1. 23 6月, 2013 6 次提交
  2. 14 6月, 2013 2 次提交
    • J
      Bluetooth: Fix conditions for HCI_Delete_Stored_Link_Key · 59f45d57
      Johan Hedberg 提交于
      Even though the HCI_Delete_Stored_Link_Key command is mandatory for 1.1
      and later controllers some controllers do not seem to support it
      properly as was witnessed by one Broadcom based controller:
      
      < HCI Command: Delete Stored Link Key (0x03|0x0012) plen 7
          bdaddr 00:00:00:00:00:00 all 1
      > HCI Event: Command Complete (0x0e) plen 4
          Delete Stored Link Key (0x03|0x0012) ncmd 1
          status 0x11 deleted 0
          Error: Unsupported Feature or Parameter Value
      
      Luckily this same controller also doesn't list the command in its
      supported commands bit mask (counting from 0 bit 7 of octet 6):
      
      < HCI Command: Read Local Supported Commands (0x04|0x0002) plen 0
      > HCI Event: Command Complete (0x0e) plen 68
          Read Local Supported Commands (0x04|0x0002) ncmd 1
          status 0x00
          Commands: ffffffffffff1ffffffffffff30fffff3f
      
      Therefore, it makes sense to move sending of HCI_Delete_Stored_Link_Key
      to after receiving the supported commands response and to only send it
      if its respective bit in the mask is set. The downside of this is that
      we no longer send the HCI_Delete_Stored_Link_Key command for Bluetooth
      1.1 controllers since HCI_Read_Local_Supported_Command was introduced in
      version 1.2, but this is an acceptable penalty as the command in
      question shouldn't affect critical behavior.
      Reported-by: NPavel Machek <pavel@ucw.cz>
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Tested-by: NPavel Machek <pavel@ucw.cz>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      59f45d57
    • A
      Bluetooth: Fix crash in l2cap_build_cmd() with small MTU · 300b962e
      Anderson Lizardo 提交于
      If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
      controller, memory corruption happens due to a memcpy() call with
      negative length.
      
      Fix this crash on either incoming or outgoing connections with a MTU
      smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
      
      [   46.885433] BUG: unable to handle kernel paging request at f56ad000
      [   46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
      [   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
      [   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
      [   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
      [   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
      [   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
      [   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
      [   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
      [   46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
      [   46.888037] EIP is at memcpy+0x1d/0x40
      [   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
      [   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
      [   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      [   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
      [   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [   46.888037] DR6: ffff0ff0 DR7: 00000400
      [   46.888037] Stack:
      [   46.888037]  fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
      [   46.888037]  f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
      [   46.888037]  f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
      [   46.888037] Call Trace:
      [   46.888037]  [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
      [   46.888037]  [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
      [   46.888037]  [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
      [   46.888037]  [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
      [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
      [   46.888037]  [<c064ad20>] ? mutex_lock_nested+0x280/0x360
      [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
      [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
      [   46.888037]  [<c064ad08>] ? mutex_lock_nested+0x268/0x360
      [   46.888037]  [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
      [   46.888037]  [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
      [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
      [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
      [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
      [   46.888037]  [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
      [   46.888037]  [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
      [   46.888037]  [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
      [   46.888037]  [<c0158979>] process_one_work+0x1a9/0x600
      [   46.888037]  [<c01588fb>] ? process_one_work+0x12b/0x600
      [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
      [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
      [   46.888037]  [<c0159187>] worker_thread+0xf7/0x320
      [   46.888037]  [<c0159090>] ? rescuer_thread+0x290/0x290
      [   46.888037]  [<c01602f8>] kthread+0xa8/0xb0
      [   46.888037]  [<c0656777>] ret_from_kernel_thread+0x1b/0x28
      [   46.888037]  [<c0160250>] ? flush_kthread_worker+0x120/0x120
      [   46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
      [   46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
      [   46.888037] CR2: 00000000f56ad000
      [   46.888037] ---[ end trace 0217c1f4d78714a9 ]---
      Signed-off-by: NAnderson Lizardo <anderson.lizardo@openbossa.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      300b962e
  3. 12 6月, 2013 3 次提交
  4. 24 4月, 2013 3 次提交
  5. 19 4月, 2013 1 次提交
  6. 18 4月, 2013 8 次提交
    • A
      Bluetooth: Rename LE_SCANNING_* macros · 76a388be
      Andre Guedes 提交于
      This patch renames LE_SCANNING_ENABLED and LE_SCANNING_DISABLED
      macros to LE_SCAN_ENABLE and LE_SCAN_DISABLE in order to keep
      the same prefix others LE scan macros have.
      
      It also fixes le_scan_enable_req function so it uses the LE_SCAN_
      ENABLE macro instead of a magic number.
      Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      76a388be
    • A
      Bluetooth: Add macros for filter duplicates values · 525e296a
      Andre Guedes 提交于
      This patch adds macros for filter_duplicates parameter values from
      HCI LE Set Scan Enable command. It also fixes le_scan_enable_req
      function so it uses the LE_SCAN_FILTER_DUP_ENABLE macro instead of
      a magic number.
      
      The LE_SCAN_FILTER_DUP_DISABLE was also defined since it will be
      required to properly support the GAP Observer Role.
      Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      525e296a
    • A
      Bluetooth: Add LE scan type macros · 5df480b5
      Andre Guedes 提交于
      This patch adds macros for active and passive LE scan type values.
      The LE_SCAN_PASSIVE was also defined since it will be used in future
      by LE connection routine and GAP Observer Role support.
      Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      5df480b5
    • A
      Bluetooth: Change LE scanning timeout macros · b6c7515a
      Andre Guedes 提交于
      Define LE scanning timeout macros in jiffies just like we do for
      others timeout macros.
      Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
      Acked-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      b6c7515a
    • J
      Bluetooth: Add reading of all local feature pages · d2c5d77f
      Johan Hedberg 提交于
      With the introduction of CSA4 there is now also a features page number 2
      available. This patch increments the maximum supported page number to 2
      and adds code for reading all available pages (as long as we have
      support for them - indicated by HCI_MAX_PAGES).
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      d2c5d77f
    • J
      Bluetooth: Track feature pages in a single table · cad718ed
      Johan Hedberg 提交于
      The local and remote features are organized by page number. Page 0
      are the LMP features, page 1 the host features, and any pages beyond 1
      features that future core specification versions may define. So far
      we've only had the first two pages and two separate variables has been
      convenient enough, however with the introduction of Core Specification
      Addendum 4 there are features defined on page 2.
      
      Instead of requiring the addition of a new variable each time a new page
      number is defined, this patch refactors the code to use a single table
      for the features. The patch needs to update both the hci_dev and
      hci_conn structures since there are macros that depend on the features
      being represented in the same way in both of them.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      cad718ed
    • F
      Bluetooth: Move and rename hci_conn_accept · fa5513be
      Frédéric Dalleau 提交于
      Since this function is only used by sco, move it from hci_event.c to
      sco.c and rename to sco_conn_defer_accept. Make it static.
      Signed-off-by: NFrédéric Dalleau <frederic.dalleau@linux.intel.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      fa5513be
    • J
      Bluetooth: Fix incorrect SSP mode bit for non SSP devices · bbb0eada
      Jaganath Kanakkassery 提交于
      Some faulty non SSP devices send extended inquiry response
      during device discovery which is a violation of 2.1 specification.
      So for these devices we set SSP bit during acl connection
      initiation thinking that it is an SSP device. But for these
      devices, in remote host features event SSP supported bit
      will be off. But we are not clearing the SSP bit in that case
      and eventually SSP bit in conn flag will be incorrectly set for
      these devices.
      
      The software which has caused this issue is MecApp
      http://www.mecel.se/products/bluetooth/downloads/MecApp_download
      
      This patch does a workaround by clearing the SSP bit if it is
      not supported in remote host features event
      
      hcidump log
      ----------
      
      < HCI Command: Inquiry (0x01|0x0001) plen 5
          lap 0x9e8b33 len 4 num 0
      > HCI Event: Command Status (0x0f) plen 4
          Inquiry (0x01|0x0001) status 0x00 ncmd 1
      > HCI Event: Extended Inquiry Result (0x2f) plen 255
          bdaddr 00:1B:DC:05:B5:25 mode 1 clkoffset 0x3263 class 0x3c0000 rssi -77
          Unknown type 0x42 with 8 bytes data
          Unknown type 0x1e with 2 bytes data
      > HCI Event: Inquiry Complete (0x01) plen 1
          status 0x00
      
      < HCI Command: Create Connection (0x01|0x0005) plen 13
          bdaddr 00:1B:DC:05:B5:25 ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
          Packet type: DM1 DM3 DM5 DH1 DH3 DH5
      > HCI Event: Command Status (0x0f) plen 4
          Create Connection (0x01|0x0005) status 0x00 ncmd 1
      > HCI Event: Connect Complete (0x03) plen 11
          status 0x00 handle 12 bdaddr 00:1B:DC:05:B5:25 type ACL encrypt 0x00
      < HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2
          handle 12
      > HCI Event: Command Status (0x0f) plen 4
          Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1
      > HCI Event: Read Remote Supported Features (0x0b) plen 11
          status 0x00 handle 12
          Features: 0xff 0xff 0x8f 0x7e 0xd8 0x1f 0x5b 0x87
      < HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3
          handle 12 page 1
      > HCI Event: Command Status (0x0f) plen 4
          Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1
      > HCI Event: Page Scan Repetition Mode Change (0x20) plen 7
          bdaddr 00:1B:DC:05:B5:25 mode 1
      > HCI Event: Max Slots Change (0x1b) plen 3
          handle 12 slots 5
      > HCI Event: Read Remote Extended Features (0x23) plen 13
          status 0x00 handle 12 page 1 max 0
          Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
      < HCI Command: Remote Name Request (0x01|0x0019) plen 10
          bdaddr 00:1B:DC:05:B5:25 mode 2 clkoffset 0x0000
      > HCI Event: Command Status (0x0f) plen 4
          Remote Name Request (0x01|0x0019) status 0x00 ncmd 1
      > HCI Event: Remote Name Req Complete (0x07) plen 255
          status 0x00 bdaddr 00:1B:DC:05:B5:25 name 'Bluetooth PTS Radio v4'
      < HCI Command: Authentication Requested (0x01|0x0011) plen 2
          handle 12
      > HCI Event: Command Status (0x0f) plen 4
          Authentication Requested (0x01|0x0011) status 0x00 ncmd 1
      > HCI Event: Link Key Request (0x17) plen 6
          bdaddr 00:1B:DC:05:B5:25
      < HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6
          bdaddr 00:1B:DC:05:B5:25
      > HCI Event: Command Complete (0x0e) plen 10
          Link Key Request Negative Reply (0x01|0x000c) ncmd 1
          status 0x00 bdaddr 00:1B:DC:05:B5:25
      > HCI Event: PIN Code Request (0x16) plen 6
          bdaddr 00:1B:DC:05:B5:25
      Signed-off-by: NJaganath Kanakkassery <jaganath.k@samsung.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      bbb0eada
  7. 17 4月, 2013 14 次提交
    • D
      Bluetooth: hidp: fix sending output reports on intr channel · e73dcfbf
      David Herrmann 提交于
      According to the specifications, data output reports must be sent on the
      interrupt channel. See also usbhid implementation.
      Sending these reports on the control channel breaks newer Wii Remotes.
      
      Note that this will make output reports asynchronous. However, that's how
      hid_output_raw_report() is supposed to work with HID_OUTPUT_REPORT as
      report type. There are no responses to output reports.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      e73dcfbf
    • D
      Bluetooth: hidp: don't send boot-protocol messages as HID-reports · af87b3d0
      David Herrmann 提交于
      If a device is registered as HID device, it is always in Report-Mode.
      Therefore, we must not send Boot-Protocol messages on
      hidinput_input_event() callbacks. This confuses devices and may cause
      disconnects on protocol errors.
      
      We disable the hidinput_input_event() callback for now. We can implement
      it properly later, but lets first fix the current code by disabling it.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      af87b3d0
    • D
      Bluetooth: hidp: merge 'send' functions into hidp_send_message() · 41edc0c0
      David Herrmann 提交于
      We handle skb buffers all over the place, even though we have
      hidp_send_*_message() helpers. This creates a more generic
      hidp_send_message() helper and uses it instead of dealing with transmit
      queues directly everywhere.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      41edc0c0
    • D
      Bluetooth: hidp: merge hidp_process_{ctrl,intr}_transmit() · 7350e6cf
      David Herrmann 提交于
      Both hidp_process_ctrl_transmit() and hidp_process_intr_transmit() are
      exactly the same apart from the transmit-queue and socket pointers.
      Therefore, pass them as argument and merge both functions into one so we
      avoid 25 lines of code-duplication.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      7350e6cf
    • D
      Bluetooth: hidp: handle kernel_sendmsg() errors correctly · 2df01200
      David Herrmann 提交于
      We shouldn't push back the skbs if kernel_sendmsg() fails. Instead, we
      terminate the connection and drop the skb. Only on EAGAIN we push it back
      and return.
      l2cap doesn't return EAGAIN, yet, but this guarantees we're safe if it
      will at some time in the future.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      2df01200
    • D
      Bluetooth: hidp: remove old session-management · 5205185d
      David Herrmann 提交于
      We have the full new session-management now available so lets switch over
      and remove all the old code. Few semantics changed, so we need to adjust
      the sock.c callers a bit. But this mostly simplifies the logic.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      5205185d
    • D
      Bluetooth: hidp: add new session-management helpers · b4f34d8d
      David Herrmann 提交于
      This is a rewrite of the HIDP session management. It implements HIDP as an
      l2cap_user sub-module so we get proper notification when the underlying
      connection goes away.
      
      The helpers are not yet used but only added in this commit. The old
      session management is still used and will be removed in a following patch.
      
      The old session-management was flawed. Hotplugging is horribly broken and
      we have no way of getting notified when the underlying connection goes
      down. The whole idea of removing the HID/input sub-devices from within the
      session itself is broken and suffers from major dead-locks. We never can
      guarantee that the session can unregister itself as long as we use
      synchronous shutdowns. This can only work with asynchronous shutdowns.
      However, in this case we _must_ be able to unregister the session from the
      outside as otherwise the l2cap_conn object might be unlinked before we
      are.
      
      The new session-management is based on l2cap_user. There is only one
      way how to add a session and how to delete a session: "probe" and "remove"
      callbacks from l2cap_user.
      This guarantees that the session can be registered and unregistered at
      _any_ time without any synchronous shutdown.
      On the other hand, much work has been put into proper session-refcounting.
      We can unregister/unlink the session only if we can guarantee that it will
      stay alive. But for asynchronous shutdowns we never know when the last
      user goes away so we must use proper ref-counting.
      
      The old ->conn field has been renamed to ->hconn so we can reuse ->conn in
      the new session management. No other existing HIDP code is modified.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      b4f34d8d
    • D
      Bluetooth: l2cap: add l2cap_user sub-modules · 2c8e1411
      David Herrmann 提交于
      Several sub-modules like HIDP, rfcomm, ... need to track l2cap
      connections. The l2cap_conn->hcon->dev object is used as parent for sysfs
      devices so the sub-modules need to be notified when the hci_conn object is
      removed from sysfs.
      
      As submodules normally use the l2cap layer, the l2cap_user objects are
      registered there instead of on the underlying hci_conn object. This avoids
      any direct dependency on the HCI layer and lets the l2cap core handle any
      specifics.
      
      This patch introduces l2cap_user objects which contain a "probe" and
      "remove" callback. You can register them on any l2cap_conn object and if
      it is active, the "probe" callback will get called. Otherwise, an error is
      returned.
      
      The l2cap_conn object will call your "remove" callback directly before it
      is removed from user-space. This allows you to remove your submodules
      _before_ the parent l2cap_conn and hci_conn object is removed.
      
      At any time you can asynchronously unregister your l2cap_user object if
      your submodule vanishes before the l2cap_conn object does.
      
      There is no way around l2cap_user. If we want wire-protocols in the
      kernel, we always want the hci_conn object as parent in the sysfs tree. We
      cannot use a channel here since we might need multiple channels for a
      single protocol.
      But the problem is, we _must_ get notified when an l2cap_conn object is
      removed. We cannot use reference-counting for object-removal! This is not
      how it works. If a hardware is removed, we should immediately remove the
      object from sysfs. Any other behavior would be inconsistent with the rest
      of the system. Also note that device_del() might sleep, but it doesn't
      wait for user-space or block very long. It only _unlinks_ the object from
      sysfs and the whole device-tree. Everything else is handled by ref-counts!
      This is exactly what the other sub-modules must do: unlink their devices
      when the "remove" l2cap_user callback is called. They should not do any
      cleanup or synchronous shutdowns.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      2c8e1411
    • D
      Bluetooth: l2cap: introduce l2cap_conn ref-counting · 9c903e37
      David Herrmann 提交于
      If we want to use l2cap_conn outside of l2cap_core.c, we need refcounting
      for these objects. Otherwise, we cannot synchronize l2cap locks with
      outside locks and end up with deadlocks.
      
      Hence, introduce ref-counting for l2cap_conn objects. This doesn't affect
      l2cap internals at all, as they use a direct synchronization.
      We also keep a reference to the parent hci_conn for locking purposes as
      l2cap_conn depends on this. This doesn't affect the connection itself but
      only the lifetime of the (dead) object.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      9c903e37
    • D
      Bluetooth: hidp: move hidp_schedule() to core.c · 3764eaa9
      David Herrmann 提交于
      There is no reason to keep this helper in the header file. No other file
      depends on it so move it into hidp/core.c where it belongs.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      3764eaa9
    • D
      Bluetooth: hidp: test "terminate" before sleeping · e3492dc3
      David Herrmann 提交于
      The "terminate" flag is guaranteed to be set before the session terminates
      and the handlers are woken up. Hence, we need to add it to the
      sleep-condition.
      
      Note that testing the flags is not enough as nothing prevents us from
      setting the flags again after the session-handler terminated.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      e3492dc3
    • D
      Bluetooth: hidp: remove unused session->state field · dcc07647
      David Herrmann 提交于
      This field is always BT_CONNECTED. Remove it and set it to BT_CONNECTED in
      hidp_copy_session() unconditionally.
      
      Also note that this field is totally bogus. Userspace can query an
      hidp-session for its state. However, whenever user-space queries us, this
      field should be BT_CONNECTED. If it wasn't BT_CONNECTED, then we would be
      currently cleaning up the session and the session itself would exit in the
      next few milliseconds. Hence, there is no reason to let user-space know
      that the session will exit now if they cannot make _any_ use of that.
      
      Thus, remove the field and let user-space think that a session is always
      BT_CONNECTED as long as they can query it.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      dcc07647
    • D
      Bluetooth: introduce hci_conn ref-counting · 8d12356f
      David Herrmann 提交于
      We currently do not allow using hci_conn from outside of HCI-core.
      However, several other users could make great use of it. This includes
      HIDP, rfcomm and all other sub-protocols that rely on an active
      connection.
      
      Hence, we now introduce hci_conn ref-counting. We currently never call
      get_device(). put_device() is exclusively used in hci_conn_del_sysfs().
      Hence, we currently never have a greater device-refcnt than 1.
      Therefore, it is safe to move the put_device() call from
      hci_conn_del_sysfs() to hci_conn_del() (it's the only caller). In fact,
      this even fixes a "use-after-free" bug as we access hci_conn after calling
      hci_conn_del_sysfs() in hci_conn_del().
      
      From now on we can add references to hci_conn objects in other layers
      (like l2cap_sock, HIDP, rfcomm, ...) and grab a reference via
      hci_conn_get(). This does _not_ guarantee, that the connection is still
      alive. But, this isn't what we want. We can simply lock the hci_conn
      device and use "device_is_registered(hci_conn->dev)" to test that.
      However, this is hardly necessary as outside users should never rely on
      the HCI connection to be alive, anyway. Instead, they should solely rely
      on the device-object to be available.
      But if sub-devices want the hci_conn object as sysfs parent, they need to
      be notified when the connection drops. This will be introduced in later
      patches with l2cap_users.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      8d12356f
    • D
      Bluetooth: remove unneeded hci_conn_hold/put_device() · fc225c3f
      David Herrmann 提交于
      hci_conn_hold/put_device() is used to control when hci_conn->dev is no
      longer needed and can be deleted from the system. Lets first look how they
      are currently used throughout the code (excluding HIDP!).
      
      All code that uses hci_conn_hold_device() looks like this:
          ...
          hci_conn_hold_device();
          hci_conn_add_sysfs();
          ...
      On the other side, hci_conn_put_device() is exclusively used in
      hci_conn_del().
      
      So, considering that hci_conn_del() must not be called twice (which would
      fail horribly), we know that hci_conn_put_device() is only called _once_
      (which is in hci_conn_del()).
      On the other hand, hci_conn_add_sysfs() must not be called twice, either
      (it would call device_add twice, which breaks the device, see
      drivers/base/core.c). So we know that hci_conn_hold_device() is also
      called only once (it's only called directly before hci_conn_add_sysfs()).
      
      So hold and put are known to be called only once. That means we can safely
      remove them and directly call hci_conn_del_sysfs() in hci_conn_del().
      
      But there is one issue left: HIDP also uses hci_conn_hold/put_device().
      However, this case can be ignored and simply removed as it is totally
      broken. The issue is, the only thing HIDP delays with
      hci_conn_hold_device() is the removal of the hci_conn->dev from sysfs.
      But, the hci_conn device has no mechanism to get notified when its own
      parent (hci_dev) gets removed from sysfs. hci_dev_hold/put() does _not_
      control when it is removed but only when the device object is created
      and destroyed.
      And hci_dev calls hci_conn_flush_*() when it removes itself from sysfs,
      which itself causes hci_conn_del() to be called, but it does _not_ cause
      hci_conn_del_sysfs() to be called, which is wrong.
      
      Hence, we fix it to call hci_conn_del_sysfs() in hci_conn_del(). This
      guarantees that a hci_conn object is removed from sysfs _before_ its
      parent hci_dev is removed.
      
      The changes to HIDP look scary, wrong and broken. However, if you look at
      the HIDP session management, you will notice they're already broken in the
      exact _same_ way (ever tried "unplugging" HIDP devices? Breaks _all_ the
      time).
      So this patch only makes HIDP look _scary_ and _obviously broken_. It does
      not break HIDP itself, it already is!
      
      See later patches in this series which fix HIDP to use proper
      session-management.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      fc225c3f
  8. 12 4月, 2013 3 次提交