LXR linux/net/bluetooth/hci

   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (C) 2000-2001 Qualcomm Incorporated
   4   Copyright (C) 2011 ProFUSION Embedded Systems
   5
   6   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   7
   8   This program is free software; you can redistribute it and/or modify
   9   it under the terms of the GNU General Public License version 2 as
  10   published by the Free Software Foundation;
  11
  12   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  13   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  14   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  15   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  16   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  17   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  18   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  19   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  20
  21   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  22   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  23   SOFTWARE IS DISCLAIMED.
  24*/
  25
  26/* Bluetooth HCI core. */
  27
  28#include <linux/export.h>
  29#include <linux/idr.h>
  30#include <linux/rfkill.h>
  31#include <linux/debugfs.h>
  32#include <linux/crypto.h>
  33#include <asm/unaligned.h>
  34
  35#include <net/bluetooth/bluetooth.h>
  36#include <net/bluetooth/hci_core.h>
  37#include <net/bluetooth/l2cap.h>
  38#include <net/bluetooth/mgmt.h>
  39
  40#include "hci_request.h"
  41#include "hci_debugfs.h"
  42#include "smp.h"
  43#include "leds.h"
  44
  45static void hci_rx_work(struct work_struct *work);
  46static void hci_cmd_work(struct work_struct *work);
  47static void hci_tx_work(struct work_struct *work);
  48
  49/* HCI device list */
  50LIST_HEAD(hci_dev_list);
  51DEFINE_RWLOCK(hci_dev_list_lock);
  52
  53/* HCI callback list */
  54LIST_HEAD(hci_cb_list);
  55DEFINE_MUTEX(hci_cb_list_lock);
  56
  57/* HCI ID Numbering */
  58static DEFINE_IDA(hci_index_ida);
  59
  60/* ---- HCI debugfs entries ---- */
  61
  62static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
  63                             size_t count, loff_t *ppos)
  64{
  65        struct hci_dev *hdev = file->private_data;
  66        char buf[3];
  67
  68        buf[0] = hci_dev_test_flag(hdev, HCI_DUT_MODE) ? 'Y' : 'N';
  69        buf[1] = '\n';
  70        buf[2] = '\0';
  71        return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
  72}
  73
  74static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
  75                              size_t count, loff_t *ppos)
  76{
  77        struct hci_dev *hdev = file->private_data;
  78        struct sk_buff *skb;
  79        char buf[32];
  80        size_t buf_size = min(count, (sizeof(buf)-1));
  81        bool enable;
  82
  83        if (!test_bit(HCI_UP, &hdev->flags))
  84                return -ENETDOWN;
  85
  86        if (copy_from_user(buf, user_buf, buf_size))
  87                return -EFAULT;
  88
  89        buf[buf_size] = '\0';
  90        if (strtobool(buf, &enable))
  91                return -EINVAL;
  92
  93        if (enable == hci_dev_test_flag(hdev, HCI_DUT_MODE))
  94                return -EALREADY;
  95
  96        hci_req_sync_lock(hdev);
  97        if (enable)
  98                skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
  99                                     HCI_CMD_TIMEOUT);
 100        else
 101                skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
 102                                     HCI_CMD_TIMEOUT);
 103        hci_req_sync_unlock(hdev);
 104
 105        if (IS_ERR(skb))
 106                return PTR_ERR(skb);
 107
 108        kfree_skb(skb);
 109
 110        hci_dev_change_flag(hdev, HCI_DUT_MODE);
 111
 112        return count;
 113}
 114
 115static const struct file_operations dut_mode_fops = {
 116        .open           = simple_open,
 117        .read           = dut_mode_read,
 118        .write          = dut_mode_write,
 119        .llseek         = default_llseek,
 120};
 121
 122static ssize_t vendor_diag_read(struct file *file, char __user *user_buf,
 123                                size_t count, loff_t *ppos)
 124{
 125        struct hci_dev *hdev = file->private_data;
 126        char buf[3];
 127
 128        buf[0] = hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) ? 'Y' : 'N';
 129        buf[1] = '\n';
 130        buf[2] = '\0';
 131        return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
 132}
 133
 134static ssize_t vendor_diag_write(struct file *file, const char __user *user_buf,
 135                                 size_t count, loff_t *ppos)
 136{
 137        struct hci_dev *hdev = file->private_data;
 138        char buf[32];
 139        size_t buf_size = min(count, (sizeof(buf)-1));
 140        bool enable;
 141        int err;
 142
 143        if (copy_from_user(buf, user_buf, buf_size))
 144                return -EFAULT;
 145
 146        buf[buf_size] = '\0';
 147        if (strtobool(buf, &enable))
 148                return -EINVAL;
 149
 150        /* When the diagnostic flags are not persistent and the transport
 151         * is not active, then there is no need for the vendor callback.
 152         *
 153         * Instead just store the desired value. If needed the setting
 154         * will be programmed when the controller gets powered on.
 155         */
 156        if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
 157            !test_bit(HCI_RUNNING, &hdev->flags))
 158                goto done;
 159
 160        hci_req_sync_lock(hdev);
 161        err = hdev->set_diag(hdev, enable);
 162        hci_req_sync_unlock(hdev);
 163
 164        if (err < 0)
 165                return err;
 166
 167done:
 168        if (enable)
 169                hci_dev_set_flag(hdev, HCI_VENDOR_DIAG);
 170        else
 171                hci_dev_clear_flag(hdev, HCI_VENDOR_DIAG);
 172
 173        return count;
 174}
 175
 176static const struct file_operations vendor_diag_fops = {
 177        .open           = simple_open,
 178        .read           = vendor_diag_read,
 179        .write          = vendor_diag_write,
 180        .llseek         = default_llseek,
 181};
 182
 183static void hci_debugfs_create_basic(struct hci_dev *hdev)
 184{
 185        debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
 186                            &dut_mode_fops);
 187
 188        if (hdev->set_diag)
 189                debugfs_create_file("vendor_diag", 0644, hdev->debugfs, hdev,
 190                                    &vendor_diag_fops);
 191}
 192
 193static int hci_reset_req(struct hci_request *req, unsigned long opt)
 194{
 195        BT_DBG("%s %ld", req->hdev->name, opt);
 196
 197        /* Reset device */
 198        set_bit(HCI_RESET, &req->hdev->flags);
 199        hci_req_add(req, HCI_OP_RESET, 0, NULL);
 200        return 0;
 201}
 202
 203static void bredr_init(struct hci_request *req)
 204{
 205        req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
 206
 207        /* Read Local Supported Features */
 208        hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
 209
 210        /* Read Local Version */
 211        hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
 212
 213        /* Read BD Address */
 214        hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
 215}
 216
 217static void amp_init1(struct hci_request *req)
 218{
 219        req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
 220
 221        /* Read Local Version */
 222        hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
 223
 224        /* Read Local Supported Commands */
 225        hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
 226
 227        /* Read Local AMP Info */
 228        hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
 229
 230        /* Read Data Blk size */
 231        hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
 232
 233        /* Read Flow Control Mode */
 234        hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
 235
 236        /* Read Location Data */
 237        hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
 238}
 239
 240static int amp_init2(struct hci_request *req)
 241{
 242        /* Read Local Supported Features. Not all AMP controllers
 243         * support this so it's placed conditionally in the second
 244         * stage init.
 245         */
 246        if (req->hdev->commands[14] & 0x20)
 247                hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
 248
 249        return 0;
 250}
 251
 252static int hci_init1_req(struct hci_request *req, unsigned long opt)
 253{
 254        struct hci_dev *hdev = req->hdev;
 255
 256        BT_DBG("%s %ld", hdev->name, opt);
 257
 258        /* Reset */
 259        if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
 260                hci_reset_req(req, 0);
 261
 262        switch (hdev->dev_type) {
 263        case HCI_BREDR:
 264                bredr_init(req);
 265                break;
 266
 267        case HCI_AMP:
 268                amp_init1(req);
 269                break;
 270
 271        default:
 272                BT_ERR("Unknown device type %d", hdev->dev_type);
 273                break;
 274        }
 275
 276        return 0;
 277}
 278
 279static void bredr_setup(struct hci_request *req)
 280{
 281        __le16 param;
 282        __u8 flt_type;
 283
 284        /* Read Buffer Size (ACL mtu, max pkt, etc.) */
 285        hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
 286
 287        /* Read Class of Device */
 288        hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
 289
 290        /* Read Local Name */
 291        hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
 292
 293        /* Read Voice Setting */
 294        hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
 295
 296        /* Read Number of Supported IAC */
 297        hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
 298
 299        /* Read Current IAC LAP */
 300        hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
 301
 302        /* Clear Event Filters */
 303        flt_type = HCI_FLT_CLEAR_ALL;
 304        hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
 305
 306        /* Connection accept timeout ~20 secs */
 307        param = cpu_to_le16(0x7d00);
 308        hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
 309}
 310
 311static void le_setup(struct hci_request *req)
 312{
 313        struct hci_dev *hdev = req->hdev;
 314
 315        /* Read LE Buffer Size */
 316        hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
 317
 318        /* Read LE Local Supported Features */
 319        hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
 320
 321        /* Read LE Supported States */
 322        hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
 323
 324        /* LE-only controllers have LE implicitly enabled */
 325        if (!lmp_bredr_capable(hdev))
 326                hci_dev_set_flag(hdev, HCI_LE_ENABLED);
 327}
 328
 329static void hci_setup_event_mask(struct hci_request *req)
 330{
 331        struct hci_dev *hdev = req->hdev;
 332
 333        /* The second byte is 0xff instead of 0x9f (two reserved bits
 334         * disabled) since a Broadcom 1.2 dongle doesn't respond to the
 335         * command otherwise.
 336         */
 337        u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
 338
 339        /* CSR 1.1 dongles does not accept any bitfield so don't try to set
 340         * any event mask for pre 1.2 devices.
 341         */
 342        if (hdev->hci_ver < BLUETOOTH_VER_1_2)
 343                return;
 344
 345        if (lmp_bredr_capable(hdev)) {
 346                events[4] |= 0x01; /* Flow Specification Complete */
 347        } else {
 348                /* Use a different default for LE-only devices */
 349                memset(events, 0, sizeof(events));
 350                events[1] |= 0x20; /* Command Complete */
 351                events[1] |= 0x40; /* Command Status */
 352                events[1] |= 0x80; /* Hardware Error */
 353
 354                /* If the controller supports the Disconnect command, enable
 355                 * the corresponding event. In addition enable packet flow
 356                 * control related events.
 357                 */
 358                if (hdev->commands[0] & 0x20) {
 359                        events[0] |= 0x10; /* Disconnection Complete */
 360                        events[2] |= 0x04; /* Number of Completed Packets */
 361                        events[3] |= 0x02; /* Data Buffer Overflow */
 362                }
 363
 364                /* If the controller supports the Read Remote Version
 365                 * Information command, enable the corresponding event.
 366                 */
 367                if (hdev->commands[2] & 0x80)
 368                        events[1] |= 0x08; /* Read Remote Version Information
 369                                            * Complete
 370                                            */
 371
 372                if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
 373                        events[0] |= 0x80; /* Encryption Change */
 374                        events[5] |= 0x80; /* Encryption Key Refresh Complete */
 375                }
 376        }
 377
 378        if (lmp_inq_rssi_capable(hdev) ||
 379            test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks))
 380                events[4] |= 0x02; /* Inquiry Result with RSSI */
 381
 382        if (lmp_ext_feat_capable(hdev))
 383                events[4] |= 0x04; /* Read Remote Extended Features Complete */
 384
 385        if (lmp_esco_capable(hdev)) {
 386                events[5] |= 0x08; /* Synchronous Connection Complete */
 387                events[5] |= 0x10; /* Synchronous Connection Changed */
 388        }
 389
 390        if (lmp_sniffsubr_capable(hdev))
 391                events[5] |= 0x20; /* Sniff Subrating */
 392
 393        if (lmp_pause_enc_capable(hdev))
 394                events[5] |= 0x80; /* Encryption Key Refresh Complete */
 395
 396        if (lmp_ext_inq_capable(hdev))
 397                events[5] |= 0x40; /* Extended Inquiry Result */
 398
 399        if (lmp_no_flush_capable(hdev))
 400                events[7] |= 0x01; /* Enhanced Flush Complete */
 401
 402        if (lmp_lsto_capable(hdev))
 403                events[6] |= 0x80; /* Link Supervision Timeout Changed */
 404
 405        if (lmp_ssp_capable(hdev)) {
 406                events[6] |= 0x01;      /* IO Capability Request */
 407                events[6] |= 0x02;      /* IO Capability Response */
 408                events[6] |= 0x04;      /* User Confirmation Request */
 409                events[6] |= 0x08;      /* User Passkey Request */
 410                events[6] |= 0x10;      /* Remote OOB Data Request */
 411                events[6] |= 0x20;      /* Simple Pairing Complete */
 412                events[7] |= 0x04;      /* User Passkey Notification */
 413                events[7] |= 0x08;      /* Keypress Notification */
 414                events[7] |= 0x10;      /* Remote Host Supported
 415                                         * Features Notification
 416                                         */
 417        }
 418
 419        if (lmp_le_capable(hdev))
 420                events[7] |= 0x20;      /* LE Meta-Event */
 421
 422        hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
 423}
 424
 425static int hci_init2_req(struct hci_request *req, unsigned long opt)
 426{
 427        struct hci_dev *hdev = req->hdev;
 428
 429        if (hdev->dev_type == HCI_AMP)
 430                return amp_init2(req);
 431
 432        if (lmp_bredr_capable(hdev))
 433                bredr_setup(req);
 434        else
 435                hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
 436
 437        if (lmp_le_capable(hdev))
 438                le_setup(req);
 439
 440        /* All Bluetooth 1.2 and later controllers should support the
 441         * HCI command for reading the local supported commands.
 442         *
 443         * Unfortunately some controllers indicate Bluetooth 1.2 support,
 444         * but do not have support for this command. If that is the case,
 445         * the driver can quirk the behavior and skip reading the local
 446         * supported commands.
 447         */
 448        if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
 449            !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
 450                hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
 451
 452        if (lmp_ssp_capable(hdev)) {
 453                /* When SSP is available, then the host features page
 454                 * should also be available as well. However some
 455                 * controllers list the max_page as 0 as long as SSP
 456                 * has not been enabled. To achieve proper debugging
 457                 * output, force the minimum max_page to 1 at least.
 458                 */
 459                hdev->max_page = 0x01;
 460
 461                if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
 462                        u8 mode = 0x01;
 463
 464                        hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
 465                                    sizeof(mode), &mode);
 466                } else {
 467                        struct hci_cp_write_eir cp;
 468
 469                        memset(hdev->eir, 0, sizeof(hdev->eir));
 470                        memset(&cp, 0, sizeof(cp));
 471
 472                        hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
 473                }
 474        }
 475
 476        if (lmp_inq_rssi_capable(hdev) ||
 477            test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
 478                u8 mode;
 479
 480                /* If Extended Inquiry Result events are supported, then
 481                 * they are clearly preferred over Inquiry Result with RSSI
 482                 * events.
 483                 */
 484                mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
 485
 486                hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
 487        }
 488
 489        if (lmp_inq_tx_pwr_capable(hdev))
 490                hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
 491
 492        if (lmp_ext_feat_capable(hdev)) {
 493                struct hci_cp_read_local_ext_features cp;
 494
 495                cp.page = 0x01;
 496                hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
 497                            sizeof(cp), &cp);
 498        }
 499
 500        if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
 501                u8 enable = 1;
 502                hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
 503                            &enable);
 504        }
 505
 506        return 0;
 507}
 508
 509static void hci_setup_link_policy(struct hci_request *req)
 510{
 511        struct hci_dev *hdev = req->hdev;
 512        struct hci_cp_write_def_link_policy cp;
 513        u16 link_policy = 0;
 514
 515        if (lmp_rswitch_capable(hdev))
 516                link_policy |= HCI_LP_RSWITCH;
 517        if (lmp_hold_capable(hdev))
 518                link_policy |= HCI_LP_HOLD;
 519        if (lmp_sniff_capable(hdev))
 520                link_policy |= HCI_LP_SNIFF;
 521        if (lmp_park_capable(hdev))
 522                link_policy |= HCI_LP_PARK;
 523
 524        cp.policy = cpu_to_le16(link_policy);
 525        hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
 526}
 527
 528static void hci_set_le_support(struct hci_request *req)
 529{
 530        struct hci_dev *hdev = req->hdev;
 531        struct hci_cp_write_le_host_supported cp;
 532
 533        /* LE-only devices do not support explicit enablement */
 534        if (!lmp_bredr_capable(hdev))
 535                return;
 536
 537        memset(&cp, 0, sizeof(cp));
 538
 539        if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
 540                cp.le = 0x01;
 541                cp.simul = 0x00;
 542        }
 543
 544        if (cp.le != lmp_host_le_capable(hdev))
 545                hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
 546                            &cp);
 547}
 548
 549static void hci_set_event_mask_page_2(struct hci_request *req)
 550{
 551        struct hci_dev *hdev = req->hdev;
 552        u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 553
 554        /* If Connectionless Slave Broadcast master role is supported
 555         * enable all necessary events for it.
 556         */
 557        if (lmp_csb_master_capable(hdev)) {
 558                events[1] |= 0x40;      /* Triggered Clock Capture */
 559                events[1] |= 0x80;      /* Synchronization Train Complete */
 560                events[2] |= 0x10;      /* Slave Page Response Timeout */
 561                events[2] |= 0x20;      /* CSB Channel Map Change */
 562        }
 563
 564        /* If Connectionless Slave Broadcast slave role is supported
 565         * enable all necessary events for it.
 566         */
 567        if (lmp_csb_slave_capable(hdev)) {
 568                events[2] |= 0x01;      /* Synchronization Train Received */
 569                events[2] |= 0x02;      /* CSB Receive */
 570                events[2] |= 0x04;      /* CSB Timeout */
 571                events[2] |= 0x08;      /* Truncated Page Complete */
 572        }
 573
 574        /* Enable Authenticated Payload Timeout Expired event if supported */
 575        if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
 576                events[2] |= 0x80;
 577
 578        hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
 579}
 580
 581static int hci_init3_req(struct hci_request *req, unsigned long opt)
 582{
 583        struct hci_dev *hdev = req->hdev;
 584        u8 p;
 585
 586        hci_setup_event_mask(req);
 587
 588        if (hdev->commands[6] & 0x20 &&
 589            !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
 590                struct hci_cp_read_stored_link_key cp;
 591
 592                bacpy(&cp.bdaddr, BDADDR_ANY);
 593                cp.read_all = 0x01;
 594                hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
 595        }
 596
 597        if (hdev->commands[5] & 0x10)
 598                hci_setup_link_policy(req);
 599
 600        if (hdev->commands[8] & 0x01)
 601                hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
 602
 603        /* Some older Broadcom based Bluetooth 1.2 controllers do not
 604         * support the Read Page Scan Type command. Check support for
 605         * this command in the bit mask of supported commands.
 606         */
 607        if (hdev->commands[13] & 0x01)
 608                hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
 609
 610        if (lmp_le_capable(hdev)) {
 611                u8 events[8];
 612
 613                memset(events, 0, sizeof(events));
 614
 615                if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
 616                        events[0] |= 0x10;      /* LE Long Term Key Request */
 617
 618                /* If controller supports the Connection Parameters Request
 619                 * Link Layer Procedure, enable the corresponding event.
 620                 */
 621                if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
 622                        events[0] |= 0x20;      /* LE Remote Connection
 623                                                 * Parameter Request
 624                                                 */
 625
 626                /* If the controller supports the Data Length Extension
 627                 * feature, enable the corresponding event.
 628                 */
 629                if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
 630                        events[0] |= 0x40;      /* LE Data Length Change */
 631
 632                /* If the controller supports Extended Scanner Filter
 633                 * Policies, enable the correspondig event.
 634                 */
 635                if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
 636                        events[1] |= 0x04;      /* LE Direct Advertising
 637                                                 * Report
 638                                                 */
 639
 640                /* If the controller supports the LE Set Scan Enable command,
 641                 * enable the corresponding advertising report event.
 642                 */
 643                if (hdev->commands[26] & 0x08)
 644                        events[0] |= 0x02;      /* LE Advertising Report */
 645
 646                /* If the controller supports the LE Create Connection
 647                 * command, enable the corresponding event.
 648                 */
 649                if (hdev->commands[26] & 0x10)
 650                        events[0] |= 0x01;      /* LE Connection Complete */
 651
 652                /* If the controller supports the LE Connection Update
 653                 * command, enable the corresponding event.
 654                 */
 655                if (hdev->commands[27] & 0x04)
 656                        events[0] |= 0x04;      /* LE Connection Update
 657                                                 * Complete
 658                                                 */
 659
 660                /* If the controller supports the LE Read Remote Used Features
 661                 * command, enable the corresponding event.
 662                 */
 663                if (hdev->commands[27] & 0x20)
 664                        events[0] |= 0x08;      /* LE Read Remote Used
 665                                                 * Features Complete
 666                                                 */
 667
 668                /* If the controller supports the LE Read Local P-256
 669                 * Public Key command, enable the corresponding event.
 670                 */
 671                if (hdev->commands[34] & 0x02)
 672                        events[0] |= 0x80;      /* LE Read Local P-256
 673                                                 * Public Key Complete
 674                                                 */
 675
 676                /* If the controller supports the LE Generate DHKey
 677                 * command, enable the corresponding event.
 678                 */
 679                if (hdev->commands[34] & 0x04)
 680                        events[1] |= 0x01;      /* LE Generate DHKey Complete */
 681
 682                hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
 683                            events);
 684
 685                if (hdev->commands[25] & 0x40) {
 686                        /* Read LE Advertising Channel TX Power */
 687                        hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
 688                }
 689
 690                if (hdev->commands[26] & 0x40) {
 691                        /* Read LE White List Size */
 692                        hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE,
 693                                    0, NULL);
 694                }
 695
 696                if (hdev->commands[26] & 0x80) {
 697                        /* Clear LE White List */
 698                        hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
 699                }
 700
 701                if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
 702                        /* Read LE Maximum Data Length */
 703                        hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
 704
 705                        /* Read LE Suggested Default Data Length */
 706                        hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
 707                }
 708
 709                hci_set_le_support(req);
 710        }
 711
 712        /* Read features beyond page 1 if available */
 713        for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
 714                struct hci_cp_read_local_ext_features cp;
 715
 716                cp.page = p;
 717                hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
 718                            sizeof(cp), &cp);
 719        }
 720
 721        return 0;
 722}
 723
 724static int hci_init4_req(struct hci_request *req, unsigned long opt)
 725{
 726        struct hci_dev *hdev = req->hdev;
 727
 728        /* Some Broadcom based Bluetooth controllers do not support the
 729         * Delete Stored Link Key command. They are clearly indicating its
 730         * absence in the bit mask of supported commands.
 731         *
 732         * Check the supported commands and only if the the command is marked
 733         * as supported send it. If not supported assume that the controller
 734         * does not have actual support for stored link keys which makes this
 735         * command redundant anyway.
 736         *
 737         * Some controllers indicate that they support handling deleting
 738         * stored link keys, but they don't. The quirk lets a driver
 739         * just disable this command.
 740         */
 741        if (hdev->commands[6] & 0x80 &&
 742            !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
 743                struct hci_cp_delete_stored_link_key cp;
 744
 745                bacpy(&cp.bdaddr, BDADDR_ANY);
 746                cp.delete_all = 0x01;
 747                hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
 748                            sizeof(cp), &cp);
 749        }
 750
 751        /* Set event mask page 2 if the HCI command for it is supported */
 752        if (hdev->commands[22] & 0x04)
 753                hci_set_event_mask_page_2(req);
 754
 755        /* Read local codec list if the HCI command is supported */
 756        if (hdev->commands[29] & 0x20)
 757                hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
 758
 759        /* Get MWS transport configuration if the HCI command is supported */
 760        if (hdev->commands[30] & 0x08)
 761                hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
 762
 763        /* Check for Synchronization Train support */
 764        if (lmp_sync_train_capable(hdev))
 765                hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
 766
 767        /* Enable Secure Connections if supported and configured */
 768        if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&
 769            bredr_sc_enabled(hdev)) {
 770                u8 support = 0x01;
 771
 772                hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
 773                            sizeof(support), &support);
 774        }
 775
 776        return 0;
 777}
 778
 779static int __hci_init(struct hci_dev *hdev)
 780{
 781        int err;
 782
 783        err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT, NULL);
 784        if (err < 0)
 785                return err;
 786
 787        if (hci_dev_test_flag(hdev, HCI_SETUP))
 788                hci_debugfs_create_basic(hdev);
 789
 790        err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT, NULL);
 791        if (err < 0)
 792                return err;
 793
 794        /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
 795         * BR/EDR/LE type controllers. AMP controllers only need the
 796         * first two stages of init.
 797         */
 798        if (hdev->dev_type != HCI_BREDR)
 799                return 0;
 800
 801        err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT, NULL);
 802        if (err < 0)
 803                return err;
 804
 805        err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT, NULL);
 806        if (err < 0)
 807                return err;
 808
 809        /* This function is only called when the controller is actually in
 810         * configured state. When the controller is marked as unconfigured,
 811         * this initialization procedure is not run.
 812         *
 813         * It means that it is possible that a controller runs through its
 814         * setup phase and then discovers missing settings. If that is the
 815         * case, then this function will not be called. It then will only
 816         * be called during the config phase.
 817         *
 818         * So only when in setup phase or config phase, create the debugfs
 819         * entries and register the SMP channels.
 820         */
 821        if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
 822            !hci_dev_test_flag(hdev, HCI_CONFIG))
 823                return 0;
 824
 825        hci_debugfs_create_common(hdev);
 826
 827        if (lmp_bredr_capable(hdev))
 828                hci_debugfs_create_bredr(hdev);
 829
 830        if (lmp_le_capable(hdev))
 831                hci_debugfs_create_le(hdev);
 832
 833        return 0;
 834}
 835
 836static int hci_init0_req(struct hci_request *req, unsigned long opt)
 837{
 838        struct hci_dev *hdev = req->hdev;
 839
 840        BT_DBG("%s %ld", hdev->name, opt);
 841
 842        /* Reset */
 843        if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
 844                hci_reset_req(req, 0);
 845
 846        /* Read Local Version */
 847        hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
 848
 849        /* Read BD Address */
 850        if (hdev->set_bdaddr)
 851                hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
 852
 853        return 0;
 854}
 855
 856static int __hci_unconf_init(struct hci_dev *hdev)
 857{
 858        int err;
 859
 860        if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
 861                return 0;
 862
 863        err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT, NULL);
 864        if (err < 0)
 865                return err;
 866
 867        if (hci_dev_test_flag(hdev, HCI_SETUP))
 868                hci_debugfs_create_basic(hdev);
 869
 870        return 0;
 871}
 872
 873static int hci_scan_req(struct hci_request *req, unsigned long opt)
 874{
 875        __u8 scan = opt;
 876
 877        BT_DBG("%s %x", req->hdev->name, scan);
 878
 879        /* Inquiry and Page scans */
 880        hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
 881        return 0;
 882}
 883
 884static int hci_auth_req(struct hci_request *req, unsigned long opt)
 885{
 886        __u8 auth = opt;
 887
 888        BT_DBG("%s %x", req->hdev->name, auth);
 889
 890        /* Authentication */
 891        hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
 892        return 0;
 893}
 894
 895static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
 896{
 897        __u8 encrypt = opt;
 898
 899        BT_DBG("%s %x", req->hdev->name, encrypt);
 900
 901        /* Encryption */
 902        hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
 903        return 0;
 904}
 905
 906static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
 907{
 908        __le16 policy = cpu_to_le16(opt);
 909
 910        BT_DBG("%s %x", req->hdev->name, policy);
 911
 912        /* Default link policy */
 913        hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
 914        return 0;
 915}
 916
 917/* Get HCI device by index.
 918 * Device is held on return. */
 919struct hci_dev *hci_dev_get(int index)
 920{
 921        struct hci_dev *hdev = NULL, *d;
 922
 923        BT_DBG("%d", index);
 924
 925        if (index < 0)
 926                return NULL;
 927
 928        read_lock(&hci_dev_list_lock);
 929        list_for_each_entry(d, &hci_dev_list, list) {
 930                if (d->id == index) {
 931                        hdev = hci_dev_hold(d);
 932                        break;
 933                }
 934        }
 935        read_unlock(&hci_dev_list_lock);
 936        return hdev;
 937}
 938
 939/* ---- Inquiry support ---- */
 940
 941bool hci_discovery_active(struct hci_dev *hdev)
 942{
 943        struct discovery_state *discov = &hdev->discovery;
 944
 945        switch (discov->state) {
 946        case DISCOVERY_FINDING:
 947        case DISCOVERY_RESOLVING:
 948                return true;
 949
 950        default:
 951                return false;
 952        }
 953}
 954
 955void hci_discovery_set_state(struct hci_dev *hdev, int state)
 956{
 957        int old_state = hdev->discovery.state;
 958
 959        BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
 960
 961        if (old_state == state)
 962                return;
 963
 964        hdev->discovery.state = state;
 965
 966        switch (state) {
 967        case DISCOVERY_STOPPED:
 968                hci_update_background_scan(hdev);
 969
 970                if (old_state != DISCOVERY_STARTING)
 971                        mgmt_discovering(hdev, 0);
 972                break;
 973        case DISCOVERY_STARTING:
 974                break;
 975        case DISCOVERY_FINDING:
 976                mgmt_discovering(hdev, 1);
 977                break;
 978        case DISCOVERY_RESOLVING:
 979                break;
 980        case DISCOVERY_STOPPING:
 981                break;
 982        }
 983}
 984
 985void hci_inquiry_cache_flush(struct hci_dev *hdev)
 986{
 987        struct discovery_state *cache = &hdev->discovery;
 988        struct inquiry_entry *p, *n;
 989
 990        list_for_each_entry_safe(p, n, &cache->all, all) {
 991                list_del(&p->all);
 992                kfree(p);
 993        }
 994
 995        INIT_LIST_HEAD(&cache->unknown);
 996        INIT_LIST_HEAD(&cache->resolve);
 997}
 998
 999struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1000                                               bdaddr_t *bdaddr)

1001{
1002        struct discovery_state *cache = &hdev->discovery;
1003        struct inquiry_entry *e;
1004
1005        BT_DBG("cache %p, %pMR", cache, bdaddr);
1006
1007        list_for_each_entry(e, &cache->all, all) {
1008                if (!bacmp(&e->data.bdaddr, bdaddr))
1009                        return e;
1010        }
1011
1012        return NULL;
1013}
1014
1015struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1016                                                       bdaddr_t *bdaddr)
1017{
1018        struct discovery_state *cache = &hdev->discovery;
1019        struct inquiry_entry *e;
1020
1021        BT_DBG("cache %p, %pMR", cache, bdaddr);
1022
1023        list_for_each_entry(e, &cache->unknown, list) {
1024                if (!bacmp(&e->data.bdaddr, bdaddr))
1025                        return e;
1026        }
1027
1028        return NULL;
1029}
1030
1031struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1032                                                       bdaddr_t *bdaddr,
1033                                                       int state)
1034{
1035        struct discovery_state *cache = &hdev->discovery;
1036        struct inquiry_entry *e;
1037
1038        BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1039
1040        list_for_each_entry(e, &cache->resolve, list) {
1041                if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1042                        return e;
1043                if (!bacmp(&e->data.bdaddr, bdaddr))
1044                        return e;
1045        }
1046
1047        return NULL;
1048}
1049
1050void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1051                                      struct inquiry_entry *ie)
1052{
1053        struct discovery_state *cache = &hdev->discovery;
1054        struct list_head *pos = &cache->resolve;
1055        struct inquiry_entry *p;
1056
1057        list_del(&ie->list);
1058
1059        list_for_each_entry(p, &cache->resolve, list) {
1060                if (p->name_state != NAME_PENDING &&
1061                    abs(p->data.rssi) >= abs(ie->data.rssi))
1062                        break;
1063                pos = &p->list;
1064        }
1065
1066        list_add(&ie->list, pos);
1067}
1068
1069u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1070                             bool name_known)
1071{
1072        struct discovery_state *cache = &hdev->discovery;
1073        struct inquiry_entry *ie;
1074        u32 flags = 0;
1075
1076        BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1077
1078        hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1079
1080        if (!data->ssp_mode)
1081                flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1082
1083        ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1084        if (ie) {
1085                if (!ie->data.ssp_mode)
1086                        flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1087
1088                if (ie->name_state == NAME_NEEDED &&
1089                    data->rssi != ie->data.rssi) {
1090                        ie->data.rssi = data->rssi;
1091                        hci_inquiry_cache_update_resolve(hdev, ie);
1092                }
1093
1094                goto update;
1095        }
1096
1097        /* Entry not in the cache. Add new one. */
1098        ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1099        if (!ie) {
1100                flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1101                goto done;
1102        }
1103
1104        list_add(&ie->all, &cache->all);
1105
1106        if (name_known) {
1107                ie->name_state = NAME_KNOWN;
1108        } else {
1109                ie->name_state = NAME_NOT_KNOWN;
1110                list_add(&ie->list, &cache->unknown);
1111        }
1112
1113update:
1114        if (name_known && ie->name_state != NAME_KNOWN &&
1115            ie->name_state != NAME_PENDING) {
1116                ie->name_state = NAME_KNOWN;
1117                list_del(&ie->list);
1118        }
1119
1120        memcpy(&ie->data, data, sizeof(*data));
1121        ie->timestamp = jiffies;
1122        cache->timestamp = jiffies;
1123
1124        if (ie->name_state == NAME_NOT_KNOWN)
1125                flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1126
1127done:
1128        return flags;
1129}
1130
1131static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1132{
1133        struct discovery_state *cache = &hdev->discovery;
1134        struct inquiry_info *info = (struct inquiry_info *) buf;
1135        struct inquiry_entry *e;
1136        int copied = 0;
1137
1138        list_for_each_entry(e, &cache->all, all) {
1139                struct inquiry_data *data = &e->data;
1140
1141                if (copied >= num)
1142                        break;
1143
1144                bacpy(&info->bdaddr, &data->bdaddr);
1145                info->pscan_rep_mode    = data->pscan_rep_mode;
1146                info->pscan_period_mode = data->pscan_period_mode;
1147                info->pscan_mode        = data->pscan_mode;
1148                memcpy(info->dev_class, data->dev_class, 3);
1149                info->clock_offset      = data->clock_offset;
1150
1151                info++;
1152                copied++;
1153        }
1154
1155        BT_DBG("cache %p, copied %d", cache, copied);
1156        return copied;
1157}
1158
1159static int hci_inq_req(struct hci_request *req, unsigned long opt)
1160{
1161        struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1162        struct hci_dev *hdev = req->hdev;
1163        struct hci_cp_inquiry cp;
1164
1165        BT_DBG("%s", hdev->name);
1166
1167        if (test_bit(HCI_INQUIRY, &hdev->flags))
1168                return 0;
1169
1170        /* Start Inquiry */
1171        memcpy(&cp.lap, &ir->lap, 3);
1172        cp.length  = ir->length;
1173        cp.num_rsp = ir->num_rsp;
1174        hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1175
1176        return 0;
1177}
1178
1179int hci_inquiry(void __user *arg)
1180{
1181        __u8 __user *ptr = arg;
1182        struct hci_inquiry_req ir;
1183        struct hci_dev *hdev;
1184        int err = 0, do_inquiry = 0, max_rsp;
1185        long timeo;
1186        __u8 *buf;
1187
1188        if (copy_from_user(&ir, ptr, sizeof(ir)))
1189                return -EFAULT;
1190
1191        hdev = hci_dev_get(ir.dev_id);
1192        if (!hdev)
1193                return -ENODEV;
1194
1195        if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1196                err = -EBUSY;
1197                goto done;
1198        }
1199
1200        if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1201                err = -EOPNOTSUPP;
1202                goto done;
1203        }
1204
1205        if (hdev->dev_type != HCI_BREDR) {
1206                err = -EOPNOTSUPP;
1207                goto done;
1208        }
1209
1210        if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1211                err = -EOPNOTSUPP;
1212                goto done;
1213        }
1214
1215        hci_dev_lock(hdev);
1216        if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1217            inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1218                hci_inquiry_cache_flush(hdev);
1219                do_inquiry = 1;
1220        }
1221        hci_dev_unlock(hdev);
1222
1223        timeo = ir.length * msecs_to_jiffies(2000);
1224
1225        if (do_inquiry) {
1226                err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1227                                   timeo, NULL);
1228                if (err < 0)
1229                        goto done;
1230
1231                /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1232                 * cleared). If it is interrupted by a signal, return -EINTR.
1233                 */
1234                if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1235                                TASK_INTERRUPTIBLE))
1236                        return -EINTR;
1237        }
1238
1239        /* for unlimited number of responses we will use buffer with
1240         * 255 entries
1241         */
1242        max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1243
1244        /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1245         * copy it to the user space.
1246         */
1247        buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1248        if (!buf) {
1249                err = -ENOMEM;
1250                goto done;
1251        }
1252
1253        hci_dev_lock(hdev);
1254        ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1255        hci_dev_unlock(hdev);
1256
1257        BT_DBG("num_rsp %d", ir.num_rsp);
1258
1259        if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1260                ptr += sizeof(ir);
1261                if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1262                                 ir.num_rsp))
1263                        err = -EFAULT;
1264        } else
1265                err = -EFAULT;
1266
1267        kfree(buf);
1268
1269done:
1270        hci_dev_put(hdev);
1271        return err;
1272}
1273
1274static int hci_dev_do_open(struct hci_dev *hdev)
1275{
1276        int ret = 0;
1277
1278        BT_DBG("%s %p", hdev->name, hdev);
1279
1280        hci_req_sync_lock(hdev);
1281
1282        if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1283                ret = -ENODEV;
1284                goto done;
1285        }
1286
1287        if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1288            !hci_dev_test_flag(hdev, HCI_CONFIG)) {
1289                /* Check for rfkill but allow the HCI setup stage to
1290                 * proceed (which in itself doesn't cause any RF activity).
1291                 */
1292                if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
1293                        ret = -ERFKILL;
1294                        goto done;
1295                }
1296
1297                /* Check for valid public address or a configured static
1298                 * random adddress, but let the HCI setup proceed to
1299                 * be able to determine if there is a public address
1300                 * or not.
1301                 *
1302                 * In case of user channel usage, it is not important
1303                 * if a public address or static random address is
1304                 * available.
1305                 *
1306                 * This check is only valid for BR/EDR controllers
1307                 * since AMP controllers do not have an address.
1308                 */
1309                if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1310                    hdev->dev_type == HCI_BREDR &&
1311                    !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1312                    !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1313                        ret = -EADDRNOTAVAIL;
1314                        goto done;
1315                }
1316        }
1317
1318        if (test_bit(HCI_UP, &hdev->flags)) {
1319                ret = -EALREADY;
1320                goto done;
1321        }
1322
1323        if (hdev->open(hdev)) {
1324                ret = -EIO;
1325                goto done;
1326        }
1327
1328        set_bit(HCI_RUNNING, &hdev->flags);
1329        hci_sock_dev_event(hdev, HCI_DEV_OPEN);
1330
1331        atomic_set(&hdev->cmd_cnt, 1);
1332        set_bit(HCI_INIT, &hdev->flags);
1333
1334        if (hci_dev_test_flag(hdev, HCI_SETUP)) {
1335                hci_sock_dev_event(hdev, HCI_DEV_SETUP);
1336
1337                if (hdev->setup)
1338                        ret = hdev->setup(hdev);
1339
1340                /* The transport driver can set these quirks before
1341                 * creating the HCI device or in its setup callback.
1342                 *
1343                 * In case any of them is set, the controller has to
1344                 * start up as unconfigured.
1345                 */
1346                if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1347                    test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks))
1348                        hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
1349
1350                /* For an unconfigured controller it is required to
1351                 * read at least the version information provided by
1352                 * the Read Local Version Information command.
1353                 *
1354                 * If the set_bdaddr driver callback is provided, then
1355                 * also the original Bluetooth public device address
1356                 * will be read using the Read BD Address command.
1357                 */
1358                if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1359                        ret = __hci_unconf_init(hdev);
1360        }
1361
1362        if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
1363                /* If public address change is configured, ensure that
1364                 * the address gets programmed. If the driver does not
1365                 * support changing the public address, fail the power
1366                 * on procedure.
1367                 */
1368                if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1369                    hdev->set_bdaddr)
1370                        ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1371                else
1372                        ret = -EADDRNOTAVAIL;
1373        }
1374
1375        if (!ret) {
1376                if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1377                    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1378                        ret = __hci_init(hdev);
1379                        if (!ret && hdev->post_init)
1380                                ret = hdev->post_init(hdev);
1381                }
1382        }
1383
1384        /* If the HCI Reset command is clearing all diagnostic settings,
1385         * then they need to be reprogrammed after the init procedure
1386         * completed.
1387         */
1388        if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
1389            hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
1390                ret = hdev->set_diag(hdev, true);
1391
1392        clear_bit(HCI_INIT, &hdev->flags);
1393
1394        if (!ret) {
1395                hci_dev_hold(hdev);
1396                hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1397                set_bit(HCI_UP, &hdev->flags);
1398                hci_sock_dev_event(hdev, HCI_DEV_UP);
1399                hci_leds_update_powered(hdev, true);
1400                if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1401                    !hci_dev_test_flag(hdev, HCI_CONFIG) &&
1402                    !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1403                    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1404                    hci_dev_test_flag(hdev, HCI_MGMT) &&
1405                    hdev->dev_type == HCI_BREDR) {
1406                        ret = __hci_req_hci_power_on(hdev);
1407                        mgmt_power_on(hdev, ret);
1408                }
1409        } else {
1410                /* Init failed, cleanup */
1411                flush_work(&hdev->tx_work);
1412                flush_work(&hdev->cmd_work);
1413                flush_work(&hdev->rx_work);
1414
1415                skb_queue_purge(&hdev->cmd_q);
1416                skb_queue_purge(&hdev->rx_q);
1417
1418                if (hdev->flush)
1419                        hdev->flush(hdev);
1420
1421                if (hdev->sent_cmd) {
1422                        kfree_skb(hdev->sent_cmd);
1423                        hdev->sent_cmd = NULL;
1424                }
1425
1426                clear_bit(HCI_RUNNING, &hdev->flags);
1427                hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1428
1429                hdev->close(hdev);
1430                hdev->flags &= BIT(HCI_RAW);
1431        }
1432
1433done:
1434        hci_req_sync_unlock(hdev);
1435        return ret;
1436}
1437
1438/* ---- HCI ioctl helpers ---- */
1439
1440int hci_dev_open(__u16 dev)
1441{
1442        struct hci_dev *hdev;
1443        int err;
1444
1445        hdev = hci_dev_get(dev);
1446        if (!hdev)
1447                return -ENODEV;
1448
1449        /* Devices that are marked as unconfigured can only be powered
1450         * up as user channel. Trying to bring them up as normal devices
1451         * will result into a failure. Only user channel operation is
1452         * possible.
1453         *
1454         * When this function is called for a user channel, the flag
1455         * HCI_USER_CHANNEL will be set first before attempting to
1456         * open the device.
1457         */
1458        if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1459            !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1460                err = -EOPNOTSUPP;
1461                goto done;
1462        }
1463
1464        /* We need to ensure that no other power on/off work is pending
1465         * before proceeding to call hci_dev_do_open. This is
1466         * particularly important if the setup procedure has not yet
1467         * completed.
1468         */
1469        if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1470                cancel_delayed_work(&hdev->power_off);
1471
1472        /* After this call it is guaranteed that the setup procedure
1473         * has finished. This means that error conditions like RFKILL
1474         * or no valid public or static random address apply.
1475         */
1476        flush_workqueue(hdev->req_workqueue);
1477
1478        /* For controllers not using the management interface and that
1479         * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1480         * so that pairing works for them. Once the management interface
1481         * is in use this bit will be cleared again and userspace has
1482         * to explicitly enable it.
1483         */
1484        if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1485            !hci_dev_test_flag(hdev, HCI_MGMT))
1486                hci_dev_set_flag(hdev, HCI_BONDABLE);
1487
1488        err = hci_dev_do_open(hdev);
1489
1490done:
1491        hci_dev_put(hdev);
1492        return err;
1493}
1494
1495/* This function requires the caller holds hdev->lock */
1496static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1497{
1498        struct hci_conn_params *p;
1499
1500        list_for_each_entry(p, &hdev->le_conn_params, list) {
1501                if (p->conn) {
1502                        hci_conn_drop(p->conn);
1503                        hci_conn_put(p->conn);
1504                        p->conn = NULL;
1505                }
1506                list_del_init(&p->action);
1507        }
1508
1509        BT_DBG("All LE pending actions cleared");
1510}
1511
1512int hci_dev_do_close(struct hci_dev *hdev)
1513{
1514        bool auto_off;
1515
1516        BT_DBG("%s %p", hdev->name, hdev);
1517
1518        if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
1519            !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1520            test_bit(HCI_UP, &hdev->flags)) {
1521                /* Execute vendor specific shutdown routine */
1522                if (hdev->shutdown)
1523                        hdev->shutdown(hdev);
1524        }
1525
1526        cancel_delayed_work(&hdev->power_off);
1527
1528        hci_request_cancel_all(hdev);
1529        hci_req_sync_lock(hdev);
1530
1531        if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1532                cancel_delayed_work_sync(&hdev->cmd_timer);
1533                hci_req_sync_unlock(hdev);
1534                return 0;
1535        }
1536
1537        hci_leds_update_powered(hdev, false);
1538
1539        /* Flush RX and TX works */
1540        flush_work(&hdev->tx_work);
1541        flush_work(&hdev->rx_work);
1542
1543        if (hdev->discov_timeout > 0) {
1544                hdev->discov_timeout = 0;
1545                hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1546                hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1547        }
1548
1549        if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1550                cancel_delayed_work(&hdev->service_cache);
1551
1552        if (hci_dev_test_flag(hdev, HCI_MGMT))
1553                cancel_delayed_work_sync(&hdev->rpa_expired);
1554
1555        /* Avoid potential lockdep warnings from the *_flush() calls by
1556         * ensuring the workqueue is empty up front.
1557         */
1558        drain_workqueue(hdev->workqueue);
1559
1560        hci_dev_lock(hdev);
1561
1562        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1563
1564        auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
1565
1566        if (!auto_off && hdev->dev_type == HCI_BREDR &&
1567            hci_dev_test_flag(hdev, HCI_MGMT))
1568                __mgmt_power_off(hdev);
1569
1570        hci_inquiry_cache_flush(hdev);
1571        hci_pend_le_actions_clear(hdev);
1572        hci_conn_hash_flush(hdev);
1573        hci_dev_unlock(hdev);
1574
1575        smp_unregister(hdev);
1576
1577        hci_sock_dev_event(hdev, HCI_DEV_DOWN);
1578
1579        if (hdev->flush)
1580                hdev->flush(hdev);
1581
1582        /* Reset device */
1583        skb_queue_purge(&hdev->cmd_q);
1584        atomic_set(&hdev->cmd_cnt, 1);
1585        if (test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks) &&
1586            !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1587                set_bit(HCI_INIT, &hdev->flags);
1588                __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT, NULL);
1589                clear_bit(HCI_INIT, &hdev->flags);
1590        }
1591
1592        /* flush cmd  work */
1593        flush_work(&hdev->cmd_work);
1594
1595        /* Drop queues */
1596        skb_queue_purge(&hdev->rx_q);
1597        skb_queue_purge(&hdev->cmd_q);
1598        skb_queue_purge(&hdev->raw_q);
1599
1600        /* Drop last sent command */
1601        if (hdev->sent_cmd) {
1602                cancel_delayed_work_sync(&hdev->cmd_timer);
1603                kfree_skb(hdev->sent_cmd);
1604                hdev->sent_cmd = NULL;
1605        }
1606
1607        clear_bit(HCI_RUNNING, &hdev->flags);
1608        hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1609
1610        /* After this point our queues are empty
1611         * and no tasks are scheduled. */
1612        hdev->close(hdev);
1613
1614        /* Clear flags */
1615        hdev->flags &= BIT(HCI_RAW);
1616        hci_dev_clear_volatile_flags(hdev);
1617
1618        /* Controller radio is available but is currently powered down */
1619        hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1620
1621        memset(hdev->eir, 0, sizeof(hdev->eir));
1622        memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1623        bacpy(&hdev->random_addr, BDADDR_ANY);
1624
1625        hci_req_sync_unlock(hdev);
1626
1627        hci_dev_put(hdev);
1628        return 0;
1629}
1630
1631int hci_dev_close(__u16 dev)
1632{
1633        struct hci_dev *hdev;
1634        int err;
1635
1636        hdev = hci_dev_get(dev);
1637        if (!hdev)
1638                return -ENODEV;
1639
1640        if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1641                err = -EBUSY;
1642                goto done;
1643        }
1644
1645        if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1646                cancel_delayed_work(&hdev->power_off);
1647
1648        err = hci_dev_do_close(hdev);
1649
1650done:
1651        hci_dev_put(hdev);
1652        return err;
1653}
1654
1655static int hci_dev_do_reset(struct hci_dev *hdev)
1656{
1657        int ret;
1658
1659        BT_DBG("%s %p", hdev->name, hdev);
1660
1661        hci_req_sync_lock(hdev);
1662
1663        /* Drop queues */
1664        skb_queue_purge(&hdev->rx_q);
1665        skb_queue_purge(&hdev->cmd_q);
1666
1667        /* Avoid potential lockdep warnings from the *_flush() calls by
1668         * ensuring the workqueue is empty up front.
1669         */
1670        drain_workqueue(hdev->workqueue);
1671
1672        hci_dev_lock(hdev);
1673        hci_inquiry_cache_flush(hdev);
1674        hci_conn_hash_flush(hdev);
1675        hci_dev_unlock(hdev);
1676
1677        if (hdev->flush)
1678                hdev->flush(hdev);
1679
1680        atomic_set(&hdev->cmd_cnt, 1);
1681        hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1682
1683        ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT, NULL);
1684
1685        hci_req_sync_unlock(hdev);
1686        return ret;
1687}
1688
1689int hci_dev_reset(__u16 dev)
1690{
1691        struct hci_dev *hdev;
1692        int err;
1693
1694        hdev = hci_dev_get(dev);
1695        if (!hdev)
1696                return -ENODEV;
1697
1698        if (!test_bit(HCI_UP, &hdev->flags)) {
1699                err = -ENETDOWN;
1700                goto done;
1701        }
1702
1703        if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1704                err = -EBUSY;
1705                goto done;
1706        }
1707
1708        if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1709                err = -EOPNOTSUPP;
1710                goto done;
1711        }
1712
1713        err = hci_dev_do_reset(hdev);
1714
1715done:
1716        hci_dev_put(hdev);
1717        return err;
1718}
1719
1720int hci_dev_reset_stat(__u16 dev)
1721{
1722        struct hci_dev *hdev;
1723        int ret = 0;
1724
1725        hdev = hci_dev_get(dev);
1726        if (!hdev)
1727                return -ENODEV;
1728
1729        if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1730                ret = -EBUSY;
1731                goto done;
1732        }
1733
1734        if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1735                ret = -EOPNOTSUPP;
1736                goto done;
1737        }
1738
1739        memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1740
1741done:
1742        hci_dev_put(hdev);
1743        return ret;
1744}
1745
1746static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1747{
1748        bool conn_changed, discov_changed;
1749
1750        BT_DBG("%s scan 0x%02x", hdev->name, scan);
1751
1752        if ((scan & SCAN_PAGE))
1753                conn_changed = !hci_dev_test_and_set_flag(hdev,
1754                                                          HCI_CONNECTABLE);
1755        else
1756                conn_changed = hci_dev_test_and_clear_flag(hdev,
1757                                                           HCI_CONNECTABLE);
1758
1759        if ((scan & SCAN_INQUIRY)) {
1760                discov_changed = !hci_dev_test_and_set_flag(hdev,
1761                                                            HCI_DISCOVERABLE);
1762        } else {
1763                hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1764                discov_changed = hci_dev_test_and_clear_flag(hdev,
1765                                                             HCI_DISCOVERABLE);
1766        }
1767
1768        if (!hci_dev_test_flag(hdev, HCI_MGMT))
1769                return;
1770
1771        if (conn_changed || discov_changed) {
1772                /* In case this was disabled through mgmt */
1773                hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
1774
1775                if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1776                        hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1777
1778                mgmt_new_settings(hdev);
1779        }
1780}
1781
1782int hci_dev_cmd(unsigned int cmd, void __user *arg)
1783{
1784        struct hci_dev *hdev;
1785        struct hci_dev_req dr;
1786        int err = 0;
1787
1788        if (copy_from_user(&dr, arg, sizeof(dr)))
1789                return -EFAULT;
1790
1791        hdev = hci_dev_get(dr.dev_id);
1792        if (!hdev)
1793                return -ENODEV;
1794
1795        if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1796                err = -EBUSY;
1797                goto done;
1798        }
1799
1800        if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1801                err = -EOPNOTSUPP;
1802                goto done;
1803        }
1804
1805        if (hdev->dev_type != HCI_BREDR) {
1806                err = -EOPNOTSUPP;
1807                goto done;
1808        }
1809
1810        if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1811                err = -EOPNOTSUPP;
1812                goto done;
1813        }
1814
1815        switch (cmd) {
1816        case HCISETAUTH:
1817                err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1818                                   HCI_INIT_TIMEOUT, NULL);
1819                break;
1820
1821        case HCISETENCRYPT:
1822                if (!lmp_encrypt_capable(hdev)) {
1823                        err = -EOPNOTSUPP;
1824                        break;
1825                }
1826
1827                if (!test_bit(HCI_AUTH, &hdev->flags)) {
1828                        /* Auth must be enabled first */
1829                        err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1830                                           HCI_INIT_TIMEOUT, NULL);
1831                        if (err)
1832                                break;
1833                }
1834
1835                err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1836                                   HCI_INIT_TIMEOUT, NULL);
1837                break;
1838
1839        case HCISETSCAN:
1840                err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1841                                   HCI_INIT_TIMEOUT, NULL);
1842
1843                /* Ensure that the connectable and discoverable states
1844                 * get correctly modified as this was a non-mgmt change.
1845                 */
1846                if (!err)
1847                        hci_update_scan_state(hdev, dr.dev_opt);
1848                break;
1849
1850        case HCISETLINKPOL:
1851                err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1852                                   HCI_INIT_TIMEOUT, NULL);
1853                break;
1854
1855        case HCISETLINKMODE:
1856                hdev->link_mode = ((__u16) dr.dev_opt) &
1857                                        (HCI_LM_MASTER | HCI_LM_ACCEPT);
1858                break;
1859
1860        case HCISETPTYPE:
1861                hdev->pkt_type = (__u16) dr.dev_opt;
1862                break;
1863
1864        case HCISETACLMTU:
1865                hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
1866                hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1867                break;
1868
1869        case HCISETSCOMTU:
1870                hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
1871                hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1872                break;
1873
1874        default:
1875                err = -EINVAL;
1876                break;
1877        }
1878
1879done:
1880        hci_dev_put(hdev);
1881        return err;
1882}
1883
1884int hci_get_dev_list(void __user *arg)
1885{
1886        struct hci_dev *hdev;
1887        struct hci_dev_list_req *dl;
1888        struct hci_dev_req *dr;
1889        int n = 0, size, err;
1890        __u16 dev_num;
1891
1892        if (get_user(dev_num, (__u16 __user *) arg))
1893                return -EFAULT;
1894
1895        if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1896                return -EINVAL;
1897
1898        size = sizeof(*dl) + dev_num * sizeof(*dr);
1899
1900        dl = kzalloc(size, GFP_KERNEL);
1901        if (!dl)
1902                return -ENOMEM;
1903
1904        dr = dl->dev_req;
1905
1906        read_lock(&hci_dev_list_lock);
1907        list_for_each_entry(hdev, &hci_dev_list, list) {
1908                unsigned long flags = hdev->flags;
1909
1910                /* When the auto-off is configured it means the transport
1911                 * is running, but in that case still indicate that the
1912                 * device is actually down.
1913                 */
1914                if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1915                        flags &= ~BIT(HCI_UP);
1916
1917                (dr + n)->dev_id  = hdev->id;
1918                (dr + n)->dev_opt = flags;
1919
1920                if (++n >= dev_num)
1921                        break;
1922        }
1923        read_unlock(&hci_dev_list_lock);
1924
1925        dl->dev_num = n;
1926        size = sizeof(*dl) + n * sizeof(*dr);
1927
1928        err = copy_to_user(arg, dl, size);
1929        kfree(dl);
1930
1931        return err ? -EFAULT : 0;
1932}
1933
1934int hci_get_dev_info(void __user *arg)
1935{
1936        struct hci_dev *hdev;
1937        struct hci_dev_info di;
1938        unsigned long flags;
1939        int err = 0;
1940
1941        if (copy_from_user(&di, arg, sizeof(di)))
1942                return -EFAULT;
1943
1944        hdev = hci_dev_get(di.dev_id);
1945        if (!hdev)
1946                return -ENODEV;
1947
1948        /* When the auto-off is configured it means the transport
1949         * is running, but in that case still indicate that the
1950         * device is actually down.
1951         */
1952        if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1953                flags = hdev->flags & ~BIT(HCI_UP);
1954        else
1955                flags = hdev->flags;
1956
1957        strcpy(di.name, hdev->name);
1958        di.bdaddr   = hdev->bdaddr;
1959        di.type     = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
1960        di.flags    = flags;
1961        di.pkt_type = hdev->pkt_type;
1962        if (lmp_bredr_capable(hdev)) {
1963                di.acl_mtu  = hdev->acl_mtu;
1964                di.acl_pkts = hdev->acl_pkts;
1965                di.sco_mtu  = hdev->sco_mtu;
1966                di.sco_pkts = hdev->sco_pkts;
1967        } else {
1968                di.acl_mtu  = hdev->le_mtu;
1969                di.acl_pkts = hdev->le_pkts;
1970                di.sco_mtu  = 0;
1971                di.sco_pkts = 0;
1972        }
1973        di.link_policy = hdev->link_policy;
1974        di.link_mode   = hdev->link_mode;
1975
1976        memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1977        memcpy(&di.features, &hdev->features, sizeof(di.features));
1978
1979        if (copy_to_user(arg, &di, sizeof(di)))
1980                err = -EFAULT;
1981
1982        hci_dev_put(hdev);
1983
1984        return err;
1985}
1986
1987/* ---- Interface to HCI drivers ---- */
1988
1989static int hci_rfkill_set_block(void *data, bool blocked)
1990{
1991        struct hci_dev *hdev = data;
1992
1993        BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1994
1995        if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1996                return -EBUSY;
1997
1998        if (blocked) {
1999                hci_dev_set_flag(hdev, HCI_RFKILLED);
2000                if (!hci_dev_test_flag(hdev, HCI_SETUP) &&

2001                    !hci_dev_test_flag(hdev, HCI_CONFIG))
2002                        hci_dev_do_close(hdev);
2003        } else {
2004                hci_dev_clear_flag(hdev, HCI_RFKILLED);
2005        }
2006
2007        return 0;
2008}
2009
2010static const struct rfkill_ops hci_rfkill_ops = {
2011        .set_block = hci_rfkill_set_block,
2012};
2013
2014static void hci_power_on(struct work_struct *work)
2015{
2016        struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2017        int err;
2018
2019        BT_DBG("%s", hdev->name);
2020
2021        if (test_bit(HCI_UP, &hdev->flags) &&
2022            hci_dev_test_flag(hdev, HCI_MGMT) &&
2023            hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
2024                cancel_delayed_work(&hdev->power_off);
2025                hci_req_sync_lock(hdev);
2026                err = __hci_req_hci_power_on(hdev);
2027                hci_req_sync_unlock(hdev);
2028                mgmt_power_on(hdev, err);
2029                return;
2030        }
2031
2032        err = hci_dev_do_open(hdev);
2033        if (err < 0) {
2034                hci_dev_lock(hdev);
2035                mgmt_set_powered_failed(hdev, err);
2036                hci_dev_unlock(hdev);
2037                return;
2038        }
2039
2040        /* During the HCI setup phase, a few error conditions are
2041         * ignored and they need to be checked now. If they are still
2042         * valid, it is important to turn the device back off.
2043         */
2044        if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
2045            hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
2046            (hdev->dev_type == HCI_BREDR &&
2047             !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2048             !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2049                hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
2050                hci_dev_do_close(hdev);
2051        } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
2052                queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2053                                   HCI_AUTO_OFF_TIMEOUT);
2054        }
2055
2056        if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
2057                /* For unconfigured devices, set the HCI_RAW flag
2058                 * so that userspace can easily identify them.
2059                 */
2060                if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2061                        set_bit(HCI_RAW, &hdev->flags);
2062
2063                /* For fully configured devices, this will send
2064                 * the Index Added event. For unconfigured devices,
2065                 * it will send Unconfigued Index Added event.
2066                 *
2067                 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2068                 * and no event will be send.
2069                 */
2070                mgmt_index_added(hdev);
2071        } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
2072                /* When the controller is now configured, then it
2073                 * is important to clear the HCI_RAW flag.
2074                 */
2075                if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2076                        clear_bit(HCI_RAW, &hdev->flags);
2077
2078                /* Powering on the controller with HCI_CONFIG set only
2079                 * happens with the transition from unconfigured to
2080                 * configured. This will send the Index Added event.
2081                 */
2082                mgmt_index_added(hdev);
2083        }
2084}
2085
2086static void hci_power_off(struct work_struct *work)
2087{
2088        struct hci_dev *hdev = container_of(work, struct hci_dev,
2089                                            power_off.work);
2090
2091        BT_DBG("%s", hdev->name);
2092
2093        hci_dev_do_close(hdev);
2094}
2095
2096static void hci_error_reset(struct work_struct *work)
2097{
2098        struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2099
2100        BT_DBG("%s", hdev->name);
2101
2102        if (hdev->hw_error)
2103                hdev->hw_error(hdev, hdev->hw_error_code);
2104        else
2105                BT_ERR("%s hardware error 0x%2.2x", hdev->name,
2106                       hdev->hw_error_code);
2107
2108        if (hci_dev_do_close(hdev))
2109                return;
2110
2111        hci_dev_do_open(hdev);
2112}
2113
2114void hci_uuids_clear(struct hci_dev *hdev)
2115{
2116        struct bt_uuid *uuid, *tmp;
2117
2118        list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2119                list_del(&uuid->list);
2120                kfree(uuid);
2121        }
2122}
2123
2124void hci_link_keys_clear(struct hci_dev *hdev)
2125{
2126        struct link_key *key;
2127
2128        list_for_each_entry_rcu(key, &hdev->link_keys, list) {
2129                list_del_rcu(&key->list);
2130                kfree_rcu(key, rcu);
2131        }
2132}
2133
2134void hci_smp_ltks_clear(struct hci_dev *hdev)
2135{
2136        struct smp_ltk *k;
2137
2138        list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2139                list_del_rcu(&k->list);
2140                kfree_rcu(k, rcu);
2141        }
2142}
2143
2144void hci_smp_irks_clear(struct hci_dev *hdev)
2145{
2146        struct smp_irk *k;
2147
2148        list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2149                list_del_rcu(&k->list);
2150                kfree_rcu(k, rcu);
2151        }
2152}
2153
2154struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2155{
2156        struct link_key *k;
2157
2158        rcu_read_lock();
2159        list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2160                if (bacmp(bdaddr, &k->bdaddr) == 0) {
2161                        rcu_read_unlock();
2162                        return k;
2163                }
2164        }
2165        rcu_read_unlock();
2166
2167        return NULL;
2168}
2169
2170static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2171                               u8 key_type, u8 old_key_type)
2172{
2173        /* Legacy key */
2174        if (key_type < 0x03)
2175                return true;
2176
2177        /* Debug keys are insecure so don't store them persistently */
2178        if (key_type == HCI_LK_DEBUG_COMBINATION)
2179                return false;
2180
2181        /* Changed combination key and there's no previous one */
2182        if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2183                return false;
2184
2185        /* Security mode 3 case */
2186        if (!conn)
2187                return true;
2188
2189        /* BR/EDR key derived using SC from an LE link */
2190        if (conn->type == LE_LINK)
2191                return true;
2192
2193        /* Neither local nor remote side had no-bonding as requirement */
2194        if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2195                return true;
2196
2197        /* Local side had dedicated bonding as requirement */
2198        if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2199                return true;
2200
2201        /* Remote side had dedicated bonding as requirement */
2202        if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2203                return true;
2204
2205        /* If none of the above criteria match, then don't store the key
2206         * persistently */
2207        return false;
2208}
2209
2210static u8 ltk_role(u8 type)
2211{
2212        if (type == SMP_LTK)
2213                return HCI_ROLE_MASTER;
2214
2215        return HCI_ROLE_SLAVE;
2216}
2217
2218struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2219                             u8 addr_type, u8 role)
2220{
2221        struct smp_ltk *k;
2222
2223        rcu_read_lock();
2224        list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2225                if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2226                        continue;
2227
2228                if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2229                        rcu_read_unlock();
2230                        return k;
2231                }
2232        }
2233        rcu_read_unlock();
2234
2235        return NULL;
2236}
2237
2238struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2239{
2240        struct smp_irk *irk;
2241
2242        rcu_read_lock();
2243        list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2244                if (!bacmp(&irk->rpa, rpa)) {
2245                        rcu_read_unlock();
2246                        return irk;
2247                }
2248        }
2249
2250        list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2251                if (smp_irk_matches(hdev, irk->val, rpa)) {
2252                        bacpy(&irk->rpa, rpa);
2253                        rcu_read_unlock();
2254                        return irk;
2255                }
2256        }
2257        rcu_read_unlock();
2258
2259        return NULL;
2260}
2261
2262struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2263                                     u8 addr_type)
2264{
2265        struct smp_irk *irk;
2266
2267        /* Identity Address must be public or static random */
2268        if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2269                return NULL;
2270
2271        rcu_read_lock();
2272        list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2273                if (addr_type == irk->addr_type &&
2274                    bacmp(bdaddr, &irk->bdaddr) == 0) {
2275                        rcu_read_unlock();
2276                        return irk;
2277                }
2278        }
2279        rcu_read_unlock();
2280
2281        return NULL;
2282}
2283
2284struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2285                                  bdaddr_t *bdaddr, u8 *val, u8 type,
2286                                  u8 pin_len, bool *persistent)
2287{
2288        struct link_key *key, *old_key;
2289        u8 old_key_type;
2290
2291        old_key = hci_find_link_key(hdev, bdaddr);
2292        if (old_key) {
2293                old_key_type = old_key->type;
2294                key = old_key;
2295        } else {
2296                old_key_type = conn ? conn->key_type : 0xff;
2297                key = kzalloc(sizeof(*key), GFP_KERNEL);
2298                if (!key)
2299                        return NULL;
2300                list_add_rcu(&key->list, &hdev->link_keys);
2301        }
2302
2303        BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2304
2305        /* Some buggy controller combinations generate a changed
2306         * combination key for legacy pairing even when there's no
2307         * previous key */
2308        if (type == HCI_LK_CHANGED_COMBINATION &&
2309            (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2310                type = HCI_LK_COMBINATION;
2311                if (conn)
2312                        conn->key_type = type;
2313        }
2314
2315        bacpy(&key->bdaddr, bdaddr);
2316        memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2317        key->pin_len = pin_len;
2318
2319        if (type == HCI_LK_CHANGED_COMBINATION)
2320                key->type = old_key_type;
2321        else
2322                key->type = type;
2323
2324        if (persistent)
2325                *persistent = hci_persistent_key(hdev, conn, type,
2326                                                 old_key_type);
2327
2328        return key;
2329}
2330
2331struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2332                            u8 addr_type, u8 type, u8 authenticated,
2333                            u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2334{
2335        struct smp_ltk *key, *old_key;
2336        u8 role = ltk_role(type);
2337
2338        old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2339        if (old_key)
2340                key = old_key;
2341        else {
2342                key = kzalloc(sizeof(*key), GFP_KERNEL);
2343                if (!key)
2344                        return NULL;
2345                list_add_rcu(&key->list, &hdev->long_term_keys);
2346        }
2347
2348        bacpy(&key->bdaddr, bdaddr);
2349        key->bdaddr_type = addr_type;
2350        memcpy(key->val, tk, sizeof(key->val));
2351        key->authenticated = authenticated;
2352        key->ediv = ediv;
2353        key->rand = rand;
2354        key->enc_size = enc_size;
2355        key->type = type;
2356
2357        return key;
2358}
2359
2360struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2361                            u8 addr_type, u8 val[16], bdaddr_t *rpa)
2362{
2363        struct smp_irk *irk;
2364
2365        irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2366        if (!irk) {
2367                irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2368                if (!irk)
2369                        return NULL;
2370
2371                bacpy(&irk->bdaddr, bdaddr);
2372                irk->addr_type = addr_type;
2373
2374                list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2375        }
2376
2377        memcpy(irk->val, val, 16);
2378        bacpy(&irk->rpa, rpa);
2379
2380        return irk;
2381}
2382
2383int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2384{
2385        struct link_key *key;
2386
2387        key = hci_find_link_key(hdev, bdaddr);
2388        if (!key)
2389                return -ENOENT;
2390
2391        BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2392
2393        list_del_rcu(&key->list);
2394        kfree_rcu(key, rcu);
2395
2396        return 0;
2397}
2398
2399int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2400{
2401        struct smp_ltk *k;
2402        int removed = 0;
2403
2404        list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2405                if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2406                        continue;
2407
2408                BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2409
2410                list_del_rcu(&k->list);
2411                kfree_rcu(k, rcu);
2412                removed++;
2413        }
2414
2415        return removed ? 0 : -ENOENT;
2416}
2417
2418void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2419{
2420        struct smp_irk *k;
2421
2422        list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2423                if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2424                        continue;
2425
2426                BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2427
2428                list_del_rcu(&k->list);
2429                kfree_rcu(k, rcu);
2430        }
2431}
2432
2433bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2434{
2435        struct smp_ltk *k;
2436        struct smp_irk *irk;
2437        u8 addr_type;
2438
2439        if (type == BDADDR_BREDR) {
2440                if (hci_find_link_key(hdev, bdaddr))
2441                        return true;
2442                return false;
2443        }
2444
2445        /* Convert to HCI addr type which struct smp_ltk uses */
2446        if (type == BDADDR_LE_PUBLIC)
2447                addr_type = ADDR_LE_DEV_PUBLIC;
2448        else
2449                addr_type = ADDR_LE_DEV_RANDOM;
2450
2451        irk = hci_get_irk(hdev, bdaddr, addr_type);
2452        if (irk) {
2453                bdaddr = &irk->bdaddr;
2454                addr_type = irk->addr_type;
2455        }
2456
2457        rcu_read_lock();
2458        list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2459                if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
2460                        rcu_read_unlock();
2461                        return true;
2462                }
2463        }
2464        rcu_read_unlock();
2465
2466        return false;
2467}
2468
2469/* HCI command timer function */
2470static void hci_cmd_timeout(struct work_struct *work)
2471{
2472        struct hci_dev *hdev = container_of(work, struct hci_dev,
2473                                            cmd_timer.work);
2474
2475        if (hdev->sent_cmd) {
2476                struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2477                u16 opcode = __le16_to_cpu(sent->opcode);
2478
2479                BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2480        } else {
2481                BT_ERR("%s command tx timeout", hdev->name);
2482        }
2483
2484        atomic_set(&hdev->cmd_cnt, 1);
2485        queue_work(hdev->workqueue, &hdev->cmd_work);
2486}
2487
2488struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2489                                          bdaddr_t *bdaddr, u8 bdaddr_type)
2490{
2491        struct oob_data *data;
2492
2493        list_for_each_entry(data, &hdev->remote_oob_data, list) {
2494                if (bacmp(bdaddr, &data->bdaddr) != 0)
2495                        continue;
2496                if (data->bdaddr_type != bdaddr_type)
2497                        continue;
2498                return data;
2499        }
2500
2501        return NULL;
2502}
2503
2504int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2505                               u8 bdaddr_type)
2506{
2507        struct oob_data *data;
2508
2509        data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2510        if (!data)
2511                return -ENOENT;
2512
2513        BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2514
2515        list_del(&data->list);
2516        kfree(data);
2517
2518        return 0;
2519}
2520
2521void hci_remote_oob_data_clear(struct hci_dev *hdev)
2522{
2523        struct oob_data *data, *n;
2524
2525        list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2526                list_del(&data->list);
2527                kfree(data);
2528        }
2529}
2530
2531int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2532                            u8 bdaddr_type, u8 *hash192, u8 *rand192,
2533                            u8 *hash256, u8 *rand256)
2534{
2535        struct oob_data *data;
2536
2537        data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2538        if (!data) {
2539                data = kmalloc(sizeof(*data), GFP_KERNEL);
2540                if (!data)
2541                        return -ENOMEM;
2542
2543                bacpy(&data->bdaddr, bdaddr);
2544                data->bdaddr_type = bdaddr_type;
2545                list_add(&data->list, &hdev->remote_oob_data);
2546        }
2547
2548        if (hash192 && rand192) {
2549                memcpy(data->hash192, hash192, sizeof(data->hash192));
2550                memcpy(data->rand192, rand192, sizeof(data->rand192));
2551                if (hash256 && rand256)
2552                        data->present = 0x03;
2553        } else {
2554                memset(data->hash192, 0, sizeof(data->hash192));
2555                memset(data->rand192, 0, sizeof(data->rand192));
2556                if (hash256 && rand256)
2557                        data->present = 0x02;
2558                else
2559                        data->present = 0x00;
2560        }
2561
2562        if (hash256 && rand256) {
2563                memcpy(data->hash256, hash256, sizeof(data->hash256));
2564                memcpy(data->rand256, rand256, sizeof(data->rand256));
2565        } else {
2566                memset(data->hash256, 0, sizeof(data->hash256));
2567                memset(data->rand256, 0, sizeof(data->rand256));
2568                if (hash192 && rand192)
2569                        data->present = 0x01;
2570        }
2571
2572        BT_DBG("%s for %pMR", hdev->name, bdaddr);
2573
2574        return 0;
2575}
2576
2577/* This function requires the caller holds hdev->lock */
2578struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
2579{
2580        struct adv_info *adv_instance;
2581
2582        list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
2583                if (adv_instance->instance == instance)
2584                        return adv_instance;
2585        }
2586
2587        return NULL;
2588}
2589
2590/* This function requires the caller holds hdev->lock */
2591struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
2592{
2593        struct adv_info *cur_instance;
2594
2595        cur_instance = hci_find_adv_instance(hdev, instance);
2596        if (!cur_instance)
2597                return NULL;
2598
2599        if (cur_instance == list_last_entry(&hdev->adv_instances,
2600                                            struct adv_info, list))
2601                return list_first_entry(&hdev->adv_instances,
2602                                                 struct adv_info, list);
2603        else
2604                return list_next_entry(cur_instance, list);
2605}
2606
2607/* This function requires the caller holds hdev->lock */
2608int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
2609{
2610        struct adv_info *adv_instance;
2611
2612        adv_instance = hci_find_adv_instance(hdev, instance);
2613        if (!adv_instance)
2614                return -ENOENT;
2615
2616        BT_DBG("%s removing %dMR", hdev->name, instance);
2617
2618        if (hdev->cur_adv_instance == instance) {
2619                if (hdev->adv_instance_timeout) {
2620                        cancel_delayed_work(&hdev->adv_instance_expire);
2621                        hdev->adv_instance_timeout = 0;
2622                }
2623                hdev->cur_adv_instance = 0x00;
2624        }
2625
2626        list_del(&adv_instance->list);
2627        kfree(adv_instance);
2628
2629        hdev->adv_instance_cnt--;
2630
2631        return 0;
2632}
2633
2634/* This function requires the caller holds hdev->lock */
2635void hci_adv_instances_clear(struct hci_dev *hdev)
2636{
2637        struct adv_info *adv_instance, *n;
2638
2639        if (hdev->adv_instance_timeout) {
2640                cancel_delayed_work(&hdev->adv_instance_expire);
2641                hdev->adv_instance_timeout = 0;
2642        }
2643
2644        list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
2645                list_del(&adv_instance->list);
2646                kfree(adv_instance);
2647        }
2648
2649        hdev->adv_instance_cnt = 0;
2650        hdev->cur_adv_instance = 0x00;
2651}
2652
2653/* This function requires the caller holds hdev->lock */
2654int hci_add_adv_instance(struct hci_dev *hdev, u8 instance, u32 flags,
2655                         u16 adv_data_len, u8 *adv_data,
2656                         u16 scan_rsp_len, u8 *scan_rsp_data,
2657                         u16 timeout, u16 duration)
2658{
2659        struct adv_info *adv_instance;
2660
2661        adv_instance = hci_find_adv_instance(hdev, instance);
2662        if (adv_instance) {
2663                memset(adv_instance->adv_data, 0,
2664                       sizeof(adv_instance->adv_data));
2665                memset(adv_instance->scan_rsp_data, 0,
2666                       sizeof(adv_instance->scan_rsp_data));
2667        } else {
2668                if (hdev->adv_instance_cnt >= HCI_MAX_ADV_INSTANCES ||
2669                    instance < 1 || instance > HCI_MAX_ADV_INSTANCES)
2670                        return -EOVERFLOW;
2671
2672                adv_instance = kzalloc(sizeof(*adv_instance), GFP_KERNEL);
2673                if (!adv_instance)
2674                        return -ENOMEM;
2675
2676                adv_instance->pending = true;
2677                adv_instance->instance = instance;
2678                list_add(&adv_instance->list, &hdev->adv_instances);
2679                hdev->adv_instance_cnt++;
2680        }
2681
2682        adv_instance->flags = flags;
2683        adv_instance->adv_data_len = adv_data_len;
2684        adv_instance->scan_rsp_len = scan_rsp_len;
2685
2686        if (adv_data_len)
2687                memcpy(adv_instance->adv_data, adv_data, adv_data_len);
2688
2689        if (scan_rsp_len)
2690                memcpy(adv_instance->scan_rsp_data,
2691                       scan_rsp_data, scan_rsp_len);
2692
2693        adv_instance->timeout = timeout;
2694        adv_instance->remaining_time = timeout;
2695
2696        if (duration == 0)
2697                adv_instance->duration = HCI_DEFAULT_ADV_DURATION;
2698        else
2699                adv_instance->duration = duration;
2700
2701        BT_DBG("%s for %dMR", hdev->name, instance);
2702
2703        return 0;
2704}
2705
2706struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2707                                         bdaddr_t *bdaddr, u8 type)
2708{
2709        struct bdaddr_list *b;
2710
2711        list_for_each_entry(b, bdaddr_list, list) {
2712                if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2713                        return b;
2714        }
2715
2716        return NULL;
2717}
2718
2719void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2720{
2721        struct bdaddr_list *b, *n;
2722
2723        list_for_each_entry_safe(b, n, bdaddr_list, list) {
2724                list_del(&b->list);
2725                kfree(b);
2726        }
2727}
2728
2729int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2730{
2731        struct bdaddr_list *entry;
2732
2733        if (!bacmp(bdaddr, BDADDR_ANY))
2734                return -EBADF;
2735
2736        if (hci_bdaddr_list_lookup(list, bdaddr, type))
2737                return -EEXIST;
2738
2739        entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2740        if (!entry)
2741                return -ENOMEM;
2742
2743        bacpy(&entry->bdaddr, bdaddr);
2744        entry->bdaddr_type = type;
2745
2746        list_add(&entry->list, list);
2747
2748        return 0;
2749}
2750
2751int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2752{
2753        struct bdaddr_list *entry;
2754
2755        if (!bacmp(bdaddr, BDADDR_ANY)) {
2756                hci_bdaddr_list_clear(list);
2757                return 0;
2758        }
2759
2760        entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2761        if (!entry)
2762                return -ENOENT;
2763
2764        list_del(&entry->list);
2765        kfree(entry);
2766
2767        return 0;
2768}
2769
2770/* This function requires the caller holds hdev->lock */
2771struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2772                                               bdaddr_t *addr, u8 addr_type)
2773{
2774        struct hci_conn_params *params;
2775
2776        list_for_each_entry(params, &hdev->le_conn_params, list) {
2777                if (bacmp(&params->addr, addr) == 0 &&
2778                    params->addr_type == addr_type) {
2779                        return params;
2780                }
2781        }
2782
2783        return NULL;
2784}
2785
2786/* This function requires the caller holds hdev->lock */
2787struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2788                                                  bdaddr_t *addr, u8 addr_type)
2789{
2790        struct hci_conn_params *param;
2791
2792        list_for_each_entry(param, list, action) {
2793                if (bacmp(&param->addr, addr) == 0 &&
2794                    param->addr_type == addr_type)
2795                        return param;
2796        }
2797
2798        return NULL;
2799}
2800
2801/* This function requires the caller holds hdev->lock */
2802struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2803                                            bdaddr_t *addr, u8 addr_type)
2804{
2805        struct hci_conn_params *params;
2806
2807        params = hci_conn_params_lookup(hdev, addr, addr_type);
2808        if (params)
2809                return params;
2810
2811        params = kzalloc(sizeof(*params), GFP_KERNEL);
2812        if (!params) {
2813                BT_ERR("Out of memory");
2814                return NULL;
2815        }
2816
2817        bacpy(&params->addr, addr);
2818        params->addr_type = addr_type;
2819
2820        list_add(&params->list, &hdev->le_conn_params);
2821        INIT_LIST_HEAD(&params->action);
2822
2823        params->conn_min_interval = hdev->le_conn_min_interval;
2824        params->conn_max_interval = hdev->le_conn_max_interval;
2825        params->conn_latency = hdev->le_conn_latency;
2826        params->supervision_timeout = hdev->le_supv_timeout;
2827        params->auto_connect = HCI_AUTO_CONN_DISABLED;
2828
2829        BT_DBG("addr %pMR (type %u)", addr, addr_type);
2830
2831        return params;
2832}
2833
2834static void hci_conn_params_free(struct hci_conn_params *params)
2835{
2836        if (params->conn) {
2837                hci_conn_drop(params->conn);
2838                hci_conn_put(params->conn);
2839        }
2840
2841        list_del(&params->action);
2842        list_del(&params->list);
2843        kfree(params);
2844}
2845
2846/* This function requires the caller holds hdev->lock */
2847void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2848{
2849        struct hci_conn_params *params;
2850
2851        params = hci_conn_params_lookup(hdev, addr, addr_type);
2852        if (!params)
2853                return;
2854
2855        hci_conn_params_free(params);
2856
2857        hci_update_background_scan(hdev);
2858
2859        BT_DBG("addr %pMR (type %u)", addr, addr_type);
2860}
2861
2862/* This function requires the caller holds hdev->lock */
2863void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2864{
2865        struct hci_conn_params *params, *tmp;
2866
2867        list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2868                if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2869                        continue;
2870
2871                /* If trying to estabilish one time connection to disabled
2872                 * device, leave the params, but mark them as just once.
2873                 */
2874                if (params->explicit_connect) {
2875                        params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2876                        continue;
2877                }
2878
2879                list_del(&params->list);
2880                kfree(params);
2881        }
2882
2883        BT_DBG("All LE disabled connection parameters were removed");
2884}
2885
2886/* This function requires the caller holds hdev->lock */
2887static void hci_conn_params_clear_all(struct hci_dev *hdev)
2888{
2889        struct hci_conn_params *params, *tmp;
2890
2891        list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2892                hci_conn_params_free(params);
2893
2894        BT_DBG("All LE connection parameters were removed");
2895}
2896
2897/* Copy the Identity Address of the controller.
2898 *
2899 * If the controller has a public BD_ADDR, then by default use that one.
2900 * If this is a LE only controller without a public address, default to
2901 * the static random address.
2902 *
2903 * For debugging purposes it is possible to force controllers with a
2904 * public address to use the static random address instead.
2905 *
2906 * In case BR/EDR has been disabled on a dual-mode controller and
2907 * userspace has configured a static address, then that address
2908 * becomes the identity address instead of the public BR/EDR address.
2909 */
2910void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2911                               u8 *bdaddr_type)
2912{
2913        if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2914            !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2915            (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2916             bacmp(&hdev->static_addr, BDADDR_ANY))) {
2917                bacpy(bdaddr, &hdev->static_addr);
2918                *bdaddr_type = ADDR_LE_DEV_RANDOM;
2919        } else {
2920                bacpy(bdaddr, &hdev->bdaddr);
2921                *bdaddr_type = ADDR_LE_DEV_PUBLIC;
2922        }
2923}
2924
2925/* Alloc HCI device */
2926struct hci_dev *hci_alloc_dev(void)
2927{
2928        struct hci_dev *hdev;
2929
2930        hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
2931        if (!hdev)
2932                return NULL;
2933
2934        hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2935        hdev->esco_type = (ESCO_HV1);
2936        hdev->link_mode = (HCI_LM_ACCEPT);
2937        hdev->num_iac = 0x01;           /* One IAC support is mandatory */
2938        hdev->io_capability = 0x03;     /* No Input No Output */
2939        hdev->manufacturer = 0xffff;    /* Default to internal use */
2940        hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2941        hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2942        hdev->adv_instance_cnt = 0;
2943        hdev->cur_adv_instance = 0x00;
2944        hdev->adv_instance_timeout = 0;
2945
2946        hdev->sniff_max_interval = 800;
2947        hdev->sniff_min_interval = 80;
2948
2949        hdev->le_adv_channel_map = 0x07;
2950        hdev->le_adv_min_interval = 0x0800;
2951        hdev->le_adv_max_interval = 0x0800;
2952        hdev->le_scan_interval = 0x0060;
2953        hdev->le_scan_window = 0x0030;
2954        hdev->le_conn_min_interval = 0x0028;
2955        hdev->le_conn_max_interval = 0x0038;
2956        hdev->le_conn_latency = 0x0000;
2957        hdev->le_supv_timeout = 0x002a;
2958        hdev->le_def_tx_len = 0x001b;
2959        hdev->le_def_tx_time = 0x0148;
2960        hdev->le_max_tx_len = 0x001b;
2961        hdev->le_max_tx_time = 0x0148;
2962        hdev->le_max_rx_len = 0x001b;
2963        hdev->le_max_rx_time = 0x0148;
2964
2965        hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2966        hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2967        hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2968        hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2969
2970        mutex_init(&hdev->lock);
2971        mutex_init(&hdev->req_lock);
2972
2973        INIT_LIST_HEAD(&hdev->mgmt_pending);
2974        INIT_LIST_HEAD(&hdev->blacklist);
2975        INIT_LIST_HEAD(&hdev->whitelist);
2976        INIT_LIST_HEAD(&hdev->uuids);
2977        INIT_LIST_HEAD(&hdev->link_keys);
2978        INIT_LIST_HEAD(&hdev->long_term_keys);
2979        INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2980        INIT_LIST_HEAD(&hdev->remote_oob_data);
2981        INIT_LIST_HEAD(&hdev->le_white_list);
2982        INIT_LIST_HEAD(&hdev->le_conn_params);
2983        INIT_LIST_HEAD(&hdev->pend_le_conns);
2984        INIT_LIST_HEAD(&hdev->pend_le_reports);
2985        INIT_LIST_HEAD(&hdev->conn_hash.list);
2986        INIT_LIST_HEAD(&hdev->adv_instances);
2987
2988        INIT_WORK(&hdev->rx_work, hci_rx_work);
2989        INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2990        INIT_WORK(&hdev->tx_work, hci_tx_work);
2991        INIT_WORK(&hdev->power_on, hci_power_on);
2992        INIT_WORK(&hdev->error_reset, hci_error_reset);
2993
2994        INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2995
2996        skb_queue_head_init(&hdev->rx_q);
2997        skb_queue_head_init(&hdev->cmd_q);
2998        skb_queue_head_init(&hdev->raw_q);
2999
3000        init_waitqueue_head(&hdev->req_wait_q);

3001
3002        INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3003
3004        hci_request_setup(hdev);
3005
3006        hci_init_sysfs(hdev);
3007        discovery_init(hdev);
3008
3009        return hdev;
3010}
3011EXPORT_SYMBOL(hci_alloc_dev);
3012
3013/* Free HCI device */
3014void hci_free_dev(struct hci_dev *hdev)
3015{
3016        /* will free via device release */
3017        put_device(&hdev->dev);
3018}
3019EXPORT_SYMBOL(hci_free_dev);
3020
3021/* Register HCI device */
3022int hci_register_dev(struct hci_dev *hdev)
3023{
3024        int id, error;
3025
3026        if (!hdev->open || !hdev->close || !hdev->send)
3027                return -EINVAL;
3028
3029        /* Do not allow HCI_AMP devices to register at index 0,
3030         * so the index can be used as the AMP controller ID.
3031         */
3032        switch (hdev->dev_type) {
3033        case HCI_BREDR:
3034                id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3035                break;
3036        case HCI_AMP:
3037                id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3038                break;
3039        default:
3040                return -EINVAL;
3041        }
3042
3043        if (id < 0)
3044                return id;
3045
3046        sprintf(hdev->name, "hci%d", id);
3047        hdev->id = id;
3048
3049        BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3050
3051        hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3052                                          WQ_MEM_RECLAIM, 1, hdev->name);
3053        if (!hdev->workqueue) {
3054                error = -ENOMEM;
3055                goto err;
3056        }
3057
3058        hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3059                                              WQ_MEM_RECLAIM, 1, hdev->name);
3060        if (!hdev->req_workqueue) {
3061                destroy_workqueue(hdev->workqueue);
3062                error = -ENOMEM;
3063                goto err;
3064        }
3065
3066        if (!IS_ERR_OR_NULL(bt_debugfs))
3067                hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3068
3069        dev_set_name(&hdev->dev, "%s", hdev->name);
3070
3071        error = device_add(&hdev->dev);
3072        if (error < 0)
3073                goto err_wqueue;
3074
3075        hci_leds_init(hdev);
3076
3077        hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3078                                    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3079                                    hdev);
3080        if (hdev->rfkill) {
3081                if (rfkill_register(hdev->rfkill) < 0) {
3082                        rfkill_destroy(hdev->rfkill);
3083                        hdev->rfkill = NULL;
3084                }
3085        }
3086
3087        if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3088                hci_dev_set_flag(hdev, HCI_RFKILLED);
3089
3090        hci_dev_set_flag(hdev, HCI_SETUP);
3091        hci_dev_set_flag(hdev, HCI_AUTO_OFF);
3092
3093        if (hdev->dev_type == HCI_BREDR) {
3094                /* Assume BR/EDR support until proven otherwise (such as
3095                 * through reading supported features during init.
3096                 */
3097                hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
3098        }
3099
3100        write_lock(&hci_dev_list_lock);
3101        list_add(&hdev->list, &hci_dev_list);
3102        write_unlock(&hci_dev_list_lock);
3103
3104        /* Devices that are marked for raw-only usage are unconfigured
3105         * and should not be included in normal operation.
3106         */
3107        if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3108                hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
3109
3110        hci_sock_dev_event(hdev, HCI_DEV_REG);
3111        hci_dev_hold(hdev);
3112
3113        queue_work(hdev->req_workqueue, &hdev->power_on);
3114
3115        return id;
3116
3117err_wqueue:
3118        destroy_workqueue(hdev->workqueue);
3119        destroy_workqueue(hdev->req_workqueue);
3120err:
3121        ida_simple_remove(&hci_index_ida, hdev->id);
3122
3123        return error;
3124}
3125EXPORT_SYMBOL(hci_register_dev);
3126
3127/* Unregister HCI device */
3128void hci_unregister_dev(struct hci_dev *hdev)
3129{
3130        int id;
3131
3132        BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3133
3134        hci_dev_set_flag(hdev, HCI_UNREGISTER);
3135
3136        id = hdev->id;
3137
3138        write_lock(&hci_dev_list_lock);
3139        list_del(&hdev->list);
3140        write_unlock(&hci_dev_list_lock);
3141
3142        hci_dev_do_close(hdev);
3143
3144        cancel_work_sync(&hdev->power_on);
3145
3146        if (!test_bit(HCI_INIT, &hdev->flags) &&
3147            !hci_dev_test_flag(hdev, HCI_SETUP) &&
3148            !hci_dev_test_flag(hdev, HCI_CONFIG)) {
3149                hci_dev_lock(hdev);
3150                mgmt_index_removed(hdev);
3151                hci_dev_unlock(hdev);
3152        }
3153
3154        /* mgmt_index_removed should take care of emptying the
3155         * pending list */
3156        BUG_ON(!list_empty(&hdev->mgmt_pending));
3157
3158        hci_sock_dev_event(hdev, HCI_DEV_UNREG);
3159
3160        if (hdev->rfkill) {
3161                rfkill_unregister(hdev->rfkill);
3162                rfkill_destroy(hdev->rfkill);
3163        }
3164
3165        device_del(&hdev->dev);
3166
3167        debugfs_remove_recursive(hdev->debugfs);
3168
3169        destroy_workqueue(hdev->workqueue);
3170        destroy_workqueue(hdev->req_workqueue);
3171
3172        hci_dev_lock(hdev);
3173        hci_bdaddr_list_clear(&hdev->blacklist);
3174        hci_bdaddr_list_clear(&hdev->whitelist);
3175        hci_uuids_clear(hdev);
3176        hci_link_keys_clear(hdev);
3177        hci_smp_ltks_clear(hdev);
3178        hci_smp_irks_clear(hdev);
3179        hci_remote_oob_data_clear(hdev);
3180        hci_adv_instances_clear(hdev);
3181        hci_bdaddr_list_clear(&hdev->le_white_list);
3182        hci_conn_params_clear_all(hdev);
3183        hci_discovery_filter_clear(hdev);
3184        hci_dev_unlock(hdev);
3185
3186        hci_dev_put(hdev);
3187
3188        ida_simple_remove(&hci_index_ida, id);
3189}
3190EXPORT_SYMBOL(hci_unregister_dev);
3191
3192/* Suspend HCI device */
3193int hci_suspend_dev(struct hci_dev *hdev)
3194{
3195        hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
3196        return 0;
3197}
3198EXPORT_SYMBOL(hci_suspend_dev);
3199
3200/* Resume HCI device */
3201int hci_resume_dev(struct hci_dev *hdev)
3202{
3203        hci_sock_dev_event(hdev, HCI_DEV_RESUME);
3204        return 0;
3205}
3206EXPORT_SYMBOL(hci_resume_dev);
3207
3208/* Reset HCI device */
3209int hci_reset_dev(struct hci_dev *hdev)
3210{
3211        const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
3212        struct sk_buff *skb;
3213
3214        skb = bt_skb_alloc(3, GFP_ATOMIC);
3215        if (!skb)
3216                return -ENOMEM;
3217
3218        hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
3219        memcpy(skb_put(skb, 3), hw_err, 3);
3220
3221        /* Send Hardware Error to upper stack */
3222        return hci_recv_frame(hdev, skb);
3223}
3224EXPORT_SYMBOL(hci_reset_dev);
3225
3226/* Receive frame from HCI drivers */
3227int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3228{
3229        if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3230                      && !test_bit(HCI_INIT, &hdev->flags))) {
3231                kfree_skb(skb);
3232                return -ENXIO;
3233        }
3234
3235        if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
3236            hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
3237            hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
3238                kfree_skb(skb);
3239                return -EINVAL;
3240        }
3241
3242        /* Incoming skb */
3243        bt_cb(skb)->incoming = 1;
3244
3245        /* Time stamp */
3246        __net_timestamp(skb);
3247
3248        skb_queue_tail(&hdev->rx_q, skb);
3249        queue_work(hdev->workqueue, &hdev->rx_work);
3250
3251        return 0;
3252}
3253EXPORT_SYMBOL(hci_recv_frame);
3254
3255/* Receive diagnostic message from HCI drivers */
3256int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
3257{
3258        /* Mark as diagnostic packet */
3259        hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
3260
3261        /* Time stamp */
3262        __net_timestamp(skb);
3263
3264        skb_queue_tail(&hdev->rx_q, skb);
3265        queue_work(hdev->workqueue, &hdev->rx_work);
3266
3267        return 0;
3268}
3269EXPORT_SYMBOL(hci_recv_diag);
3270
3271/* ---- Interface to upper protocols ---- */
3272
3273int hci_register_cb(struct hci_cb *cb)
3274{
3275        BT_DBG("%p name %s", cb, cb->name);
3276
3277        mutex_lock(&hci_cb_list_lock);
3278        list_add_tail(&cb->list, &hci_cb_list);
3279        mutex_unlock(&hci_cb_list_lock);
3280
3281        return 0;
3282}
3283EXPORT_SYMBOL(hci_register_cb);
3284
3285int hci_unregister_cb(struct hci_cb *cb)
3286{
3287        BT_DBG("%p name %s", cb, cb->name);
3288
3289        mutex_lock(&hci_cb_list_lock);
3290        list_del(&cb->list);
3291        mutex_unlock(&hci_cb_list_lock);
3292
3293        return 0;
3294}
3295EXPORT_SYMBOL(hci_unregister_cb);
3296
3297static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3298{
3299        int err;
3300
3301        BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3302               skb->len);
3303
3304        /* Time stamp */
3305        __net_timestamp(skb);
3306
3307        /* Send copy to monitor */
3308        hci_send_to_monitor(hdev, skb);
3309
3310        if (atomic_read(&hdev->promisc)) {
3311                /* Send copy to the sockets */
3312                hci_send_to_sock(hdev, skb);
3313        }
3314
3315        /* Get rid of skb owner, prior to sending to the driver. */
3316        skb_orphan(skb);
3317
3318        if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3319                kfree_skb(skb);
3320                return;
3321        }
3322
3323        err = hdev->send(hdev, skb);
3324        if (err < 0) {
3325                BT_ERR("%s sending frame failed (%d)", hdev->name, err);
3326                kfree_skb(skb);
3327        }
3328}
3329
3330/* Send HCI command */
3331int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3332                 const void *param)
3333{
3334        struct sk_buff *skb;
3335
3336        BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3337
3338        skb = hci_prepare_cmd(hdev, opcode, plen, param);
3339        if (!skb) {
3340                BT_ERR("%s no memory for command", hdev->name);
3341                return -ENOMEM;
3342        }
3343
3344        /* Stand-alone HCI commands must be flagged as
3345         * single-command requests.
3346         */
3347        bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3348
3349        skb_queue_tail(&hdev->cmd_q, skb);
3350        queue_work(hdev->workqueue, &hdev->cmd_work);
3351
3352        return 0;
3353}
3354
3355/* Get data from the previously sent command */
3356void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3357{
3358        struct hci_command_hdr *hdr;
3359
3360        if (!hdev->sent_cmd)
3361                return NULL;
3362
3363        hdr = (void *) hdev->sent_cmd->data;
3364
3365        if (hdr->opcode != cpu_to_le16(opcode))
3366                return NULL;
3367
3368        BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3369
3370        return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3371}
3372
3373/* Send HCI command and wait for command commplete event */
3374struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
3375                             const void *param, u32 timeout)
3376{
3377        struct sk_buff *skb;
3378
3379        if (!test_bit(HCI_UP, &hdev->flags))
3380                return ERR_PTR(-ENETDOWN);
3381
3382        bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
3383
3384        hci_req_sync_lock(hdev);
3385        skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
3386        hci_req_sync_unlock(hdev);
3387
3388        return skb;
3389}
3390EXPORT_SYMBOL(hci_cmd_sync);
3391
3392/* Send ACL data */
3393static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3394{
3395        struct hci_acl_hdr *hdr;
3396        int len = skb->len;
3397
3398        skb_push(skb, HCI_ACL_HDR_SIZE);
3399        skb_reset_transport_header(skb);
3400        hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3401        hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3402        hdr->dlen   = cpu_to_le16(len);
3403}
3404
3405static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3406                          struct sk_buff *skb, __u16 flags)
3407{
3408        struct hci_conn *conn = chan->conn;
3409        struct hci_dev *hdev = conn->hdev;
3410        struct sk_buff *list;
3411
3412        skb->len = skb_headlen(skb);
3413        skb->data_len = 0;
3414
3415        hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3416
3417        switch (hdev->dev_type) {
3418        case HCI_BREDR:
3419                hci_add_acl_hdr(skb, conn->handle, flags);
3420                break;
3421        case HCI_AMP:
3422                hci_add_acl_hdr(skb, chan->handle, flags);
3423                break;
3424        default:
3425                BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3426                return;
3427        }
3428
3429        list = skb_shinfo(skb)->frag_list;
3430        if (!list) {
3431                /* Non fragmented */
3432                BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3433
3434                skb_queue_tail(queue, skb);
3435        } else {
3436                /* Fragmented */
3437                BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3438
3439                skb_shinfo(skb)->frag_list = NULL;
3440
3441                /* Queue all fragments atomically. We need to use spin_lock_bh
3442                 * here because of 6LoWPAN links, as there this function is
3443                 * called from softirq and using normal spin lock could cause
3444                 * deadlocks.
3445                 */
3446                spin_lock_bh(&queue->lock);
3447
3448                __skb_queue_tail(queue, skb);
3449
3450                flags &= ~ACL_START;
3451                flags |= ACL_CONT;
3452                do {
3453                        skb = list; list = list->next;
3454
3455                        hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3456                        hci_add_acl_hdr(skb, conn->handle, flags);
3457
3458                        BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3459
3460                        __skb_queue_tail(queue, skb);
3461                } while (list);
3462
3463                spin_unlock_bh(&queue->lock);
3464        }
3465}
3466
3467void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3468{
3469        struct hci_dev *hdev = chan->conn->hdev;
3470
3471        BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3472
3473        hci_queue_acl(chan, &chan->data_q, skb, flags);
3474
3475        queue_work(hdev->workqueue, &hdev->tx_work);
3476}
3477
3478/* Send SCO data */
3479void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3480{
3481        struct hci_dev *hdev = conn->hdev;
3482        struct hci_sco_hdr hdr;
3483
3484        BT_DBG("%s len %d", hdev->name, skb->len);
3485
3486        hdr.handle = cpu_to_le16(conn->handle);
3487        hdr.dlen   = skb->len;
3488
3489        skb_push(skb, HCI_SCO_HDR_SIZE);
3490        skb_reset_transport_header(skb);
3491        memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3492
3493        hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3494
3495        skb_queue_tail(&conn->data_q, skb);
3496        queue_work(hdev->workqueue, &hdev->tx_work);
3497}
3498
3499/* ---- HCI TX task (outgoing data) ---- */
3500
3501/* HCI Connection scheduler */
3502static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3503                                     int *quote)
3504{
3505        struct hci_conn_hash *h = &hdev->conn_hash;
3506        struct hci_conn *conn = NULL, *c;
3507        unsigned int num = 0, min = ~0;
3508
3509        /* We don't have to lock device here. Connections are always
3510         * added and removed with TX task disabled. */
3511
3512        rcu_read_lock();
3513
3514        list_for_each_entry_rcu(c, &h->list, list) {
3515                if (c->type != type || skb_queue_empty(&c->data_q))
3516                        continue;
3517
3518                if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3519                        continue;
3520
3521                num++;
3522
3523                if (c->sent < min) {
3524                        min  = c->sent;
3525                        conn = c;
3526                }
3527
3528                if (hci_conn_num(hdev, type) == num)
3529                        break;
3530        }
3531
3532        rcu_read_unlock();
3533
3534        if (conn) {
3535                int cnt, q;
3536
3537                switch (conn->type) {
3538                case ACL_LINK:
3539                        cnt = hdev->acl_cnt;
3540                        break;
3541                case SCO_LINK:
3542                case ESCO_LINK:
3543                        cnt = hdev->sco_cnt;
3544                        break;
3545                case LE_LINK:
3546                        cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3547                        break;
3548                default:
3549                        cnt = 0;
3550                        BT_ERR("Unknown link type");
3551                }
3552
3553                q = cnt / num;
3554                *quote = q ? q : 1;
3555        } else
3556                *quote = 0;
3557
3558        BT_DBG("conn %p quote %d", conn, *quote);
3559        return conn;
3560}
3561
3562static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3563{
3564        struct hci_conn_hash *h = &hdev->conn_hash;
3565        struct hci_conn *c;
3566
3567        BT_ERR("%s link tx timeout", hdev->name);
3568
3569        rcu_read_lock();
3570
3571        /* Kill stalled connections */
3572        list_for_each_entry_rcu(c, &h->list, list) {
3573                if (c->type == type && c->sent) {
3574                        BT_ERR("%s killing stalled connection %pMR",
3575                               hdev->name, &c->dst);
3576                        hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3577                }
3578        }
3579
3580        rcu_read_unlock();
3581}
3582
3583static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3584                                      int *quote)
3585{
3586        struct hci_conn_hash *h = &hdev->conn_hash;
3587        struct hci_chan *chan = NULL;
3588        unsigned int num = 0, min = ~0, cur_prio = 0;
3589        struct hci_conn *conn;
3590        int cnt, q, conn_num = 0;
3591
3592        BT_DBG("%s", hdev->name);
3593
3594        rcu_read_lock();
3595
3596        list_for_each_entry_rcu(conn, &h->list, list) {
3597                struct hci_chan *tmp;
3598
3599                if (conn->type != type)
3600                        continue;
3601
3602                if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3603                        continue;
3604
3605                conn_num++;
3606
3607                list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3608                        struct sk_buff *skb;
3609
3610                        if (skb_queue_empty(&tmp->data_q))
3611                                continue;
3612
3613                        skb = skb_peek(&tmp->data_q);
3614                        if (skb->priority < cur_prio)
3615                                continue;
3616
3617                        if (skb->priority > cur_prio) {
3618                                num = 0;
3619                                min = ~0;
3620                                cur_prio = skb->priority;
3621                        }
3622
3623                        num++;
3624
3625                        if (conn->sent < min) {
3626                                min  = conn->sent;
3627                                chan = tmp;
3628                        }
3629                }
3630
3631                if (hci_conn_num(hdev, type) == conn_num)
3632                        break;
3633        }
3634
3635        rcu_read_unlock();
3636
3637        if (!chan)
3638                return NULL;
3639
3640        switch (chan->conn->type) {
3641        case ACL_LINK:
3642                cnt = hdev->acl_cnt;
3643                break;
3644        case AMP_LINK:
3645                cnt = hdev->block_cnt;
3646                break;
3647        case SCO_LINK:
3648        case ESCO_LINK:
3649                cnt = hdev->sco_cnt;
3650                break;
3651        case LE_LINK:
3652                cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3653                break;
3654        default:
3655                cnt = 0;
3656                BT_ERR("Unknown link type");
3657        }
3658
3659        q = cnt / num;
3660        *quote = q ? q : 1;
3661        BT_DBG("chan %p quote %d", chan, *quote);
3662        return chan;
3663}
3664
3665static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3666{
3667        struct hci_conn_hash *h = &hdev->conn_hash;
3668        struct hci_conn *conn;
3669        int num = 0;
3670
3671        BT_DBG("%s", hdev->name);
3672
3673        rcu_read_lock();
3674
3675        list_for_each_entry_rcu(conn, &h->list, list) {
3676                struct hci_chan *chan;
3677
3678                if (conn->type != type)
3679                        continue;
3680
3681                if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3682                        continue;
3683
3684                num++;
3685
3686                list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3687                        struct sk_buff *skb;
3688
3689                        if (chan->sent) {
3690                                chan->sent = 0;
3691                                continue;
3692                        }
3693
3694                        if (skb_queue_empty(&chan->data_q))
3695                                continue;
3696
3697                        skb = skb_peek(&chan->data_q);
3698                        if (skb->priority >= HCI_PRIO_MAX - 1)
3699                                continue;
3700
3701                        skb->priority = HCI_PRIO_MAX - 1;
3702
3703                        BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3704                               skb->priority);
3705                }
3706
3707                if (hci_conn_num(hdev, type) == num)
3708                        break;
3709        }
3710
3711        rcu_read_unlock();
3712
3713}
3714
3715static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3716{
3717        /* Calculate count of blocks used by this packet */
3718        return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3719}
3720
3721static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3722{
3723        if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3724                /* ACL tx timeout must be longer than maximum
3725                 * link supervision timeout (40.9 seconds) */
3726                if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3727                                       HCI_ACL_TX_TIMEOUT))
3728                        hci_link_tx_to(hdev, ACL_LINK);
3729        }
3730}
3731
3732static void hci_sched_acl_pkt(struct hci_dev *hdev)
3733{
3734        unsigned int cnt = hdev->acl_cnt;
3735        struct hci_chan *chan;
3736        struct sk_buff *skb;
3737        int quote;
3738
3739        __check_timeout(hdev, cnt);
3740
3741        while (hdev->acl_cnt &&
3742               (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3743                u32 priority = (skb_peek(&chan->data_q))->priority;
3744                while (quote-- && (skb = skb_peek(&chan->data_q))) {
3745                        BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3746                               skb->len, skb->priority);
3747
3748                        /* Stop if priority has changed */
3749                        if (skb->priority < priority)
3750                                break;
3751
3752                        skb = skb_dequeue(&chan->data_q);
3753
3754                        hci_conn_enter_active_mode(chan->conn,
3755                                                   bt_cb(skb)->force_active);
3756
3757                        hci_send_frame(hdev, skb);
3758                        hdev->acl_last_tx = jiffies;
3759
3760                        hdev->acl_cnt--;
3761                        chan->sent++;
3762                        chan->conn->sent++;
3763                }
3764        }
3765
3766        if (cnt != hdev->acl_cnt)
3767                hci_prio_recalculate(hdev, ACL_LINK);
3768}
3769
3770static void hci_sched_acl_blk(struct hci_dev *hdev)
3771{
3772        unsigned int cnt = hdev->block_cnt;
3773        struct hci_chan *chan;
3774        struct sk_buff *skb;
3775        int quote;
3776        u8 type;
3777
3778        __check_timeout(hdev, cnt);
3779
3780        BT_DBG("%s", hdev->name);
3781
3782        if (hdev->dev_type == HCI_AMP)
3783                type = AMP_LINK;
3784        else
3785                type = ACL_LINK;
3786
3787        while (hdev->block_cnt > 0 &&
3788               (chan = hci_chan_sent(hdev, type, &quote))) {
3789                u32 priority = (skb_peek(&chan->data_q))->priority;
3790                while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3791                        int blocks;
3792
3793                        BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3794                               skb->len, skb->priority);
3795
3796                        /* Stop if priority has changed */
3797                        if (skb->priority < priority)
3798                                break;
3799
3800                        skb = skb_dequeue(&chan->data_q);
3801
3802                        blocks = __get_blocks(hdev, skb);
3803                        if (blocks > hdev->block_cnt)
3804                                return;
3805
3806                        hci_conn_enter_active_mode(chan->conn,
3807                                                   bt_cb(skb)->force_active);
3808
3809                        hci_send_frame(hdev, skb);
3810                        hdev->acl_last_tx = jiffies;
3811
3812                        hdev->block_cnt -= blocks;
3813                        quote -= blocks;
3814
3815                        chan->sent += blocks;
3816                        chan->conn->sent += blocks;
3817                }
3818        }
3819
3820        if (cnt != hdev->block_cnt)
3821                hci_prio_recalculate(hdev, type);
3822}
3823
3824static void hci_sched_acl(struct hci_dev *hdev)
3825{
3826        BT_DBG("%s", hdev->name);
3827
3828        /* No ACL link over BR/EDR controller */
3829        if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3830                return;
3831
3832        /* No AMP link over AMP controller */
3833        if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3834                return;
3835
3836        switch (hdev->flow_ctl_mode) {
3837        case HCI_FLOW_CTL_MODE_PACKET_BASED:
3838                hci_sched_acl_pkt(hdev);
3839                break;
3840
3841        case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3842                hci_sched_acl_blk(hdev);
3843                break;
3844        }
3845}
3846
3847/* Schedule SCO */
3848static void hci_sched_sco(struct hci_dev *hdev)
3849{
3850        struct hci_conn *conn;
3851        struct sk_buff *skb;
3852        int quote;
3853
3854        BT_DBG("%s", hdev->name);
3855
3856        if (!hci_conn_num(hdev, SCO_LINK))
3857                return;
3858
3859        while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3860                while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3861                        BT_DBG("skb %p len %d", skb, skb->len);
3862                        hci_send_frame(hdev, skb);
3863
3864                        conn->sent++;
3865                        if (conn->sent == ~0)
3866                                conn->sent = 0;
3867                }
3868        }
3869}
3870
3871static void hci_sched_esco(struct hci_dev *hdev)
3872{
3873        struct hci_conn *conn;
3874        struct sk_buff *skb;
3875        int quote;
3876
3877        BT_DBG("%s", hdev->name);
3878
3879        if (!hci_conn_num(hdev, ESCO_LINK))
3880                return;
3881
3882        while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3883                                                     &quote))) {
3884                while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3885                        BT_DBG("skb %p len %d", skb, skb->len);
3886                        hci_send_frame(hdev, skb);
3887
3888                        conn->sent++;
3889                        if (conn->sent == ~0)
3890                                conn->sent = 0;
3891                }
3892        }
3893}
3894
3895static void hci_sched_le(struct hci_dev *hdev)
3896{
3897        struct hci_chan *chan;
3898        struct sk_buff *skb;
3899        int quote, cnt, tmp;
3900
3901        BT_DBG("%s", hdev->name);
3902
3903        if (!hci_conn_num(hdev, LE_LINK))
3904                return;
3905
3906        if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3907                /* LE tx timeout must be longer than maximum
3908                 * link supervision timeout (40.9 seconds) */
3909                if (!hdev->le_cnt && hdev->le_pkts &&
3910                    time_after(jiffies, hdev->le_last_tx + HZ * 45))
3911                        hci_link_tx_to(hdev, LE_LINK);
3912        }
3913
3914        cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3915        tmp = cnt;
3916        while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3917                u32 priority = (skb_peek(&chan->data_q))->priority;
3918                while (quote-- && (skb = skb_peek(&chan->data_q))) {
3919                        BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3920                               skb->len, skb->priority);
3921
3922                        /* Stop if priority has changed */
3923                        if (skb->priority < priority)
3924                                break;
3925
3926                        skb = skb_dequeue(&chan->data_q);
3927
3928                        hci_send_frame(hdev, skb);
3929                        hdev->le_last_tx = jiffies;
3930
3931                        cnt--;
3932                        chan->sent++;
3933                        chan->conn->sent++;
3934                }
3935        }
3936
3937        if (hdev->le_pkts)
3938                hdev->le_cnt = cnt;
3939        else
3940                hdev->acl_cnt = cnt;
3941
3942        if (cnt != tmp)
3943                hci_prio_recalculate(hdev, LE_LINK);
3944}
3945
3946static void hci_tx_work(struct work_struct *work)
3947{
3948        struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3949        struct sk_buff *skb;
3950
3951        BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3952               hdev->sco_cnt, hdev->le_cnt);
3953
3954        if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3955                /* Schedule queues and send stuff to HCI driver */
3956                hci_sched_acl(hdev);
3957                hci_sched_sco(hdev);
3958                hci_sched_esco(hdev);
3959                hci_sched_le(hdev);
3960        }
3961
3962        /* Send next queued raw (unknown type) packet */
3963        while ((skb = skb_dequeue(&hdev->raw_q)))
3964                hci_send_frame(hdev, skb);
3965}
3966
3967/* ----- HCI RX task (incoming data processing) ----- */
3968
3969/* ACL data packet */
3970static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3971{
3972        struct hci_acl_hdr *hdr = (void *) skb->data;
3973        struct hci_conn *conn;
3974        __u16 handle, flags;
3975
3976        skb_pull(skb, HCI_ACL_HDR_SIZE);
3977
3978        handle = __le16_to_cpu(hdr->handle);
3979        flags  = hci_flags(handle);
3980        handle = hci_handle(handle);
3981
3982        BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3983               handle, flags);
3984
3985        hdev->stat.acl_rx++;
3986
3987        hci_dev_lock(hdev);
3988        conn = hci_conn_hash_lookup_handle(hdev, handle);
3989        hci_dev_unlock(hdev);
3990
3991        if (conn) {
3992                hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3993
3994                /* Send to upper protocol */
3995                l2cap_recv_acldata(conn, skb, flags);
3996                return;
3997        } else {
3998                BT_ERR("%s ACL packet for unknown connection handle %d",
3999                       hdev->name, handle);
4000        }

4001
4002        kfree_skb(skb);
4003}
4004
4005/* SCO data packet */
4006static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4007{
4008        struct hci_sco_hdr *hdr = (void *) skb->data;
4009        struct hci_conn *conn;
4010        __u16 handle;
4011
4012        skb_pull(skb, HCI_SCO_HDR_SIZE);
4013
4014        handle = __le16_to_cpu(hdr->handle);
4015
4016        BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4017
4018        hdev->stat.sco_rx++;
4019
4020        hci_dev_lock(hdev);
4021        conn = hci_conn_hash_lookup_handle(hdev, handle);
4022        hci_dev_unlock(hdev);
4023
4024        if (conn) {
4025                /* Send to upper protocol */
4026                sco_recv_scodata(conn, skb);
4027                return;
4028        } else {
4029                BT_ERR("%s SCO packet for unknown connection handle %d",
4030                       hdev->name, handle);
4031        }
4032
4033        kfree_skb(skb);
4034}
4035
4036static bool hci_req_is_complete(struct hci_dev *hdev)
4037{
4038        struct sk_buff *skb;
4039
4040        skb = skb_peek(&hdev->cmd_q);
4041        if (!skb)
4042                return true;
4043
4044        return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
4045}
4046
4047static void hci_resend_last(struct hci_dev *hdev)
4048{
4049        struct hci_command_hdr *sent;
4050        struct sk_buff *skb;
4051        u16 opcode;
4052
4053        if (!hdev->sent_cmd)
4054                return;
4055
4056        sent = (void *) hdev->sent_cmd->data;
4057        opcode = __le16_to_cpu(sent->opcode);
4058        if (opcode == HCI_OP_RESET)
4059                return;
4060
4061        skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4062        if (!skb)
4063                return;
4064
4065        skb_queue_head(&hdev->cmd_q, skb);
4066        queue_work(hdev->workqueue, &hdev->cmd_work);
4067}
4068
4069void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
4070                          hci_req_complete_t *req_complete,
4071                          hci_req_complete_skb_t *req_complete_skb)
4072{
4073        struct sk_buff *skb;
4074        unsigned long flags;
4075
4076        BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4077
4078        /* If the completed command doesn't match the last one that was
4079         * sent we need to do special handling of it.
4080         */
4081        if (!hci_sent_cmd_data(hdev, opcode)) {
4082                /* Some CSR based controllers generate a spontaneous
4083                 * reset complete event during init and any pending
4084                 * command will never be completed. In such a case we
4085                 * need to resend whatever was the last sent
4086                 * command.
4087                 */
4088                if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4089                        hci_resend_last(hdev);
4090
4091                return;
4092        }
4093
4094        /* If the command succeeded and there's still more commands in
4095         * this request the request is not yet complete.
4096         */
4097        if (!status && !hci_req_is_complete(hdev))
4098                return;
4099
4100        /* If this was the last command in a request the complete
4101         * callback would be found in hdev->sent_cmd instead of the
4102         * command queue (hdev->cmd_q).
4103         */
4104        if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
4105                *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
4106                return;
4107        }
4108
4109        if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
4110                *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
4111                return;
4112        }
4113
4114        /* Remove all pending commands belonging to this request */
4115        spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4116        while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4117                if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4118                        __skb_queue_head(&hdev->cmd_q, skb);
4119                        break;
4120                }
4121
4122                if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
4123                        *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4124                else
4125                        *req_complete = bt_cb(skb)->hci.req_complete;
4126                kfree_skb(skb);
4127        }
4128        spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4129}
4130
4131static void hci_rx_work(struct work_struct *work)
4132{
4133        struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4134        struct sk_buff *skb;
4135
4136        BT_DBG("%s", hdev->name);
4137
4138        while ((skb = skb_dequeue(&hdev->rx_q))) {
4139                /* Send copy to monitor */
4140                hci_send_to_monitor(hdev, skb);
4141
4142                if (atomic_read(&hdev->promisc)) {
4143                        /* Send copy to the sockets */
4144                        hci_send_to_sock(hdev, skb);
4145                }
4146
4147                if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4148                        kfree_skb(skb);
4149                        continue;
4150                }
4151
4152                if (test_bit(HCI_INIT, &hdev->flags)) {
4153                        /* Don't process data packets in this states. */
4154                        switch (hci_skb_pkt_type(skb)) {
4155                        case HCI_ACLDATA_PKT:
4156                        case HCI_SCODATA_PKT:
4157                                kfree_skb(skb);
4158                                continue;
4159                        }
4160                }
4161
4162                /* Process frame */
4163                switch (hci_skb_pkt_type(skb)) {
4164                case HCI_EVENT_PKT:
4165                        BT_DBG("%s Event packet", hdev->name);
4166                        hci_event_packet(hdev, skb);
4167                        break;
4168
4169                case HCI_ACLDATA_PKT:
4170                        BT_DBG("%s ACL data packet", hdev->name);
4171                        hci_acldata_packet(hdev, skb);
4172                        break;
4173
4174                case HCI_SCODATA_PKT:
4175                        BT_DBG("%s SCO data packet", hdev->name);
4176                        hci_scodata_packet(hdev, skb);
4177                        break;
4178
4179                default:
4180                        kfree_skb(skb);
4181                        break;
4182                }
4183        }
4184}
4185
4186static void hci_cmd_work(struct work_struct *work)
4187{
4188        struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4189        struct sk_buff *skb;
4190
4191        BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4192               atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4193
4194        /* Send queued commands */
4195        if (atomic_read(&hdev->cmd_cnt)) {
4196                skb = skb_dequeue(&hdev->cmd_q);
4197                if (!skb)
4198                        return;
4199
4200                kfree_skb(hdev->sent_cmd);
4201
4202                hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4203                if (hdev->sent_cmd) {
4204                        atomic_dec(&hdev->cmd_cnt);
4205                        hci_send_frame(hdev, skb);
4206                        if (test_bit(HCI_RESET, &hdev->flags))
4207                                cancel_delayed_work(&hdev->cmd_timer);
4208                        else
4209                                schedule_delayed_work(&hdev->cmd_timer,
4210                                                      HCI_CMD_TIMEOUT);
4211                } else {
4212                        skb_queue_head(&hdev->cmd_q, skb);
4213                        queue_work(hdev->workqueue, &hdev->cmd_work);
4214                }
4215        }
4216}
4217