xref: /linux/net/bluetooth/sco.c (revision 905e46acd3272d04566fec49afbd7ad9e2ed9ae3)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth SCO sockets. */
26 
27 #include <linux/module.h>
28 #include <linux/debugfs.h>
29 #include <linux/seq_file.h>
30 #include <linux/sched/signal.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/sco.h>
35 
36 static bool disable_esco;
37 
38 static const struct proto_ops sco_sock_ops;
39 
40 static struct bt_sock_list sco_sk_list = {
41 	.lock = __RW_LOCK_UNLOCKED(sco_sk_list.lock)
42 };
43 
44 /* ---- SCO connections ---- */
45 struct sco_conn {
46 	struct hci_conn	*hcon;
47 
48 	spinlock_t	lock;
49 	struct sock	*sk;
50 
51 	unsigned int    mtu;
52 };
53 
54 #define sco_conn_lock(c)	spin_lock(&c->lock);
55 #define sco_conn_unlock(c)	spin_unlock(&c->lock);
56 
57 static void sco_sock_close(struct sock *sk);
58 static void sco_sock_kill(struct sock *sk);
59 
60 /* ----- SCO socket info ----- */
61 #define sco_pi(sk) ((struct sco_pinfo *) sk)
62 
63 struct sco_pinfo {
64 	struct bt_sock	bt;
65 	bdaddr_t	src;
66 	bdaddr_t	dst;
67 	__u32		flags;
68 	__u16		setting;
69 	struct sco_conn	*conn;
70 };
71 
72 /* ---- SCO timers ---- */
73 #define SCO_CONN_TIMEOUT	(HZ * 40)
74 #define SCO_DISCONN_TIMEOUT	(HZ * 2)
75 
76 static void sco_sock_timeout(unsigned long arg)
77 {
78 	struct sock *sk = (struct sock *)arg;
79 
80 	BT_DBG("sock %p state %d", sk, sk->sk_state);
81 
82 	bh_lock_sock(sk);
83 	sk->sk_err = ETIMEDOUT;
84 	sk->sk_state_change(sk);
85 	bh_unlock_sock(sk);
86 
87 	sco_sock_kill(sk);
88 	sock_put(sk);
89 }
90 
91 static void sco_sock_set_timer(struct sock *sk, long timeout)
92 {
93 	BT_DBG("sock %p state %d timeout %ld", sk, sk->sk_state, timeout);
94 	sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
95 }
96 
97 static void sco_sock_clear_timer(struct sock *sk)
98 {
99 	BT_DBG("sock %p state %d", sk, sk->sk_state);
100 	sk_stop_timer(sk, &sk->sk_timer);
101 }
102 
103 /* ---- SCO connections ---- */
104 static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
105 {
106 	struct hci_dev *hdev = hcon->hdev;
107 	struct sco_conn *conn = hcon->sco_data;
108 
109 	if (conn)
110 		return conn;
111 
112 	conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL);
113 	if (!conn)
114 		return NULL;
115 
116 	spin_lock_init(&conn->lock);
117 
118 	hcon->sco_data = conn;
119 	conn->hcon = hcon;
120 
121 	if (hdev->sco_mtu > 0)
122 		conn->mtu = hdev->sco_mtu;
123 	else
124 		conn->mtu = 60;
125 
126 	BT_DBG("hcon %p conn %p", hcon, conn);
127 
128 	return conn;
129 }
130 
131 /* Delete channel.
132  * Must be called on the locked socket. */
133 static void sco_chan_del(struct sock *sk, int err)
134 {
135 	struct sco_conn *conn;
136 
137 	conn = sco_pi(sk)->conn;
138 
139 	BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
140 
141 	if (conn) {
142 		sco_conn_lock(conn);
143 		conn->sk = NULL;
144 		sco_pi(sk)->conn = NULL;
145 		sco_conn_unlock(conn);
146 
147 		if (conn->hcon)
148 			hci_conn_drop(conn->hcon);
149 	}
150 
151 	sk->sk_state = BT_CLOSED;
152 	sk->sk_err   = err;
153 	sk->sk_state_change(sk);
154 
155 	sock_set_flag(sk, SOCK_ZAPPED);
156 }
157 
158 static void sco_conn_del(struct hci_conn *hcon, int err)
159 {
160 	struct sco_conn *conn = hcon->sco_data;
161 	struct sock *sk;
162 
163 	if (!conn)
164 		return;
165 
166 	BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
167 
168 	/* Kill socket */
169 	sco_conn_lock(conn);
170 	sk = conn->sk;
171 	sco_conn_unlock(conn);
172 
173 	if (sk) {
174 		sock_hold(sk);
175 		bh_lock_sock(sk);
176 		sco_sock_clear_timer(sk);
177 		sco_chan_del(sk, err);
178 		bh_unlock_sock(sk);
179 		sco_sock_kill(sk);
180 		sock_put(sk);
181 	}
182 
183 	hcon->sco_data = NULL;
184 	kfree(conn);
185 }
186 
187 static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
188 			   struct sock *parent)
189 {
190 	BT_DBG("conn %p", conn);
191 
192 	sco_pi(sk)->conn = conn;
193 	conn->sk = sk;
194 
195 	if (parent)
196 		bt_accept_enqueue(parent, sk);
197 }
198 
199 static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
200 			struct sock *parent)
201 {
202 	int err = 0;
203 
204 	sco_conn_lock(conn);
205 	if (conn->sk)
206 		err = -EBUSY;
207 	else
208 		__sco_chan_add(conn, sk, parent);
209 
210 	sco_conn_unlock(conn);
211 	return err;
212 }
213 
214 static int sco_connect(struct sock *sk)
215 {
216 	struct sco_conn *conn;
217 	struct hci_conn *hcon;
218 	struct hci_dev  *hdev;
219 	int err, type;
220 
221 	BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst);
222 
223 	hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR);
224 	if (!hdev)
225 		return -EHOSTUNREACH;
226 
227 	hci_dev_lock(hdev);
228 
229 	if (lmp_esco_capable(hdev) && !disable_esco)
230 		type = ESCO_LINK;
231 	else
232 		type = SCO_LINK;
233 
234 	if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
235 	    (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) {
236 		err = -EOPNOTSUPP;
237 		goto done;
238 	}
239 
240 	hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
241 			       sco_pi(sk)->setting);
242 	if (IS_ERR(hcon)) {
243 		err = PTR_ERR(hcon);
244 		goto done;
245 	}
246 
247 	conn = sco_conn_add(hcon);
248 	if (!conn) {
249 		hci_conn_drop(hcon);
250 		err = -ENOMEM;
251 		goto done;
252 	}
253 
254 	/* Update source addr of the socket */
255 	bacpy(&sco_pi(sk)->src, &hcon->src);
256 
257 	err = sco_chan_add(conn, sk, NULL);
258 	if (err)
259 		goto done;
260 
261 	if (hcon->state == BT_CONNECTED) {
262 		sco_sock_clear_timer(sk);
263 		sk->sk_state = BT_CONNECTED;
264 	} else {
265 		sk->sk_state = BT_CONNECT;
266 		sco_sock_set_timer(sk, sk->sk_sndtimeo);
267 	}
268 
269 done:
270 	hci_dev_unlock(hdev);
271 	hci_dev_put(hdev);
272 	return err;
273 }
274 
275 static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
276 {
277 	struct sco_conn *conn = sco_pi(sk)->conn;
278 	struct sk_buff *skb;
279 	int err;
280 
281 	/* Check outgoing MTU */
282 	if (len > conn->mtu)
283 		return -EINVAL;
284 
285 	BT_DBG("sk %p len %d", sk, len);
286 
287 	skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
288 	if (!skb)
289 		return err;
290 
291 	if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
292 		kfree_skb(skb);
293 		return -EFAULT;
294 	}
295 
296 	hci_send_sco(conn->hcon, skb);
297 
298 	return len;
299 }
300 
301 static void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
302 {
303 	struct sock *sk;
304 
305 	sco_conn_lock(conn);
306 	sk = conn->sk;
307 	sco_conn_unlock(conn);
308 
309 	if (!sk)
310 		goto drop;
311 
312 	BT_DBG("sk %p len %d", sk, skb->len);
313 
314 	if (sk->sk_state != BT_CONNECTED)
315 		goto drop;
316 
317 	if (!sock_queue_rcv_skb(sk, skb))
318 		return;
319 
320 drop:
321 	kfree_skb(skb);
322 }
323 
324 /* -------- Socket interface ---------- */
325 static struct sock *__sco_get_sock_listen_by_addr(bdaddr_t *ba)
326 {
327 	struct sock *sk;
328 
329 	sk_for_each(sk, &sco_sk_list.head) {
330 		if (sk->sk_state != BT_LISTEN)
331 			continue;
332 
333 		if (!bacmp(&sco_pi(sk)->src, ba))
334 			return sk;
335 	}
336 
337 	return NULL;
338 }
339 
340 /* Find socket listening on source bdaddr.
341  * Returns closest match.
342  */
343 static struct sock *sco_get_sock_listen(bdaddr_t *src)
344 {
345 	struct sock *sk = NULL, *sk1 = NULL;
346 
347 	read_lock(&sco_sk_list.lock);
348 
349 	sk_for_each(sk, &sco_sk_list.head) {
350 		if (sk->sk_state != BT_LISTEN)
351 			continue;
352 
353 		/* Exact match. */
354 		if (!bacmp(&sco_pi(sk)->src, src))
355 			break;
356 
357 		/* Closest match */
358 		if (!bacmp(&sco_pi(sk)->src, BDADDR_ANY))
359 			sk1 = sk;
360 	}
361 
362 	read_unlock(&sco_sk_list.lock);
363 
364 	return sk ? sk : sk1;
365 }
366 
367 static void sco_sock_destruct(struct sock *sk)
368 {
369 	BT_DBG("sk %p", sk);
370 
371 	skb_queue_purge(&sk->sk_receive_queue);
372 	skb_queue_purge(&sk->sk_write_queue);
373 }
374 
375 static void sco_sock_cleanup_listen(struct sock *parent)
376 {
377 	struct sock *sk;
378 
379 	BT_DBG("parent %p", parent);
380 
381 	/* Close not yet accepted channels */
382 	while ((sk = bt_accept_dequeue(parent, NULL))) {
383 		sco_sock_close(sk);
384 		sco_sock_kill(sk);
385 	}
386 
387 	parent->sk_state  = BT_CLOSED;
388 	sock_set_flag(parent, SOCK_ZAPPED);
389 }
390 
391 /* Kill socket (only if zapped and orphan)
392  * Must be called on unlocked socket.
393  */
394 static void sco_sock_kill(struct sock *sk)
395 {
396 	if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
397 		return;
398 
399 	BT_DBG("sk %p state %d", sk, sk->sk_state);
400 
401 	/* Kill poor orphan */
402 	bt_sock_unlink(&sco_sk_list, sk);
403 	sock_set_flag(sk, SOCK_DEAD);
404 	sock_put(sk);
405 }
406 
407 static void __sco_sock_close(struct sock *sk)
408 {
409 	BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
410 
411 	switch (sk->sk_state) {
412 	case BT_LISTEN:
413 		sco_sock_cleanup_listen(sk);
414 		break;
415 
416 	case BT_CONNECTED:
417 	case BT_CONFIG:
418 		if (sco_pi(sk)->conn->hcon) {
419 			sk->sk_state = BT_DISCONN;
420 			sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
421 			sco_conn_lock(sco_pi(sk)->conn);
422 			hci_conn_drop(sco_pi(sk)->conn->hcon);
423 			sco_pi(sk)->conn->hcon = NULL;
424 			sco_conn_unlock(sco_pi(sk)->conn);
425 		} else
426 			sco_chan_del(sk, ECONNRESET);
427 		break;
428 
429 	case BT_CONNECT2:
430 	case BT_CONNECT:
431 	case BT_DISCONN:
432 		sco_chan_del(sk, ECONNRESET);
433 		break;
434 
435 	default:
436 		sock_set_flag(sk, SOCK_ZAPPED);
437 		break;
438 	}
439 }
440 
441 /* Must be called on unlocked socket. */
442 static void sco_sock_close(struct sock *sk)
443 {
444 	sco_sock_clear_timer(sk);
445 	lock_sock(sk);
446 	__sco_sock_close(sk);
447 	release_sock(sk);
448 	sco_sock_kill(sk);
449 }
450 
451 static void sco_sock_init(struct sock *sk, struct sock *parent)
452 {
453 	BT_DBG("sk %p", sk);
454 
455 	if (parent) {
456 		sk->sk_type = parent->sk_type;
457 		bt_sk(sk)->flags = bt_sk(parent)->flags;
458 		security_sk_clone(parent, sk);
459 	}
460 }
461 
462 static struct proto sco_proto = {
463 	.name		= "SCO",
464 	.owner		= THIS_MODULE,
465 	.obj_size	= sizeof(struct sco_pinfo)
466 };
467 
468 static struct sock *sco_sock_alloc(struct net *net, struct socket *sock,
469 				   int proto, gfp_t prio, int kern)
470 {
471 	struct sock *sk;
472 
473 	sk = sk_alloc(net, PF_BLUETOOTH, prio, &sco_proto, kern);
474 	if (!sk)
475 		return NULL;
476 
477 	sock_init_data(sock, sk);
478 	INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
479 
480 	sk->sk_destruct = sco_sock_destruct;
481 	sk->sk_sndtimeo = SCO_CONN_TIMEOUT;
482 
483 	sock_reset_flag(sk, SOCK_ZAPPED);
484 
485 	sk->sk_protocol = proto;
486 	sk->sk_state    = BT_OPEN;
487 
488 	sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;
489 
490 	setup_timer(&sk->sk_timer, sco_sock_timeout, (unsigned long)sk);
491 
492 	bt_sock_link(&sco_sk_list, sk);
493 	return sk;
494 }
495 
496 static int sco_sock_create(struct net *net, struct socket *sock, int protocol,
497 			   int kern)
498 {
499 	struct sock *sk;
500 
501 	BT_DBG("sock %p", sock);
502 
503 	sock->state = SS_UNCONNECTED;
504 
505 	if (sock->type != SOCK_SEQPACKET)
506 		return -ESOCKTNOSUPPORT;
507 
508 	sock->ops = &sco_sock_ops;
509 
510 	sk = sco_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern);
511 	if (!sk)
512 		return -ENOMEM;
513 
514 	sco_sock_init(sk, NULL);
515 	return 0;
516 }
517 
518 static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
519 			 int addr_len)
520 {
521 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
522 	struct sock *sk = sock->sk;
523 	int err = 0;
524 
525 	BT_DBG("sk %p %pMR", sk, &sa->sco_bdaddr);
526 
527 	if (!addr || addr->sa_family != AF_BLUETOOTH)
528 		return -EINVAL;
529 
530 	if (addr_len < sizeof(struct sockaddr_sco))
531 		return -EINVAL;
532 
533 	lock_sock(sk);
534 
535 	if (sk->sk_state != BT_OPEN) {
536 		err = -EBADFD;
537 		goto done;
538 	}
539 
540 	if (sk->sk_type != SOCK_SEQPACKET) {
541 		err = -EINVAL;
542 		goto done;
543 	}
544 
545 	bacpy(&sco_pi(sk)->src, &sa->sco_bdaddr);
546 
547 	sk->sk_state = BT_BOUND;
548 
549 done:
550 	release_sock(sk);
551 	return err;
552 }
553 
554 static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
555 {
556 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
557 	struct sock *sk = sock->sk;
558 	int err;
559 
560 	BT_DBG("sk %p", sk);
561 
562 	if (alen < sizeof(struct sockaddr_sco) ||
563 	    addr->sa_family != AF_BLUETOOTH)
564 		return -EINVAL;
565 
566 	if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
567 		return -EBADFD;
568 
569 	if (sk->sk_type != SOCK_SEQPACKET)
570 		return -EINVAL;
571 
572 	lock_sock(sk);
573 
574 	/* Set destination address and psm */
575 	bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
576 
577 	err = sco_connect(sk);
578 	if (err)
579 		goto done;
580 
581 	err = bt_sock_wait_state(sk, BT_CONNECTED,
582 				 sock_sndtimeo(sk, flags & O_NONBLOCK));
583 
584 done:
585 	release_sock(sk);
586 	return err;
587 }
588 
589 static int sco_sock_listen(struct socket *sock, int backlog)
590 {
591 	struct sock *sk = sock->sk;
592 	bdaddr_t *src = &sco_pi(sk)->src;
593 	int err = 0;
594 
595 	BT_DBG("sk %p backlog %d", sk, backlog);
596 
597 	lock_sock(sk);
598 
599 	if (sk->sk_state != BT_BOUND) {
600 		err = -EBADFD;
601 		goto done;
602 	}
603 
604 	if (sk->sk_type != SOCK_SEQPACKET) {
605 		err = -EINVAL;
606 		goto done;
607 	}
608 
609 	write_lock(&sco_sk_list.lock);
610 
611 	if (__sco_get_sock_listen_by_addr(src)) {
612 		err = -EADDRINUSE;
613 		goto unlock;
614 	}
615 
616 	sk->sk_max_ack_backlog = backlog;
617 	sk->sk_ack_backlog = 0;
618 
619 	sk->sk_state = BT_LISTEN;
620 
621 unlock:
622 	write_unlock(&sco_sk_list.lock);
623 
624 done:
625 	release_sock(sk);
626 	return err;
627 }
628 
629 static int sco_sock_accept(struct socket *sock, struct socket *newsock,
630 			   int flags, bool kern)
631 {
632 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
633 	struct sock *sk = sock->sk, *ch;
634 	long timeo;
635 	int err = 0;
636 
637 	lock_sock(sk);
638 
639 	timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
640 
641 	BT_DBG("sk %p timeo %ld", sk, timeo);
642 
643 	/* Wait for an incoming connection. (wake-one). */
644 	add_wait_queue_exclusive(sk_sleep(sk), &wait);
645 	while (1) {
646 		if (sk->sk_state != BT_LISTEN) {
647 			err = -EBADFD;
648 			break;
649 		}
650 
651 		ch = bt_accept_dequeue(sk, newsock);
652 		if (ch)
653 			break;
654 
655 		if (!timeo) {
656 			err = -EAGAIN;
657 			break;
658 		}
659 
660 		if (signal_pending(current)) {
661 			err = sock_intr_errno(timeo);
662 			break;
663 		}
664 
665 		release_sock(sk);
666 
667 		timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
668 		lock_sock(sk);
669 	}
670 	remove_wait_queue(sk_sleep(sk), &wait);
671 
672 	if (err)
673 		goto done;
674 
675 	newsock->state = SS_CONNECTED;
676 
677 	BT_DBG("new socket %p", ch);
678 
679 done:
680 	release_sock(sk);
681 	return err;
682 }
683 
684 static int sco_sock_getname(struct socket *sock, struct sockaddr *addr,
685 			    int *len, int peer)
686 {
687 	struct sockaddr_sco *sa = (struct sockaddr_sco *) addr;
688 	struct sock *sk = sock->sk;
689 
690 	BT_DBG("sock %p, sk %p", sock, sk);
691 
692 	addr->sa_family = AF_BLUETOOTH;
693 	*len = sizeof(struct sockaddr_sco);
694 
695 	if (peer)
696 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->dst);
697 	else
698 		bacpy(&sa->sco_bdaddr, &sco_pi(sk)->src);
699 
700 	return 0;
701 }
702 
703 static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
704 			    size_t len)
705 {
706 	struct sock *sk = sock->sk;
707 	int err;
708 
709 	BT_DBG("sock %p, sk %p", sock, sk);
710 
711 	err = sock_error(sk);
712 	if (err)
713 		return err;
714 
715 	if (msg->msg_flags & MSG_OOB)
716 		return -EOPNOTSUPP;
717 
718 	lock_sock(sk);
719 
720 	if (sk->sk_state == BT_CONNECTED)
721 		err = sco_send_frame(sk, msg, len);
722 	else
723 		err = -ENOTCONN;
724 
725 	release_sock(sk);
726 	return err;
727 }
728 
729 static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting)
730 {
731 	struct hci_dev *hdev = conn->hdev;
732 
733 	BT_DBG("conn %p", conn);
734 
735 	conn->state = BT_CONFIG;
736 
737 	if (!lmp_esco_capable(hdev)) {
738 		struct hci_cp_accept_conn_req cp;
739 
740 		bacpy(&cp.bdaddr, &conn->dst);
741 		cp.role = 0x00; /* Ignored */
742 
743 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
744 	} else {
745 		struct hci_cp_accept_sync_conn_req cp;
746 
747 		bacpy(&cp.bdaddr, &conn->dst);
748 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
749 
750 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
751 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
752 		cp.content_format = cpu_to_le16(setting);
753 
754 		switch (setting & SCO_AIRMODE_MASK) {
755 		case SCO_AIRMODE_TRANSP:
756 			if (conn->pkt_type & ESCO_2EV3)
757 				cp.max_latency = cpu_to_le16(0x0008);
758 			else
759 				cp.max_latency = cpu_to_le16(0x000D);
760 			cp.retrans_effort = 0x02;
761 			break;
762 		case SCO_AIRMODE_CVSD:
763 			cp.max_latency = cpu_to_le16(0xffff);
764 			cp.retrans_effort = 0xff;
765 			break;
766 		}
767 
768 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
769 			     sizeof(cp), &cp);
770 	}
771 }
772 
773 static int sco_sock_recvmsg(struct socket *sock, struct msghdr *msg,
774 			    size_t len, int flags)
775 {
776 	struct sock *sk = sock->sk;
777 	struct sco_pinfo *pi = sco_pi(sk);
778 
779 	lock_sock(sk);
780 
781 	if (sk->sk_state == BT_CONNECT2 &&
782 	    test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
783 		sco_conn_defer_accept(pi->conn->hcon, pi->setting);
784 		sk->sk_state = BT_CONFIG;
785 
786 		release_sock(sk);
787 		return 0;
788 	}
789 
790 	release_sock(sk);
791 
792 	return bt_sock_recvmsg(sock, msg, len, flags);
793 }
794 
795 static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
796 			       char __user *optval, unsigned int optlen)
797 {
798 	struct sock *sk = sock->sk;
799 	int len, err = 0;
800 	struct bt_voice voice;
801 	u32 opt;
802 
803 	BT_DBG("sk %p", sk);
804 
805 	lock_sock(sk);
806 
807 	switch (optname) {
808 
809 	case BT_DEFER_SETUP:
810 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
811 			err = -EINVAL;
812 			break;
813 		}
814 
815 		if (get_user(opt, (u32 __user *) optval)) {
816 			err = -EFAULT;
817 			break;
818 		}
819 
820 		if (opt)
821 			set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
822 		else
823 			clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
824 		break;
825 
826 	case BT_VOICE:
827 		if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND &&
828 		    sk->sk_state != BT_CONNECT2) {
829 			err = -EINVAL;
830 			break;
831 		}
832 
833 		voice.setting = sco_pi(sk)->setting;
834 
835 		len = min_t(unsigned int, sizeof(voice), optlen);
836 		if (copy_from_user((char *)&voice, optval, len)) {
837 			err = -EFAULT;
838 			break;
839 		}
840 
841 		/* Explicitly check for these values */
842 		if (voice.setting != BT_VOICE_TRANSPARENT &&
843 		    voice.setting != BT_VOICE_CVSD_16BIT) {
844 			err = -EINVAL;
845 			break;
846 		}
847 
848 		sco_pi(sk)->setting = voice.setting;
849 		break;
850 
851 	default:
852 		err = -ENOPROTOOPT;
853 		break;
854 	}
855 
856 	release_sock(sk);
857 	return err;
858 }
859 
860 static int sco_sock_getsockopt_old(struct socket *sock, int optname,
861 				   char __user *optval, int __user *optlen)
862 {
863 	struct sock *sk = sock->sk;
864 	struct sco_options opts;
865 	struct sco_conninfo cinfo;
866 	int len, err = 0;
867 
868 	BT_DBG("sk %p", sk);
869 
870 	if (get_user(len, optlen))
871 		return -EFAULT;
872 
873 	lock_sock(sk);
874 
875 	switch (optname) {
876 	case SCO_OPTIONS:
877 		if (sk->sk_state != BT_CONNECTED &&
878 		    !(sk->sk_state == BT_CONNECT2 &&
879 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
880 			err = -ENOTCONN;
881 			break;
882 		}
883 
884 		opts.mtu = sco_pi(sk)->conn->mtu;
885 
886 		BT_DBG("mtu %d", opts.mtu);
887 
888 		len = min_t(unsigned int, len, sizeof(opts));
889 		if (copy_to_user(optval, (char *)&opts, len))
890 			err = -EFAULT;
891 
892 		break;
893 
894 	case SCO_CONNINFO:
895 		if (sk->sk_state != BT_CONNECTED &&
896 		    !(sk->sk_state == BT_CONNECT2 &&
897 		      test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) {
898 			err = -ENOTCONN;
899 			break;
900 		}
901 
902 		memset(&cinfo, 0, sizeof(cinfo));
903 		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
904 		memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
905 
906 		len = min_t(unsigned int, len, sizeof(cinfo));
907 		if (copy_to_user(optval, (char *)&cinfo, len))
908 			err = -EFAULT;
909 
910 		break;
911 
912 	default:
913 		err = -ENOPROTOOPT;
914 		break;
915 	}
916 
917 	release_sock(sk);
918 	return err;
919 }
920 
921 static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
922 			       char __user *optval, int __user *optlen)
923 {
924 	struct sock *sk = sock->sk;
925 	int len, err = 0;
926 	struct bt_voice voice;
927 
928 	BT_DBG("sk %p", sk);
929 
930 	if (level == SOL_SCO)
931 		return sco_sock_getsockopt_old(sock, optname, optval, optlen);
932 
933 	if (get_user(len, optlen))
934 		return -EFAULT;
935 
936 	lock_sock(sk);
937 
938 	switch (optname) {
939 
940 	case BT_DEFER_SETUP:
941 		if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
942 			err = -EINVAL;
943 			break;
944 		}
945 
946 		if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags),
947 			     (u32 __user *)optval))
948 			err = -EFAULT;
949 
950 		break;
951 
952 	case BT_VOICE:
953 		voice.setting = sco_pi(sk)->setting;
954 
955 		len = min_t(unsigned int, len, sizeof(voice));
956 		if (copy_to_user(optval, (char *)&voice, len))
957 			err = -EFAULT;
958 
959 		break;
960 
961 	default:
962 		err = -ENOPROTOOPT;
963 		break;
964 	}
965 
966 	release_sock(sk);
967 	return err;
968 }
969 
970 static int sco_sock_shutdown(struct socket *sock, int how)
971 {
972 	struct sock *sk = sock->sk;
973 	int err = 0;
974 
975 	BT_DBG("sock %p, sk %p", sock, sk);
976 
977 	if (!sk)
978 		return 0;
979 
980 	sock_hold(sk);
981 	lock_sock(sk);
982 
983 	if (!sk->sk_shutdown) {
984 		sk->sk_shutdown = SHUTDOWN_MASK;
985 		sco_sock_clear_timer(sk);
986 		__sco_sock_close(sk);
987 
988 		if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
989 		    !(current->flags & PF_EXITING))
990 			err = bt_sock_wait_state(sk, BT_CLOSED,
991 						 sk->sk_lingertime);
992 	}
993 
994 	release_sock(sk);
995 	sock_put(sk);
996 
997 	return err;
998 }
999 
1000 static int sco_sock_release(struct socket *sock)
1001 {
1002 	struct sock *sk = sock->sk;
1003 	int err = 0;
1004 
1005 	BT_DBG("sock %p, sk %p", sock, sk);
1006 
1007 	if (!sk)
1008 		return 0;
1009 
1010 	sco_sock_close(sk);
1011 
1012 	if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
1013 	    !(current->flags & PF_EXITING)) {
1014 		lock_sock(sk);
1015 		err = bt_sock_wait_state(sk, BT_CLOSED, sk->sk_lingertime);
1016 		release_sock(sk);
1017 	}
1018 
1019 	sock_orphan(sk);
1020 	sco_sock_kill(sk);
1021 	return err;
1022 }
1023 
1024 static void sco_conn_ready(struct sco_conn *conn)
1025 {
1026 	struct sock *parent;
1027 	struct sock *sk = conn->sk;
1028 
1029 	BT_DBG("conn %p", conn);
1030 
1031 	if (sk) {
1032 		sco_sock_clear_timer(sk);
1033 		bh_lock_sock(sk);
1034 		sk->sk_state = BT_CONNECTED;
1035 		sk->sk_state_change(sk);
1036 		bh_unlock_sock(sk);
1037 	} else {
1038 		sco_conn_lock(conn);
1039 
1040 		if (!conn->hcon) {
1041 			sco_conn_unlock(conn);
1042 			return;
1043 		}
1044 
1045 		parent = sco_get_sock_listen(&conn->hcon->src);
1046 		if (!parent) {
1047 			sco_conn_unlock(conn);
1048 			return;
1049 		}
1050 
1051 		bh_lock_sock(parent);
1052 
1053 		sk = sco_sock_alloc(sock_net(parent), NULL,
1054 				    BTPROTO_SCO, GFP_ATOMIC, 0);
1055 		if (!sk) {
1056 			bh_unlock_sock(parent);
1057 			sco_conn_unlock(conn);
1058 			return;
1059 		}
1060 
1061 		sco_sock_init(sk, parent);
1062 
1063 		bacpy(&sco_pi(sk)->src, &conn->hcon->src);
1064 		bacpy(&sco_pi(sk)->dst, &conn->hcon->dst);
1065 
1066 		hci_conn_hold(conn->hcon);
1067 		__sco_chan_add(conn, sk, parent);
1068 
1069 		if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
1070 			sk->sk_state = BT_CONNECT2;
1071 		else
1072 			sk->sk_state = BT_CONNECTED;
1073 
1074 		/* Wake up parent */
1075 		parent->sk_data_ready(parent);
1076 
1077 		bh_unlock_sock(parent);
1078 
1079 		sco_conn_unlock(conn);
1080 	}
1081 }
1082 
1083 /* ----- SCO interface with lower layer (HCI) ----- */
1084 int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
1085 {
1086 	struct sock *sk;
1087 	int lm = 0;
1088 
1089 	BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
1090 
1091 	/* Find listening sockets */
1092 	read_lock(&sco_sk_list.lock);
1093 	sk_for_each(sk, &sco_sk_list.head) {
1094 		if (sk->sk_state != BT_LISTEN)
1095 			continue;
1096 
1097 		if (!bacmp(&sco_pi(sk)->src, &hdev->bdaddr) ||
1098 		    !bacmp(&sco_pi(sk)->src, BDADDR_ANY)) {
1099 			lm |= HCI_LM_ACCEPT;
1100 
1101 			if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))
1102 				*flags |= HCI_PROTO_DEFER;
1103 			break;
1104 		}
1105 	}
1106 	read_unlock(&sco_sk_list.lock);
1107 
1108 	return lm;
1109 }
1110 
1111 static void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
1112 {
1113 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1114 		return;
1115 
1116 	BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
1117 
1118 	if (!status) {
1119 		struct sco_conn *conn;
1120 
1121 		conn = sco_conn_add(hcon);
1122 		if (conn)
1123 			sco_conn_ready(conn);
1124 	} else
1125 		sco_conn_del(hcon, bt_to_errno(status));
1126 }
1127 
1128 static void sco_disconn_cfm(struct hci_conn *hcon, __u8 reason)
1129 {
1130 	if (hcon->type != SCO_LINK && hcon->type != ESCO_LINK)
1131 		return;
1132 
1133 	BT_DBG("hcon %p reason %d", hcon, reason);
1134 
1135 	sco_conn_del(hcon, bt_to_errno(reason));
1136 }
1137 
1138 void sco_recv_scodata(struct hci_conn *hcon, struct sk_buff *skb)
1139 {
1140 	struct sco_conn *conn = hcon->sco_data;
1141 
1142 	if (!conn)
1143 		goto drop;
1144 
1145 	BT_DBG("conn %p len %d", conn, skb->len);
1146 
1147 	if (skb->len) {
1148 		sco_recv_frame(conn, skb);
1149 		return;
1150 	}
1151 
1152 drop:
1153 	kfree_skb(skb);
1154 }
1155 
1156 static struct hci_cb sco_cb = {
1157 	.name		= "SCO",
1158 	.connect_cfm	= sco_connect_cfm,
1159 	.disconn_cfm	= sco_disconn_cfm,
1160 };
1161 
1162 static int sco_debugfs_show(struct seq_file *f, void *p)
1163 {
1164 	struct sock *sk;
1165 
1166 	read_lock(&sco_sk_list.lock);
1167 
1168 	sk_for_each(sk, &sco_sk_list.head) {
1169 		seq_printf(f, "%pMR %pMR %d\n", &sco_pi(sk)->src,
1170 			   &sco_pi(sk)->dst, sk->sk_state);
1171 	}
1172 
1173 	read_unlock(&sco_sk_list.lock);
1174 
1175 	return 0;
1176 }
1177 
1178 static int sco_debugfs_open(struct inode *inode, struct file *file)
1179 {
1180 	return single_open(file, sco_debugfs_show, inode->i_private);
1181 }
1182 
1183 static const struct file_operations sco_debugfs_fops = {
1184 	.open		= sco_debugfs_open,
1185 	.read		= seq_read,
1186 	.llseek		= seq_lseek,
1187 	.release	= single_release,
1188 };
1189 
1190 static struct dentry *sco_debugfs;
1191 
1192 static const struct proto_ops sco_sock_ops = {
1193 	.family		= PF_BLUETOOTH,
1194 	.owner		= THIS_MODULE,
1195 	.release	= sco_sock_release,
1196 	.bind		= sco_sock_bind,
1197 	.connect	= sco_sock_connect,
1198 	.listen		= sco_sock_listen,
1199 	.accept		= sco_sock_accept,
1200 	.getname	= sco_sock_getname,
1201 	.sendmsg	= sco_sock_sendmsg,
1202 	.recvmsg	= sco_sock_recvmsg,
1203 	.poll		= bt_sock_poll,
1204 	.ioctl		= bt_sock_ioctl,
1205 	.mmap		= sock_no_mmap,
1206 	.socketpair	= sock_no_socketpair,
1207 	.shutdown	= sco_sock_shutdown,
1208 	.setsockopt	= sco_sock_setsockopt,
1209 	.getsockopt	= sco_sock_getsockopt
1210 };
1211 
1212 static const struct net_proto_family sco_sock_family_ops = {
1213 	.family	= PF_BLUETOOTH,
1214 	.owner	= THIS_MODULE,
1215 	.create	= sco_sock_create,
1216 };
1217 
1218 int __init sco_init(void)
1219 {
1220 	int err;
1221 
1222 	BUILD_BUG_ON(sizeof(struct sockaddr_sco) > sizeof(struct sockaddr));
1223 
1224 	err = proto_register(&sco_proto, 0);
1225 	if (err < 0)
1226 		return err;
1227 
1228 	err = bt_sock_register(BTPROTO_SCO, &sco_sock_family_ops);
1229 	if (err < 0) {
1230 		BT_ERR("SCO socket registration failed");
1231 		goto error;
1232 	}
1233 
1234 	err = bt_procfs_init(&init_net, "sco", &sco_sk_list, NULL);
1235 	if (err < 0) {
1236 		BT_ERR("Failed to create SCO proc file");
1237 		bt_sock_unregister(BTPROTO_SCO);
1238 		goto error;
1239 	}
1240 
1241 	BT_INFO("SCO socket layer initialized");
1242 
1243 	hci_register_cb(&sco_cb);
1244 
1245 	if (IS_ERR_OR_NULL(bt_debugfs))
1246 		return 0;
1247 
1248 	sco_debugfs = debugfs_create_file("sco", 0444, bt_debugfs,
1249 					  NULL, &sco_debugfs_fops);
1250 
1251 	return 0;
1252 
1253 error:
1254 	proto_unregister(&sco_proto);
1255 	return err;
1256 }
1257 
1258 void sco_exit(void)
1259 {
1260 	bt_procfs_cleanup(&init_net, "sco");
1261 
1262 	debugfs_remove(sco_debugfs);
1263 
1264 	hci_unregister_cb(&sco_cb);
1265 
1266 	bt_sock_unregister(BTPROTO_SCO);
1267 
1268 	proto_unregister(&sco_proto);
1269 }
1270 
1271 module_param(disable_esco, bool, 0644);
1272 MODULE_PARM_DESC(disable_esco, "Disable eSCO connection creation");
1273