn_unlock(conn);
1150 	}
1151 }
1152 
1153 /* ----- SCO interface with lower layer (HCI) ----- */
1154 int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
1155 {
1156 	struct sock *sk;
1157 	int lm = 0;
1158 
1159 	BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1160 
1161 	/* Find listening sockets */
1162 	read_lock(&sco_sk_list.lock);
1163 	sk_for_each(sk, &sco_sk_list.head) {
1164 		if (sk->sk_state != BT_LISTEN)
1165 			continue;
1166 
1167 		if (!bacmp(&sco_pi(sk)->src, &hdev->bdaddr) ||
1168 		    !bacmp(&sco_pi(sk)->src, BDADDR_ANY)) {
1169 			lm |= HCI_LM_ACCEPT;
1170 
1171 			if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
1172 				*flags |= HCI_PROTO_DEFER;
1173 			break;
1174 		}
1175 	}
1176 	read_unlock(&sco_sk_list.lock);
1177 
1178 	return lm;
1179 }
1180 
1181 static void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
1182 {
1183 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1184 		return;
1185 
1186 	BT_DBG("hcon %p bdaddr %pMR status %u", hcon, &hcon->dst, status);
1187 
1188 	if (!status) {
1189 		struct sco_conn *conn;
1190 
1191 		conn = sco_conn_add(hcon);
1192 		if (conn)
1193 			sco_conn_ready(conn);
1194 	} else
1195 		sco_conn_del(hcon, bt_to_errno(status));
1196 }
1197 
1198 static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
1199 {
1200 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1201 		return;
1202 
1203 	BT_DBG("hcon %p reason %d", hcon, reason);
1204 
1205 	sco_conn_del(hcon, bt_to_errno(reason));
1206 }
1207 
1208 void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
1209 {
1210 	struct sco_conn *conn = hcon->sco_data;
1211 
1212 	if (!conn)
1213 		goto drop;
1214 
1215 	BT_DBG("conn %p len %u", conn, skb->len);
1216 
1217 	if (skb->len) {
1218 		sco_recv_frame(conn, skb);
1219 		return;
1220 	}
1221 
1222 drop:
1223 	kfree_skb(skb);
1224 }
1225 
1226 static struct hci_cb sco_cb = {
1227 	.name		= "SCO",
1228 	.connect_cfm	= sco_connect_cfm,
1229 	.disconn_cfm	= sco_disconn_cfm,
1230 };
1231 
1232 static int sco_debugfs_show(struct seq_file *f, void *p)
1233 {
1234 	struct sock *sk;
1235 
1236 	read_lock(&sco_sk_list.lock);
1237 
1238 	sk_for_each(sk, &sco_sk_list.head) {
1239 		seq_printf(f, "%pMR %pMR %d\n", &sco_pi(sk)->src,
1240 			   &sco_pi(sk)->dst, sk->sk_state);
1241 	}
1242 
1243 	read_unlock(&sco_sk_list.lock);
1244 
1245 	return 0;
1246 }
1247 
1248 DEFINE_SHOW_ATTRIBUTE(sco_debugfs);
1249 
1250 static struct dentry *sco_debugfs;
1251 
1252 static const struct proto_ops sco_sock_ops = {
1253 	.family		= PF_BLUETOOTH,
1254 	.owner		= THIS_MODULE,
1255 	.release	= sco_sock_release,
1256 	.bind		= sco_sock_bind,
1257 	.connect	= sco_sock_connect,
1258 	.listen		= sco_sock_listen,
1259 	.accept		= sco_sock_accept,
1260 	.getname	= sco_sock_getname,
1261 	.sendmsg	= sco_sock_sendmsg,
1262 	.recvmsg	= sco_sock_recvmsg,
1263 	.poll		= bt_sock_poll,
1264 	.ioctl		= bt_sock_ioctl,
1265 	.gettstamp	= sock_gettstamp,
1266 	.mmap		= sock_no_mmap,
1267 	.socketpair	= sock_no_socketpair,
1268 	.shutdown	= sco_sock_shutdown,
1269 	.setsockopt	= sco_sock_setsockopt,
1270 	.getsockopt	= sco_sock_getsockopt
1271 };
1272 
1273 static const struct net_proto_family sco_sock_family_ops = {
1274 	.family	= PF_BLUETOOTH,
1275 	.owner	= THIS_MODULE,
1276 	.create	= sco_sock_create,
1277 };
1278 
1279 int __init sco_init(void)
1280 {
1281 	int err;
1282 
1283 	BUILD_BUG_ON(sizeof(struct sockaddr_sco) > sizeof(struct sockaddr));
1284 
1285 	err = proto_register(&sco_proto, 0);
1286 	if (err < 0)
1287 		return err;
1288 
1289 	err = bt_sock_register(BTPROTO_SCO, &sco_sock_family_ops);
1290 	if (err < 0) {
1291 		BT_ERR("SCO socket registration failed");
1292 		goto error;
1293 	}
1294 
1295 	err = bt_procfs_init(&init_net, "sco", &sco_sk_list, NULL);
1296 	if (err < 0) {
1297 		BT_ERR("Failed to create SCO proc file");
1298 		bt_sock_unregister(BTPROTO_SCO);
1299 		goto error;
1300 	}
1301 
1302 	BT_INFO("SCO socket layer initialized");
1303 
1304 	hci_register_cb(&sco_cb);
1305 
1306 	if (IS_ERR_OR_NULL(bt_debugfs))
1307 		return 0;
1308 
1309 	sco_debugfs = debugfs_create_file("sco", 0444, bt_debugfs,
1310 					  NULL, &sco_debugfs_fops);
1311 
1312 	return 0;
1313 
1314 error:
1315 	proto_unregister(&sco_proto);
1316 	return err;
1317 }
1318 
1319 void sco_exit(void)
1320 {
1321 	bt_procfs_cleanup(&init_net, "sco");
1322 
1323 	debugfs_remove(sco_debugfs);
1324 
1325 	hci_unregister_cb(&sco_cb);
1326 
1327 	bt_sock_unregister(BTPROTO_SCO);
1328 
1329 	proto_unregister(&sco_proto);
1330 }
1331 
1332 module_param(disable_esco, bool, 0644);
1333 MODULE_PARM_DESC(disable_esco, "Disable eSCO connection creation");
1334