Checking only for sco_conn seems to not be enough and lead to NULL
dereferences in the code, check for hcon instead.

<1>[11340.226404] BUG: unable to handle kernel NULL pointer dereference at
0000000
8
<4>[11340.226619] EIP is at __sco_sock_close+0xe8/0x1a0
<4>[11340.226629] EAX: f063a740 EBX: 00000000 ECX: f58f4544 EDX: 00000000
<4>[11340.226640] ESI: dec83e00 EDI: 5f9a081f EBP: e0fdff38 ESP: e0fdff1c
<0>[11340.226674] Stack:
<4>[11340.226682]  c184db87 c1251028 dec83e00 e0fdff38 c1754aef dec83e00
00000000
e0fdff5c
<4>[11340.226718]  c184f587 e0fdff64 e0fdff68 5f9a081f e0fdff5c c1751852
d7813800
62262f10
<4>[11340.226752]  e0fdff70 c1753c00 00000000 00000001 0000000d e0fdffac
c175425c
00000041
<0>[11340.226793] Call Trace:
<4>[11340.226813]  [<c184db87>] ? sco_sock_clear_timer+0x27/0x60
<4>[11340.226831]  [<c1251028>] ? local_bh_enable+0x68/0xd0
<4>[11340.226846]  [<c1754aef>] ? lock_sock_nested+0x4f/0x60
<4>[11340.226862]  [<c184f587>] sco_sock_shutdown+0x67/0xb0
<4>[11340.226879]  [<c1751852>] ? sockfd_lookup_light+0x22/0x80
<4>[11340.226897]  [<c1753c00>] sys_shutdown+0x30/0x60
<4>[11340.226912]  [<c175425c>] sys_socketcall+0x1dc/0x2a0
<4>[11340.226929]  [<c149ba78>] ? trace_hardirqs_on_thunk+0xc/0x10
<4>[11340.226944]  [<c18860f1>] syscall_call+0x7/0xb
<4>[11340.226960]  [<c1880000>] ? restore_cur+0x5e/0xd7
<0>[11340.226969] Code: <f0> ff 4b 08 0f 94 c0 84 c0 74 20 80 7b 19 01 74
2f b8 0a 00 00
Reported-by: NChuansheng Liu <chuansheng.liu@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

This reverts commit 269c4845.

The commit was causing dead locks and NULL dereferences in the sco code:

 [28084.104013] BUG: soft lockup - CPU#0 stuck for 22s! [kworker/u:0H:7]
 [28084.104021] Modules linked in: btusb bluetooth <snip [last unloaded:
bluetooth]
...
 [28084.104021]  [<c160246d>] _raw_spin_lock+0xd/0x10
 [28084.104021]  [<f920e708>] sco_conn_del+0x58/0x1b0 [bluetooth]
 [28084.104021]  [<f920f1a9>] sco_connect_cfm+0xb9/0x2b0 [bluetooth]
 [28084.104021]  [<f91ef289>]
hci_sync_conn_complete_evt.isra.94+0x1c9/0x260 [bluetooth]
 [28084.104021]  [<f91f1a8d>] hci_event_packet+0x74d/0x2b40 [bluetooth]
 [28084.104021]  [<c1501abd>] ? __kfree_skb+0x3d/0x90
 [28084.104021]  [<c1501b46>] ? kfree_skb+0x36/0x90
 [28084.104021]  [<f91fcb4e>] ? hci_send_to_monitor+0x10e/0x190 [bluetooth]
 [28084.104021]  [<f91fcb4e>] ? hci_send_to_monitor+0x10e/0x190 [bluetooth]

Cc: stable@vger.kernel.org
Reported-by: NChan-yeol Park <chanyeol.park@gmail.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

In order to authenticate and configure an incoming SCO connection, the
BT_DEFER_SETUP option was added. This option is intended to defer reply
to Connect Request on SCO sockets.
When a connection is requested, the listening socket is unblocked but
the effective connection setup happens only on first recv. Any send
between accept and recv fails with -ENOTCONN.
Signed-off-by: NFrédéric Dalleau <frederic.dalleau@linux.intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

This option will set the BT_SK_DEFER_SETUP bit in socket flags.
Signed-off-by: NFrédéric Dalleau <frederic.dalleau@linux.intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Instead of old unsafe batostr function use %pMR print specifier
for printing Bluetooth addresses in sprintf and seq_printf
statements.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Instead of old unsafe batostr function use %pMR print specifier
for printing Bluetooth addresses in debug and error statements.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

sco_chan_del() only has conn != NULL when called from sco_conn_del() so
just move the code from it that deal with conn to sco_conn_del().

[  120.765529]
[  120.765529] ======================================================
[  120.766529] [ INFO: possible circular locking dependency detected ]
[  120.766529] 3.5.0-rc1-10292-g3701f944-dirty #70 Tainted: G        W
[  120.766529] -------------------------------------------------------
[  120.766529] kworker/u:3/1497 is trying to acquire lock:
[  120.766529]  (&(&conn->lock)->rlock#2){+.+...}, at:
[<ffffffffa00b7ecc>] sco_chan_del+0x4c/0x170 [bluetooth]
[  120.766529]
[  120.766529] but task is already holding lock:
[  120.766529]  (slock-AF_BLUETOOTH-BTPROTO_SCO){+.+...}, at:
[<ffffffffa00b8401>] sco_conn_del+0x61/0xe0 [bluetooth]
[  120.766529]
[  120.766529] which lock already depends on the new lock.
[  120.766529]
[  120.766529]
[  120.766529] the existing dependency chain (in reverse order) is:
[  120.766529]
[  120.766529] -> #1 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.+...}:
[  120.766529]        [<ffffffff8107980e>] lock_acquire+0x8e/0xb0
[  120.766529]        [<ffffffff813c19e0>] _raw_spin_lock+0x40/0x80
[  120.766529]        [<ffffffffa00b85e9>] sco_connect_cfm+0x79/0x300
[bluetooth]
[  120.766529]        [<ffffffffa0094b13>]
hci_sync_conn_complete_evt.isra.90+0x343/0x400 [bluetooth]
[  120.766529]        [<ffffffffa009d447>] hci_event_packet+0x317/0xfb0
[bluetooth]
[  120.766529]        [<ffffffffa008aa68>] hci_rx_work+0x2c8/0x890
[bluetooth]
[  120.766529]        [<ffffffff81047db7>] process_one_work+0x197/0x460
[  120.766529]        [<ffffffff810489d6>] worker_thread+0x126/0x2d0
[  120.766529]        [<ffffffff8104ee4d>] kthread+0x9d/0xb0
[  120.766529]        [<ffffffff813c4294>] kernel_thread_helper+0x4/0x10
[  120.766529]
[  120.766529] -> #0 (&(&conn->lock)->rlock#2){+.+...}:
[  120.766529]        [<ffffffff81078a8a>] __lock_acquire+0x154a/0x1d30
[  120.766529]        [<ffffffff8107980e>] lock_acquire+0x8e/0xb0
[  120.766529]        [<ffffffff813c19e0>] _raw_spin_lock+0x40/0x80
[  120.766529]        [<ffffffffa00b7ecc>] sco_chan_del+0x4c/0x170
[bluetooth]
[  120.766529]        [<ffffffffa00b8414>] sco_conn_del+0x74/0xe0
[bluetooth]
[  120.766529]        [<ffffffffa00b88a2>] sco_disconn_cfm+0x32/0x60
[bluetooth]
[  120.766529]        [<ffffffffa0093a82>]
hci_disconn_complete_evt.isra.53+0x242/0x390 [bluetooth]
[  120.766529]        [<ffffffffa009d747>] hci_event_packet+0x617/0xfb0
[bluetooth]
[  120.766529]        [<ffffffffa008aa68>] hci_rx_work+0x2c8/0x890
[bluetooth]
[  120.766529]        [<ffffffff81047db7>] process_one_work+0x197/0x460
[  120.766529]        [<ffffffff810489d6>] worker_thread+0x126/0x2d0
[  120.766529]        [<ffffffff8104ee4d>] kthread+0x9d/0xb0
[  120.766529]        [<ffffffff813c4294>] kernel_thread_helper+0x4/0x10
[  120.766529]
[  120.766529] other info that might help us debug this:
[  120.766529]
[  120.766529]  Possible unsafe locking scenario:
[  120.766529]
[  120.766529]        CPU0                    CPU1
[  120.766529]        ----                    ----
[  120.766529]   lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
[  120.766529]
lock(&(&conn->lock)->rlock#2);
[  120.766529]
lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
[  120.766529]   lock(&(&conn->lock)->rlock#2);
[  120.766529]
[  120.766529]  *** DEADLOCK ***
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Added /proc/net/sco via bt_procfs_init().
Signed-off-by: NMasatake YAMATO <yamato@redhat.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Return values are never used because callers hci_proto_connect_cfm
and hci_proto_disconn_cfm return void.
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@intel.com>
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>

Most of the include were unnecessary or already included by some other
header.
Replace module.h by export.h where possible.
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Let the compiler chooses what is best.
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Only obvious cases were left as inline, mostly oneline functions.
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Follow the net subsystem rules.
Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

This patch adds the dst_type parameter to hci_connect function.
Instead of searching the address type in advertising cache, we
use the dst_type parameter to establish LE connections.

The dst_type is ignored for BR/EDR connection establishment.
Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

The SCO sockets are only identified by its address. So only allow one
SCO socket in listening state per address or BDADDR_ANY.
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Checking the source address in SCO bind function will prevent from
having an incoming and outgoing SCO socket. However that might be
needed in case of multiple SCO connections on a single device.
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Sco_conn_add is called from two places and always with status = 0.
Signed-off-by: NLukasz Rymanowski <lukasz.rymanowski@tieto.com>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Split the checks for sk->sk_state and sk->sk_type for SCO listen
sockets. This makes the code more readable.
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

By some reason this is not needed anymore.
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

The function already fails if the given size is greater than the MTU, so
there is no need to consider that case afterwards.
Signed-off-by: NMikel Astiz <mikel.astiz.oss@gmail.com>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo Padovan <gustavo@padovan.org>

Remove all #inclusions of asm/system.h preparatory to splitting and killing
it.  Performed with the following command:

perl -p -i -e 's!^#\s*include\s*<asm/system[.]h>.*\n!!' `grep -Irl '^#\s*include\s*<asm/system[.]h>' *`
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Those locks are not shared between interrupt and process context anymore,
so remove the part that disable interrupts. We are still safe because
preemption is disabled.
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

The struct hci_proto and all related register/unregister and dispatching
code was removed. HCI core code now call directly the SCO and L2CAP
event functions.
Signed-off-by: NUlisses Furquim <ulisses@profusion.mobi>
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

module_param(bool) used to counter-intuitively take an int.  In
fddd5201 (mid-2009) we allowed bool or int/unsigned int using a messy
trick.

It's time to remove the int/unsigned int option.  For this version
it'll simply give a warning, but it'll break next kernel version.

(Thanks to Joe Perches for suggesting coccinelle for 0/1 -> true/false).

Cc: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Now we run everything in HCI in process context, so it's a better idea use
mutex instead spin_lock. The macro remains hci_dev_lock() (and I got rid
of hci_dev_lock_bh()), of course.
Acked-by: NMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

The Bluetooth stack has internal connection handlers for all of the various
Bluetooth protocols, and unfortunately, they are currently lacking the LSM
hooks found in the core network stack's connection handlers.  I say
unfortunately, because this can cause problems for users who have have an
LSM enabled and are using certain Bluetooth devices.  See one problem
report below:

 * http://bugzilla.redhat.com/show_bug.cgi?id=741703

In order to keep things simple at this point in time, this patch fixes the
problem by cloning the parent socket's LSM attributes to the newly created
child socket.  If we decide we need a more elaborate LSM marking mechanism
for Bluetooth (I somewhat doubt this) we can always revisit this decision
in the future.
Reported-by: NJames M. Cape <jcape@ignore-your.tv>
Signed-off-by: NPaul Moore <pmoore@redhat.com>
Acked-by: NJames Morris <jmorris@namei.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fix race conditions which can cause lost wakeups (or missed signals)
while waiting to accept a sco socket connection.
Signed-off-by: NPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

Make it easier to use more normal logging styles later.
Signed-off-by: NJoe Perches <joe@perches.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

shutdown should wait for SCO link to be properly disconnected before
detroying the socket, otherwise an application using the socket may
assume link is properly disconnected before it really happens which
can be a problem when e.g synchronizing profile switch.
Signed-off-by: NLuiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

shutdown should wait for SCO link to be properly disconnected before
detroying the socket, otherwise an application using the socket may
assume link is properly disconnected before it really happens which
can be a problem when e.g synchronizing profile switch.
Signed-off-by: NLuiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

This reverts commit f21ca5ff.

Quoth Gustavo F. Padovan:
  "Commit f21ca5ff can cause a NULL
   dereference if we call shutdown in a bluetooth SCO socket and doesn't
   wait the shutdown completion to call close().  Please revert it.  I
   may have a fix for it soon, but we don't have time anymore, so revert
   is the way to go.  ;)"
Requested-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

shutdown should wait for SCO link to be properly disconnected before
detroying the socket, otherwise an application using the socket may
assume link is properly disconnected before it really happens which
can be a problem when e.g synchronizing profile switch.
Signed-off-by: NLuiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

Use ERR_PTR mechanism to return error from hci_connect.
Signed-off-by: NVille Tervo <ville.tervo@nokia.com>
Signed-off-by: NAnderson Briglia <anderson.briglia@openbossa.org>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

Actually doesn't make sense have these modules built separately.
The L2CAP layer is needed by almost all Bluetooth protocols and profiles.
There isn't any real use case without having L2CAP loaded.
SCO is only essential for Audio transfers, but it is so small that we can
have it loaded always in bluetooth.ko without problems.
If you really doesn't want it you can disable SCO in the kernel config.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this uninizialized
one byte, leading to old stack contents leak.
Signed-off-by: NVasiliy Kulikov <segoon@openwall.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

Do not use assignments in IF condition, remove extra spaces
Signed-off-by: NAndrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

Return 0 in that situation could lead to errors in the caller.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>

This patch removes from net/ (but not any netfilter files)
all the unnecessary return; statements that precede the
last closing brace of void functions.

It does not remove the returns that are immediately
preceded by a label as gcc doesn't like that.

Done via:
$ grep -rP --include=*.[ch] -l "return;\n}" net/ | \
  xargs perl -i -e 'local $/ ; while (<>) { s/\n[ \t\n]+return;\n}/\n}/g; print; }'
Signed-off-by: NJoe Perches <joe@perches.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Remove extra braces and labels, break over column 80 lines, etc
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

It also removes an unneeded check for the MTU. The check is done before
on sco_send_frame()
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Reviewed-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>