projects / firefly-linux-kernel-4.4.55.git / blob
? search:


6e6a9dd8a1557a66a10d15c74dc170cde6029bc0
[firefly-linux-kernel-4.4.55.git] / net / bluetooth / hci_core.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2011 ProFUSION Embedded Systems
5
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI core. */
27
28 #include <linux/export.h>
29 #include <linux/idr.h>
30
31 #include <linux/rfkill.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35
36 static void hci_rx_work(struct work_struct *work);
37 static void hci_cmd_work(struct work_struct *work);
38 static void hci_tx_work(struct work_struct *work);
39
40 /* HCI device list */
41 LIST_HEAD(hci_dev_list);
42 DEFINE_RWLOCK(hci_dev_list_lock);
43
44 /* HCI callback list */
45 LIST_HEAD(hci_cb_list);
46 DEFINE_RWLOCK(hci_cb_list_lock);
47
48 /* HCI ID Numbering */
49 static DEFINE_IDA(hci_index_ida);
50
51 /* ---- HCI notifications ---- */
52
53 static void hci_notify(struct hci_dev *hdev, int event)
54 {
55         hci_sock_dev_event(hdev, event);
56 }
57
58 /* ---- HCI requests ---- */
59
60 void hci_req_complete(struct hci_dev *hdev, __u16 cmd, int result)
61 {
62         BT_DBG("%s command 0x%4.4x result 0x%2.2x", hdev->name, cmd, result);
63
64         /* If this is the init phase check if the completed command matches
65          * the last init command, and if not just return.
66          */
67         if (test_bit(HCI_INIT, &hdev->flags) && hdev->init_last_cmd != cmd) {
68                 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
69                 u16 opcode = __le16_to_cpu(sent->opcode);
70                 struct sk_buff *skb;
71
72                 /* Some CSR based controllers generate a spontaneous
73                  * reset complete event during init and any pending
74                  * command will never be completed. In such a case we
75                  * need to resend whatever was the last sent
76                  * command.
77                  */
78
79                 if (cmd != HCI_OP_RESET || opcode == HCI_OP_RESET)
80                         return;
81
82                 skb = skb_clone(hdev->sent_cmd, GFP_ATOMIC);
83                 if (skb) {
84                         skb_queue_head(&hdev->cmd_q, skb);
85                         queue_work(hdev->workqueue, &hdev->cmd_work);
86                 }
87
88                 return;
89         }
90
91         if (hdev->req_status == HCI_REQ_PEND) {
92                 hdev->req_result = result;
93                 hdev->req_status = HCI_REQ_DONE;
94                 wake_up_interruptible(&hdev->req_wait_q);
95         }
96 }
97
98 static void hci_req_cancel(struct hci_dev *hdev, int err)
99 {
100         BT_DBG("%s err 0x%2.2x", hdev->name, err);
101
102         if (hdev->req_status == HCI_REQ_PEND) {
103                 hdev->req_result = err;
104                 hdev->req_status = HCI_REQ_CANCELED;
105                 wake_up_interruptible(&hdev->req_wait_q);
106         }
107 }
108
109 /* Execute request and wait for completion. */
110 static int __hci_req_sync(struct hci_dev *hdev,
111                           void (*req)(struct hci_dev *hdev, unsigned long opt),
112                           unsigned long opt, __u32 timeout)
113 {
114         DECLARE_WAITQUEUE(wait, current);
115         int err = 0;
116
117         BT_DBG("%s start", hdev->name);
118
119         hdev->req_status = HCI_REQ_PEND;
120
121         add_wait_queue(&hdev->req_wait_q, &wait);
122         set_current_state(TASK_INTERRUPTIBLE);
123
124         req(hdev, opt);
125
126         /* If the request didn't send any commands return immediately */
127         if (skb_queue_empty(&hdev->cmd_q) && atomic_read(&hdev->cmd_cnt)) {
128                 hdev->req_status = 0;
129                 remove_wait_queue(&hdev->req_wait_q, &wait);
130                 return err;
131         }
132
133         schedule_timeout(timeout);
134
135         remove_wait_queue(&hdev->req_wait_q, &wait);
136
137         if (signal_pending(current))
138                 return -EINTR;
139
140         switch (hdev->req_status) {
141         case HCI_REQ_DONE:
142                 err = -bt_to_errno(hdev->req_result);
143                 break;
144
145         case HCI_REQ_CANCELED:
146                 err = -hdev->req_result;
147                 break;
148
149         default:
150                 err = -ETIMEDOUT;
151                 break;
152         }
153
154         hdev->req_status = hdev->req_result = 0;
155
156         BT_DBG("%s end: err %d", hdev->name, err);
157
158         return err;
159 }
160
161 static int hci_req_sync(struct hci_dev *hdev,
162                         void (*req)(struct hci_dev *hdev, unsigned long opt),
163                         unsigned long opt, __u32 timeout)
164 {
165         int ret;
166
167         if (!test_bit(HCI_UP, &hdev->flags))
168                 return -ENETDOWN;
169
170         /* Serialize all requests */
171         hci_req_lock(hdev);
172         ret = __hci_req_sync(hdev, req, opt, timeout);
173         hci_req_unlock(hdev);
174
175         return ret;
176 }
177
178 static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
179 {
180         BT_DBG("%s %ld", hdev->name, opt);
181
182         /* Reset device */
183         set_bit(HCI_RESET, &hdev->flags);
184         hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
185 }
186
187 static void bredr_init(struct hci_dev *hdev)
188 {
189         hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
190
191         /* Read Local Supported Features */
192         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
193
194         /* Read Local Version */
195         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
196
197         /* Read BD Address */
198         hci_send_cmd(hdev, HCI_OP_READ_BD_ADDR, 0, NULL);
199 }
200
201 static void amp_init(struct hci_dev *hdev)
202 {
203         hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
204
205         /* Read Local Version */
206         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
207
208         /* Read Local AMP Info */
209         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
210
211         /* Read Data Blk size */
212         hci_send_cmd(hdev, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
213 }
214
215 static void hci_init1_req(struct hci_dev *hdev, unsigned long opt)
216 {
217         struct sk_buff *skb;
218
219         BT_DBG("%s %ld", hdev->name, opt);
220
221         /* Driver initialization */
222
223         /* Special commands */
224         while ((skb = skb_dequeue(&hdev->driver_init))) {
225                 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
226                 skb->dev = (void *) hdev;
227
228                 skb_queue_tail(&hdev->cmd_q, skb);
229                 queue_work(hdev->workqueue, &hdev->cmd_work);
230         }
231         skb_queue_purge(&hdev->driver_init);
232
233         /* Reset */
234         if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
235                 hci_reset_req(hdev, 0);
236
237         switch (hdev->dev_type) {
238         case HCI_BREDR:
239                 bredr_init(hdev);
240                 break;
241
242         case HCI_AMP:
243                 amp_init(hdev);
244                 break;
245
246         default:
247                 BT_ERR("Unknown device type %d", hdev->dev_type);
248                 break;
249         }
250 }
251
252 static void bredr_setup(struct hci_dev *hdev)
253 {
254         struct hci_cp_delete_stored_link_key cp;
255         __le16 param;
256         __u8 flt_type;
257
258         /* Read Buffer Size (ACL mtu, max pkt, etc.) */
259         hci_send_cmd(hdev, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
260
261         /* Read Class of Device */
262         hci_send_cmd(hdev, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
263
264         /* Read Local Name */
265         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_NAME, 0, NULL);
266
267         /* Read Voice Setting */
268         hci_send_cmd(hdev, HCI_OP_READ_VOICE_SETTING, 0, NULL);
269
270         /* Clear Event Filters */
271         flt_type = HCI_FLT_CLEAR_ALL;
272         hci_send_cmd(hdev, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
273
274         /* Connection accept timeout ~20 secs */
275         param = __constant_cpu_to_le16(0x7d00);
276         hci_send_cmd(hdev, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
277
278         bacpy(&cp.bdaddr, BDADDR_ANY);
279         cp.delete_all = 0x01;
280         hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
281 }
282
283 static void le_setup(struct hci_dev *hdev)
284 {
285         /* Read LE Buffer Size */
286         hci_send_cmd(hdev, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
287
288         /* Read LE Local Supported Features */
289         hci_send_cmd(hdev, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
290
291         /* Read LE Advertising Channel TX Power */
292         hci_send_cmd(hdev, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
293
294         /* Read LE White List Size */
295         hci_send_cmd(hdev, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
296
297         /* Read LE Supported States */
298         hci_send_cmd(hdev, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
299 }
300
301 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
302 {
303         if (lmp_ext_inq_capable(hdev))
304                 return 0x02;
305
306         if (lmp_inq_rssi_capable(hdev))
307                 return 0x01;
308
309         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
310             hdev->lmp_subver == 0x0757)
311                 return 0x01;
312
313         if (hdev->manufacturer == 15) {
314                 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
315                         return 0x01;
316                 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
317                         return 0x01;
318                 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
319                         return 0x01;
320         }
321
322         if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
323             hdev->lmp_subver == 0x1805)
324                 return 0x01;
325
326         return 0x00;
327 }
328
329 static void hci_setup_inquiry_mode(struct hci_dev *hdev)
330 {
331         u8 mode;
332
333         mode = hci_get_inquiry_mode(hdev);
334
335         hci_send_cmd(hdev, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
336 }
337
338 static void hci_setup_event_mask(struct hci_dev *hdev)
339 {
340         /* The second byte is 0xff instead of 0x9f (two reserved bits
341          * disabled) since a Broadcom 1.2 dongle doesn't respond to the
342          * command otherwise.
343          */
344         u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
345
346         /* CSR 1.1 dongles does not accept any bitfield so don't try to set
347          * any event mask for pre 1.2 devices.
348          */
349         if (hdev->hci_ver < BLUETOOTH_VER_1_2)
350                 return;
351
352         if (lmp_bredr_capable(hdev)) {
353                 events[4] |= 0x01; /* Flow Specification Complete */
354                 events[4] |= 0x02; /* Inquiry Result with RSSI */
355                 events[4] |= 0x04; /* Read Remote Extended Features Complete */
356                 events[5] |= 0x08; /* Synchronous Connection Complete */
357                 events[5] |= 0x10; /* Synchronous Connection Changed */
358         }
359
360         if (lmp_inq_rssi_capable(hdev))
361                 events[4] |= 0x02; /* Inquiry Result with RSSI */
362
363         if (lmp_sniffsubr_capable(hdev))
364                 events[5] |= 0x20; /* Sniff Subrating */
365
366         if (lmp_pause_enc_capable(hdev))
367                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
368
369         if (lmp_ext_inq_capable(hdev))
370                 events[5] |= 0x40; /* Extended Inquiry Result */
371
372         if (lmp_no_flush_capable(hdev))
373                 events[7] |= 0x01; /* Enhanced Flush Complete */
374
375         if (lmp_lsto_capable(hdev))
376                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
377
378         if (lmp_ssp_capable(hdev)) {
379                 events[6] |= 0x01;      /* IO Capability Request */
380                 events[6] |= 0x02;      /* IO Capability Response */
381                 events[6] |= 0x04;      /* User Confirmation Request */
382                 events[6] |= 0x08;      /* User Passkey Request */
383                 events[6] |= 0x10;      /* Remote OOB Data Request */
384                 events[6] |= 0x20;      /* Simple Pairing Complete */
385                 events[7] |= 0x04;      /* User Passkey Notification */
386                 events[7] |= 0x08;      /* Keypress Notification */
387                 events[7] |= 0x10;      /* Remote Host Supported
388                                          * Features Notification
389                                          */
390         }
391
392         if (lmp_le_capable(hdev))
393                 events[7] |= 0x20;      /* LE Meta-Event */
394
395         hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
396
397         if (lmp_le_capable(hdev)) {
398                 memset(events, 0, sizeof(events));
399                 events[0] = 0x1f;
400                 hci_send_cmd(hdev, HCI_OP_LE_SET_EVENT_MASK,
401                              sizeof(events), events);
402         }
403 }
404
405 static void hci_init2_req(struct hci_dev *hdev, unsigned long opt)
406 {
407         if (lmp_bredr_capable(hdev))
408                 bredr_setup(hdev);
409
410         if (lmp_le_capable(hdev))
411                 le_setup(hdev);
412
413         hci_setup_event_mask(hdev);
414
415         if (hdev->hci_ver > BLUETOOTH_VER_1_1)
416                 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
417
418         if (lmp_ssp_capable(hdev)) {
419                 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
420                         u8 mode = 0x01;
421                         hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE,
422                                      sizeof(mode), &mode);
423                 } else {
424                         struct hci_cp_write_eir cp;
425
426                         memset(hdev->eir, 0, sizeof(hdev->eir));
427                         memset(&cp, 0, sizeof(cp));
428
429                         hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
430                 }
431         }
432
433         if (lmp_inq_rssi_capable(hdev))
434                 hci_setup_inquiry_mode(hdev);
435
436         if (lmp_inq_tx_pwr_capable(hdev))
437                 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
438
439         if (lmp_ext_feat_capable(hdev)) {
440                 struct hci_cp_read_local_ext_features cp;
441
442                 cp.page = 0x01;
443                 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, sizeof(cp),
444                              &cp);
445         }
446
447         if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
448                 u8 enable = 1;
449                 hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
450                              &enable);
451         }
452 }
453
454 static void hci_setup_link_policy(struct hci_dev *hdev)
455 {
456         struct hci_cp_write_def_link_policy cp;
457         u16 link_policy = 0;
458
459         if (lmp_rswitch_capable(hdev))
460                 link_policy |= HCI_LP_RSWITCH;
461         if (lmp_hold_capable(hdev))
462                 link_policy |= HCI_LP_HOLD;
463         if (lmp_sniff_capable(hdev))
464                 link_policy |= HCI_LP_SNIFF;
465         if (lmp_park_capable(hdev))
466                 link_policy |= HCI_LP_PARK;
467
468         cp.policy = cpu_to_le16(link_policy);
469         hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
470 }
471
472 static void hci_set_le_support(struct hci_dev *hdev)
473 {
474         struct hci_cp_write_le_host_supported cp;
475
476         memset(&cp, 0, sizeof(cp));
477
478         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
479                 cp.le = 0x01;
480                 cp.simul = lmp_le_br_capable(hdev);
481         }
482
483         if (cp.le != lmp_host_le_capable(hdev))
484                 hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
485                              &cp);
486 }
487
488 static void hci_init3_req(struct hci_dev *hdev, unsigned long opt)
489 {
490         if (hdev->commands[5] & 0x10)
491                 hci_setup_link_policy(hdev);
492
493         if (lmp_le_capable(hdev))
494                 hci_set_le_support(hdev);
495 }
496
497 static int __hci_init(struct hci_dev *hdev)
498 {
499         int err;
500
501         err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
502         if (err < 0)
503                 return err;
504
505         /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
506          * BR/EDR/LE type controllers. AMP controllers only need the
507          * first stage init.
508          */
509         if (hdev->dev_type != HCI_BREDR)
510                 return 0;
511
512         err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
513         if (err < 0)
514                 return err;
515
516         return __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
517 }
518
519 static void hci_scan_req(struct hci_dev *hdev, unsigned long opt)
520 {
521         __u8 scan = opt;
522
523         BT_DBG("%s %x", hdev->name, scan);
524
525         /* Inquiry and Page scans */
526         hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
527 }
528
529 static void hci_auth_req(struct hci_dev *hdev, unsigned long opt)
530 {
531         __u8 auth = opt;
532
533         BT_DBG("%s %x", hdev->name, auth);
534
535         /* Authentication */
536         hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
537 }
538
539 static void hci_encrypt_req(struct hci_dev *hdev, unsigned long opt)
540 {
541         __u8 encrypt = opt;
542
543         BT_DBG("%s %x", hdev->name, encrypt);
544
545         /* Encryption */
546         hci_send_cmd(hdev, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
547 }
548
549 static void hci_linkpol_req(struct hci_dev *hdev, unsigned long opt)
550 {
551         __le16 policy = cpu_to_le16(opt);
552
553         BT_DBG("%s %x", hdev->name, policy);
554
555         /* Default link policy */
556         hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
557 }
558
559 /* Get HCI device by index.
560  * Device is held on return. */
561 struct hci_dev *hci_dev_get(int index)
562 {
563         struct hci_dev *hdev = NULL, *d;
564
565         BT_DBG("%d", index);
566
567         if (index < 0)
568                 return NULL;
569
570         read_lock(&hci_dev_list_lock);
571         list_for_each_entry(d, &hci_dev_list, list) {
572                 if (d->id == index) {
573                         hdev = hci_dev_hold(d);
574                         break;
575                 }
576         }
577         read_unlock(&hci_dev_list_lock);
578         return hdev;
579 }
580
581 /* ---- Inquiry support ---- */
582
583 bool hci_discovery_active(struct hci_dev *hdev)
584 {
585         struct discovery_state *discov = &hdev->discovery;
586
587         switch (discov->state) {
588         case DISCOVERY_FINDING:
589         case DISCOVERY_RESOLVING:
590                 return true;
591
592         default:
593                 return false;
594         }
595 }
596
597 void hci_discovery_set_state(struct hci_dev *hdev, int state)
598 {
599         BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
600
601         if (hdev->discovery.state == state)
602                 return;
603
604         switch (state) {
605         case DISCOVERY_STOPPED:
606                 if (hdev->discovery.state != DISCOVERY_STARTING)
607                         mgmt_discovering(hdev, 0);
608                 break;
609         case DISCOVERY_STARTING:
610                 break;
611         case DISCOVERY_FINDING:
612                 mgmt_discovering(hdev, 1);
613                 break;
614         case DISCOVERY_RESOLVING:
615                 break;
616         case DISCOVERY_STOPPING:
617                 break;
618         }
619
620         hdev->discovery.state = state;
621 }
622
623 static void inquiry_cache_flush(struct hci_dev *hdev)
624 {
625         struct discovery_state *cache = &hdev->discovery;
626         struct inquiry_entry *p, *n;
627
628         list_for_each_entry_safe(p, n, &cache->all, all) {
629                 list_del(&p->all);
630                 kfree(p);
631         }
632
633         INIT_LIST_HEAD(&cache->unknown);
634         INIT_LIST_HEAD(&cache->resolve);
635 }
636
637 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
638                                                bdaddr_t *bdaddr)
639 {
640         struct discovery_state *cache = &hdev->discovery;
641         struct inquiry_entry *e;
642
643         BT_DBG("cache %p, %pMR", cache, bdaddr);
644
645         list_for_each_entry(e, &cache->all, all) {
646                 if (!bacmp(&e->data.bdaddr, bdaddr))
647                         return e;
648         }
649
650         return NULL;
651 }
652
653 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
654                                                        bdaddr_t *bdaddr)
655 {
656         struct discovery_state *cache = &hdev->discovery;
657         struct inquiry_entry *e;
658
659         BT_DBG("cache %p, %pMR", cache, bdaddr);
660
661         list_for_each_entry(e, &cache->unknown, list) {
662                 if (!bacmp(&e->data.bdaddr, bdaddr))
663                         return e;
664         }
665
666         return NULL;
667 }
668
669 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
670                                                        bdaddr_t *bdaddr,
671                                                        int state)
672 {
673         struct discovery_state *cache = &hdev->discovery;
674         struct inquiry_entry *e;
675
676         BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
677
678         list_for_each_entry(e, &cache->resolve, list) {
679                 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
680                         return e;
681                 if (!bacmp(&e->data.bdaddr, bdaddr))
682                         return e;
683         }
684
685         return NULL;
686 }
687
688 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
689                                       struct inquiry_entry *ie)
690 {
691         struct discovery_state *cache = &hdev->discovery;
692         struct list_head *pos = &cache->resolve;
693         struct inquiry_entry *p;
694
695         list_del(&ie->list);
696
697         list_for_each_entry(p, &cache->resolve, list) {
698                 if (p->name_state != NAME_PENDING &&
699                     abs(p->data.rssi) >= abs(ie->data.rssi))
700                         break;
701                 pos = &p->list;
702         }
703
704         list_add(&ie->list, pos);
705 }
706
707 bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
708                               bool name_known, bool *ssp)
709 {
710         struct discovery_state *cache = &hdev->discovery;
711         struct inquiry_entry *ie;
712
713         BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
714
715         hci_remove_remote_oob_data(hdev, &data->bdaddr);
716
717         if (ssp)
718                 *ssp = data->ssp_mode;
719
720         ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
721         if (ie) {
722                 if (ie->data.ssp_mode && ssp)
723                         *ssp = true;
724
725                 if (ie->name_state == NAME_NEEDED &&
726                     data->rssi != ie->data.rssi) {
727                         ie->data.rssi = data->rssi;
728                         hci_inquiry_cache_update_resolve(hdev, ie);
729                 }
730
731                 goto update;
732         }
733
734         /* Entry not in the cache. Add new one. */
735         ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
736         if (!ie)
737                 return false;
738
739         list_add(&ie->all, &cache->all);
740
741         if (name_known) {
742                 ie->name_state = NAME_KNOWN;
743         } else {
744                 ie->name_state = NAME_NOT_KNOWN;
745                 list_add(&ie->list, &cache->unknown);
746         }
747
748 update:
749         if (name_known && ie->name_state != NAME_KNOWN &&
750             ie->name_state != NAME_PENDING) {
751                 ie->name_state = NAME_KNOWN;
752                 list_del(&ie->list);
753         }
754
755         memcpy(&ie->data, data, sizeof(*data));
756         ie->timestamp = jiffies;
757         cache->timestamp = jiffies;
758
759         if (ie->name_state == NAME_NOT_KNOWN)
760                 return false;
761
762         return true;
763 }
764
765 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
766 {
767         struct discovery_state *cache = &hdev->discovery;
768         struct inquiry_info *info = (struct inquiry_info *) buf;
769         struct inquiry_entry *e;
770         int copied = 0;
771
772         list_for_each_entry(e, &cache->all, all) {
773                 struct inquiry_data *data = &e->data;
774
775                 if (copied >= num)
776                         break;
777
778                 bacpy(&info->bdaddr, &data->bdaddr);
779                 info->pscan_rep_mode    = data->pscan_rep_mode;
780                 info->pscan_period_mode = data->pscan_period_mode;
781                 info->pscan_mode        = data->pscan_mode;
782                 memcpy(info->dev_class, data->dev_class, 3);
783                 info->clock_offset      = data->clock_offset;
784
785                 info++;
786                 copied++;
787         }
788
789         BT_DBG("cache %p, copied %d", cache, copied);
790         return copied;
791 }
792
793 static void hci_inq_req(struct hci_dev *hdev, unsigned long opt)
794 {
795         struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
796         struct hci_cp_inquiry cp;
797
798         BT_DBG("%s", hdev->name);
799
800         if (test_bit(HCI_INQUIRY, &hdev->flags))
801                 return;
802
803         /* Start Inquiry */
804         memcpy(&cp.lap, &ir->lap, 3);
805         cp.length  = ir->length;
806         cp.num_rsp = ir->num_rsp;
807         hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
808 }
809
810 int hci_inquiry(void __user *arg)
811 {
812         __u8 __user *ptr = arg;
813         struct hci_inquiry_req ir;
814         struct hci_dev *hdev;
815         int err = 0, do_inquiry = 0, max_rsp;
816         long timeo;
817         __u8 *buf;
818
819         if (copy_from_user(&ir, ptr, sizeof(ir)))
820                 return -EFAULT;
821
822         hdev = hci_dev_get(ir.dev_id);
823         if (!hdev)
824                 return -ENODEV;
825
826         hci_dev_lock(hdev);
827         if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
828             inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
829                 inquiry_cache_flush(hdev);
830                 do_inquiry = 1;
831         }
832         hci_dev_unlock(hdev);
833
834         timeo = ir.length * msecs_to_jiffies(2000);
835
836         if (do_inquiry) {
837                 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
838                                    timeo);
839                 if (err < 0)
840                         goto done;
841         }
842
843         /* for unlimited number of responses we will use buffer with
844          * 255 entries
845          */
846         max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
847
848         /* cache_dump can't sleep. Therefore we allocate temp buffer and then
849          * copy it to the user space.
850          */
851         buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
852         if (!buf) {
853                 err = -ENOMEM;
854                 goto done;
855         }
856
857         hci_dev_lock(hdev);
858         ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
859         hci_dev_unlock(hdev);
860
861         BT_DBG("num_rsp %d", ir.num_rsp);
862
863         if (!copy_to_user(ptr, &ir, sizeof(ir))) {
864                 ptr += sizeof(ir);
865                 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
866                                  ir.num_rsp))
867                         err = -EFAULT;
868         } else
869                 err = -EFAULT;
870
871         kfree(buf);
872
873 done:
874         hci_dev_put(hdev);
875         return err;
876 }
877
878 static u8 create_ad(struct hci_dev *hdev, u8 *ptr)
879 {
880         u8 ad_len = 0, flags = 0;
881         size_t name_len;
882
883         if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
884                 flags |= LE_AD_GENERAL;
885
886         if (!lmp_bredr_capable(hdev))
887                 flags |= LE_AD_NO_BREDR;
888
889         if (lmp_le_br_capable(hdev))
890                 flags |= LE_AD_SIM_LE_BREDR_CTRL;
891
892         if (lmp_host_le_br_capable(hdev))
893                 flags |= LE_AD_SIM_LE_BREDR_HOST;
894
895         if (flags) {
896                 BT_DBG("adv flags 0x%02x", flags);
897
898                 ptr[0] = 2;
899                 ptr[1] = EIR_FLAGS;
900                 ptr[2] = flags;
901
902                 ad_len += 3;
903                 ptr += 3;
904         }
905
906         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
907                 ptr[0] = 2;
908                 ptr[1] = EIR_TX_POWER;
909                 ptr[2] = (u8) hdev->adv_tx_power;
910
911                 ad_len += 3;
912                 ptr += 3;
913         }
914
915         name_len = strlen(hdev->dev_name);
916         if (name_len > 0) {
917                 size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
918
919                 if (name_len > max_len) {
920                         name_len = max_len;
921                         ptr[1] = EIR_NAME_SHORT;
922                 } else
923                         ptr[1] = EIR_NAME_COMPLETE;
924
925                 ptr[0] = name_len + 1;
926
927                 memcpy(ptr + 2, hdev->dev_name, name_len);
928
929                 ad_len += (name_len + 2);
930                 ptr += (name_len + 2);
931         }
932
933         return ad_len;
934 }
935
936 int hci_update_ad(struct hci_dev *hdev)
937 {
938         struct hci_cp_le_set_adv_data cp;
939         u8 len;
940         int err;
941
942         hci_dev_lock(hdev);
943
944         if (!lmp_le_capable(hdev)) {
945                 err = -EINVAL;
946                 goto unlock;
947         }
948
949         memset(&cp, 0, sizeof(cp));
950
951         len = create_ad(hdev, cp.data);
952
953         if (hdev->adv_data_len == len &&
954             memcmp(cp.data, hdev->adv_data, len) == 0) {
955                 err = 0;
956                 goto unlock;
957         }
958
959         memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
960         hdev->adv_data_len = len;
961
962         cp.length = len;
963         err = hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
964
965 unlock:
966         hci_dev_unlock(hdev);
967
968         return err;
969 }
970
971 /* ---- HCI ioctl helpers ---- */
972
973 int hci_dev_open(__u16 dev)
974 {
975         struct hci_dev *hdev;
976         int ret = 0;
977
978         hdev = hci_dev_get(dev);
979         if (!hdev)
980                 return -ENODEV;
981
982         BT_DBG("%s %p", hdev->name, hdev);
983
984         hci_req_lock(hdev);
985
986         if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
987                 ret = -ENODEV;
988                 goto done;
989         }
990
991         if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
992                 ret = -ERFKILL;
993                 goto done;
994         }
995
996         if (test_bit(HCI_UP, &hdev->flags)) {
997                 ret = -EALREADY;
998                 goto done;
999         }
1000
1001         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1002                 set_bit(HCI_RAW, &hdev->flags);
1003
1004         /* Treat all non BR/EDR controllers as raw devices if
1005            enable_hs is not set */
1006         if (hdev->dev_type != HCI_BREDR && !enable_hs)
1007                 set_bit(HCI_RAW, &hdev->flags);
1008
1009         if (hdev->open(hdev)) {
1010                 ret = -EIO;
1011                 goto done;
1012         }
1013
1014         if (!test_bit(HCI_RAW, &hdev->flags)) {
1015                 atomic_set(&hdev->cmd_cnt, 1);
1016                 set_bit(HCI_INIT, &hdev->flags);
1017                 hdev->init_last_cmd = 0;
1018
1019                 ret = __hci_init(hdev);
1020
1021                 clear_bit(HCI_INIT, &hdev->flags);
1022         }
1023
1024         if (!ret) {
1025                 hci_dev_hold(hdev);
1026                 set_bit(HCI_UP, &hdev->flags);
1027                 hci_notify(hdev, HCI_DEV_UP);
1028                 hci_update_ad(hdev);
1029                 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1030                     mgmt_valid_hdev(hdev)) {
1031                         hci_dev_lock(hdev);
1032                         mgmt_powered(hdev, 1);
1033                         hci_dev_unlock(hdev);
1034                 }
1035         } else {
1036                 /* Init failed, cleanup */
1037                 flush_work(&hdev->tx_work);
1038                 flush_work(&hdev->cmd_work);
1039                 flush_work(&hdev->rx_work);
1040
1041                 skb_queue_purge(&hdev->cmd_q);
1042                 skb_queue_purge(&hdev->rx_q);
1043
1044                 if (hdev->flush)
1045                         hdev->flush(hdev);
1046
1047                 if (hdev->sent_cmd) {
1048                         kfree_skb(hdev->sent_cmd);
1049                         hdev->sent_cmd = NULL;
1050                 }
1051
1052                 hdev->close(hdev);
1053                 hdev->flags = 0;
1054         }
1055
1056 done:
1057         hci_req_unlock(hdev);
1058         hci_dev_put(hdev);
1059         return ret;
1060 }
1061
1062 static int hci_dev_do_close(struct hci_dev *hdev)
1063 {
1064         BT_DBG("%s %p", hdev->name, hdev);
1065
1066         cancel_work_sync(&hdev->le_scan);
1067
1068         cancel_delayed_work(&hdev->power_off);
1069
1070         hci_req_cancel(hdev, ENODEV);
1071         hci_req_lock(hdev);
1072
1073         if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1074                 del_timer_sync(&hdev->cmd_timer);
1075                 hci_req_unlock(hdev);
1076                 return 0;
1077         }
1078
1079         /* Flush RX and TX works */
1080         flush_work(&hdev->tx_work);
1081         flush_work(&hdev->rx_work);
1082
1083         if (hdev->discov_timeout > 0) {
1084                 cancel_delayed_work(&hdev->discov_off);
1085                 hdev->discov_timeout = 0;
1086                 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1087         }
1088
1089         if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1090                 cancel_delayed_work(&hdev->service_cache);
1091
1092         cancel_delayed_work_sync(&hdev->le_scan_disable);
1093
1094         hci_dev_lock(hdev);
1095         inquiry_cache_flush(hdev);
1096         hci_conn_hash_flush(hdev);
1097         hci_dev_unlock(hdev);
1098
1099         hci_notify(hdev, HCI_DEV_DOWN);
1100
1101         if (hdev->flush)
1102                 hdev->flush(hdev);
1103
1104         /* Reset device */
1105         skb_queue_purge(&hdev->cmd_q);
1106         atomic_set(&hdev->cmd_cnt, 1);
1107         if (!test_bit(HCI_RAW, &hdev->flags) &&
1108             test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
1109                 set_bit(HCI_INIT, &hdev->flags);
1110                 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
1111                 clear_bit(HCI_INIT, &hdev->flags);
1112         }
1113
1114         /* flush cmd  work */
1115         flush_work(&hdev->cmd_work);
1116
1117         /* Drop queues */
1118         skb_queue_purge(&hdev->rx_q);
1119         skb_queue_purge(&hdev->cmd_q);
1120         skb_queue_purge(&hdev->raw_q);
1121
1122         /* Drop last sent command */
1123         if (hdev->sent_cmd) {
1124                 del_timer_sync(&hdev->cmd_timer);
1125                 kfree_skb(hdev->sent_cmd);
1126                 hdev->sent_cmd = NULL;
1127         }
1128
1129         /* After this point our queues are empty
1130          * and no tasks are scheduled. */
1131         hdev->close(hdev);
1132
1133         if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
1134             mgmt_valid_hdev(hdev)) {
1135                 hci_dev_lock(hdev);
1136                 mgmt_powered(hdev, 0);
1137                 hci_dev_unlock(hdev);
1138         }
1139
1140         /* Clear flags */
1141         hdev->flags = 0;
1142
1143         /* Controller radio is available but is currently powered down */
1144         hdev->amp_status = 0;
1145
1146         memset(hdev->eir, 0, sizeof(hdev->eir));
1147         memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1148
1149         hci_req_unlock(hdev);
1150
1151         hci_dev_put(hdev);
1152         return 0;
1153 }
1154
1155 int hci_dev_close(__u16 dev)
1156 {
1157         struct hci_dev *hdev;
1158         int err;
1159
1160         hdev = hci_dev_get(dev);
1161         if (!hdev)
1162                 return -ENODEV;
1163
1164         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1165                 cancel_delayed_work(&hdev->power_off);
1166
1167         err = hci_dev_do_close(hdev);
1168
1169         hci_dev_put(hdev);
1170         return err;
1171 }
1172
1173 int hci_dev_reset(__u16 dev)
1174 {
1175         struct hci_dev *hdev;
1176         int ret = 0;
1177
1178         hdev = hci_dev_get(dev);
1179         if (!hdev)
1180                 return -ENODEV;
1181
1182         hci_req_lock(hdev);
1183
1184         if (!test_bit(HCI_UP, &hdev->flags))
1185                 goto done;
1186
1187         /* Drop queues */
1188         skb_queue_purge(&hdev->rx_q);
1189         skb_queue_purge(&hdev->cmd_q);
1190
1191         hci_dev_lock(hdev);
1192         inquiry_cache_flush(hdev);
1193         hci_conn_hash_flush(hdev);
1194         hci_dev_unlock(hdev);
1195
1196         if (hdev->flush)
1197                 hdev->flush(hdev);
1198
1199         atomic_set(&hdev->cmd_cnt, 1);
1200         hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1201
1202         if (!test_bit(HCI_RAW, &hdev->flags))
1203                 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
1204
1205 done:
1206         hci_req_unlock(hdev);
1207         hci_dev_put(hdev);
1208         return ret;
1209 }
1210
1211 int hci_dev_reset_stat(__u16 dev)
1212 {
1213         struct hci_dev *hdev;
1214         int ret = 0;
1215
1216         hdev = hci_dev_get(dev);
1217         if (!hdev)
1218                 return -ENODEV;
1219
1220         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1221
1222         hci_dev_put(hdev);
1223
1224         return ret;
1225 }
1226
1227 int hci_dev_cmd(unsigned int cmd, void __user *arg)
1228 {
1229         struct hci_dev *hdev;
1230         struct hci_dev_req dr;
1231         int err = 0;
1232
1233         if (copy_from_user(&dr, arg, sizeof(dr)))
1234                 return -EFAULT;
1235
1236         hdev = hci_dev_get(dr.dev_id);
1237         if (!hdev)
1238                 return -ENODEV;
1239
1240         switch (cmd) {
1241         case HCISETAUTH:
1242                 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1243                                    HCI_INIT_TIMEOUT);
1244                 break;
1245
1246         case HCISETENCRYPT:
1247                 if (!lmp_encrypt_capable(hdev)) {
1248                         err = -EOPNOTSUPP;
1249                         break;
1250                 }
1251
1252                 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1253                         /* Auth must be enabled first */
1254                         err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1255                                            HCI_INIT_TIMEOUT);
1256                         if (err)
1257                                 break;
1258                 }
1259
1260                 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1261                                    HCI_INIT_TIMEOUT);
1262                 break;
1263
1264         case HCISETSCAN:
1265                 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1266                                    HCI_INIT_TIMEOUT);
1267                 break;
1268
1269         case HCISETLINKPOL:
1270                 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1271                                    HCI_INIT_TIMEOUT);
1272                 break;
1273
1274         case HCISETLINKMODE:
1275                 hdev->link_mode = ((__u16) dr.dev_opt) &
1276                                         (HCI_LM_MASTER | HCI_LM_ACCEPT);
1277                 break;
1278
1279         case HCISETPTYPE:
1280                 hdev->pkt_type = (__u16) dr.dev_opt;
1281                 break;
1282
1283         case HCISETACLMTU:
1284                 hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
1285                 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1286                 break;
1287
1288         case HCISETSCOMTU:
1289                 hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
1290                 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1291                 break;
1292
1293         default:
1294                 err = -EINVAL;
1295                 break;
1296         }
1297
1298         hci_dev_put(hdev);
1299         return err;
1300 }
1301
1302 int hci_get_dev_list(void __user *arg)
1303 {
1304         struct hci_dev *hdev;
1305         struct hci_dev_list_req *dl;
1306         struct hci_dev_req *dr;
1307         int n = 0, size, err;
1308         __u16 dev_num;
1309
1310         if (get_user(dev_num, (__u16 __user *) arg))
1311                 return -EFAULT;
1312
1313         if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1314                 return -EINVAL;
1315
1316         size = sizeof(*dl) + dev_num * sizeof(*dr);
1317
1318         dl = kzalloc(size, GFP_KERNEL);
1319         if (!dl)
1320                 return -ENOMEM;
1321
1322         dr = dl->dev_req;
1323
1324         read_lock(&hci_dev_list_lock);
1325         list_for_each_entry(hdev, &hci_dev_list, list) {
1326                 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1327                         cancel_delayed_work(&hdev->power_off);
1328
1329                 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1330                         set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1331
1332                 (dr + n)->dev_id  = hdev->id;
1333                 (dr + n)->dev_opt = hdev->flags;
1334
1335                 if (++n >= dev_num)
1336                         break;
1337         }
1338         read_unlock(&hci_dev_list_lock);
1339
1340         dl->dev_num = n;
1341         size = sizeof(*dl) + n * sizeof(*dr);
1342
1343         err = copy_to_user(arg, dl, size);
1344         kfree(dl);
1345
1346         return err ? -EFAULT : 0;
1347 }
1348
1349 int hci_get_dev_info(void __user *arg)
1350 {
1351         struct hci_dev *hdev;
1352         struct hci_dev_info di;
1353         int err = 0;
1354
1355         if (copy_from_user(&di, arg, sizeof(di)))
1356                 return -EFAULT;
1357
1358         hdev = hci_dev_get(di.dev_id);
1359         if (!hdev)
1360                 return -ENODEV;
1361
1362         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1363                 cancel_delayed_work_sync(&hdev->power_off);
1364
1365         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1366                 set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1367
1368         strcpy(di.name, hdev->name);
1369         di.bdaddr   = hdev->bdaddr;
1370         di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
1371         di.flags    = hdev->flags;
1372         di.pkt_type = hdev->pkt_type;
1373         if (lmp_bredr_capable(hdev)) {
1374                 di.acl_mtu  = hdev->acl_mtu;
1375                 di.acl_pkts = hdev->acl_pkts;
1376                 di.sco_mtu  = hdev->sco_mtu;
1377                 di.sco_pkts = hdev->sco_pkts;
1378         } else {
1379                 di.acl_mtu  = hdev->le_mtu;
1380                 di.acl_pkts = hdev->le_pkts;
1381                 di.sco_mtu  = 0;
1382                 di.sco_pkts = 0;
1383         }
1384         di.link_policy = hdev->link_policy;
1385         di.link_mode   = hdev->link_mode;
1386
1387         memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1388         memcpy(&di.features, &hdev->features, sizeof(di.features));
1389
1390         if (copy_to_user(arg, &di, sizeof(di)))
1391                 err = -EFAULT;
1392
1393         hci_dev_put(hdev);
1394
1395         return err;
1396 }
1397
1398 /* ---- Interface to HCI drivers ---- */
1399
1400 static int hci_rfkill_set_block(void *data, bool blocked)
1401 {
1402         struct hci_dev *hdev = data;
1403
1404         BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1405
1406         if (!blocked)
1407                 return 0;
1408
1409         hci_dev_do_close(hdev);
1410
1411         return 0;
1412 }
1413
1414 static const struct rfkill_ops hci_rfkill_ops = {
1415         .set_block = hci_rfkill_set_block,
1416 };
1417
1418 static void hci_power_on(struct work_struct *work)
1419 {
1420         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
1421
1422         BT_DBG("%s", hdev->name);
1423
1424         if (hci_dev_open(hdev->id) < 0)
1425                 return;
1426
1427         if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1428                 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1429                                    HCI_AUTO_OFF_TIMEOUT);
1430
1431         if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
1432                 mgmt_index_added(hdev);
1433 }
1434
1435 static void hci_power_off(struct work_struct *work)
1436 {
1437         struct hci_dev *hdev = container_of(work, struct hci_dev,
1438                                             power_off.work);
1439
1440         BT_DBG("%s", hdev->name);
1441
1442         hci_dev_do_close(hdev);
1443 }
1444
1445 static void hci_discov_off(struct work_struct *work)
1446 {
1447         struct hci_dev *hdev;
1448         u8 scan = SCAN_PAGE;
1449
1450         hdev = container_of(work, struct hci_dev, discov_off.work);
1451
1452         BT_DBG("%s", hdev->name);
1453
1454         hci_dev_lock(hdev);
1455
1456         hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
1457
1458         hdev->discov_timeout = 0;
1459
1460         hci_dev_unlock(hdev);
1461 }
1462
1463 int hci_uuids_clear(struct hci_dev *hdev)
1464 {
1465         struct bt_uuid *uuid, *tmp;
1466
1467         list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1468                 list_del(&uuid->list);
1469                 kfree(uuid);
1470         }
1471
1472         return 0;
1473 }
1474
1475 int hci_link_keys_clear(struct hci_dev *hdev)
1476 {
1477         struct list_head *p, *n;
1478
1479         list_for_each_safe(p, n, &hdev->link_keys) {
1480                 struct link_key *key;
1481
1482                 key = list_entry(p, struct link_key, list);
1483
1484                 list_del(p);
1485                 kfree(key);
1486         }
1487
1488         return 0;
1489 }
1490
1491 int hci_smp_ltks_clear(struct hci_dev *hdev)
1492 {
1493         struct smp_ltk *k, *tmp;
1494
1495         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1496                 list_del(&k->list);
1497                 kfree(k);
1498         }
1499
1500         return 0;
1501 }
1502
1503 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1504 {
1505         struct link_key *k;
1506
1507         list_for_each_entry(k, &hdev->link_keys, list)
1508                 if (bacmp(bdaddr, &k->bdaddr) == 0)
1509                         return k;
1510
1511         return NULL;
1512 }
1513
1514 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1515                                u8 key_type, u8 old_key_type)
1516 {
1517         /* Legacy key */
1518         if (key_type < 0x03)
1519                 return true;
1520
1521         /* Debug keys are insecure so don't store them persistently */
1522         if (key_type == HCI_LK_DEBUG_COMBINATION)
1523                 return false;
1524
1525         /* Changed combination key and there's no previous one */
1526         if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1527                 return false;
1528
1529         /* Security mode 3 case */
1530         if (!conn)
1531                 return true;
1532
1533         /* Neither local nor remote side had no-bonding as requirement */
1534         if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1535                 return true;
1536
1537         /* Local side had dedicated bonding as requirement */
1538         if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1539                 return true;
1540
1541         /* Remote side had dedicated bonding as requirement */
1542         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1543                 return true;
1544
1545         /* If none of the above criteria match, then don't store the key
1546          * persistently */
1547         return false;
1548 }
1549
1550 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1551 {
1552         struct smp_ltk *k;
1553
1554         list_for_each_entry(k, &hdev->long_term_keys, list) {
1555                 if (k->ediv != ediv ||
1556                     memcmp(rand, k->rand, sizeof(k->rand)))
1557                         continue;
1558
1559                 return k;
1560         }
1561
1562         return NULL;
1563 }
1564
1565 struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1566                                      u8 addr_type)
1567 {
1568         struct smp_ltk *k;
1569
1570         list_for_each_entry(k, &hdev->long_term_keys, list)
1571                 if (addr_type == k->bdaddr_type &&
1572                     bacmp(bdaddr, &k->bdaddr) == 0)
1573                         return k;
1574
1575         return NULL;
1576 }
1577
1578 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1579                      bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1580 {
1581         struct link_key *key, *old_key;
1582         u8 old_key_type;
1583         bool persistent;
1584
1585         old_key = hci_find_link_key(hdev, bdaddr);
1586         if (old_key) {
1587                 old_key_type = old_key->type;
1588                 key = old_key;
1589         } else {
1590                 old_key_type = conn ? conn->key_type : 0xff;
1591                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1592                 if (!key)
1593                         return -ENOMEM;
1594                 list_add(&key->list, &hdev->link_keys);
1595         }
1596
1597         BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1598
1599         /* Some buggy controller combinations generate a changed
1600          * combination key for legacy pairing even when there's no
1601          * previous key */
1602         if (type == HCI_LK_CHANGED_COMBINATION &&
1603             (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1604                 type = HCI_LK_COMBINATION;
1605                 if (conn)
1606                         conn->key_type = type;
1607         }
1608
1609         bacpy(&key->bdaddr, bdaddr);
1610         memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1611         key->pin_len = pin_len;
1612
1613         if (type == HCI_LK_CHANGED_COMBINATION)
1614                 key->type = old_key_type;
1615         else
1616                 key->type = type;
1617
1618         if (!new_key)
1619                 return 0;
1620
1621         persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1622
1623         mgmt_new_link_key(hdev, key, persistent);
1624
1625         if (conn)
1626                 conn->flush_key = !persistent;
1627
1628         return 0;
1629 }
1630
1631 int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
1632                 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16
1633                 ediv, u8 rand[8])
1634 {
1635         struct smp_ltk *key, *old_key;
1636
1637         if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK))
1638                 return 0;
1639
1640         old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
1641         if (old_key)
1642                 key = old_key;
1643         else {
1644                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1645                 if (!key)
1646                         return -ENOMEM;
1647                 list_add(&key->list, &hdev->long_term_keys);
1648         }
1649
1650         bacpy(&key->bdaddr, bdaddr);
1651         key->bdaddr_type = addr_type;
1652         memcpy(key->val, tk, sizeof(key->val));
1653         key->authenticated = authenticated;
1654         key->ediv = ediv;
1655         key->enc_size = enc_size;
1656         key->type = type;
1657         memcpy(key->rand, rand, sizeof(key->rand));
1658
1659         if (!new_key)
1660                 return 0;
1661
1662         if (type & HCI_SMP_LTK)
1663                 mgmt_new_ltk(hdev, key, 1);
1664
1665         return 0;
1666 }
1667
1668 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1669 {
1670         struct link_key *key;
1671
1672         key = hci_find_link_key(hdev, bdaddr);
1673         if (!key)
1674                 return -ENOENT;
1675
1676         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1677
1678         list_del(&key->list);
1679         kfree(key);
1680
1681         return 0;
1682 }
1683
1684 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
1685 {
1686         struct smp_ltk *k, *tmp;
1687
1688         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1689                 if (bacmp(bdaddr, &k->bdaddr))
1690                         continue;
1691
1692                 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1693
1694                 list_del(&k->list);
1695                 kfree(k);
1696         }
1697
1698         return 0;
1699 }
1700
1701 /* HCI command timer function */
1702 static void hci_cmd_timeout(unsigned long arg)
1703 {
1704         struct hci_dev *hdev = (void *) arg;
1705
1706         if (hdev->sent_cmd) {
1707                 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
1708                 u16 opcode = __le16_to_cpu(sent->opcode);
1709
1710                 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
1711         } else {
1712                 BT_ERR("%s command tx timeout", hdev->name);
1713         }
1714
1715         atomic_set(&hdev->cmd_cnt, 1);
1716         queue_work(hdev->workqueue, &hdev->cmd_work);
1717 }
1718
1719 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1720                                           bdaddr_t *bdaddr)
1721 {
1722         struct oob_data *data;
1723
1724         list_for_each_entry(data, &hdev->remote_oob_data, list)
1725                 if (bacmp(bdaddr, &data->bdaddr) == 0)
1726                         return data;
1727
1728         return NULL;
1729 }
1730
1731 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1732 {
1733         struct oob_data *data;
1734
1735         data = hci_find_remote_oob_data(hdev, bdaddr);
1736         if (!data)
1737                 return -ENOENT;
1738
1739         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1740
1741         list_del(&data->list);
1742         kfree(data);
1743
1744         return 0;
1745 }
1746
1747 int hci_remote_oob_data_clear(struct hci_dev *hdev)
1748 {
1749         struct oob_data *data, *n;
1750
1751         list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1752                 list_del(&data->list);
1753                 kfree(data);
1754         }
1755
1756         return 0;
1757 }
1758
1759 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1760                             u8 *randomizer)
1761 {
1762         struct oob_data *data;
1763
1764         data = hci_find_remote_oob_data(hdev, bdaddr);
1765
1766         if (!data) {
1767                 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1768                 if (!data)
1769                         return -ENOMEM;
1770
1771                 bacpy(&data->bdaddr, bdaddr);
1772                 list_add(&data->list, &hdev->remote_oob_data);
1773         }
1774
1775         memcpy(data->hash, hash, sizeof(data->hash));
1776         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1777
1778         BT_DBG("%s for %pMR", hdev->name, bdaddr);
1779
1780         return 0;
1781 }
1782
1783 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
1784 {
1785         struct bdaddr_list *b;
1786
1787         list_for_each_entry(b, &hdev->blacklist, list)
1788                 if (bacmp(bdaddr, &b->bdaddr) == 0)
1789                         return b;
1790
1791         return NULL;
1792 }
1793
1794 int hci_blacklist_clear(struct hci_dev *hdev)
1795 {
1796         struct list_head *p, *n;
1797
1798         list_for_each_safe(p, n, &hdev->blacklist) {
1799                 struct bdaddr_list *b;
1800
1801                 b = list_entry(p, struct bdaddr_list, list);
1802
1803                 list_del(p);
1804                 kfree(b);
1805         }
1806
1807         return 0;
1808 }
1809
1810 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1811 {
1812         struct bdaddr_list *entry;
1813
1814         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1815                 return -EBADF;
1816
1817         if (hci_blacklist_lookup(hdev, bdaddr))
1818                 return -EEXIST;
1819
1820         entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1821         if (!entry)
1822                 return -ENOMEM;
1823
1824         bacpy(&entry->bdaddr, bdaddr);
1825
1826         list_add(&entry->list, &hdev->blacklist);
1827
1828         return mgmt_device_blocked(hdev, bdaddr, type);
1829 }
1830
1831 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1832 {
1833         struct bdaddr_list *entry;
1834
1835         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1836                 return hci_blacklist_clear(hdev);
1837
1838         entry = hci_blacklist_lookup(hdev, bdaddr);
1839         if (!entry)
1840                 return -ENOENT;
1841
1842         list_del(&entry->list);
1843         kfree(entry);
1844
1845         return mgmt_device_unblocked(hdev, bdaddr, type);
1846 }
1847
1848 static void le_scan_param_req(struct hci_dev *hdev, unsigned long opt)
1849 {
1850         struct le_scan_params *param =  (struct le_scan_params *) opt;
1851         struct hci_cp_le_set_scan_param cp;
1852
1853         memset(&cp, 0, sizeof(cp));
1854         cp.type = param->type;
1855         cp.interval = cpu_to_le16(param->interval);
1856         cp.window = cpu_to_le16(param->window);
1857
1858         hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_PARAM, sizeof(cp), &cp);
1859 }
1860
1861 static void le_scan_enable_req(struct hci_dev *hdev, unsigned long opt)
1862 {
1863         struct hci_cp_le_set_scan_enable cp;
1864
1865         memset(&cp, 0, sizeof(cp));
1866         cp.enable = 1;
1867         cp.filter_dup = 1;
1868
1869         hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
1870 }
1871
1872 static int hci_do_le_scan(struct hci_dev *hdev, u8 type, u16 interval,
1873                           u16 window, int timeout)
1874 {
1875         long timeo = msecs_to_jiffies(3000);
1876         struct le_scan_params param;
1877         int err;
1878
1879         BT_DBG("%s", hdev->name);
1880
1881         if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
1882                 return -EINPROGRESS;
1883
1884         param.type = type;
1885         param.interval = interval;
1886         param.window = window;
1887
1888         hci_req_lock(hdev);
1889
1890         err = __hci_req_sync(hdev, le_scan_param_req, (unsigned long) &param,
1891                              timeo);
1892         if (!err)
1893                 err = __hci_req_sync(hdev, le_scan_enable_req, 0, timeo);
1894
1895         hci_req_unlock(hdev);
1896
1897         if (err < 0)
1898                 return err;
1899
1900         queue_delayed_work(hdev->workqueue, &hdev->le_scan_disable,
1901                            msecs_to_jiffies(timeout));
1902
1903         return 0;
1904 }
1905
1906 int hci_cancel_le_scan(struct hci_dev *hdev)
1907 {
1908         BT_DBG("%s", hdev->name);
1909
1910         if (!test_bit(HCI_LE_SCAN, &hdev->dev_flags))
1911                 return -EALREADY;
1912
1913         if (cancel_delayed_work(&hdev->le_scan_disable)) {
1914                 struct hci_cp_le_set_scan_enable cp;
1915
1916                 /* Send HCI command to disable LE Scan */
1917                 memset(&cp, 0, sizeof(cp));
1918                 hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
1919         }
1920
1921         return 0;
1922 }
1923
1924 static void le_scan_disable_work(struct work_struct *work)
1925 {
1926         struct hci_dev *hdev = container_of(work, struct hci_dev,
1927                                             le_scan_disable.work);
1928         struct hci_cp_le_set_scan_enable cp;
1929
1930         BT_DBG("%s", hdev->name);
1931
1932         memset(&cp, 0, sizeof(cp));
1933
1934         hci_send_cmd(hdev, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
1935 }
1936
1937 static void le_scan_work(struct work_struct *work)
1938 {
1939         struct hci_dev *hdev = container_of(work, struct hci_dev, le_scan);
1940         struct le_scan_params *param = &hdev->le_scan_params;
1941
1942         BT_DBG("%s", hdev->name);
1943
1944         hci_do_le_scan(hdev, param->type, param->interval, param->window,
1945                        param->timeout);
1946 }
1947
1948 int hci_le_scan(struct hci_dev *hdev, u8 type, u16 interval, u16 window,
1949                 int timeout)
1950 {
1951         struct le_scan_params *param = &hdev->le_scan_params;
1952
1953         BT_DBG("%s", hdev->name);
1954
1955         if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
1956                 return -ENOTSUPP;
1957
1958         if (work_busy(&hdev->le_scan))
1959                 return -EINPROGRESS;
1960
1961         param->type = type;
1962         param->interval = interval;
1963         param->window = window;
1964         param->timeout = timeout;
1965
1966         queue_work(system_long_wq, &hdev->le_scan);
1967
1968         return 0;
1969 }
1970
1971 /* Alloc HCI device */
1972 struct hci_dev *hci_alloc_dev(void)
1973 {
1974         struct hci_dev *hdev;
1975
1976         hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
1977         if (!hdev)
1978                 return NULL;
1979
1980         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
1981         hdev->esco_type = (ESCO_HV1);
1982         hdev->link_mode = (HCI_LM_ACCEPT);
1983         hdev->io_capability = 0x03; /* No Input No Output */
1984         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
1985         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
1986
1987         hdev->sniff_max_interval = 800;
1988         hdev->sniff_min_interval = 80;
1989
1990         mutex_init(&hdev->lock);
1991         mutex_init(&hdev->req_lock);
1992
1993         INIT_LIST_HEAD(&hdev->mgmt_pending);
1994         INIT_LIST_HEAD(&hdev->blacklist);
1995         INIT_LIST_HEAD(&hdev->uuids);
1996         INIT_LIST_HEAD(&hdev->link_keys);
1997         INIT_LIST_HEAD(&hdev->long_term_keys);
1998         INIT_LIST_HEAD(&hdev->remote_oob_data);
1999         INIT_LIST_HEAD(&hdev->conn_hash.list);
2000
2001         INIT_WORK(&hdev->rx_work, hci_rx_work);
2002         INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2003         INIT_WORK(&hdev->tx_work, hci_tx_work);
2004         INIT_WORK(&hdev->power_on, hci_power_on);
2005         INIT_WORK(&hdev->le_scan, le_scan_work);
2006
2007         INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2008         INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2009         INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2010
2011         skb_queue_head_init(&hdev->driver_init);
2012         skb_queue_head_init(&hdev->rx_q);
2013         skb_queue_head_init(&hdev->cmd_q);
2014         skb_queue_head_init(&hdev->raw_q);
2015
2016         init_waitqueue_head(&hdev->req_wait_q);
2017
2018         setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
2019
2020         hci_init_sysfs(hdev);
2021         discovery_init(hdev);
2022
2023         return hdev;
2024 }
2025 EXPORT_SYMBOL(hci_alloc_dev);
2026
2027 /* Free HCI device */
2028 void hci_free_dev(struct hci_dev *hdev)
2029 {
2030         skb_queue_purge(&hdev->driver_init);
2031
2032         /* will free via device release */
2033         put_device(&hdev->dev);
2034 }
2035 EXPORT_SYMBOL(hci_free_dev);
2036
2037 /* Register HCI device */
2038 int hci_register_dev(struct hci_dev *hdev)
2039 {
2040         int id, error;
2041
2042         if (!hdev->open || !hdev->close)
2043                 return -EINVAL;
2044
2045         /* Do not allow HCI_AMP devices to register at index 0,
2046          * so the index can be used as the AMP controller ID.
2047          */
2048         switch (hdev->dev_type) {
2049         case HCI_BREDR:
2050                 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
2051                 break;
2052         case HCI_AMP:
2053                 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
2054                 break;
2055         default:
2056                 return -EINVAL;
2057         }
2058
2059         if (id < 0)
2060                 return id;
2061
2062         sprintf(hdev->name, "hci%d", id);
2063         hdev->id = id;
2064
2065         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2066
2067         write_lock(&hci_dev_list_lock);
2068         list_add(&hdev->list, &hci_dev_list);
2069         write_unlock(&hci_dev_list_lock);
2070
2071         hdev->workqueue = alloc_workqueue(hdev->name, WQ_HIGHPRI | WQ_UNBOUND |
2072                                           WQ_MEM_RECLAIM, 1);
2073         if (!hdev->workqueue) {
2074                 error = -ENOMEM;
2075                 goto err;
2076         }
2077
2078         hdev->req_workqueue = alloc_workqueue(hdev->name,
2079                                               WQ_HIGHPRI | WQ_UNBOUND |
2080                                               WQ_MEM_RECLAIM, 1);
2081         if (!hdev->req_workqueue) {
2082                 destroy_workqueue(hdev->workqueue);
2083                 error = -ENOMEM;
2084                 goto err;
2085         }
2086
2087         error = hci_add_sysfs(hdev);
2088         if (error < 0)
2089                 goto err_wqueue;
2090
2091         hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2092                                     RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2093                                     hdev);
2094         if (hdev->rfkill) {
2095                 if (rfkill_register(hdev->rfkill) < 0) {
2096                         rfkill_destroy(hdev->rfkill);
2097                         hdev->rfkill = NULL;
2098                 }
2099         }
2100
2101         set_bit(HCI_SETUP, &hdev->dev_flags);
2102
2103         if (hdev->dev_type != HCI_AMP)
2104                 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2105
2106         hci_notify(hdev, HCI_DEV_REG);
2107         hci_dev_hold(hdev);
2108
2109         queue_work(hdev->req_workqueue, &hdev->power_on);
2110
2111         return id;
2112
2113 err_wqueue:
2114         destroy_workqueue(hdev->workqueue);
2115         destroy_workqueue(hdev->req_workqueue);
2116 err:
2117         ida_simple_remove(&hci_index_ida, hdev->id);
2118         write_lock(&hci_dev_list_lock);
2119         list_del(&hdev->list);
2120         write_unlock(&hci_dev_list_lock);
2121
2122         return error;
2123 }
2124 EXPORT_SYMBOL(hci_register_dev);
2125
2126 /* Unregister HCI device */
2127 void hci_unregister_dev(struct hci_dev *hdev)
2128 {
2129         int i, id;
2130
2131         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2132
2133         set_bit(HCI_UNREGISTER, &hdev->dev_flags);
2134
2135         id = hdev->id;
2136
2137         write_lock(&hci_dev_list_lock);
2138         list_del(&hdev->list);
2139         write_unlock(&hci_dev_list_lock);
2140
2141         hci_dev_do_close(hdev);
2142
2143         for (i = 0; i < NUM_REASSEMBLY; i++)
2144                 kfree_skb(hdev->reassembly[i]);
2145
2146         cancel_work_sync(&hdev->power_on);
2147
2148         if (!test_bit(HCI_INIT, &hdev->flags) &&
2149             !test_bit(HCI_SETUP, &hdev->dev_flags)) {
2150                 hci_dev_lock(hdev);
2151                 mgmt_index_removed(hdev);
2152                 hci_dev_unlock(hdev);
2153         }
2154
2155         /* mgmt_index_removed should take care of emptying the
2156          * pending list */
2157         BUG_ON(!list_empty(&hdev->mgmt_pending));
2158
2159         hci_notify(hdev, HCI_DEV_UNREG);
2160
2161         if (hdev->rfkill) {
2162                 rfkill_unregister(hdev->rfkill);
2163                 rfkill_destroy(hdev->rfkill);
2164         }
2165
2166         hci_del_sysfs(hdev);
2167
2168         destroy_workqueue(hdev->workqueue);
2169         destroy_workqueue(hdev->req_workqueue);
2170
2171         hci_dev_lock(hdev);
2172         hci_blacklist_clear(hdev);
2173         hci_uuids_clear(hdev);
2174         hci_link_keys_clear(hdev);
2175         hci_smp_ltks_clear(hdev);
2176         hci_remote_oob_data_clear(hdev);
2177         hci_dev_unlock(hdev);
2178
2179         hci_dev_put(hdev);
2180
2181         ida_simple_remove(&hci_index_ida, id);
2182 }
2183 EXPORT_SYMBOL(hci_unregister_dev);
2184
2185 /* Suspend HCI device */
2186 int hci_suspend_dev(struct hci_dev *hdev)
2187 {
2188         hci_notify(hdev, HCI_DEV_SUSPEND);
2189         return 0;
2190 }
2191 EXPORT_SYMBOL(hci_suspend_dev);
2192
2193 /* Resume HCI device */
2194 int hci_resume_dev(struct hci_dev *hdev)
2195 {
2196         hci_notify(hdev, HCI_DEV_RESUME);
2197         return 0;
2198 }
2199 EXPORT_SYMBOL(hci_resume_dev);
2200
2201 /* Receive frame from HCI drivers */
2202 int hci_recv_frame(struct sk_buff *skb)
2203 {
2204         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2205         if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2206                       && !test_bit(HCI_INIT, &hdev->flags))) {
2207                 kfree_skb(skb);
2208                 return -ENXIO;
2209         }
2210
2211         /* Incoming skb */
2212         bt_cb(skb)->incoming = 1;
2213
2214         /* Time stamp */
2215         __net_timestamp(skb);
2216
2217         skb_queue_tail(&hdev->rx_q, skb);
2218         queue_work(hdev->workqueue, &hdev->rx_work);
2219
2220         return 0;
2221 }
2222 EXPORT_SYMBOL(hci_recv_frame);
2223
2224 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
2225                           int count, __u8 index)
2226 {
2227         int len = 0;
2228         int hlen = 0;
2229         int remain = count;
2230         struct sk_buff *skb;
2231         struct bt_skb_cb *scb;
2232
2233         if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
2234             index >= NUM_REASSEMBLY)
2235                 return -EILSEQ;
2236
2237         skb = hdev->reassembly[index];
2238
2239         if (!skb) {
2240                 switch (type) {
2241                 case HCI_ACLDATA_PKT:
2242                         len = HCI_MAX_FRAME_SIZE;
2243                         hlen = HCI_ACL_HDR_SIZE;
2244                         break;
2245                 case HCI_EVENT_PKT:
2246                         len = HCI_MAX_EVENT_SIZE;
2247                         hlen = HCI_EVENT_HDR_SIZE;
2248                         break;
2249                 case HCI_SCODATA_PKT:
2250                         len = HCI_MAX_SCO_SIZE;
2251                         hlen = HCI_SCO_HDR_SIZE;
2252                         break;
2253                 }
2254
2255                 skb = bt_skb_alloc(len, GFP_ATOMIC);
2256                 if (!skb)
2257                         return -ENOMEM;
2258
2259                 scb = (void *) skb->cb;
2260                 scb->expect = hlen;
2261                 scb->pkt_type = type;
2262
2263                 skb->dev = (void *) hdev;
2264                 hdev->reassembly[index] = skb;
2265         }
2266
2267         while (count) {
2268                 scb = (void *) skb->cb;
2269                 len = min_t(uint, scb->expect, count);
2270
2271                 memcpy(skb_put(skb, len), data, len);
2272
2273                 count -= len;
2274                 data += len;
2275                 scb->expect -= len;
2276                 remain = count;
2277
2278                 switch (type) {
2279                 case HCI_EVENT_PKT:
2280                         if (skb->len == HCI_EVENT_HDR_SIZE) {
2281                                 struct hci_event_hdr *h = hci_event_hdr(skb);
2282                                 scb->expect = h->plen;
2283
2284                                 if (skb_tailroom(skb) < scb->expect) {
2285                                         kfree_skb(skb);
2286                                         hdev->reassembly[index] = NULL;
2287                                         return -ENOMEM;
2288                                 }
2289                         }
2290                         break;
2291
2292                 case HCI_ACLDATA_PKT:
2293                         if (skb->len  == HCI_ACL_HDR_SIZE) {
2294                                 struct hci_acl_hdr *h = hci_acl_hdr(skb);
2295                                 scb->expect = __le16_to_cpu(h->dlen);
2296
2297                                 if (skb_tailroom(skb) < scb->expect) {
2298                                         kfree_skb(skb);
2299                                         hdev->reassembly[index] = NULL;
2300                                         return -ENOMEM;
2301                                 }
2302                         }
2303                         break;
2304
2305                 case HCI_SCODATA_PKT:
2306                         if (skb->len == HCI_SCO_HDR_SIZE) {
2307                                 struct hci_sco_hdr *h = hci_sco_hdr(skb);
2308                                 scb->expect = h->dlen;
2309
2310                                 if (skb_tailroom(skb) < scb->expect) {
2311                                         kfree_skb(skb);
2312                                         hdev->reassembly[index] = NULL;
2313                                         return -ENOMEM;
2314                                 }
2315                         }
2316                         break;
2317                 }
2318
2319                 if (scb->expect == 0) {
2320                         /* Complete frame */
2321
2322                         bt_cb(skb)->pkt_type = type;
2323                         hci_recv_frame(skb);
2324
2325                         hdev->reassembly[index] = NULL;
2326                         return remain;
2327                 }
2328         }
2329
2330         return remain;
2331 }
2332
2333 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
2334 {
2335         int rem = 0;
2336
2337         if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
2338                 return -EILSEQ;
2339
2340         while (count) {
2341                 rem = hci_reassembly(hdev, type, data, count, type - 1);
2342                 if (rem < 0)
2343                         return rem;
2344
2345                 data += (count - rem);
2346                 count = rem;
2347         }
2348
2349         return rem;
2350 }
2351 EXPORT_SYMBOL(hci_recv_fragment);
2352
2353 #define STREAM_REASSEMBLY 0
2354
2355 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
2356 {
2357         int type;
2358         int rem = 0;
2359
2360         while (count) {
2361                 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
2362
2363                 if (!skb) {
2364                         struct { char type; } *pkt;
2365
2366                         /* Start of the frame */
2367                         pkt = data;
2368                         type = pkt->type;
2369
2370                         data++;
2371                         count--;
2372                 } else
2373                         type = bt_cb(skb)->pkt_type;
2374
2375                 rem = hci_reassembly(hdev, type, data, count,
2376                                      STREAM_REASSEMBLY);
2377                 if (rem < 0)
2378                         return rem;
2379
2380                 data += (count - rem);
2381                 count = rem;
2382         }
2383
2384         return rem;
2385 }
2386 EXPORT_SYMBOL(hci_recv_stream_fragment);
2387
2388 /* ---- Interface to upper protocols ---- */
2389
2390 int hci_register_cb(struct hci_cb *cb)
2391 {
2392         BT_DBG("%p name %s", cb, cb->name);
2393
2394         write_lock(&hci_cb_list_lock);
2395         list_add(&cb->list, &hci_cb_list);
2396         write_unlock(&hci_cb_list_lock);
2397
2398         return 0;
2399 }
2400 EXPORT_SYMBOL(hci_register_cb);
2401
2402 int hci_unregister_cb(struct hci_cb *cb)
2403 {
2404         BT_DBG("%p name %s", cb, cb->name);
2405
2406         write_lock(&hci_cb_list_lock);
2407         list_del(&cb->list);
2408         write_unlock(&hci_cb_list_lock);
2409
2410         return 0;
2411 }
2412 EXPORT_SYMBOL(hci_unregister_cb);
2413
2414 static int hci_send_frame(struct sk_buff *skb)
2415 {
2416         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2417
2418         if (!hdev) {
2419                 kfree_skb(skb);
2420                 return -ENODEV;
2421         }
2422
2423         BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
2424
2425         /* Time stamp */
2426         __net_timestamp(skb);
2427
2428         /* Send copy to monitor */
2429         hci_send_to_monitor(hdev, skb);
2430
2431         if (atomic_read(&hdev->promisc)) {
2432                 /* Send copy to the sockets */
2433                 hci_send_to_sock(hdev, skb);
2434         }
2435
2436         /* Get rid of skb owner, prior to sending to the driver. */
2437         skb_orphan(skb);
2438
2439         return hdev->send(skb);
2440 }
2441
2442 void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
2443 {
2444         skb_queue_head_init(&req->cmd_q);
2445         req->hdev = hdev;
2446 }
2447
2448 int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
2449 {
2450         struct hci_dev *hdev = req->hdev;
2451         struct sk_buff *skb;
2452         unsigned long flags;
2453
2454         BT_DBG("length %u", skb_queue_len(&req->cmd_q));
2455
2456         /* Do not allow empty requests */
2457         if (skb_queue_empty(&req->cmd_q))
2458                 return -EINVAL;
2459
2460         skb = skb_peek_tail(&req->cmd_q);
2461         bt_cb(skb)->req.complete = complete;
2462
2463         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
2464         skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
2465         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
2466
2467         queue_work(hdev->workqueue, &hdev->cmd_work);
2468
2469         return 0;
2470 }
2471
2472 static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
2473                                        u32 plen, void *param)
2474 {
2475         int len = HCI_COMMAND_HDR_SIZE + plen;
2476         struct hci_command_hdr *hdr;
2477         struct sk_buff *skb;
2478
2479         skb = bt_skb_alloc(len, GFP_ATOMIC);
2480         if (!skb)
2481                 return NULL;
2482
2483         hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
2484         hdr->opcode = cpu_to_le16(opcode);
2485         hdr->plen   = plen;
2486
2487         if (plen)
2488                 memcpy(skb_put(skb, plen), param, plen);
2489
2490         BT_DBG("skb len %d", skb->len);
2491
2492         bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
2493         skb->dev = (void *) hdev;
2494
2495         return skb;
2496 }
2497
2498 /* Send HCI command */
2499 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
2500 {
2501         struct sk_buff *skb;
2502
2503         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2504
2505         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2506         if (!skb) {
2507                 BT_ERR("%s no memory for command", hdev->name);
2508                 return -ENOMEM;
2509         }
2510
2511         if (test_bit(HCI_INIT, &hdev->flags))
2512                 hdev->init_last_cmd = opcode;
2513
2514         skb_queue_tail(&hdev->cmd_q, skb);
2515         queue_work(hdev->workqueue, &hdev->cmd_work);
2516
2517         return 0;
2518 }
2519
2520 /* Queue a command to an asynchronous HCI request */
2521 int hci_req_add(struct hci_request *req, u16 opcode, u32 plen, void *param)
2522 {
2523         struct hci_dev *hdev = req->hdev;
2524         struct sk_buff *skb;
2525
2526         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2527
2528         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2529         if (!skb) {
2530                 BT_ERR("%s no memory for command", hdev->name);
2531                 return -ENOMEM;
2532         }
2533
2534         if (skb_queue_empty(&req->cmd_q))
2535                 bt_cb(skb)->req.start = true;
2536
2537         skb_queue_tail(&req->cmd_q, skb);
2538
2539         return 0;
2540 }
2541
2542 /* Get data from the previously sent command */
2543 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
2544 {
2545         struct hci_command_hdr *hdr;
2546
2547         if (!hdev->sent_cmd)
2548                 return NULL;
2549
2550         hdr = (void *) hdev->sent_cmd->data;
2551
2552         if (hdr->opcode != cpu_to_le16(opcode))
2553                 return NULL;
2554
2555         BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2556
2557         return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
2558 }
2559
2560 /* Send ACL data */
2561 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
2562 {
2563         struct hci_acl_hdr *hdr;
2564         int len = skb->len;
2565
2566         skb_push(skb, HCI_ACL_HDR_SIZE);
2567         skb_reset_transport_header(skb);
2568         hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
2569         hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
2570         hdr->dlen   = cpu_to_le16(len);
2571 }
2572
2573 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
2574                           struct sk_buff *skb, __u16 flags)
2575 {
2576         struct hci_conn *conn = chan->conn;
2577         struct hci_dev *hdev = conn->hdev;
2578         struct sk_buff *list;
2579
2580         skb->len = skb_headlen(skb);
2581         skb->data_len = 0;
2582
2583         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2584
2585         switch (hdev->dev_type) {
2586         case HCI_BREDR:
2587                 hci_add_acl_hdr(skb, conn->handle, flags);
2588                 break;
2589         case HCI_AMP:
2590                 hci_add_acl_hdr(skb, chan->handle, flags);
2591                 break;
2592         default:
2593                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2594                 return;
2595         }
2596
2597         list = skb_shinfo(skb)->frag_list;
2598         if (!list) {
2599                 /* Non fragmented */
2600                 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
2601
2602                 skb_queue_tail(queue, skb);
2603         } else {
2604                 /* Fragmented */
2605                 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2606
2607                 skb_shinfo(skb)->frag_list = NULL;
2608
2609                 /* Queue all fragments atomically */
2610                 spin_lock(&queue->lock);
2611
2612                 __skb_queue_tail(queue, skb);
2613
2614                 flags &= ~ACL_START;
2615                 flags |= ACL_CONT;
2616                 do {
2617                         skb = list; list = list->next;
2618
2619                         skb->dev = (void *) hdev;
2620                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2621                         hci_add_acl_hdr(skb, conn->handle, flags);
2622
2623                         BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2624
2625                         __skb_queue_tail(queue, skb);
2626                 } while (list);
2627
2628                 spin_unlock(&queue->lock);
2629         }
2630 }
2631
2632 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
2633 {
2634         struct hci_dev *hdev = chan->conn->hdev;
2635
2636         BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
2637
2638         skb->dev = (void *) hdev;
2639
2640         hci_queue_acl(chan, &chan->data_q, skb, flags);
2641
2642         queue_work(hdev->workqueue, &hdev->tx_work);
2643 }
2644
2645 /* Send SCO data */
2646 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
2647 {
2648         struct hci_dev *hdev = conn->hdev;
2649         struct hci_sco_hdr hdr;
2650
2651         BT_DBG("%s len %d", hdev->name, skb->len);
2652
2653         hdr.handle = cpu_to_le16(conn->handle);
2654         hdr.dlen   = skb->len;
2655
2656         skb_push(skb, HCI_SCO_HDR_SIZE);
2657         skb_reset_transport_header(skb);
2658         memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
2659
2660         skb->dev = (void *) hdev;
2661         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
2662
2663         skb_queue_tail(&conn->data_q, skb);
2664         queue_work(hdev->workqueue, &hdev->tx_work);
2665 }
2666
2667 /* ---- HCI TX task (outgoing data) ---- */
2668
2669 /* HCI Connection scheduler */
2670 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
2671                                      int *quote)
2672 {
2673         struct hci_conn_hash *h = &hdev->conn_hash;
2674         struct hci_conn *conn = NULL, *c;
2675         unsigned int num = 0, min = ~0;
2676
2677         /* We don't have to lock device here. Connections are always
2678          * added and removed with TX task disabled. */
2679
2680         rcu_read_lock();
2681
2682         list_for_each_entry_rcu(c, &h->list, list) {
2683                 if (c->type != type || skb_queue_empty(&c->data_q))
2684                         continue;
2685
2686                 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
2687                         continue;
2688
2689                 num++;
2690
2691                 if (c->sent < min) {
2692                         min  = c->sent;
2693                         conn = c;
2694                 }
2695
2696                 if (hci_conn_num(hdev, type) == num)
2697                         break;
2698         }
2699
2700         rcu_read_unlock();
2701
2702         if (conn) {
2703                 int cnt, q;
2704
2705                 switch (conn->type) {
2706                 case ACL_LINK:
2707                         cnt = hdev->acl_cnt;
2708                         break;
2709                 case SCO_LINK:
2710                 case ESCO_LINK:
2711                         cnt = hdev->sco_cnt;
2712                         break;
2713                 case LE_LINK:
2714                         cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2715                         break;
2716                 default:
2717                         cnt = 0;
2718                         BT_ERR("Unknown link type");
2719                 }
2720
2721                 q = cnt / num;
2722                 *quote = q ? q : 1;
2723         } else
2724                 *quote = 0;
2725
2726         BT_DBG("conn %p quote %d", conn, *quote);
2727         return conn;
2728 }
2729
2730 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
2731 {
2732         struct hci_conn_hash *h = &hdev->conn_hash;
2733         struct hci_conn *c;
2734
2735         BT_ERR("%s link tx timeout", hdev->name);
2736
2737         rcu_read_lock();
2738
2739         /* Kill stalled connections */
2740         list_for_each_entry_rcu(c, &h->list, list) {
2741                 if (c->type == type && c->sent) {
2742                         BT_ERR("%s killing stalled connection %pMR",
2743                                hdev->name, &c->dst);
2744                         hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
2745                 }
2746         }
2747
2748         rcu_read_unlock();
2749 }
2750
2751 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2752                                       int *quote)
2753 {
2754         struct hci_conn_hash *h = &hdev->conn_hash;
2755         struct hci_chan *chan = NULL;
2756         unsigned int num = 0, min = ~0, cur_prio = 0;
2757         struct hci_conn *conn;
2758         int cnt, q, conn_num = 0;
2759
2760         BT_DBG("%s", hdev->name);
2761
2762         rcu_read_lock();
2763
2764         list_for_each_entry_rcu(conn, &h->list, list) {
2765                 struct hci_chan *tmp;
2766
2767                 if (conn->type != type)
2768                         continue;
2769
2770                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2771                         continue;
2772
2773                 conn_num++;
2774
2775                 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
2776                         struct sk_buff *skb;
2777
2778                         if (skb_queue_empty(&tmp->data_q))
2779                                 continue;
2780
2781                         skb = skb_peek(&tmp->data_q);
2782                         if (skb->priority < cur_prio)
2783                                 continue;
2784
2785                         if (skb->priority > cur_prio) {
2786                                 num = 0;
2787                                 min = ~0;
2788                                 cur_prio = skb->priority;
2789                         }
2790
2791                         num++;
2792
2793                         if (conn->sent < min) {
2794                                 min  = conn->sent;
2795                                 chan = tmp;
2796                         }
2797                 }
2798
2799                 if (hci_conn_num(hdev, type) == conn_num)
2800                         break;
2801         }
2802
2803         rcu_read_unlock();
2804
2805         if (!chan)
2806                 return NULL;
2807
2808         switch (chan->conn->type) {
2809         case ACL_LINK:
2810                 cnt = hdev->acl_cnt;
2811                 break;
2812         case AMP_LINK:
2813                 cnt = hdev->block_cnt;
2814                 break;
2815         case SCO_LINK:
2816         case ESCO_LINK:
2817                 cnt = hdev->sco_cnt;
2818                 break;
2819         case LE_LINK:
2820                 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2821                 break;
2822         default:
2823                 cnt = 0;
2824                 BT_ERR("Unknown link type");
2825         }
2826
2827         q = cnt / num;
2828         *quote = q ? q : 1;
2829         BT_DBG("chan %p quote %d", chan, *quote);
2830         return chan;
2831 }
2832
2833 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
2834 {
2835         struct hci_conn_hash *h = &hdev->conn_hash;
2836         struct hci_conn *conn;
2837         int num = 0;
2838
2839         BT_DBG("%s", hdev->name);
2840
2841         rcu_read_lock();
2842
2843         list_for_each_entry_rcu(conn, &h->list, list) {
2844                 struct hci_chan *chan;
2845
2846                 if (conn->type != type)
2847                         continue;
2848
2849                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2850                         continue;
2851
2852                 num++;
2853
2854                 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
2855                         struct sk_buff *skb;
2856
2857                         if (chan->sent) {
2858                                 chan->sent = 0;
2859                                 continue;
2860                         }
2861
2862                         if (skb_queue_empty(&chan->data_q))
2863                                 continue;
2864
2865                         skb = skb_peek(&chan->data_q);
2866                         if (skb->priority >= HCI_PRIO_MAX - 1)
2867                                 continue;
2868
2869                         skb->priority = HCI_PRIO_MAX - 1;
2870
2871                         BT_DBG("chan %p skb %p promoted to %d", chan, skb,
2872                                skb->priority);
2873                 }
2874
2875                 if (hci_conn_num(hdev, type) == num)
2876                         break;
2877         }
2878
2879         rcu_read_unlock();
2880
2881 }
2882
2883 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
2884 {
2885         /* Calculate count of blocks used by this packet */
2886         return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
2887 }
2888
2889 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
2890 {
2891         if (!test_bit(HCI_RAW, &hdev->flags)) {
2892                 /* ACL tx timeout must be longer than maximum
2893                  * link supervision timeout (40.9 seconds) */
2894                 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
2895                                        HCI_ACL_TX_TIMEOUT))
2896                         hci_link_tx_to(hdev, ACL_LINK);
2897         }
2898 }
2899
2900 static void hci_sched_acl_pkt(struct hci_dev *hdev)
2901 {
2902         unsigned int cnt = hdev->acl_cnt;
2903         struct hci_chan *chan;
2904         struct sk_buff *skb;
2905         int quote;
2906
2907         __check_timeout(hdev, cnt);
2908
2909         while (hdev->acl_cnt &&
2910                (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
2911                 u32 priority = (skb_peek(&chan->data_q))->priority;
2912                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
2913                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
2914                                skb->len, skb->priority);
2915
2916                         /* Stop if priority has changed */
2917                         if (skb->priority < priority)
2918                                 break;
2919
2920                         skb = skb_dequeue(&chan->data_q);
2921
2922                         hci_conn_enter_active_mode(chan->conn,
2923                                                    bt_cb(skb)->force_active);
2924
2925                         hci_send_frame(skb);
2926                         hdev->acl_last_tx = jiffies;
2927
2928                         hdev->acl_cnt--;
2929                         chan->sent++;
2930                         chan->conn->sent++;
2931                 }
2932         }
2933
2934         if (cnt != hdev->acl_cnt)
2935                 hci_prio_recalculate(hdev, ACL_LINK);
2936 }
2937
2938 static void hci_sched_acl_blk(struct hci_dev *hdev)
2939 {
2940         unsigned int cnt = hdev->block_cnt;
2941         struct hci_chan *chan;
2942         struct sk_buff *skb;
2943         int quote;
2944         u8 type;
2945
2946         __check_timeout(hdev, cnt);
2947
2948         BT_DBG("%s", hdev->name);
2949
2950         if (hdev->dev_type == HCI_AMP)
2951                 type = AMP_LINK;
2952         else
2953                 type = ACL_LINK;
2954
2955         while (hdev->block_cnt > 0 &&
2956                (chan = hci_chan_sent(hdev, type, &quote))) {
2957                 u32 priority = (skb_peek(&chan->data_q))->priority;
2958                 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
2959                         int blocks;
2960
2961                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
2962                                skb->len, skb->priority);
2963
2964                         /* Stop if priority has changed */
2965                         if (skb->priority < priority)
2966                                 break;
2967
2968                         skb = skb_dequeue(&chan->data_q);
2969
2970                         blocks = __get_blocks(hdev, skb);
2971                         if (blocks > hdev->block_cnt)
2972                                 return;
2973
2974                         hci_conn_enter_active_mode(chan->conn,
2975                                                    bt_cb(skb)->force_active);
2976
2977                         hci_send_frame(skb);
2978                         hdev->acl_last_tx = jiffies;
2979
2980                         hdev->block_cnt -= blocks;
2981                         quote -= blocks;
2982
2983                         chan->sent += blocks;
2984                         chan->conn->sent += blocks;
2985                 }
2986         }
2987
2988         if (cnt != hdev->block_cnt)
2989                 hci_prio_recalculate(hdev, type);
2990 }
2991
2992 static void hci_sched_acl(struct hci_dev *hdev)
2993 {
2994         BT_DBG("%s", hdev->name);
2995
2996         /* No ACL link over BR/EDR controller */
2997         if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
2998                 return;
2999
3000         /* No AMP link over AMP controller */
3001         if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3002                 return;
3003
3004         switch (hdev->flow_ctl_mode) {
3005         case HCI_FLOW_CTL_MODE_PACKET_BASED:
3006                 hci_sched_acl_pkt(hdev);
3007                 break;
3008
3009         case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3010                 hci_sched_acl_blk(hdev);
3011                 break;
3012         }
3013 }
3014
3015 /* Schedule SCO */
3016 static void hci_sched_sco(struct hci_dev *hdev)
3017 {
3018         struct hci_conn *conn;
3019         struct sk_buff *skb;
3020         int quote;
3021
3022         BT_DBG("%s", hdev->name);
3023
3024         if (!hci_conn_num(hdev, SCO_LINK))
3025                 return;
3026
3027         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3028                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3029                         BT_DBG("skb %p len %d", skb, skb->len);
3030                         hci_send_frame(skb);
3031
3032                         conn->sent++;
3033                         if (conn->sent == ~0)
3034                                 conn->sent = 0;
3035                 }
3036         }
3037 }
3038
3039 static void hci_sched_esco(struct hci_dev *hdev)
3040 {
3041         struct hci_conn *conn;
3042         struct sk_buff *skb;
3043         int quote;
3044
3045         BT_DBG("%s", hdev->name);
3046
3047         if (!hci_conn_num(hdev, ESCO_LINK))
3048                 return;
3049
3050         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3051                                                      &quote))) {
3052                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3053                         BT_DBG("skb %p len %d", skb, skb->len);
3054                         hci_send_frame(skb);
3055
3056                         conn->sent++;
3057                         if (conn->sent == ~0)
3058                                 conn->sent = 0;
3059                 }
3060         }
3061 }
3062
3063 static void hci_sched_le(struct hci_dev *hdev)
3064 {
3065         struct hci_chan *chan;
3066         struct sk_buff *skb;
3067         int quote, cnt, tmp;
3068
3069         BT_DBG("%s", hdev->name);
3070
3071         if (!hci_conn_num(hdev, LE_LINK))
3072                 return;
3073
3074         if (!test_bit(HCI_RAW, &hdev->flags)) {
3075                 /* LE tx timeout must be longer than maximum
3076                  * link supervision timeout (40.9 seconds) */
3077                 if (!hdev->le_cnt && hdev->le_pkts &&
3078                     time_after(jiffies, hdev->le_last_tx + HZ * 45))
3079                         hci_link_tx_to(hdev, LE_LINK);
3080         }
3081
3082         cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3083         tmp = cnt;
3084         while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3085                 u32 priority = (skb_peek(&chan->data_q))->priority;
3086                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3087                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3088                                skb->len, skb->priority);
3089
3090                         /* Stop if priority has changed */
3091                         if (skb->priority < priority)
3092                                 break;
3093
3094                         skb = skb_dequeue(&chan->data_q);
3095
3096                         hci_send_frame(skb);
3097                         hdev->le_last_tx = jiffies;
3098
3099                         cnt--;
3100                         chan->sent++;
3101                         chan->conn->sent++;
3102                 }
3103         }
3104
3105         if (hdev->le_pkts)
3106                 hdev->le_cnt = cnt;
3107         else
3108                 hdev->acl_cnt = cnt;
3109
3110         if (cnt != tmp)
3111                 hci_prio_recalculate(hdev, LE_LINK);
3112 }
3113
3114 static void hci_tx_work(struct work_struct *work)
3115 {
3116         struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3117         struct sk_buff *skb;
3118
3119         BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3120                hdev->sco_cnt, hdev->le_cnt);
3121
3122         /* Schedule queues and send stuff to HCI driver */
3123
3124         hci_sched_acl(hdev);
3125
3126         hci_sched_sco(hdev);
3127
3128         hci_sched_esco(hdev);
3129
3130         hci_sched_le(hdev);
3131
3132         /* Send next queued raw (unknown type) packet */
3133         while ((skb = skb_dequeue(&hdev->raw_q)))
3134                 hci_send_frame(skb);
3135 }
3136
3137 /* ----- HCI RX task (incoming data processing) ----- */
3138
3139 /* ACL data packet */
3140 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3141 {
3142         struct hci_acl_hdr *hdr = (void *) skb->data;
3143         struct hci_conn *conn;
3144         __u16 handle, flags;
3145
3146         skb_pull(skb, HCI_ACL_HDR_SIZE);
3147
3148         handle = __le16_to_cpu(hdr->handle);
3149         flags  = hci_flags(handle);
3150         handle = hci_handle(handle);
3151
3152         BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3153                handle, flags);
3154
3155         hdev->stat.acl_rx++;
3156
3157         hci_dev_lock(hdev);
3158         conn = hci_conn_hash_lookup_handle(hdev, handle);
3159         hci_dev_unlock(hdev);
3160
3161         if (conn) {
3162                 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3163
3164                 /* Send to upper protocol */
3165                 l2cap_recv_acldata(conn, skb, flags);
3166                 return;
3167         } else {
3168                 BT_ERR("%s ACL packet for unknown connection handle %d",
3169                        hdev->name, handle);
3170         }
3171
3172         kfree_skb(skb);
3173 }
3174
3175 /* SCO data packet */
3176 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3177 {
3178         struct hci_sco_hdr *hdr = (void *) skb->data;
3179         struct hci_conn *conn;
3180         __u16 handle;
3181
3182         skb_pull(skb, HCI_SCO_HDR_SIZE);
3183
3184         handle = __le16_to_cpu(hdr->handle);
3185
3186         BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
3187
3188         hdev->stat.sco_rx++;
3189
3190         hci_dev_lock(hdev);
3191         conn = hci_conn_hash_lookup_handle(hdev, handle);
3192         hci_dev_unlock(hdev);
3193
3194         if (conn) {
3195                 /* Send to upper protocol */
3196                 sco_recv_scodata(conn, skb);
3197                 return;
3198         } else {
3199                 BT_ERR("%s SCO packet for unknown connection handle %d",
3200                        hdev->name, handle);
3201         }
3202
3203         kfree_skb(skb);
3204 }
3205
3206 static void hci_rx_work(struct work_struct *work)
3207 {
3208         struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
3209         struct sk_buff *skb;
3210
3211         BT_DBG("%s", hdev->name);
3212
3213         while ((skb = skb_dequeue(&hdev->rx_q))) {
3214                 /* Send copy to monitor */
3215                 hci_send_to_monitor(hdev, skb);
3216
3217                 if (atomic_read(&hdev->promisc)) {
3218                         /* Send copy to the sockets */
3219                         hci_send_to_sock(hdev, skb);
3220                 }
3221
3222                 if (test_bit(HCI_RAW, &hdev->flags)) {
3223                         kfree_skb(skb);
3224                         continue;
3225                 }
3226
3227                 if (test_bit(HCI_INIT, &hdev->flags)) {
3228                         /* Don't process data packets in this states. */
3229                         switch (bt_cb(skb)->pkt_type) {
3230                         case HCI_ACLDATA_PKT:
3231                         case HCI_SCODATA_PKT:
3232                                 kfree_skb(skb);
3233                                 continue;
3234                         }
3235                 }
3236
3237                 /* Process frame */
3238                 switch (bt_cb(skb)->pkt_type) {
3239                 case HCI_EVENT_PKT:
3240                         BT_DBG("%s Event packet", hdev->name);
3241                         hci_event_packet(hdev, skb);
3242                         break;
3243
3244                 case HCI_ACLDATA_PKT:
3245                         BT_DBG("%s ACL data packet", hdev->name);
3246                         hci_acldata_packet(hdev, skb);
3247                         break;
3248
3249                 case HCI_SCODATA_PKT:
3250                         BT_DBG("%s SCO data packet", hdev->name);
3251                         hci_scodata_packet(hdev, skb);
3252                         break;
3253
3254                 default:
3255                         kfree_skb(skb);
3256                         break;
3257                 }
3258         }
3259 }
3260
3261 static void hci_cmd_work(struct work_struct *work)
3262 {
3263         struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
3264         struct sk_buff *skb;
3265
3266         BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
3267                atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
3268
3269         /* Send queued commands */
3270         if (atomic_read(&hdev->cmd_cnt)) {
3271                 skb = skb_dequeue(&hdev->cmd_q);
3272                 if (!skb)
3273                         return;
3274
3275                 kfree_skb(hdev->sent_cmd);
3276
3277                 hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
3278                 if (hdev->sent_cmd) {
3279                         atomic_dec(&hdev->cmd_cnt);
3280                         hci_send_frame(skb);
3281                         if (test_bit(HCI_RESET, &hdev->flags))
3282                                 del_timer(&hdev->cmd_timer);
3283                         else
3284                                 mod_timer(&hdev->cmd_timer,
3285                                           jiffies + HCI_CMD_TIMEOUT);
3286                 } else {
3287                         skb_queue_head(&hdev->cmd_q, skb);
3288                         queue_work(hdev->workqueue, &hdev->cmd_work);
3289                 }
3290         }
3291 }
3292
3293 int hci_do_inquiry(struct hci_dev *hdev, u8 length)
3294 {
3295         /* General inquiry access code (GIAC) */
3296         u8 lap[3] = { 0x33, 0x8b, 0x9e };
3297         struct hci_cp_inquiry cp;
3298
3299         BT_DBG("%s", hdev->name);
3300
3301         if (test_bit(HCI_INQUIRY, &hdev->flags))
3302                 return -EINPROGRESS;
3303
3304         inquiry_cache_flush(hdev);
3305
3306         memset(&cp, 0, sizeof(cp));
3307         memcpy(&cp.lap, lap, sizeof(cp.lap));
3308         cp.length  = length;
3309
3310         return hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
3311 }
3312
3313 int hci_cancel_inquiry(struct hci_dev *hdev)
3314 {
3315         BT_DBG("%s", hdev->name);
3316
3317         if (!test_bit(HCI_INQUIRY, &hdev->flags))
3318                 return -EALREADY;
3319
3320         return hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
3321 }
3322
3323 u8 bdaddr_to_le(u8 bdaddr_type)
3324 {
3325         switch (bdaddr_type) {
3326         case BDADDR_LE_PUBLIC:
3327                 return ADDR_LE_DEV_PUBLIC;
3328
3329         default:
3330                 /* Fallback to LE Random address type */
3331                 return ADDR_LE_DEV_RANDOM;
3332         }
3333 }
Unnamed repository; edit this file 'description' to name the repository.