Bluetooth: hidp: fix sending output reports on intr channel

[mirror_ubuntu-artful-kernel.git] / net / bluetooth / hidp / core.c

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index a7352ff3fd1e7884c2fc43142fba9bc0033063b8..940f5acb6694c3901c0607df32ecc8fef1e5f224 100644 (file)
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -1,6 +1,7 @@
 /*
    HIDP implementation for Linux Bluetooth stack (BlueZ).
    Copyright (C) 2003-2004 Marcel Holtmann <marcel@holtmann.org>
+   Copyright (C) 2013 David Herrmann <dh.herrmann@gmail.com>
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License version 2 as
@@ -20,6 +21,7 @@
    SOFTWARE IS DISCLAIMED.
 */
 
+#include <linux/kref.h>
 #include <linux/module.h>
 #include <linux/file.h>
 #include <linux/kthread.h>
@@ -59,39 +61,20 @@ static unsigned char hidp_keycode[256] = {
 
 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
 
-static struct hidp_session *__hidp_get_session(bdaddr_t *bdaddr)
-{
-       struct hidp_session *session;
-
-       BT_DBG("");
+static int hidp_session_probe(struct l2cap_conn *conn,
+                             struct l2cap_user *user);
+static void hidp_session_remove(struct l2cap_conn *conn,
+                               struct l2cap_user *user);
+static int hidp_session_thread(void *arg);
+static void hidp_session_terminate(struct hidp_session *s);
 
-       list_for_each_entry(session, &hidp_session_list, list) {
-               if (!bacmp(bdaddr, &session->bdaddr))
-                       return session;
-       }
-
-       return NULL;
-}
-
-static void __hidp_link_session(struct hidp_session *session)
-{
-       list_add(&session->list, &hidp_session_list);
-}
-
-static void __hidp_unlink_session(struct hidp_session *session)
-{
-       hci_conn_put_device(session->conn);
-
-       list_del(&session->list);
-}
-
-static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
+static void hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
 {
        memset(ci, 0, sizeof(*ci));
        bacpy(&ci->bdaddr, &session->bdaddr);
 
        ci->flags = session->flags;
-       ci->state = session->state;
+       ci->state = BT_CONNECTED;
 
        ci->vendor  = 0x0000;
        ci->product = 0x0000;
@@ -115,58 +98,80 @@ static void __hidp_copy_session(struct hidp_session *session, struct hidp_connin
        }
 }
 
-static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev,
-                               unsigned int type, unsigned int code, int value)
+/* assemble skb, queue message on @transmit and wake up the session thread */
+static int hidp_send_message(struct hidp_session *session, struct socket *sock,
+                            struct sk_buff_head *transmit, unsigned char hdr,
+                            const unsigned char *data, int size)
 {
-       unsigned char newleds;
        struct sk_buff *skb;
+       struct sock *sk = sock->sk;
 
-       BT_DBG("session %p type %d code %d value %d", session, type, code, value);
-
-       if (type != EV_LED)
-               return -1;
-
-       newleds = (!!test_bit(LED_KANA,    dev->led) << 3) |
-                 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
-                 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
-                 (!!test_bit(LED_CAPSL,   dev->led) << 1) |
-                 (!!test_bit(LED_NUML,    dev->led));
-
-       if (session->leds == newleds)
-               return 0;
+       BT_DBG("session %p data %p size %d", session, data, size);
 
-       session->leds = newleds;
+       if (atomic_read(&session->terminate))
+               return -EIO;
 
-       skb = alloc_skb(3, GFP_ATOMIC);
+       skb = alloc_skb(size + 1, GFP_ATOMIC);
        if (!skb) {
                BT_ERR("Can't allocate memory for new frame");
                return -ENOMEM;
        }
 
-       *skb_put(skb, 1) = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
-       *skb_put(skb, 1) = 0x01;
-       *skb_put(skb, 1) = newleds;
-
-       skb_queue_tail(&session->intr_transmit, skb);
+       *skb_put(skb, 1) = hdr;
+       if (data && size > 0)
+               memcpy(skb_put(skb, size), data, size);
 
-       hidp_schedule(session);
+       skb_queue_tail(transmit, skb);
+       wake_up_interruptible(sk_sleep(sk));
 
        return 0;
 }
 
-static int hidp_hidinput_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
+static int hidp_send_ctrl_message(struct hidp_session *session,
+                                 unsigned char hdr, const unsigned char *data,
+                                 int size)
 {
-       struct hid_device *hid = input_get_drvdata(dev);
-       struct hidp_session *session = hid->driver_data;
+       return hidp_send_message(session, session->ctrl_sock,
+                                &session->ctrl_transmit, hdr, data, size);
+}
 
-       return hidp_queue_event(session, dev, type, code, value);
+static int hidp_send_intr_message(struct hidp_session *session,
+                                 unsigned char hdr, const unsigned char *data,
+                                 int size)
+{
+       return hidp_send_message(session, session->intr_sock,
+                                &session->intr_transmit, hdr, data, size);
 }
 
-static int hidp_input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
+static int hidp_input_event(struct input_dev *dev, unsigned int type,
+                           unsigned int code, int value)
 {
        struct hidp_session *session = input_get_drvdata(dev);
+       unsigned char newleds;
+       unsigned char hdr, data[2];
+
+       BT_DBG("session %p type %d code %d value %d",
+              session, type, code, value);
+
+       if (type != EV_LED)
+               return -1;
+
+       newleds = (!!test_bit(LED_KANA,    dev->led) << 3) |
+                 (!!test_bit(LED_COMPOSE, dev->led) << 3) |
+                 (!!test_bit(LED_SCROLLL, dev->led) << 2) |
+                 (!!test_bit(LED_CAPSL,   dev->led) << 1) |
+                 (!!test_bit(LED_NUML,    dev->led));
 
-       return hidp_queue_event(session, dev, type, code, value);
+       if (session->leds == newleds)
+               return 0;
+
+       session->leds = newleds;
+
+       hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
+       data[0] = 0x01;
+       data[1] = newleds;
+
+       return hidp_send_intr_message(session, hdr, data, 2);
 }
 
 static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
@@ -224,71 +229,9 @@ static void hidp_input_report(struct hidp_session *session, struct sk_buff *skb)
        input_sync(dev);
 }
 
-static int __hidp_send_ctrl_message(struct hidp_session *session,
-                                   unsigned char hdr, unsigned char *data,
-                                   int size)
-{
-       struct sk_buff *skb;
-
-       BT_DBG("session %p data %p size %d", session, data, size);
-
-       if (atomic_read(&session->terminate))
-               return -EIO;
-
-       skb = alloc_skb(size + 1, GFP_ATOMIC);
-       if (!skb) {
-               BT_ERR("Can't allocate memory for new frame");
-               return -ENOMEM;
-       }
-
-       *skb_put(skb, 1) = hdr;
-       if (data && size > 0)
-               memcpy(skb_put(skb, size), data, size);
-
-       skb_queue_tail(&session->ctrl_transmit, skb);
-
-       return 0;
-}
-
-static int hidp_send_ctrl_message(struct hidp_session *session,
-                       unsigned char hdr, unsigned char *data, int size)
-{
-       int err;
-
-       err = __hidp_send_ctrl_message(session, hdr, data, size);
-
-       hidp_schedule(session);
-
-       return err;
-}
-
-static int hidp_queue_report(struct hidp_session *session,
-                               unsigned char *data, int size)
-{
-       struct sk_buff *skb;
-
-       BT_DBG("session %p hid %p data %p size %d", session, session->hid, data, size);
-
-       skb = alloc_skb(size + 1, GFP_ATOMIC);
-       if (!skb) {
-               BT_ERR("Can't allocate memory for new frame");
-               return -ENOMEM;
-       }
-
-       *skb_put(skb, 1) = 0xa2;
-       if (size > 0)
-               memcpy(skb_put(skb, size), data, size);
-
-       skb_queue_tail(&session->intr_transmit, skb);
-
-       hidp_schedule(session);
-
-       return 0;
-}
-
 static int hidp_send_report(struct hidp_session *session, struct hid_report *report)
 {
-       unsigned char buf[32];
+       unsigned char buf[32], hdr;
        int rsize;
 
        rsize = ((report->size - 1) >> 3) + 1 + (report->id > 0);
@@ -296,8 +239,9 @@ static int hidp_send_report(struct hidp_session *session, struct hid_report *rep
                return -EIO;
 
        hid_output_report(report, buf);
+       hdr = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
 
-       return hidp_queue_report(session, buf, rsize);
+       return hidp_send_intr_message(session, hdr, buf, rsize);
 }
 
 static int hidp_get_raw_report(struct hid_device *hid,
@@ -311,6 +255,9 @@ static int hidp_get_raw_report(struct hid_device *hid,
        int numbered_reports = hid->report_enum[report_type].numbered;
        int ret;
 
+       if (atomic_read(&session->terminate))
+               return -EIO;
+
        switch (report_type) {
        case HID_FEATURE_REPORT:
                report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
@@ -333,17 +280,19 @@ static int hidp_get_raw_report(struct hid_device *hid,
        session->waiting_report_number = numbered_reports ? report_number : -1;
        set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
        data[0] = report_number;
-       ret = hidp_send_ctrl_message(hid->driver_data, report_type, data, 1);
+       ret = hidp_send_ctrl_message(session, report_type, data, 1);
        if (ret)
                goto err;
 
        /* Wait for the return of the report. The returned report
           gets put in session->report_return.  */
-       while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) {
+       while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
+              !atomic_read(&session->terminate)) {
                int res;
 
                res = wait_event_interruptible_timeout(session->report_queue,
-                       !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags),
+                       !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)
+                               || atomic_read(&session->terminate),
                        5*HZ);
                if (res == 0) {
                        /* timeout */
@@ -386,14 +335,11 @@ static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, s
        struct hidp_session *session = hid->driver_data;
        int ret;
 
-       switch (report_type) {
-       case HID_FEATURE_REPORT:
-               report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
-               break;
-       case HID_OUTPUT_REPORT:
-               report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
-               break;
-       default:
+       if (report_type == HID_OUTPUT_REPORT) {
+               report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
+               return hidp_send_intr_message(session, report_type,
+                                             data, count);
+       } else if (report_type != HID_FEATURE_REPORT) {
                return -EINVAL;
        }
 
@@ -402,17 +348,19 @@ static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, s
 
        /* Set up our wait, and send the report request to the device. */
        set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
-       ret = hidp_send_ctrl_message(hid->driver_data, report_type, data,
-                                                                       count);
+       report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
+       ret = hidp_send_ctrl_message(session, report_type, data, count);
        if (ret)
                goto err;
 
        /* Wait for the ACK from the device. */
-       while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
+       while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags) &&
+              !atomic_read(&session->terminate)) {
                int res;
 
                res = wait_event_interruptible_timeout(session->report_queue,
-                       !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags),
+                       !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)
+                               || atomic_read(&session->terminate),
                        10*HZ);
                if (res == 0) {
                        /* timeout */
@@ -443,8 +391,7 @@ static void hidp_idle_timeout(unsigned long arg)
 {
        struct hidp_session *session = (struct hidp_session *) arg;
 
-       atomic_inc(&session->terminate);
-       wake_up_process(session->task);
+       hidp_session_terminate(session);
 }
 
 static void hidp_set_timer(struct hidp_session *session)
@@ -487,12 +434,12 @@ static void hidp_process_handshake(struct hidp_session *session,
        case HIDP_HSHK_ERR_FATAL:
                /* Device requests a reboot, as this is the only way this error
                 * can be recovered. */
-               __hidp_send_ctrl_message(session,
+               hidp_send_ctrl_message(session,
                        HIDP_TRANS_HID_CONTROL | HIDP_CTRL_SOFT_RESET, NULL, 0);
                break;
 
        default:
-               __hidp_send_ctrl_message(session,
+               hidp_send_ctrl_message(session,
                        HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
                break;
        }
@@ -512,8 +459,7 @@ static void hidp_process_hid_control(struct hidp_session *session,
                skb_queue_purge(&session->ctrl_transmit);
                skb_queue_purge(&session->intr_transmit);
 
-               atomic_inc(&session->terminate);
-               wake_up_process(current);
+               hidp_session_terminate(session);
        }
 }
 
@@ -541,7 +487,7 @@ static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
                break;
 
        default:
-               __hidp_send_ctrl_message(session,
+               hidp_send_ctrl_message(session,
                        HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
        }
 
@@ -588,7 +534,7 @@ static void hidp_recv_ctrl_frame(struct hidp_session *session,
                break;
 
        default:
-               __hidp_send_ctrl_message(session,
+               hidp_send_ctrl_message(session,
                        HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_UNSUPPORTED_REQUEST, NULL, 0);
                break;
        }
@@ -639,32 +585,24 @@ static int hidp_send_frame(struct socket *sock, unsigned char *data, int len)
        return kernel_sendmsg(sock, &msg, &iv, 1, len);
 }
 
-static void hidp_process_intr_transmit(struct hidp_session *session)
+/* dequeue message from @transmit and send via @sock */
+static void hidp_process_transmit(struct hidp_session *session,
+                                 struct sk_buff_head *transmit,
+                                 struct socket *sock)
 {
        struct sk_buff *skb;
+       int ret;
 
        BT_DBG("session %p", session);
 
-       while ((skb = skb_dequeue(&session->intr_transmit))) {
-               if (hidp_send_frame(session->intr_sock, skb->data, skb->len) < 0) {
-                       skb_queue_head(&session->intr_transmit, skb);
+       while ((skb = skb_dequeue(transmit))) {
+               ret = hidp_send_frame(sock, skb->data, skb->len);
+               if (ret == -EAGAIN) {
+                       skb_queue_head(transmit, skb);
                        break;
-               }
-
-               hidp_set_timer(session);
-               kfree_skb(skb);
-       }
-}
-
-static void hidp_process_ctrl_transmit(struct hidp_session *session)
-{
-       struct sk_buff *skb;
-
-       BT_DBG("session %p", session);
-
-       while ((skb = skb_dequeue(&session->ctrl_transmit))) {
-               if (hidp_send_frame(session->ctrl_sock, skb->data, skb->len) < 0) {
-                       skb_queue_head(&session->ctrl_transmit, skb);
+               } else if (ret < 0) {
+                       hidp_session_terminate(session);
+                       kfree_skb(skb);
                        break;
                }
 
@@ -673,121 +611,6 @@ static void hidp_process_ctrl_transmit(struct hidp_session *session)
        }
 }
 
-static int hidp_session(void *arg)
-{
-       struct hidp_session *session = arg;
-       struct sock *ctrl_sk = session->ctrl_sock->sk;
-       struct sock *intr_sk = session->intr_sock->sk;
-       struct sk_buff *skb;
-       wait_queue_t ctrl_wait, intr_wait;
-
-       BT_DBG("session %p", session);
-
-       __module_get(THIS_MODULE);
-       set_user_nice(current, -15);
-
-       init_waitqueue_entry(&ctrl_wait, current);
-       init_waitqueue_entry(&intr_wait, current);
-       add_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
-       add_wait_queue(sk_sleep(intr_sk), &intr_wait);
-       session->waiting_for_startup = 0;
-       wake_up_interruptible(&session->startup_queue);
-       set_current_state(TASK_INTERRUPTIBLE);
-       while (!atomic_read(&session->terminate)) {
-               if (ctrl_sk->sk_state != BT_CONNECTED ||
-                               intr_sk->sk_state != BT_CONNECTED)
-                       break;
-
-               while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
-                       skb_orphan(skb);
-                       if (!skb_linearize(skb))
-                               hidp_recv_intr_frame(session, skb);
-                       else
-                               kfree_skb(skb);
-               }
-
-               hidp_process_intr_transmit(session);
-
-               while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
-                       skb_orphan(skb);
-                       if (!skb_linearize(skb))
-                               hidp_recv_ctrl_frame(session, skb);
-                       else
-                               kfree_skb(skb);
-               }
-
-               hidp_process_ctrl_transmit(session);
-
-               schedule();
-               set_current_state(TASK_INTERRUPTIBLE);
-       }
-       set_current_state(TASK_RUNNING);
-       remove_wait_queue(sk_sleep(intr_sk), &intr_wait);
-       remove_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
-
-       clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
-       clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
-       wake_up_interruptible(&session->report_queue);
-
-       down_write(&hidp_session_sem);
-
-       hidp_del_timer(session);
-
-       if (session->input) {
-               input_unregister_device(session->input);
-               session->input = NULL;
-       }
-
-       if (session->hid) {
-               hid_destroy_device(session->hid);
-               session->hid = NULL;
-       }
-
-       /* Wakeup user-space polling for socket errors */
-       session->intr_sock->sk->sk_err = EUNATCH;
-       session->ctrl_sock->sk->sk_err = EUNATCH;
-
-       hidp_schedule(session);
-
-       fput(session->intr_sock->file);
-
-       wait_event_timeout(*(sk_sleep(ctrl_sk)),
-               (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
-
-       fput(session->ctrl_sock->file);
-
-       __hidp_unlink_session(session);
-
-       up_write(&hidp_session_sem);
-
-       kfree(session->rd_data);
-       kfree(session);
-       module_put_and_exit(0);
-       return 0;
-}
-
-static struct hci_conn *hidp_get_connection(struct hidp_session *session)
-{
-       bdaddr_t *src = &bt_sk(session->ctrl_sock->sk)->src;
-       bdaddr_t *dst = &bt_sk(session->ctrl_sock->sk)->dst;
-       struct hci_conn *conn;
-       struct hci_dev *hdev;
-
-       hdev = hci_get_route(dst, src);
-       if (!hdev)
-               return NULL;
-
-       hci_dev_lock(hdev);
-       conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
-       if (conn)
-               hci_conn_hold_device(conn);
-       hci_dev_unlock(hdev);
-
-       hci_dev_put(hdev);
-
-       return conn;
-}
-
 static int hidp_setup_input(struct hidp_session *session,
                                struct hidp_connadd_req *req)
 {
@@ -835,7 +658,7 @@ static int hidp_setup_input(struct hidp_session *session,
                input->relbit[0] |= BIT_MASK(REL_WHEEL);
        }
 
-       input->dev.parent = &session->conn->dev;
+       input->dev.parent = &session->conn->hcon->dev;
 
        input->event = hidp_input_event;
 
@@ -894,7 +717,6 @@ static struct hid_ll_driver hidp_hid_driver = {
        .stop = hidp_stop,
        .open  = hidp_open,
        .close = hidp_close,
-       .hidinput_input_event = hidp_hidinput_event,
 };
 
 /* This function sets up the hid device. It does not add it
@@ -939,7 +761,7 @@ static int hidp_setup_hid(struct hidp_session *session,
        snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
                 &bt_sk(session->ctrl_sock->sk)->dst);
 
-       hid->dev.parent = &session->conn->dev;
+       hid->dev.parent = &session->conn->hcon->dev;
        hid->ll_driver = &hidp_hid_driver;
 
        hid->hid_get_raw_report = hidp_get_raw_report;
@@ -961,80 +783,217 @@ fault:
        return err;
 }
 
-int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
+/* initialize session devices */
+static int hidp_session_dev_init(struct hidp_session *session,
+                                struct hidp_connadd_req *req)
 {
-       struct hidp_session *session, *s;
-       int vendor, product;
-       int err;
+       int ret;
 
-       BT_DBG("");
+       if (req->rd_size > 0) {
+               ret = hidp_setup_hid(session, req);
+               if (ret && ret != -ENODEV)
+                       return ret;
+       }
 
-       if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
-                       bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
-               return -ENOTUNIQ;
+       if (!session->hid) {
+               ret = hidp_setup_input(session, req);
+               if (ret < 0)
+                       return ret;
+       }
 
-       BT_DBG("rd_data %p rd_size %d", req->rd_data, req->rd_size);
+       return 0;
+}
 
-       down_write(&hidp_session_sem);
+/* destroy session devices */
+static void hidp_session_dev_destroy(struct hidp_session *session)
+{
+       if (session->hid)
+               put_device(&session->hid->dev);
+       else if (session->input)
+               input_put_device(session->input);
 
-       s = __hidp_get_session(&bt_sk(ctrl_sock->sk)->dst);
-       if (s && s->state == BT_CONNECTED) {
-               up_write(&hidp_session_sem);
-               return -EEXIST;
-       }
+       kfree(session->rd_data);
+       session->rd_data = NULL;
+}
 
-       session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
-       if (!session) {
-               up_write(&hidp_session_sem);
-               return -ENOMEM;
-       }
+/* add HID/input devices to their underlying bus systems */
+static int hidp_session_dev_add(struct hidp_session *session)
+{
+       int ret;
 
-       bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
+       /* Both HID and input systems drop a ref-count when unregistering the
+        * device but they don't take a ref-count when registering them. Work
+        * around this by explicitly taking a refcount during registration
+        * which is dropped automatically by unregistering the devices. */
 
-       session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu,
-                                       l2cap_pi(ctrl_sock->sk)->chan->imtu);
-       session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu,
-                                       l2cap_pi(intr_sock->sk)->chan->imtu);
+       if (session->hid) {
+               ret = hid_add_device(session->hid);
+               if (ret)
+                       return ret;
+               get_device(&session->hid->dev);
+       } else if (session->input) {
+               ret = input_register_device(session->input);
+               if (ret)
+                       return ret;
+               input_get_device(session->input);
+       }
 
-       BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu);
+       return 0;
+}
 
-       session->ctrl_sock = ctrl_sock;
-       session->intr_sock = intr_sock;
-       session->state     = BT_CONNECTED;
+/* remove HID/input devices from their bus systems */
+static void hidp_session_dev_del(struct hidp_session *session)
+{
+       if (session->hid)
+               hid_destroy_device(session->hid);
+       else if (session->input)
+               input_unregister_device(session->input);
+}
 
-       session->conn = hidp_get_connection(session);
-       if (!session->conn) {
-               err = -ENOTCONN;
-               goto failed;
-       }
+/*
+ * Create new session object
+ * Allocate session object, initialize static fields, copy input data into the
+ * object and take a reference to all sub-objects.
+ * This returns 0 on success and puts a pointer to the new session object in
+ * \out. Otherwise, an error code is returned.
+ * The new session object has an initial ref-count of 1.
+ */
+static int hidp_session_new(struct hidp_session **out, const bdaddr_t *bdaddr,
+                           struct socket *ctrl_sock,
+                           struct socket *intr_sock,
+                           struct hidp_connadd_req *req,
+                           struct l2cap_conn *conn)
+{
+       struct hidp_session *session;
+       int ret;
+       struct bt_sock *ctrl, *intr;
+
+       ctrl = bt_sk(ctrl_sock->sk);
+       intr = bt_sk(intr_sock->sk);
 
-       setup_timer(&session->timer, hidp_idle_timeout, (unsigned long)session);
+       session = kzalloc(sizeof(*session), GFP_KERNEL);
+       if (!session)
+               return -ENOMEM;
 
+       /* object and runtime management */
+       kref_init(&session->ref);
+       atomic_set(&session->state, HIDP_SESSION_IDLING);
+       init_waitqueue_head(&session->state_queue);
+       session->flags = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
+
+       /* connection management */
+       bacpy(&session->bdaddr, bdaddr);
+       session->conn = conn;
+       session->user.probe = hidp_session_probe;
+       session->user.remove = hidp_session_remove;
+       session->ctrl_sock = ctrl_sock;
+       session->intr_sock = intr_sock;
        skb_queue_head_init(&session->ctrl_transmit);
        skb_queue_head_init(&session->intr_transmit);
+       session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl)->chan->omtu,
+                                       l2cap_pi(ctrl)->chan->imtu);
+       session->intr_mtu = min_t(uint, l2cap_pi(intr)->chan->omtu,
+                                       l2cap_pi(intr)->chan->imtu);
+       session->idle_to = req->idle_to;
 
+       /* device management */
+       setup_timer(&session->timer, hidp_idle_timeout,
+                   (unsigned long)session);
+
+       /* session data */
        mutex_init(&session->report_mutex);
        init_waitqueue_head(&session->report_queue);
-       init_waitqueue_head(&session->startup_queue);
-       session->waiting_for_startup = 1;
-       session->flags   = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
-       session->idle_to = req->idle_to;
 
-       __hidp_link_session(session);
+       ret = hidp_session_dev_init(session, req);
+       if (ret)
+               goto err_free;
 
-       if (req->rd_size > 0) {
-               err = hidp_setup_hid(session, req);
-               if (err && err != -ENODEV)
-                       goto purge;
-       }
+       l2cap_conn_get(session->conn);
+       get_file(session->intr_sock->file);
+       get_file(session->ctrl_sock->file);
+       *out = session;
+       return 0;
 
-       if (!session->hid) {
-               err = hidp_setup_input(session, req);
-               if (err < 0)
-                       goto purge;
+err_free:
+       kfree(session);
+       return ret;
+}
+
+/* increase ref-count of the given session by one */
+static void hidp_session_get(struct hidp_session *session)
+{
+       kref_get(&session->ref);
+}
+
+/* release callback */
+static void session_free(struct kref *ref)
+{
+       struct hidp_session *session = container_of(ref, struct hidp_session,
+                                                   ref);
+
+       hidp_session_dev_destroy(session);
+       skb_queue_purge(&session->ctrl_transmit);
+       skb_queue_purge(&session->intr_transmit);
+       fput(session->intr_sock->file);
+       fput(session->ctrl_sock->file);
+       l2cap_conn_put(session->conn);
+       kfree(session);
+}
+
+/* decrease ref-count of the given session by one */
+static void hidp_session_put(struct hidp_session *session)
+{
+       kref_put(&session->ref, session_free);
+}
+
+/*
+ * Search the list of active sessions for a session with target address
+ * \bdaddr. You must hold at least a read-lock on \hidp_session_sem. As long as
+ * you do not release this lock, the session objects cannot vanish and you can
+ * safely take a reference to the session yourself.
+ */
+static struct hidp_session *__hidp_session_find(const bdaddr_t *bdaddr)
+{
+       struct hidp_session *session;
+
+       list_for_each_entry(session, &hidp_session_list, list) {
+               if (!bacmp(bdaddr, &session->bdaddr))
+                       return session;
        }
 
-       hidp_set_timer(session);
+       return NULL;
+}
+
+/*
+ * Same as __hidp_session_find() but no locks must be held. This also takes a
+ * reference of the returned session (if non-NULL) so you must drop this
+ * reference if you no longer use the object.
+ */
+static struct hidp_session *hidp_session_find(const bdaddr_t *bdaddr)
+{
+       struct hidp_session *session;
+
+       down_read(&hidp_session_sem);
+
+       session = __hidp_session_find(bdaddr);
+       if (session)
+               hidp_session_get(session);
+
+       up_read(&hidp_session_sem);
+
+       return session;
+}
+
+/*
+ * Start session synchronously
+ * This starts a session thread and waits until initialization
+ * is done or returns an error if it couldn't be started.
+ * If this returns 0 the session thread is up and running. You must call
+ * hipd_session_stop_sync() before deleting any runtime resources.
+ */
+static int hidp_session_start_sync(struct hidp_session *session)
+{
+       unsigned int vendor, product;
 
        if (session->hid) {
                vendor  = session->hid->vendor;
@@ -1047,98 +1006,320 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
                product = 0x0000;
        }
 
-       session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x",
-                                                       vendor, product);
-       if (IS_ERR(session->task)) {
-               err = PTR_ERR(session->task);
-               goto unlink;
-       }
+       session->task = kthread_run(hidp_session_thread, session,
+                                   "khidpd_%04x%04x", vendor, product);
+       if (IS_ERR(session->task))
+               return PTR_ERR(session->task);
 
-       while (session->waiting_for_startup) {
-               wait_event_interruptible(session->startup_queue,
-                       !session->waiting_for_startup);
-       }
+       while (atomic_read(&session->state) <= HIDP_SESSION_IDLING)
+               wait_event(session->state_queue,
+                          atomic_read(&session->state) > HIDP_SESSION_IDLING);
 
-       if (session->hid)
-               err = hid_add_device(session->hid);
-       else
-               err = input_register_device(session->input);
+       return 0;
+}
 
-       if (err < 0) {
-               atomic_inc(&session->terminate);
-               wake_up_process(session->task);
-               up_write(&hidp_session_sem);
-               return err;
-       }
+/*
+ * Terminate session thread
+ * Wake up session thread and notify it to stop. This is asynchronous and
+ * returns immediately. Call this whenever a runtime error occurs and you want
+ * the session to stop.
+ * Note: wake_up_process() performs any necessary memory-barriers for us.
+ */
+static void hidp_session_terminate(struct hidp_session *session)
+{
+       atomic_inc(&session->terminate);
+       wake_up_process(session->task);
+}
 
-       if (session->input) {
-               hidp_send_ctrl_message(session,
-                       HIDP_TRANS_SET_PROTOCOL | HIDP_PROTO_BOOT, NULL, 0);
-               session->flags |= (1 << HIDP_BOOT_PROTOCOL_MODE);
+/*
+ * Probe HIDP session
+ * This is called from the l2cap_conn core when our l2cap_user object is bound
+ * to the hci-connection. We get the session via the \user object and can now
+ * start the session thread, register the HID/input devices and link it into
+ * the global session list.
+ * The global session-list owns its own reference to the session object so you
+ * can drop your own reference after registering the l2cap_user object.
+ */
+static int hidp_session_probe(struct l2cap_conn *conn,
+                             struct l2cap_user *user)
+{
+       struct hidp_session *session = container_of(user,
+                                                   struct hidp_session,
+                                                   user);
+       struct hidp_session *s;
+       int ret;
 
-               session->leds = 0xff;
-               hidp_input_event(session->input, EV_LED, 0, 0);
+       down_write(&hidp_session_sem);
+
+       /* check that no other session for this device exists */
+       s = __hidp_session_find(&session->bdaddr);
+       if (s) {
+               ret = -EEXIST;
+               goto out_unlock;
        }
 
+       ret = hidp_session_start_sync(session);
+       if (ret)
+               goto out_unlock;
+
+       ret = hidp_session_dev_add(session);
+       if (ret)
+               goto out_stop;
+
+       hidp_session_get(session);
+       list_add(&session->list, &hidp_session_list);
+       ret = 0;
+       goto out_unlock;
+
+out_stop:
+       hidp_session_terminate(session);
+out_unlock:
        up_write(&hidp_session_sem);
-       return 0;
+       return ret;
+}
 
-unlink:
+/*
+ * Remove HIDP session
+ * Called from the l2cap_conn core when either we explicitly unregistered
+ * the l2cap_user object or if the underlying connection is shut down.
+ * We signal the hidp-session thread to shut down, unregister the HID/input
+ * devices and unlink the session from the global list.
+ * This drops the reference to the session that is owned by the global
+ * session-list.
+ * Note: We _must_ not synchronosly wait for the session-thread to shut down.
+ * This is, because the session-thread might be waiting for an HCI lock that is
+ * held while we are called. Therefore, we only unregister the devices and
+ * notify the session-thread to terminate. The thread itself owns a reference
+ * to the session object so it can safely shut down.
+ */
+static void hidp_session_remove(struct l2cap_conn *conn,
+                               struct l2cap_user *user)
+{
+       struct hidp_session *session = container_of(user,
+                                                   struct hidp_session,
+                                                   user);
+
+       down_write(&hidp_session_sem);
+
+       hidp_session_terminate(session);
+       hidp_session_dev_del(session);
+       list_del(&session->list);
+
+       up_write(&hidp_session_sem);
+
+       hidp_session_put(session);
+}
+
+/*
+ * Session Worker
+ * This performs the actual main-loop of the HIDP worker. We first check
+ * whether the underlying connection is still alive, then parse all pending
+ * messages and finally send all outstanding messages.
+ */
+static void hidp_session_run(struct hidp_session *session)
+{
+       struct sock *ctrl_sk = session->ctrl_sock->sk;
+       struct sock *intr_sk = session->intr_sock->sk;
+       struct sk_buff *skb;
+
+       for (;;) {
+               /*
+                * This thread can be woken up two ways:
+                *  - You call hidp_session_terminate() which sets the
+                *    session->terminate flag and wakes this thread up.
+                *  - Via modifying the socket state of ctrl/intr_sock. This
+                *    thread is woken up by ->sk_state_changed().
+                *
+                * Note: set_current_state() performs any necessary
+                * memory-barriers for us.
+                */
+               set_current_state(TASK_INTERRUPTIBLE);
+
+               if (atomic_read(&session->terminate))
+                       break;
+
+               if (ctrl_sk->sk_state != BT_CONNECTED ||
+                   intr_sk->sk_state != BT_CONNECTED)
+                       break;
+
+               /* parse incoming intr-skbs */
+               while ((skb = skb_dequeue(&intr_sk->sk_receive_queue))) {
+                       skb_orphan(skb);
+                       if (!skb_linearize(skb))
+                               hidp_recv_intr_frame(session, skb);
+                       else
+                               kfree_skb(skb);
+               }
+
+               /* send pending intr-skbs */
+               hidp_process_transmit(session, &session->intr_transmit,
+                                     session->intr_sock);
+
+               /* parse incoming ctrl-skbs */
+               while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
+                       skb_orphan(skb);
+                       if (!skb_linearize(skb))
+                               hidp_recv_ctrl_frame(session, skb);
+                       else
+                               kfree_skb(skb);
+               }
+
+               /* send pending ctrl-skbs */
+               hidp_process_transmit(session, &session->ctrl_transmit,
+                                     session->ctrl_sock);
+
+               schedule();
+       }
+
+       atomic_inc(&session->terminate);
+       set_current_state(TASK_RUNNING);
+}
+
+/*
+ * HIDP session thread
+ * This thread runs the I/O for a single HIDP session. Startup is synchronous
+ * which allows us to take references to ourself here instead of doing that in
+ * the caller.
+ * When we are ready to run we notify the caller and call hidp_session_run().
+ */
+static int hidp_session_thread(void *arg)
+{
+       struct hidp_session *session = arg;
+       wait_queue_t ctrl_wait, intr_wait;
+
+       BT_DBG("session %p", session);
+
+       /* initialize runtime environment */
+       hidp_session_get(session);
+       __module_get(THIS_MODULE);
+       set_user_nice(current, -15);
+       hidp_set_timer(session);
+
+       init_waitqueue_entry(&ctrl_wait, current);
+       init_waitqueue_entry(&intr_wait, current);
+       add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
+       add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
+       /* This memory barrier is paired with wq_has_sleeper(). See
+        * sock_poll_wait() for more information why this is needed. */
+       smp_mb();
+
+       /* notify synchronous startup that we're ready */
+       atomic_inc(&session->state);
+       wake_up(&session->state_queue);
+
+       /* run session */
+       hidp_session_run(session);
+
+       /* cleanup runtime environment */
+       remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
+       remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
+       wake_up_interruptible(&session->report_queue);
        hidp_del_timer(session);
 
-       if (session->input) {
-               input_unregister_device(session->input);
-               session->input = NULL;
+       /*
+        * If we stopped ourself due to any internal signal, we should try to
+        * unregister our own session here to avoid having it linger until the
+        * parent l2cap_conn dies or user-space cleans it up.
+        * This does not deadlock as we don't do any synchronous shutdown.
+        * Instead, this call has the same semantics as if user-space tried to
+        * delete the session.
+        */
+       l2cap_unregister_user(session->conn, &session->user);
+       hidp_session_put(session);
+
+       module_put_and_exit(0);
+       return 0;
+}
+
+static int hidp_verify_sockets(struct socket *ctrl_sock,
+                              struct socket *intr_sock)
+{
+       struct bt_sock *ctrl, *intr;
+       struct hidp_session *session;
+
+       if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
+               return -EINVAL;
+
+       ctrl = bt_sk(ctrl_sock->sk);
+       intr = bt_sk(intr_sock->sk);
+
+       if (bacmp(&ctrl->src, &intr->src) || bacmp(&ctrl->dst, &intr->dst))
+               return -ENOTUNIQ;
+       if (ctrl->sk.sk_state != BT_CONNECTED ||
+           intr->sk.sk_state != BT_CONNECTED)
+               return -EBADFD;
+
+       /* early session check, we check again during session registration */
+       session = hidp_session_find(&ctrl->dst);
+       if (session) {
+               hidp_session_put(session);
+               return -EEXIST;
        }
 
-       if (session->hid) {
-               hid_destroy_device(session->hid);
-               session->hid = NULL;
+       return 0;
+}
+
+int hidp_connection_add(struct hidp_connadd_req *req,
+                       struct socket *ctrl_sock,
+                       struct socket *intr_sock)
+{
+       struct hidp_session *session;
+       struct l2cap_conn *conn;
+       struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
+       int ret;
+
+       ret = hidp_verify_sockets(ctrl_sock, intr_sock);
+       if (ret)
+               return ret;
+
+       conn = NULL;
+       l2cap_chan_lock(chan);
+       if (chan->conn) {
+               l2cap_conn_get(chan->conn);
+               conn = chan->conn;
        }
+       l2cap_chan_unlock(chan);
 
-       kfree(session->rd_data);
-       session->rd_data = NULL;
+       if (!conn)
+               return -EBADFD;
 
-purge:
-       __hidp_unlink_session(session);
+       ret = hidp_session_new(&session, &bt_sk(ctrl_sock->sk)->dst, ctrl_sock,
+                              intr_sock, req, conn);
+       if (ret)
+               goto out_conn;
 
-       skb_queue_purge(&session->ctrl_transmit);
-       skb_queue_purge(&session->intr_transmit);
+       ret = l2cap_register_user(conn, &session->user);
+       if (ret)
+               goto out_session;
 
-failed:
-       up_write(&hidp_session_sem);
+       ret = 0;
 
-       kfree(session);
-       return err;
+out_session:
+       hidp_session_put(session);
+out_conn:
+       l2cap_conn_put(conn);
+       return ret;
 }
 
-int hidp_del_connection(struct hidp_conndel_req *req)
+int hidp_connection_del(struct hidp_conndel_req *req)
 {
        struct hidp_session *session;
-       int err = 0;
 
-       BT_DBG("");
+       session = hidp_session_find(&req->bdaddr);
+       if (!session)
+               return -ENOENT;
 
-       down_read(&hidp_session_sem);
+       if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG))
+               hidp_send_ctrl_message(session,
+                                      HIDP_TRANS_HID_CONTROL |
+                                        HIDP_CTRL_VIRTUAL_CABLE_UNPLUG,
+                                      NULL, 0);
+       else
+               l2cap_unregister_user(session->conn, &session->user);
 
-       session = __hidp_get_session(&req->bdaddr);
-       if (session) {
-               if (req->flags & (1 << HIDP_VIRTUAL_CABLE_UNPLUG)) {
-                       hidp_send_ctrl_message(session,
-                               HIDP_TRANS_HID_CONTROL | HIDP_CTRL_VIRTUAL_CABLE_UNPLUG, NULL, 0);
-               } else {
-                       /* Flush the transmit queues */
-                       skb_queue_purge(&session->ctrl_transmit);
-                       skb_queue_purge(&session->intr_transmit);
-
-                       atomic_inc(&session->terminate);
-                       wake_up_process(session->task);
-               }
-       } else
-               err = -ENOENT;
+       hidp_session_put(session);
 
-       up_read(&hidp_session_sem);
-       return err;
+       return 0;
 }
 
 int hidp_get_connlist(struct hidp_connlist_req *req)
@@ -1153,7 +1334,7 @@ int hidp_get_connlist(struct hidp_connlist_req *req)
        list_for_each_entry(session, &hidp_session_list, list) {
                struct hidp_conninfo ci;
 
-               __hidp_copy_session(session, &ci);
+               hidp_copy_session(session, &ci);
 
                if (copy_to_user(req->ci, &ci, sizeof(ci))) {
                        err = -EFAULT;
@@ -1174,18 +1355,14 @@ int hidp_get_connlist(struct hidp_connlist_req *req)
 int hidp_get_conninfo(struct hidp_conninfo *ci)
 {
        struct hidp_session *session;
-       int err = 0;
-
-       down_read(&hidp_session_sem);
 
-       session = __hidp_get_session(&ci->bdaddr);
-       if (session)
-               __hidp_copy_session(session, ci);
-       else
-               err = -ENOENT;
+       session = hidp_session_find(&ci->bdaddr);
+       if (session) {
+               hidp_copy_session(session, ci);
+               hidp_session_put(session);
+       }
 
-       up_read(&hidp_session_sem);
-       return err;
+       return session ? 0 : -ENOENT;
 }
 
 static int __init hidp_init(void)
@@ -1204,6 +1381,7 @@ module_init(hidp_init);
 module_exit(hidp_exit);
 
 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
+MODULE_AUTHOR("David Herrmann <dh.herrmann@gmail.com>");
 MODULE_DESCRIPTION("Bluetooth HIDP ver " VERSION);
 MODULE_VERSION(VERSION);
 MODULE_LICENSE("GPL");