xref: /linux/net/bluetooth/sco.c (revision 3503d56cc7233ced602e38a4c13caa64f00ab2aa)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth SCO sockets. */
26 
27 #include <linux/module.h>
28 #include <linux/debugfs.h>
29 #include <linux/seq_file.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/sco.h>
35 
36 static bool disable_esco;
37 
38 static const struct proto_ops sco_sock_ops;
39 
40 static struct bt_sock_list sco_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(sco_sk_list.lock)
42 };
43 
44 /* ---- SCO connections ---- */
45 struct sco_conn {
46 	struct hci_conn	*hcon;
47 
48 	spinlock_t	lock;
49 	struct sock	*sk;
50 
51 	unsigned int    mtu;
52 };
53 
54 #define sco_conn_lock(c)	spin_lock(&c->lock);
55 #define sco_conn_unlock(c)	spin_unlock(&c->lock);
56 
57 static void sco_sock_close(struct sock *sk);
58 static void sco_sock_kill(struct sock *sk);
59 
60 /* ----- SCO socket info ----- */
61 #define sco_pi(sk) ((struct sco_pinfo *) sk)
62 
63 struct sco_pinfo {
64 	struct bt_sock	bt;
65 	bdaddr_t	src;
66 	bdaddr_t	dst;
67 	__u32		flags;
68 	__u16		setting;
69 	struct sco_conn	*conn;
70 };
71 
72 /* ---- SCO timers ---- */
73 #define SCO_CONN_TIMEOUT	(HZ * 40)
74 #define SCO_DISCONN_TIMEOUT	(HZ * 2)
75 
76 static void sco_sock_timeout(struct timer_list *t)
77 {
78 	struct sock *sk = from_timer(sk, t, sk_timer);
79 
80 	BT_DBG("sock %p state %d", sk, sk->sk_state);
81 
82 	bh_lock_sock(sk);
83 	sk->sk_err = ETIMEDOUT;
84 	sk->sk_state_change(sk);
85 	bh_unlock_sock(sk);
86 
87 	sco_sock_kill(sk);
88 	sock_put(sk);
89 }
90 
91 static void sco_sock_set_timer(struct sock *sk, long timeout)
92 {
93 	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
94 	sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
95 }
96 
97 static void sco_sock_clear_timer(struct sock *sk)
98 {
99 	BT_DBG("sock %p state %d", sk, sk->sk_state);
100 	sk_stop_timer(sk, &sk->sk_timer);
101 }
102 
103 /* ---- SCO connections ---- */
104 static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
105 {
106 	struct hci_dev *hdev = hcon->hdev;
107 	struct sco_conn *conn = hcon->sco_data;
108 
109 	if (conn)
110 		return conn;
111 
112 	conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL);
113 	if (!conn)
114 		return NULL;
115 
116 	spin_lock_init(&conn->lock);
117 
118 	hcon->sco_data = conn;
119 	conn->hcon = hcon;
120 
121 	if (hdev->sco_mtu > 0)
122 		conn->mtu = hdev->sco_mtu;
123 	else
124 		conn->mtu = 60;
125 
126 	BT_DBG("hcon %p conn %p", hcon, conn);
127 
128 	return conn;
129 }
130 
131 /* Delete channel.
132  * Must be called on the locked socket. */
133 static void sco_chan_del(struct sock *sk, int err)
134 {
135 	struct sco_conn *conn;
136 
137 	conn = sco_pi(sk)->conn;
138 
139 	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
140 
141 	if (conn) {
142 		sco_conn_lock(conn);
143 		conn->sk = NULL;
144 		sco_pi(sk)->conn = NULL;
145 		sco_conn_unlock(conn);
146 
147 		if (conn->hcon)
148 			hci_conn_drop(conn->hcon);
149 	}
150 
151 	sk->sk_state = BT_CLOSED;
152 	sk->sk_err   = err;
153 	sk->sk_state_change(sk);
154 
155 	sock_set_flag(sk, SOCK_ZAPPED);
156 }
157 
158 static void sco_conn_del(struct hci_conn *hcon, int err)
159 {
160 	struct sco_conn *conn = hcon->sco_data;
161 	struct sock *sk;
162 
163 	if (!conn)
164 		return;
165 
166 	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
167 
168 	/* Kill socket */
169 	sco_conn_lock(conn);
170 	sk = conn->sk;
171 	sco_conn_unlock(conn);
172 
173 	if (sk) {
174 		sock_hold(sk);
175 		bh_lock_sock(sk);
176 		sco_sock_clear_timer(sk);
177 		sco_chan_del(sk, err);
178 		bh_unlock_sock(sk);
179 		sco_sock_kill(sk);
180 		sock_put(sk);
181 	}
182 
183 	hcon->sco_data = NULL;
184 	kfree(conn);
185 }
186 
187 static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
188 			   struct sock *parent)
189 {
190 	BT_DBG("conn %p", conn);
191 
192 	sco_pi(sk)->conn = conn;
193 	conn->sk = sk;
194 
195 	if (parent)
196 		bt_accept_enqueue(parent, sk, true);
197 }
198 
199 static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
200 			struct sock *parent)
201 {
202 	int err = 0;
203 
204 	sco_conn_lock(conn);
205 	if (conn->sk)
206 		err = -EBUSY;
207 	else
208 		__sco_chan_add(conn, sk, parent);
209 
210 	sco_conn_unlock(conn);
211 	return err;
212 }
213 
214 static int sco_connect(struct sock *sk)
215 {
216 	struct sco_conn *conn;
217 	struct hci_conn *hcon;
218 	struct hci_dev  *hdev;
219 	int err, type;
220 
221 	BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
222 
223 	hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR);
224 	if (!hdev)
225 		return -EHOSTUNREACH;
226 
227 	hci_dev_lock(hdev);
228 
229 	if (lmp_esco_capable(hdev) && !disable_esco)
230 		type = ESCO_LINK;
231 	else
232 		type = SCO_LINK;
233 
234 	if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
235 	    (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) {
236 		err = -EOPNOTSUPP;
237 		goto done;
238 	}
239 
240 	hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
241 			       sco_pi(sk)->setting);
242 	if (IS_ERR(hcon)) {
243 		err = PTR_ERR(hcon);
244 		goto done;
245 	}
246 
247 	conn = sco_conn_add(hcon);
248 	if (!conn) {
249 		hci_conn_drop(hcon);
250 		err = -ENOMEM;
251 		goto done;
252 	}
253 
254 	/* Update source addr of the socket */
255 	bacpy(&sco_pi(sk)->src, &hcon->src);
256 
257 	err = sco_chan_add(conn, sk, NULL);
258 	if (err)
259 		goto done;
260 
261 	if (hcon->state == BT_CONNECTED) {
262 		sco_sock_clear_timer(sk);
263 		sk->sk_state = BT_CONNECTED;
264 	} else {
265 		sk->sk_state = BT_CONNECT;
266 		sco_sock_set_timer(sk, sk->sk_sndtimeo);
267 	}
268 
269 done:
270 	hci_dev_unlock(hdev);
271 	hci_dev_put(hdev);
272 	return err;
273 }
274 
275 static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
276 {
277 	struct sco_conn *conn = sco_pi(sk)->conn;
278 	struct sk_buff *skb;
279 	int err;
280 
281 	/* Check outgoing MTU */
282 	if (len > conn->mtu)
283 		return -EINVAL;
284 
285 	BT_DBG("sk %p len %d", sk, len);
286 
287 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
288 	if (!skb)
289 		return err;
290 
291 	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
292 		kfree_skb(skb);
293 		return -EFAULT;
294 	}
295 
296 	hci_send_sco(conn->hcon, skb);
297 
298 	return len;
299 }
300 
301 static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
302 {
303 	struct sock *sk;
304 
305 	sco_conn_lock(conn);
306 	sk = conn->sk;
307 	sco_conn_unlock(conn);
308 
309 	if (!sk)
310 		goto drop;
311 
312 	BT_DBG("sk %p len %d", sk, skb->len);
313 
314 	if (sk->sk_state != BT_CONNECTED)
315 		goto drop;
316 
317 	if (!sock_queue_rcv_skb(sk, skb))
318 		return;
319 
320 drop:
321 	kfree_skb(skb);
322 }
323 
324 /* -------- Socket interface ---------- */
325 static struct sock *__sco_get_sock_listen_by_addr(bdaddr_t *ba)
326 {
327 	struct sock *sk;
328 
329 	sk_for_each(sk, &sco_sk_list.head) {
330 		if (sk->sk_state != BT_LISTEN)
331 			continue;
332 
333 		if (!bacmp(&sco_pi(sk)->src, ba))
334 			return sk;
335 	}
336 
337 	return NULL;
338 }
339 
340 /* Find socket listening on source bdaddr.
341  * Returns closest match.
342  */
343 static struct sock *sco_get_sock_listen(bdaddr_t *src)
344 {
345 	struct sock *sk = NULL, *sk1 = NULL;
346 
347 	read_lock(&sco_sk_list.lock);
348 
349 	sk_for_each(sk, &sco_sk_list.head) {
350 		if (sk->sk_state != BT_LISTEN)
351 			continue;
352 
353 		/* Exact match. */
354 		if (!bacmp(&sco_pi(sk)->src, src))
355 			break;
356 
357 		/* Closest match */
358 		if (!bacmp(&sco_pi(sk)->src, BDADDR_ANY))
359 			sk1 = sk;
360 	}
361 
362 	read_unlock(&sco_sk_list.lock);
363 
364 	return sk ? sk : sk1;
365 }
366 
367 static void sco_sock_destruct(struct sock *sk)
368 {
369 	BT_DBG("sk %p", sk);
370 
371 	skb_queue_purge(&sk->sk_receive_queue);
372 	skb_queue_purge(&sk->sk_write_queue);
373 }
374 
375 static void sco_sock_cleanup_listen(struct sock *parent)
376 {
377 	struct sock *sk;
378 
379 	BT_DBG("parent %p", parent);
380 
381 	/* Close not yet accepted channels */
382 	while ((sk = bt_accept_dequeue(parent, NULL))) {
383 		sco_sock_close(sk);
384 		sco_sock_kill(sk);
385 	}
386 
387 	parent->sk_state  = BT_CLOSED;
388 	sock_set_flag(parent, SOCK_ZAPPED);
389 }
390 
391 /* Kill socket (only if zapped and orphan)
392  * Must be called on unlocked socket.
393  */
394 static void sco_sock_kill(struct sock *sk)
395 {
396 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
397 	    sock_flag(sk, SOCK_DEAD))
398 		return;
399 
400 	BT_DBG("sk %p state %d", sk, sk->sk_state);
401 
402 	/* Kill poor orphan */
403 	bt_sock_unlink(&sco_sk_list, sk);
404 	sock_set_flag(sk, SOCK_DEAD);
405 	sock_put(sk);
406 }
407 
408 static void __sco_sock_close(struct sock *sk)
409 {
410 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
411 
412 	switch (sk->sk_state) {
413 	case BT_LISTEN:
414 		sco_sock_cleanup_listen(sk);
415 		break;
416 
417 	case BT_CONNECTED:
418 	case BT_CONFIG:
419 		if (sco_pi(sk)->conn->hcon) {
420 			sk->sk_state = BT_DISCONN;
421 			sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
422 			sco_conn_lock(sco_pi(sk)->conn);
423 			hci_conn_drop(sco_pi(sk)->conn->hcon);
424 			sco_pi(sk)->conn->hcon = NULL;
425 			sco_conn_unlock(sco_pi(sk)->conn);
426 		} else
427 			sco_chan_del(sk, ECONNRESET);
428 		break;
429 
430 	case BT_CONNECT2:
431 	case BT_CONNECT:
432 	case BT_DISCONN:
433 		sco_chan_del(sk, ECONNRESET);
434 		break;
435 
436 	default:
437 		sock_set_flag(sk, SOCK_ZAPPED);
438 		break;
439 	}
440 }
441 
442 /* Must be called on unlocked socket. */
443 static void sco_sock_close(struct sock *sk)
444 {
445 	sco_sock_clear_timer(sk);
446 	lock_sock(sk);
447 	__sco_sock_close(sk);
448 	release_sock(sk);
449 	sco_sock_kill(sk);
450 }
451 
452 static void sco_sock_init(struct sock *sk, struct sock *parent)
453 {
454 	BT_DBG("sk %p", sk);
455 
456 	if (parent) {
457 		sk->sk_type = parent->sk_type;
458 		bt_sk(sk)->flags = bt_sk(parent)->flags;
459 		security_sk_clone(parent, sk);
460 	}
461 }
462 
463 static struct proto sco_proto = {
464 	.name		= "SCO",
465 	.owner		= THIS_MODULE,
466 	.obj_size	= sizeof(struct sco_pinfo)
467 };
468 
469 static struct sock *sco_sock_alloc(struct net *net, struct socket *sock,
470 				   int proto, gfp_t prio, int kern)
471 {
472 	struct sock *sk;
473 
474 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &sco_proto, kern);
475 	if (!sk)
476 		return NULL;
477 
478 	sock_init_data(sock, sk);
479 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
480 
481 	sk->sk_destruct = sco_sock_destruct;
482 	sk->sk_sndtimeo = SCO_CONN_TIMEOUT;
483 
484 	sock_reset_flag(sk, SOCK_ZAPPED);
485 
486 	sk->sk_protocol = proto;
487 	sk->sk_state    = BT_OPEN;
488 
489 	sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;
490 
491 	timer_setup(&sk->sk_timer, sco_sock_timeout, 0);
492 
493 	bt_sock_link(&sco_sk_list, sk);
494 	return sk;
495 }
496 
497 static int sco_sock_create(struct net *net, struct socket *sock, int protocol,
498 			   int kern)
499 {
500 	struct sock *sk;
501 
502 	BT_DBG("sock %p", sock);
503 
504 	sock->state = SS_UNCONNECTED;
505 
506 	if (sock->type != SOCK_SEQPACKET)
507 		return -ESOCKTNOSUPPORT;
508 
509 	sock->ops = &sco_sock_ops;
510 
511 	sk = sco_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
512 	if (!sk)
513 		return -ENOMEM;
514 
515 	sco_sock_init(sk, NULL);
516 	return 0;
517 }
518 
519 static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
520 			 int addr_len)
521 {
522 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
523 	struct sock *sk = sock->sk;
524 	int err = 0;
525 
526 	if (!addr || addr_len < sizeof(struct sockaddr_sco) ||
527 	    addr->sa_family != AF_BLUETOOTH)
528 		return -EINVAL;
529 
530 	BT_DBG("sk %p %pMR", sk, &sa->sco_bdaddr);
531 
532 	lock_sock(sk);
533 
534 	if (sk->sk_state != BT_OPEN) {
535 		err = -EBADFD;
536 		goto done;
537 	}
538 
539 	if (sk->sk_type != SOCK_SEQPACKET) {
540 		err = -EINVAL;
541 		goto done;
542 	}
543 
544 	bacpy(&sco_pi(sk)->src, &sa->sco_bdaddr);
545 
546 	sk->sk_state = BT_BOUND;
547 
548 done:
549 	release_sock(sk);
550 	return err;
551 }
552 
553 static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
554 {
555 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
556 	struct sock *sk = sock->sk;
557 	int err;
558 
559 	BT_DBG("sk %p", sk);
560 
561 	if (alen < sizeof(struct sockaddr_sco) ||
562 	    addr->sa_family != AF_BLUETOOTH)
563 		return -EINVAL;
564 
565 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
566 		return -EBADFD;
567 
568 	if (sk->sk_type != SOCK_SEQPACKET)
569 		return -EINVAL;
570 
571 	lock_sock(sk);
572 
573 	/* Set destination address and psm */
574 	bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
575 
576 	err = sco_connect(sk);
577 	if (err)
578 		goto done;
579 
580 	err = bt_sock_wait_state(sk, BT_CONNECTED,
581 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
582 
583 done:
584 	release_sock(sk);
585 	return err;
586 }
587 
588 static int sco_sock_listen(struct socket *sock, int backlog)
589 {
590 	struct sock *sk = sock->sk;
591 	bdaddr_t *src = &sco_pi(sk)->src;
592 	int err = 0;
593 
594 	BT_DBG("sk %p backlog %d", sk, backlog);
595 
596 	lock_sock(sk);
597 
598 	if (sk->sk_state != BT_BOUND) {
599 		err = -EBADFD;
600 		goto done;
601 	}
602 
603 	if (sk->sk_type != SOCK_SEQPACKET) {
604 		err = -EINVAL;
605 		goto done;
606 	}
607 
608 	write_lock(&sco_sk_list.lock);
609 
610 	if (__sco_get_sock_listen_by_addr(src)) {
611 		err = -EADDRINUSE;
612 		goto unlock;
613 	}
614 
615 	sk->sk_max_ack_backlog = backlog;
616 	sk->sk_ack_backlog = 0;
617 
618 	sk->sk_state = BT_LISTEN;
619 
620 unlock:
621 	write_unlock(&sco_sk_list.lock);
622 
623 done:
624 	release_sock(sk);
625 	return err;
626 }
627 
628 static int sco_sock_accept(struct socket *sock, struct socket *newsock,
629 			   int flags, bool kern)
630 {
631 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
632 	struct sock *sk = sock->sk, *ch;
633 	long timeo;
634 	int err = 0;
635 
636 	lock_sock(sk);
637 
638 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
639 
640 	BT_DBG("sk %p timeo %ld", sk, timeo);
641 
642 	/* Wait for an incoming connection. (wake-one). */
643 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
644 	while (1) {
645 		if (sk->sk_state != BT_LISTEN) {
646 			err = -EBADFD;
647 			break;
648 		}
649 
650 		ch = bt_accept_dequeue(sk, newsock);
651 		if (ch)
652 			break;
653 
654 		if (!timeo) {
655 			err = -EAGAIN;
656 			break;
657 		}
658 
659 		if (signal_pending(current)) {
660 			err = sock_intr_errno(timeo);
661 			break;
662 		}
663 
664 		release_sock(sk);
665 
666 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
667 		lock_sock(sk);
668 	}
669 	remove_wait_queue(sk_sleep(sk), &wait);
670 
671 	if (err)
672 		goto done;
673 
674 	newsock->state = SS_CONNECTED;
675 
676 	BT_DBG("new socket %p", ch);
677 
678 done:
679 	release_sock(sk);
680 	return err;
681 }
682 
683 static int sco_sock_getname(struct socket *sock, struct sockaddr *addr,
684 			    int peer)
685 {
686 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
687 	struct sock *sk = sock->sk;
688 
689 	BT_DBG("sock %p, sk %p", sock, sk);
690 
691 	addr->sa_family = AF_BLUETOOTH;
692 
693 	if (peer)
694 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->dst);
695 	else
696 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->src);
697 
698 	return sizeof(struct sockaddr_sco);
699 }
700 
701 static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
702 			    size_t len)
703 {
704 	struct sock *sk = sock->sk;
705 	int err;
706 
707 	BT_DBG("sock %p, sk %p", sock, sk);
708 
709 	err = sock_error(sk);
710 	if (err)
711 		return err;
712 
713 	if (msg->msg_flags & MSG_OOB)
714 		return -EOPNOTSUPP;
715 
716 	lock_sock(sk);
717 
718 	if (sk->sk_state == BT_CONNECTED)
719 		err = sco_send_frame(sk, msg, len);
720 	else
721 		err = -ENOTCONN;
722 
723 	release_sock(sk);
724 	return err;
725 }
726 
727 static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting)
728 {
729 	struct hci_dev *hdev = conn->hdev;
730 
731 	BT_DBG("conn %p", conn);
732 
733 	conn->state = BT_CONFIG;
734 
735 	if (!lmp_esco_capable(hdev)) {
736 		struct hci_cp_accept_conn_req cp;
737 
738 		bacpy(&cp.bdaddr, &conn->dst);
739 		cp.role = 0x00; /* Ignored */
740 
741 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
742 	} else {
743 		struct hci_cp_accept_sync_conn_req cp;
744 
745 		bacpy(&cp.bdaddr, &conn->dst);
746 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
747 
748 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
749 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
750 		cp.content_format = cpu_to_le16(setting);
751 
752 		switch (setting & SCO_AIRMODE_MASK) {
753 		case SCO_AIRMODE_TRANSP:
754 			if (conn->pkt_type & ESCO_2EV3)
755 				cp.max_latency = cpu_to_le16(0x0008);
756 			else
757 				cp.max_latency = cpu_to_le16(0x000D);
758 			cp.retrans_effort = 0x02;
759 			break;
760 		case SCO_AIRMODE_CVSD:
761 			cp.max_latency = cpu_to_le16(0xffff);
762 			cp.retrans_effort = 0xff;
763 			break;
764 		}
765 
766 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
767 			     sizeof(cp), &cp);
768 	}
769 }
770 
771 static int sco_sock_recvmsg(struct socket *sock, struct msghdr *msg,
772 			    size_t len, int flags)
773 {
774 	struct sock *sk = sock->sk;
775 	struct sco_pinfo *pi = sco_pi(sk);
776 
777 	lock_sock(sk);
778 
779 	if (sk->sk_state == BT_CONNECT2 &&
780 	    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
781 		sco_conn_defer_accept(pi->conn->hcon, pi->setting);
782 		sk->sk_state = BT_CONFIG;
783 
784 		release_sock(sk);
785 		return 0;
786 	}
787 
788 	release_sock(sk);
789 
790 	return bt_sock_recvmsg(sock, msg, len, flags);
791 }
792 
793 static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
794 			       char __user *optval, unsigned int optlen)
795 {
796 	struct sock *sk = sock->sk;
797 	int len, err = 0;
798 	struct bt_voice voice;
799 	u32 opt;
800 
801 	BT_DBG("sk %p", sk);
802 
803 	lock_sock(sk);
804 
805 	switch (optname) {
806 
807 	case BT_DEFER_SETUP:
808 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
809 			err = -EINVAL;
810 			break;
811 		}
812 
813 		if (get_user(opt, (u32 __user *) optval)) {
814 			err = -EFAULT;
815 			break;
816 		}
817 
818 		if (opt)
819 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
820 		else
821 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
822 		break;
823 
824 	case BT_VOICE:
825 		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
826 		    sk->sk_state != BT_CONNECT2) {
827 			err = -EINVAL;
828 			break;
829 		}
830 
831 		voice.setting = sco_pi(sk)->setting;
832 
833 		len = min_t(unsigned int, sizeof(voice), optlen);
834 		if (copy_from_user((char *)&voice, optval, len)) {
835 			err = -EFAULT;
836 			break;
837 		}
838 
839 		/* Explicitly check for these values */
840 		if (voice.setting != BT_VOICE_TRANSPARENT &&
841 		    voice.setting != BT_VOICE_CVSD_16BIT) {
842 			err = -EINVAL;
843 			break;
844 		}
845 
846 		sco_pi(sk)->setting = voice.setting;
847 		break;
848 
849 	default:
850 		err = -ENOPROTOOPT;
851 		break;
852 	}
853 
854 	release_sock(sk);
855 	return err;
856 }
857 
858 static int sco_sock_getsockopt_old(struct socket *sock, int optname,
859 				   char __user *optval, int __user *optlen)
860 {
861 	struct sock *sk = sock->sk;
862 	struct sco_options opts;
863 	struct sco_conninfo cinfo;
864 	int len, err = 0;
865 
866 	BT_DBG("sk %p", sk);
867 
868 	if (get_user(len, optlen))
869 		return -EFAULT;
870 
871 	lock_sock(sk);
872 
873 	switch (optname) {
874 	case SCO_OPTIONS:
875 		if (sk->sk_state != BT_CONNECTED &&
876 		    !(sk->sk_state == BT_CONNECT2 &&
877 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
878 			err = -ENOTCONN;
879 			break;
880 		}
881 
882 		opts.mtu = sco_pi(sk)->conn->mtu;
883 
884 		BT_DBG("mtu %d", opts.mtu);
885 
886 		len = min_t(unsigned int, len, sizeof(opts));
887 		if (copy_to_user(optval, (char *)&opts, len))
888 			err = -EFAULT;
889 
890 		break;
891 
892 	case SCO_CONNINFO:
893 		if (sk->sk_state != BT_CONNECTED &&
894 		    !(sk->sk_state == BT_CONNECT2 &&
895 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
896 			err = -ENOTCONN;
897 			break;
898 		}
899 
900 		memset(&cinfo, 0, sizeof(cinfo));
901 		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
902 		memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
903 
904 		len = min_t(unsigned int, len, sizeof(cinfo));
905 		if (copy_to_user(optval, (char *)&cinfo, len))
906 			err = -EFAULT;
907 
908 		break;
909 
910 	default:
911 		err = -ENOPROTOOPT;
912 		break;
913 	}
914 
915 	release_sock(sk);
916 	return err;
917 }
918 
919 static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
920 			       char __user *optval, int __user *optlen)
921 {
922 	struct sock *sk = sock->sk;
923 	int len, err = 0;
924 	struct bt_voice voice;
925 	u32 phys;
926 
927 	BT_DBG("sk %p", sk);
928 
929 	if (level == SOL_SCO)
930 		return sco_sock_getsockopt_old(sock, optname, optval, optlen);
931 
932 	if (get_user(len, optlen))
933 		return -EFAULT;
934 
935 	lock_sock(sk);
936 
937 	switch (optname) {
938 
939 	case BT_DEFER_SETUP:
940 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
941 			err = -EINVAL;
942 			break;
943 		}
944 
945 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
946 			     (u32 __user *)optval))
947 			err = -EFAULT;
948 
949 		break;
950 
951 	case BT_VOICE:
952 		voice.setting = sco_pi(sk)->setting;
953 
954 		len = min_t(unsigned int, len, sizeof(voice));
955 		if (copy_to_user(optval, (char *)&voice, len))
956 			err = -EFAULT;
957 
958 		break;
959 
960 	case BT_PHY:
961 		if (sk->sk_state != BT_CONNECTED) {
962 			err = -ENOTCONN;
963 			break;
964 		}
965 
966 		phys = hci_conn_get_phy(sco_pi(sk)->conn->hcon);
967 
968 		if (put_user(phys, (u32 __user *) optval))
969 			err = -EFAULT;
970 		break;
971 
972 	default:
973 		err = -ENOPROTOOPT;
974 		break;
975 	}
976 
977 	release_sock(sk);
978 	return err;
979 }
980 
981 static int sco_sock_shutdown(struct socket *sock, int how)
982 {
983 	struct sock *sk = sock->sk;
984 	int err = 0;
985 
986 	BT_DBG("sock %p, sk %p", sock, sk);
987 
988 	if (!sk)
989 		return 0;
990 
991 	sock_hold(sk);
992 	lock_sock(sk);
993 
994 	if (!sk->sk_shutdown) {
995 		sk->sk_shutdown = SHUTDOWN_MASK;
996 		sco_sock_clear_timer(sk);
997 		__sco_sock_close(sk);
998 
999 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1000 		    !(current->flags & PF_EXITING))
1001 			err = bt_sock_wait_state(sk, BT_CLOSED,
1002 						 sk->sk_lingertime);
1003 	}
1004 
1005 	release_sock(sk);
1006 	sock_put(sk);
1007 
1008 	return err;
1009 }
1010 
1011 static int sco_sock_release(struct socket *sock)
1012 {
1013 	struct sock *sk = sock->sk;
1014 	int err = 0;
1015 
1016 	BT_DBG("sock %p, sk %p", sock, sk);
1017 
1018 	if (!sk)
1019 		return 0;
1020 
1021 	sco_sock_close(sk);
1022 
1023 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1024 	    !(current->flags & PF_EXITING)) {
1025 		lock_sock(sk);
1026 		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1027 		release_sock(sk);
1028 	}
1029 
1030 	sock_orphan(sk);
1031 	sco_sock_kill(sk);
1032 	return err;
1033 }
1034 
1035 static void sco_conn_ready(struct sco_conn *conn)
1036 {
1037 	struct sock *parent;
1038 	struct sock *sk = conn->sk;
1039 
1040 	BT_DBG("conn %p", conn);
1041 
1042 	if (sk) {
1043 		sco_sock_clear_timer(sk);
1044 		bh_lock_sock(sk);
1045 		sk->sk_state = BT_CONNECTED;
1046 		sk->sk_state_change(sk);
1047 		bh_unlock_sock(sk);
1048 	} else {
1049 		sco_conn_lock(conn);
1050 
1051 		if (!conn->hcon) {
1052 			sco_conn_unlock(conn);
1053 			return;
1054 		}
1055 
1056 		parent = sco_get_sock_listen(&conn->hcon->src);
1057 		if (!parent) {
1058 			sco_conn_unlock(conn);
1059 			return;
1060 		}
1061 
1062 		bh_lock_sock(parent);
1063 
1064 		sk = sco_sock_alloc(sock_net(parent), NULL,
1065 				    BTPROTO_SCO, GFP_ATOMIC, 0);
1066 		if (!sk) {
1067 			bh_unlock_sock(parent);
1068 			sco_conn_unlock(conn);
1069 			return;
1070 		}
1071 
1072 		sco_sock_init(sk, parent);
1073 
1074 		bacpy(&sco_pi(sk)->src, &conn->hcon->src);
1075 		bacpy(&sco_pi(sk)->dst, &conn->hcon->dst);
1076 
1077 		hci_conn_hold(conn->hcon);
1078 		__sco_chan_add(conn, sk, parent);
1079 
1080 		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1081 			sk->sk_state = BT_CONNECT2;
1082 		else
1083 			sk->sk_state = BT_CONNECTED;
1084 
1085 		/* Wake up parent */
1086 		parent->sk_data_ready(parent);
1087 
1088 		bh_unlock_sock(parent);
1089 
1090 		sco_conn_unlock(conn);
1091 	}
1092 }
1093 
1094 /* ----- SCO interface with lower layer (HCI) ----- */
1095 int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
1096 {
1097 	struct sock *sk;
1098 	int lm = 0;
1099 
1100 	BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1101 
1102 	/* Find listening sockets */
1103 	read_lock(&sco_sk_list.lock);
1104 	sk_for_each(sk, &sco_sk_list.head) {
1105 		if (sk->sk_state != BT_LISTEN)
1106 			continue;
1107 
1108 		if (!bacmp(&sco_pi(sk)->src, &hdev->bdaddr) ||
1109 		    !bacmp(&sco_pi(sk)->src, BDADDR_ANY)) {
1110 			lm |= HCI_LM_ACCEPT;
1111 
1112 			if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
1113 				*flags |= HCI_PROTO_DEFER;
1114 			break;
1115 		}
1116 	}
1117 	read_unlock(&sco_sk_list.lock);
1118 
1119 	return lm;
1120 }
1121 
1122 static void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
1123 {
1124 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1125 		return;
1126 
1127 	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1128 
1129 	if (!status) {
1130 		struct sco_conn *conn;
1131 
1132 		conn = sco_conn_add(hcon);
1133 		if (conn)
1134 			sco_conn_ready(conn);
1135 	} else
1136 		sco_conn_del(hcon, bt_to_errno(status));
1137 }
1138 
1139 static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
1140 {
1141 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1142 		return;
1143 
1144 	BT_DBG("hcon %p reason %d", hcon, reason);
1145 
1146 	sco_conn_del(hcon, bt_to_errno(reason));
1147 }
1148 
1149 void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
1150 {
1151 	struct sco_conn *conn = hcon->sco_data;
1152 
1153 	if (!conn)
1154 		goto drop;
1155 
1156 	BT_DBG("conn %p len %d", conn, skb->len);
1157 
1158 	if (skb->len) {
1159 		sco_recv_frame(conn, skb);
1160 		return;
1161 	}
1162 
1163 drop:
1164 	kfree_skb(skb);
1165 }
1166 
1167 static struct hci_cb sco_cb = {
1168 	.name		= "SCO",
1169 	.connect_cfm	= sco_connect_cfm,
1170 	.disconn_cfm	= sco_disconn_cfm,
1171 };
1172 
1173 static int sco_debugfs_show(struct seq_file *f, void *p)
1174 {
1175 	struct sock *sk;
1176 
1177 	read_lock(&sco_sk_list.lock);
1178 
1179 	sk_for_each(sk, &sco_sk_list.head) {
1180 		seq_printf(f, "%pMR %pMR %d\n", &sco_pi(sk)->src,
1181 			   &sco_pi(sk)->dst, sk->sk_state);
1182 	}
1183 
1184 	read_unlock(&sco_sk_list.lock);
1185 
1186 	return 0;
1187 }
1188 
1189 DEFINE_SHOW_ATTRIBUTE(sco_debugfs);
1190 
1191 static struct dentry *sco_debugfs;
1192 
1193 static const struct proto_ops sco_sock_ops = {
1194 	.family		= PF_BLUETOOTH,
1195 	.owner		= THIS_MODULE,
1196 	.release	= sco_sock_release,
1197 	.bind		= sco_sock_bind,
1198 	.connect	= sco_sock_connect,
1199 	.listen		= sco_sock_listen,
1200 	.accept		= sco_sock_accept,
1201 	.getname	= sco_sock_getname,
1202 	.sendmsg	= sco_sock_sendmsg,
1203 	.recvmsg	= sco_sock_recvmsg,
1204 	.poll		= bt_sock_poll,
1205 	.ioctl		= bt_sock_ioctl,
1206 	.gettstamp	= sock_gettstamp,
1207 	.mmap		= sock_no_mmap,
1208 	.socketpair	= sock_no_socketpair,
1209 	.shutdown	= sco_sock_shutdown,
1210 	.setsockopt	= sco_sock_setsockopt,
1211 	.getsockopt	= sco_sock_getsockopt
1212 };
1213 
1214 static const struct net_proto_family sco_sock_family_ops = {
1215 	.family	= PF_BLUETOOTH,
1216 	.owner	= THIS_MODULE,
1217 	.create	= sco_sock_create,
1218 };
1219 
1220 int __init sco_init(void)
1221 {
1222 	int err;
1223 
1224 	BUILD_BUG_ON(sizeof(struct sockaddr_sco) > sizeof(struct sockaddr));
1225 
1226 	err = proto_register(&sco_proto, 0);
1227 	if (err < 0)
1228 		return err;
1229 
1230 	err = bt_sock_register(BTPROTO_SCO, &sco_sock_family_ops);
1231 	if (err < 0) {
1232 		BT_ERR("SCO socket registration failed");
1233 		goto error;
1234 	}
1235 
1236 	err = bt_procfs_init(&init_net, "sco", &sco_sk_list, NULL);
1237 	if (err < 0) {
1238 		BT_ERR("Failed to create SCO proc file");
1239 		bt_sock_unregister(BTPROTO_SCO);
1240 		goto error;
1241 	}
1242 
1243 	BT_INFO("SCO socket layer initialized");
1244 
1245 	hci_register_cb(&sco_cb);
1246 
1247 	if (IS_ERR_OR_NULL(bt_debugfs))
1248 		return 0;
1249 
1250 	sco_debugfs = debugfs_create_file("sco", 0444, bt_debugfs,
1251 					  NULL, &sco_debugfs_fops);
1252 
1253 	return 0;
1254 
1255 error:
1256 	proto_unregister(&sco_proto);
1257 	return err;
1258 }
1259 
1260 void sco_exit(void)
1261 {
1262 	bt_procfs_cleanup(&init_net, "sco");
1263 
1264 	debugfs_remove(sco_debugfs);
1265 
1266 	hci_unregister_cb(&sco_cb);
1267 
1268 	bt_sock_unregister(BTPROTO_SCO);
1269 
1270 	proto_unregister(&sco_proto);
1271 }
1272 
1273 module_param(disable_esco, bool, 0644);
1274 MODULE_PARM_DESC(disable_esco, "Disable eSCO connection creation");
1275