1. 18 4月, 2013 5 次提交
  2. 17 4月, 2013 5 次提交
    • D
      Bluetooth: l2cap: add l2cap_user sub-modules · 2c8e1411
      David Herrmann 提交于
      Several sub-modules like HIDP, rfcomm, ... need to track l2cap
      connections. The l2cap_conn->hcon->dev object is used as parent for sysfs
      devices so the sub-modules need to be notified when the hci_conn object is
      removed from sysfs.
      
      As submodules normally use the l2cap layer, the l2cap_user objects are
      registered there instead of on the underlying hci_conn object. This avoids
      any direct dependency on the HCI layer and lets the l2cap core handle any
      specifics.
      
      This patch introduces l2cap_user objects which contain a "probe" and
      "remove" callback. You can register them on any l2cap_conn object and if
      it is active, the "probe" callback will get called. Otherwise, an error is
      returned.
      
      The l2cap_conn object will call your "remove" callback directly before it
      is removed from user-space. This allows you to remove your submodules
      _before_ the parent l2cap_conn and hci_conn object is removed.
      
      At any time you can asynchronously unregister your l2cap_user object if
      your submodule vanishes before the l2cap_conn object does.
      
      There is no way around l2cap_user. If we want wire-protocols in the
      kernel, we always want the hci_conn object as parent in the sysfs tree. We
      cannot use a channel here since we might need multiple channels for a
      single protocol.
      But the problem is, we _must_ get notified when an l2cap_conn object is
      removed. We cannot use reference-counting for object-removal! This is not
      how it works. If a hardware is removed, we should immediately remove the
      object from sysfs. Any other behavior would be inconsistent with the rest
      of the system. Also note that device_del() might sleep, but it doesn't
      wait for user-space or block very long. It only _unlinks_ the object from
      sysfs and the whole device-tree. Everything else is handled by ref-counts!
      This is exactly what the other sub-modules must do: unlink their devices
      when the "remove" l2cap_user callback is called. They should not do any
      cleanup or synchronous shutdowns.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      2c8e1411
    • D
      Bluetooth: l2cap: introduce l2cap_conn ref-counting · 9c903e37
      David Herrmann 提交于
      If we want to use l2cap_conn outside of l2cap_core.c, we need refcounting
      for these objects. Otherwise, we cannot synchronize l2cap locks with
      outside locks and end up with deadlocks.
      
      Hence, introduce ref-counting for l2cap_conn objects. This doesn't affect
      l2cap internals at all, as they use a direct synchronization.
      We also keep a reference to the parent hci_conn for locking purposes as
      l2cap_conn depends on this. This doesn't affect the connection itself but
      only the lifetime of the (dead) object.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      9c903e37
    • D
      Bluetooth: allow constant arguments for bacmp()/bacpy() · f53c20e9
      David Herrmann 提交于
      There is no reason to require the source arguments to be writeable so fix
      this to allow constant source addresses.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      f53c20e9
    • D
      Bluetooth: introduce hci_conn ref-counting · 8d12356f
      David Herrmann 提交于
      We currently do not allow using hci_conn from outside of HCI-core.
      However, several other users could make great use of it. This includes
      HIDP, rfcomm and all other sub-protocols that rely on an active
      connection.
      
      Hence, we now introduce hci_conn ref-counting. We currently never call
      get_device(). put_device() is exclusively used in hci_conn_del_sysfs().
      Hence, we currently never have a greater device-refcnt than 1.
      Therefore, it is safe to move the put_device() call from
      hci_conn_del_sysfs() to hci_conn_del() (it's the only caller). In fact,
      this even fixes a "use-after-free" bug as we access hci_conn after calling
      hci_conn_del_sysfs() in hci_conn_del().
      
      From now on we can add references to hci_conn objects in other layers
      (like l2cap_sock, HIDP, rfcomm, ...) and grab a reference via
      hci_conn_get(). This does _not_ guarantee, that the connection is still
      alive. But, this isn't what we want. We can simply lock the hci_conn
      device and use "device_is_registered(hci_conn->dev)" to test that.
      However, this is hardly necessary as outside users should never rely on
      the HCI connection to be alive, anyway. Instead, they should solely rely
      on the device-object to be available.
      But if sub-devices want the hci_conn object as sysfs parent, they need to
      be notified when the connection drops. This will be introduced in later
      patches with l2cap_users.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      8d12356f
    • D
      Bluetooth: remove unneeded hci_conn_hold/put_device() · fc225c3f
      David Herrmann 提交于
      hci_conn_hold/put_device() is used to control when hci_conn->dev is no
      longer needed and can be deleted from the system. Lets first look how they
      are currently used throughout the code (excluding HIDP!).
      
      All code that uses hci_conn_hold_device() looks like this:
          ...
          hci_conn_hold_device();
          hci_conn_add_sysfs();
          ...
      On the other side, hci_conn_put_device() is exclusively used in
      hci_conn_del().
      
      So, considering that hci_conn_del() must not be called twice (which would
      fail horribly), we know that hci_conn_put_device() is only called _once_
      (which is in hci_conn_del()).
      On the other hand, hci_conn_add_sysfs() must not be called twice, either
      (it would call device_add twice, which breaks the device, see
      drivers/base/core.c). So we know that hci_conn_hold_device() is also
      called only once (it's only called directly before hci_conn_add_sysfs()).
      
      So hold and put are known to be called only once. That means we can safely
      remove them and directly call hci_conn_del_sysfs() in hci_conn_del().
      
      But there is one issue left: HIDP also uses hci_conn_hold/put_device().
      However, this case can be ignored and simply removed as it is totally
      broken. The issue is, the only thing HIDP delays with
      hci_conn_hold_device() is the removal of the hci_conn->dev from sysfs.
      But, the hci_conn device has no mechanism to get notified when its own
      parent (hci_dev) gets removed from sysfs. hci_dev_hold/put() does _not_
      control when it is removed but only when the device object is created
      and destroyed.
      And hci_dev calls hci_conn_flush_*() when it removes itself from sysfs,
      which itself causes hci_conn_del() to be called, but it does _not_ cause
      hci_conn_del_sysfs() to be called, which is wrong.
      
      Hence, we fix it to call hci_conn_del_sysfs() in hci_conn_del(). This
      guarantees that a hci_conn object is removed from sysfs _before_ its
      parent hci_dev is removed.
      
      The changes to HIDP look scary, wrong and broken. However, if you look at
      the HIDP session management, you will notice they're already broken in the
      exact _same_ way (ever tried "unplugging" HIDP devices? Breaks _all_ the
      time).
      So this patch only makes HIDP look _scary_ and _obviously broken_. It does
      not break HIDP itself, it already is!
      
      See later patches in this series which fix HIDP to use proper
      session-management.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      fc225c3f
  3. 12 4月, 2013 1 次提交
    • D
      Bluetooth: rename hci_conn_put to hci_conn_drop · 76a68ba0
      David Herrmann 提交于
      We use _get() and _put() for device ref-counting in the kernel. However,
      hci_conn_put() is _not_ used for ref-counting, hence, rename it to
      hci_conn_drop() so we can later fix ref-counting and introduce
      hci_conn_put().
      
      hci_conn_hold() and hci_conn_put() are currently used to manage how long a
      connection should be held alive. When the last user drops the connection,
      we spawn a delayed work that performs the disconnect. Obviously, this has
      nothing to do with ref-counting for the _object_ but rather for the
      keep-alive of the connection.
      
      But we really _need_ proper ref-counting for the _object_ to allow
      connection-users like rfcomm-tty, HIDP or others.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      76a68ba0
  4. 06 4月, 2013 1 次提交
  5. 05 4月, 2013 6 次提交
  6. 04 4月, 2013 1 次提交
  7. 19 3月, 2013 9 次提交
  8. 11 3月, 2013 1 次提交
  9. 10 3月, 2013 2 次提交
  10. 08 3月, 2013 9 次提交
    • J
      Bluetooth: Remove unused hdev->init_last_cmd · cecbb967
      Johan Hedberg 提交于
      This variable is no longer needed (due to async HCI request support and
      the conversion of hci_req_sync to use it), so it can be safely removed.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      cecbb967
    • J
      Bluetooth: Use async requests internally in hci_req_sync · 42c6b129
      Johan Hedberg 提交于
      This patch converts the hci_req_sync() procedure to internaly use the
      asynchronous HCI requests.
      
      The hci_req_sync mechanism relies on hci_req_complete() calls from
      hci_event.c into hci_core.c whenever a HCI command completes. This is
      very similar to what asynchronous requests do and makes the conversion
      fairly straight forward by converting hci_req_complete into a request
      complete callback. By this change hci_req_complete (renamed to
      hci_req_sync_complete) becomes private to hci_core.c and all calls to it
      can be removed from hci_event.c.
      
      The commands in each hci_req_sync procedure are collected into their own
      request by passing the hci_request pointer to the request callback
      (instead of the hci_dev pointer). The one slight exception is the HCI
      init request which has the special handling of HCI driver specific
      initialization commands. These commands are run in their own request
      prior to the "main" init request.
      
      One other extra change that this patch must contain is the handling of
      spontaneous HCI reset complete events that some controllers exhibit.
      These were previously handled in the hci_req_complete function but the
      right place for them now becomes the hci_req_cmd_complete function.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      42c6b129
    • J
      Bluetooth: Add request cmd_complete and cmd_status functions · 9238f36a
      Johan Hedberg 提交于
      This patch introduces functions to process the HCI request state when
      receiving HCI Command Status or Command Complete events. Some HCI
      commands, like Inquiry do not result in a Command complete event so
      special handling is needed for them. Inquiry is a particularly important
      one since it is the only forseeable "non-cmd_complete" command that will
      make good use of the request functionality, and its completion is either
      indicated by an Inquiry Complete event of a successful Command Complete
      for HCI_Inquiry_Cancel.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      9238f36a
    • J
      Bluetooth: Introduce new hci_req_add function · 71c76a17
      Johan Hedberg 提交于
      This function is analogous to hci_send_cmd() but instead of directly
      queuing the command to hdev->cmd_q it adds it to the local queue of the
      asynchronous HCI request being build (inside struct hci_request).
      
      This is the main function used for building asynchronous requests and
      there should be one or more calls to it between calls to hci_req_init
      and hci_req_run.
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      71c76a17
    • J
      Bluetooth: Add initial skeleton for asynchronous HCI requests · 3119ae95
      Johan Hedberg 提交于
      This patch adds the initial definitions and functions for asynchronous
      HCI requests. Asynchronous requests are essentially a group of HCI
      commands together with an optional completion callback. The request is
      tracked through the already existing command queue by having the
      necessary context information as part of the control buffer of each skb.
      
      The only information needed in the skb control buffer is a flag for
      indicating that the skb is the start of a request as well as the
      optional complete callback that should be used when the request is
      complete (this will be found in the last skb of the request).
      Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      3119ae95
    • D
      Bluetooth: Remove RFCOMM session refcnt · 08c30aca
      Dean Jenkins 提交于
      Previous commits have improved the handling of the RFCOMM session
      timer and the RFCOMM session pointers such that freed RFCOMM
      session structures should no longer be erroneously accessed. The
      RFCOMM session refcnt now has no purpose and will be deleted by
      this commit.
      
      Note that the RFCOMM session is now deleted as soon as the
      RFCOMM control channel link is no longer required. This makes the
      lifetime of the RFCOMM session deterministic and absolute.
      Previously with the refcnt, there was uncertainty about when
      the session structure would be deleted because the relative
      refcnt prevented the session structure from being deleted at will.
      
      It was noted that the refcnt could malfunction under very heavy
      real-time processor loading in embedded SMP environments. This
      could cause premature RFCOMM session deletion or double session
      deletion that could result in kernel crashes. Removal of the
      refcnt prevents this issue.
      
      There are 4 connection / disconnection RFCOMM session scenarios:
      host initiated control link ---> host disconnected control link
      host initiated ctrl link ---> remote device disconnected ctrl link
      remote device initiated ctrl link ---> host disconnected ctrl link
      remote device initiated ctrl link ---> remote device disc'ed ctrl link
      
      The control channel connection procedures are independent of the
      disconnection procedures. Strangely, the RFCOMM session refcnt was
      applying special treatment so erroneously combining connection and
      disconnection events. This commit fixes this issue by removing
      some session code that used the "initiator" member of the session
      structure that was intended for use with the data channels.
      Signed-off-by: NDean Jenkins <Dean_Jenkins@mentor.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      08c30aca
    • D
      Bluetooth: Return RFCOMM session ptrs to avoid freed session · 8ff52f7d
      Dean Jenkins 提交于
      Unfortunately, the design retains local copies of the s RFCOMM
      session pointer in various code blocks and this invites the erroneous
      access to a freed RFCOMM session structure.
      
      Therefore, return the RFCOMM session pointer back up the call stack
      to avoid accessing a freed RFCOMM session structure. When the RFCOMM
      session is deleted, NULL is passed up the call stack.
      
      If active DLCs exist when the rfcomm session is terminating,
      avoid a memory leak of rfcomm_dlc structures by ensuring that
      rfcomm_session_close() is used instead of rfcomm_session_del().
      Signed-off-by: NDean Jenkins <Dean_Jenkins@mentor.com>
      Acked-by: NMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      8ff52f7d
    • D
      Bluetooth: change bt_sock_unregister() to return void · be9f97f0
      David Herrmann 提交于
      There is no reason a caller ever wants to check the return type of this
      call. _Iff_ a user successfully called bt_sock_register(), they're allowed
      to call bt_sock_unregister().
      All other calls in the kernel (device_del, device_unregister, kfree(), ..)
      that are logically equivalent return void. Lets not make callers think
      they have to check the return type of this call and instead simply return
      void.
      
      We guarantee that after bt_sock_unregister() is called, the socket type
      _is_ unregistered. If that is not what the caller wants, they're using the
      wrong function, anyway.
      Signed-off-by: NDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      be9f97f0
    • A
      Bluetooth: Rename hci_acl_disconn · bed71748
      Andre Guedes 提交于
      As hci_acl_disconn function basically sends the HCI Disconnect Command
      and it is used to disconnect ACL, SCO and LE links, renaming it to
      hci_disconnect is more suitable.
      Signed-off-by: NAndre Guedes <andre.guedes@openbossa.org>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      bed71748