2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI core. */
28 #include <linux/export.h>
29 #include <linux/idr.h>
30 #include <linux/rfkill.h>
31 #include <linux/debugfs.h>
32 #include <linux/crypto.h>
33 #include <asm/unaligned.h>
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38 #include <net/bluetooth/mgmt.h>
40 #include "hci_request.h"
41 #include "hci_debugfs.h"
44 static void hci_rx_work(struct work_struct *work);
45 static void hci_cmd_work(struct work_struct *work);
46 static void hci_tx_work(struct work_struct *work);
49 LIST_HEAD(hci_dev_list);
50 DEFINE_RWLOCK(hci_dev_list_lock);
52 /* HCI callback list */
53 LIST_HEAD(hci_cb_list);
54 DEFINE_RWLOCK(hci_cb_list_lock);
56 /* HCI ID Numbering */
57 static DEFINE_IDA(hci_index_ida);
59 /* ----- HCI requests ----- */
61 #define HCI_REQ_DONE 0
62 #define HCI_REQ_PEND 1
63 #define HCI_REQ_CANCELED 2
65 #define hci_req_lock(d) mutex_lock(&d->req_lock)
66 #define hci_req_unlock(d) mutex_unlock(&d->req_lock)
68 /* ---- HCI notifications ---- */
70 static void hci_notify(struct hci_dev *hdev, int event)
72 hci_sock_dev_event(hdev, event);
75 /* ---- HCI debugfs entries ---- */
77 static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
78 size_t count, loff_t *ppos)
80 struct hci_dev *hdev = file->private_data;
83 buf[0] = test_bit(HCI_DUT_MODE, &hdev->dbg_flags) ? 'Y': 'N';
86 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
89 static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
90 size_t count, loff_t *ppos)
92 struct hci_dev *hdev = file->private_data;
95 size_t buf_size = min(count, (sizeof(buf)-1));
99 if (!test_bit(HCI_UP, &hdev->flags))
102 if (copy_from_user(buf, user_buf, buf_size))
105 buf[buf_size] = '\0';
106 if (strtobool(buf, &enable))
109 if (enable == test_bit(HCI_DUT_MODE, &hdev->dbg_flags))
114 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
117 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
119 hci_req_unlock(hdev);
124 err = -bt_to_errno(skb->data[0]);
130 change_bit(HCI_DUT_MODE, &hdev->dbg_flags);
135 static const struct file_operations dut_mode_fops = {
137 .read = dut_mode_read,
138 .write = dut_mode_write,
139 .llseek = default_llseek,
142 /* ---- HCI requests ---- */
144 static void hci_req_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode)
146 BT_DBG("%s result 0x%2.2x", hdev->name, result);
148 if (hdev->req_status == HCI_REQ_PEND) {
149 hdev->req_result = result;
150 hdev->req_status = HCI_REQ_DONE;
151 wake_up_interruptible(&hdev->req_wait_q);
155 static void hci_req_cancel(struct hci_dev *hdev, int err)
157 BT_DBG("%s err 0x%2.2x", hdev->name, err);
159 if (hdev->req_status == HCI_REQ_PEND) {
160 hdev->req_result = err;
161 hdev->req_status = HCI_REQ_CANCELED;
162 wake_up_interruptible(&hdev->req_wait_q);
166 static struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
169 struct hci_ev_cmd_complete *ev;
170 struct hci_event_hdr *hdr;
175 skb = hdev->recv_evt;
176 hdev->recv_evt = NULL;
178 hci_dev_unlock(hdev);
181 return ERR_PTR(-ENODATA);
183 if (skb->len < sizeof(*hdr)) {
184 BT_ERR("Too short HCI event");
188 hdr = (void *) skb->data;
189 skb_pull(skb, HCI_EVENT_HDR_SIZE);
192 if (hdr->evt != event)
197 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
198 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
202 if (skb->len < sizeof(*ev)) {
203 BT_ERR("Too short cmd_complete event");
207 ev = (void *) skb->data;
208 skb_pull(skb, sizeof(*ev));
210 if (opcode == __le16_to_cpu(ev->opcode))
213 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
214 __le16_to_cpu(ev->opcode));
218 return ERR_PTR(-ENODATA);
221 struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
222 const void *param, u8 event, u32 timeout)
224 DECLARE_WAITQUEUE(wait, current);
225 struct hci_request req;
228 BT_DBG("%s", hdev->name);
230 hci_req_init(&req, hdev);
232 hci_req_add_ev(&req, opcode, plen, param, event);
234 hdev->req_status = HCI_REQ_PEND;
236 add_wait_queue(&hdev->req_wait_q, &wait);
237 set_current_state(TASK_INTERRUPTIBLE);
239 err = hci_req_run(&req, hci_req_sync_complete);
241 remove_wait_queue(&hdev->req_wait_q, &wait);
242 set_current_state(TASK_RUNNING);
246 schedule_timeout(timeout);
248 remove_wait_queue(&hdev->req_wait_q, &wait);
250 if (signal_pending(current))
251 return ERR_PTR(-EINTR);
253 switch (hdev->req_status) {
255 err = -bt_to_errno(hdev->req_result);
258 case HCI_REQ_CANCELED:
259 err = -hdev->req_result;
267 hdev->req_status = hdev->req_result = 0;
269 BT_DBG("%s end: err %d", hdev->name, err);
274 return hci_get_cmd_complete(hdev, opcode, event);
276 EXPORT_SYMBOL(__hci_cmd_sync_ev);
278 struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
279 const void *param, u32 timeout)
281 return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
283 EXPORT_SYMBOL(__hci_cmd_sync);
285 /* Execute request and wait for completion. */
286 static int __hci_req_sync(struct hci_dev *hdev,
287 void (*func)(struct hci_request *req,
289 unsigned long opt, __u32 timeout)
291 struct hci_request req;
292 DECLARE_WAITQUEUE(wait, current);
295 BT_DBG("%s start", hdev->name);
297 hci_req_init(&req, hdev);
299 hdev->req_status = HCI_REQ_PEND;
303 add_wait_queue(&hdev->req_wait_q, &wait);
304 set_current_state(TASK_INTERRUPTIBLE);
306 err = hci_req_run(&req, hci_req_sync_complete);
308 hdev->req_status = 0;
310 remove_wait_queue(&hdev->req_wait_q, &wait);
311 set_current_state(TASK_RUNNING);
313 /* ENODATA means the HCI request command queue is empty.
314 * This can happen when a request with conditionals doesn't
315 * trigger any commands to be sent. This is normal behavior
316 * and should not trigger an error return.
324 schedule_timeout(timeout);
326 remove_wait_queue(&hdev->req_wait_q, &wait);
328 if (signal_pending(current))
331 switch (hdev->req_status) {
333 err = -bt_to_errno(hdev->req_result);
336 case HCI_REQ_CANCELED:
337 err = -hdev->req_result;
345 hdev->req_status = hdev->req_result = 0;
347 BT_DBG("%s end: err %d", hdev->name, err);
352 static int hci_req_sync(struct hci_dev *hdev,
353 void (*req)(struct hci_request *req,
355 unsigned long opt, __u32 timeout)
359 if (!test_bit(HCI_UP, &hdev->flags))
362 /* Serialize all requests */
364 ret = __hci_req_sync(hdev, req, opt, timeout);
365 hci_req_unlock(hdev);
370 static void hci_reset_req(struct hci_request *req, unsigned long opt)
372 BT_DBG("%s %ld", req->hdev->name, opt);
375 set_bit(HCI_RESET, &req->hdev->flags);
376 hci_req_add(req, HCI_OP_RESET, 0, NULL);
379 static void bredr_init(struct hci_request *req)
381 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
383 /* Read Local Supported Features */
384 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
386 /* Read Local Version */
387 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
389 /* Read BD Address */
390 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
393 static void amp_init(struct hci_request *req)
395 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
397 /* Read Local Version */
398 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
400 /* Read Local Supported Commands */
401 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
403 /* Read Local Supported Features */
404 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
406 /* Read Local AMP Info */
407 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
409 /* Read Data Blk size */
410 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
412 /* Read Flow Control Mode */
413 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
415 /* Read Location Data */
416 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
419 static void hci_init1_req(struct hci_request *req, unsigned long opt)
421 struct hci_dev *hdev = req->hdev;
423 BT_DBG("%s %ld", hdev->name, opt);
426 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
427 hci_reset_req(req, 0);
429 switch (hdev->dev_type) {
439 BT_ERR("Unknown device type %d", hdev->dev_type);
444 static void bredr_setup(struct hci_request *req)
449 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
450 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
452 /* Read Class of Device */
453 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
455 /* Read Local Name */
456 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
458 /* Read Voice Setting */
459 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
461 /* Read Number of Supported IAC */
462 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
464 /* Read Current IAC LAP */
465 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
467 /* Clear Event Filters */
468 flt_type = HCI_FLT_CLEAR_ALL;
469 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
471 /* Connection accept timeout ~20 secs */
472 param = cpu_to_le16(0x7d00);
473 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
476 static void le_setup(struct hci_request *req)
478 struct hci_dev *hdev = req->hdev;
480 /* Read LE Buffer Size */
481 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
483 /* Read LE Local Supported Features */
484 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
486 /* Read LE Supported States */
487 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
489 /* Read LE White List Size */
490 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
492 /* Clear LE White List */
493 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
495 /* LE-only controllers have LE implicitly enabled */
496 if (!lmp_bredr_capable(hdev))
497 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
500 static void hci_setup_event_mask(struct hci_request *req)
502 struct hci_dev *hdev = req->hdev;
504 /* The second byte is 0xff instead of 0x9f (two reserved bits
505 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
508 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
510 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
511 * any event mask for pre 1.2 devices.
513 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
516 if (lmp_bredr_capable(hdev)) {
517 events[4] |= 0x01; /* Flow Specification Complete */
518 events[4] |= 0x02; /* Inquiry Result with RSSI */
519 events[4] |= 0x04; /* Read Remote Extended Features Complete */
520 events[5] |= 0x08; /* Synchronous Connection Complete */
521 events[5] |= 0x10; /* Synchronous Connection Changed */
523 /* Use a different default for LE-only devices */
524 memset(events, 0, sizeof(events));
525 events[0] |= 0x10; /* Disconnection Complete */
526 events[1] |= 0x08; /* Read Remote Version Information Complete */
527 events[1] |= 0x20; /* Command Complete */
528 events[1] |= 0x40; /* Command Status */
529 events[1] |= 0x80; /* Hardware Error */
530 events[2] |= 0x04; /* Number of Completed Packets */
531 events[3] |= 0x02; /* Data Buffer Overflow */
533 if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
534 events[0] |= 0x80; /* Encryption Change */
535 events[5] |= 0x80; /* Encryption Key Refresh Complete */
539 if (lmp_inq_rssi_capable(hdev))
540 events[4] |= 0x02; /* Inquiry Result with RSSI */
542 if (lmp_sniffsubr_capable(hdev))
543 events[5] |= 0x20; /* Sniff Subrating */
545 if (lmp_pause_enc_capable(hdev))
546 events[5] |= 0x80; /* Encryption Key Refresh Complete */
548 if (lmp_ext_inq_capable(hdev))
549 events[5] |= 0x40; /* Extended Inquiry Result */
551 if (lmp_no_flush_capable(hdev))
552 events[7] |= 0x01; /* Enhanced Flush Complete */
554 if (lmp_lsto_capable(hdev))
555 events[6] |= 0x80; /* Link Supervision Timeout Changed */
557 if (lmp_ssp_capable(hdev)) {
558 events[6] |= 0x01; /* IO Capability Request */
559 events[6] |= 0x02; /* IO Capability Response */
560 events[6] |= 0x04; /* User Confirmation Request */
561 events[6] |= 0x08; /* User Passkey Request */
562 events[6] |= 0x10; /* Remote OOB Data Request */
563 events[6] |= 0x20; /* Simple Pairing Complete */
564 events[7] |= 0x04; /* User Passkey Notification */
565 events[7] |= 0x08; /* Keypress Notification */
566 events[7] |= 0x10; /* Remote Host Supported
567 * Features Notification
571 if (lmp_le_capable(hdev))
572 events[7] |= 0x20; /* LE Meta-Event */
574 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
577 static void hci_init2_req(struct hci_request *req, unsigned long opt)
579 struct hci_dev *hdev = req->hdev;
581 if (lmp_bredr_capable(hdev))
584 clear_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
586 if (lmp_le_capable(hdev))
589 /* All Bluetooth 1.2 and later controllers should support the
590 * HCI command for reading the local supported commands.
592 * Unfortunately some controllers indicate Bluetooth 1.2 support,
593 * but do not have support for this command. If that is the case,
594 * the driver can quirk the behavior and skip reading the local
595 * supported commands.
597 if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
598 !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
599 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
601 if (lmp_ssp_capable(hdev)) {
602 /* When SSP is available, then the host features page
603 * should also be available as well. However some
604 * controllers list the max_page as 0 as long as SSP
605 * has not been enabled. To achieve proper debugging
606 * output, force the minimum max_page to 1 at least.
608 hdev->max_page = 0x01;
610 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
613 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
614 sizeof(mode), &mode);
616 struct hci_cp_write_eir cp;
618 memset(hdev->eir, 0, sizeof(hdev->eir));
619 memset(&cp, 0, sizeof(cp));
621 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
625 if (lmp_inq_rssi_capable(hdev) ||
626 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
629 /* If Extended Inquiry Result events are supported, then
630 * they are clearly preferred over Inquiry Result with RSSI
633 mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
635 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
638 if (lmp_inq_tx_pwr_capable(hdev))
639 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
641 if (lmp_ext_feat_capable(hdev)) {
642 struct hci_cp_read_local_ext_features cp;
645 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
649 if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
651 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
656 static void hci_setup_link_policy(struct hci_request *req)
658 struct hci_dev *hdev = req->hdev;
659 struct hci_cp_write_def_link_policy cp;
662 if (lmp_rswitch_capable(hdev))
663 link_policy |= HCI_LP_RSWITCH;
664 if (lmp_hold_capable(hdev))
665 link_policy |= HCI_LP_HOLD;
666 if (lmp_sniff_capable(hdev))
667 link_policy |= HCI_LP_SNIFF;
668 if (lmp_park_capable(hdev))
669 link_policy |= HCI_LP_PARK;
671 cp.policy = cpu_to_le16(link_policy);
672 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
675 static void hci_set_le_support(struct hci_request *req)
677 struct hci_dev *hdev = req->hdev;
678 struct hci_cp_write_le_host_supported cp;
680 /* LE-only devices do not support explicit enablement */
681 if (!lmp_bredr_capable(hdev))
684 memset(&cp, 0, sizeof(cp));
686 if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
691 if (cp.le != lmp_host_le_capable(hdev))
692 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
696 static void hci_set_event_mask_page_2(struct hci_request *req)
698 struct hci_dev *hdev = req->hdev;
699 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
701 /* If Connectionless Slave Broadcast master role is supported
702 * enable all necessary events for it.
704 if (lmp_csb_master_capable(hdev)) {
705 events[1] |= 0x40; /* Triggered Clock Capture */
706 events[1] |= 0x80; /* Synchronization Train Complete */
707 events[2] |= 0x10; /* Slave Page Response Timeout */
708 events[2] |= 0x20; /* CSB Channel Map Change */
711 /* If Connectionless Slave Broadcast slave role is supported
712 * enable all necessary events for it.
714 if (lmp_csb_slave_capable(hdev)) {
715 events[2] |= 0x01; /* Synchronization Train Received */
716 events[2] |= 0x02; /* CSB Receive */
717 events[2] |= 0x04; /* CSB Timeout */
718 events[2] |= 0x08; /* Truncated Page Complete */
721 /* Enable Authenticated Payload Timeout Expired event if supported */
722 if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
725 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
728 static void hci_init3_req(struct hci_request *req, unsigned long opt)
730 struct hci_dev *hdev = req->hdev;
733 hci_setup_event_mask(req);
735 if (hdev->commands[6] & 0x20) {
736 struct hci_cp_read_stored_link_key cp;
738 bacpy(&cp.bdaddr, BDADDR_ANY);
740 hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
743 if (hdev->commands[5] & 0x10)
744 hci_setup_link_policy(req);
746 if (hdev->commands[8] & 0x01)
747 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
749 /* Some older Broadcom based Bluetooth 1.2 controllers do not
750 * support the Read Page Scan Type command. Check support for
751 * this command in the bit mask of supported commands.
753 if (hdev->commands[13] & 0x01)
754 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
756 if (lmp_le_capable(hdev)) {
759 memset(events, 0, sizeof(events));
762 if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
763 events[0] |= 0x10; /* LE Long Term Key Request */
765 /* If controller supports the Connection Parameters Request
766 * Link Layer Procedure, enable the corresponding event.
768 if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
769 events[0] |= 0x20; /* LE Remote Connection
773 /* If the controller supports the Data Length Extension
774 * feature, enable the corresponding event.
776 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
777 events[0] |= 0x40; /* LE Data Length Change */
779 /* If the controller supports Extended Scanner Filter
780 * Policies, enable the correspondig event.
782 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
783 events[1] |= 0x04; /* LE Direct Advertising
787 /* If the controller supports the LE Read Local P-256
788 * Public Key command, enable the corresponding event.
790 if (hdev->commands[34] & 0x02)
791 events[0] |= 0x80; /* LE Read Local P-256
792 * Public Key Complete
795 /* If the controller supports the LE Generate DHKey
796 * command, enable the corresponding event.
798 if (hdev->commands[34] & 0x04)
799 events[1] |= 0x01; /* LE Generate DHKey Complete */
801 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
804 if (hdev->commands[25] & 0x40) {
805 /* Read LE Advertising Channel TX Power */
806 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
809 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
810 /* Read LE Maximum Data Length */
811 hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
813 /* Read LE Suggested Default Data Length */
814 hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
817 hci_set_le_support(req);
820 /* Read features beyond page 1 if available */
821 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
822 struct hci_cp_read_local_ext_features cp;
825 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
830 static void hci_init4_req(struct hci_request *req, unsigned long opt)
832 struct hci_dev *hdev = req->hdev;
834 /* Some Broadcom based Bluetooth controllers do not support the
835 * Delete Stored Link Key command. They are clearly indicating its
836 * absence in the bit mask of supported commands.
838 * Check the supported commands and only if the the command is marked
839 * as supported send it. If not supported assume that the controller
840 * does not have actual support for stored link keys which makes this
841 * command redundant anyway.
843 * Some controllers indicate that they support handling deleting
844 * stored link keys, but they don't. The quirk lets a driver
845 * just disable this command.
847 if (hdev->commands[6] & 0x80 &&
848 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
849 struct hci_cp_delete_stored_link_key cp;
851 bacpy(&cp.bdaddr, BDADDR_ANY);
852 cp.delete_all = 0x01;
853 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
857 /* Set event mask page 2 if the HCI command for it is supported */
858 if (hdev->commands[22] & 0x04)
859 hci_set_event_mask_page_2(req);
861 /* Read local codec list if the HCI command is supported */
862 if (hdev->commands[29] & 0x20)
863 hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
865 /* Get MWS transport configuration if the HCI command is supported */
866 if (hdev->commands[30] & 0x08)
867 hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
869 /* Check for Synchronization Train support */
870 if (lmp_sync_train_capable(hdev))
871 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
873 /* Enable Secure Connections if supported and configured */
874 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags) &&
875 bredr_sc_enabled(hdev)) {
878 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
879 sizeof(support), &support);
883 static int __hci_init(struct hci_dev *hdev)
887 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
891 /* The Device Under Test (DUT) mode is special and available for
892 * all controller types. So just create it early on.
894 if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
895 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
899 /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
900 * BR/EDR/LE type controllers. AMP controllers only need the
903 if (hdev->dev_type != HCI_BREDR)
906 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
910 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
914 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT);
918 /* This function is only called when the controller is actually in
919 * configured state. When the controller is marked as unconfigured,
920 * this initialization procedure is not run.
922 * It means that it is possible that a controller runs through its
923 * setup phase and then discovers missing settings. If that is the
924 * case, then this function will not be called. It then will only
925 * be called during the config phase.
927 * So only when in setup phase or config phase, create the debugfs
928 * entries and register the SMP channels.
930 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
931 !test_bit(HCI_CONFIG, &hdev->dev_flags))
934 hci_debugfs_create_common(hdev);
936 if (lmp_bredr_capable(hdev))
937 hci_debugfs_create_bredr(hdev);
939 if (lmp_le_capable(hdev))
940 hci_debugfs_create_le(hdev);
945 static void hci_init0_req(struct hci_request *req, unsigned long opt)
947 struct hci_dev *hdev = req->hdev;
949 BT_DBG("%s %ld", hdev->name, opt);
952 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
953 hci_reset_req(req, 0);
955 /* Read Local Version */
956 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
958 /* Read BD Address */
959 if (hdev->set_bdaddr)
960 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
963 static int __hci_unconf_init(struct hci_dev *hdev)
967 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
970 err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT);
977 static void hci_scan_req(struct hci_request *req, unsigned long opt)
981 BT_DBG("%s %x", req->hdev->name, scan);
983 /* Inquiry and Page scans */
984 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
987 static void hci_auth_req(struct hci_request *req, unsigned long opt)
991 BT_DBG("%s %x", req->hdev->name, auth);
994 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
997 static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
1001 BT_DBG("%s %x", req->hdev->name, encrypt);
1004 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
1007 static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
1009 __le16 policy = cpu_to_le16(opt);
1011 BT_DBG("%s %x", req->hdev->name, policy);
1013 /* Default link policy */
1014 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
1017 /* Get HCI device by index.
1018 * Device is held on return. */
1019 struct hci_dev *hci_dev_get(int index)
1021 struct hci_dev *hdev = NULL, *d;
1023 BT_DBG("%d", index);
1028 read_lock(&hci_dev_list_lock);
1029 list_for_each_entry(d, &hci_dev_list, list) {
1030 if (d->id == index) {
1031 hdev = hci_dev_hold(d);
1035 read_unlock(&hci_dev_list_lock);
1039 /* ---- Inquiry support ---- */
1041 bool hci_discovery_active(struct hci_dev *hdev)
1043 struct discovery_state *discov = &hdev->discovery;
1045 switch (discov->state) {
1046 case DISCOVERY_FINDING:
1047 case DISCOVERY_RESOLVING:
1055 void hci_discovery_set_state(struct hci_dev *hdev, int state)
1057 int old_state = hdev->discovery.state;
1059 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
1061 if (old_state == state)
1064 hdev->discovery.state = state;
1067 case DISCOVERY_STOPPED:
1068 hci_update_background_scan(hdev);
1070 if (old_state != DISCOVERY_STARTING)
1071 mgmt_discovering(hdev, 0);
1073 case DISCOVERY_STARTING:
1075 case DISCOVERY_FINDING:
1076 mgmt_discovering(hdev, 1);
1078 case DISCOVERY_RESOLVING:
1080 case DISCOVERY_STOPPING:
1085 void hci_inquiry_cache_flush(struct hci_dev *hdev)
1087 struct discovery_state *cache = &hdev->discovery;
1088 struct inquiry_entry *p, *n;
1090 list_for_each_entry_safe(p, n, &cache->all, all) {
1095 INIT_LIST_HEAD(&cache->unknown);
1096 INIT_LIST_HEAD(&cache->resolve);
1099 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1102 struct discovery_state *cache = &hdev->discovery;
1103 struct inquiry_entry *e;
1105 BT_DBG("cache %p, %pMR", cache, bdaddr);
1107 list_for_each_entry(e, &cache->all, all) {
1108 if (!bacmp(&e->data.bdaddr, bdaddr))
1115 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1118 struct discovery_state *cache = &hdev->discovery;
1119 struct inquiry_entry *e;
1121 BT_DBG("cache %p, %pMR", cache, bdaddr);
1123 list_for_each_entry(e, &cache->unknown, list) {
1124 if (!bacmp(&e->data.bdaddr, bdaddr))
1131 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1135 struct discovery_state *cache = &hdev->discovery;
1136 struct inquiry_entry *e;
1138 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1140 list_for_each_entry(e, &cache->resolve, list) {
1141 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1143 if (!bacmp(&e->data.bdaddr, bdaddr))
1150 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1151 struct inquiry_entry *ie)
1153 struct discovery_state *cache = &hdev->discovery;
1154 struct list_head *pos = &cache->resolve;
1155 struct inquiry_entry *p;
1157 list_del(&ie->list);
1159 list_for_each_entry(p, &cache->resolve, list) {
1160 if (p->name_state != NAME_PENDING &&
1161 abs(p->data.rssi) >= abs(ie->data.rssi))
1166 list_add(&ie->list, pos);
1169 u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1172 struct discovery_state *cache = &hdev->discovery;
1173 struct inquiry_entry *ie;
1176 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1178 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1180 if (!data->ssp_mode)
1181 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1183 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1185 if (!ie->data.ssp_mode)
1186 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1188 if (ie->name_state == NAME_NEEDED &&
1189 data->rssi != ie->data.rssi) {
1190 ie->data.rssi = data->rssi;
1191 hci_inquiry_cache_update_resolve(hdev, ie);
1197 /* Entry not in the cache. Add new one. */
1198 ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1200 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1204 list_add(&ie->all, &cache->all);
1207 ie->name_state = NAME_KNOWN;
1209 ie->name_state = NAME_NOT_KNOWN;
1210 list_add(&ie->list, &cache->unknown);
1214 if (name_known && ie->name_state != NAME_KNOWN &&
1215 ie->name_state != NAME_PENDING) {
1216 ie->name_state = NAME_KNOWN;
1217 list_del(&ie->list);
1220 memcpy(&ie->data, data, sizeof(*data));
1221 ie->timestamp = jiffies;
1222 cache->timestamp = jiffies;
1224 if (ie->name_state == NAME_NOT_KNOWN)
1225 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1231 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1233 struct discovery_state *cache = &hdev->discovery;
1234 struct inquiry_info *info = (struct inquiry_info *) buf;
1235 struct inquiry_entry *e;
1238 list_for_each_entry(e, &cache->all, all) {
1239 struct inquiry_data *data = &e->data;
1244 bacpy(&info->bdaddr, &data->bdaddr);
1245 info->pscan_rep_mode = data->pscan_rep_mode;
1246 info->pscan_period_mode = data->pscan_period_mode;
1247 info->pscan_mode = data->pscan_mode;
1248 memcpy(info->dev_class, data->dev_class, 3);
1249 info->clock_offset = data->clock_offset;
1255 BT_DBG("cache %p, copied %d", cache, copied);
1259 static void hci_inq_req(struct hci_request *req, unsigned long opt)
1261 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1262 struct hci_dev *hdev = req->hdev;
1263 struct hci_cp_inquiry cp;
1265 BT_DBG("%s", hdev->name);
1267 if (test_bit(HCI_INQUIRY, &hdev->flags))
1271 memcpy(&cp.lap, &ir->lap, 3);
1272 cp.length = ir->length;
1273 cp.num_rsp = ir->num_rsp;
1274 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1277 int hci_inquiry(void __user *arg)
1279 __u8 __user *ptr = arg;
1280 struct hci_inquiry_req ir;
1281 struct hci_dev *hdev;
1282 int err = 0, do_inquiry = 0, max_rsp;
1286 if (copy_from_user(&ir, ptr, sizeof(ir)))
1289 hdev = hci_dev_get(ir.dev_id);
1293 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1298 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) {
1303 if (hdev->dev_type != HCI_BREDR) {
1308 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
1314 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1315 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1316 hci_inquiry_cache_flush(hdev);
1319 hci_dev_unlock(hdev);
1321 timeo = ir.length * msecs_to_jiffies(2000);
1324 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1329 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1330 * cleared). If it is interrupted by a signal, return -EINTR.
1332 if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1333 TASK_INTERRUPTIBLE))
1337 /* for unlimited number of responses we will use buffer with
1340 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1342 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1343 * copy it to the user space.
1345 buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1352 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1353 hci_dev_unlock(hdev);
1355 BT_DBG("num_rsp %d", ir.num_rsp);
1357 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1359 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1372 static int hci_dev_do_open(struct hci_dev *hdev)
1376 BT_DBG("%s %p", hdev->name, hdev);
1380 if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1385 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1386 !test_bit(HCI_CONFIG, &hdev->dev_flags)) {
1387 /* Check for rfkill but allow the HCI setup stage to
1388 * proceed (which in itself doesn't cause any RF activity).
1390 if (test_bit(HCI_RFKILLED, &hdev->dev_flags)) {
1395 /* Check for valid public address or a configured static
1396 * random adddress, but let the HCI setup proceed to
1397 * be able to determine if there is a public address
1400 * In case of user channel usage, it is not important
1401 * if a public address or static random address is
1404 * This check is only valid for BR/EDR controllers
1405 * since AMP controllers do not have an address.
1407 if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
1408 hdev->dev_type == HCI_BREDR &&
1409 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1410 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1411 ret = -EADDRNOTAVAIL;
1416 if (test_bit(HCI_UP, &hdev->flags)) {
1421 if (hdev->open(hdev)) {
1426 atomic_set(&hdev->cmd_cnt, 1);
1427 set_bit(HCI_INIT, &hdev->flags);
1429 if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
1431 ret = hdev->setup(hdev);
1433 /* The transport driver can set these quirks before
1434 * creating the HCI device or in its setup callback.
1436 * In case any of them is set, the controller has to
1437 * start up as unconfigured.
1439 if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1440 test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks))
1441 set_bit(HCI_UNCONFIGURED, &hdev->dev_flags);
1443 /* For an unconfigured controller it is required to
1444 * read at least the version information provided by
1445 * the Read Local Version Information command.
1447 * If the set_bdaddr driver callback is provided, then
1448 * also the original Bluetooth public device address
1449 * will be read using the Read BD Address command.
1451 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
1452 ret = __hci_unconf_init(hdev);
1455 if (test_bit(HCI_CONFIG, &hdev->dev_flags)) {
1456 /* If public address change is configured, ensure that
1457 * the address gets programmed. If the driver does not
1458 * support changing the public address, fail the power
1461 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1463 ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1465 ret = -EADDRNOTAVAIL;
1469 if (!test_bit(HCI_UNCONFIGURED, &hdev->dev_flags) &&
1470 !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
1471 ret = __hci_init(hdev);
1474 clear_bit(HCI_INIT, &hdev->flags);
1478 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
1479 set_bit(HCI_UP, &hdev->flags);
1480 hci_notify(hdev, HCI_DEV_UP);
1481 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1482 !test_bit(HCI_CONFIG, &hdev->dev_flags) &&
1483 !test_bit(HCI_UNCONFIGURED, &hdev->dev_flags) &&
1484 !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
1485 hdev->dev_type == HCI_BREDR) {
1487 mgmt_powered(hdev, 1);
1488 hci_dev_unlock(hdev);
1491 /* Init failed, cleanup */
1492 flush_work(&hdev->tx_work);
1493 flush_work(&hdev->cmd_work);
1494 flush_work(&hdev->rx_work);
1496 skb_queue_purge(&hdev->cmd_q);
1497 skb_queue_purge(&hdev->rx_q);
1502 if (hdev->sent_cmd) {
1503 kfree_skb(hdev->sent_cmd);
1504 hdev->sent_cmd = NULL;
1508 hdev->flags &= BIT(HCI_RAW);
1512 hci_req_unlock(hdev);
1516 /* ---- HCI ioctl helpers ---- */
1518 int hci_dev_open(__u16 dev)
1520 struct hci_dev *hdev;
1523 hdev = hci_dev_get(dev);
1527 /* Devices that are marked as unconfigured can only be powered
1528 * up as user channel. Trying to bring them up as normal devices
1529 * will result into a failure. Only user channel operation is
1532 * When this function is called for a user channel, the flag
1533 * HCI_USER_CHANNEL will be set first before attempting to
1536 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags) &&
1537 !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1542 /* We need to ensure that no other power on/off work is pending
1543 * before proceeding to call hci_dev_do_open. This is
1544 * particularly important if the setup procedure has not yet
1547 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1548 cancel_delayed_work(&hdev->power_off);
1550 /* After this call it is guaranteed that the setup procedure
1551 * has finished. This means that error conditions like RFKILL
1552 * or no valid public or static random address apply.
1554 flush_workqueue(hdev->req_workqueue);
1556 /* For controllers not using the management interface and that
1557 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1558 * so that pairing works for them. Once the management interface
1559 * is in use this bit will be cleared again and userspace has
1560 * to explicitly enable it.
1562 if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
1563 !test_bit(HCI_MGMT, &hdev->dev_flags))
1564 set_bit(HCI_BONDABLE, &hdev->dev_flags);
1566 err = hci_dev_do_open(hdev);
1573 /* This function requires the caller holds hdev->lock */
1574 static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1576 struct hci_conn_params *p;
1578 list_for_each_entry(p, &hdev->le_conn_params, list) {
1580 hci_conn_drop(p->conn);
1581 hci_conn_put(p->conn);
1584 list_del_init(&p->action);
1587 BT_DBG("All LE pending actions cleared");
1590 static int hci_dev_do_close(struct hci_dev *hdev)
1592 BT_DBG("%s %p", hdev->name, hdev);
1594 if (!test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1595 /* Execute vendor specific shutdown routine */
1597 hdev->shutdown(hdev);
1600 cancel_delayed_work(&hdev->power_off);
1602 hci_req_cancel(hdev, ENODEV);
1605 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1606 cancel_delayed_work_sync(&hdev->cmd_timer);
1607 hci_req_unlock(hdev);
1611 /* Flush RX and TX works */
1612 flush_work(&hdev->tx_work);
1613 flush_work(&hdev->rx_work);
1615 if (hdev->discov_timeout > 0) {
1616 cancel_delayed_work(&hdev->discov_off);
1617 hdev->discov_timeout = 0;
1618 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1619 clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1622 if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1623 cancel_delayed_work(&hdev->service_cache);
1625 cancel_delayed_work_sync(&hdev->le_scan_disable);
1626 cancel_delayed_work_sync(&hdev->le_scan_restart);
1628 if (test_bit(HCI_MGMT, &hdev->dev_flags))
1629 cancel_delayed_work_sync(&hdev->rpa_expired);
1631 /* Avoid potential lockdep warnings from the *_flush() calls by
1632 * ensuring the workqueue is empty up front.
1634 drain_workqueue(hdev->workqueue);
1638 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1640 if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
1641 if (hdev->dev_type == HCI_BREDR)
1642 mgmt_powered(hdev, 0);
1645 hci_inquiry_cache_flush(hdev);
1646 hci_pend_le_actions_clear(hdev);
1647 hci_conn_hash_flush(hdev);
1648 hci_dev_unlock(hdev);
1650 smp_unregister(hdev);
1652 hci_notify(hdev, HCI_DEV_DOWN);
1658 skb_queue_purge(&hdev->cmd_q);
1659 atomic_set(&hdev->cmd_cnt, 1);
1660 if (!test_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
1661 !test_bit(HCI_UNCONFIGURED, &hdev->dev_flags) &&
1662 test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
1663 set_bit(HCI_INIT, &hdev->flags);
1664 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
1665 clear_bit(HCI_INIT, &hdev->flags);
1668 /* flush cmd work */
1669 flush_work(&hdev->cmd_work);
1672 skb_queue_purge(&hdev->rx_q);
1673 skb_queue_purge(&hdev->cmd_q);
1674 skb_queue_purge(&hdev->raw_q);
1676 /* Drop last sent command */
1677 if (hdev->sent_cmd) {
1678 cancel_delayed_work_sync(&hdev->cmd_timer);
1679 kfree_skb(hdev->sent_cmd);
1680 hdev->sent_cmd = NULL;
1683 kfree_skb(hdev->recv_evt);
1684 hdev->recv_evt = NULL;
1686 /* After this point our queues are empty
1687 * and no tasks are scheduled. */
1691 hdev->flags &= BIT(HCI_RAW);
1692 hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
1694 /* Controller radio is available but is currently powered down */
1695 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1697 memset(hdev->eir, 0, sizeof(hdev->eir));
1698 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1699 bacpy(&hdev->random_addr, BDADDR_ANY);
1701 hci_req_unlock(hdev);
1707 int hci_dev_close(__u16 dev)
1709 struct hci_dev *hdev;
1712 hdev = hci_dev_get(dev);
1716 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1721 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1722 cancel_delayed_work(&hdev->power_off);
1724 err = hci_dev_do_close(hdev);
1731 static int hci_dev_do_reset(struct hci_dev *hdev)
1735 BT_DBG("%s %p", hdev->name, hdev);
1740 skb_queue_purge(&hdev->rx_q);
1741 skb_queue_purge(&hdev->cmd_q);
1743 /* Avoid potential lockdep warnings from the *_flush() calls by
1744 * ensuring the workqueue is empty up front.
1746 drain_workqueue(hdev->workqueue);
1749 hci_inquiry_cache_flush(hdev);
1750 hci_conn_hash_flush(hdev);
1751 hci_dev_unlock(hdev);
1756 atomic_set(&hdev->cmd_cnt, 1);
1757 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1759 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
1761 hci_req_unlock(hdev);
1765 int hci_dev_reset(__u16 dev)
1767 struct hci_dev *hdev;
1770 hdev = hci_dev_get(dev);
1774 if (!test_bit(HCI_UP, &hdev->flags)) {
1779 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1784 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) {
1789 err = hci_dev_do_reset(hdev);
1796 int hci_dev_reset_stat(__u16 dev)
1798 struct hci_dev *hdev;
1801 hdev = hci_dev_get(dev);
1805 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1810 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) {
1815 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1822 static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1824 bool conn_changed, discov_changed;
1826 BT_DBG("%s scan 0x%02x", hdev->name, scan);
1828 if ((scan & SCAN_PAGE))
1829 conn_changed = !test_and_set_bit(HCI_CONNECTABLE,
1832 conn_changed = test_and_clear_bit(HCI_CONNECTABLE,
1835 if ((scan & SCAN_INQUIRY)) {
1836 discov_changed = !test_and_set_bit(HCI_DISCOVERABLE,
1839 clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1840 discov_changed = test_and_clear_bit(HCI_DISCOVERABLE,
1844 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1847 if (conn_changed || discov_changed) {
1848 /* In case this was disabled through mgmt */
1849 set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
1851 if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
1852 mgmt_update_adv_data(hdev);
1854 mgmt_new_settings(hdev);
1858 int hci_dev_cmd(unsigned int cmd, void __user *arg)
1860 struct hci_dev *hdev;
1861 struct hci_dev_req dr;
1864 if (copy_from_user(&dr, arg, sizeof(dr)))
1867 hdev = hci_dev_get(dr.dev_id);
1871 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1876 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) {
1881 if (hdev->dev_type != HCI_BREDR) {
1886 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
1893 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1898 if (!lmp_encrypt_capable(hdev)) {
1903 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1904 /* Auth must be enabled first */
1905 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1911 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1916 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1919 /* Ensure that the connectable and discoverable states
1920 * get correctly modified as this was a non-mgmt change.
1923 hci_update_scan_state(hdev, dr.dev_opt);
1927 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1931 case HCISETLINKMODE:
1932 hdev->link_mode = ((__u16) dr.dev_opt) &
1933 (HCI_LM_MASTER | HCI_LM_ACCEPT);
1937 hdev->pkt_type = (__u16) dr.dev_opt;
1941 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
1942 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1946 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
1947 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1960 int hci_get_dev_list(void __user *arg)
1962 struct hci_dev *hdev;
1963 struct hci_dev_list_req *dl;
1964 struct hci_dev_req *dr;
1965 int n = 0, size, err;
1968 if (get_user(dev_num, (__u16 __user *) arg))
1971 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1974 size = sizeof(*dl) + dev_num * sizeof(*dr);
1976 dl = kzalloc(size, GFP_KERNEL);
1982 read_lock(&hci_dev_list_lock);
1983 list_for_each_entry(hdev, &hci_dev_list, list) {
1984 unsigned long flags = hdev->flags;
1986 /* When the auto-off is configured it means the transport
1987 * is running, but in that case still indicate that the
1988 * device is actually down.
1990 if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1991 flags &= ~BIT(HCI_UP);
1993 (dr + n)->dev_id = hdev->id;
1994 (dr + n)->dev_opt = flags;
1999 read_unlock(&hci_dev_list_lock);
2002 size = sizeof(*dl) + n * sizeof(*dr);
2004 err = copy_to_user(arg, dl, size);
2007 return err ? -EFAULT : 0;
2010 int hci_get_dev_info(void __user *arg)
2012 struct hci_dev *hdev;
2013 struct hci_dev_info di;
2014 unsigned long flags;
2017 if (copy_from_user(&di, arg, sizeof(di)))
2020 hdev = hci_dev_get(di.dev_id);
2024 /* When the auto-off is configured it means the transport
2025 * is running, but in that case still indicate that the
2026 * device is actually down.
2028 if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2029 flags = hdev->flags & ~BIT(HCI_UP);
2031 flags = hdev->flags;
2033 strcpy(di.name, hdev->name);
2034 di.bdaddr = hdev->bdaddr;
2035 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
2037 di.pkt_type = hdev->pkt_type;
2038 if (lmp_bredr_capable(hdev)) {
2039 di.acl_mtu = hdev->acl_mtu;
2040 di.acl_pkts = hdev->acl_pkts;
2041 di.sco_mtu = hdev->sco_mtu;
2042 di.sco_pkts = hdev->sco_pkts;
2044 di.acl_mtu = hdev->le_mtu;
2045 di.acl_pkts = hdev->le_pkts;
2049 di.link_policy = hdev->link_policy;
2050 di.link_mode = hdev->link_mode;
2052 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
2053 memcpy(&di.features, &hdev->features, sizeof(di.features));
2055 if (copy_to_user(arg, &di, sizeof(di)))
2063 /* ---- Interface to HCI drivers ---- */
2065 static int hci_rfkill_set_block(void *data, bool blocked)
2067 struct hci_dev *hdev = data;
2069 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
2071 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
2075 set_bit(HCI_RFKILLED, &hdev->dev_flags);
2076 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
2077 !test_bit(HCI_CONFIG, &hdev->dev_flags))
2078 hci_dev_do_close(hdev);
2080 clear_bit(HCI_RFKILLED, &hdev->dev_flags);
2086 static const struct rfkill_ops hci_rfkill_ops = {
2087 .set_block = hci_rfkill_set_block,
2090 static void hci_power_on(struct work_struct *work)
2092 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2095 BT_DBG("%s", hdev->name);
2097 err = hci_dev_do_open(hdev);
2100 mgmt_set_powered_failed(hdev, err);
2101 hci_dev_unlock(hdev);
2105 /* During the HCI setup phase, a few error conditions are
2106 * ignored and they need to be checked now. If they are still
2107 * valid, it is important to turn the device back off.
2109 if (test_bit(HCI_RFKILLED, &hdev->dev_flags) ||
2110 test_bit(HCI_UNCONFIGURED, &hdev->dev_flags) ||
2111 (hdev->dev_type == HCI_BREDR &&
2112 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2113 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2114 clear_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2115 hci_dev_do_close(hdev);
2116 } else if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
2117 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2118 HCI_AUTO_OFF_TIMEOUT);
2121 if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags)) {
2122 /* For unconfigured devices, set the HCI_RAW flag
2123 * so that userspace can easily identify them.
2125 if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
2126 set_bit(HCI_RAW, &hdev->flags);
2128 /* For fully configured devices, this will send
2129 * the Index Added event. For unconfigured devices,
2130 * it will send Unconfigued Index Added event.
2132 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2133 * and no event will be send.
2135 mgmt_index_added(hdev);
2136 } else if (test_and_clear_bit(HCI_CONFIG, &hdev->dev_flags)) {
2137 /* When the controller is now configured, then it
2138 * is important to clear the HCI_RAW flag.
2140 if (!test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
2141 clear_bit(HCI_RAW, &hdev->flags);
2143 /* Powering on the controller with HCI_CONFIG set only
2144 * happens with the transition from unconfigured to
2145 * configured. This will send the Index Added event.
2147 mgmt_index_added(hdev);
2151 static void hci_power_off(struct work_struct *work)
2153 struct hci_dev *hdev = container_of(work, struct hci_dev,
2156 BT_DBG("%s", hdev->name);
2158 hci_dev_do_close(hdev);
2161 static void hci_error_reset(struct work_struct *work)
2163 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2165 BT_DBG("%s", hdev->name);
2168 hdev->hw_error(hdev, hdev->hw_error_code);
2170 BT_ERR("%s hardware error 0x%2.2x", hdev->name,
2171 hdev->hw_error_code);
2173 if (hci_dev_do_close(hdev))
2176 hci_dev_do_open(hdev);
2179 static void hci_discov_off(struct work_struct *work)
2181 struct hci_dev *hdev;
2183 hdev = container_of(work, struct hci_dev, discov_off.work);
2185 BT_DBG("%s", hdev->name);
2187 mgmt_discoverable_timeout(hdev);
2190 void hci_uuids_clear(struct hci_dev *hdev)
2192 struct bt_uuid *uuid, *tmp;
2194 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2195 list_del(&uuid->list);
2200 void hci_link_keys_clear(struct hci_dev *hdev)
2202 struct link_key *key;
2204 list_for_each_entry_rcu(key, &hdev->link_keys, list) {
2205 list_del_rcu(&key->list);
2206 kfree_rcu(key, rcu);
2210 void hci_smp_ltks_clear(struct hci_dev *hdev)
2214 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2215 list_del_rcu(&k->list);
2220 void hci_smp_irks_clear(struct hci_dev *hdev)
2224 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2225 list_del_rcu(&k->list);
2230 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2235 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2236 if (bacmp(bdaddr, &k->bdaddr) == 0) {
2246 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2247 u8 key_type, u8 old_key_type)
2250 if (key_type < 0x03)
2253 /* Debug keys are insecure so don't store them persistently */
2254 if (key_type == HCI_LK_DEBUG_COMBINATION)
2257 /* Changed combination key and there's no previous one */
2258 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2261 /* Security mode 3 case */
2265 /* BR/EDR key derived using SC from an LE link */
2266 if (conn->type == LE_LINK)
2269 /* Neither local nor remote side had no-bonding as requirement */
2270 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2273 /* Local side had dedicated bonding as requirement */
2274 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2277 /* Remote side had dedicated bonding as requirement */
2278 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2281 /* If none of the above criteria match, then don't store the key
2286 static u8 ltk_role(u8 type)
2288 if (type == SMP_LTK)
2289 return HCI_ROLE_MASTER;
2291 return HCI_ROLE_SLAVE;
2294 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2295 u8 addr_type, u8 role)
2300 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2301 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2304 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2314 struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2316 struct smp_irk *irk;
2319 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2320 if (!bacmp(&irk->rpa, rpa)) {
2326 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2327 if (smp_irk_matches(hdev, irk->val, rpa)) {
2328 bacpy(&irk->rpa, rpa);
2338 struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2341 struct smp_irk *irk;
2343 /* Identity Address must be public or static random */
2344 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2348 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2349 if (addr_type == irk->addr_type &&
2350 bacmp(bdaddr, &irk->bdaddr) == 0) {
2360 struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2361 bdaddr_t *bdaddr, u8 *val, u8 type,
2362 u8 pin_len, bool *persistent)
2364 struct link_key *key, *old_key;
2367 old_key = hci_find_link_key(hdev, bdaddr);
2369 old_key_type = old_key->type;
2372 old_key_type = conn ? conn->key_type : 0xff;
2373 key = kzalloc(sizeof(*key), GFP_KERNEL);
2376 list_add_rcu(&key->list, &hdev->link_keys);
2379 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2381 /* Some buggy controller combinations generate a changed
2382 * combination key for legacy pairing even when there's no
2384 if (type == HCI_LK_CHANGED_COMBINATION &&
2385 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2386 type = HCI_LK_COMBINATION;
2388 conn->key_type = type;
2391 bacpy(&key->bdaddr, bdaddr);
2392 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2393 key->pin_len = pin_len;
2395 if (type == HCI_LK_CHANGED_COMBINATION)
2396 key->type = old_key_type;
2401 *persistent = hci_persistent_key(hdev, conn, type,
2407 struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2408 u8 addr_type, u8 type, u8 authenticated,
2409 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2411 struct smp_ltk *key, *old_key;
2412 u8 role = ltk_role(type);
2414 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2418 key = kzalloc(sizeof(*key), GFP_KERNEL);
2421 list_add_rcu(&key->list, &hdev->long_term_keys);
2424 bacpy(&key->bdaddr, bdaddr);
2425 key->bdaddr_type = addr_type;
2426 memcpy(key->val, tk, sizeof(key->val));
2427 key->authenticated = authenticated;
2430 key->enc_size = enc_size;
2436 struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2437 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2439 struct smp_irk *irk;
2441 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2443 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2447 bacpy(&irk->bdaddr, bdaddr);
2448 irk->addr_type = addr_type;
2450 list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2453 memcpy(irk->val, val, 16);
2454 bacpy(&irk->rpa, rpa);
2459 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2461 struct link_key *key;
2463 key = hci_find_link_key(hdev, bdaddr);
2467 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2469 list_del_rcu(&key->list);
2470 kfree_rcu(key, rcu);
2475 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2480 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2481 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2484 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2486 list_del_rcu(&k->list);
2491 return removed ? 0 : -ENOENT;
2494 void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2498 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2499 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2502 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2504 list_del_rcu(&k->list);
2509 /* HCI command timer function */
2510 static void hci_cmd_timeout(struct work_struct *work)
2512 struct hci_dev *hdev = container_of(work, struct hci_dev,
2515 if (hdev->sent_cmd) {
2516 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2517 u16 opcode = __le16_to_cpu(sent->opcode);
2519 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2521 BT_ERR("%s command tx timeout", hdev->name);
2524 atomic_set(&hdev->cmd_cnt, 1);
2525 queue_work(hdev->workqueue, &hdev->cmd_work);
2528 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2529 bdaddr_t *bdaddr, u8 bdaddr_type)
2531 struct oob_data *data;
2533 list_for_each_entry(data, &hdev->remote_oob_data, list) {
2534 if (bacmp(bdaddr, &data->bdaddr) != 0)
2536 if (data->bdaddr_type != bdaddr_type)
2544 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2547 struct oob_data *data;
2549 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2553 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2555 list_del(&data->list);
2561 void hci_remote_oob_data_clear(struct hci_dev *hdev)
2563 struct oob_data *data, *n;
2565 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2566 list_del(&data->list);
2571 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2572 u8 bdaddr_type, u8 *hash192, u8 *rand192,
2573 u8 *hash256, u8 *rand256)
2575 struct oob_data *data;
2577 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2579 data = kmalloc(sizeof(*data), GFP_KERNEL);
2583 bacpy(&data->bdaddr, bdaddr);
2584 data->bdaddr_type = bdaddr_type;
2585 list_add(&data->list, &hdev->remote_oob_data);
2588 if (hash192 && rand192) {
2589 memcpy(data->hash192, hash192, sizeof(data->hash192));
2590 memcpy(data->rand192, rand192, sizeof(data->rand192));
2591 if (hash256 && rand256)
2592 data->present = 0x03;
2594 memset(data->hash192, 0, sizeof(data->hash192));
2595 memset(data->rand192, 0, sizeof(data->rand192));
2596 if (hash256 && rand256)
2597 data->present = 0x02;
2599 data->present = 0x00;
2602 if (hash256 && rand256) {
2603 memcpy(data->hash256, hash256, sizeof(data->hash256));
2604 memcpy(data->rand256, rand256, sizeof(data->rand256));
2606 memset(data->hash256, 0, sizeof(data->hash256));
2607 memset(data->rand256, 0, sizeof(data->rand256));
2608 if (hash192 && rand192)
2609 data->present = 0x01;
2612 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2617 struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2618 bdaddr_t *bdaddr, u8 type)
2620 struct bdaddr_list *b;
2622 list_for_each_entry(b, bdaddr_list, list) {
2623 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2630 void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2632 struct list_head *p, *n;
2634 list_for_each_safe(p, n, bdaddr_list) {
2635 struct bdaddr_list *b = list_entry(p, struct bdaddr_list, list);
2642 int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2644 struct bdaddr_list *entry;
2646 if (!bacmp(bdaddr, BDADDR_ANY))
2649 if (hci_bdaddr_list_lookup(list, bdaddr, type))
2652 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2656 bacpy(&entry->bdaddr, bdaddr);
2657 entry->bdaddr_type = type;
2659 list_add(&entry->list, list);
2664 int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2666 struct bdaddr_list *entry;
2668 if (!bacmp(bdaddr, BDADDR_ANY)) {
2669 hci_bdaddr_list_clear(list);
2673 entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2677 list_del(&entry->list);
2683 /* This function requires the caller holds hdev->lock */
2684 struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2685 bdaddr_t *addr, u8 addr_type)
2687 struct hci_conn_params *params;
2689 /* The conn params list only contains identity addresses */
2690 if (!hci_is_identity_address(addr, addr_type))
2693 list_for_each_entry(params, &hdev->le_conn_params, list) {
2694 if (bacmp(¶ms->addr, addr) == 0 &&
2695 params->addr_type == addr_type) {
2703 /* This function requires the caller holds hdev->lock */
2704 struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2705 bdaddr_t *addr, u8 addr_type)
2707 struct hci_conn_params *param;
2709 /* The list only contains identity addresses */
2710 if (!hci_is_identity_address(addr, addr_type))
2713 list_for_each_entry(param, list, action) {
2714 if (bacmp(¶m->addr, addr) == 0 &&
2715 param->addr_type == addr_type)
2722 /* This function requires the caller holds hdev->lock */
2723 struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2724 bdaddr_t *addr, u8 addr_type)
2726 struct hci_conn_params *params;
2728 if (!hci_is_identity_address(addr, addr_type))
2731 params = hci_conn_params_lookup(hdev, addr, addr_type);
2735 params = kzalloc(sizeof(*params), GFP_KERNEL);
2737 BT_ERR("Out of memory");
2741 bacpy(¶ms->addr, addr);
2742 params->addr_type = addr_type;
2744 list_add(¶ms->list, &hdev->le_conn_params);
2745 INIT_LIST_HEAD(¶ms->action);
2747 params->conn_min_interval = hdev->le_conn_min_interval;
2748 params->conn_max_interval = hdev->le_conn_max_interval;
2749 params->conn_latency = hdev->le_conn_latency;
2750 params->supervision_timeout = hdev->le_supv_timeout;
2751 params->auto_connect = HCI_AUTO_CONN_DISABLED;
2753 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2758 static void hci_conn_params_free(struct hci_conn_params *params)
2761 hci_conn_drop(params->conn);
2762 hci_conn_put(params->conn);
2765 list_del(¶ms->action);
2766 list_del(¶ms->list);
2770 /* This function requires the caller holds hdev->lock */
2771 void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2773 struct hci_conn_params *params;
2775 params = hci_conn_params_lookup(hdev, addr, addr_type);
2779 hci_conn_params_free(params);
2781 hci_update_background_scan(hdev);
2783 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2786 /* This function requires the caller holds hdev->lock */
2787 void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2789 struct hci_conn_params *params, *tmp;
2791 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2792 if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2794 list_del(¶ms->list);
2798 BT_DBG("All LE disabled connection parameters were removed");
2801 /* This function requires the caller holds hdev->lock */
2802 void hci_conn_params_clear_all(struct hci_dev *hdev)
2804 struct hci_conn_params *params, *tmp;
2806 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2807 hci_conn_params_free(params);
2809 hci_update_background_scan(hdev);
2811 BT_DBG("All LE connection parameters were removed");
2814 static void inquiry_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2817 BT_ERR("Failed to start inquiry: status %d", status);
2820 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2821 hci_dev_unlock(hdev);
2826 static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status,
2829 /* General inquiry access code (GIAC) */
2830 u8 lap[3] = { 0x33, 0x8b, 0x9e };
2831 struct hci_request req;
2832 struct hci_cp_inquiry cp;
2836 BT_ERR("Failed to disable LE scanning: status %d", status);
2840 hdev->discovery.scan_start = 0;
2842 switch (hdev->discovery.type) {
2843 case DISCOV_TYPE_LE:
2845 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2846 hci_dev_unlock(hdev);
2849 case DISCOV_TYPE_INTERLEAVED:
2850 hci_req_init(&req, hdev);
2852 memset(&cp, 0, sizeof(cp));
2853 memcpy(&cp.lap, lap, sizeof(cp.lap));
2854 cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
2855 hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
2859 hci_inquiry_cache_flush(hdev);
2861 err = hci_req_run(&req, inquiry_complete);
2863 BT_ERR("Inquiry request failed: err %d", err);
2864 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2867 hci_dev_unlock(hdev);
2872 static void le_scan_disable_work(struct work_struct *work)
2874 struct hci_dev *hdev = container_of(work, struct hci_dev,
2875 le_scan_disable.work);
2876 struct hci_request req;
2879 BT_DBG("%s", hdev->name);
2881 cancel_delayed_work_sync(&hdev->le_scan_restart);
2883 hci_req_init(&req, hdev);
2885 hci_req_add_le_scan_disable(&req);
2887 err = hci_req_run(&req, le_scan_disable_work_complete);
2889 BT_ERR("Disable LE scanning request failed: err %d", err);
2892 static void le_scan_restart_work_complete(struct hci_dev *hdev, u8 status,
2895 unsigned long timeout, duration, scan_start, now;
2897 BT_DBG("%s", hdev->name);
2900 BT_ERR("Failed to restart LE scan: status %d", status);
2904 if (!test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks) ||
2905 !hdev->discovery.scan_start)
2908 /* When the scan was started, hdev->le_scan_disable has been queued
2909 * after duration from scan_start. During scan restart this job
2910 * has been canceled, and we need to queue it again after proper
2911 * timeout, to make sure that scan does not run indefinitely.
2913 duration = hdev->discovery.scan_duration;
2914 scan_start = hdev->discovery.scan_start;
2916 if (now - scan_start <= duration) {
2919 if (now >= scan_start)
2920 elapsed = now - scan_start;
2922 elapsed = ULONG_MAX - scan_start + now;
2924 timeout = duration - elapsed;
2928 queue_delayed_work(hdev->workqueue,
2929 &hdev->le_scan_disable, timeout);
2932 static void le_scan_restart_work(struct work_struct *work)
2934 struct hci_dev *hdev = container_of(work, struct hci_dev,
2935 le_scan_restart.work);
2936 struct hci_request req;
2937 struct hci_cp_le_set_scan_enable cp;
2940 BT_DBG("%s", hdev->name);
2942 /* If controller is not scanning we are done. */
2943 if (!test_bit(HCI_LE_SCAN, &hdev->dev_flags))
2946 hci_req_init(&req, hdev);
2948 hci_req_add_le_scan_disable(&req);
2950 memset(&cp, 0, sizeof(cp));
2951 cp.enable = LE_SCAN_ENABLE;
2952 cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
2953 hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2955 err = hci_req_run(&req, le_scan_restart_work_complete);
2957 BT_ERR("Restart LE scan request failed: err %d", err);
2960 /* Copy the Identity Address of the controller.
2962 * If the controller has a public BD_ADDR, then by default use that one.
2963 * If this is a LE only controller without a public address, default to
2964 * the static random address.
2966 * For debugging purposes it is possible to force controllers with a
2967 * public address to use the static random address instead.
2969 * In case BR/EDR has been disabled on a dual-mode controller and
2970 * userspace has configured a static address, then that address
2971 * becomes the identity address instead of the public BR/EDR address.
2973 void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2976 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dbg_flags) ||
2977 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2978 (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags) &&
2979 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2980 bacpy(bdaddr, &hdev->static_addr);
2981 *bdaddr_type = ADDR_LE_DEV_RANDOM;
2983 bacpy(bdaddr, &hdev->bdaddr);
2984 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
2988 /* Alloc HCI device */
2989 struct hci_dev *hci_alloc_dev(void)
2991 struct hci_dev *hdev;
2993 hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
2997 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2998 hdev->esco_type = (ESCO_HV1);
2999 hdev->link_mode = (HCI_LM_ACCEPT);
3000 hdev->num_iac = 0x01; /* One IAC support is mandatory */
3001 hdev->io_capability = 0x03; /* No Input No Output */
3002 hdev->manufacturer = 0xffff; /* Default to internal use */
3003 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
3004 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
3006 hdev->sniff_max_interval = 800;
3007 hdev->sniff_min_interval = 80;
3009 hdev->le_adv_channel_map = 0x07;
3010 hdev->le_adv_min_interval = 0x0800;
3011 hdev->le_adv_max_interval = 0x0800;
3012 hdev->le_scan_interval = 0x0060;
3013 hdev->le_scan_window = 0x0030;
3014 hdev->le_conn_min_interval = 0x0028;
3015 hdev->le_conn_max_interval = 0x0038;
3016 hdev->le_conn_latency = 0x0000;
3017 hdev->le_supv_timeout = 0x002a;
3018 hdev->le_def_tx_len = 0x001b;
3019 hdev->le_def_tx_time = 0x0148;
3020 hdev->le_max_tx_len = 0x001b;
3021 hdev->le_max_tx_time = 0x0148;
3022 hdev->le_max_rx_len = 0x001b;
3023 hdev->le_max_rx_time = 0x0148;
3025 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3026 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
3027 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
3028 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
3030 mutex_init(&hdev->lock);
3031 mutex_init(&hdev->req_lock);
3033 INIT_LIST_HEAD(&hdev->mgmt_pending);
3034 INIT_LIST_HEAD(&hdev->blacklist);
3035 INIT_LIST_HEAD(&hdev->whitelist);
3036 INIT_LIST_HEAD(&hdev->uuids);
3037 INIT_LIST_HEAD(&hdev->link_keys);
3038 INIT_LIST_HEAD(&hdev->long_term_keys);
3039 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
3040 INIT_LIST_HEAD(&hdev->remote_oob_data);
3041 INIT_LIST_HEAD(&hdev->le_white_list);
3042 INIT_LIST_HEAD(&hdev->le_conn_params);
3043 INIT_LIST_HEAD(&hdev->pend_le_conns);
3044 INIT_LIST_HEAD(&hdev->pend_le_reports);
3045 INIT_LIST_HEAD(&hdev->conn_hash.list);
3047 INIT_WORK(&hdev->rx_work, hci_rx_work);
3048 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
3049 INIT_WORK(&hdev->tx_work, hci_tx_work);
3050 INIT_WORK(&hdev->power_on, hci_power_on);
3051 INIT_WORK(&hdev->error_reset, hci_error_reset);
3053 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
3054 INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
3055 INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
3056 INIT_DELAYED_WORK(&hdev->le_scan_restart, le_scan_restart_work);
3058 skb_queue_head_init(&hdev->rx_q);
3059 skb_queue_head_init(&hdev->cmd_q);
3060 skb_queue_head_init(&hdev->raw_q);
3062 init_waitqueue_head(&hdev->req_wait_q);
3064 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3066 hci_init_sysfs(hdev);
3067 discovery_init(hdev);
3071 EXPORT_SYMBOL(hci_alloc_dev);
3073 /* Free HCI device */
3074 void hci_free_dev(struct hci_dev *hdev)
3076 /* will free via device release */
3077 put_device(&hdev->dev);
3079 EXPORT_SYMBOL(hci_free_dev);
3081 /* Register HCI device */
3082 int hci_register_dev(struct hci_dev *hdev)
3086 if (!hdev->open || !hdev->close || !hdev->send)
3089 /* Do not allow HCI_AMP devices to register at index 0,
3090 * so the index can be used as the AMP controller ID.
3092 switch (hdev->dev_type) {
3094 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3097 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3106 sprintf(hdev->name, "hci%d", id);
3109 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3111 hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3112 WQ_MEM_RECLAIM, 1, hdev->name);
3113 if (!hdev->workqueue) {
3118 hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3119 WQ_MEM_RECLAIM, 1, hdev->name);
3120 if (!hdev->req_workqueue) {
3121 destroy_workqueue(hdev->workqueue);
3126 if (!IS_ERR_OR_NULL(bt_debugfs))
3127 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3129 dev_set_name(&hdev->dev, "%s", hdev->name);
3131 error = device_add(&hdev->dev);
3135 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3136 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3139 if (rfkill_register(hdev->rfkill) < 0) {
3140 rfkill_destroy(hdev->rfkill);
3141 hdev->rfkill = NULL;
3145 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3146 set_bit(HCI_RFKILLED, &hdev->dev_flags);
3148 set_bit(HCI_SETUP, &hdev->dev_flags);
3149 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
3151 if (hdev->dev_type == HCI_BREDR) {
3152 /* Assume BR/EDR support until proven otherwise (such as
3153 * through reading supported features during init.
3155 set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
3158 write_lock(&hci_dev_list_lock);
3159 list_add(&hdev->list, &hci_dev_list);
3160 write_unlock(&hci_dev_list_lock);
3162 /* Devices that are marked for raw-only usage are unconfigured
3163 * and should not be included in normal operation.
3165 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3166 set_bit(HCI_UNCONFIGURED, &hdev->dev_flags);
3168 hci_notify(hdev, HCI_DEV_REG);
3171 queue_work(hdev->req_workqueue, &hdev->power_on);
3176 destroy_workqueue(hdev->workqueue);
3177 destroy_workqueue(hdev->req_workqueue);
3179 ida_simple_remove(&hci_index_ida, hdev->id);
3183 EXPORT_SYMBOL(hci_register_dev);
3185 /* Unregister HCI device */
3186 void hci_unregister_dev(struct hci_dev *hdev)
3190 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3192 set_bit(HCI_UNREGISTER, &hdev->dev_flags);
3196 write_lock(&hci_dev_list_lock);
3197 list_del(&hdev->list);
3198 write_unlock(&hci_dev_list_lock);
3200 hci_dev_do_close(hdev);
3202 for (i = 0; i < NUM_REASSEMBLY; i++)
3203 kfree_skb(hdev->reassembly[i]);
3205 cancel_work_sync(&hdev->power_on);
3207 if (!test_bit(HCI_INIT, &hdev->flags) &&
3208 !test_bit(HCI_SETUP, &hdev->dev_flags) &&
3209 !test_bit(HCI_CONFIG, &hdev->dev_flags)) {
3211 mgmt_index_removed(hdev);
3212 hci_dev_unlock(hdev);
3215 /* mgmt_index_removed should take care of emptying the
3217 BUG_ON(!list_empty(&hdev->mgmt_pending));
3219 hci_notify(hdev, HCI_DEV_UNREG);
3222 rfkill_unregister(hdev->rfkill);
3223 rfkill_destroy(hdev->rfkill);
3226 device_del(&hdev->dev);
3228 debugfs_remove_recursive(hdev->debugfs);
3230 destroy_workqueue(hdev->workqueue);
3231 destroy_workqueue(hdev->req_workqueue);
3234 hci_bdaddr_list_clear(&hdev->blacklist);
3235 hci_bdaddr_list_clear(&hdev->whitelist);
3236 hci_uuids_clear(hdev);
3237 hci_link_keys_clear(hdev);
3238 hci_smp_ltks_clear(hdev);
3239 hci_smp_irks_clear(hdev);
3240 hci_remote_oob_data_clear(hdev);
3241 hci_bdaddr_list_clear(&hdev->le_white_list);
3242 hci_conn_params_clear_all(hdev);
3243 hci_discovery_filter_clear(hdev);
3244 hci_dev_unlock(hdev);
3248 ida_simple_remove(&hci_index_ida, id);
3250 EXPORT_SYMBOL(hci_unregister_dev);
3252 /* Suspend HCI device */
3253 int hci_suspend_dev(struct hci_dev *hdev)
3255 hci_notify(hdev, HCI_DEV_SUSPEND);
3258 EXPORT_SYMBOL(hci_suspend_dev);
3260 /* Resume HCI device */
3261 int hci_resume_dev(struct hci_dev *hdev)
3263 hci_notify(hdev, HCI_DEV_RESUME);
3266 EXPORT_SYMBOL(hci_resume_dev);
3268 /* Reset HCI device */
3269 int hci_reset_dev(struct hci_dev *hdev)
3271 const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
3272 struct sk_buff *skb;
3274 skb = bt_skb_alloc(3, GFP_ATOMIC);
3278 bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
3279 memcpy(skb_put(skb, 3), hw_err, 3);
3281 /* Send Hardware Error to upper stack */
3282 return hci_recv_frame(hdev, skb);
3284 EXPORT_SYMBOL(hci_reset_dev);
3286 /* Receive frame from HCI drivers */
3287 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3289 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3290 && !test_bit(HCI_INIT, &hdev->flags))) {
3296 bt_cb(skb)->incoming = 1;
3299 __net_timestamp(skb);
3301 skb_queue_tail(&hdev->rx_q, skb);
3302 queue_work(hdev->workqueue, &hdev->rx_work);
3306 EXPORT_SYMBOL(hci_recv_frame);
3308 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
3309 int count, __u8 index)
3314 struct sk_buff *skb;
3315 struct bt_skb_cb *scb;
3317 if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
3318 index >= NUM_REASSEMBLY)
3321 skb = hdev->reassembly[index];
3325 case HCI_ACLDATA_PKT:
3326 len = HCI_MAX_FRAME_SIZE;
3327 hlen = HCI_ACL_HDR_SIZE;
3330 len = HCI_MAX_EVENT_SIZE;
3331 hlen = HCI_EVENT_HDR_SIZE;
3333 case HCI_SCODATA_PKT:
3334 len = HCI_MAX_SCO_SIZE;
3335 hlen = HCI_SCO_HDR_SIZE;
3339 skb = bt_skb_alloc(len, GFP_ATOMIC);
3343 scb = (void *) skb->cb;
3345 scb->pkt_type = type;
3347 hdev->reassembly[index] = skb;
3351 scb = (void *) skb->cb;
3352 len = min_t(uint, scb->expect, count);
3354 memcpy(skb_put(skb, len), data, len);
3363 if (skb->len == HCI_EVENT_HDR_SIZE) {
3364 struct hci_event_hdr *h = hci_event_hdr(skb);
3365 scb->expect = h->plen;
3367 if (skb_tailroom(skb) < scb->expect) {
3369 hdev->reassembly[index] = NULL;
3375 case HCI_ACLDATA_PKT:
3376 if (skb->len == HCI_ACL_HDR_SIZE) {
3377 struct hci_acl_hdr *h = hci_acl_hdr(skb);
3378 scb->expect = __le16_to_cpu(h->dlen);
3380 if (skb_tailroom(skb) < scb->expect) {
3382 hdev->reassembly[index] = NULL;
3388 case HCI_SCODATA_PKT:
3389 if (skb->len == HCI_SCO_HDR_SIZE) {
3390 struct hci_sco_hdr *h = hci_sco_hdr(skb);
3391 scb->expect = h->dlen;
3393 if (skb_tailroom(skb) < scb->expect) {
3395 hdev->reassembly[index] = NULL;
3402 if (scb->expect == 0) {
3403 /* Complete frame */
3405 bt_cb(skb)->pkt_type = type;
3406 hci_recv_frame(hdev, skb);
3408 hdev->reassembly[index] = NULL;
3416 #define STREAM_REASSEMBLY 0
3418 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
3424 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
3427 struct { char type; } *pkt;
3429 /* Start of the frame */
3436 type = bt_cb(skb)->pkt_type;
3438 rem = hci_reassembly(hdev, type, data, count,
3443 data += (count - rem);
3449 EXPORT_SYMBOL(hci_recv_stream_fragment);
3451 /* ---- Interface to upper protocols ---- */
3453 int hci_register_cb(struct hci_cb *cb)
3455 BT_DBG("%p name %s", cb, cb->name);
3457 write_lock(&hci_cb_list_lock);
3458 list_add(&cb->list, &hci_cb_list);
3459 write_unlock(&hci_cb_list_lock);
3463 EXPORT_SYMBOL(hci_register_cb);
3465 int hci_unregister_cb(struct hci_cb *cb)
3467 BT_DBG("%p name %s", cb, cb->name);
3469 write_lock(&hci_cb_list_lock);
3470 list_del(&cb->list);
3471 write_unlock(&hci_cb_list_lock);
3475 EXPORT_SYMBOL(hci_unregister_cb);
3477 static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3481 BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
3484 __net_timestamp(skb);
3486 /* Send copy to monitor */
3487 hci_send_to_monitor(hdev, skb);
3489 if (atomic_read(&hdev->promisc)) {
3490 /* Send copy to the sockets */
3491 hci_send_to_sock(hdev, skb);
3494 /* Get rid of skb owner, prior to sending to the driver. */
3497 err = hdev->send(hdev, skb);
3499 BT_ERR("%s sending frame failed (%d)", hdev->name, err);
3504 bool hci_req_pending(struct hci_dev *hdev)
3506 return (hdev->req_status == HCI_REQ_PEND);
3509 /* Send HCI command */
3510 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3513 struct sk_buff *skb;
3515 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3517 skb = hci_prepare_cmd(hdev, opcode, plen, param);
3519 BT_ERR("%s no memory for command", hdev->name);
3523 /* Stand-alone HCI commands must be flagged as
3524 * single-command requests.
3526 bt_cb(skb)->req.start = true;
3528 skb_queue_tail(&hdev->cmd_q, skb);
3529 queue_work(hdev->workqueue, &hdev->cmd_work);
3534 /* Get data from the previously sent command */
3535 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3537 struct hci_command_hdr *hdr;
3539 if (!hdev->sent_cmd)
3542 hdr = (void *) hdev->sent_cmd->data;
3544 if (hdr->opcode != cpu_to_le16(opcode))
3547 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3549 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3553 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3555 struct hci_acl_hdr *hdr;
3558 skb_push(skb, HCI_ACL_HDR_SIZE);
3559 skb_reset_transport_header(skb);
3560 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3561 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3562 hdr->dlen = cpu_to_le16(len);
3565 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3566 struct sk_buff *skb, __u16 flags)
3568 struct hci_conn *conn = chan->conn;
3569 struct hci_dev *hdev = conn->hdev;
3570 struct sk_buff *list;
3572 skb->len = skb_headlen(skb);
3575 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
3577 switch (hdev->dev_type) {
3579 hci_add_acl_hdr(skb, conn->handle, flags);
3582 hci_add_acl_hdr(skb, chan->handle, flags);
3585 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3589 list = skb_shinfo(skb)->frag_list;
3591 /* Non fragmented */
3592 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3594 skb_queue_tail(queue, skb);
3597 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3599 skb_shinfo(skb)->frag_list = NULL;
3601 /* Queue all fragments atomically. We need to use spin_lock_bh
3602 * here because of 6LoWPAN links, as there this function is
3603 * called from softirq and using normal spin lock could cause
3606 spin_lock_bh(&queue->lock);
3608 __skb_queue_tail(queue, skb);
3610 flags &= ~ACL_START;
3613 skb = list; list = list->next;
3615 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
3616 hci_add_acl_hdr(skb, conn->handle, flags);
3618 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3620 __skb_queue_tail(queue, skb);
3623 spin_unlock_bh(&queue->lock);
3627 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3629 struct hci_dev *hdev = chan->conn->hdev;
3631 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3633 hci_queue_acl(chan, &chan->data_q, skb, flags);
3635 queue_work(hdev->workqueue, &hdev->tx_work);
3639 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3641 struct hci_dev *hdev = conn->hdev;
3642 struct hci_sco_hdr hdr;
3644 BT_DBG("%s len %d", hdev->name, skb->len);
3646 hdr.handle = cpu_to_le16(conn->handle);
3647 hdr.dlen = skb->len;
3649 skb_push(skb, HCI_SCO_HDR_SIZE);
3650 skb_reset_transport_header(skb);
3651 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3653 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
3655 skb_queue_tail(&conn->data_q, skb);
3656 queue_work(hdev->workqueue, &hdev->tx_work);
3659 /* ---- HCI TX task (outgoing data) ---- */
3661 /* HCI Connection scheduler */
3662 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3665 struct hci_conn_hash *h = &hdev->conn_hash;
3666 struct hci_conn *conn = NULL, *c;
3667 unsigned int num = 0, min = ~0;
3669 /* We don't have to lock device here. Connections are always
3670 * added and removed with TX task disabled. */
3674 list_for_each_entry_rcu(c, &h->list, list) {
3675 if (c->type != type || skb_queue_empty(&c->data_q))
3678 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3683 if (c->sent < min) {
3688 if (hci_conn_num(hdev, type) == num)
3697 switch (conn->type) {
3699 cnt = hdev->acl_cnt;
3703 cnt = hdev->sco_cnt;
3706 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3710 BT_ERR("Unknown link type");
3718 BT_DBG("conn %p quote %d", conn, *quote);
3722 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3724 struct hci_conn_hash *h = &hdev->conn_hash;
3727 BT_ERR("%s link tx timeout", hdev->name);
3731 /* Kill stalled connections */
3732 list_for_each_entry_rcu(c, &h->list, list) {
3733 if (c->type == type && c->sent) {
3734 BT_ERR("%s killing stalled connection %pMR",
3735 hdev->name, &c->dst);
3736 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3743 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3746 struct hci_conn_hash *h = &hdev->conn_hash;
3747 struct hci_chan *chan = NULL;
3748 unsigned int num = 0, min = ~0, cur_prio = 0;
3749 struct hci_conn *conn;
3750 int cnt, q, conn_num = 0;
3752 BT_DBG("%s", hdev->name);
3756 list_for_each_entry_rcu(conn, &h->list, list) {
3757 struct hci_chan *tmp;
3759 if (conn->type != type)
3762 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3767 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3768 struct sk_buff *skb;
3770 if (skb_queue_empty(&tmp->data_q))
3773 skb = skb_peek(&tmp->data_q);
3774 if (skb->priority < cur_prio)
3777 if (skb->priority > cur_prio) {
3780 cur_prio = skb->priority;
3785 if (conn->sent < min) {
3791 if (hci_conn_num(hdev, type) == conn_num)
3800 switch (chan->conn->type) {
3802 cnt = hdev->acl_cnt;
3805 cnt = hdev->block_cnt;
3809 cnt = hdev->sco_cnt;
3812 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3816 BT_ERR("Unknown link type");
3821 BT_DBG("chan %p quote %d", chan, *quote);
3825 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3827 struct hci_conn_hash *h = &hdev->conn_hash;
3828 struct hci_conn *conn;
3831 BT_DBG("%s", hdev->name);
3835 list_for_each_entry_rcu(conn, &h->list, list) {
3836 struct hci_chan *chan;
3838 if (conn->type != type)
3841 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3846 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3847 struct sk_buff *skb;
3854 if (skb_queue_empty(&chan->data_q))
3857 skb = skb_peek(&chan->data_q);
3858 if (skb->priority >= HCI_PRIO_MAX - 1)
3861 skb->priority = HCI_PRIO_MAX - 1;
3863 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3867 if (hci_conn_num(hdev, type) == num)
3875 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3877 /* Calculate count of blocks used by this packet */
3878 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3881 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3883 if (!test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) {
3884 /* ACL tx timeout must be longer than maximum
3885 * link supervision timeout (40.9 seconds) */
3886 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3887 HCI_ACL_TX_TIMEOUT))
3888 hci_link_tx_to(hdev, ACL_LINK);
3892 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3894 unsigned int cnt = hdev->acl_cnt;
3895 struct hci_chan *chan;
3896 struct sk_buff *skb;
3899 __check_timeout(hdev, cnt);
3901 while (hdev->acl_cnt &&
3902 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
3903 u32 priority = (skb_peek(&chan->data_q))->priority;
3904 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3905 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3906 skb->len, skb->priority);
3908 /* Stop if priority has changed */
3909 if (skb->priority < priority)
3912 skb = skb_dequeue(&chan->data_q);
3914 hci_conn_enter_active_mode(chan->conn,
3915 bt_cb(skb)->force_active);
3917 hci_send_frame(hdev, skb);
3918 hdev->acl_last_tx = jiffies;
3926 if (cnt != hdev->acl_cnt)
3927 hci_prio_recalculate(hdev, ACL_LINK);
3930 static void hci_sched_acl_blk(struct hci_dev *hdev)
3932 unsigned int cnt = hdev->block_cnt;
3933 struct hci_chan *chan;
3934 struct sk_buff *skb;
3938 __check_timeout(hdev, cnt);
3940 BT_DBG("%s", hdev->name);
3942 if (hdev->dev_type == HCI_AMP)
3947 while (hdev->block_cnt > 0 &&
3948 (chan = hci_chan_sent(hdev, type, "e))) {
3949 u32 priority = (skb_peek(&chan->data_q))->priority;
3950 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3953 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3954 skb->len, skb->priority);
3956 /* Stop if priority has changed */
3957 if (skb->priority < priority)
3960 skb = skb_dequeue(&chan->data_q);
3962 blocks = __get_blocks(hdev, skb);
3963 if (blocks > hdev->block_cnt)
3966 hci_conn_enter_active_mode(chan->conn,
3967 bt_cb(skb)->force_active);
3969 hci_send_frame(hdev, skb);
3970 hdev->acl_last_tx = jiffies;
3972 hdev->block_cnt -= blocks;
3975 chan->sent += blocks;
3976 chan->conn->sent += blocks;
3980 if (cnt != hdev->block_cnt)
3981 hci_prio_recalculate(hdev, type);
3984 static void hci_sched_acl(struct hci_dev *hdev)
3986 BT_DBG("%s", hdev->name);
3988 /* No ACL link over BR/EDR controller */
3989 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3992 /* No AMP link over AMP controller */
3993 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3996 switch (hdev->flow_ctl_mode) {
3997 case HCI_FLOW_CTL_MODE_PACKET_BASED:
3998 hci_sched_acl_pkt(hdev);
4001 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
4002 hci_sched_acl_blk(hdev);
4008 static void hci_sched_sco(struct hci_dev *hdev)
4010 struct hci_conn *conn;
4011 struct sk_buff *skb;
4014 BT_DBG("%s", hdev->name);
4016 if (!hci_conn_num(hdev, SCO_LINK))
4019 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
4020 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4021 BT_DBG("skb %p len %d", skb, skb->len);
4022 hci_send_frame(hdev, skb);
4025 if (conn->sent == ~0)
4031 static void hci_sched_esco(struct hci_dev *hdev)
4033 struct hci_conn *conn;
4034 struct sk_buff *skb;
4037 BT_DBG("%s", hdev->name);
4039 if (!hci_conn_num(hdev, ESCO_LINK))
4042 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
4044 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4045 BT_DBG("skb %p len %d", skb, skb->len);
4046 hci_send_frame(hdev, skb);
4049 if (conn->sent == ~0)
4055 static void hci_sched_le(struct hci_dev *hdev)
4057 struct hci_chan *chan;
4058 struct sk_buff *skb;
4059 int quote, cnt, tmp;
4061 BT_DBG("%s", hdev->name);
4063 if (!hci_conn_num(hdev, LE_LINK))
4066 if (!test_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) {
4067 /* LE tx timeout must be longer than maximum
4068 * link supervision timeout (40.9 seconds) */
4069 if (!hdev->le_cnt && hdev->le_pkts &&
4070 time_after(jiffies, hdev->le_last_tx + HZ * 45))
4071 hci_link_tx_to(hdev, LE_LINK);
4074 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
4076 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
4077 u32 priority = (skb_peek(&chan->data_q))->priority;
4078 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4079 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4080 skb->len, skb->priority);
4082 /* Stop if priority has changed */
4083 if (skb->priority < priority)
4086 skb = skb_dequeue(&chan->data_q);
4088 hci_send_frame(hdev, skb);
4089 hdev->le_last_tx = jiffies;
4100 hdev->acl_cnt = cnt;
4103 hci_prio_recalculate(hdev, LE_LINK);
4106 static void hci_tx_work(struct work_struct *work)
4108 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
4109 struct sk_buff *skb;
4111 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
4112 hdev->sco_cnt, hdev->le_cnt);
4114 if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
4115 /* Schedule queues and send stuff to HCI driver */
4116 hci_sched_acl(hdev);
4117 hci_sched_sco(hdev);
4118 hci_sched_esco(hdev);
4122 /* Send next queued raw (unknown type) packet */
4123 while ((skb = skb_dequeue(&hdev->raw_q)))
4124 hci_send_frame(hdev, skb);
4127 /* ----- HCI RX task (incoming data processing) ----- */
4129 /* ACL data packet */
4130 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4132 struct hci_acl_hdr *hdr = (void *) skb->data;
4133 struct hci_conn *conn;
4134 __u16 handle, flags;
4136 skb_pull(skb, HCI_ACL_HDR_SIZE);
4138 handle = __le16_to_cpu(hdr->handle);
4139 flags = hci_flags(handle);
4140 handle = hci_handle(handle);
4142 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
4145 hdev->stat.acl_rx++;
4148 conn = hci_conn_hash_lookup_handle(hdev, handle);
4149 hci_dev_unlock(hdev);
4152 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
4154 /* Send to upper protocol */
4155 l2cap_recv_acldata(conn, skb, flags);
4158 BT_ERR("%s ACL packet for unknown connection handle %d",
4159 hdev->name, handle);
4165 /* SCO data packet */
4166 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4168 struct hci_sco_hdr *hdr = (void *) skb->data;
4169 struct hci_conn *conn;
4172 skb_pull(skb, HCI_SCO_HDR_SIZE);
4174 handle = __le16_to_cpu(hdr->handle);
4176 BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4178 hdev->stat.sco_rx++;
4181 conn = hci_conn_hash_lookup_handle(hdev, handle);
4182 hci_dev_unlock(hdev);
4185 /* Send to upper protocol */
4186 sco_recv_scodata(conn, skb);
4189 BT_ERR("%s SCO packet for unknown connection handle %d",
4190 hdev->name, handle);
4196 static bool hci_req_is_complete(struct hci_dev *hdev)
4198 struct sk_buff *skb;
4200 skb = skb_peek(&hdev->cmd_q);
4204 return bt_cb(skb)->req.start;
4207 static void hci_resend_last(struct hci_dev *hdev)
4209 struct hci_command_hdr *sent;
4210 struct sk_buff *skb;
4213 if (!hdev->sent_cmd)
4216 sent = (void *) hdev->sent_cmd->data;
4217 opcode = __le16_to_cpu(sent->opcode);
4218 if (opcode == HCI_OP_RESET)
4221 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4225 skb_queue_head(&hdev->cmd_q, skb);
4226 queue_work(hdev->workqueue, &hdev->cmd_work);
4229 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
4231 hci_req_complete_t req_complete = NULL;
4232 struct sk_buff *skb;
4233 unsigned long flags;
4235 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4237 /* If the completed command doesn't match the last one that was
4238 * sent we need to do special handling of it.
4240 if (!hci_sent_cmd_data(hdev, opcode)) {
4241 /* Some CSR based controllers generate a spontaneous
4242 * reset complete event during init and any pending
4243 * command will never be completed. In such a case we
4244 * need to resend whatever was the last sent
4247 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4248 hci_resend_last(hdev);
4253 /* If the command succeeded and there's still more commands in
4254 * this request the request is not yet complete.
4256 if (!status && !hci_req_is_complete(hdev))
4259 /* If this was the last command in a request the complete
4260 * callback would be found in hdev->sent_cmd instead of the
4261 * command queue (hdev->cmd_q).
4263 if (hdev->sent_cmd) {
4264 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
4267 /* We must set the complete callback to NULL to
4268 * avoid calling the callback more than once if
4269 * this function gets called again.
4271 bt_cb(hdev->sent_cmd)->req.complete = NULL;
4277 /* Remove all pending commands belonging to this request */
4278 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4279 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4280 if (bt_cb(skb)->req.start) {
4281 __skb_queue_head(&hdev->cmd_q, skb);
4285 req_complete = bt_cb(skb)->req.complete;
4288 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4292 req_complete(hdev, status, status ? opcode : HCI_OP_NOP);
4295 static void hci_rx_work(struct work_struct *work)
4297 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4298 struct sk_buff *skb;
4300 BT_DBG("%s", hdev->name);
4302 while ((skb = skb_dequeue(&hdev->rx_q))) {
4303 /* Send copy to monitor */
4304 hci_send_to_monitor(hdev, skb);
4306 if (atomic_read(&hdev->promisc)) {
4307 /* Send copy to the sockets */
4308 hci_send_to_sock(hdev, skb);
4311 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
4316 if (test_bit(HCI_INIT, &hdev->flags)) {
4317 /* Don't process data packets in this states. */
4318 switch (bt_cb(skb)->pkt_type) {
4319 case HCI_ACLDATA_PKT:
4320 case HCI_SCODATA_PKT:
4327 switch (bt_cb(skb)->pkt_type) {
4329 BT_DBG("%s Event packet", hdev->name);
4330 hci_event_packet(hdev, skb);
4333 case HCI_ACLDATA_PKT:
4334 BT_DBG("%s ACL data packet", hdev->name);
4335 hci_acldata_packet(hdev, skb);
4338 case HCI_SCODATA_PKT:
4339 BT_DBG("%s SCO data packet", hdev->name);
4340 hci_scodata_packet(hdev, skb);
4350 static void hci_cmd_work(struct work_struct *work)
4352 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4353 struct sk_buff *skb;
4355 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4356 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4358 /* Send queued commands */
4359 if (atomic_read(&hdev->cmd_cnt)) {
4360 skb = skb_dequeue(&hdev->cmd_q);
4364 kfree_skb(hdev->sent_cmd);
4366 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4367 if (hdev->sent_cmd) {
4368 atomic_dec(&hdev->cmd_cnt);
4369 hci_send_frame(hdev, skb);
4370 if (test_bit(HCI_RESET, &hdev->flags))
4371 cancel_delayed_work(&hdev->cmd_timer);
4373 schedule_delayed_work(&hdev->cmd_timer,
4376 skb_queue_head(&hdev->cmd_q, skb);
4377 queue_work(hdev->workqueue, &hdev->cmd_work);
projects / firefly-linux-kernel-4.4.55.git / blob