xref: /linux/net/bluetooth/hidp/core.c (revision c4ee0af3fa0dc65f690fc908f02b8355f9576ea0)
1 /*
2    HIDP implementation for Linux Bluetooth stack (BlueZ).
3    Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
4    Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
5 
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License version 2 as
8    published by the Free Software Foundation;
9 
10    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
11    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
13    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
14    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
15    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 
19    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
20    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
21    SOFTWARE IS DISCLAIMED.
22 */
23 
24 #include <linux/kref.h>
25 #include <linux/module.h>
26 #include <linux/file.h>
27 #include <linux/kthread.h>
28 #include <linux/hidraw.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 
34 #include "hidp.h"
35 
36 #define VERSION "1.2"
37 
38 static DECLARE_RWSEM(hidp_session_sem);
39 static LIST_HEAD(hidp_session_list);
40 
41 static unsigned char hidp_keycode[256] = {
42 	  0,   0,   0,   0,  30,  48,  46,  32,  18,  33,  34,  35,  23,  36,
43 	 37,  38,  50,  49,  24,  25,  16,  19,  31,  20,  22,  47,  17,  45,
44 	 21,  44,   2,   3,   4,   5,   6,   7,   8,   9,  10,  11,  28,   1,
45 	 14,  15,  57,  12,  13,  26,  27,  43,  43,  39,  40,  41,  51,  52,
46 	 53,  58,  59,  60,  61,  62,  63,  64,  65,  66,  67,  68,  87,  88,
47 	 99,  70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103,  69,
48 	 98,  55,  74,  78,  96,  79,  80,  81,  75,  76,  77,  71,  72,  73,
49 	 82,  83,  86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
50 	191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
51 	136, 113, 115, 114,   0,   0,   0, 121,   0,  89,  93, 124,  92,  94,
52 	 95,   0,   0,   0, 122, 123,  90,  91,  85,   0,   0,   0,   0,   0,
53 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
54 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
55 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
56 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
57 	  0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
58 	 29,  42,  56, 125,  97,  54, 100, 126, 164, 166, 165, 163, 161, 115,
59 	114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
60 };
61 
62 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
63 
64 static int hidp_session_probe(struct l2cap_conn *conn,
65 			      struct l2cap_user *user);
66 static void hidp_session_remove(struct l2cap_conn *conn,
67 				struct l2cap_user *user);
68 static int hidp_session_thread(void *arg);
69 static void hidp_session_terminate(struct hidp_session *s);
70 
71 static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
72 {
73 	memset(ci, 0, sizeof(*ci));
74 	bacpy(&ci->bdaddr, &session->bdaddr);
75 
76 	ci->flags = session->flags;
77 	ci->state = BT_CONNECTED;
78 
79 	if (session->input) {
80 		ci->vendor  = session->input->id.vendor;
81 		ci->product = session->input->id.product;
82 		ci->version = session->input->id.version;
83 		if (session->input->name)
84 			strlcpy(ci->name, session->input->name, 128);
85 		else
86 			strlcpy(ci->name, "HID Boot Device", 128);
87 	} else if (session->hid) {
88 		ci->vendor  = session->hid->vendor;
89 		ci->product = session->hid->product;
90 		ci->version = session->hid->version;
91 		strlcpy(ci->name, session->hid->name, 128);
92 	}
93 }
94 
95 /* assemble skb, queue message on @transmit and wake up the session thread */
96 static int hidp_send_message(struct hidp_session *session, struct socket *sock,
97 			     struct sk_buff_head *transmit, unsigned char hdr,
98 			     const unsigned char *data, int size)
99 {
100 	struct sk_buff *skb;
101 	struct sock *sk = sock->sk;
102 
103 	BT_DBG("session %p data %p size %d", session, data, size);
104 
105 	if (atomic_read(&session->terminate))
106 		return -EIO;
107 
108 	skb = alloc_skb(size + 1, GFP_ATOMIC);
109 	if (!skb) {
110 		BT_ERR("Can't allocate memory for new frame");
111 		return -ENOMEM;
112 	}
113 
114 	*skb_put(skb, 1) = hdr;
115 	if (data && size > 0)
116 		memcpy(skb_put(skb, size), data, size);
117 
118 	skb_queue_tail(transmit, skb);
119 	wake_up_interruptible(sk_sleep(sk));
120 
121 	return 0;
122 }
123 
124 static int hidp_send_ctrl_message(struct hidp_session *session,
125 				  unsigned char hdr, const unsigned char *data,
126 				  int size)
127 {
128 	return hidp_send_message(session, session->ctrl_sock,
129 				 &session->ctrl_transmit, hdr, data, size);
130 }
131 
132 static int hidp_send_intr_message(struct hidp_session *session,
133 				  unsigned char hdr, const unsigned char *data,
134 				  int size)
135 {
136 	return hidp_send_message(session, session->intr_sock,
137 				 &session->intr_transmit, hdr, data, size);
138 }
139 
140 static int hidp_input_event(struct input_dev *dev, unsigned int type,
141 			    unsigned int code, int value)
142 {
143 	struct hidp_session *session = input_get_drvdata(dev);
144 	unsigned char newleds;
145 	unsigned char hdr, data[2];
146 
147 	BT_DBG("session %p type %d code %d value %d",
148 	       session, type, code, value);
149 
150 	if (type != EV_LED)
151 		return -1;
152 
153 	newleds = (!!test_bit(LED_KANA,    dev->led) << 3) |
154 		  (!!test_bit(LED_COMPOSE, dev->led) << 3) |
155 		  (!!test_bit(LED_SCROLLL, dev->led) << 2) |
156 		  (!!test_bit(LED_CAPSL,   dev->led) << 1) |
157 		  (!!test_bit(LED_NUML,    dev->led));
158 
159 	if (session->leds == newleds)
160 		return 0;
161 
162 	session->leds = newleds;
163 
164 	hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
165 	data[0] = 0x01;
166 	data[1] = newleds;
167 
168 	return hidp_send_intr_message(session, hdr, data, 2);
169 }
170 
171 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
172 {
173 	struct input_dev *dev = session->input;
174 	unsigned char *keys = session->keys;
175 	unsigned char *udata = skb->data + 1;
176 	signed char *sdata = skb->data + 1;
177 	int i, size = skb->len - 1;
178 
179 	switch (skb->data[0]) {
180 	case 0x01:	/* Keyboard report */
181 		for (i = 0; i < 8; i++)
182 			input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
183 
184 		/* If all the key codes have been set to 0x01, it means
185 		 * too many keys were pressed at the same time. */
186 		if (!memcmp(udata + 2, hidp_mkeyspat, 6))
187 			break;
188 
189 		for (i = 2; i < 8; i++) {
190 			if (keys[i] > 3 && memscan(udata + 2, keys[i], 6) == udata + 8) {
191 				if (hidp_keycode[keys[i]])
192 					input_report_key(dev, hidp_keycode[keys[i]], 0);
193 				else
194 					BT_ERR("Unknown key (scancode %#x) released.", keys[i]);
195 			}
196 
197 			if (udata[i] > 3 && memscan(keys + 2, udata[i], 6) == keys + 8) {
198 				if (hidp_keycode[udata[i]])
199 					input_report_key(dev, hidp_keycode[udata[i]], 1);
200 				else
201 					BT_ERR("Unknown key (scancode %#x) pressed.", udata[i]);
202 			}
203 		}
204 
205 		memcpy(keys, udata, 8);
206 		break;
207 
208 	case 0x02:	/* Mouse report */
209 		input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
210 		input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
211 		input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
212 		input_report_key(dev, BTN_SIDE,   sdata[0] & 0x08);
213 		input_report_key(dev, BTN_EXTRA,  sdata[0] & 0x10);
214 
215 		input_report_rel(dev, REL_X, sdata[1]);
216 		input_report_rel(dev, REL_Y, sdata[2]);
217 
218 		if (size > 3)
219 			input_report_rel(dev, REL_WHEEL, sdata[3]);
220 		break;
221 	}
222 
223 	input_sync(dev);
224 }
225 
226 static int hidp_send_report(struct hidp_session *session, struct hid_report *report)
227 {
228 	unsigned char hdr;
229 	u8 *buf;
230 	int rsize, ret;
231 
232 	buf = hid_alloc_report_buf(report, GFP_ATOMIC);
233 	if (!buf)
234 		return -EIO;
235 
236 	hid_output_report(report, buf);
237 	hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
238 
239 	rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0);
240 	ret = hidp_send_intr_message(session, hdr, buf, rsize);
241 
242 	kfree(buf);
243 	return ret;
244 }
245 
246 static int hidp_hidinput_event(struct input_dev *dev, unsigned int type,
247 			       unsigned int code, int value)
248 {
249 	struct hid_device *hid = input_get_drvdata(dev);
250 	struct hidp_session *session = hid->driver_data;
251 	struct hid_field *field;
252 	int offset;
253 
254 	BT_DBG("session %p type %d code %d value %d",
255 	       session, type, code, value);
256 
257 	if (type != EV_LED)
258 		return -1;
259 
260 	offset = hidinput_find_field(hid, type, code, &field);
261 	if (offset == -1) {
262 		hid_warn(dev, "event field not found\n");
263 		return -1;
264 	}
265 
266 	hid_set_field(field, offset, value);
267 
268 	return hidp_send_report(session, field->report);
269 }
270 
271 static int hidp_get_raw_report(struct hid_device *hid,
272 		unsigned char report_number,
273 		unsigned char *data, size_t count,
274 		unsigned char report_type)
275 {
276 	struct hidp_session *session = hid->driver_data;
277 	struct sk_buff *skb;
278 	size_t len;
279 	int numbered_reports = hid->report_enum[report_type].numbered;
280 	int ret;
281 
282 	if (atomic_read(&session->terminate))
283 		return -EIO;
284 
285 	switch (report_type) {
286 	case HID_FEATURE_REPORT:
287 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
288 		break;
289 	case HID_INPUT_REPORT:
290 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
291 		break;
292 	case HID_OUTPUT_REPORT:
293 		report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
294 		break;
295 	default:
296 		return -EINVAL;
297 	}
298 
299 	if (mutex_lock_interruptible(&session->report_mutex))
300 		return -ERESTARTSYS;
301 
302 	/* Set up our wait, and send the report request to the device. */
303 	session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
304 	session->waiting_report_number = numbered_reports ? report_number : -1;
305 	set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
306 	data[0] = report_number;
307 	ret = hidp_send_ctrl_message(session, report_type, data, 1);
308 	if (ret)
309 		goto err;
310 
311 	/* Wait for the return of the report. The returned report
312 	   gets put in session->report_return.  */
313 	while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
314 	       !atomic_read(&session->terminate)) {
315 		int res;
316 
317 		res = wait_event_interruptible_timeout(session->report_queue,
318 			!test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
319 				|| atomic_read(&session->terminate),
320 			5*HZ);
321 		if (res == 0) {
322 			/* timeout */
323 			ret = -EIO;
324 			goto err;
325 		}
326 		if (res < 0) {
327 			/* signal */
328 			ret = -ERESTARTSYS;
329 			goto err;
330 		}
331 	}
332 
333 	skb = session->report_return;
334 	if (skb) {
335 		len = skb->len < count ? skb->len : count;
336 		memcpy(data, skb->data, len);
337 
338 		kfree_skb(skb);
339 		session->report_return = NULL;
340 	} else {
341 		/* Device returned a HANDSHAKE, indicating  protocol error. */
342 		len = -EIO;
343 	}
344 
345 	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
346 	mutex_unlock(&session->report_mutex);
347 
348 	return len;
349 
350 err:
351 	clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
352 	mutex_unlock(&session->report_mutex);
353 	return ret;
354 }
355 
356 static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count,
357 		unsigned char report_type)
358 {
359 	struct hidp_session *session = hid->driver_data;
360 	int ret;
361 
362 	if (report_type == HID_OUTPUT_REPORT) {
363 		report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
364 		return hidp_send_intr_message(session, report_type,
365 					      data, count);
366 	} else if (report_type != HID_FEATURE_REPORT) {
367 		return -EINVAL;
368 	}
369 
370 	if (mutex_lock_interruptible(&session->report_mutex))
371 		return -ERESTARTSYS;
372 
373 	/* Set up our wait, and send the report request to the device. */
374 	set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
375 	report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
376 	ret = hidp_send_ctrl_message(session, report_type, data, count);
377 	if (ret)
378 		goto err;
379 
380 	/* Wait for the ACK from the device. */
381 	while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
382 	       !atomic_read(&session->terminate)) {
383 		int res;
384 
385 		res = wait_event_interruptible_timeout(session->report_queue,
386 			!test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
387 				|| atomic_read(&session->terminate),
388 			10*HZ);
389 		if (res == 0) {
390 			/* timeout */
391 			ret = -EIO;
392 			goto err;
393 		}
394 		if (res < 0) {
395 			/* signal */
396 			ret = -ERESTARTSYS;
397 			goto err;
398 		}
399 	}
400 
401 	if (!session->output_report_success) {
402 		ret = -EIO;
403 		goto err;
404 	}
405 
406 	ret = count;
407 
408 err:
409 	clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
410 	mutex_unlock(&session->report_mutex);
411 	return ret;
412 }
413 
414 static void hidp_idle_timeout(unsigned long arg)
415 {
416 	struct hidp_session *session = (struct hidp_session *) arg;
417 
418 	hidp_session_terminate(session);
419 }
420 
421 static void hidp_set_timer(struct hidp_session *session)
422 {
423 	if (session->idle_to > 0)
424 		mod_timer(&session->timer, jiffies + HZ * session->idle_to);
425 }
426 
427 static void hidp_del_timer(struct hidp_session *session)
428 {
429 	if (session->idle_to > 0)
430 		del_timer(&session->timer);
431 }
432 
433 static void hidp_process_handshake(struct hidp_session *session,
434 					unsigned char param)
435 {
436 	BT_DBG("session %p param 0x%02x", session, param);
437 	session->output_report_success = 0; /* default condition */
438 
439 	switch (param) {
440 	case HIDP_HSHK_SUCCESSFUL:
441 		/* FIXME: Call into SET_ GET_ handlers here */
442 		session->output_report_success = 1;
443 		break;
444 
445 	case HIDP_HSHK_NOT_READY:
446 	case HIDP_HSHK_ERR_INVALID_REPORT_ID:
447 	case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
448 	case HIDP_HSHK_ERR_INVALID_PARAMETER:
449 		if (test_and_clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags))
450 			wake_up_interruptible(&session->report_queue);
451 
452 		/* FIXME: Call into SET_ GET_ handlers here */
453 		break;
454 
455 	case HIDP_HSHK_ERR_UNKNOWN:
456 		break;
457 
458 	case HIDP_HSHK_ERR_FATAL:
459 		/* Device requests a reboot, as this is the only way this error
460 		 * can be recovered. */
461 		hidp_send_ctrl_message(session,
462 			HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
463 		break;
464 
465 	default:
466 		hidp_send_ctrl_message(session,
467 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
468 		break;
469 	}
470 
471 	/* Wake up the waiting thread. */
472 	if (test_and_clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags))
473 		wake_up_interruptible(&session->report_queue);
474 }
475 
476 static void hidp_process_hid_control(struct hidp_session *session,
477 					unsigned char param)
478 {
479 	BT_DBG("session %p param 0x%02x", session, param);
480 
481 	if (param == HIDP_CTRL_VIRTUAL_CABLE_UNPLUG) {
482 		/* Flush the transmit queues */
483 		skb_queue_purge(&session->ctrl_transmit);
484 		skb_queue_purge(&session->intr_transmit);
485 
486 		hidp_session_terminate(session);
487 	}
488 }
489 
490 /* Returns true if the passed-in skb should be freed by the caller. */
491 static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
492 				unsigned char param)
493 {
494 	int done_with_skb = 1;
495 	BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
496 
497 	switch (param) {
498 	case HIDP_DATA_RTYPE_INPUT:
499 		hidp_set_timer(session);
500 
501 		if (session->input)
502 			hidp_input_report(session, skb);
503 
504 		if (session->hid)
505 			hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0);
506 		break;
507 
508 	case HIDP_DATA_RTYPE_OTHER:
509 	case HIDP_DATA_RTYPE_OUPUT:
510 	case HIDP_DATA_RTYPE_FEATURE:
511 		break;
512 
513 	default:
514 		hidp_send_ctrl_message(session,
515 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
516 	}
517 
518 	if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
519 				param == session->waiting_report_type) {
520 		if (session->waiting_report_number < 0 ||
521 		    session->waiting_report_number == skb->data[0]) {
522 			/* hidp_get_raw_report() is waiting on this report. */
523 			session->report_return = skb;
524 			done_with_skb = 0;
525 			clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
526 			wake_up_interruptible(&session->report_queue);
527 		}
528 	}
529 
530 	return done_with_skb;
531 }
532 
533 static void hidp_recv_ctrl_frame(struct hidp_session *session,
534 					struct sk_buff *skb)
535 {
536 	unsigned char hdr, type, param;
537 	int free_skb = 1;
538 
539 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
540 
541 	hdr = skb->data[0];
542 	skb_pull(skb, 1);
543 
544 	type = hdr & HIDP_HEADER_TRANS_MASK;
545 	param = hdr & HIDP_HEADER_PARAM_MASK;
546 
547 	switch (type) {
548 	case HIDP_TRANS_HANDSHAKE:
549 		hidp_process_handshake(session, param);
550 		break;
551 
552 	case HIDP_TRANS_HID_CONTROL:
553 		hidp_process_hid_control(session, param);
554 		break;
555 
556 	case HIDP_TRANS_DATA:
557 		free_skb = hidp_process_data(session, skb, param);
558 		break;
559 
560 	default:
561 		hidp_send_ctrl_message(session,
562 			HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
563 		break;
564 	}
565 
566 	if (free_skb)
567 		kfree_skb(skb);
568 }
569 
570 static void hidp_recv_intr_frame(struct hidp_session *session,
571 				struct sk_buff *skb)
572 {
573 	unsigned char hdr;
574 
575 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
576 
577 	hdr = skb->data[0];
578 	skb_pull(skb, 1);
579 
580 	if (hdr == (HIDP_TRANS_DATA | HIDP_DATA_RTYPE_INPUT)) {
581 		hidp_set_timer(session);
582 
583 		if (session->input)
584 			hidp_input_report(session, skb);
585 
586 		if (session->hid) {
587 			hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1);
588 			BT_DBG("report len %d", skb->len);
589 		}
590 	} else {
591 		BT_DBG("Unsupported protocol header 0x%02x", hdr);
592 	}
593 
594 	kfree_skb(skb);
595 }
596 
597 static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
598 {
599 	struct kvec iv = { data, len };
600 	struct msghdr msg;
601 
602 	BT_DBG("sock %p data %p len %d", sock, data, len);
603 
604 	if (!len)
605 		return 0;
606 
607 	memset(&msg, 0, sizeof(msg));
608 
609 	return kernel_sendmsg(sock, &msg, &iv, 1, len);
610 }
611 
612 /* dequeue message from @transmit and send via @sock */
613 static void hidp_process_transmit(struct hidp_session *session,
614 				  struct sk_buff_head *transmit,
615 				  struct socket *sock)
616 {
617 	struct sk_buff *skb;
618 	int ret;
619 
620 	BT_DBG("session %p", session);
621 
622 	while ((skb = skb_dequeue(transmit))) {
623 		ret = hidp_send_frame(sock, skb->data, skb->len);
624 		if (ret == -EAGAIN) {
625 			skb_queue_head(transmit, skb);
626 			break;
627 		} else if (ret < 0) {
628 			hidp_session_terminate(session);
629 			kfree_skb(skb);
630 			break;
631 		}
632 
633 		hidp_set_timer(session);
634 		kfree_skb(skb);
635 	}
636 }
637 
638 static int hidp_setup_input(struct hidp_session *session,
639 				struct hidp_connadd_req *req)
640 {
641 	struct input_dev *input;
642 	int i;
643 
644 	input = input_allocate_device();
645 	if (!input)
646 		return -ENOMEM;
647 
648 	session->input = input;
649 
650 	input_set_drvdata(input, session);
651 
652 	input->name = "Bluetooth HID Boot Protocol Device";
653 
654 	input->id.bustype = BUS_BLUETOOTH;
655 	input->id.vendor  = req->vendor;
656 	input->id.product = req->product;
657 	input->id.version = req->version;
658 
659 	if (req->subclass & 0x40) {
660 		set_bit(EV_KEY, input->evbit);
661 		set_bit(EV_LED, input->evbit);
662 		set_bit(EV_REP, input->evbit);
663 
664 		set_bit(LED_NUML,    input->ledbit);
665 		set_bit(LED_CAPSL,   input->ledbit);
666 		set_bit(LED_SCROLLL, input->ledbit);
667 		set_bit(LED_COMPOSE, input->ledbit);
668 		set_bit(LED_KANA,    input->ledbit);
669 
670 		for (i = 0; i < sizeof(hidp_keycode); i++)
671 			set_bit(hidp_keycode[i], input->keybit);
672 		clear_bit(0, input->keybit);
673 	}
674 
675 	if (req->subclass & 0x80) {
676 		input->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REL);
677 		input->keybit[BIT_WORD(BTN_MOUSE)] = BIT_MASK(BTN_LEFT) |
678 			BIT_MASK(BTN_RIGHT) | BIT_MASK(BTN_MIDDLE);
679 		input->relbit[0] = BIT_MASK(REL_X) | BIT_MASK(REL_Y);
680 		input->keybit[BIT_WORD(BTN_MOUSE)] |= BIT_MASK(BTN_SIDE) |
681 			BIT_MASK(BTN_EXTRA);
682 		input->relbit[0] |= BIT_MASK(REL_WHEEL);
683 	}
684 
685 	input->dev.parent = &session->conn->hcon->dev;
686 
687 	input->event = hidp_input_event;
688 
689 	return 0;
690 }
691 
692 static int hidp_open(struct hid_device *hid)
693 {
694 	return 0;
695 }
696 
697 static void hidp_close(struct hid_device *hid)
698 {
699 }
700 
701 static int hidp_parse(struct hid_device *hid)
702 {
703 	struct hidp_session *session = hid->driver_data;
704 
705 	return hid_parse_report(session->hid, session->rd_data,
706 			session->rd_size);
707 }
708 
709 static int hidp_start(struct hid_device *hid)
710 {
711 	return 0;
712 }
713 
714 static void hidp_stop(struct hid_device *hid)
715 {
716 	struct hidp_session *session = hid->driver_data;
717 
718 	skb_queue_purge(&session->ctrl_transmit);
719 	skb_queue_purge(&session->intr_transmit);
720 
721 	hid->claimed = 0;
722 }
723 
724 static struct hid_ll_driver hidp_hid_driver = {
725 	.parse = hidp_parse,
726 	.start = hidp_start,
727 	.stop = hidp_stop,
728 	.open  = hidp_open,
729 	.close = hidp_close,
730 	.hidinput_input_event = hidp_hidinput_event,
731 };
732 
733 /* This function sets up the hid device. It does not add it
734    to the HID system. That is done in hidp_add_connection(). */
735 static int hidp_setup_hid(struct hidp_session *session,
736 				struct hidp_connadd_req *req)
737 {
738 	struct hid_device *hid;
739 	int err;
740 
741 	session->rd_data = kzalloc(req->rd_size, GFP_KERNEL);
742 	if (!session->rd_data)
743 		return -ENOMEM;
744 
745 	if (copy_from_user(session->rd_data, req->rd_data, req->rd_size)) {
746 		err = -EFAULT;
747 		goto fault;
748 	}
749 	session->rd_size = req->rd_size;
750 
751 	hid = hid_allocate_device();
752 	if (IS_ERR(hid)) {
753 		err = PTR_ERR(hid);
754 		goto fault;
755 	}
756 
757 	session->hid = hid;
758 
759 	hid->driver_data = session;
760 
761 	hid->bus     = BUS_BLUETOOTH;
762 	hid->vendor  = req->vendor;
763 	hid->product = req->product;
764 	hid->version = req->version;
765 	hid->country = req->country;
766 
767 	strncpy(hid->name, req->name, sizeof(req->name) - 1);
768 
769 	snprintf(hid->phys, sizeof(hid->phys), "%pMR",
770 		 &l2cap_pi(session->ctrl_sock->sk)->chan->src);
771 
772 	snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
773 		 &l2cap_pi(session->ctrl_sock->sk)->chan->dst);
774 
775 	hid->dev.parent = &session->conn->hcon->dev;
776 	hid->ll_driver = &hidp_hid_driver;
777 
778 	hid->hid_get_raw_report = hidp_get_raw_report;
779 	hid->hid_output_raw_report = hidp_output_raw_report;
780 
781 	/* True if device is blacklisted in drivers/hid/hid-core.c */
782 	if (hid_ignore(hid)) {
783 		hid_destroy_device(session->hid);
784 		session->hid = NULL;
785 		return -ENODEV;
786 	}
787 
788 	return 0;
789 
790 fault:
791 	kfree(session->rd_data);
792 	session->rd_data = NULL;
793 
794 	return err;
795 }
796 
797 /* initialize session devices */
798 static int hidp_session_dev_init(struct hidp_session *session,
799 				 struct hidp_connadd_req *req)
800 {
801 	int ret;
802 
803 	if (req->rd_size > 0) {
804 		ret = hidp_setup_hid(session, req);
805 		if (ret && ret != -ENODEV)
806 			return ret;
807 	}
808 
809 	if (!session->hid) {
810 		ret = hidp_setup_input(session, req);
811 		if (ret < 0)
812 			return ret;
813 	}
814 
815 	return 0;
816 }
817 
818 /* destroy session devices */
819 static void hidp_session_dev_destroy(struct hidp_session *session)
820 {
821 	if (session->hid)
822 		put_device(&session->hid->dev);
823 	else if (session->input)
824 		input_put_device(session->input);
825 
826 	kfree(session->rd_data);
827 	session->rd_data = NULL;
828 }
829 
830 /* add HID/input devices to their underlying bus systems */
831 static int hidp_session_dev_add(struct hidp_session *session)
832 {
833 	int ret;
834 
835 	/* Both HID and input systems drop a ref-count when unregistering the
836 	 * device but they don't take a ref-count when registering them. Work
837 	 * around this by explicitly taking a refcount during registration
838 	 * which is dropped automatically by unregistering the devices. */
839 
840 	if (session->hid) {
841 		ret = hid_add_device(session->hid);
842 		if (ret)
843 			return ret;
844 		get_device(&session->hid->dev);
845 	} else if (session->input) {
846 		ret = input_register_device(session->input);
847 		if (ret)
848 			return ret;
849 		input_get_device(session->input);
850 	}
851 
852 	return 0;
853 }
854 
855 /* remove HID/input devices from their bus systems */
856 static void hidp_session_dev_del(struct hidp_session *session)
857 {
858 	if (session->hid)
859 		hid_destroy_device(session->hid);
860 	else if (session->input)
861 		input_unregister_device(session->input);
862 }
863 
864 /*
865  * Asynchronous device registration
866  * HID device drivers might want to perform I/O during initialization to
867  * detect device types. Therefore, call device registration in a separate
868  * worker so the HIDP thread can schedule I/O operations.
869  * Note that this must be called after the worker thread was initialized
870  * successfully. This will then add the devices and increase session state
871  * on success, otherwise it will terminate the session thread.
872  */
873 static void hidp_session_dev_work(struct work_struct *work)
874 {
875 	struct hidp_session *session = container_of(work,
876 						    struct hidp_session,
877 						    dev_init);
878 	int ret;
879 
880 	ret = hidp_session_dev_add(session);
881 	if (!ret)
882 		atomic_inc(&session->state);
883 	else
884 		hidp_session_terminate(session);
885 }
886 
887 /*
888  * Create new session object
889  * Allocate session object, initialize static fields, copy input data into the
890  * object and take a reference to all sub-objects.
891  * This returns 0 on success and puts a pointer to the new session object in
892  * \out. Otherwise, an error code is returned.
893  * The new session object has an initial ref-count of 1.
894  */
895 static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
896 			    struct socket *ctrl_sock,
897 			    struct socket *intr_sock,
898 			    struct hidp_connadd_req *req,
899 			    struct l2cap_conn *conn)
900 {
901 	struct hidp_session *session;
902 	int ret;
903 	struct bt_sock *ctrl, *intr;
904 
905 	ctrl = bt_sk(ctrl_sock->sk);
906 	intr = bt_sk(intr_sock->sk);
907 
908 	session = kzalloc(sizeof(*session), GFP_KERNEL);
909 	if (!session)
910 		return -ENOMEM;
911 
912 	/* object and runtime management */
913 	kref_init(&session->ref);
914 	atomic_set(&session->state, HIDP_SESSION_IDLING);
915 	init_waitqueue_head(&session->state_queue);
916 	session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
917 
918 	/* connection management */
919 	bacpy(&session->bdaddr, bdaddr);
920 	session->conn = conn;
921 	session->user.probe = hidp_session_probe;
922 	session->user.remove = hidp_session_remove;
923 	session->ctrl_sock = ctrl_sock;
924 	session->intr_sock = intr_sock;
925 	skb_queue_head_init(&session->ctrl_transmit);
926 	skb_queue_head_init(&session->intr_transmit);
927 	session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
928 					l2cap_pi(ctrl)->chan->imtu);
929 	session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
930 					l2cap_pi(intr)->chan->imtu);
931 	session->idle_to = req->idle_to;
932 
933 	/* device management */
934 	INIT_WORK(&session->dev_init, hidp_session_dev_work);
935 	setup_timer(&session->timer, hidp_idle_timeout,
936 		    (unsigned long)session);
937 
938 	/* session data */
939 	mutex_init(&session->report_mutex);
940 	init_waitqueue_head(&session->report_queue);
941 
942 	ret = hidp_session_dev_init(session, req);
943 	if (ret)
944 		goto err_free;
945 
946 	l2cap_conn_get(session->conn);
947 	get_file(session->intr_sock->file);
948 	get_file(session->ctrl_sock->file);
949 	*out = session;
950 	return 0;
951 
952 err_free:
953 	kfree(session);
954 	return ret;
955 }
956 
957 /* increase ref-count of the given session by one */
958 static void hidp_session_get(struct hidp_session *session)
959 {
960 	kref_get(&session->ref);
961 }
962 
963 /* release callback */
964 static void session_free(struct kref *ref)
965 {
966 	struct hidp_session *session = container_of(ref, struct hidp_session,
967 						    ref);
968 
969 	hidp_session_dev_destroy(session);
970 	skb_queue_purge(&session->ctrl_transmit);
971 	skb_queue_purge(&session->intr_transmit);
972 	fput(session->intr_sock->file);
973 	fput(session->ctrl_sock->file);
974 	l2cap_conn_put(session->conn);
975 	kfree(session);
976 }
977 
978 /* decrease ref-count of the given session by one */
979 static void hidp_session_put(struct hidp_session *session)
980 {
981 	kref_put(&session->ref, session_free);
982 }
983 
984 /*
985  * Search the list of active sessions for a session with target address
986  * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
987  * you do not release this lock, the session objects cannot vanish and you can
988  * safely take a reference to the session yourself.
989  */
990 static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
991 {
992 	struct hidp_session *session;
993 
994 	list_for_each_entry(session, &hidp_session_list, list) {
995 		if (!bacmp(bdaddr, &session->bdaddr))
996 			return session;
997 	}
998 
999 	return NULL;
1000 }
1001 
1002 /*
1003  * Same as __hidp_session_find() but no locks must be held. This also takes a
1004  * reference of the returned session (if non-NULL) so you must drop this
1005  * reference if you no longer use the object.
1006  */
1007 static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
1008 {
1009 	struct hidp_session *session;
1010 
1011 	down_read(&hidp_session_sem);
1012 
1013 	session = __hidp_session_find(bdaddr);
1014 	if (session)
1015 		hidp_session_get(session);
1016 
1017 	up_read(&hidp_session_sem);
1018 
1019 	return session;
1020 }
1021 
1022 /*
1023  * Start session synchronously
1024  * This starts a session thread and waits until initialization
1025  * is done or returns an error if it couldn't be started.
1026  * If this returns 0 the session thread is up and running. You must call
1027  * hipd_session_stop_sync() before deleting any runtime resources.
1028  */
1029 static int hidp_session_start_sync(struct hidp_session *session)
1030 {
1031 	unsigned int vendor, product;
1032 
1033 	if (session->hid) {
1034 		vendor  = session->hid->vendor;
1035 		product = session->hid->product;
1036 	} else if (session->input) {
1037 		vendor  = session->input->id.vendor;
1038 		product = session->input->id.product;
1039 	} else {
1040 		vendor = 0x0000;
1041 		product = 0x0000;
1042 	}
1043 
1044 	session->task = kthread_run(hidp_session_thread, session,
1045 				    "khidpd_%04x%04x", vendor, product);
1046 	if (IS_ERR(session->task))
1047 		return PTR_ERR(session->task);
1048 
1049 	while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
1050 		wait_event(session->state_queue,
1051 			   atomic_read(&session->state) > HIDP_SESSION_IDLING);
1052 
1053 	return 0;
1054 }
1055 
1056 /*
1057  * Terminate session thread
1058  * Wake up session thread and notify it to stop. This is asynchronous and
1059  * returns immediately. Call this whenever a runtime error occurs and you want
1060  * the session to stop.
1061  * Note: wake_up_process() performs any necessary memory-barriers for us.
1062  */
1063 static void hidp_session_terminate(struct hidp_session *session)
1064 {
1065 	atomic_inc(&session->terminate);
1066 	wake_up_process(session->task);
1067 }
1068 
1069 /*
1070  * Probe HIDP session
1071  * This is called from the l2cap_conn core when our l2cap_user object is bound
1072  * to the hci-connection. We get the session via the \user object and can now
1073  * start the session thread, link it into the global session list and
1074  * schedule HID/input device registration.
1075  * The global session-list owns its own reference to the session object so you
1076  * can drop your own reference after registering the l2cap_user object.
1077  */
1078 static int hidp_session_probe(struct l2cap_conn *conn,
1079 			      struct l2cap_user *user)
1080 {
1081 	struct hidp_session *session = container_of(user,
1082 						    struct hidp_session,
1083 						    user);
1084 	struct hidp_session *s;
1085 	int ret;
1086 
1087 	down_write(&hidp_session_sem);
1088 
1089 	/* check that no other session for this device exists */
1090 	s = __hidp_session_find(&session->bdaddr);
1091 	if (s) {
1092 		ret = -EEXIST;
1093 		goto out_unlock;
1094 	}
1095 
1096 	if (session->input) {
1097 		ret = hidp_session_dev_add(session);
1098 		if (ret)
1099 			goto out_unlock;
1100 	}
1101 
1102 	ret = hidp_session_start_sync(session);
1103 	if (ret)
1104 		goto out_del;
1105 
1106 	/* HID device registration is async to allow I/O during probe */
1107 	if (session->input)
1108 		atomic_inc(&session->state);
1109 	else
1110 		schedule_work(&session->dev_init);
1111 
1112 	hidp_session_get(session);
1113 	list_add(&session->list, &hidp_session_list);
1114 	ret = 0;
1115 	goto out_unlock;
1116 
1117 out_del:
1118 	if (session->input)
1119 		hidp_session_dev_del(session);
1120 out_unlock:
1121 	up_write(&hidp_session_sem);
1122 	return ret;
1123 }
1124 
1125 /*
1126  * Remove HIDP session
1127  * Called from the l2cap_conn core when either we explicitly unregistered
1128  * the l2cap_user object or if the underlying connection is shut down.
1129  * We signal the hidp-session thread to shut down, unregister the HID/input
1130  * devices and unlink the session from the global list.
1131  * This drops the reference to the session that is owned by the global
1132  * session-list.
1133  * Note: We _must_ not synchronosly wait for the session-thread to shut down.
1134  * This is, because the session-thread might be waiting for an HCI lock that is
1135  * held while we are called. Therefore, we only unregister the devices and
1136  * notify the session-thread to terminate. The thread itself owns a reference
1137  * to the session object so it can safely shut down.
1138  */
1139 static void hidp_session_remove(struct l2cap_conn *conn,
1140 				struct l2cap_user *user)
1141 {
1142 	struct hidp_session *session = container_of(user,
1143 						    struct hidp_session,
1144 						    user);
1145 
1146 	down_write(&hidp_session_sem);
1147 
1148 	hidp_session_terminate(session);
1149 
1150 	cancel_work_sync(&session->dev_init);
1151 	if (session->input ||
1152 	    atomic_read(&session->state) > HIDP_SESSION_PREPARING)
1153 		hidp_session_dev_del(session);
1154 
1155 	list_del(&session->list);
1156 
1157 	up_write(&hidp_session_sem);
1158 
1159 	hidp_session_put(session);
1160 }
1161 
1162 /*
1163  * Session Worker
1164  * This performs the actual main-loop of the HIDP worker. We first check
1165  * whether the underlying connection is still alive, then parse all pending
1166  * messages and finally send all outstanding messages.
1167  */
1168 static void hidp_session_run(struct hidp_session *session)
1169 {
1170 	struct sock *ctrl_sk = session->ctrl_sock->sk;
1171 	struct sock *intr_sk = session->intr_sock->sk;
1172 	struct sk_buff *skb;
1173 
1174 	for (;;) {
1175 		/*
1176 		 * This thread can be woken up two ways:
1177 		 *  - You call hidp_session_terminate() which sets the
1178 		 *    session->terminate flag and wakes this thread up.
1179 		 *  - Via modifying the socket state of ctrl/intr_sock. This
1180 		 *    thread is woken up by ->sk_state_changed().
1181 		 *
1182 		 * Note: set_current_state() performs any necessary
1183 		 * memory-barriers for us.
1184 		 */
1185 		set_current_state(TASK_INTERRUPTIBLE);
1186 
1187 		if (atomic_read(&session->terminate))
1188 			break;
1189 
1190 		if (ctrl_sk->sk_state != BT_CONNECTED ||
1191 		    intr_sk->sk_state != BT_CONNECTED)
1192 			break;
1193 
1194 		/* parse incoming intr-skbs */
1195 		while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
1196 			skb_orphan(skb);
1197 			if (!skb_linearize(skb))
1198 				hidp_recv_intr_frame(session, skb);
1199 			else
1200 				kfree_skb(skb);
1201 		}
1202 
1203 		/* send pending intr-skbs */
1204 		hidp_process_transmit(session, &session->intr_transmit,
1205 				      session->intr_sock);
1206 
1207 		/* parse incoming ctrl-skbs */
1208 		while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
1209 			skb_orphan(skb);
1210 			if (!skb_linearize(skb))
1211 				hidp_recv_ctrl_frame(session, skb);
1212 			else
1213 				kfree_skb(skb);
1214 		}
1215 
1216 		/* send pending ctrl-skbs */
1217 		hidp_process_transmit(session, &session->ctrl_transmit,
1218 				      session->ctrl_sock);
1219 
1220 		schedule();
1221 	}
1222 
1223 	atomic_inc(&session->terminate);
1224 	set_current_state(TASK_RUNNING);
1225 }
1226 
1227 /*
1228  * HIDP session thread
1229  * This thread runs the I/O for a single HIDP session. Startup is synchronous
1230  * which allows us to take references to ourself here instead of doing that in
1231  * the caller.
1232  * When we are ready to run we notify the caller and call hidp_session_run().
1233  */
1234 static int hidp_session_thread(void *arg)
1235 {
1236 	struct hidp_session *session = arg;
1237 	wait_queue_t ctrl_wait, intr_wait;
1238 
1239 	BT_DBG("session %p", session);
1240 
1241 	/* initialize runtime environment */
1242 	hidp_session_get(session);
1243 	__module_get(THIS_MODULE);
1244 	set_user_nice(current, -15);
1245 	hidp_set_timer(session);
1246 
1247 	init_waitqueue_entry(&ctrl_wait, current);
1248 	init_waitqueue_entry(&intr_wait, current);
1249 	add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
1250 	add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1251 	/* This memory barrier is paired with wq_has_sleeper(). See
1252 	 * sock_poll_wait() for more information why this is needed. */
1253 	smp_mb();
1254 
1255 	/* notify synchronous startup that we're ready */
1256 	atomic_inc(&session->state);
1257 	wake_up(&session->state_queue);
1258 
1259 	/* run session */
1260 	hidp_session_run(session);
1261 
1262 	/* cleanup runtime environment */
1263 	remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
1264 	remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
1265 	wake_up_interruptible(&session->report_queue);
1266 	hidp_del_timer(session);
1267 
1268 	/*
1269 	 * If we stopped ourself due to any internal signal, we should try to
1270 	 * unregister our own session here to avoid having it linger until the
1271 	 * parent l2cap_conn dies or user-space cleans it up.
1272 	 * This does not deadlock as we don't do any synchronous shutdown.
1273 	 * Instead, this call has the same semantics as if user-space tried to
1274 	 * delete the session.
1275 	 */
1276 	l2cap_unregister_user(session->conn, &session->user);
1277 	hidp_session_put(session);
1278 
1279 	module_put_and_exit(0);
1280 	return 0;
1281 }
1282 
1283 static int hidp_verify_sockets(struct socket *ctrl_sock,
1284 			       struct socket *intr_sock)
1285 {
1286 	struct l2cap_chan *ctrl_chan, *intr_chan;
1287 	struct bt_sock *ctrl, *intr;
1288 	struct hidp_session *session;
1289 
1290 	if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
1291 		return -EINVAL;
1292 
1293 	ctrl_chan = l2cap_pi(ctrl_sock->sk)->chan;
1294 	intr_chan = l2cap_pi(intr_sock->sk)->chan;
1295 
1296 	if (bacmp(&ctrl_chan->src, &intr_chan->src) ||
1297 	    bacmp(&ctrl_chan->dst, &intr_chan->dst))
1298 		return -ENOTUNIQ;
1299 
1300 	ctrl = bt_sk(ctrl_sock->sk);
1301 	intr = bt_sk(intr_sock->sk);
1302 
1303 	if (ctrl->sk.sk_state != BT_CONNECTED ||
1304 	    intr->sk.sk_state != BT_CONNECTED)
1305 		return -EBADFD;
1306 
1307 	/* early session check, we check again during session registration */
1308 	session = hidp_session_find(&ctrl_chan->dst);
1309 	if (session) {
1310 		hidp_session_put(session);
1311 		return -EEXIST;
1312 	}
1313 
1314 	return 0;
1315 }
1316 
1317 int hidp_connection_add(struct hidp_connadd_req *req,
1318 			struct socket *ctrl_sock,
1319 			struct socket *intr_sock)
1320 {
1321 	struct hidp_session *session;
1322 	struct l2cap_conn *conn;
1323 	struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
1324 	int ret;
1325 
1326 	ret = hidp_verify_sockets(ctrl_sock, intr_sock);
1327 	if (ret)
1328 		return ret;
1329 
1330 	conn = NULL;
1331 	l2cap_chan_lock(chan);
1332 	if (chan->conn) {
1333 		l2cap_conn_get(chan->conn);
1334 		conn = chan->conn;
1335 	}
1336 	l2cap_chan_unlock(chan);
1337 
1338 	if (!conn)
1339 		return -EBADFD;
1340 
1341 	ret = hidp_session_new(&session, &chan->dst, ctrl_sock,
1342 			       intr_sock, req, conn);
1343 	if (ret)
1344 		goto out_conn;
1345 
1346 	ret = l2cap_register_user(conn, &session->user);
1347 	if (ret)
1348 		goto out_session;
1349 
1350 	ret = 0;
1351 
1352 out_session:
1353 	hidp_session_put(session);
1354 out_conn:
1355 	l2cap_conn_put(conn);
1356 	return ret;
1357 }
1358 
1359 int hidp_connection_del(struct hidp_conndel_req *req)
1360 {
1361 	struct hidp_session *session;
1362 
1363 	session = hidp_session_find(&req->bdaddr);
1364 	if (!session)
1365 		return -ENOENT;
1366 
1367 	if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG))
1368 		hidp_send_ctrl_message(session,
1369 				       HIDP_TRANS_HID_CONTROL |
1370 				         HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
1371 				       NULL, 0);
1372 	else
1373 		l2cap_unregister_user(session->conn, &session->user);
1374 
1375 	hidp_session_put(session);
1376 
1377 	return 0;
1378 }
1379 
1380 int hidp_get_connlist(struct hidp_connlist_req *req)
1381 {
1382 	struct hidp_session *session;
1383 	int err = 0, n = 0;
1384 
1385 	BT_DBG("");
1386 
1387 	down_read(&hidp_session_sem);
1388 
1389 	list_for_each_entry(session, &hidp_session_list, list) {
1390 		struct hidp_conninfo ci;
1391 
1392 		hidp_copy_session(session, &ci);
1393 
1394 		if (copy_to_user(req->ci, &ci, sizeof(ci))) {
1395 			err = -EFAULT;
1396 			break;
1397 		}
1398 
1399 		if (++n >= req->cnum)
1400 			break;
1401 
1402 		req->ci++;
1403 	}
1404 	req->cnum = n;
1405 
1406 	up_read(&hidp_session_sem);
1407 	return err;
1408 }
1409 
1410 int hidp_get_conninfo(struct hidp_conninfo *ci)
1411 {
1412 	struct hidp_session *session;
1413 
1414 	session = hidp_session_find(&ci->bdaddr);
1415 	if (session) {
1416 		hidp_copy_session(session, ci);
1417 		hidp_session_put(session);
1418 	}
1419 
1420 	return session ? 0 : -ENOENT;
1421 }
1422 
1423 static int __init hidp_init(void)
1424 {
1425 	BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
1426 
1427 	return hidp_init_sockets();
1428 }
1429 
1430 static void __exit hidp_exit(void)
1431 {
1432 	hidp_cleanup_sockets();
1433 }
1434 
1435 module_init(hidp_init);
1436 module_exit(hidp_exit);
1437 
1438 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
1439 MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
1440 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
1441 MODULE_VERSION(VERSION);
1442 MODULE_LICENSE("GPL");
1443 MODULE_ALIAS("bt-proto-6");
1444