xref: /openbmc/linux/net/bluetooth/sco.c (revision f79e4d5f92a129a1159c973735007d4ddc8541f3)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth SCO sockets. */
26 
27 #include <linux/module.h>
28 #include <linux/debugfs.h>
29 #include <linux/seq_file.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/sco.h>
35 
36 static bool disable_esco;
37 
38 static const struct proto_ops sco_sock_ops;
39 
40 static struct bt_sock_list sco_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(sco_sk_list.lock)
42 };
43 
44 /* ---- SCO connections ---- */
45 struct sco_conn {
46 	struct hci_conn	*hcon;
47 
48 	spinlock_t	lock;
49 	struct sock	*sk;
50 
51 	unsigned int    mtu;
52 };
53 
54 #define sco_conn_lock(c)	spin_lock(&c->lock);
55 #define sco_conn_unlock(c)	spin_unlock(&c->lock);
56 
57 static void sco_sock_close(struct sock *sk);
58 static void sco_sock_kill(struct sock *sk);
59 
60 /* ----- SCO socket info ----- */
61 #define sco_pi(sk) ((struct sco_pinfo *) sk)
62 
63 struct sco_pinfo {
64 	struct bt_sock	bt;
65 	bdaddr_t	src;
66 	bdaddr_t	dst;
67 	__u32		flags;
68 	__u16		setting;
69 	struct sco_conn	*conn;
70 };
71 
72 /* ---- SCO timers ---- */
73 #define SCO_CONN_TIMEOUT	(HZ * 40)
74 #define SCO_DISCONN_TIMEOUT	(HZ * 2)
75 
76 static void sco_sock_timeout(struct timer_list *t)
77 {
78 	struct sock *sk = from_timer(sk, t, sk_timer);
79 
80 	BT_DBG("sock %p state %d", sk, sk->sk_state);
81 
82 	bh_lock_sock(sk);
83 	sk->sk_err = ETIMEDOUT;
84 	sk->sk_state_change(sk);
85 	bh_unlock_sock(sk);
86 
87 	sco_sock_kill(sk);
88 	sock_put(sk);
89 }
90 
91 static void sco_sock_set_timer(struct sock *sk, long timeout)
92 {
93 	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
94 	sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
95 }
96 
97 static void sco_sock_clear_timer(struct sock *sk)
98 {
99 	BT_DBG("sock %p state %d", sk, sk->sk_state);
100 	sk_stop_timer(sk, &sk->sk_timer);
101 }
102 
103 /* ---- SCO connections ---- */
104 static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
105 {
106 	struct hci_dev *hdev = hcon->hdev;
107 	struct sco_conn *conn = hcon->sco_data;
108 
109 	if (conn)
110 		return conn;
111 
112 	conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL);
113 	if (!conn)
114 		return NULL;
115 
116 	spin_lock_init(&conn->lock);
117 
118 	hcon->sco_data = conn;
119 	conn->hcon = hcon;
120 
121 	if (hdev->sco_mtu > 0)
122 		conn->mtu = hdev->sco_mtu;
123 	else
124 		conn->mtu = 60;
125 
126 	BT_DBG("hcon %p conn %p", hcon, conn);
127 
128 	return conn;
129 }
130 
131 /* Delete channel.
132  * Must be called on the locked socket. */
133 static void sco_chan_del(struct sock *sk, int err)
134 {
135 	struct sco_conn *conn;
136 
137 	conn = sco_pi(sk)->conn;
138 
139 	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
140 
141 	if (conn) {
142 		sco_conn_lock(conn);
143 		conn->sk = NULL;
144 		sco_pi(sk)->conn = NULL;
145 		sco_conn_unlock(conn);
146 
147 		if (conn->hcon)
148 			hci_conn_drop(conn->hcon);
149 	}
150 
151 	sk->sk_state = BT_CLOSED;
152 	sk->sk_err   = err;
153 	sk->sk_state_change(sk);
154 
155 	sock_set_flag(sk, SOCK_ZAPPED);
156 }
157 
158 static void sco_conn_del(struct hci_conn *hcon, int err)
159 {
160 	struct sco_conn *conn = hcon->sco_data;
161 	struct sock *sk;
162 
163 	if (!conn)
164 		return;
165 
166 	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
167 
168 	/* Kill socket */
169 	sco_conn_lock(conn);
170 	sk = conn->sk;
171 	sco_conn_unlock(conn);
172 
173 	if (sk) {
174 		sock_hold(sk);
175 		bh_lock_sock(sk);
176 		sco_sock_clear_timer(sk);
177 		sco_chan_del(sk, err);
178 		bh_unlock_sock(sk);
179 		sco_sock_kill(sk);
180 		sock_put(sk);
181 	}
182 
183 	hcon->sco_data = NULL;
184 	kfree(conn);
185 }
186 
187 static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
188 			   struct sock *parent)
189 {
190 	BT_DBG("conn %p", conn);
191 
192 	sco_pi(sk)->conn = conn;
193 	conn->sk = sk;
194 
195 	if (parent)
196 		bt_accept_enqueue(parent, sk);
197 }
198 
199 static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
200 			struct sock *parent)
201 {
202 	int err = 0;
203 
204 	sco_conn_lock(conn);
205 	if (conn->sk)
206 		err = -EBUSY;
207 	else
208 		__sco_chan_add(conn, sk, parent);
209 
210 	sco_conn_unlock(conn);
211 	return err;
212 }
213 
214 static int sco_connect(struct sock *sk)
215 {
216 	struct sco_conn *conn;
217 	struct hci_conn *hcon;
218 	struct hci_dev  *hdev;
219 	int err, type;
220 
221 	BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
222 
223 	hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR);
224 	if (!hdev)
225 		return -EHOSTUNREACH;
226 
227 	hci_dev_lock(hdev);
228 
229 	if (lmp_esco_capable(hdev) && !disable_esco)
230 		type = ESCO_LINK;
231 	else
232 		type = SCO_LINK;
233 
234 	if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
235 	    (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) {
236 		err = -EOPNOTSUPP;
237 		goto done;
238 	}
239 
240 	hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
241 			       sco_pi(sk)->setting);
242 	if (IS_ERR(hcon)) {
243 		err = PTR_ERR(hcon);
244 		goto done;
245 	}
246 
247 	conn = sco_conn_add(hcon);
248 	if (!conn) {
249 		hci_conn_drop(hcon);
250 		err = -ENOMEM;
251 		goto done;
252 	}
253 
254 	/* Update source addr of the socket */
255 	bacpy(&sco_pi(sk)->src, &hcon->src);
256 
257 	err = sco_chan_add(conn, sk, NULL);
258 	if (err)
259 		goto done;
260 
261 	if (hcon->state == BT_CONNECTED) {
262 		sco_sock_clear_timer(sk);
263 		sk->sk_state = BT_CONNECTED;
264 	} else {
265 		sk->sk_state = BT_CONNECT;
266 		sco_sock_set_timer(sk, sk->sk_sndtimeo);
267 	}
268 
269 done:
270 	hci_dev_unlock(hdev);
271 	hci_dev_put(hdev);
272 	return err;
273 }
274 
275 static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
276 {
277 	struct sco_conn *conn = sco_pi(sk)->conn;
278 	struct sk_buff *skb;
279 	int err;
280 
281 	/* Check outgoing MTU */
282 	if (len > conn->mtu)
283 		return -EINVAL;
284 
285 	BT_DBG("sk %p len %d", sk, len);
286 
287 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
288 	if (!skb)
289 		return err;
290 
291 	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
292 		kfree_skb(skb);
293 		return -EFAULT;
294 	}
295 
296 	hci_send_sco(conn->hcon, skb);
297 
298 	return len;
299 }
300 
301 static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
302 {
303 	struct sock *sk;
304 
305 	sco_conn_lock(conn);
306 	sk = conn->sk;
307 	sco_conn_unlock(conn);
308 
309 	if (!sk)
310 		goto drop;
311 
312 	BT_DBG("sk %p len %d", sk, skb->len);
313 
314 	if (sk->sk_state != BT_CONNECTED)
315 		goto drop;
316 
317 	if (!sock_queue_rcv_skb(sk, skb))
318 		return;
319 
320 drop:
321 	kfree_skb(skb);
322 }
323 
324 /* -------- Socket interface ---------- */
325 static struct sock *__sco_get_sock_listen_by_addr(bdaddr_t *ba)
326 {
327 	struct sock *sk;
328 
329 	sk_for_each(sk, &sco_sk_list.head) {
330 		if (sk->sk_state != BT_LISTEN)
331 			continue;
332 
333 		if (!bacmp(&sco_pi(sk)->src, ba))
334 			return sk;
335 	}
336 
337 	return NULL;
338 }
339 
340 /* Find socket listening on source bdaddr.
341  * Returns closest match.
342  */
343 static struct sock *sco_get_sock_listen(bdaddr_t *src)
344 {
345 	struct sock *sk = NULL, *sk1 = NULL;
346 
347 	read_lock(&sco_sk_list.lock);
348 
349 	sk_for_each(sk, &sco_sk_list.head) {
350 		if (sk->sk_state != BT_LISTEN)
351 			continue;
352 
353 		/* Exact match. */
354 		if (!bacmp(&sco_pi(sk)->src, src))
355 			break;
356 
357 		/* Closest match */
358 		if (!bacmp(&sco_pi(sk)->src, BDADDR_ANY))
359 			sk1 = sk;
360 	}
361 
362 	read_unlock(&sco_sk_list.lock);
363 
364 	return sk ? sk : sk1;
365 }
366 
367 static void sco_sock_destruct(struct sock *sk)
368 {
369 	BT_DBG("sk %p", sk);
370 
371 	skb_queue_purge(&sk->sk_receive_queue);
372 	skb_queue_purge(&sk->sk_write_queue);
373 }
374 
375 static void sco_sock_cleanup_listen(struct sock *parent)
376 {
377 	struct sock *sk;
378 
379 	BT_DBG("parent %p", parent);
380 
381 	/* Close not yet accepted channels */
382 	while ((sk = bt_accept_dequeue(parent, NULL))) {
383 		sco_sock_close(sk);
384 		sco_sock_kill(sk);
385 	}
386 
387 	parent->sk_state  = BT_CLOSED;
388 	sock_set_flag(parent, SOCK_ZAPPED);
389 }
390 
391 /* Kill socket (only if zapped and orphan)
392  * Must be called on unlocked socket.
393  */
394 static void sco_sock_kill(struct sock *sk)
395 {
396 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
397 		return;
398 
399 	BT_DBG("sk %p state %d", sk, sk->sk_state);
400 
401 	/* Kill poor orphan */
402 	bt_sock_unlink(&sco_sk_list, sk);
403 	sock_set_flag(sk, SOCK_DEAD);
404 	sock_put(sk);
405 }
406 
407 static void __sco_sock_close(struct sock *sk)
408 {
409 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
410 
411 	switch (sk->sk_state) {
412 	case BT_LISTEN:
413 		sco_sock_cleanup_listen(sk);
414 		break;
415 
416 	case BT_CONNECTED:
417 	case BT_CONFIG:
418 		if (sco_pi(sk)->conn->hcon) {
419 			sk->sk_state = BT_DISCONN;
420 			sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
421 			sco_conn_lock(sco_pi(sk)->conn);
422 			hci_conn_drop(sco_pi(sk)->conn->hcon);
423 			sco_pi(sk)->conn->hcon = NULL;
424 			sco_conn_unlock(sco_pi(sk)->conn);
425 		} else
426 			sco_chan_del(sk, ECONNRESET);
427 		break;
428 
429 	case BT_CONNECT2:
430 	case BT_CONNECT:
431 	case BT_DISCONN:
432 		sco_chan_del(sk, ECONNRESET);
433 		break;
434 
435 	default:
436 		sock_set_flag(sk, SOCK_ZAPPED);
437 		break;
438 	}
439 }
440 
441 /* Must be called on unlocked socket. */
442 static void sco_sock_close(struct sock *sk)
443 {
444 	sco_sock_clear_timer(sk);
445 	lock_sock(sk);
446 	__sco_sock_close(sk);
447 	release_sock(sk);
448 	sco_sock_kill(sk);
449 }
450 
451 static void sco_sock_init(struct sock *sk, struct sock *parent)
452 {
453 	BT_DBG("sk %p", sk);
454 
455 	if (parent) {
456 		sk->sk_type = parent->sk_type;
457 		bt_sk(sk)->flags = bt_sk(parent)->flags;
458 		security_sk_clone(parent, sk);
459 	}
460 }
461 
462 static struct proto sco_proto = {
463 	.name		= "SCO",
464 	.owner		= THIS_MODULE,
465 	.obj_size	= sizeof(struct sco_pinfo)
466 };
467 
468 static struct sock *sco_sock_alloc(struct net *net, struct socket *sock,
469 				   int proto, gfp_t prio, int kern)
470 {
471 	struct sock *sk;
472 
473 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &sco_proto, kern);
474 	if (!sk)
475 		return NULL;
476 
477 	sock_init_data(sock, sk);
478 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
479 
480 	sk->sk_destruct = sco_sock_destruct;
481 	sk->sk_sndtimeo = SCO_CONN_TIMEOUT;
482 
483 	sock_reset_flag(sk, SOCK_ZAPPED);
484 
485 	sk->sk_protocol = proto;
486 	sk->sk_state    = BT_OPEN;
487 
488 	sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;
489 
490 	timer_setup(&sk->sk_timer, sco_sock_timeout, 0);
491 
492 	bt_sock_link(&sco_sk_list, sk);
493 	return sk;
494 }
495 
496 static int sco_sock_create(struct net *net, struct socket *sock, int protocol,
497 			   int kern)
498 {
499 	struct sock *sk;
500 
501 	BT_DBG("sock %p", sock);
502 
503 	sock->state = SS_UNCONNECTED;
504 
505 	if (sock->type != SOCK_SEQPACKET)
506 		return -ESOCKTNOSUPPORT;
507 
508 	sock->ops = &sco_sock_ops;
509 
510 	sk = sco_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
511 	if (!sk)
512 		return -ENOMEM;
513 
514 	sco_sock_init(sk, NULL);
515 	return 0;
516 }
517 
518 static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
519 			 int addr_len)
520 {
521 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
522 	struct sock *sk = sock->sk;
523 	int err = 0;
524 
525 	BT_DBG("sk %p %pMR", sk, &sa->sco_bdaddr);
526 
527 	if (!addr || addr_len < sizeof(struct sockaddr_sco) ||
528 	    addr->sa_family != AF_BLUETOOTH)
529 		return -EINVAL;
530 
531 	lock_sock(sk);
532 
533 	if (sk->sk_state != BT_OPEN) {
534 		err = -EBADFD;
535 		goto done;
536 	}
537 
538 	if (sk->sk_type != SOCK_SEQPACKET) {
539 		err = -EINVAL;
540 		goto done;
541 	}
542 
543 	bacpy(&sco_pi(sk)->src, &sa->sco_bdaddr);
544 
545 	sk->sk_state = BT_BOUND;
546 
547 done:
548 	release_sock(sk);
549 	return err;
550 }
551 
552 static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
553 {
554 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
555 	struct sock *sk = sock->sk;
556 	int err;
557 
558 	BT_DBG("sk %p", sk);
559 
560 	if (alen < sizeof(struct sockaddr_sco) ||
561 	    addr->sa_family != AF_BLUETOOTH)
562 		return -EINVAL;
563 
564 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
565 		return -EBADFD;
566 
567 	if (sk->sk_type != SOCK_SEQPACKET)
568 		return -EINVAL;
569 
570 	lock_sock(sk);
571 
572 	/* Set destination address and psm */
573 	bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
574 
575 	err = sco_connect(sk);
576 	if (err)
577 		goto done;
578 
579 	err = bt_sock_wait_state(sk, BT_CONNECTED,
580 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
581 
582 done:
583 	release_sock(sk);
584 	return err;
585 }
586 
587 static int sco_sock_listen(struct socket *sock, int backlog)
588 {
589 	struct sock *sk = sock->sk;
590 	bdaddr_t *src = &sco_pi(sk)->src;
591 	int err = 0;
592 
593 	BT_DBG("sk %p backlog %d", sk, backlog);
594 
595 	lock_sock(sk);
596 
597 	if (sk->sk_state != BT_BOUND) {
598 		err = -EBADFD;
599 		goto done;
600 	}
601 
602 	if (sk->sk_type != SOCK_SEQPACKET) {
603 		err = -EINVAL;
604 		goto done;
605 	}
606 
607 	write_lock(&sco_sk_list.lock);
608 
609 	if (__sco_get_sock_listen_by_addr(src)) {
610 		err = -EADDRINUSE;
611 		goto unlock;
612 	}
613 
614 	sk->sk_max_ack_backlog = backlog;
615 	sk->sk_ack_backlog = 0;
616 
617 	sk->sk_state = BT_LISTEN;
618 
619 unlock:
620 	write_unlock(&sco_sk_list.lock);
621 
622 done:
623 	release_sock(sk);
624 	return err;
625 }
626 
627 static int sco_sock_accept(struct socket *sock, struct socket *newsock,
628 			   int flags, bool kern)
629 {
630 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
631 	struct sock *sk = sock->sk, *ch;
632 	long timeo;
633 	int err = 0;
634 
635 	lock_sock(sk);
636 
637 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
638 
639 	BT_DBG("sk %p timeo %ld", sk, timeo);
640 
641 	/* Wait for an incoming connection. (wake-one). */
642 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
643 	while (1) {
644 		if (sk->sk_state != BT_LISTEN) {
645 			err = -EBADFD;
646 			break;
647 		}
648 
649 		ch = bt_accept_dequeue(sk, newsock);
650 		if (ch)
651 			break;
652 
653 		if (!timeo) {
654 			err = -EAGAIN;
655 			break;
656 		}
657 
658 		if (signal_pending(current)) {
659 			err = sock_intr_errno(timeo);
660 			break;
661 		}
662 
663 		release_sock(sk);
664 
665 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
666 		lock_sock(sk);
667 	}
668 	remove_wait_queue(sk_sleep(sk), &wait);
669 
670 	if (err)
671 		goto done;
672 
673 	newsock->state = SS_CONNECTED;
674 
675 	BT_DBG("new socket %p", ch);
676 
677 done:
678 	release_sock(sk);
679 	return err;
680 }
681 
682 static int sco_sock_getname(struct socket *sock, struct sockaddr *addr,
683 			    int peer)
684 {
685 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
686 	struct sock *sk = sock->sk;
687 
688 	BT_DBG("sock %p, sk %p", sock, sk);
689 
690 	addr->sa_family = AF_BLUETOOTH;
691 
692 	if (peer)
693 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->dst);
694 	else
695 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->src);
696 
697 	return sizeof(struct sockaddr_sco);
698 }
699 
700 static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
701 			    size_t len)
702 {
703 	struct sock *sk = sock->sk;
704 	int err;
705 
706 	BT_DBG("sock %p, sk %p", sock, sk);
707 
708 	err = sock_error(sk);
709 	if (err)
710 		return err;
711 
712 	if (msg->msg_flags & MSG_OOB)
713 		return -EOPNOTSUPP;
714 
715 	lock_sock(sk);
716 
717 	if (sk->sk_state == BT_CONNECTED)
718 		err = sco_send_frame(sk, msg, len);
719 	else
720 		err = -ENOTCONN;
721 
722 	release_sock(sk);
723 	return err;
724 }
725 
726 static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting)
727 {
728 	struct hci_dev *hdev = conn->hdev;
729 
730 	BT_DBG("conn %p", conn);
731 
732 	conn->state = BT_CONFIG;
733 
734 	if (!lmp_esco_capable(hdev)) {
735 		struct hci_cp_accept_conn_req cp;
736 
737 		bacpy(&cp.bdaddr, &conn->dst);
738 		cp.role = 0x00; /* Ignored */
739 
740 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
741 	} else {
742 		struct hci_cp_accept_sync_conn_req cp;
743 
744 		bacpy(&cp.bdaddr, &conn->dst);
745 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
746 
747 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
748 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
749 		cp.content_format = cpu_to_le16(setting);
750 
751 		switch (setting & SCO_AIRMODE_MASK) {
752 		case SCO_AIRMODE_TRANSP:
753 			if (conn->pkt_type & ESCO_2EV3)
754 				cp.max_latency = cpu_to_le16(0x0008);
755 			else
756 				cp.max_latency = cpu_to_le16(0x000D);
757 			cp.retrans_effort = 0x02;
758 			break;
759 		case SCO_AIRMODE_CVSD:
760 			cp.max_latency = cpu_to_le16(0xffff);
761 			cp.retrans_effort = 0xff;
762 			break;
763 		}
764 
765 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
766 			     sizeof(cp), &cp);
767 	}
768 }
769 
770 static int sco_sock_recvmsg(struct socket *sock, struct msghdr *msg,
771 			    size_t len, int flags)
772 {
773 	struct sock *sk = sock->sk;
774 	struct sco_pinfo *pi = sco_pi(sk);
775 
776 	lock_sock(sk);
777 
778 	if (sk->sk_state == BT_CONNECT2 &&
779 	    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
780 		sco_conn_defer_accept(pi->conn->hcon, pi->setting);
781 		sk->sk_state = BT_CONFIG;
782 
783 		release_sock(sk);
784 		return 0;
785 	}
786 
787 	release_sock(sk);
788 
789 	return bt_sock_recvmsg(sock, msg, len, flags);
790 }
791 
792 static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
793 			       char __user *optval, unsigned int optlen)
794 {
795 	struct sock *sk = sock->sk;
796 	int len, err = 0;
797 	struct bt_voice voice;
798 	u32 opt;
799 
800 	BT_DBG("sk %p", sk);
801 
802 	lock_sock(sk);
803 
804 	switch (optname) {
805 
806 	case BT_DEFER_SETUP:
807 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
808 			err = -EINVAL;
809 			break;
810 		}
811 
812 		if (get_user(opt, (u32 __user *) optval)) {
813 			err = -EFAULT;
814 			break;
815 		}
816 
817 		if (opt)
818 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
819 		else
820 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
821 		break;
822 
823 	case BT_VOICE:
824 		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
825 		    sk->sk_state != BT_CONNECT2) {
826 			err = -EINVAL;
827 			break;
828 		}
829 
830 		voice.setting = sco_pi(sk)->setting;
831 
832 		len = min_t(unsigned int, sizeof(voice), optlen);
833 		if (copy_from_user((char *)&voice, optval, len)) {
834 			err = -EFAULT;
835 			break;
836 		}
837 
838 		/* Explicitly check for these values */
839 		if (voice.setting != BT_VOICE_TRANSPARENT &&
840 		    voice.setting != BT_VOICE_CVSD_16BIT) {
841 			err = -EINVAL;
842 			break;
843 		}
844 
845 		sco_pi(sk)->setting = voice.setting;
846 		break;
847 
848 	default:
849 		err = -ENOPROTOOPT;
850 		break;
851 	}
852 
853 	release_sock(sk);
854 	return err;
855 }
856 
857 static int sco_sock_getsockopt_old(struct socket *sock, int optname,
858 				   char __user *optval, int __user *optlen)
859 {
860 	struct sock *sk = sock->sk;
861 	struct sco_options opts;
862 	struct sco_conninfo cinfo;
863 	int len, err = 0;
864 
865 	BT_DBG("sk %p", sk);
866 
867 	if (get_user(len, optlen))
868 		return -EFAULT;
869 
870 	lock_sock(sk);
871 
872 	switch (optname) {
873 	case SCO_OPTIONS:
874 		if (sk->sk_state != BT_CONNECTED &&
875 		    !(sk->sk_state == BT_CONNECT2 &&
876 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
877 			err = -ENOTCONN;
878 			break;
879 		}
880 
881 		opts.mtu = sco_pi(sk)->conn->mtu;
882 
883 		BT_DBG("mtu %d", opts.mtu);
884 
885 		len = min_t(unsigned int, len, sizeof(opts));
886 		if (copy_to_user(optval, (char *)&opts, len))
887 			err = -EFAULT;
888 
889 		break;
890 
891 	case SCO_CONNINFO:
892 		if (sk->sk_state != BT_CONNECTED &&
893 		    !(sk->sk_state == BT_CONNECT2 &&
894 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
895 			err = -ENOTCONN;
896 			break;
897 		}
898 
899 		memset(&cinfo, 0, sizeof(cinfo));
900 		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
901 		memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
902 
903 		len = min_t(unsigned int, len, sizeof(cinfo));
904 		if (copy_to_user(optval, (char *)&cinfo, len))
905 			err = -EFAULT;
906 
907 		break;
908 
909 	default:
910 		err = -ENOPROTOOPT;
911 		break;
912 	}
913 
914 	release_sock(sk);
915 	return err;
916 }
917 
918 static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
919 			       char __user *optval, int __user *optlen)
920 {
921 	struct sock *sk = sock->sk;
922 	int len, err = 0;
923 	struct bt_voice voice;
924 
925 	BT_DBG("sk %p", sk);
926 
927 	if (level == SOL_SCO)
928 		return sco_sock_getsockopt_old(sock, optname, optval, optlen);
929 
930 	if (get_user(len, optlen))
931 		return -EFAULT;
932 
933 	lock_sock(sk);
934 
935 	switch (optname) {
936 
937 	case BT_DEFER_SETUP:
938 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
939 			err = -EINVAL;
940 			break;
941 		}
942 
943 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
944 			     (u32 __user *)optval))
945 			err = -EFAULT;
946 
947 		break;
948 
949 	case BT_VOICE:
950 		voice.setting = sco_pi(sk)->setting;
951 
952 		len = min_t(unsigned int, len, sizeof(voice));
953 		if (copy_to_user(optval, (char *)&voice, len))
954 			err = -EFAULT;
955 
956 		break;
957 
958 	default:
959 		err = -ENOPROTOOPT;
960 		break;
961 	}
962 
963 	release_sock(sk);
964 	return err;
965 }
966 
967 static int sco_sock_shutdown(struct socket *sock, int how)
968 {
969 	struct sock *sk = sock->sk;
970 	int err = 0;
971 
972 	BT_DBG("sock %p, sk %p", sock, sk);
973 
974 	if (!sk)
975 		return 0;
976 
977 	sock_hold(sk);
978 	lock_sock(sk);
979 
980 	if (!sk->sk_shutdown) {
981 		sk->sk_shutdown = SHUTDOWN_MASK;
982 		sco_sock_clear_timer(sk);
983 		__sco_sock_close(sk);
984 
985 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
986 		    !(current->flags & PF_EXITING))
987 			err = bt_sock_wait_state(sk, BT_CLOSED,
988 						 sk->sk_lingertime);
989 	}
990 
991 	release_sock(sk);
992 	sock_put(sk);
993 
994 	return err;
995 }
996 
997 static int sco_sock_release(struct socket *sock)
998 {
999 	struct sock *sk = sock->sk;
1000 	int err = 0;
1001 
1002 	BT_DBG("sock %p, sk %p", sock, sk);
1003 
1004 	if (!sk)
1005 		return 0;
1006 
1007 	sco_sock_close(sk);
1008 
1009 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1010 	    !(current->flags & PF_EXITING)) {
1011 		lock_sock(sk);
1012 		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1013 		release_sock(sk);
1014 	}
1015 
1016 	sock_orphan(sk);
1017 	sco_sock_kill(sk);
1018 	return err;
1019 }
1020 
1021 static void sco_conn_ready(struct sco_conn *conn)
1022 {
1023 	struct sock *parent;
1024 	struct sock *sk = conn->sk;
1025 
1026 	BT_DBG("conn %p", conn);
1027 
1028 	if (sk) {
1029 		sco_sock_clear_timer(sk);
1030 		bh_lock_sock(sk);
1031 		sk->sk_state = BT_CONNECTED;
1032 		sk->sk_state_change(sk);
1033 		bh_unlock_sock(sk);
1034 	} else {
1035 		sco_conn_lock(conn);
1036 
1037 		if (!conn->hcon) {
1038 			sco_conn_unlock(conn);
1039 			return;
1040 		}
1041 
1042 		parent = sco_get_sock_listen(&conn->hcon->src);
1043 		if (!parent) {
1044 			sco_conn_unlock(conn);
1045 			return;
1046 		}
1047 
1048 		bh_lock_sock(parent);
1049 
1050 		sk = sco_sock_alloc(sock_net(parent), NULL,
1051 				    BTPROTO_SCO, GFP_ATOMIC, 0);
1052 		if (!sk) {
1053 			bh_unlock_sock(parent);
1054 			sco_conn_unlock(conn);
1055 			return;
1056 		}
1057 
1058 		sco_sock_init(sk, parent);
1059 
1060 		bacpy(&sco_pi(sk)->src, &conn->hcon->src);
1061 		bacpy(&sco_pi(sk)->dst, &conn->hcon->dst);
1062 
1063 		hci_conn_hold(conn->hcon);
1064 		__sco_chan_add(conn, sk, parent);
1065 
1066 		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1067 			sk->sk_state = BT_CONNECT2;
1068 		else
1069 			sk->sk_state = BT_CONNECTED;
1070 
1071 		/* Wake up parent */
1072 		parent->sk_data_ready(parent);
1073 
1074 		bh_unlock_sock(parent);
1075 
1076 		sco_conn_unlock(conn);
1077 	}
1078 }
1079 
1080 /* ----- SCO interface with lower layer (HCI) ----- */
1081 int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
1082 {
1083 	struct sock *sk;
1084 	int lm = 0;
1085 
1086 	BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1087 
1088 	/* Find listening sockets */
1089 	read_lock(&sco_sk_list.lock);
1090 	sk_for_each(sk, &sco_sk_list.head) {
1091 		if (sk->sk_state != BT_LISTEN)
1092 			continue;
1093 
1094 		if (!bacmp(&sco_pi(sk)->src, &hdev->bdaddr) ||
1095 		    !bacmp(&sco_pi(sk)->src, BDADDR_ANY)) {
1096 			lm |= HCI_LM_ACCEPT;
1097 
1098 			if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
1099 				*flags |= HCI_PROTO_DEFER;
1100 			break;
1101 		}
1102 	}
1103 	read_unlock(&sco_sk_list.lock);
1104 
1105 	return lm;
1106 }
1107 
1108 static void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
1109 {
1110 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1111 		return;
1112 
1113 	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1114 
1115 	if (!status) {
1116 		struct sco_conn *conn;
1117 
1118 		conn = sco_conn_add(hcon);
1119 		if (conn)
1120 			sco_conn_ready(conn);
1121 	} else
1122 		sco_conn_del(hcon, bt_to_errno(status));
1123 }
1124 
1125 static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
1126 {
1127 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1128 		return;
1129 
1130 	BT_DBG("hcon %p reason %d", hcon, reason);
1131 
1132 	sco_conn_del(hcon, bt_to_errno(reason));
1133 }
1134 
1135 void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
1136 {
1137 	struct sco_conn *conn = hcon->sco_data;
1138 
1139 	if (!conn)
1140 		goto drop;
1141 
1142 	BT_DBG("conn %p len %d", conn, skb->len);
1143 
1144 	if (skb->len) {
1145 		sco_recv_frame(conn, skb);
1146 		return;
1147 	}
1148 
1149 drop:
1150 	kfree_skb(skb);
1151 }
1152 
1153 static struct hci_cb sco_cb = {
1154 	.name		= "SCO",
1155 	.connect_cfm	= sco_connect_cfm,
1156 	.disconn_cfm	= sco_disconn_cfm,
1157 };
1158 
1159 static int sco_debugfs_show(struct seq_file *f, void *p)
1160 {
1161 	struct sock *sk;
1162 
1163 	read_lock(&sco_sk_list.lock);
1164 
1165 	sk_for_each(sk, &sco_sk_list.head) {
1166 		seq_printf(f, "%pMR %pMR %d\n", &sco_pi(sk)->src,
1167 			   &sco_pi(sk)->dst, sk->sk_state);
1168 	}
1169 
1170 	read_unlock(&sco_sk_list.lock);
1171 
1172 	return 0;
1173 }
1174 
1175 static int sco_debugfs_open(struct inode *inode, struct file *file)
1176 {
1177 	return single_open(file, sco_debugfs_show, inode->i_private);
1178 }
1179 
1180 static const struct file_operations sco_debugfs_fops = {
1181 	.open		= sco_debugfs_open,
1182 	.read		= seq_read,
1183 	.llseek		= seq_lseek,
1184 	.release	= single_release,
1185 };
1186 
1187 static struct dentry *sco_debugfs;
1188 
1189 static const struct proto_ops sco_sock_ops = {
1190 	.family		= PF_BLUETOOTH,
1191 	.owner		= THIS_MODULE,
1192 	.release	= sco_sock_release,
1193 	.bind		= sco_sock_bind,
1194 	.connect	= sco_sock_connect,
1195 	.listen		= sco_sock_listen,
1196 	.accept		= sco_sock_accept,
1197 	.getname	= sco_sock_getname,
1198 	.sendmsg	= sco_sock_sendmsg,
1199 	.recvmsg	= sco_sock_recvmsg,
1200 	.poll		= bt_sock_poll,
1201 	.ioctl		= bt_sock_ioctl,
1202 	.mmap		= sock_no_mmap,
1203 	.socketpair	= sock_no_socketpair,
1204 	.shutdown	= sco_sock_shutdown,
1205 	.setsockopt	= sco_sock_setsockopt,
1206 	.getsockopt	= sco_sock_getsockopt
1207 };
1208 
1209 static const struct net_proto_family sco_sock_family_ops = {
1210 	.family	= PF_BLUETOOTH,
1211 	.owner	= THIS_MODULE,
1212 	.create	= sco_sock_create,
1213 };
1214 
1215 int __init sco_init(void)
1216 {
1217 	int err;
1218 
1219 	BUILD_BUG_ON(sizeof(struct sockaddr_sco) > sizeof(struct sockaddr));
1220 
1221 	err = proto_register(&sco_proto, 0);
1222 	if (err < 0)
1223 		return err;
1224 
1225 	err = bt_sock_register(BTPROTO_SCO, &sco_sock_family_ops);
1226 	if (err < 0) {
1227 		BT_ERR("SCO socket registration failed");
1228 		goto error;
1229 	}
1230 
1231 	err = bt_procfs_init(&init_net, "sco", &sco_sk_list, NULL);
1232 	if (err < 0) {
1233 		BT_ERR("Failed to create SCO proc file");
1234 		bt_sock_unregister(BTPROTO_SCO);
1235 		goto error;
1236 	}
1237 
1238 	BT_INFO("SCO socket layer initialized");
1239 
1240 	hci_register_cb(&sco_cb);
1241 
1242 	if (IS_ERR_OR_NULL(bt_debugfs))
1243 		return 0;
1244 
1245 	sco_debugfs = debugfs_create_file("sco", 0444, bt_debugfs,
1246 					  NULL, &sco_debugfs_fops);
1247 
1248 	return 0;
1249 
1250 error:
1251 	proto_unregister(&sco_proto);
1252 	return err;
1253 }
1254 
1255 void sco_exit(void)
1256 {
1257 	bt_procfs_cleanup(&init_net, "sco");
1258 
1259 	debugfs_remove(sco_debugfs);
1260 
1261 	hci_unregister_cb(&sco_cb);
1262 
1263 	bt_sock_unregister(BTPROTO_SCO);
1264 
1265 	proto_unregister(&sco_proto);
1266 }
1267 
1268 module_param(disable_esco, bool, 0644);
1269 MODULE_PARM_DESC(disable_esco, "Disable eSCO connection creation");
1270