Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth HCI core. */
27
28#include <linux/export.h>
29#include <linux/idr.h>
30#include <linux/rfkill.h>
31#include <linux/debugfs.h>
32#include <linux/crypto.h>
33#include <asm/unaligned.h>
34
35#include <net/bluetooth/bluetooth.h>
36#include <net/bluetooth/hci_core.h>
37#include <net/bluetooth/l2cap.h>
38#include <net/bluetooth/mgmt.h>
39
40#include "hci_request.h"
41#include "hci_debugfs.h"
42#include "smp.h"
43#include "leds.h"
44
45static void hci_rx_work(struct work_struct *work);
46static void hci_cmd_work(struct work_struct *work);
47static void hci_tx_work(struct work_struct *work);
48
49/* HCI device list */
50LIST_HEAD(hci_dev_list);
51DEFINE_RWLOCK(hci_dev_list_lock);
52
53/* HCI callback list */
54LIST_HEAD(hci_cb_list);
55DEFINE_MUTEX(hci_cb_list_lock);
56
57/* HCI ID Numbering */
58static DEFINE_IDA(hci_index_ida);
59
60/* ---- HCI debugfs entries ---- */
61
62static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
63 size_t count, loff_t *ppos)
64{
65 struct hci_dev *hdev = file->private_data;
66 char buf[3];
67
68 buf[0] = hci_dev_test_flag(hdev, HCI_DUT_MODE) ? 'Y' : 'N';
69 buf[1] = '\n';
70 buf[2] = '\0';
71 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
72}
73
74static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
75 size_t count, loff_t *ppos)
76{
77 struct hci_dev *hdev = file->private_data;
78 struct sk_buff *skb;
79 char buf[32];
80 size_t buf_size = min(count, (sizeof(buf)-1));
81 bool enable;
82
83 if (!test_bit(HCI_UP, &hdev->flags))
84 return -ENETDOWN;
85
86 if (copy_from_user(buf, user_buf, buf_size))
87 return -EFAULT;
88
89 buf[buf_size] = '\0';
90 if (strtobool(buf, &enable))
91 return -EINVAL;
92
93 if (enable == hci_dev_test_flag(hdev, HCI_DUT_MODE))
94 return -EALREADY;
95
96 hci_req_sync_lock(hdev);
97 if (enable)
98 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
99 HCI_CMD_TIMEOUT);
100 else
101 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
102 HCI_CMD_TIMEOUT);
103 hci_req_sync_unlock(hdev);
104
105 if (IS_ERR(skb))
106 return PTR_ERR(skb);
107
108 kfree_skb(skb);
109
110 hci_dev_change_flag(hdev, HCI_DUT_MODE);
111
112 return count;
113}
114
115static const struct file_operations dut_mode_fops = {
116 .open = simple_open,
117 .read = dut_mode_read,
118 .write = dut_mode_write,
119 .llseek = default_llseek,
120};
121
122static ssize_t vendor_diag_read(struct file *file, char __user *user_buf,
123 size_t count, loff_t *ppos)
124{
125 struct hci_dev *hdev = file->private_data;
126 char buf[3];
127
128 buf[0] = hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) ? 'Y' : 'N';
129 buf[1] = '\n';
130 buf[2] = '\0';
131 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
132}
133
134static ssize_t vendor_diag_write(struct file *file, const char __user *user_buf,
135 size_t count, loff_t *ppos)
136{
137 struct hci_dev *hdev = file->private_data;
138 char buf[32];
139 size_t buf_size = min(count, (sizeof(buf)-1));
140 bool enable;
141 int err;
142
143 if (copy_from_user(buf, user_buf, buf_size))
144 return -EFAULT;
145
146 buf[buf_size] = '\0';
147 if (strtobool(buf, &enable))
148 return -EINVAL;
149
150 /* When the diagnostic flags are not persistent and the transport
151 * is not active, then there is no need for the vendor callback.
152 *
153 * Instead just store the desired value. If needed the setting
154 * will be programmed when the controller gets powered on.
155 */
156 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
157 !test_bit(HCI_RUNNING, &hdev->flags))
158 goto done;
159
160 hci_req_sync_lock(hdev);
161 err = hdev->set_diag(hdev, enable);
162 hci_req_sync_unlock(hdev);
163
164 if (err < 0)
165 return err;
166
167done:
168 if (enable)
169 hci_dev_set_flag(hdev, HCI_VENDOR_DIAG);
170 else
171 hci_dev_clear_flag(hdev, HCI_VENDOR_DIAG);
172
173 return count;
174}
175
176static const struct file_operations vendor_diag_fops = {
177 .open = simple_open,
178 .read = vendor_diag_read,
179 .write = vendor_diag_write,
180 .llseek = default_llseek,
181};
182
183static void hci_debugfs_create_basic(struct hci_dev *hdev)
184{
185 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
186 &dut_mode_fops);
187
188 if (hdev->set_diag)
189 debugfs_create_file("vendor_diag", 0644, hdev->debugfs, hdev,
190 &vendor_diag_fops);
191}
192
193static int hci_reset_req(struct hci_request *req, unsigned long opt)
194{
195 BT_DBG("%s %ld", req->hdev->name, opt);
196
197 /* Reset device */
198 set_bit(HCI_RESET, &req->hdev->flags);
199 hci_req_add(req, HCI_OP_RESET, 0, NULL);
200 return 0;
201}
202
203static void bredr_init(struct hci_request *req)
204{
205 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
206
207 /* Read Local Supported Features */
208 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
209
210 /* Read Local Version */
211 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
212
213 /* Read BD Address */
214 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
215}
216
217static void amp_init1(struct hci_request *req)
218{
219 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
220
221 /* Read Local Version */
222 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
223
224 /* Read Local Supported Commands */
225 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
226
227 /* Read Local AMP Info */
228 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
229
230 /* Read Data Blk size */
231 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
232
233 /* Read Flow Control Mode */
234 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
235
236 /* Read Location Data */
237 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
238}
239
240static int amp_init2(struct hci_request *req)
241{
242 /* Read Local Supported Features. Not all AMP controllers
243 * support this so it's placed conditionally in the second
244 * stage init.
245 */
246 if (req->hdev->commands[14] & 0x20)
247 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
248
249 return 0;
250}
251
252static int hci_init1_req(struct hci_request *req, unsigned long opt)
253{
254 struct hci_dev *hdev = req->hdev;
255
256 BT_DBG("%s %ld", hdev->name, opt);
257
258 /* Reset */
259 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
260 hci_reset_req(req, 0);
261
262 switch (hdev->dev_type) {
263 case HCI_BREDR:
264 bredr_init(req);
265 break;
266
267 case HCI_AMP:
268 amp_init1(req);
269 break;
270
271 default:
272 BT_ERR("Unknown device type %d", hdev->dev_type);
273 break;
274 }
275
276 return 0;
277}
278
279static void bredr_setup(struct hci_request *req)
280{
281 __le16 param;
282 __u8 flt_type;
283
284 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
285 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
286
287 /* Read Class of Device */
288 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
289
290 /* Read Local Name */
291 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
292
293 /* Read Voice Setting */
294 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
295
296 /* Read Number of Supported IAC */
297 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
298
299 /* Read Current IAC LAP */
300 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
301
302 /* Clear Event Filters */
303 flt_type = HCI_FLT_CLEAR_ALL;
304 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
305
306 /* Connection accept timeout ~20 secs */
307 param = cpu_to_le16(0x7d00);
308 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
309}
310
311static void le_setup(struct hci_request *req)
312{
313 struct hci_dev *hdev = req->hdev;
314
315 /* Read LE Buffer Size */
316 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
317
318 /* Read LE Local Supported Features */
319 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
320
321 /* Read LE Supported States */
322 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
323
324 /* LE-only controllers have LE implicitly enabled */
325 if (!lmp_bredr_capable(hdev))
326 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
327}
328
329static void hci_setup_event_mask(struct hci_request *req)
330{
331 struct hci_dev *hdev = req->hdev;
332
333 /* The second byte is 0xff instead of 0x9f (two reserved bits
334 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
335 * command otherwise.
336 */
337 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
338
339 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
340 * any event mask for pre 1.2 devices.
341 */
342 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
343 return;
344
345 if (lmp_bredr_capable(hdev)) {
346 events[4] |= 0x01; /* Flow Specification Complete */
347 } else {
348 /* Use a different default for LE-only devices */
349 memset(events, 0, sizeof(events));
350 events[1] |= 0x20; /* Command Complete */
351 events[1] |= 0x40; /* Command Status */
352 events[1] |= 0x80; /* Hardware Error */
353
354 /* If the controller supports the Disconnect command, enable
355 * the corresponding event. In addition enable packet flow
356 * control related events.
357 */
358 if (hdev->commands[0] & 0x20) {
359 events[0] |= 0x10; /* Disconnection Complete */
360 events[2] |= 0x04; /* Number of Completed Packets */
361 events[3] |= 0x02; /* Data Buffer Overflow */
362 }
363
364 /* If the controller supports the Read Remote Version
365 * Information command, enable the corresponding event.
366 */
367 if (hdev->commands[2] & 0x80)
368 events[1] |= 0x08; /* Read Remote Version Information
369 * Complete
370 */
371
372 if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
373 events[0] |= 0x80; /* Encryption Change */
374 events[5] |= 0x80; /* Encryption Key Refresh Complete */
375 }
376 }
377
378 if (lmp_inq_rssi_capable(hdev) ||
379 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks))
380 events[4] |= 0x02; /* Inquiry Result with RSSI */
381
382 if (lmp_ext_feat_capable(hdev))
383 events[4] |= 0x04; /* Read Remote Extended Features Complete */
384
385 if (lmp_esco_capable(hdev)) {
386 events[5] |= 0x08; /* Synchronous Connection Complete */
387 events[5] |= 0x10; /* Synchronous Connection Changed */
388 }
389
390 if (lmp_sniffsubr_capable(hdev))
391 events[5] |= 0x20; /* Sniff Subrating */
392
393 if (lmp_pause_enc_capable(hdev))
394 events[5] |= 0x80; /* Encryption Key Refresh Complete */
395
396 if (lmp_ext_inq_capable(hdev))
397 events[5] |= 0x40; /* Extended Inquiry Result */
398
399 if (lmp_no_flush_capable(hdev))
400 events[7] |= 0x01; /* Enhanced Flush Complete */
401
402 if (lmp_lsto_capable(hdev))
403 events[6] |= 0x80; /* Link Supervision Timeout Changed */
404
405 if (lmp_ssp_capable(hdev)) {
406 events[6] |= 0x01; /* IO Capability Request */
407 events[6] |= 0x02; /* IO Capability Response */
408 events[6] |= 0x04; /* User Confirmation Request */
409 events[6] |= 0x08; /* User Passkey Request */
410 events[6] |= 0x10; /* Remote OOB Data Request */
411 events[6] |= 0x20; /* Simple Pairing Complete */
412 events[7] |= 0x04; /* User Passkey Notification */
413 events[7] |= 0x08; /* Keypress Notification */
414 events[7] |= 0x10; /* Remote Host Supported
415 * Features Notification
416 */
417 }
418
419 if (lmp_le_capable(hdev))
420 events[7] |= 0x20; /* LE Meta-Event */
421
422 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
423}
424
425static int hci_init2_req(struct hci_request *req, unsigned long opt)
426{
427 struct hci_dev *hdev = req->hdev;
428
429 if (hdev->dev_type == HCI_AMP)
430 return amp_init2(req);
431
432 if (lmp_bredr_capable(hdev))
433 bredr_setup(req);
434 else
435 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
436
437 if (lmp_le_capable(hdev))
438 le_setup(req);
439
440 /* All Bluetooth 1.2 and later controllers should support the
441 * HCI command for reading the local supported commands.
442 *
443 * Unfortunately some controllers indicate Bluetooth 1.2 support,
444 * but do not have support for this command. If that is the case,
445 * the driver can quirk the behavior and skip reading the local
446 * supported commands.
447 */
448 if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
449 !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
450 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
451
452 if (lmp_ssp_capable(hdev)) {
453 /* When SSP is available, then the host features page
454 * should also be available as well. However some
455 * controllers list the max_page as 0 as long as SSP
456 * has not been enabled. To achieve proper debugging
457 * output, force the minimum max_page to 1 at least.
458 */
459 hdev->max_page = 0x01;
460
461 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
462 u8 mode = 0x01;
463
464 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
465 sizeof(mode), &mode);
466 } else {
467 struct hci_cp_write_eir cp;
468
469 memset(hdev->eir, 0, sizeof(hdev->eir));
470 memset(&cp, 0, sizeof(cp));
471
472 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
473 }
474 }
475
476 if (lmp_inq_rssi_capable(hdev) ||
477 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
478 u8 mode;
479
480 /* If Extended Inquiry Result events are supported, then
481 * they are clearly preferred over Inquiry Result with RSSI
482 * events.
483 */
484 mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
485
486 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
487 }
488
489 if (lmp_inq_tx_pwr_capable(hdev))
490 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
491
492 if (lmp_ext_feat_capable(hdev)) {
493 struct hci_cp_read_local_ext_features cp;
494
495 cp.page = 0x01;
496 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
497 sizeof(cp), &cp);
498 }
499
500 if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
501 u8 enable = 1;
502 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
503 &enable);
504 }
505
506 return 0;
507}
508
509static void hci_setup_link_policy(struct hci_request *req)
510{
511 struct hci_dev *hdev = req->hdev;
512 struct hci_cp_write_def_link_policy cp;
513 u16 link_policy = 0;
514
515 if (lmp_rswitch_capable(hdev))
516 link_policy |= HCI_LP_RSWITCH;
517 if (lmp_hold_capable(hdev))
518 link_policy |= HCI_LP_HOLD;
519 if (lmp_sniff_capable(hdev))
520 link_policy |= HCI_LP_SNIFF;
521 if (lmp_park_capable(hdev))
522 link_policy |= HCI_LP_PARK;
523
524 cp.policy = cpu_to_le16(link_policy);
525 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
526}
527
528static void hci_set_le_support(struct hci_request *req)
529{
530 struct hci_dev *hdev = req->hdev;
531 struct hci_cp_write_le_host_supported cp;
532
533 /* LE-only devices do not support explicit enablement */
534 if (!lmp_bredr_capable(hdev))
535 return;
536
537 memset(&cp, 0, sizeof(cp));
538
539 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
540 cp.le = 0x01;
541 cp.simul = 0x00;
542 }
543
544 if (cp.le != lmp_host_le_capable(hdev))
545 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
546 &cp);
547}
548
549static void hci_set_event_mask_page_2(struct hci_request *req)
550{
551 struct hci_dev *hdev = req->hdev;
552 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
553
554 /* If Connectionless Slave Broadcast master role is supported
555 * enable all necessary events for it.
556 */
557 if (lmp_csb_master_capable(hdev)) {
558 events[1] |= 0x40; /* Triggered Clock Capture */
559 events[1] |= 0x80; /* Synchronization Train Complete */
560 events[2] |= 0x10; /* Slave Page Response Timeout */
561 events[2] |= 0x20; /* CSB Channel Map Change */
562 }
563
564 /* If Connectionless Slave Broadcast slave role is supported
565 * enable all necessary events for it.
566 */
567 if (lmp_csb_slave_capable(hdev)) {
568 events[2] |= 0x01; /* Synchronization Train Received */
569 events[2] |= 0x02; /* CSB Receive */
570 events[2] |= 0x04; /* CSB Timeout */
571 events[2] |= 0x08; /* Truncated Page Complete */
572 }
573
574 /* Enable Authenticated Payload Timeout Expired event if supported */
575 if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
576 events[2] |= 0x80;
577
578 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
579}
580
581static int hci_init3_req(struct hci_request *req, unsigned long opt)
582{
583 struct hci_dev *hdev = req->hdev;
584 u8 p;
585
586 hci_setup_event_mask(req);
587
588 if (hdev->commands[6] & 0x20 &&
589 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
590 struct hci_cp_read_stored_link_key cp;
591
592 bacpy(&cp.bdaddr, BDADDR_ANY);
593 cp.read_all = 0x01;
594 hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
595 }
596
597 if (hdev->commands[5] & 0x10)
598 hci_setup_link_policy(req);
599
600 if (hdev->commands[8] & 0x01)
601 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
602
603 /* Some older Broadcom based Bluetooth 1.2 controllers do not
604 * support the Read Page Scan Type command. Check support for
605 * this command in the bit mask of supported commands.
606 */
607 if (hdev->commands[13] & 0x01)
608 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
609
610 if (lmp_le_capable(hdev)) {
611 u8 events[8];
612
613 memset(events, 0, sizeof(events));
614
615 if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
616 events[0] |= 0x10; /* LE Long Term Key Request */
617
618 /* If controller supports the Connection Parameters Request
619 * Link Layer Procedure, enable the corresponding event.
620 */
621 if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
622 events[0] |= 0x20; /* LE Remote Connection
623 * Parameter Request
624 */
625
626 /* If the controller supports the Data Length Extension
627 * feature, enable the corresponding event.
628 */
629 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
630 events[0] |= 0x40; /* LE Data Length Change */
631
632 /* If the controller supports Extended Scanner Filter
633 * Policies, enable the correspondig event.
634 */
635 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
636 events[1] |= 0x04; /* LE Direct Advertising
637 * Report
638 */
639
640 /* If the controller supports the LE Set Scan Enable command,
641 * enable the corresponding advertising report event.
642 */
643 if (hdev->commands[26] & 0x08)
644 events[0] |= 0x02; /* LE Advertising Report */
645
646 /* If the controller supports the LE Create Connection
647 * command, enable the corresponding event.
648 */
649 if (hdev->commands[26] & 0x10)
650 events[0] |= 0x01; /* LE Connection Complete */
651
652 /* If the controller supports the LE Connection Update
653 * command, enable the corresponding event.
654 */
655 if (hdev->commands[27] & 0x04)
656 events[0] |= 0x04; /* LE Connection Update
657 * Complete
658 */
659
660 /* If the controller supports the LE Read Remote Used Features
661 * command, enable the corresponding event.
662 */
663 if (hdev->commands[27] & 0x20)
664 events[0] |= 0x08; /* LE Read Remote Used
665 * Features Complete
666 */
667
668 /* If the controller supports the LE Read Local P-256
669 * Public Key command, enable the corresponding event.
670 */
671 if (hdev->commands[34] & 0x02)
672 events[0] |= 0x80; /* LE Read Local P-256
673 * Public Key Complete
674 */
675
676 /* If the controller supports the LE Generate DHKey
677 * command, enable the corresponding event.
678 */
679 if (hdev->commands[34] & 0x04)
680 events[1] |= 0x01; /* LE Generate DHKey Complete */
681
682 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
683 events);
684
685 if (hdev->commands[25] & 0x40) {
686 /* Read LE Advertising Channel TX Power */
687 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
688 }
689
690 if (hdev->commands[26] & 0x40) {
691 /* Read LE White List Size */
692 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE,
693 0, NULL);
694 }
695
696 if (hdev->commands[26] & 0x80) {
697 /* Clear LE White List */
698 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
699 }
700
701 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
702 /* Read LE Maximum Data Length */
703 hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
704
705 /* Read LE Suggested Default Data Length */
706 hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
707 }
708
709 hci_set_le_support(req);
710 }
711
712 /* Read features beyond page 1 if available */
713 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
714 struct hci_cp_read_local_ext_features cp;
715
716 cp.page = p;
717 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
718 sizeof(cp), &cp);
719 }
720
721 return 0;
722}
723
724static int hci_init4_req(struct hci_request *req, unsigned long opt)
725{
726 struct hci_dev *hdev = req->hdev;
727
728 /* Some Broadcom based Bluetooth controllers do not support the
729 * Delete Stored Link Key command. They are clearly indicating its
730 * absence in the bit mask of supported commands.
731 *
732 * Check the supported commands and only if the the command is marked
733 * as supported send it. If not supported assume that the controller
734 * does not have actual support for stored link keys which makes this
735 * command redundant anyway.
736 *
737 * Some controllers indicate that they support handling deleting
738 * stored link keys, but they don't. The quirk lets a driver
739 * just disable this command.
740 */
741 if (hdev->commands[6] & 0x80 &&
742 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
743 struct hci_cp_delete_stored_link_key cp;
744
745 bacpy(&cp.bdaddr, BDADDR_ANY);
746 cp.delete_all = 0x01;
747 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
748 sizeof(cp), &cp);
749 }
750
751 /* Set event mask page 2 if the HCI command for it is supported */
752 if (hdev->commands[22] & 0x04)
753 hci_set_event_mask_page_2(req);
754
755 /* Read local codec list if the HCI command is supported */
756 if (hdev->commands[29] & 0x20)
757 hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
758
759 /* Get MWS transport configuration if the HCI command is supported */
760 if (hdev->commands[30] & 0x08)
761 hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
762
763 /* Check for Synchronization Train support */
764 if (lmp_sync_train_capable(hdev))
765 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
766
767 /* Enable Secure Connections if supported and configured */
768 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&
769 bredr_sc_enabled(hdev)) {
770 u8 support = 0x01;
771
772 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
773 sizeof(support), &support);
774 }
775
776 return 0;
777}
778
779static int __hci_init(struct hci_dev *hdev)
780{
781 int err;
782
783 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT, NULL);
784 if (err < 0)
785 return err;
786
787 if (hci_dev_test_flag(hdev, HCI_SETUP))
788 hci_debugfs_create_basic(hdev);
789
790 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT, NULL);
791 if (err < 0)
792 return err;
793
794 /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
795 * BR/EDR/LE type controllers. AMP controllers only need the
796 * first two stages of init.
797 */
798 if (hdev->dev_type != HCI_BREDR)
799 return 0;
800
801 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT, NULL);
802 if (err < 0)
803 return err;
804
805 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT, NULL);
806 if (err < 0)
807 return err;
808
809 /* This function is only called when the controller is actually in
810 * configured state. When the controller is marked as unconfigured,
811 * this initialization procedure is not run.
812 *
813 * It means that it is possible that a controller runs through its
814 * setup phase and then discovers missing settings. If that is the
815 * case, then this function will not be called. It then will only
816 * be called during the config phase.
817 *
818 * So only when in setup phase or config phase, create the debugfs
819 * entries and register the SMP channels.
820 */
821 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
822 !hci_dev_test_flag(hdev, HCI_CONFIG))
823 return 0;
824
825 hci_debugfs_create_common(hdev);
826
827 if (lmp_bredr_capable(hdev))
828 hci_debugfs_create_bredr(hdev);
829
830 if (lmp_le_capable(hdev))
831 hci_debugfs_create_le(hdev);
832
833 return 0;
834}
835
836static int hci_init0_req(struct hci_request *req, unsigned long opt)
837{
838 struct hci_dev *hdev = req->hdev;
839
840 BT_DBG("%s %ld", hdev->name, opt);
841
842 /* Reset */
843 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
844 hci_reset_req(req, 0);
845
846 /* Read Local Version */
847 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
848
849 /* Read BD Address */
850 if (hdev->set_bdaddr)
851 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
852
853 return 0;
854}
855
856static int __hci_unconf_init(struct hci_dev *hdev)
857{
858 int err;
859
860 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
861 return 0;
862
863 err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT, NULL);
864 if (err < 0)
865 return err;
866
867 if (hci_dev_test_flag(hdev, HCI_SETUP))
868 hci_debugfs_create_basic(hdev);
869
870 return 0;
871}
872
873static int hci_scan_req(struct hci_request *req, unsigned long opt)
874{
875 __u8 scan = opt;
876
877 BT_DBG("%s %x", req->hdev->name, scan);
878
879 /* Inquiry and Page scans */
880 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
881 return 0;
882}
883
884static int hci_auth_req(struct hci_request *req, unsigned long opt)
885{
886 __u8 auth = opt;
887
888 BT_DBG("%s %x", req->hdev->name, auth);
889
890 /* Authentication */
891 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
892 return 0;
893}
894
895static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
896{
897 __u8 encrypt = opt;
898
899 BT_DBG("%s %x", req->hdev->name, encrypt);
900
901 /* Encryption */
902 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
903 return 0;
904}
905
906static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
907{
908 __le16 policy = cpu_to_le16(opt);
909
910 BT_DBG("%s %x", req->hdev->name, policy);
911
912 /* Default link policy */
913 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
914 return 0;
915}
916
917/* Get HCI device by index.
918 * Device is held on return. */
919struct hci_dev *hci_dev_get(int index)
920{
921 struct hci_dev *hdev = NULL, *d;
922
923 BT_DBG("%d", index);
924
925 if (index < 0)
926 return NULL;
927
928 read_lock(&hci_dev_list_lock);
929 list_for_each_entry(d, &hci_dev_list, list) {
930 if (d->id == index) {
931 hdev = hci_dev_hold(d);
932 break;
933 }
934 }
935 read_unlock(&hci_dev_list_lock);
936 return hdev;
937}
938
939/* ---- Inquiry support ---- */
940
941bool hci_discovery_active(struct hci_dev *hdev)
942{
943 struct discovery_state *discov = &hdev->discovery;
944
945 switch (discov->state) {
946 case DISCOVERY_FINDING:
947 case DISCOVERY_RESOLVING:
948 return true;
949
950 default:
951 return false;
952 }
953}
954
955void hci_discovery_set_state(struct hci_dev *hdev, int state)
956{
957 int old_state = hdev->discovery.state;
958
959 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
960
961 if (old_state == state)
962 return;
963
964 hdev->discovery.state = state;
965
966 switch (state) {
967 case DISCOVERY_STOPPED:
968 hci_update_background_scan(hdev);
969
970 if (old_state != DISCOVERY_STARTING)
971 mgmt_discovering(hdev, 0);
972 break;
973 case DISCOVERY_STARTING:
974 break;
975 case DISCOVERY_FINDING:
976 mgmt_discovering(hdev, 1);
977 break;
978 case DISCOVERY_RESOLVING:
979 break;
980 case DISCOVERY_STOPPING:
981 break;
982 }
983}
984
985void hci_inquiry_cache_flush(struct hci_dev *hdev)
986{
987 struct discovery_state *cache = &hdev->discovery;
988 struct inquiry_entry *p, *n;
989
990 list_for_each_entry_safe(p, n, &cache->all, all) {
991 list_del(&p->all);
992 kfree(p);
993 }
994
995 INIT_LIST_HEAD(&cache->unknown);
996 INIT_LIST_HEAD(&cache->resolve);
997}
998
999struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1000 bdaddr_t *bdaddr)
1001{
1002 struct discovery_state *cache = &hdev->discovery;
1003 struct inquiry_entry *e;
1004
1005 BT_DBG("cache %p, %pMR", cache, bdaddr);
1006
1007 list_for_each_entry(e, &cache->all, all) {
1008 if (!bacmp(&e->data.bdaddr, bdaddr))
1009 return e;
1010 }
1011
1012 return NULL;
1013}
1014
1015struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1016 bdaddr_t *bdaddr)
1017{
1018 struct discovery_state *cache = &hdev->discovery;
1019 struct inquiry_entry *e;
1020
1021 BT_DBG("cache %p, %pMR", cache, bdaddr);
1022
1023 list_for_each_entry(e, &cache->unknown, list) {
1024 if (!bacmp(&e->data.bdaddr, bdaddr))
1025 return e;
1026 }
1027
1028 return NULL;
1029}
1030
1031struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1032 bdaddr_t *bdaddr,
1033 int state)
1034{
1035 struct discovery_state *cache = &hdev->discovery;
1036 struct inquiry_entry *e;
1037
1038 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1039
1040 list_for_each_entry(e, &cache->resolve, list) {
1041 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1042 return e;
1043 if (!bacmp(&e->data.bdaddr, bdaddr))
1044 return e;
1045 }
1046
1047 return NULL;
1048}
1049
1050void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1051 struct inquiry_entry *ie)
1052{
1053 struct discovery_state *cache = &hdev->discovery;
1054 struct list_head *pos = &cache->resolve;
1055 struct inquiry_entry *p;
1056
1057 list_del(&ie->list);
1058
1059 list_for_each_entry(p, &cache->resolve, list) {
1060 if (p->name_state != NAME_PENDING &&
1061 abs(p->data.rssi) >= abs(ie->data.rssi))
1062 break;
1063 pos = &p->list;
1064 }
1065
1066 list_add(&ie->list, pos);
1067}
1068
1069u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1070 bool name_known)
1071{
1072 struct discovery_state *cache = &hdev->discovery;
1073 struct inquiry_entry *ie;
1074 u32 flags = 0;
1075
1076 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1077
1078 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1079
1080 if (!data->ssp_mode)
1081 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1082
1083 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1084 if (ie) {
1085 if (!ie->data.ssp_mode)
1086 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1087
1088 if (ie->name_state == NAME_NEEDED &&
1089 data->rssi != ie->data.rssi) {
1090 ie->data.rssi = data->rssi;
1091 hci_inquiry_cache_update_resolve(hdev, ie);
1092 }
1093
1094 goto update;
1095 }
1096
1097 /* Entry not in the cache. Add new one. */
1098 ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1099 if (!ie) {
1100 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1101 goto done;
1102 }
1103
1104 list_add(&ie->all, &cache->all);
1105
1106 if (name_known) {
1107 ie->name_state = NAME_KNOWN;
1108 } else {
1109 ie->name_state = NAME_NOT_KNOWN;
1110 list_add(&ie->list, &cache->unknown);
1111 }
1112
1113update:
1114 if (name_known && ie->name_state != NAME_KNOWN &&
1115 ie->name_state != NAME_PENDING) {
1116 ie->name_state = NAME_KNOWN;
1117 list_del(&ie->list);
1118 }
1119
1120 memcpy(&ie->data, data, sizeof(*data));
1121 ie->timestamp = jiffies;
1122 cache->timestamp = jiffies;
1123
1124 if (ie->name_state == NAME_NOT_KNOWN)
1125 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1126
1127done:
1128 return flags;
1129}
1130
1131static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1132{
1133 struct discovery_state *cache = &hdev->discovery;
1134 struct inquiry_info *info = (struct inquiry_info *) buf;
1135 struct inquiry_entry *e;
1136 int copied = 0;
1137
1138 list_for_each_entry(e, &cache->all, all) {
1139 struct inquiry_data *data = &e->data;
1140
1141 if (copied >= num)
1142 break;
1143
1144 bacpy(&info->bdaddr, &data->bdaddr);
1145 info->pscan_rep_mode = data->pscan_rep_mode;
1146 info->pscan_period_mode = data->pscan_period_mode;
1147 info->pscan_mode = data->pscan_mode;
1148 memcpy(info->dev_class, data->dev_class, 3);
1149 info->clock_offset = data->clock_offset;
1150
1151 info++;
1152 copied++;
1153 }
1154
1155 BT_DBG("cache %p, copied %d", cache, copied);
1156 return copied;
1157}
1158
1159static int hci_inq_req(struct hci_request *req, unsigned long opt)
1160{
1161 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1162 struct hci_dev *hdev = req->hdev;
1163 struct hci_cp_inquiry cp;
1164
1165 BT_DBG("%s", hdev->name);
1166
1167 if (test_bit(HCI_INQUIRY, &hdev->flags))
1168 return 0;
1169
1170 /* Start Inquiry */
1171 memcpy(&cp.lap, &ir->lap, 3);
1172 cp.length = ir->length;
1173 cp.num_rsp = ir->num_rsp;
1174 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1175
1176 return 0;
1177}
1178
1179int hci_inquiry(void __user *arg)
1180{
1181 __u8 __user *ptr = arg;
1182 struct hci_inquiry_req ir;
1183 struct hci_dev *hdev;
1184 int err = 0, do_inquiry = 0, max_rsp;
1185 long timeo;
1186 __u8 *buf;
1187
1188 if (copy_from_user(&ir, ptr, sizeof(ir)))
1189 return -EFAULT;
1190
1191 hdev = hci_dev_get(ir.dev_id);
1192 if (!hdev)
1193 return -ENODEV;
1194
1195 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1196 err = -EBUSY;
1197 goto done;
1198 }
1199
1200 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1201 err = -EOPNOTSUPP;
1202 goto done;
1203 }
1204
1205 if (hdev->dev_type != HCI_BREDR) {
1206 err = -EOPNOTSUPP;
1207 goto done;
1208 }
1209
1210 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1211 err = -EOPNOTSUPP;
1212 goto done;
1213 }
1214
1215 hci_dev_lock(hdev);
1216 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1217 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1218 hci_inquiry_cache_flush(hdev);
1219 do_inquiry = 1;
1220 }
1221 hci_dev_unlock(hdev);
1222
1223 timeo = ir.length * msecs_to_jiffies(2000);
1224
1225 if (do_inquiry) {
1226 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1227 timeo, NULL);
1228 if (err < 0)
1229 goto done;
1230
1231 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1232 * cleared). If it is interrupted by a signal, return -EINTR.
1233 */
1234 if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1235 TASK_INTERRUPTIBLE))
1236 return -EINTR;
1237 }
1238
1239 /* for unlimited number of responses we will use buffer with
1240 * 255 entries
1241 */
1242 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1243
1244 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1245 * copy it to the user space.
1246 */
1247 buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1248 if (!buf) {
1249 err = -ENOMEM;
1250 goto done;
1251 }
1252
1253 hci_dev_lock(hdev);
1254 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1255 hci_dev_unlock(hdev);
1256
1257 BT_DBG("num_rsp %d", ir.num_rsp);
1258
1259 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1260 ptr += sizeof(ir);
1261 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1262 ir.num_rsp))
1263 err = -EFAULT;
1264 } else
1265 err = -EFAULT;
1266
1267 kfree(buf);
1268
1269done:
1270 hci_dev_put(hdev);
1271 return err;
1272}
1273
1274static int hci_dev_do_open(struct hci_dev *hdev)
1275{
1276 int ret = 0;
1277
1278 BT_DBG("%s %p", hdev->name, hdev);
1279
1280 hci_req_sync_lock(hdev);
1281
1282 if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1283 ret = -ENODEV;
1284 goto done;
1285 }
1286
1287 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1288 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
1289 /* Check for rfkill but allow the HCI setup stage to
1290 * proceed (which in itself doesn't cause any RF activity).
1291 */
1292 if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
1293 ret = -ERFKILL;
1294 goto done;
1295 }
1296
1297 /* Check for valid public address or a configured static
1298 * random adddress, but let the HCI setup proceed to
1299 * be able to determine if there is a public address
1300 * or not.
1301 *
1302 * In case of user channel usage, it is not important
1303 * if a public address or static random address is
1304 * available.
1305 *
1306 * This check is only valid for BR/EDR controllers
1307 * since AMP controllers do not have an address.
1308 */
1309 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1310 hdev->dev_type == HCI_BREDR &&
1311 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1312 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1313 ret = -EADDRNOTAVAIL;
1314 goto done;
1315 }
1316 }
1317
1318 if (test_bit(HCI_UP, &hdev->flags)) {
1319 ret = -EALREADY;
1320 goto done;
1321 }
1322
1323 if (hdev->open(hdev)) {
1324 ret = -EIO;
1325 goto done;
1326 }
1327
1328 set_bit(HCI_RUNNING, &hdev->flags);
1329 hci_sock_dev_event(hdev, HCI_DEV_OPEN);
1330
1331 atomic_set(&hdev->cmd_cnt, 1);
1332 set_bit(HCI_INIT, &hdev->flags);
1333
1334 if (hci_dev_test_flag(hdev, HCI_SETUP)) {
1335 hci_sock_dev_event(hdev, HCI_DEV_SETUP);
1336
1337 if (hdev->setup)
1338 ret = hdev->setup(hdev);
1339
1340 /* The transport driver can set these quirks before
1341 * creating the HCI device or in its setup callback.
1342 *
1343 * In case any of them is set, the controller has to
1344 * start up as unconfigured.
1345 */
1346 if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1347 test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks))
1348 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
1349
1350 /* For an unconfigured controller it is required to
1351 * read at least the version information provided by
1352 * the Read Local Version Information command.
1353 *
1354 * If the set_bdaddr driver callback is provided, then
1355 * also the original Bluetooth public device address
1356 * will be read using the Read BD Address command.
1357 */
1358 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1359 ret = __hci_unconf_init(hdev);
1360 }
1361
1362 if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
1363 /* If public address change is configured, ensure that
1364 * the address gets programmed. If the driver does not
1365 * support changing the public address, fail the power
1366 * on procedure.
1367 */
1368 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1369 hdev->set_bdaddr)
1370 ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1371 else
1372 ret = -EADDRNOTAVAIL;
1373 }
1374
1375 if (!ret) {
1376 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1377 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1378 ret = __hci_init(hdev);
1379 if (!ret && hdev->post_init)
1380 ret = hdev->post_init(hdev);
1381 }
1382 }
1383
1384 /* If the HCI Reset command is clearing all diagnostic settings,
1385 * then they need to be reprogrammed after the init procedure
1386 * completed.
1387 */
1388 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
1389 hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
1390 ret = hdev->set_diag(hdev, true);
1391
1392 clear_bit(HCI_INIT, &hdev->flags);
1393
1394 if (!ret) {
1395 hci_dev_hold(hdev);
1396 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1397 set_bit(HCI_UP, &hdev->flags);
1398 hci_sock_dev_event(hdev, HCI_DEV_UP);
1399 hci_leds_update_powered(hdev, true);
1400 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1401 !hci_dev_test_flag(hdev, HCI_CONFIG) &&
1402 !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1403 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1404 hci_dev_test_flag(hdev, HCI_MGMT) &&
1405 hdev->dev_type == HCI_BREDR) {
1406 ret = __hci_req_hci_power_on(hdev);
1407 mgmt_power_on(hdev, ret);
1408 }
1409 } else {
1410 /* Init failed, cleanup */
1411 flush_work(&hdev->tx_work);
1412 flush_work(&hdev->cmd_work);
1413 flush_work(&hdev->rx_work);
1414
1415 skb_queue_purge(&hdev->cmd_q);
1416 skb_queue_purge(&hdev->rx_q);
1417
1418 if (hdev->flush)
1419 hdev->flush(hdev);
1420
1421 if (hdev->sent_cmd) {
1422 kfree_skb(hdev->sent_cmd);
1423 hdev->sent_cmd = NULL;
1424 }
1425
1426 clear_bit(HCI_RUNNING, &hdev->flags);
1427 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1428
1429 hdev->close(hdev);
1430 hdev->flags &= BIT(HCI_RAW);
1431 }
1432
1433done:
1434 hci_req_sync_unlock(hdev);
1435 return ret;
1436}
1437
1438/* ---- HCI ioctl helpers ---- */
1439
1440int hci_dev_open(__u16 dev)
1441{
1442 struct hci_dev *hdev;
1443 int err;
1444
1445 hdev = hci_dev_get(dev);
1446 if (!hdev)
1447 return -ENODEV;
1448
1449 /* Devices that are marked as unconfigured can only be powered
1450 * up as user channel. Trying to bring them up as normal devices
1451 * will result into a failure. Only user channel operation is
1452 * possible.
1453 *
1454 * When this function is called for a user channel, the flag
1455 * HCI_USER_CHANNEL will be set first before attempting to
1456 * open the device.
1457 */
1458 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1459 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1460 err = -EOPNOTSUPP;
1461 goto done;
1462 }
1463
1464 /* We need to ensure that no other power on/off work is pending
1465 * before proceeding to call hci_dev_do_open. This is
1466 * particularly important if the setup procedure has not yet
1467 * completed.
1468 */
1469 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1470 cancel_delayed_work(&hdev->power_off);
1471
1472 /* After this call it is guaranteed that the setup procedure
1473 * has finished. This means that error conditions like RFKILL
1474 * or no valid public or static random address apply.
1475 */
1476 flush_workqueue(hdev->req_workqueue);
1477
1478 /* For controllers not using the management interface and that
1479 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1480 * so that pairing works for them. Once the management interface
1481 * is in use this bit will be cleared again and userspace has
1482 * to explicitly enable it.
1483 */
1484 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1485 !hci_dev_test_flag(hdev, HCI_MGMT))
1486 hci_dev_set_flag(hdev, HCI_BONDABLE);
1487
1488 err = hci_dev_do_open(hdev);
1489
1490done:
1491 hci_dev_put(hdev);
1492 return err;
1493}
1494
1495/* This function requires the caller holds hdev->lock */
1496static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1497{
1498 struct hci_conn_params *p;
1499
1500 list_for_each_entry(p, &hdev->le_conn_params, list) {
1501 if (p->conn) {
1502 hci_conn_drop(p->conn);
1503 hci_conn_put(p->conn);
1504 p->conn = NULL;
1505 }
1506 list_del_init(&p->action);
1507 }
1508
1509 BT_DBG("All LE pending actions cleared");
1510}
1511
1512int hci_dev_do_close(struct hci_dev *hdev)
1513{
1514 bool auto_off;
1515
1516 BT_DBG("%s %p", hdev->name, hdev);
1517
1518 if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
1519 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1520 test_bit(HCI_UP, &hdev->flags)) {
1521 /* Execute vendor specific shutdown routine */
1522 if (hdev->shutdown)
1523 hdev->shutdown(hdev);
1524 }
1525
1526 cancel_delayed_work(&hdev->power_off);
1527
1528 hci_request_cancel_all(hdev);
1529 hci_req_sync_lock(hdev);
1530
1531 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1532 cancel_delayed_work_sync(&hdev->cmd_timer);
1533 hci_req_sync_unlock(hdev);
1534 return 0;
1535 }
1536
1537 hci_leds_update_powered(hdev, false);
1538
1539 /* Flush RX and TX works */
1540 flush_work(&hdev->tx_work);
1541 flush_work(&hdev->rx_work);
1542
1543 if (hdev->discov_timeout > 0) {
1544 hdev->discov_timeout = 0;
1545 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1546 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1547 }
1548
1549 if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1550 cancel_delayed_work(&hdev->service_cache);
1551
1552 if (hci_dev_test_flag(hdev, HCI_MGMT))
1553 cancel_delayed_work_sync(&hdev->rpa_expired);
1554
1555 /* Avoid potential lockdep warnings from the *_flush() calls by
1556 * ensuring the workqueue is empty up front.
1557 */
1558 drain_workqueue(hdev->workqueue);
1559
1560 hci_dev_lock(hdev);
1561
1562 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1563
1564 auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
1565
1566 if (!auto_off && hdev->dev_type == HCI_BREDR &&
1567 hci_dev_test_flag(hdev, HCI_MGMT))
1568 __mgmt_power_off(hdev);
1569
1570 hci_inquiry_cache_flush(hdev);
1571 hci_pend_le_actions_clear(hdev);
1572 hci_conn_hash_flush(hdev);
1573 hci_dev_unlock(hdev);
1574
1575 smp_unregister(hdev);
1576
1577 hci_sock_dev_event(hdev, HCI_DEV_DOWN);
1578
1579 if (hdev->flush)
1580 hdev->flush(hdev);
1581
1582 /* Reset device */
1583 skb_queue_purge(&hdev->cmd_q);
1584 atomic_set(&hdev->cmd_cnt, 1);
1585 if (test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks) &&
1586 !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1587 set_bit(HCI_INIT, &hdev->flags);
1588 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT, NULL);
1589 clear_bit(HCI_INIT, &hdev->flags);
1590 }
1591
1592 /* flush cmd work */
1593 flush_work(&hdev->cmd_work);
1594
1595 /* Drop queues */
1596 skb_queue_purge(&hdev->rx_q);
1597 skb_queue_purge(&hdev->cmd_q);
1598 skb_queue_purge(&hdev->raw_q);
1599
1600 /* Drop last sent command */
1601 if (hdev->sent_cmd) {
1602 cancel_delayed_work_sync(&hdev->cmd_timer);
1603 kfree_skb(hdev->sent_cmd);
1604 hdev->sent_cmd = NULL;
1605 }
1606
1607 clear_bit(HCI_RUNNING, &hdev->flags);
1608 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1609
1610 /* After this point our queues are empty
1611 * and no tasks are scheduled. */
1612 hdev->close(hdev);
1613
1614 /* Clear flags */
1615 hdev->flags &= BIT(HCI_RAW);
1616 hci_dev_clear_volatile_flags(hdev);
1617
1618 /* Controller radio is available but is currently powered down */
1619 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1620
1621 memset(hdev->eir, 0, sizeof(hdev->eir));
1622 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1623 bacpy(&hdev->random_addr, BDADDR_ANY);
1624
1625 hci_req_sync_unlock(hdev);
1626
1627 hci_dev_put(hdev);
1628 return 0;
1629}
1630
1631int hci_dev_close(__u16 dev)
1632{
1633 struct hci_dev *hdev;
1634 int err;
1635
1636 hdev = hci_dev_get(dev);
1637 if (!hdev)
1638 return -ENODEV;
1639
1640 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1641 err = -EBUSY;
1642 goto done;
1643 }
1644
1645 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1646 cancel_delayed_work(&hdev->power_off);
1647
1648 err = hci_dev_do_close(hdev);
1649
1650done:
1651 hci_dev_put(hdev);
1652 return err;
1653}
1654
1655static int hci_dev_do_reset(struct hci_dev *hdev)
1656{
1657 int ret;
1658
1659 BT_DBG("%s %p", hdev->name, hdev);
1660
1661 hci_req_sync_lock(hdev);
1662
1663 /* Drop queues */
1664 skb_queue_purge(&hdev->rx_q);
1665 skb_queue_purge(&hdev->cmd_q);
1666
1667 /* Avoid potential lockdep warnings from the *_flush() calls by
1668 * ensuring the workqueue is empty up front.
1669 */
1670 drain_workqueue(hdev->workqueue);
1671
1672 hci_dev_lock(hdev);
1673 hci_inquiry_cache_flush(hdev);
1674 hci_conn_hash_flush(hdev);
1675 hci_dev_unlock(hdev);
1676
1677 if (hdev->flush)
1678 hdev->flush(hdev);
1679
1680 atomic_set(&hdev->cmd_cnt, 1);
1681 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1682
1683 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT, NULL);
1684
1685 hci_req_sync_unlock(hdev);
1686 return ret;
1687}
1688
1689int hci_dev_reset(__u16 dev)
1690{
1691 struct hci_dev *hdev;
1692 int err;
1693
1694 hdev = hci_dev_get(dev);
1695 if (!hdev)
1696 return -ENODEV;
1697
1698 if (!test_bit(HCI_UP, &hdev->flags)) {
1699 err = -ENETDOWN;
1700 goto done;
1701 }
1702
1703 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1704 err = -EBUSY;
1705 goto done;
1706 }
1707
1708 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1709 err = -EOPNOTSUPP;
1710 goto done;
1711 }
1712
1713 err = hci_dev_do_reset(hdev);
1714
1715done:
1716 hci_dev_put(hdev);
1717 return err;
1718}
1719
1720int hci_dev_reset_stat(__u16 dev)
1721{
1722 struct hci_dev *hdev;
1723 int ret = 0;
1724
1725 hdev = hci_dev_get(dev);
1726 if (!hdev)
1727 return -ENODEV;
1728
1729 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1730 ret = -EBUSY;
1731 goto done;
1732 }
1733
1734 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1735 ret = -EOPNOTSUPP;
1736 goto done;
1737 }
1738
1739 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1740
1741done:
1742 hci_dev_put(hdev);
1743 return ret;
1744}
1745
1746static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1747{
1748 bool conn_changed, discov_changed;
1749
1750 BT_DBG("%s scan 0x%02x", hdev->name, scan);
1751
1752 if ((scan & SCAN_PAGE))
1753 conn_changed = !hci_dev_test_and_set_flag(hdev,
1754 HCI_CONNECTABLE);
1755 else
1756 conn_changed = hci_dev_test_and_clear_flag(hdev,
1757 HCI_CONNECTABLE);
1758
1759 if ((scan & SCAN_INQUIRY)) {
1760 discov_changed = !hci_dev_test_and_set_flag(hdev,
1761 HCI_DISCOVERABLE);
1762 } else {
1763 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1764 discov_changed = hci_dev_test_and_clear_flag(hdev,
1765 HCI_DISCOVERABLE);
1766 }
1767
1768 if (!hci_dev_test_flag(hdev, HCI_MGMT))
1769 return;
1770
1771 if (conn_changed || discov_changed) {
1772 /* In case this was disabled through mgmt */
1773 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
1774
1775 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1776 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1777
1778 mgmt_new_settings(hdev);
1779 }
1780}
1781
1782int hci_dev_cmd(unsigned int cmd, void __user *arg)
1783{
1784 struct hci_dev *hdev;
1785 struct hci_dev_req dr;
1786 int err = 0;
1787
1788 if (copy_from_user(&dr, arg, sizeof(dr)))
1789 return -EFAULT;
1790
1791 hdev = hci_dev_get(dr.dev_id);
1792 if (!hdev)
1793 return -ENODEV;
1794
1795 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1796 err = -EBUSY;
1797 goto done;
1798 }
1799
1800 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1801 err = -EOPNOTSUPP;
1802 goto done;
1803 }
1804
1805 if (hdev->dev_type != HCI_BREDR) {
1806 err = -EOPNOTSUPP;
1807 goto done;
1808 }
1809
1810 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1811 err = -EOPNOTSUPP;
1812 goto done;
1813 }
1814
1815 switch (cmd) {
1816 case HCISETAUTH:
1817 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1818 HCI_INIT_TIMEOUT, NULL);
1819 break;
1820
1821 case HCISETENCRYPT:
1822 if (!lmp_encrypt_capable(hdev)) {
1823 err = -EOPNOTSUPP;
1824 break;
1825 }
1826
1827 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1828 /* Auth must be enabled first */
1829 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1830 HCI_INIT_TIMEOUT, NULL);
1831 if (err)
1832 break;
1833 }
1834
1835 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1836 HCI_INIT_TIMEOUT, NULL);
1837 break;
1838
1839 case HCISETSCAN:
1840 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1841 HCI_INIT_TIMEOUT, NULL);
1842
1843 /* Ensure that the connectable and discoverable states
1844 * get correctly modified as this was a non-mgmt change.
1845 */
1846 if (!err)
1847 hci_update_scan_state(hdev, dr.dev_opt);
1848 break;
1849
1850 case HCISETLINKPOL:
1851 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1852 HCI_INIT_TIMEOUT, NULL);
1853 break;
1854
1855 case HCISETLINKMODE:
1856 hdev->link_mode = ((__u16) dr.dev_opt) &
1857 (HCI_LM_MASTER | HCI_LM_ACCEPT);
1858 break;
1859
1860 case HCISETPTYPE:
1861 hdev->pkt_type = (__u16) dr.dev_opt;
1862 break;
1863
1864 case HCISETACLMTU:
1865 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
1866 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1867 break;
1868
1869 case HCISETSCOMTU:
1870 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
1871 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1872 break;
1873
1874 default:
1875 err = -EINVAL;
1876 break;
1877 }
1878
1879done:
1880 hci_dev_put(hdev);
1881 return err;
1882}
1883
1884int hci_get_dev_list(void __user *arg)
1885{
1886 struct hci_dev *hdev;
1887 struct hci_dev_list_req *dl;
1888 struct hci_dev_req *dr;
1889 int n = 0, size, err;
1890 __u16 dev_num;
1891
1892 if (get_user(dev_num, (__u16 __user *) arg))
1893 return -EFAULT;
1894
1895 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1896 return -EINVAL;
1897
1898 size = sizeof(*dl) + dev_num * sizeof(*dr);
1899
1900 dl = kzalloc(size, GFP_KERNEL);
1901 if (!dl)
1902 return -ENOMEM;
1903
1904 dr = dl->dev_req;
1905
1906 read_lock(&hci_dev_list_lock);
1907 list_for_each_entry(hdev, &hci_dev_list, list) {
1908 unsigned long flags = hdev->flags;
1909
1910 /* When the auto-off is configured it means the transport
1911 * is running, but in that case still indicate that the
1912 * device is actually down.
1913 */
1914 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1915 flags &= ~BIT(HCI_UP);
1916
1917 (dr + n)->dev_id = hdev->id;
1918 (dr + n)->dev_opt = flags;
1919
1920 if (++n >= dev_num)
1921 break;
1922 }
1923 read_unlock(&hci_dev_list_lock);
1924
1925 dl->dev_num = n;
1926 size = sizeof(*dl) + n * sizeof(*dr);
1927
1928 err = copy_to_user(arg, dl, size);
1929 kfree(dl);
1930
1931 return err ? -EFAULT : 0;
1932}
1933
1934int hci_get_dev_info(void __user *arg)
1935{
1936 struct hci_dev *hdev;
1937 struct hci_dev_info di;
1938 unsigned long flags;
1939 int err = 0;
1940
1941 if (copy_from_user(&di, arg, sizeof(di)))
1942 return -EFAULT;
1943
1944 hdev = hci_dev_get(di.dev_id);
1945 if (!hdev)
1946 return -ENODEV;
1947
1948 /* When the auto-off is configured it means the transport
1949 * is running, but in that case still indicate that the
1950 * device is actually down.
1951 */
1952 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1953 flags = hdev->flags & ~BIT(HCI_UP);
1954 else
1955 flags = hdev->flags;
1956
1957 strcpy(di.name, hdev->name);
1958 di.bdaddr = hdev->bdaddr;
1959 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
1960 di.flags = flags;
1961 di.pkt_type = hdev->pkt_type;
1962 if (lmp_bredr_capable(hdev)) {
1963 di.acl_mtu = hdev->acl_mtu;
1964 di.acl_pkts = hdev->acl_pkts;
1965 di.sco_mtu = hdev->sco_mtu;
1966 di.sco_pkts = hdev->sco_pkts;
1967 } else {
1968 di.acl_mtu = hdev->le_mtu;
1969 di.acl_pkts = hdev->le_pkts;
1970 di.sco_mtu = 0;
1971 di.sco_pkts = 0;
1972 }
1973 di.link_policy = hdev->link_policy;
1974 di.link_mode = hdev->link_mode;
1975
1976 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1977 memcpy(&di.features, &hdev->features, sizeof(di.features));
1978
1979 if (copy_to_user(arg, &di, sizeof(di)))
1980 err = -EFAULT;
1981
1982 hci_dev_put(hdev);
1983
1984 return err;
1985}
1986
1987/* ---- Interface to HCI drivers ---- */
1988
1989static int hci_rfkill_set_block(void *data, bool blocked)
1990{
1991 struct hci_dev *hdev = data;
1992
1993 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1994
1995 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1996 return -EBUSY;
1997
1998 if (blocked) {
1999 hci_dev_set_flag(hdev, HCI_RFKILLED);
2000 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
2001 !hci_dev_test_flag(hdev, HCI_CONFIG))
2002 hci_dev_do_close(hdev);
2003 } else {
2004 hci_dev_clear_flag(hdev, HCI_RFKILLED);
2005 }
2006
2007 return 0;
2008}
2009
2010static const struct rfkill_ops hci_rfkill_ops = {
2011 .set_block = hci_rfkill_set_block,
2012};
2013
2014static void hci_power_on(struct work_struct *work)
2015{
2016 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2017 int err;
2018
2019 BT_DBG("%s", hdev->name);
2020
2021 if (test_bit(HCI_UP, &hdev->flags) &&
2022 hci_dev_test_flag(hdev, HCI_MGMT) &&
2023 hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
2024 cancel_delayed_work(&hdev->power_off);
2025 hci_req_sync_lock(hdev);
2026 err = __hci_req_hci_power_on(hdev);
2027 hci_req_sync_unlock(hdev);
2028 mgmt_power_on(hdev, err);
2029 return;
2030 }
2031
2032 err = hci_dev_do_open(hdev);
2033 if (err < 0) {
2034 hci_dev_lock(hdev);
2035 mgmt_set_powered_failed(hdev, err);
2036 hci_dev_unlock(hdev);
2037 return;
2038 }
2039
2040 /* During the HCI setup phase, a few error conditions are
2041 * ignored and they need to be checked now. If they are still
2042 * valid, it is important to turn the device back off.
2043 */
2044 if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
2045 hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
2046 (hdev->dev_type == HCI_BREDR &&
2047 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2048 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2049 hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
2050 hci_dev_do_close(hdev);
2051 } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
2052 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2053 HCI_AUTO_OFF_TIMEOUT);
2054 }
2055
2056 if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
2057 /* For unconfigured devices, set the HCI_RAW flag
2058 * so that userspace can easily identify them.
2059 */
2060 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2061 set_bit(HCI_RAW, &hdev->flags);
2062
2063 /* For fully configured devices, this will send
2064 * the Index Added event. For unconfigured devices,
2065 * it will send Unconfigued Index Added event.
2066 *
2067 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2068 * and no event will be send.
2069 */
2070 mgmt_index_added(hdev);
2071 } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
2072 /* When the controller is now configured, then it
2073 * is important to clear the HCI_RAW flag.
2074 */
2075 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2076 clear_bit(HCI_RAW, &hdev->flags);
2077
2078 /* Powering on the controller with HCI_CONFIG set only
2079 * happens with the transition from unconfigured to
2080 * configured. This will send the Index Added event.
2081 */
2082 mgmt_index_added(hdev);
2083 }
2084}
2085
2086static void hci_power_off(struct work_struct *work)
2087{
2088 struct hci_dev *hdev = container_of(work, struct hci_dev,
2089 power_off.work);
2090
2091 BT_DBG("%s", hdev->name);
2092
2093 hci_dev_do_close(hdev);
2094}
2095
2096static void hci_error_reset(struct work_struct *work)
2097{
2098 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2099
2100 BT_DBG("%s", hdev->name);
2101
2102 if (hdev->hw_error)
2103 hdev->hw_error(hdev, hdev->hw_error_code);
2104 else
2105 BT_ERR("%s hardware error 0x%2.2x", hdev->name,
2106 hdev->hw_error_code);
2107
2108 if (hci_dev_do_close(hdev))
2109 return;
2110
2111 hci_dev_do_open(hdev);
2112}
2113
2114void hci_uuids_clear(struct hci_dev *hdev)
2115{
2116 struct bt_uuid *uuid, *tmp;
2117
2118 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2119 list_del(&uuid->list);
2120 kfree(uuid);
2121 }
2122}
2123
2124void hci_link_keys_clear(struct hci_dev *hdev)
2125{
2126 struct link_key *key;
2127
2128 list_for_each_entry_rcu(key, &hdev->link_keys, list) {
2129 list_del_rcu(&key->list);
2130 kfree_rcu(key, rcu);
2131 }
2132}
2133
2134void hci_smp_ltks_clear(struct hci_dev *hdev)
2135{
2136 struct smp_ltk *k;
2137
2138 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2139 list_del_rcu(&k->list);
2140 kfree_rcu(k, rcu);
2141 }
2142}
2143
2144void hci_smp_irks_clear(struct hci_dev *hdev)
2145{
2146 struct smp_irk *k;
2147
2148 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2149 list_del_rcu(&k->list);
2150 kfree_rcu(k, rcu);
2151 }
2152}
2153
2154struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2155{
2156 struct link_key *k;
2157
2158 rcu_read_lock();
2159 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2160 if (bacmp(bdaddr, &k->bdaddr) == 0) {
2161 rcu_read_unlock();
2162 return k;
2163 }
2164 }
2165 rcu_read_unlock();
2166
2167 return NULL;
2168}
2169
2170static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2171 u8 key_type, u8 old_key_type)
2172{
2173 /* Legacy key */
2174 if (key_type < 0x03)
2175 return true;
2176
2177 /* Debug keys are insecure so don't store them persistently */
2178 if (key_type == HCI_LK_DEBUG_COMBINATION)
2179 return false;
2180
2181 /* Changed combination key and there's no previous one */
2182 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2183 return false;
2184
2185 /* Security mode 3 case */
2186 if (!conn)
2187 return true;
2188
2189 /* BR/EDR key derived using SC from an LE link */
2190 if (conn->type == LE_LINK)
2191 return true;
2192
2193 /* Neither local nor remote side had no-bonding as requirement */
2194 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2195 return true;
2196
2197 /* Local side had dedicated bonding as requirement */
2198 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2199 return true;
2200
2201 /* Remote side had dedicated bonding as requirement */
2202 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2203 return true;
2204
2205 /* If none of the above criteria match, then don't store the key
2206 * persistently */
2207 return false;
2208}
2209
2210static u8 ltk_role(u8 type)
2211{
2212 if (type == SMP_LTK)
2213 return HCI_ROLE_MASTER;
2214
2215 return HCI_ROLE_SLAVE;
2216}
2217
2218struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2219 u8 addr_type, u8 role)
2220{
2221 struct smp_ltk *k;
2222
2223 rcu_read_lock();
2224 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2225 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2226 continue;
2227
2228 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2229 rcu_read_unlock();
2230 return k;
2231 }
2232 }
2233 rcu_read_unlock();
2234
2235 return NULL;
2236}
2237
2238struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2239{
2240 struct smp_irk *irk;
2241
2242 rcu_read_lock();
2243 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2244 if (!bacmp(&irk->rpa, rpa)) {
2245 rcu_read_unlock();
2246 return irk;
2247 }
2248 }
2249
2250 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2251 if (smp_irk_matches(hdev, irk->val, rpa)) {
2252 bacpy(&irk->rpa, rpa);
2253 rcu_read_unlock();
2254 return irk;
2255 }
2256 }
2257 rcu_read_unlock();
2258
2259 return NULL;
2260}
2261
2262struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2263 u8 addr_type)
2264{
2265 struct smp_irk *irk;
2266
2267 /* Identity Address must be public or static random */
2268 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2269 return NULL;
2270
2271 rcu_read_lock();
2272 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2273 if (addr_type == irk->addr_type &&
2274 bacmp(bdaddr, &irk->bdaddr) == 0) {
2275 rcu_read_unlock();
2276 return irk;
2277 }
2278 }
2279 rcu_read_unlock();
2280
2281 return NULL;
2282}
2283
2284struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2285 bdaddr_t *bdaddr, u8 *val, u8 type,
2286 u8 pin_len, bool *persistent)
2287{
2288 struct link_key *key, *old_key;
2289 u8 old_key_type;
2290
2291 old_key = hci_find_link_key(hdev, bdaddr);
2292 if (old_key) {
2293 old_key_type = old_key->type;
2294 key = old_key;
2295 } else {
2296 old_key_type = conn ? conn->key_type : 0xff;
2297 key = kzalloc(sizeof(*key), GFP_KERNEL);
2298 if (!key)
2299 return NULL;
2300 list_add_rcu(&key->list, &hdev->link_keys);
2301 }
2302
2303 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2304
2305 /* Some buggy controller combinations generate a changed
2306 * combination key for legacy pairing even when there's no
2307 * previous key */
2308 if (type == HCI_LK_CHANGED_COMBINATION &&
2309 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2310 type = HCI_LK_COMBINATION;
2311 if (conn)
2312 conn->key_type = type;
2313 }
2314
2315 bacpy(&key->bdaddr, bdaddr);
2316 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2317 key->pin_len = pin_len;
2318
2319 if (type == HCI_LK_CHANGED_COMBINATION)
2320 key->type = old_key_type;
2321 else
2322 key->type = type;
2323
2324 if (persistent)
2325 *persistent = hci_persistent_key(hdev, conn, type,
2326 old_key_type);
2327
2328 return key;
2329}
2330
2331struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2332 u8 addr_type, u8 type, u8 authenticated,
2333 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2334{
2335 struct smp_ltk *key, *old_key;
2336 u8 role = ltk_role(type);
2337
2338 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2339 if (old_key)
2340 key = old_key;
2341 else {
2342 key = kzalloc(sizeof(*key), GFP_KERNEL);
2343 if (!key)
2344 return NULL;
2345 list_add_rcu(&key->list, &hdev->long_term_keys);
2346 }
2347
2348 bacpy(&key->bdaddr, bdaddr);
2349 key->bdaddr_type = addr_type;
2350 memcpy(key->val, tk, sizeof(key->val));
2351 key->authenticated = authenticated;
2352 key->ediv = ediv;
2353 key->rand = rand;
2354 key->enc_size = enc_size;
2355 key->type = type;
2356
2357 return key;
2358}
2359
2360struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2361 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2362{
2363 struct smp_irk *irk;
2364
2365 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2366 if (!irk) {
2367 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2368 if (!irk)
2369 return NULL;
2370
2371 bacpy(&irk->bdaddr, bdaddr);
2372 irk->addr_type = addr_type;
2373
2374 list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2375 }
2376
2377 memcpy(irk->val, val, 16);
2378 bacpy(&irk->rpa, rpa);
2379
2380 return irk;
2381}
2382
2383int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2384{
2385 struct link_key *key;
2386
2387 key = hci_find_link_key(hdev, bdaddr);
2388 if (!key)
2389 return -ENOENT;
2390
2391 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2392
2393 list_del_rcu(&key->list);
2394 kfree_rcu(key, rcu);
2395
2396 return 0;
2397}
2398
2399int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2400{
2401 struct smp_ltk *k;
2402 int removed = 0;
2403
2404 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2405 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2406 continue;
2407
2408 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2409
2410 list_del_rcu(&k->list);
2411 kfree_rcu(k, rcu);
2412 removed++;
2413 }
2414
2415 return removed ? 0 : -ENOENT;
2416}
2417
2418void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2419{
2420 struct smp_irk *k;
2421
2422 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2423 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2424 continue;
2425
2426 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2427
2428 list_del_rcu(&k->list);
2429 kfree_rcu(k, rcu);
2430 }
2431}
2432
2433bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2434{
2435 struct smp_ltk *k;
2436 struct smp_irk *irk;
2437 u8 addr_type;
2438
2439 if (type == BDADDR_BREDR) {
2440 if (hci_find_link_key(hdev, bdaddr))
2441 return true;
2442 return false;
2443 }
2444
2445 /* Convert to HCI addr type which struct smp_ltk uses */
2446 if (type == BDADDR_LE_PUBLIC)
2447 addr_type = ADDR_LE_DEV_PUBLIC;
2448 else
2449 addr_type = ADDR_LE_DEV_RANDOM;
2450
2451 irk = hci_get_irk(hdev, bdaddr, addr_type);
2452 if (irk) {
2453 bdaddr = &irk->bdaddr;
2454 addr_type = irk->addr_type;
2455 }
2456
2457 rcu_read_lock();
2458 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2459 if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
2460 rcu_read_unlock();
2461 return true;
2462 }
2463 }
2464 rcu_read_unlock();
2465
2466 return false;
2467}
2468
2469/* HCI command timer function */
2470static void hci_cmd_timeout(struct work_struct *work)
2471{
2472 struct hci_dev *hdev = container_of(work, struct hci_dev,
2473 cmd_timer.work);
2474
2475 if (hdev->sent_cmd) {
2476 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2477 u16 opcode = __le16_to_cpu(sent->opcode);
2478
2479 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2480 } else {
2481 BT_ERR("%s command tx timeout", hdev->name);
2482 }
2483
2484 atomic_set(&hdev->cmd_cnt, 1);
2485 queue_work(hdev->workqueue, &hdev->cmd_work);
2486}
2487
2488struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2489 bdaddr_t *bdaddr, u8 bdaddr_type)
2490{
2491 struct oob_data *data;
2492
2493 list_for_each_entry(data, &hdev->remote_oob_data, list) {
2494 if (bacmp(bdaddr, &data->bdaddr) != 0)
2495 continue;
2496 if (data->bdaddr_type != bdaddr_type)
2497 continue;
2498 return data;
2499 }
2500
2501 return NULL;
2502}
2503
2504int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2505 u8 bdaddr_type)
2506{
2507 struct oob_data *data;
2508
2509 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2510 if (!data)
2511 return -ENOENT;
2512
2513 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2514
2515 list_del(&data->list);
2516 kfree(data);
2517
2518 return 0;
2519}
2520
2521void hci_remote_oob_data_clear(struct hci_dev *hdev)
2522{
2523 struct oob_data *data, *n;
2524
2525 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2526 list_del(&data->list);
2527 kfree(data);
2528 }
2529}
2530
2531int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2532 u8 bdaddr_type, u8 *hash192, u8 *rand192,
2533 u8 *hash256, u8 *rand256)
2534{
2535 struct oob_data *data;
2536
2537 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2538 if (!data) {
2539 data = kmalloc(sizeof(*data), GFP_KERNEL);
2540 if (!data)
2541 return -ENOMEM;
2542
2543 bacpy(&data->bdaddr, bdaddr);
2544 data->bdaddr_type = bdaddr_type;
2545 list_add(&data->list, &hdev->remote_oob_data);
2546 }
2547
2548 if (hash192 && rand192) {
2549 memcpy(data->hash192, hash192, sizeof(data->hash192));
2550 memcpy(data->rand192, rand192, sizeof(data->rand192));
2551 if (hash256 && rand256)
2552 data->present = 0x03;
2553 } else {
2554 memset(data->hash192, 0, sizeof(data->hash192));
2555 memset(data->rand192, 0, sizeof(data->rand192));
2556 if (hash256 && rand256)
2557 data->present = 0x02;
2558 else
2559 data->present = 0x00;
2560 }
2561
2562 if (hash256 && rand256) {
2563 memcpy(data->hash256, hash256, sizeof(data->hash256));
2564 memcpy(data->rand256, rand256, sizeof(data->rand256));
2565 } else {
2566 memset(data->hash256, 0, sizeof(data->hash256));
2567 memset(data->rand256, 0, sizeof(data->rand256));
2568 if (hash192 && rand192)
2569 data->present = 0x01;
2570 }
2571
2572 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2573
2574 return 0;
2575}
2576
2577/* This function requires the caller holds hdev->lock */
2578struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
2579{
2580 struct adv_info *adv_instance;
2581
2582 list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
2583 if (adv_instance->instance == instance)
2584 return adv_instance;
2585 }
2586
2587 return NULL;
2588}
2589
2590/* This function requires the caller holds hdev->lock */
2591struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
2592{
2593 struct adv_info *cur_instance;
2594
2595 cur_instance = hci_find_adv_instance(hdev, instance);
2596 if (!cur_instance)
2597 return NULL;
2598
2599 if (cur_instance == list_last_entry(&hdev->adv_instances,
2600 struct adv_info, list))
2601 return list_first_entry(&hdev->adv_instances,
2602 struct adv_info, list);
2603 else
2604 return list_next_entry(cur_instance, list);
2605}
2606
2607/* This function requires the caller holds hdev->lock */
2608int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
2609{
2610 struct adv_info *adv_instance;
2611
2612 adv_instance = hci_find_adv_instance(hdev, instance);
2613 if (!adv_instance)
2614 return -ENOENT;
2615
2616 BT_DBG("%s removing %dMR", hdev->name, instance);
2617
2618 if (hdev->cur_adv_instance == instance) {
2619 if (hdev->adv_instance_timeout) {
2620 cancel_delayed_work(&hdev->adv_instance_expire);
2621 hdev->adv_instance_timeout = 0;
2622 }
2623 hdev->cur_adv_instance = 0x00;
2624 }
2625
2626 list_del(&adv_instance->list);
2627 kfree(adv_instance);
2628
2629 hdev->adv_instance_cnt--;
2630
2631 return 0;
2632}
2633
2634/* This function requires the caller holds hdev->lock */
2635void hci_adv_instances_clear(struct hci_dev *hdev)
2636{
2637 struct adv_info *adv_instance, *n;
2638
2639 if (hdev->adv_instance_timeout) {
2640 cancel_delayed_work(&hdev->adv_instance_expire);
2641 hdev->adv_instance_timeout = 0;
2642 }
2643
2644 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
2645 list_del(&adv_instance->list);
2646 kfree(adv_instance);
2647 }
2648
2649 hdev->adv_instance_cnt = 0;
2650 hdev->cur_adv_instance = 0x00;
2651}
2652
2653/* This function requires the caller holds hdev->lock */
2654int hci_add_adv_instance(struct hci_dev *hdev, u8 instance, u32 flags,
2655 u16 adv_data_len, u8 *adv_data,
2656 u16 scan_rsp_len, u8 *scan_rsp_data,
2657 u16 timeout, u16 duration)
2658{
2659 struct adv_info *adv_instance;
2660
2661 adv_instance = hci_find_adv_instance(hdev, instance);
2662 if (adv_instance) {
2663 memset(adv_instance->adv_data, 0,
2664 sizeof(adv_instance->adv_data));
2665 memset(adv_instance->scan_rsp_data, 0,
2666 sizeof(adv_instance->scan_rsp_data));
2667 } else {
2668 if (hdev->adv_instance_cnt >= HCI_MAX_ADV_INSTANCES ||
2669 instance < 1 || instance > HCI_MAX_ADV_INSTANCES)
2670 return -EOVERFLOW;
2671
2672 adv_instance = kzalloc(sizeof(*adv_instance), GFP_KERNEL);
2673 if (!adv_instance)
2674 return -ENOMEM;
2675
2676 adv_instance->pending = true;
2677 adv_instance->instance = instance;
2678 list_add(&adv_instance->list, &hdev->adv_instances);
2679 hdev->adv_instance_cnt++;
2680 }
2681
2682 adv_instance->flags = flags;
2683 adv_instance->adv_data_len = adv_data_len;
2684 adv_instance->scan_rsp_len = scan_rsp_len;
2685
2686 if (adv_data_len)
2687 memcpy(adv_instance->adv_data, adv_data, adv_data_len);
2688
2689 if (scan_rsp_len)
2690 memcpy(adv_instance->scan_rsp_data,
2691 scan_rsp_data, scan_rsp_len);
2692
2693 adv_instance->timeout = timeout;
2694 adv_instance->remaining_time = timeout;
2695
2696 if (duration == 0)
2697 adv_instance->duration = HCI_DEFAULT_ADV_DURATION;
2698 else
2699 adv_instance->duration = duration;
2700
2701 BT_DBG("%s for %dMR", hdev->name, instance);
2702
2703 return 0;
2704}
2705
2706struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2707 bdaddr_t *bdaddr, u8 type)
2708{
2709 struct bdaddr_list *b;
2710
2711 list_for_each_entry(b, bdaddr_list, list) {
2712 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2713 return b;
2714 }
2715
2716 return NULL;
2717}
2718
2719void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2720{
2721 struct bdaddr_list *b, *n;
2722
2723 list_for_each_entry_safe(b, n, bdaddr_list, list) {
2724 list_del(&b->list);
2725 kfree(b);
2726 }
2727}
2728
2729int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2730{
2731 struct bdaddr_list *entry;
2732
2733 if (!bacmp(bdaddr, BDADDR_ANY))
2734 return -EBADF;
2735
2736 if (hci_bdaddr_list_lookup(list, bdaddr, type))
2737 return -EEXIST;
2738
2739 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2740 if (!entry)
2741 return -ENOMEM;
2742
2743 bacpy(&entry->bdaddr, bdaddr);
2744 entry->bdaddr_type = type;
2745
2746 list_add(&entry->list, list);
2747
2748 return 0;
2749}
2750
2751int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2752{
2753 struct bdaddr_list *entry;
2754
2755 if (!bacmp(bdaddr, BDADDR_ANY)) {
2756 hci_bdaddr_list_clear(list);
2757 return 0;
2758 }
2759
2760 entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2761 if (!entry)
2762 return -ENOENT;
2763
2764 list_del(&entry->list);
2765 kfree(entry);
2766
2767 return 0;
2768}
2769
2770/* This function requires the caller holds hdev->lock */
2771struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2772 bdaddr_t *addr, u8 addr_type)
2773{
2774 struct hci_conn_params *params;
2775
2776 list_for_each_entry(params, &hdev->le_conn_params, list) {
2777 if (bacmp(¶ms->addr, addr) == 0 &&
2778 params->addr_type == addr_type) {
2779 return params;
2780 }
2781 }
2782
2783 return NULL;
2784}
2785
2786/* This function requires the caller holds hdev->lock */
2787struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2788 bdaddr_t *addr, u8 addr_type)
2789{
2790 struct hci_conn_params *param;
2791
2792 list_for_each_entry(param, list, action) {
2793 if (bacmp(¶m->addr, addr) == 0 &&
2794 param->addr_type == addr_type)
2795 return param;
2796 }
2797
2798 return NULL;
2799}
2800
2801/* This function requires the caller holds hdev->lock */
2802struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2803 bdaddr_t *addr, u8 addr_type)
2804{
2805 struct hci_conn_params *params;
2806
2807 params = hci_conn_params_lookup(hdev, addr, addr_type);
2808 if (params)
2809 return params;
2810
2811 params = kzalloc(sizeof(*params), GFP_KERNEL);
2812 if (!params) {
2813 BT_ERR("Out of memory");
2814 return NULL;
2815 }
2816
2817 bacpy(¶ms->addr, addr);
2818 params->addr_type = addr_type;
2819
2820 list_add(¶ms->list, &hdev->le_conn_params);
2821 INIT_LIST_HEAD(¶ms->action);
2822
2823 params->conn_min_interval = hdev->le_conn_min_interval;
2824 params->conn_max_interval = hdev->le_conn_max_interval;
2825 params->conn_latency = hdev->le_conn_latency;
2826 params->supervision_timeout = hdev->le_supv_timeout;
2827 params->auto_connect = HCI_AUTO_CONN_DISABLED;
2828
2829 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2830
2831 return params;
2832}
2833
2834static void hci_conn_params_free(struct hci_conn_params *params)
2835{
2836 if (params->conn) {
2837 hci_conn_drop(params->conn);
2838 hci_conn_put(params->conn);
2839 }
2840
2841 list_del(¶ms->action);
2842 list_del(¶ms->list);
2843 kfree(params);
2844}
2845
2846/* This function requires the caller holds hdev->lock */
2847void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2848{
2849 struct hci_conn_params *params;
2850
2851 params = hci_conn_params_lookup(hdev, addr, addr_type);
2852 if (!params)
2853 return;
2854
2855 hci_conn_params_free(params);
2856
2857 hci_update_background_scan(hdev);
2858
2859 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2860}
2861
2862/* This function requires the caller holds hdev->lock */
2863void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2864{
2865 struct hci_conn_params *params, *tmp;
2866
2867 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2868 if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2869 continue;
2870
2871 /* If trying to estabilish one time connection to disabled
2872 * device, leave the params, but mark them as just once.
2873 */
2874 if (params->explicit_connect) {
2875 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2876 continue;
2877 }
2878
2879 list_del(¶ms->list);
2880 kfree(params);
2881 }
2882
2883 BT_DBG("All LE disabled connection parameters were removed");
2884}
2885
2886/* This function requires the caller holds hdev->lock */
2887static void hci_conn_params_clear_all(struct hci_dev *hdev)
2888{
2889 struct hci_conn_params *params, *tmp;
2890
2891 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2892 hci_conn_params_free(params);
2893
2894 BT_DBG("All LE connection parameters were removed");
2895}
2896
2897/* Copy the Identity Address of the controller.
2898 *
2899 * If the controller has a public BD_ADDR, then by default use that one.
2900 * If this is a LE only controller without a public address, default to
2901 * the static random address.
2902 *
2903 * For debugging purposes it is possible to force controllers with a
2904 * public address to use the static random address instead.
2905 *
2906 * In case BR/EDR has been disabled on a dual-mode controller and
2907 * userspace has configured a static address, then that address
2908 * becomes the identity address instead of the public BR/EDR address.
2909 */
2910void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2911 u8 *bdaddr_type)
2912{
2913 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2914 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2915 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2916 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2917 bacpy(bdaddr, &hdev->static_addr);
2918 *bdaddr_type = ADDR_LE_DEV_RANDOM;
2919 } else {
2920 bacpy(bdaddr, &hdev->bdaddr);
2921 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
2922 }
2923}
2924
2925/* Alloc HCI device */
2926struct hci_dev *hci_alloc_dev(void)
2927{
2928 struct hci_dev *hdev;
2929
2930 hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
2931 if (!hdev)
2932 return NULL;
2933
2934 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2935 hdev->esco_type = (ESCO_HV1);
2936 hdev->link_mode = (HCI_LM_ACCEPT);
2937 hdev->num_iac = 0x01; /* One IAC support is mandatory */
2938 hdev->io_capability = 0x03; /* No Input No Output */
2939 hdev->manufacturer = 0xffff; /* Default to internal use */
2940 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2941 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2942 hdev->adv_instance_cnt = 0;
2943 hdev->cur_adv_instance = 0x00;
2944 hdev->adv_instance_timeout = 0;
2945
2946 hdev->sniff_max_interval = 800;
2947 hdev->sniff_min_interval = 80;
2948
2949 hdev->le_adv_channel_map = 0x07;
2950 hdev->le_adv_min_interval = 0x0800;
2951 hdev->le_adv_max_interval = 0x0800;
2952 hdev->le_scan_interval = 0x0060;
2953 hdev->le_scan_window = 0x0030;
2954 hdev->le_conn_min_interval = 0x0028;
2955 hdev->le_conn_max_interval = 0x0038;
2956 hdev->le_conn_latency = 0x0000;
2957 hdev->le_supv_timeout = 0x002a;
2958 hdev->le_def_tx_len = 0x001b;
2959 hdev->le_def_tx_time = 0x0148;
2960 hdev->le_max_tx_len = 0x001b;
2961 hdev->le_max_tx_time = 0x0148;
2962 hdev->le_max_rx_len = 0x001b;
2963 hdev->le_max_rx_time = 0x0148;
2964
2965 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2966 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2967 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2968 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2969
2970 mutex_init(&hdev->lock);
2971 mutex_init(&hdev->req_lock);
2972
2973 INIT_LIST_HEAD(&hdev->mgmt_pending);
2974 INIT_LIST_HEAD(&hdev->blacklist);
2975 INIT_LIST_HEAD(&hdev->whitelist);
2976 INIT_LIST_HEAD(&hdev->uuids);
2977 INIT_LIST_HEAD(&hdev->link_keys);
2978 INIT_LIST_HEAD(&hdev->long_term_keys);
2979 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2980 INIT_LIST_HEAD(&hdev->remote_oob_data);
2981 INIT_LIST_HEAD(&hdev->le_white_list);
2982 INIT_LIST_HEAD(&hdev->le_conn_params);
2983 INIT_LIST_HEAD(&hdev->pend_le_conns);
2984 INIT_LIST_HEAD(&hdev->pend_le_reports);
2985 INIT_LIST_HEAD(&hdev->conn_hash.list);
2986 INIT_LIST_HEAD(&hdev->adv_instances);
2987
2988 INIT_WORK(&hdev->rx_work, hci_rx_work);
2989 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2990 INIT_WORK(&hdev->tx_work, hci_tx_work);
2991 INIT_WORK(&hdev->power_on, hci_power_on);
2992 INIT_WORK(&hdev->error_reset, hci_error_reset);
2993
2994 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2995
2996 skb_queue_head_init(&hdev->rx_q);
2997 skb_queue_head_init(&hdev->cmd_q);
2998 skb_queue_head_init(&hdev->raw_q);
2999
3000 init_waitqueue_head(&hdev->req_wait_q);
3001
3002 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3003
3004 hci_request_setup(hdev);
3005
3006 hci_init_sysfs(hdev);
3007 discovery_init(hdev);
3008
3009 return hdev;
3010}
3011EXPORT_SYMBOL(hci_alloc_dev);
3012
3013/* Free HCI device */
3014void hci_free_dev(struct hci_dev *hdev)
3015{
3016 /* will free via device release */
3017 put_device(&hdev->dev);
3018}
3019EXPORT_SYMBOL(hci_free_dev);
3020
3021/* Register HCI device */
3022int hci_register_dev(struct hci_dev *hdev)
3023{
3024 int id, error;
3025
3026 if (!hdev->open || !hdev->close || !hdev->send)
3027 return -EINVAL;
3028
3029 /* Do not allow HCI_AMP devices to register at index 0,
3030 * so the index can be used as the AMP controller ID.
3031 */
3032 switch (hdev->dev_type) {
3033 case HCI_BREDR:
3034 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3035 break;
3036 case HCI_AMP:
3037 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3038 break;
3039 default:
3040 return -EINVAL;
3041 }
3042
3043 if (id < 0)
3044 return id;
3045
3046 sprintf(hdev->name, "hci%d", id);
3047 hdev->id = id;
3048
3049 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3050
3051 hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3052 WQ_MEM_RECLAIM, 1, hdev->name);
3053 if (!hdev->workqueue) {
3054 error = -ENOMEM;
3055 goto err;
3056 }
3057
3058 hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3059 WQ_MEM_RECLAIM, 1, hdev->name);
3060 if (!hdev->req_workqueue) {
3061 destroy_workqueue(hdev->workqueue);
3062 error = -ENOMEM;
3063 goto err;
3064 }
3065
3066 if (!IS_ERR_OR_NULL(bt_debugfs))
3067 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3068
3069 dev_set_name(&hdev->dev, "%s", hdev->name);
3070
3071 error = device_add(&hdev->dev);
3072 if (error < 0)
3073 goto err_wqueue;
3074
3075 hci_leds_init(hdev);
3076
3077 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3078 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3079 hdev);
3080 if (hdev->rfkill) {
3081 if (rfkill_register(hdev->rfkill) < 0) {
3082 rfkill_destroy(hdev->rfkill);
3083 hdev->rfkill = NULL;
3084 }
3085 }
3086
3087 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3088 hci_dev_set_flag(hdev, HCI_RFKILLED);
3089
3090 hci_dev_set_flag(hdev, HCI_SETUP);
3091 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
3092
3093 if (hdev->dev_type == HCI_BREDR) {
3094 /* Assume BR/EDR support until proven otherwise (such as
3095 * through reading supported features during init.
3096 */
3097 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
3098 }
3099
3100 write_lock(&hci_dev_list_lock);
3101 list_add(&hdev->list, &hci_dev_list);
3102 write_unlock(&hci_dev_list_lock);
3103
3104 /* Devices that are marked for raw-only usage are unconfigured
3105 * and should not be included in normal operation.
3106 */
3107 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3108 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
3109
3110 hci_sock_dev_event(hdev, HCI_DEV_REG);
3111 hci_dev_hold(hdev);
3112
3113 queue_work(hdev->req_workqueue, &hdev->power_on);
3114
3115 return id;
3116
3117err_wqueue:
3118 destroy_workqueue(hdev->workqueue);
3119 destroy_workqueue(hdev->req_workqueue);
3120err:
3121 ida_simple_remove(&hci_index_ida, hdev->id);
3122
3123 return error;
3124}
3125EXPORT_SYMBOL(hci_register_dev);
3126
3127/* Unregister HCI device */
3128void hci_unregister_dev(struct hci_dev *hdev)
3129{
3130 int id;
3131
3132 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3133
3134 hci_dev_set_flag(hdev, HCI_UNREGISTER);
3135
3136 id = hdev->id;
3137
3138 write_lock(&hci_dev_list_lock);
3139 list_del(&hdev->list);
3140 write_unlock(&hci_dev_list_lock);
3141
3142 hci_dev_do_close(hdev);
3143
3144 cancel_work_sync(&hdev->power_on);
3145
3146 if (!test_bit(HCI_INIT, &hdev->flags) &&
3147 !hci_dev_test_flag(hdev, HCI_SETUP) &&
3148 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
3149 hci_dev_lock(hdev);
3150 mgmt_index_removed(hdev);
3151 hci_dev_unlock(hdev);
3152 }
3153
3154 /* mgmt_index_removed should take care of emptying the
3155 * pending list */
3156 BUG_ON(!list_empty(&hdev->mgmt_pending));
3157
3158 hci_sock_dev_event(hdev, HCI_DEV_UNREG);
3159
3160 if (hdev->rfkill) {
3161 rfkill_unregister(hdev->rfkill);
3162 rfkill_destroy(hdev->rfkill);
3163 }
3164
3165 device_del(&hdev->dev);
3166
3167 debugfs_remove_recursive(hdev->debugfs);
3168
3169 destroy_workqueue(hdev->workqueue);
3170 destroy_workqueue(hdev->req_workqueue);
3171
3172 hci_dev_lock(hdev);
3173 hci_bdaddr_list_clear(&hdev->blacklist);
3174 hci_bdaddr_list_clear(&hdev->whitelist);
3175 hci_uuids_clear(hdev);
3176 hci_link_keys_clear(hdev);
3177 hci_smp_ltks_clear(hdev);
3178 hci_smp_irks_clear(hdev);
3179 hci_remote_oob_data_clear(hdev);
3180 hci_adv_instances_clear(hdev);
3181 hci_bdaddr_list_clear(&hdev->le_white_list);
3182 hci_conn_params_clear_all(hdev);
3183 hci_discovery_filter_clear(hdev);
3184 hci_dev_unlock(hdev);
3185
3186 hci_dev_put(hdev);
3187
3188 ida_simple_remove(&hci_index_ida, id);
3189}
3190EXPORT_SYMBOL(hci_unregister_dev);
3191
3192/* Suspend HCI device */
3193int hci_suspend_dev(struct hci_dev *hdev)
3194{
3195 hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
3196 return 0;
3197}
3198EXPORT_SYMBOL(hci_suspend_dev);
3199
3200/* Resume HCI device */
3201int hci_resume_dev(struct hci_dev *hdev)
3202{
3203 hci_sock_dev_event(hdev, HCI_DEV_RESUME);
3204 return 0;
3205}
3206EXPORT_SYMBOL(hci_resume_dev);
3207
3208/* Reset HCI device */
3209int hci_reset_dev(struct hci_dev *hdev)
3210{
3211 const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
3212 struct sk_buff *skb;
3213
3214 skb = bt_skb_alloc(3, GFP_ATOMIC);
3215 if (!skb)
3216 return -ENOMEM;
3217
3218 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
3219 memcpy(skb_put(skb, 3), hw_err, 3);
3220
3221 /* Send Hardware Error to upper stack */
3222 return hci_recv_frame(hdev, skb);
3223}
3224EXPORT_SYMBOL(hci_reset_dev);
3225
3226/* Receive frame from HCI drivers */
3227int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3228{
3229 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3230 && !test_bit(HCI_INIT, &hdev->flags))) {
3231 kfree_skb(skb);
3232 return -ENXIO;
3233 }
3234
3235 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
3236 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
3237 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
3238 kfree_skb(skb);
3239 return -EINVAL;
3240 }
3241
3242 /* Incoming skb */
3243 bt_cb(skb)->incoming = 1;
3244
3245 /* Time stamp */
3246 __net_timestamp(skb);
3247
3248 skb_queue_tail(&hdev->rx_q, skb);
3249 queue_work(hdev->workqueue, &hdev->rx_work);
3250
3251 return 0;
3252}
3253EXPORT_SYMBOL(hci_recv_frame);
3254
3255/* Receive diagnostic message from HCI drivers */
3256int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
3257{
3258 /* Mark as diagnostic packet */
3259 hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
3260
3261 /* Time stamp */
3262 __net_timestamp(skb);
3263
3264 skb_queue_tail(&hdev->rx_q, skb);
3265 queue_work(hdev->workqueue, &hdev->rx_work);
3266
3267 return 0;
3268}
3269EXPORT_SYMBOL(hci_recv_diag);
3270
3271/* ---- Interface to upper protocols ---- */
3272
3273int hci_register_cb(struct hci_cb *cb)
3274{
3275 BT_DBG("%p name %s", cb, cb->name);
3276
3277 mutex_lock(&hci_cb_list_lock);
3278 list_add_tail(&cb->list, &hci_cb_list);
3279 mutex_unlock(&hci_cb_list_lock);
3280
3281 return 0;
3282}
3283EXPORT_SYMBOL(hci_register_cb);
3284
3285int hci_unregister_cb(struct hci_cb *cb)
3286{
3287 BT_DBG("%p name %s", cb, cb->name);
3288
3289 mutex_lock(&hci_cb_list_lock);
3290 list_del(&cb->list);
3291 mutex_unlock(&hci_cb_list_lock);
3292
3293 return 0;
3294}
3295EXPORT_SYMBOL(hci_unregister_cb);
3296
3297static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3298{
3299 int err;
3300
3301 BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3302 skb->len);
3303
3304 /* Time stamp */
3305 __net_timestamp(skb);
3306
3307 /* Send copy to monitor */
3308 hci_send_to_monitor(hdev, skb);
3309
3310 if (atomic_read(&hdev->promisc)) {
3311 /* Send copy to the sockets */
3312 hci_send_to_sock(hdev, skb);
3313 }
3314
3315 /* Get rid of skb owner, prior to sending to the driver. */
3316 skb_orphan(skb);
3317
3318 if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3319 kfree_skb(skb);
3320 return;
3321 }
3322
3323 err = hdev->send(hdev, skb);
3324 if (err < 0) {
3325 BT_ERR("%s sending frame failed (%d)", hdev->name, err);
3326 kfree_skb(skb);
3327 }
3328}
3329
3330/* Send HCI command */
3331int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3332 const void *param)
3333{
3334 struct sk_buff *skb;
3335
3336 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3337
3338 skb = hci_prepare_cmd(hdev, opcode, plen, param);
3339 if (!skb) {
3340 BT_ERR("%s no memory for command", hdev->name);
3341 return -ENOMEM;
3342 }
3343
3344 /* Stand-alone HCI commands must be flagged as
3345 * single-command requests.
3346 */
3347 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3348
3349 skb_queue_tail(&hdev->cmd_q, skb);
3350 queue_work(hdev->workqueue, &hdev->cmd_work);
3351
3352 return 0;
3353}
3354
3355/* Get data from the previously sent command */
3356void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3357{
3358 struct hci_command_hdr *hdr;
3359
3360 if (!hdev->sent_cmd)
3361 return NULL;
3362
3363 hdr = (void *) hdev->sent_cmd->data;
3364
3365 if (hdr->opcode != cpu_to_le16(opcode))
3366 return NULL;
3367
3368 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3369
3370 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3371}
3372
3373/* Send HCI command and wait for command commplete event */
3374struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
3375 const void *param, u32 timeout)
3376{
3377 struct sk_buff *skb;
3378
3379 if (!test_bit(HCI_UP, &hdev->flags))
3380 return ERR_PTR(-ENETDOWN);
3381
3382 bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
3383
3384 hci_req_sync_lock(hdev);
3385 skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
3386 hci_req_sync_unlock(hdev);
3387
3388 return skb;
3389}
3390EXPORT_SYMBOL(hci_cmd_sync);
3391
3392/* Send ACL data */
3393static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3394{
3395 struct hci_acl_hdr *hdr;
3396 int len = skb->len;
3397
3398 skb_push(skb, HCI_ACL_HDR_SIZE);
3399 skb_reset_transport_header(skb);
3400 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3401 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3402 hdr->dlen = cpu_to_le16(len);
3403}
3404
3405static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3406 struct sk_buff *skb, __u16 flags)
3407{
3408 struct hci_conn *conn = chan->conn;
3409 struct hci_dev *hdev = conn->hdev;
3410 struct sk_buff *list;
3411
3412 skb->len = skb_headlen(skb);
3413 skb->data_len = 0;
3414
3415 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3416
3417 switch (hdev->dev_type) {
3418 case HCI_BREDR:
3419 hci_add_acl_hdr(skb, conn->handle, flags);
3420 break;
3421 case HCI_AMP:
3422 hci_add_acl_hdr(skb, chan->handle, flags);
3423 break;
3424 default:
3425 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3426 return;
3427 }
3428
3429 list = skb_shinfo(skb)->frag_list;
3430 if (!list) {
3431 /* Non fragmented */
3432 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3433
3434 skb_queue_tail(queue, skb);
3435 } else {
3436 /* Fragmented */
3437 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3438
3439 skb_shinfo(skb)->frag_list = NULL;
3440
3441 /* Queue all fragments atomically. We need to use spin_lock_bh
3442 * here because of 6LoWPAN links, as there this function is
3443 * called from softirq and using normal spin lock could cause
3444 * deadlocks.
3445 */
3446 spin_lock_bh(&queue->lock);
3447
3448 __skb_queue_tail(queue, skb);
3449
3450 flags &= ~ACL_START;
3451 flags |= ACL_CONT;
3452 do {
3453 skb = list; list = list->next;
3454
3455 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3456 hci_add_acl_hdr(skb, conn->handle, flags);
3457
3458 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3459
3460 __skb_queue_tail(queue, skb);
3461 } while (list);
3462
3463 spin_unlock_bh(&queue->lock);
3464 }
3465}
3466
3467void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3468{
3469 struct hci_dev *hdev = chan->conn->hdev;
3470
3471 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3472
3473 hci_queue_acl(chan, &chan->data_q, skb, flags);
3474
3475 queue_work(hdev->workqueue, &hdev->tx_work);
3476}
3477
3478/* Send SCO data */
3479void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3480{
3481 struct hci_dev *hdev = conn->hdev;
3482 struct hci_sco_hdr hdr;
3483
3484 BT_DBG("%s len %d", hdev->name, skb->len);
3485
3486 hdr.handle = cpu_to_le16(conn->handle);
3487 hdr.dlen = skb->len;
3488
3489 skb_push(skb, HCI_SCO_HDR_SIZE);
3490 skb_reset_transport_header(skb);
3491 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3492
3493 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3494
3495 skb_queue_tail(&conn->data_q, skb);
3496 queue_work(hdev->workqueue, &hdev->tx_work);
3497}
3498
3499/* ---- HCI TX task (outgoing data) ---- */
3500
3501/* HCI Connection scheduler */
3502static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3503 int *quote)
3504{
3505 struct hci_conn_hash *h = &hdev->conn_hash;
3506 struct hci_conn *conn = NULL, *c;
3507 unsigned int num = 0, min = ~0;
3508
3509 /* We don't have to lock device here. Connections are always
3510 * added and removed with TX task disabled. */
3511
3512 rcu_read_lock();
3513
3514 list_for_each_entry_rcu(c, &h->list, list) {
3515 if (c->type != type || skb_queue_empty(&c->data_q))
3516 continue;
3517
3518 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3519 continue;
3520
3521 num++;
3522
3523 if (c->sent < min) {
3524 min = c->sent;
3525 conn = c;
3526 }
3527
3528 if (hci_conn_num(hdev, type) == num)
3529 break;
3530 }
3531
3532 rcu_read_unlock();
3533
3534 if (conn) {
3535 int cnt, q;
3536
3537 switch (conn->type) {
3538 case ACL_LINK:
3539 cnt = hdev->acl_cnt;
3540 break;
3541 case SCO_LINK:
3542 case ESCO_LINK:
3543 cnt = hdev->sco_cnt;
3544 break;
3545 case LE_LINK:
3546 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3547 break;
3548 default:
3549 cnt = 0;
3550 BT_ERR("Unknown link type");
3551 }
3552
3553 q = cnt / num;
3554 *quote = q ? q : 1;
3555 } else
3556 *quote = 0;
3557
3558 BT_DBG("conn %p quote %d", conn, *quote);
3559 return conn;
3560}
3561
3562static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3563{
3564 struct hci_conn_hash *h = &hdev->conn_hash;
3565 struct hci_conn *c;
3566
3567 BT_ERR("%s link tx timeout", hdev->name);
3568
3569 rcu_read_lock();
3570
3571 /* Kill stalled connections */
3572 list_for_each_entry_rcu(c, &h->list, list) {
3573 if (c->type == type && c->sent) {
3574 BT_ERR("%s killing stalled connection %pMR",
3575 hdev->name, &c->dst);
3576 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3577 }
3578 }
3579
3580 rcu_read_unlock();
3581}
3582
3583static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3584 int *quote)
3585{
3586 struct hci_conn_hash *h = &hdev->conn_hash;
3587 struct hci_chan *chan = NULL;
3588 unsigned int num = 0, min = ~0, cur_prio = 0;
3589 struct hci_conn *conn;
3590 int cnt, q, conn_num = 0;
3591
3592 BT_DBG("%s", hdev->name);
3593
3594 rcu_read_lock();
3595
3596 list_for_each_entry_rcu(conn, &h->list, list) {
3597 struct hci_chan *tmp;
3598
3599 if (conn->type != type)
3600 continue;
3601
3602 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3603 continue;
3604
3605 conn_num++;
3606
3607 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3608 struct sk_buff *skb;
3609
3610 if (skb_queue_empty(&tmp->data_q))
3611 continue;
3612
3613 skb = skb_peek(&tmp->data_q);
3614 if (skb->priority < cur_prio)
3615 continue;
3616
3617 if (skb->priority > cur_prio) {
3618 num = 0;
3619 min = ~0;
3620 cur_prio = skb->priority;
3621 }
3622
3623 num++;
3624
3625 if (conn->sent < min) {
3626 min = conn->sent;
3627 chan = tmp;
3628 }
3629 }
3630
3631 if (hci_conn_num(hdev, type) == conn_num)
3632 break;
3633 }
3634
3635 rcu_read_unlock();
3636
3637 if (!chan)
3638 return NULL;
3639
3640 switch (chan->conn->type) {
3641 case ACL_LINK:
3642 cnt = hdev->acl_cnt;
3643 break;
3644 case AMP_LINK:
3645 cnt = hdev->block_cnt;
3646 break;
3647 case SCO_LINK:
3648 case ESCO_LINK:
3649 cnt = hdev->sco_cnt;
3650 break;
3651 case LE_LINK:
3652 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3653 break;
3654 default:
3655 cnt = 0;
3656 BT_ERR("Unknown link type");
3657 }
3658
3659 q = cnt / num;
3660 *quote = q ? q : 1;
3661 BT_DBG("chan %p quote %d", chan, *quote);
3662 return chan;
3663}
3664
3665static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3666{
3667 struct hci_conn_hash *h = &hdev->conn_hash;
3668 struct hci_conn *conn;
3669 int num = 0;
3670
3671 BT_DBG("%s", hdev->name);
3672
3673 rcu_read_lock();
3674
3675 list_for_each_entry_rcu(conn, &h->list, list) {
3676 struct hci_chan *chan;
3677
3678 if (conn->type != type)
3679 continue;
3680
3681 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3682 continue;
3683
3684 num++;
3685
3686 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3687 struct sk_buff *skb;
3688
3689 if (chan->sent) {
3690 chan->sent = 0;
3691 continue;
3692 }
3693
3694 if (skb_queue_empty(&chan->data_q))
3695 continue;
3696
3697 skb = skb_peek(&chan->data_q);
3698 if (skb->priority >= HCI_PRIO_MAX - 1)
3699 continue;
3700
3701 skb->priority = HCI_PRIO_MAX - 1;
3702
3703 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3704 skb->priority);
3705 }
3706
3707 if (hci_conn_num(hdev, type) == num)
3708 break;
3709 }
3710
3711 rcu_read_unlock();
3712
3713}
3714
3715static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3716{
3717 /* Calculate count of blocks used by this packet */
3718 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3719}
3720
3721static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3722{
3723 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3724 /* ACL tx timeout must be longer than maximum
3725 * link supervision timeout (40.9 seconds) */
3726 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3727 HCI_ACL_TX_TIMEOUT))
3728 hci_link_tx_to(hdev, ACL_LINK);
3729 }
3730}
3731
3732static void hci_sched_acl_pkt(struct hci_dev *hdev)
3733{
3734 unsigned int cnt = hdev->acl_cnt;
3735 struct hci_chan *chan;
3736 struct sk_buff *skb;
3737 int quote;
3738
3739 __check_timeout(hdev, cnt);
3740
3741 while (hdev->acl_cnt &&
3742 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
3743 u32 priority = (skb_peek(&chan->data_q))->priority;
3744 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3745 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3746 skb->len, skb->priority);
3747
3748 /* Stop if priority has changed */
3749 if (skb->priority < priority)
3750 break;
3751
3752 skb = skb_dequeue(&chan->data_q);
3753
3754 hci_conn_enter_active_mode(chan->conn,
3755 bt_cb(skb)->force_active);
3756
3757 hci_send_frame(hdev, skb);
3758 hdev->acl_last_tx = jiffies;
3759
3760 hdev->acl_cnt--;
3761 chan->sent++;
3762 chan->conn->sent++;
3763 }
3764 }
3765
3766 if (cnt != hdev->acl_cnt)
3767 hci_prio_recalculate(hdev, ACL_LINK);
3768}
3769
3770static void hci_sched_acl_blk(struct hci_dev *hdev)
3771{
3772 unsigned int cnt = hdev->block_cnt;
3773 struct hci_chan *chan;
3774 struct sk_buff *skb;
3775 int quote;
3776 u8 type;
3777
3778 __check_timeout(hdev, cnt);
3779
3780 BT_DBG("%s", hdev->name);
3781
3782 if (hdev->dev_type == HCI_AMP)
3783 type = AMP_LINK;
3784 else
3785 type = ACL_LINK;
3786
3787 while (hdev->block_cnt > 0 &&
3788 (chan = hci_chan_sent(hdev, type, "e))) {
3789 u32 priority = (skb_peek(&chan->data_q))->priority;
3790 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3791 int blocks;
3792
3793 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3794 skb->len, skb->priority);
3795
3796 /* Stop if priority has changed */
3797 if (skb->priority < priority)
3798 break;
3799
3800 skb = skb_dequeue(&chan->data_q);
3801
3802 blocks = __get_blocks(hdev, skb);
3803 if (blocks > hdev->block_cnt)
3804 return;
3805
3806 hci_conn_enter_active_mode(chan->conn,
3807 bt_cb(skb)->force_active);
3808
3809 hci_send_frame(hdev, skb);
3810 hdev->acl_last_tx = jiffies;
3811
3812 hdev->block_cnt -= blocks;
3813 quote -= blocks;
3814
3815 chan->sent += blocks;
3816 chan->conn->sent += blocks;
3817 }
3818 }
3819
3820 if (cnt != hdev->block_cnt)
3821 hci_prio_recalculate(hdev, type);
3822}
3823
3824static void hci_sched_acl(struct hci_dev *hdev)
3825{
3826 BT_DBG("%s", hdev->name);
3827
3828 /* No ACL link over BR/EDR controller */
3829 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3830 return;
3831
3832 /* No AMP link over AMP controller */
3833 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3834 return;
3835
3836 switch (hdev->flow_ctl_mode) {
3837 case HCI_FLOW_CTL_MODE_PACKET_BASED:
3838 hci_sched_acl_pkt(hdev);
3839 break;
3840
3841 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3842 hci_sched_acl_blk(hdev);
3843 break;
3844 }
3845}
3846
3847/* Schedule SCO */
3848static void hci_sched_sco(struct hci_dev *hdev)
3849{
3850 struct hci_conn *conn;
3851 struct sk_buff *skb;
3852 int quote;
3853
3854 BT_DBG("%s", hdev->name);
3855
3856 if (!hci_conn_num(hdev, SCO_LINK))
3857 return;
3858
3859 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
3860 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3861 BT_DBG("skb %p len %d", skb, skb->len);
3862 hci_send_frame(hdev, skb);
3863
3864 conn->sent++;
3865 if (conn->sent == ~0)
3866 conn->sent = 0;
3867 }
3868 }
3869}
3870
3871static void hci_sched_esco(struct hci_dev *hdev)
3872{
3873 struct hci_conn *conn;
3874 struct sk_buff *skb;
3875 int quote;
3876
3877 BT_DBG("%s", hdev->name);
3878
3879 if (!hci_conn_num(hdev, ESCO_LINK))
3880 return;
3881
3882 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3883 "e))) {
3884 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3885 BT_DBG("skb %p len %d", skb, skb->len);
3886 hci_send_frame(hdev, skb);
3887
3888 conn->sent++;
3889 if (conn->sent == ~0)
3890 conn->sent = 0;
3891 }
3892 }
3893}
3894
3895static void hci_sched_le(struct hci_dev *hdev)
3896{
3897 struct hci_chan *chan;
3898 struct sk_buff *skb;
3899 int quote, cnt, tmp;
3900
3901 BT_DBG("%s", hdev->name);
3902
3903 if (!hci_conn_num(hdev, LE_LINK))
3904 return;
3905
3906 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3907 /* LE tx timeout must be longer than maximum
3908 * link supervision timeout (40.9 seconds) */
3909 if (!hdev->le_cnt && hdev->le_pkts &&
3910 time_after(jiffies, hdev->le_last_tx + HZ * 45))
3911 hci_link_tx_to(hdev, LE_LINK);
3912 }
3913
3914 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3915 tmp = cnt;
3916 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
3917 u32 priority = (skb_peek(&chan->data_q))->priority;
3918 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3919 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3920 skb->len, skb->priority);
3921
3922 /* Stop if priority has changed */
3923 if (skb->priority < priority)
3924 break;
3925
3926 skb = skb_dequeue(&chan->data_q);
3927
3928 hci_send_frame(hdev, skb);
3929 hdev->le_last_tx = jiffies;
3930
3931 cnt--;
3932 chan->sent++;
3933 chan->conn->sent++;
3934 }
3935 }
3936
3937 if (hdev->le_pkts)
3938 hdev->le_cnt = cnt;
3939 else
3940 hdev->acl_cnt = cnt;
3941
3942 if (cnt != tmp)
3943 hci_prio_recalculate(hdev, LE_LINK);
3944}
3945
3946static void hci_tx_work(struct work_struct *work)
3947{
3948 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3949 struct sk_buff *skb;
3950
3951 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3952 hdev->sco_cnt, hdev->le_cnt);
3953
3954 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3955 /* Schedule queues and send stuff to HCI driver */
3956 hci_sched_acl(hdev);
3957 hci_sched_sco(hdev);
3958 hci_sched_esco(hdev);
3959 hci_sched_le(hdev);
3960 }
3961
3962 /* Send next queued raw (unknown type) packet */
3963 while ((skb = skb_dequeue(&hdev->raw_q)))
3964 hci_send_frame(hdev, skb);
3965}
3966
3967/* ----- HCI RX task (incoming data processing) ----- */
3968
3969/* ACL data packet */
3970static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3971{
3972 struct hci_acl_hdr *hdr = (void *) skb->data;
3973 struct hci_conn *conn;
3974 __u16 handle, flags;
3975
3976 skb_pull(skb, HCI_ACL_HDR_SIZE);
3977
3978 handle = __le16_to_cpu(hdr->handle);
3979 flags = hci_flags(handle);
3980 handle = hci_handle(handle);
3981
3982 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3983 handle, flags);
3984
3985 hdev->stat.acl_rx++;
3986
3987 hci_dev_lock(hdev);
3988 conn = hci_conn_hash_lookup_handle(hdev, handle);
3989 hci_dev_unlock(hdev);
3990
3991 if (conn) {
3992 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3993
3994 /* Send to upper protocol */
3995 l2cap_recv_acldata(conn, skb, flags);
3996 return;
3997 } else {
3998 BT_ERR("%s ACL packet for unknown connection handle %d",
3999 hdev->name, handle);
4000 }
4001
4002 kfree_skb(skb);
4003}
4004
4005/* SCO data packet */
4006static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4007{
4008 struct hci_sco_hdr *hdr = (void *) skb->data;
4009 struct hci_conn *conn;
4010 __u16 handle;
4011
4012 skb_pull(skb, HCI_SCO_HDR_SIZE);
4013
4014 handle = __le16_to_cpu(hdr->handle);
4015
4016 BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4017
4018 hdev->stat.sco_rx++;
4019
4020 hci_dev_lock(hdev);
4021 conn = hci_conn_hash_lookup_handle(hdev, handle);
4022 hci_dev_unlock(hdev);
4023
4024 if (conn) {
4025 /* Send to upper protocol */
4026 sco_recv_scodata(conn, skb);
4027 return;
4028 } else {
4029 BT_ERR("%s SCO packet for unknown connection handle %d",
4030 hdev->name, handle);
4031 }
4032
4033 kfree_skb(skb);
4034}
4035
4036static bool hci_req_is_complete(struct hci_dev *hdev)
4037{
4038 struct sk_buff *skb;
4039
4040 skb = skb_peek(&hdev->cmd_q);
4041 if (!skb)
4042 return true;
4043
4044 return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
4045}
4046
4047static void hci_resend_last(struct hci_dev *hdev)
4048{
4049 struct hci_command_hdr *sent;
4050 struct sk_buff *skb;
4051 u16 opcode;
4052
4053 if (!hdev->sent_cmd)
4054 return;
4055
4056 sent = (void *) hdev->sent_cmd->data;
4057 opcode = __le16_to_cpu(sent->opcode);
4058 if (opcode == HCI_OP_RESET)
4059 return;
4060
4061 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4062 if (!skb)
4063 return;
4064
4065 skb_queue_head(&hdev->cmd_q, skb);
4066 queue_work(hdev->workqueue, &hdev->cmd_work);
4067}
4068
4069void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
4070 hci_req_complete_t *req_complete,
4071 hci_req_complete_skb_t *req_complete_skb)
4072{
4073 struct sk_buff *skb;
4074 unsigned long flags;
4075
4076 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4077
4078 /* If the completed command doesn't match the last one that was
4079 * sent we need to do special handling of it.
4080 */
4081 if (!hci_sent_cmd_data(hdev, opcode)) {
4082 /* Some CSR based controllers generate a spontaneous
4083 * reset complete event during init and any pending
4084 * command will never be completed. In such a case we
4085 * need to resend whatever was the last sent
4086 * command.
4087 */
4088 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4089 hci_resend_last(hdev);
4090
4091 return;
4092 }
4093
4094 /* If the command succeeded and there's still more commands in
4095 * this request the request is not yet complete.
4096 */
4097 if (!status && !hci_req_is_complete(hdev))
4098 return;
4099
4100 /* If this was the last command in a request the complete
4101 * callback would be found in hdev->sent_cmd instead of the
4102 * command queue (hdev->cmd_q).
4103 */
4104 if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
4105 *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
4106 return;
4107 }
4108
4109 if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
4110 *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
4111 return;
4112 }
4113
4114 /* Remove all pending commands belonging to this request */
4115 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4116 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4117 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4118 __skb_queue_head(&hdev->cmd_q, skb);
4119 break;
4120 }
4121
4122 if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
4123 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4124 else
4125 *req_complete = bt_cb(skb)->hci.req_complete;
4126 kfree_skb(skb);
4127 }
4128 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4129}
4130
4131static void hci_rx_work(struct work_struct *work)
4132{
4133 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4134 struct sk_buff *skb;
4135
4136 BT_DBG("%s", hdev->name);
4137
4138 while ((skb = skb_dequeue(&hdev->rx_q))) {
4139 /* Send copy to monitor */
4140 hci_send_to_monitor(hdev, skb);
4141
4142 if (atomic_read(&hdev->promisc)) {
4143 /* Send copy to the sockets */
4144 hci_send_to_sock(hdev, skb);
4145 }
4146
4147 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4148 kfree_skb(skb);
4149 continue;
4150 }
4151
4152 if (test_bit(HCI_INIT, &hdev->flags)) {
4153 /* Don't process data packets in this states. */
4154 switch (hci_skb_pkt_type(skb)) {
4155 case HCI_ACLDATA_PKT:
4156 case HCI_SCODATA_PKT:
4157 kfree_skb(skb);
4158 continue;
4159 }
4160 }
4161
4162 /* Process frame */
4163 switch (hci_skb_pkt_type(skb)) {
4164 case HCI_EVENT_PKT:
4165 BT_DBG("%s Event packet", hdev->name);
4166 hci_event_packet(hdev, skb);
4167 break;
4168
4169 case HCI_ACLDATA_PKT:
4170 BT_DBG("%s ACL data packet", hdev->name);
4171 hci_acldata_packet(hdev, skb);
4172 break;
4173
4174 case HCI_SCODATA_PKT:
4175 BT_DBG("%s SCO data packet", hdev->name);
4176 hci_scodata_packet(hdev, skb);
4177 break;
4178
4179 default:
4180 kfree_skb(skb);
4181 break;
4182 }
4183 }
4184}
4185
4186static void hci_cmd_work(struct work_struct *work)
4187{
4188 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4189 struct sk_buff *skb;
4190
4191 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4192 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4193
4194 /* Send queued commands */
4195 if (atomic_read(&hdev->cmd_cnt)) {
4196 skb = skb_dequeue(&hdev->cmd_q);
4197 if (!skb)
4198 return;
4199
4200 kfree_skb(hdev->sent_cmd);
4201
4202 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4203 if (hdev->sent_cmd) {
4204 atomic_dec(&hdev->cmd_cnt);
4205 hci_send_frame(hdev, skb);
4206 if (test_bit(HCI_RESET, &hdev->flags))
4207 cancel_delayed_work(&hdev->cmd_timer);
4208 else
4209 schedule_delayed_work(&hdev->cmd_timer,
4210 HCI_CMD_TIMEOUT);
4211 } else {
4212 skb_queue_head(&hdev->cmd_q, skb);
4213 queue_work(hdev->workqueue, &hdev->cmd_work);
4214 }
4215 }
4216}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth HCI core. */
27
28#include <linux/export.h>
29#include <linux/rfkill.h>
30#include <linux/debugfs.h>
31#include <linux/crypto.h>
32#include <linux/property.h>
33#include <linux/suspend.h>
34#include <linux/wait.h>
35#include <asm/unaligned.h>
36
37#include <net/bluetooth/bluetooth.h>
38#include <net/bluetooth/hci_core.h>
39#include <net/bluetooth/l2cap.h>
40#include <net/bluetooth/mgmt.h>
41
42#include "hci_request.h"
43#include "hci_debugfs.h"
44#include "smp.h"
45#include "leds.h"
46#include "msft.h"
47#include "aosp.h"
48
49static void hci_rx_work(struct work_struct *work);
50static void hci_cmd_work(struct work_struct *work);
51static void hci_tx_work(struct work_struct *work);
52
53/* HCI device list */
54LIST_HEAD(hci_dev_list);
55DEFINE_RWLOCK(hci_dev_list_lock);
56
57/* HCI callback list */
58LIST_HEAD(hci_cb_list);
59DEFINE_MUTEX(hci_cb_list_lock);
60
61/* HCI ID Numbering */
62static DEFINE_IDA(hci_index_ida);
63
64/* ---- HCI debugfs entries ---- */
65
66static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
67 size_t count, loff_t *ppos)
68{
69 struct hci_dev *hdev = file->private_data;
70 char buf[3];
71
72 buf[0] = hci_dev_test_flag(hdev, HCI_DUT_MODE) ? 'Y' : 'N';
73 buf[1] = '\n';
74 buf[2] = '\0';
75 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
76}
77
78static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
79 size_t count, loff_t *ppos)
80{
81 struct hci_dev *hdev = file->private_data;
82 struct sk_buff *skb;
83 bool enable;
84 int err;
85
86 if (!test_bit(HCI_UP, &hdev->flags))
87 return -ENETDOWN;
88
89 err = kstrtobool_from_user(user_buf, count, &enable);
90 if (err)
91 return err;
92
93 if (enable == hci_dev_test_flag(hdev, HCI_DUT_MODE))
94 return -EALREADY;
95
96 hci_req_sync_lock(hdev);
97 if (enable)
98 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
99 HCI_CMD_TIMEOUT);
100 else
101 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
102 HCI_CMD_TIMEOUT);
103 hci_req_sync_unlock(hdev);
104
105 if (IS_ERR(skb))
106 return PTR_ERR(skb);
107
108 kfree_skb(skb);
109
110 hci_dev_change_flag(hdev, HCI_DUT_MODE);
111
112 return count;
113}
114
115static const struct file_operations dut_mode_fops = {
116 .open = simple_open,
117 .read = dut_mode_read,
118 .write = dut_mode_write,
119 .llseek = default_llseek,
120};
121
122static ssize_t vendor_diag_read(struct file *file, char __user *user_buf,
123 size_t count, loff_t *ppos)
124{
125 struct hci_dev *hdev = file->private_data;
126 char buf[3];
127
128 buf[0] = hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) ? 'Y' : 'N';
129 buf[1] = '\n';
130 buf[2] = '\0';
131 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
132}
133
134static ssize_t vendor_diag_write(struct file *file, const char __user *user_buf,
135 size_t count, loff_t *ppos)
136{
137 struct hci_dev *hdev = file->private_data;
138 bool enable;
139 int err;
140
141 err = kstrtobool_from_user(user_buf, count, &enable);
142 if (err)
143 return err;
144
145 /* When the diagnostic flags are not persistent and the transport
146 * is not active or in user channel operation, then there is no need
147 * for the vendor callback. Instead just store the desired value and
148 * the setting will be programmed when the controller gets powered on.
149 */
150 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
151 (!test_bit(HCI_RUNNING, &hdev->flags) ||
152 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)))
153 goto done;
154
155 hci_req_sync_lock(hdev);
156 err = hdev->set_diag(hdev, enable);
157 hci_req_sync_unlock(hdev);
158
159 if (err < 0)
160 return err;
161
162done:
163 if (enable)
164 hci_dev_set_flag(hdev, HCI_VENDOR_DIAG);
165 else
166 hci_dev_clear_flag(hdev, HCI_VENDOR_DIAG);
167
168 return count;
169}
170
171static const struct file_operations vendor_diag_fops = {
172 .open = simple_open,
173 .read = vendor_diag_read,
174 .write = vendor_diag_write,
175 .llseek = default_llseek,
176};
177
178static void hci_debugfs_create_basic(struct hci_dev *hdev)
179{
180 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
181 &dut_mode_fops);
182
183 if (hdev->set_diag)
184 debugfs_create_file("vendor_diag", 0644, hdev->debugfs, hdev,
185 &vendor_diag_fops);
186}
187
188static int hci_reset_req(struct hci_request *req, unsigned long opt)
189{
190 BT_DBG("%s %ld", req->hdev->name, opt);
191
192 /* Reset device */
193 set_bit(HCI_RESET, &req->hdev->flags);
194 hci_req_add(req, HCI_OP_RESET, 0, NULL);
195 return 0;
196}
197
198static void bredr_init(struct hci_request *req)
199{
200 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
201
202 /* Read Local Supported Features */
203 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
204
205 /* Read Local Version */
206 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
207
208 /* Read BD Address */
209 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
210}
211
212static void amp_init1(struct hci_request *req)
213{
214 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
215
216 /* Read Local Version */
217 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
218
219 /* Read Local Supported Commands */
220 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
221
222 /* Read Local AMP Info */
223 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
224
225 /* Read Data Blk size */
226 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
227
228 /* Read Flow Control Mode */
229 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
230
231 /* Read Location Data */
232 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
233}
234
235static int amp_init2(struct hci_request *req)
236{
237 /* Read Local Supported Features. Not all AMP controllers
238 * support this so it's placed conditionally in the second
239 * stage init.
240 */
241 if (req->hdev->commands[14] & 0x20)
242 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
243
244 return 0;
245}
246
247static int hci_init1_req(struct hci_request *req, unsigned long opt)
248{
249 struct hci_dev *hdev = req->hdev;
250
251 BT_DBG("%s %ld", hdev->name, opt);
252
253 /* Reset */
254 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
255 hci_reset_req(req, 0);
256
257 switch (hdev->dev_type) {
258 case HCI_PRIMARY:
259 bredr_init(req);
260 break;
261 case HCI_AMP:
262 amp_init1(req);
263 break;
264 default:
265 bt_dev_err(hdev, "Unknown device type %d", hdev->dev_type);
266 break;
267 }
268
269 return 0;
270}
271
272static void bredr_setup(struct hci_request *req)
273{
274 __le16 param;
275 __u8 flt_type;
276
277 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
278 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
279
280 /* Read Class of Device */
281 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
282
283 /* Read Local Name */
284 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
285
286 /* Read Voice Setting */
287 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
288
289 /* Read Number of Supported IAC */
290 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
291
292 /* Read Current IAC LAP */
293 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
294
295 /* Clear Event Filters */
296 flt_type = HCI_FLT_CLEAR_ALL;
297 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
298
299 /* Connection accept timeout ~20 secs */
300 param = cpu_to_le16(0x7d00);
301 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
302}
303
304static void le_setup(struct hci_request *req)
305{
306 struct hci_dev *hdev = req->hdev;
307
308 /* Read LE Buffer Size */
309 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
310
311 /* Read LE Local Supported Features */
312 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
313
314 /* Read LE Supported States */
315 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
316
317 /* LE-only controllers have LE implicitly enabled */
318 if (!lmp_bredr_capable(hdev))
319 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
320}
321
322static void hci_setup_event_mask(struct hci_request *req)
323{
324 struct hci_dev *hdev = req->hdev;
325
326 /* The second byte is 0xff instead of 0x9f (two reserved bits
327 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
328 * command otherwise.
329 */
330 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
331
332 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
333 * any event mask for pre 1.2 devices.
334 */
335 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
336 return;
337
338 if (lmp_bredr_capable(hdev)) {
339 events[4] |= 0x01; /* Flow Specification Complete */
340 } else {
341 /* Use a different default for LE-only devices */
342 memset(events, 0, sizeof(events));
343 events[1] |= 0x20; /* Command Complete */
344 events[1] |= 0x40; /* Command Status */
345 events[1] |= 0x80; /* Hardware Error */
346
347 /* If the controller supports the Disconnect command, enable
348 * the corresponding event. In addition enable packet flow
349 * control related events.
350 */
351 if (hdev->commands[0] & 0x20) {
352 events[0] |= 0x10; /* Disconnection Complete */
353 events[2] |= 0x04; /* Number of Completed Packets */
354 events[3] |= 0x02; /* Data Buffer Overflow */
355 }
356
357 /* If the controller supports the Read Remote Version
358 * Information command, enable the corresponding event.
359 */
360 if (hdev->commands[2] & 0x80)
361 events[1] |= 0x08; /* Read Remote Version Information
362 * Complete
363 */
364
365 if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
366 events[0] |= 0x80; /* Encryption Change */
367 events[5] |= 0x80; /* Encryption Key Refresh Complete */
368 }
369 }
370
371 if (lmp_inq_rssi_capable(hdev) ||
372 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks))
373 events[4] |= 0x02; /* Inquiry Result with RSSI */
374
375 if (lmp_ext_feat_capable(hdev))
376 events[4] |= 0x04; /* Read Remote Extended Features Complete */
377
378 if (lmp_esco_capable(hdev)) {
379 events[5] |= 0x08; /* Synchronous Connection Complete */
380 events[5] |= 0x10; /* Synchronous Connection Changed */
381 }
382
383 if (lmp_sniffsubr_capable(hdev))
384 events[5] |= 0x20; /* Sniff Subrating */
385
386 if (lmp_pause_enc_capable(hdev))
387 events[5] |= 0x80; /* Encryption Key Refresh Complete */
388
389 if (lmp_ext_inq_capable(hdev))
390 events[5] |= 0x40; /* Extended Inquiry Result */
391
392 if (lmp_no_flush_capable(hdev))
393 events[7] |= 0x01; /* Enhanced Flush Complete */
394
395 if (lmp_lsto_capable(hdev))
396 events[6] |= 0x80; /* Link Supervision Timeout Changed */
397
398 if (lmp_ssp_capable(hdev)) {
399 events[6] |= 0x01; /* IO Capability Request */
400 events[6] |= 0x02; /* IO Capability Response */
401 events[6] |= 0x04; /* User Confirmation Request */
402 events[6] |= 0x08; /* User Passkey Request */
403 events[6] |= 0x10; /* Remote OOB Data Request */
404 events[6] |= 0x20; /* Simple Pairing Complete */
405 events[7] |= 0x04; /* User Passkey Notification */
406 events[7] |= 0x08; /* Keypress Notification */
407 events[7] |= 0x10; /* Remote Host Supported
408 * Features Notification
409 */
410 }
411
412 if (lmp_le_capable(hdev))
413 events[7] |= 0x20; /* LE Meta-Event */
414
415 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
416}
417
418static int hci_init2_req(struct hci_request *req, unsigned long opt)
419{
420 struct hci_dev *hdev = req->hdev;
421
422 if (hdev->dev_type == HCI_AMP)
423 return amp_init2(req);
424
425 if (lmp_bredr_capable(hdev))
426 bredr_setup(req);
427 else
428 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
429
430 if (lmp_le_capable(hdev))
431 le_setup(req);
432
433 /* All Bluetooth 1.2 and later controllers should support the
434 * HCI command for reading the local supported commands.
435 *
436 * Unfortunately some controllers indicate Bluetooth 1.2 support,
437 * but do not have support for this command. If that is the case,
438 * the driver can quirk the behavior and skip reading the local
439 * supported commands.
440 */
441 if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
442 !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
443 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
444
445 if (lmp_ssp_capable(hdev)) {
446 /* When SSP is available, then the host features page
447 * should also be available as well. However some
448 * controllers list the max_page as 0 as long as SSP
449 * has not been enabled. To achieve proper debugging
450 * output, force the minimum max_page to 1 at least.
451 */
452 hdev->max_page = 0x01;
453
454 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
455 u8 mode = 0x01;
456
457 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
458 sizeof(mode), &mode);
459 } else {
460 struct hci_cp_write_eir cp;
461
462 memset(hdev->eir, 0, sizeof(hdev->eir));
463 memset(&cp, 0, sizeof(cp));
464
465 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
466 }
467 }
468
469 if (lmp_inq_rssi_capable(hdev) ||
470 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
471 u8 mode;
472
473 /* If Extended Inquiry Result events are supported, then
474 * they are clearly preferred over Inquiry Result with RSSI
475 * events.
476 */
477 mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
478
479 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
480 }
481
482 if (lmp_inq_tx_pwr_capable(hdev))
483 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
484
485 if (lmp_ext_feat_capable(hdev)) {
486 struct hci_cp_read_local_ext_features cp;
487
488 cp.page = 0x01;
489 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
490 sizeof(cp), &cp);
491 }
492
493 if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
494 u8 enable = 1;
495 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
496 &enable);
497 }
498
499 return 0;
500}
501
502static void hci_setup_link_policy(struct hci_request *req)
503{
504 struct hci_dev *hdev = req->hdev;
505 struct hci_cp_write_def_link_policy cp;
506 u16 link_policy = 0;
507
508 if (lmp_rswitch_capable(hdev))
509 link_policy |= HCI_LP_RSWITCH;
510 if (lmp_hold_capable(hdev))
511 link_policy |= HCI_LP_HOLD;
512 if (lmp_sniff_capable(hdev))
513 link_policy |= HCI_LP_SNIFF;
514 if (lmp_park_capable(hdev))
515 link_policy |= HCI_LP_PARK;
516
517 cp.policy = cpu_to_le16(link_policy);
518 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
519}
520
521static void hci_set_le_support(struct hci_request *req)
522{
523 struct hci_dev *hdev = req->hdev;
524 struct hci_cp_write_le_host_supported cp;
525
526 /* LE-only devices do not support explicit enablement */
527 if (!lmp_bredr_capable(hdev))
528 return;
529
530 memset(&cp, 0, sizeof(cp));
531
532 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
533 cp.le = 0x01;
534 cp.simul = 0x00;
535 }
536
537 if (cp.le != lmp_host_le_capable(hdev))
538 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
539 &cp);
540}
541
542static void hci_set_event_mask_page_2(struct hci_request *req)
543{
544 struct hci_dev *hdev = req->hdev;
545 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
546 bool changed = false;
547
548 /* If Connectionless Peripheral Broadcast central role is supported
549 * enable all necessary events for it.
550 */
551 if (lmp_cpb_central_capable(hdev)) {
552 events[1] |= 0x40; /* Triggered Clock Capture */
553 events[1] |= 0x80; /* Synchronization Train Complete */
554 events[2] |= 0x10; /* Peripheral Page Response Timeout */
555 events[2] |= 0x20; /* CPB Channel Map Change */
556 changed = true;
557 }
558
559 /* If Connectionless Peripheral Broadcast peripheral role is supported
560 * enable all necessary events for it.
561 */
562 if (lmp_cpb_peripheral_capable(hdev)) {
563 events[2] |= 0x01; /* Synchronization Train Received */
564 events[2] |= 0x02; /* CPB Receive */
565 events[2] |= 0x04; /* CPB Timeout */
566 events[2] |= 0x08; /* Truncated Page Complete */
567 changed = true;
568 }
569
570 /* Enable Authenticated Payload Timeout Expired event if supported */
571 if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) {
572 events[2] |= 0x80;
573 changed = true;
574 }
575
576 /* Some Broadcom based controllers indicate support for Set Event
577 * Mask Page 2 command, but then actually do not support it. Since
578 * the default value is all bits set to zero, the command is only
579 * required if the event mask has to be changed. In case no change
580 * to the event mask is needed, skip this command.
581 */
582 if (changed)
583 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2,
584 sizeof(events), events);
585}
586
587static int hci_init3_req(struct hci_request *req, unsigned long opt)
588{
589 struct hci_dev *hdev = req->hdev;
590 u8 p;
591
592 hci_setup_event_mask(req);
593
594 if (hdev->commands[6] & 0x20 &&
595 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
596 struct hci_cp_read_stored_link_key cp;
597
598 bacpy(&cp.bdaddr, BDADDR_ANY);
599 cp.read_all = 0x01;
600 hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
601 }
602
603 if (hdev->commands[5] & 0x10)
604 hci_setup_link_policy(req);
605
606 if (hdev->commands[8] & 0x01)
607 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
608
609 if (hdev->commands[18] & 0x04 &&
610 !test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks))
611 hci_req_add(req, HCI_OP_READ_DEF_ERR_DATA_REPORTING, 0, NULL);
612
613 /* Some older Broadcom based Bluetooth 1.2 controllers do not
614 * support the Read Page Scan Type command. Check support for
615 * this command in the bit mask of supported commands.
616 */
617 if (hdev->commands[13] & 0x01)
618 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
619
620 if (lmp_le_capable(hdev)) {
621 u8 events[8];
622
623 memset(events, 0, sizeof(events));
624
625 if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
626 events[0] |= 0x10; /* LE Long Term Key Request */
627
628 /* If controller supports the Connection Parameters Request
629 * Link Layer Procedure, enable the corresponding event.
630 */
631 if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
632 events[0] |= 0x20; /* LE Remote Connection
633 * Parameter Request
634 */
635
636 /* If the controller supports the Data Length Extension
637 * feature, enable the corresponding event.
638 */
639 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
640 events[0] |= 0x40; /* LE Data Length Change */
641
642 /* If the controller supports LL Privacy feature, enable
643 * the corresponding event.
644 */
645 if (hdev->le_features[0] & HCI_LE_LL_PRIVACY)
646 events[1] |= 0x02; /* LE Enhanced Connection
647 * Complete
648 */
649
650 /* If the controller supports Extended Scanner Filter
651 * Policies, enable the corresponding event.
652 */
653 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
654 events[1] |= 0x04; /* LE Direct Advertising
655 * Report
656 */
657
658 /* If the controller supports Channel Selection Algorithm #2
659 * feature, enable the corresponding event.
660 */
661 if (hdev->le_features[1] & HCI_LE_CHAN_SEL_ALG2)
662 events[2] |= 0x08; /* LE Channel Selection
663 * Algorithm
664 */
665
666 /* If the controller supports the LE Set Scan Enable command,
667 * enable the corresponding advertising report event.
668 */
669 if (hdev->commands[26] & 0x08)
670 events[0] |= 0x02; /* LE Advertising Report */
671
672 /* If the controller supports the LE Create Connection
673 * command, enable the corresponding event.
674 */
675 if (hdev->commands[26] & 0x10)
676 events[0] |= 0x01; /* LE Connection Complete */
677
678 /* If the controller supports the LE Connection Update
679 * command, enable the corresponding event.
680 */
681 if (hdev->commands[27] & 0x04)
682 events[0] |= 0x04; /* LE Connection Update
683 * Complete
684 */
685
686 /* If the controller supports the LE Read Remote Used Features
687 * command, enable the corresponding event.
688 */
689 if (hdev->commands[27] & 0x20)
690 events[0] |= 0x08; /* LE Read Remote Used
691 * Features Complete
692 */
693
694 /* If the controller supports the LE Read Local P-256
695 * Public Key command, enable the corresponding event.
696 */
697 if (hdev->commands[34] & 0x02)
698 events[0] |= 0x80; /* LE Read Local P-256
699 * Public Key Complete
700 */
701
702 /* If the controller supports the LE Generate DHKey
703 * command, enable the corresponding event.
704 */
705 if (hdev->commands[34] & 0x04)
706 events[1] |= 0x01; /* LE Generate DHKey Complete */
707
708 /* If the controller supports the LE Set Default PHY or
709 * LE Set PHY commands, enable the corresponding event.
710 */
711 if (hdev->commands[35] & (0x20 | 0x40))
712 events[1] |= 0x08; /* LE PHY Update Complete */
713
714 /* If the controller supports LE Set Extended Scan Parameters
715 * and LE Set Extended Scan Enable commands, enable the
716 * corresponding event.
717 */
718 if (use_ext_scan(hdev))
719 events[1] |= 0x10; /* LE Extended Advertising
720 * Report
721 */
722
723 /* If the controller supports the LE Extended Advertising
724 * command, enable the corresponding event.
725 */
726 if (ext_adv_capable(hdev))
727 events[2] |= 0x02; /* LE Advertising Set
728 * Terminated
729 */
730
731 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
732 events);
733
734 /* Read LE Advertising Channel TX Power */
735 if ((hdev->commands[25] & 0x40) && !ext_adv_capable(hdev)) {
736 /* HCI TS spec forbids mixing of legacy and extended
737 * advertising commands wherein READ_ADV_TX_POWER is
738 * also included. So do not call it if extended adv
739 * is supported otherwise controller will return
740 * COMMAND_DISALLOWED for extended commands.
741 */
742 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
743 }
744
745 if (hdev->commands[38] & 0x80) {
746 /* Read LE Min/Max Tx Power*/
747 hci_req_add(req, HCI_OP_LE_READ_TRANSMIT_POWER,
748 0, NULL);
749 }
750
751 if (hdev->commands[26] & 0x40) {
752 /* Read LE Accept List Size */
753 hci_req_add(req, HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
754 0, NULL);
755 }
756
757 if (hdev->commands[26] & 0x80) {
758 /* Clear LE Accept List */
759 hci_req_add(req, HCI_OP_LE_CLEAR_ACCEPT_LIST, 0, NULL);
760 }
761
762 if (hdev->commands[34] & 0x40) {
763 /* Read LE Resolving List Size */
764 hci_req_add(req, HCI_OP_LE_READ_RESOLV_LIST_SIZE,
765 0, NULL);
766 }
767
768 if (hdev->commands[34] & 0x20) {
769 /* Clear LE Resolving List */
770 hci_req_add(req, HCI_OP_LE_CLEAR_RESOLV_LIST, 0, NULL);
771 }
772
773 if (hdev->commands[35] & 0x04) {
774 __le16 rpa_timeout = cpu_to_le16(hdev->rpa_timeout);
775
776 /* Set RPA timeout */
777 hci_req_add(req, HCI_OP_LE_SET_RPA_TIMEOUT, 2,
778 &rpa_timeout);
779 }
780
781 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
782 /* Read LE Maximum Data Length */
783 hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
784
785 /* Read LE Suggested Default Data Length */
786 hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
787 }
788
789 if (ext_adv_capable(hdev)) {
790 /* Read LE Number of Supported Advertising Sets */
791 hci_req_add(req, HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
792 0, NULL);
793 }
794
795 hci_set_le_support(req);
796 }
797
798 /* Read features beyond page 1 if available */
799 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
800 struct hci_cp_read_local_ext_features cp;
801
802 cp.page = p;
803 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
804 sizeof(cp), &cp);
805 }
806
807 return 0;
808}
809
810static int hci_init4_req(struct hci_request *req, unsigned long opt)
811{
812 struct hci_dev *hdev = req->hdev;
813
814 /* Some Broadcom based Bluetooth controllers do not support the
815 * Delete Stored Link Key command. They are clearly indicating its
816 * absence in the bit mask of supported commands.
817 *
818 * Check the supported commands and only if the command is marked
819 * as supported send it. If not supported assume that the controller
820 * does not have actual support for stored link keys which makes this
821 * command redundant anyway.
822 *
823 * Some controllers indicate that they support handling deleting
824 * stored link keys, but they don't. The quirk lets a driver
825 * just disable this command.
826 */
827 if (hdev->commands[6] & 0x80 &&
828 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
829 struct hci_cp_delete_stored_link_key cp;
830
831 bacpy(&cp.bdaddr, BDADDR_ANY);
832 cp.delete_all = 0x01;
833 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
834 sizeof(cp), &cp);
835 }
836
837 /* Set event mask page 2 if the HCI command for it is supported */
838 if (hdev->commands[22] & 0x04)
839 hci_set_event_mask_page_2(req);
840
841 /* Read local codec list if the HCI command is supported */
842 if (hdev->commands[29] & 0x20)
843 hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
844
845 /* Read local pairing options if the HCI command is supported */
846 if (hdev->commands[41] & 0x08)
847 hci_req_add(req, HCI_OP_READ_LOCAL_PAIRING_OPTS, 0, NULL);
848
849 /* Get MWS transport configuration if the HCI command is supported */
850 if (hdev->commands[30] & 0x08)
851 hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
852
853 /* Check for Synchronization Train support */
854 if (lmp_sync_train_capable(hdev))
855 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
856
857 /* Enable Secure Connections if supported and configured */
858 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&
859 bredr_sc_enabled(hdev)) {
860 u8 support = 0x01;
861
862 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
863 sizeof(support), &support);
864 }
865
866 /* Set erroneous data reporting if supported to the wideband speech
867 * setting value
868 */
869 if (hdev->commands[18] & 0x08 &&
870 !test_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks)) {
871 bool enabled = hci_dev_test_flag(hdev,
872 HCI_WIDEBAND_SPEECH_ENABLED);
873
874 if (enabled !=
875 (hdev->err_data_reporting == ERR_DATA_REPORTING_ENABLED)) {
876 struct hci_cp_write_def_err_data_reporting cp;
877
878 cp.err_data_reporting = enabled ?
879 ERR_DATA_REPORTING_ENABLED :
880 ERR_DATA_REPORTING_DISABLED;
881
882 hci_req_add(req, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
883 sizeof(cp), &cp);
884 }
885 }
886
887 /* Set Suggested Default Data Length to maximum if supported */
888 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
889 struct hci_cp_le_write_def_data_len cp;
890
891 cp.tx_len = cpu_to_le16(hdev->le_max_tx_len);
892 cp.tx_time = cpu_to_le16(hdev->le_max_tx_time);
893 hci_req_add(req, HCI_OP_LE_WRITE_DEF_DATA_LEN, sizeof(cp), &cp);
894 }
895
896 /* Set Default PHY parameters if command is supported */
897 if (hdev->commands[35] & 0x20) {
898 struct hci_cp_le_set_default_phy cp;
899
900 cp.all_phys = 0x00;
901 cp.tx_phys = hdev->le_tx_def_phys;
902 cp.rx_phys = hdev->le_rx_def_phys;
903
904 hci_req_add(req, HCI_OP_LE_SET_DEFAULT_PHY, sizeof(cp), &cp);
905 }
906
907 return 0;
908}
909
910static int __hci_init(struct hci_dev *hdev)
911{
912 int err;
913
914 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT, NULL);
915 if (err < 0)
916 return err;
917
918 if (hci_dev_test_flag(hdev, HCI_SETUP))
919 hci_debugfs_create_basic(hdev);
920
921 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT, NULL);
922 if (err < 0)
923 return err;
924
925 /* HCI_PRIMARY covers both single-mode LE, BR/EDR and dual-mode
926 * BR/EDR/LE type controllers. AMP controllers only need the
927 * first two stages of init.
928 */
929 if (hdev->dev_type != HCI_PRIMARY)
930 return 0;
931
932 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT, NULL);
933 if (err < 0)
934 return err;
935
936 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT, NULL);
937 if (err < 0)
938 return err;
939
940 /* This function is only called when the controller is actually in
941 * configured state. When the controller is marked as unconfigured,
942 * this initialization procedure is not run.
943 *
944 * It means that it is possible that a controller runs through its
945 * setup phase and then discovers missing settings. If that is the
946 * case, then this function will not be called. It then will only
947 * be called during the config phase.
948 *
949 * So only when in setup phase or config phase, create the debugfs
950 * entries and register the SMP channels.
951 */
952 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
953 !hci_dev_test_flag(hdev, HCI_CONFIG))
954 return 0;
955
956 hci_debugfs_create_common(hdev);
957
958 if (lmp_bredr_capable(hdev))
959 hci_debugfs_create_bredr(hdev);
960
961 if (lmp_le_capable(hdev))
962 hci_debugfs_create_le(hdev);
963
964 return 0;
965}
966
967static int hci_init0_req(struct hci_request *req, unsigned long opt)
968{
969 struct hci_dev *hdev = req->hdev;
970
971 BT_DBG("%s %ld", hdev->name, opt);
972
973 /* Reset */
974 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
975 hci_reset_req(req, 0);
976
977 /* Read Local Version */
978 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
979
980 /* Read BD Address */
981 if (hdev->set_bdaddr)
982 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
983
984 return 0;
985}
986
987static int __hci_unconf_init(struct hci_dev *hdev)
988{
989 int err;
990
991 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
992 return 0;
993
994 err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT, NULL);
995 if (err < 0)
996 return err;
997
998 if (hci_dev_test_flag(hdev, HCI_SETUP))
999 hci_debugfs_create_basic(hdev);
1000
1001 return 0;
1002}
1003
1004static int hci_scan_req(struct hci_request *req, unsigned long opt)
1005{
1006 __u8 scan = opt;
1007
1008 BT_DBG("%s %x", req->hdev->name, scan);
1009
1010 /* Inquiry and Page scans */
1011 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1012 return 0;
1013}
1014
1015static int hci_auth_req(struct hci_request *req, unsigned long opt)
1016{
1017 __u8 auth = opt;
1018
1019 BT_DBG("%s %x", req->hdev->name, auth);
1020
1021 /* Authentication */
1022 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
1023 return 0;
1024}
1025
1026static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
1027{
1028 __u8 encrypt = opt;
1029
1030 BT_DBG("%s %x", req->hdev->name, encrypt);
1031
1032 /* Encryption */
1033 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
1034 return 0;
1035}
1036
1037static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
1038{
1039 __le16 policy = cpu_to_le16(opt);
1040
1041 BT_DBG("%s %x", req->hdev->name, policy);
1042
1043 /* Default link policy */
1044 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
1045 return 0;
1046}
1047
1048/* Get HCI device by index.
1049 * Device is held on return. */
1050struct hci_dev *hci_dev_get(int index)
1051{
1052 struct hci_dev *hdev = NULL, *d;
1053
1054 BT_DBG("%d", index);
1055
1056 if (index < 0)
1057 return NULL;
1058
1059 read_lock(&hci_dev_list_lock);
1060 list_for_each_entry(d, &hci_dev_list, list) {
1061 if (d->id == index) {
1062 hdev = hci_dev_hold(d);
1063 break;
1064 }
1065 }
1066 read_unlock(&hci_dev_list_lock);
1067 return hdev;
1068}
1069
1070/* ---- Inquiry support ---- */
1071
1072bool hci_discovery_active(struct hci_dev *hdev)
1073{
1074 struct discovery_state *discov = &hdev->discovery;
1075
1076 switch (discov->state) {
1077 case DISCOVERY_FINDING:
1078 case DISCOVERY_RESOLVING:
1079 return true;
1080
1081 default:
1082 return false;
1083 }
1084}
1085
1086void hci_discovery_set_state(struct hci_dev *hdev, int state)
1087{
1088 int old_state = hdev->discovery.state;
1089
1090 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
1091
1092 if (old_state == state)
1093 return;
1094
1095 hdev->discovery.state = state;
1096
1097 switch (state) {
1098 case DISCOVERY_STOPPED:
1099 hci_update_background_scan(hdev);
1100
1101 if (old_state != DISCOVERY_STARTING)
1102 mgmt_discovering(hdev, 0);
1103 break;
1104 case DISCOVERY_STARTING:
1105 break;
1106 case DISCOVERY_FINDING:
1107 mgmt_discovering(hdev, 1);
1108 break;
1109 case DISCOVERY_RESOLVING:
1110 break;
1111 case DISCOVERY_STOPPING:
1112 break;
1113 }
1114}
1115
1116void hci_inquiry_cache_flush(struct hci_dev *hdev)
1117{
1118 struct discovery_state *cache = &hdev->discovery;
1119 struct inquiry_entry *p, *n;
1120
1121 list_for_each_entry_safe(p, n, &cache->all, all) {
1122 list_del(&p->all);
1123 kfree(p);
1124 }
1125
1126 INIT_LIST_HEAD(&cache->unknown);
1127 INIT_LIST_HEAD(&cache->resolve);
1128}
1129
1130struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1131 bdaddr_t *bdaddr)
1132{
1133 struct discovery_state *cache = &hdev->discovery;
1134 struct inquiry_entry *e;
1135
1136 BT_DBG("cache %p, %pMR", cache, bdaddr);
1137
1138 list_for_each_entry(e, &cache->all, all) {
1139 if (!bacmp(&e->data.bdaddr, bdaddr))
1140 return e;
1141 }
1142
1143 return NULL;
1144}
1145
1146struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1147 bdaddr_t *bdaddr)
1148{
1149 struct discovery_state *cache = &hdev->discovery;
1150 struct inquiry_entry *e;
1151
1152 BT_DBG("cache %p, %pMR", cache, bdaddr);
1153
1154 list_for_each_entry(e, &cache->unknown, list) {
1155 if (!bacmp(&e->data.bdaddr, bdaddr))
1156 return e;
1157 }
1158
1159 return NULL;
1160}
1161
1162struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1163 bdaddr_t *bdaddr,
1164 int state)
1165{
1166 struct discovery_state *cache = &hdev->discovery;
1167 struct inquiry_entry *e;
1168
1169 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1170
1171 list_for_each_entry(e, &cache->resolve, list) {
1172 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1173 return e;
1174 if (!bacmp(&e->data.bdaddr, bdaddr))
1175 return e;
1176 }
1177
1178 return NULL;
1179}
1180
1181void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1182 struct inquiry_entry *ie)
1183{
1184 struct discovery_state *cache = &hdev->discovery;
1185 struct list_head *pos = &cache->resolve;
1186 struct inquiry_entry *p;
1187
1188 list_del(&ie->list);
1189
1190 list_for_each_entry(p, &cache->resolve, list) {
1191 if (p->name_state != NAME_PENDING &&
1192 abs(p->data.rssi) >= abs(ie->data.rssi))
1193 break;
1194 pos = &p->list;
1195 }
1196
1197 list_add(&ie->list, pos);
1198}
1199
1200u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1201 bool name_known)
1202{
1203 struct discovery_state *cache = &hdev->discovery;
1204 struct inquiry_entry *ie;
1205 u32 flags = 0;
1206
1207 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1208
1209 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1210
1211 if (!data->ssp_mode)
1212 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1213
1214 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1215 if (ie) {
1216 if (!ie->data.ssp_mode)
1217 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1218
1219 if (ie->name_state == NAME_NEEDED &&
1220 data->rssi != ie->data.rssi) {
1221 ie->data.rssi = data->rssi;
1222 hci_inquiry_cache_update_resolve(hdev, ie);
1223 }
1224
1225 goto update;
1226 }
1227
1228 /* Entry not in the cache. Add new one. */
1229 ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1230 if (!ie) {
1231 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1232 goto done;
1233 }
1234
1235 list_add(&ie->all, &cache->all);
1236
1237 if (name_known) {
1238 ie->name_state = NAME_KNOWN;
1239 } else {
1240 ie->name_state = NAME_NOT_KNOWN;
1241 list_add(&ie->list, &cache->unknown);
1242 }
1243
1244update:
1245 if (name_known && ie->name_state != NAME_KNOWN &&
1246 ie->name_state != NAME_PENDING) {
1247 ie->name_state = NAME_KNOWN;
1248 list_del(&ie->list);
1249 }
1250
1251 memcpy(&ie->data, data, sizeof(*data));
1252 ie->timestamp = jiffies;
1253 cache->timestamp = jiffies;
1254
1255 if (ie->name_state == NAME_NOT_KNOWN)
1256 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1257
1258done:
1259 return flags;
1260}
1261
1262static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1263{
1264 struct discovery_state *cache = &hdev->discovery;
1265 struct inquiry_info *info = (struct inquiry_info *) buf;
1266 struct inquiry_entry *e;
1267 int copied = 0;
1268
1269 list_for_each_entry(e, &cache->all, all) {
1270 struct inquiry_data *data = &e->data;
1271
1272 if (copied >= num)
1273 break;
1274
1275 bacpy(&info->bdaddr, &data->bdaddr);
1276 info->pscan_rep_mode = data->pscan_rep_mode;
1277 info->pscan_period_mode = data->pscan_period_mode;
1278 info->pscan_mode = data->pscan_mode;
1279 memcpy(info->dev_class, data->dev_class, 3);
1280 info->clock_offset = data->clock_offset;
1281
1282 info++;
1283 copied++;
1284 }
1285
1286 BT_DBG("cache %p, copied %d", cache, copied);
1287 return copied;
1288}
1289
1290static int hci_inq_req(struct hci_request *req, unsigned long opt)
1291{
1292 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1293 struct hci_dev *hdev = req->hdev;
1294 struct hci_cp_inquiry cp;
1295
1296 BT_DBG("%s", hdev->name);
1297
1298 if (test_bit(HCI_INQUIRY, &hdev->flags))
1299 return 0;
1300
1301 /* Start Inquiry */
1302 memcpy(&cp.lap, &ir->lap, 3);
1303 cp.length = ir->length;
1304 cp.num_rsp = ir->num_rsp;
1305 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1306
1307 return 0;
1308}
1309
1310int hci_inquiry(void __user *arg)
1311{
1312 __u8 __user *ptr = arg;
1313 struct hci_inquiry_req ir;
1314 struct hci_dev *hdev;
1315 int err = 0, do_inquiry = 0, max_rsp;
1316 long timeo;
1317 __u8 *buf;
1318
1319 if (copy_from_user(&ir, ptr, sizeof(ir)))
1320 return -EFAULT;
1321
1322 hdev = hci_dev_get(ir.dev_id);
1323 if (!hdev)
1324 return -ENODEV;
1325
1326 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1327 err = -EBUSY;
1328 goto done;
1329 }
1330
1331 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1332 err = -EOPNOTSUPP;
1333 goto done;
1334 }
1335
1336 if (hdev->dev_type != HCI_PRIMARY) {
1337 err = -EOPNOTSUPP;
1338 goto done;
1339 }
1340
1341 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1342 err = -EOPNOTSUPP;
1343 goto done;
1344 }
1345
1346 /* Restrict maximum inquiry length to 60 seconds */
1347 if (ir.length > 60) {
1348 err = -EINVAL;
1349 goto done;
1350 }
1351
1352 hci_dev_lock(hdev);
1353 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1354 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1355 hci_inquiry_cache_flush(hdev);
1356 do_inquiry = 1;
1357 }
1358 hci_dev_unlock(hdev);
1359
1360 timeo = ir.length * msecs_to_jiffies(2000);
1361
1362 if (do_inquiry) {
1363 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1364 timeo, NULL);
1365 if (err < 0)
1366 goto done;
1367
1368 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1369 * cleared). If it is interrupted by a signal, return -EINTR.
1370 */
1371 if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1372 TASK_INTERRUPTIBLE)) {
1373 err = -EINTR;
1374 goto done;
1375 }
1376 }
1377
1378 /* for unlimited number of responses we will use buffer with
1379 * 255 entries
1380 */
1381 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1382
1383 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1384 * copy it to the user space.
1385 */
1386 buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
1387 if (!buf) {
1388 err = -ENOMEM;
1389 goto done;
1390 }
1391
1392 hci_dev_lock(hdev);
1393 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1394 hci_dev_unlock(hdev);
1395
1396 BT_DBG("num_rsp %d", ir.num_rsp);
1397
1398 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1399 ptr += sizeof(ir);
1400 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1401 ir.num_rsp))
1402 err = -EFAULT;
1403 } else
1404 err = -EFAULT;
1405
1406 kfree(buf);
1407
1408done:
1409 hci_dev_put(hdev);
1410 return err;
1411}
1412
1413/**
1414 * hci_dev_get_bd_addr_from_property - Get the Bluetooth Device Address
1415 * (BD_ADDR) for a HCI device from
1416 * a firmware node property.
1417 * @hdev: The HCI device
1418 *
1419 * Search the firmware node for 'local-bd-address'.
1420 *
1421 * All-zero BD addresses are rejected, because those could be properties
1422 * that exist in the firmware tables, but were not updated by the firmware. For
1423 * example, the DTS could define 'local-bd-address', with zero BD addresses.
1424 */
1425static void hci_dev_get_bd_addr_from_property(struct hci_dev *hdev)
1426{
1427 struct fwnode_handle *fwnode = dev_fwnode(hdev->dev.parent);
1428 bdaddr_t ba;
1429 int ret;
1430
1431 ret = fwnode_property_read_u8_array(fwnode, "local-bd-address",
1432 (u8 *)&ba, sizeof(ba));
1433 if (ret < 0 || !bacmp(&ba, BDADDR_ANY))
1434 return;
1435
1436 bacpy(&hdev->public_addr, &ba);
1437}
1438
1439static int hci_dev_do_open(struct hci_dev *hdev)
1440{
1441 int ret = 0;
1442
1443 BT_DBG("%s %p", hdev->name, hdev);
1444
1445 hci_req_sync_lock(hdev);
1446
1447 if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1448 ret = -ENODEV;
1449 goto done;
1450 }
1451
1452 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1453 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
1454 /* Check for rfkill but allow the HCI setup stage to
1455 * proceed (which in itself doesn't cause any RF activity).
1456 */
1457 if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
1458 ret = -ERFKILL;
1459 goto done;
1460 }
1461
1462 /* Check for valid public address or a configured static
1463 * random address, but let the HCI setup proceed to
1464 * be able to determine if there is a public address
1465 * or not.
1466 *
1467 * In case of user channel usage, it is not important
1468 * if a public address or static random address is
1469 * available.
1470 *
1471 * This check is only valid for BR/EDR controllers
1472 * since AMP controllers do not have an address.
1473 */
1474 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1475 hdev->dev_type == HCI_PRIMARY &&
1476 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1477 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1478 ret = -EADDRNOTAVAIL;
1479 goto done;
1480 }
1481 }
1482
1483 if (test_bit(HCI_UP, &hdev->flags)) {
1484 ret = -EALREADY;
1485 goto done;
1486 }
1487
1488 if (hdev->open(hdev)) {
1489 ret = -EIO;
1490 goto done;
1491 }
1492
1493 set_bit(HCI_RUNNING, &hdev->flags);
1494 hci_sock_dev_event(hdev, HCI_DEV_OPEN);
1495
1496 atomic_set(&hdev->cmd_cnt, 1);
1497 set_bit(HCI_INIT, &hdev->flags);
1498
1499 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1500 test_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks)) {
1501 bool invalid_bdaddr;
1502
1503 hci_sock_dev_event(hdev, HCI_DEV_SETUP);
1504
1505 if (hdev->setup)
1506 ret = hdev->setup(hdev);
1507
1508 /* The transport driver can set the quirk to mark the
1509 * BD_ADDR invalid before creating the HCI device or in
1510 * its setup callback.
1511 */
1512 invalid_bdaddr = test_bit(HCI_QUIRK_INVALID_BDADDR,
1513 &hdev->quirks);
1514
1515 if (ret)
1516 goto setup_failed;
1517
1518 if (test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) {
1519 if (!bacmp(&hdev->public_addr, BDADDR_ANY))
1520 hci_dev_get_bd_addr_from_property(hdev);
1521
1522 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1523 hdev->set_bdaddr) {
1524 ret = hdev->set_bdaddr(hdev,
1525 &hdev->public_addr);
1526
1527 /* If setting of the BD_ADDR from the device
1528 * property succeeds, then treat the address
1529 * as valid even if the invalid BD_ADDR
1530 * quirk indicates otherwise.
1531 */
1532 if (!ret)
1533 invalid_bdaddr = false;
1534 }
1535 }
1536
1537setup_failed:
1538 /* The transport driver can set these quirks before
1539 * creating the HCI device or in its setup callback.
1540 *
1541 * For the invalid BD_ADDR quirk it is possible that
1542 * it becomes a valid address if the bootloader does
1543 * provide it (see above).
1544 *
1545 * In case any of them is set, the controller has to
1546 * start up as unconfigured.
1547 */
1548 if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1549 invalid_bdaddr)
1550 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
1551
1552 /* For an unconfigured controller it is required to
1553 * read at least the version information provided by
1554 * the Read Local Version Information command.
1555 *
1556 * If the set_bdaddr driver callback is provided, then
1557 * also the original Bluetooth public device address
1558 * will be read using the Read BD Address command.
1559 */
1560 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1561 ret = __hci_unconf_init(hdev);
1562 }
1563
1564 if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
1565 /* If public address change is configured, ensure that
1566 * the address gets programmed. If the driver does not
1567 * support changing the public address, fail the power
1568 * on procedure.
1569 */
1570 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1571 hdev->set_bdaddr)
1572 ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1573 else
1574 ret = -EADDRNOTAVAIL;
1575 }
1576
1577 if (!ret) {
1578 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1579 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1580 ret = __hci_init(hdev);
1581 if (!ret && hdev->post_init)
1582 ret = hdev->post_init(hdev);
1583 }
1584 }
1585
1586 /* If the HCI Reset command is clearing all diagnostic settings,
1587 * then they need to be reprogrammed after the init procedure
1588 * completed.
1589 */
1590 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
1591 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1592 hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
1593 ret = hdev->set_diag(hdev, true);
1594
1595 msft_do_open(hdev);
1596 aosp_do_open(hdev);
1597
1598 clear_bit(HCI_INIT, &hdev->flags);
1599
1600 if (!ret) {
1601 hci_dev_hold(hdev);
1602 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1603 hci_adv_instances_set_rpa_expired(hdev, true);
1604 set_bit(HCI_UP, &hdev->flags);
1605 hci_sock_dev_event(hdev, HCI_DEV_UP);
1606 hci_leds_update_powered(hdev, true);
1607 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1608 !hci_dev_test_flag(hdev, HCI_CONFIG) &&
1609 !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1610 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1611 hci_dev_test_flag(hdev, HCI_MGMT) &&
1612 hdev->dev_type == HCI_PRIMARY) {
1613 ret = __hci_req_hci_power_on(hdev);
1614 mgmt_power_on(hdev, ret);
1615 }
1616 } else {
1617 /* Init failed, cleanup */
1618 flush_work(&hdev->tx_work);
1619
1620 /* Since hci_rx_work() is possible to awake new cmd_work
1621 * it should be flushed first to avoid unexpected call of
1622 * hci_cmd_work()
1623 */
1624 flush_work(&hdev->rx_work);
1625 flush_work(&hdev->cmd_work);
1626
1627 skb_queue_purge(&hdev->cmd_q);
1628 skb_queue_purge(&hdev->rx_q);
1629
1630 if (hdev->flush)
1631 hdev->flush(hdev);
1632
1633 if (hdev->sent_cmd) {
1634 kfree_skb(hdev->sent_cmd);
1635 hdev->sent_cmd = NULL;
1636 }
1637
1638 clear_bit(HCI_RUNNING, &hdev->flags);
1639 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1640
1641 hdev->close(hdev);
1642 hdev->flags &= BIT(HCI_RAW);
1643 }
1644
1645done:
1646 hci_req_sync_unlock(hdev);
1647 return ret;
1648}
1649
1650/* ---- HCI ioctl helpers ---- */
1651
1652int hci_dev_open(__u16 dev)
1653{
1654 struct hci_dev *hdev;
1655 int err;
1656
1657 hdev = hci_dev_get(dev);
1658 if (!hdev)
1659 return -ENODEV;
1660
1661 /* Devices that are marked as unconfigured can only be powered
1662 * up as user channel. Trying to bring them up as normal devices
1663 * will result into a failure. Only user channel operation is
1664 * possible.
1665 *
1666 * When this function is called for a user channel, the flag
1667 * HCI_USER_CHANNEL will be set first before attempting to
1668 * open the device.
1669 */
1670 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1671 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1672 err = -EOPNOTSUPP;
1673 goto done;
1674 }
1675
1676 /* We need to ensure that no other power on/off work is pending
1677 * before proceeding to call hci_dev_do_open. This is
1678 * particularly important if the setup procedure has not yet
1679 * completed.
1680 */
1681 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1682 cancel_delayed_work(&hdev->power_off);
1683
1684 /* After this call it is guaranteed that the setup procedure
1685 * has finished. This means that error conditions like RFKILL
1686 * or no valid public or static random address apply.
1687 */
1688 flush_workqueue(hdev->req_workqueue);
1689
1690 /* For controllers not using the management interface and that
1691 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1692 * so that pairing works for them. Once the management interface
1693 * is in use this bit will be cleared again and userspace has
1694 * to explicitly enable it.
1695 */
1696 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1697 !hci_dev_test_flag(hdev, HCI_MGMT))
1698 hci_dev_set_flag(hdev, HCI_BONDABLE);
1699
1700 err = hci_dev_do_open(hdev);
1701
1702done:
1703 hci_dev_put(hdev);
1704 return err;
1705}
1706
1707/* This function requires the caller holds hdev->lock */
1708static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1709{
1710 struct hci_conn_params *p;
1711
1712 list_for_each_entry(p, &hdev->le_conn_params, list) {
1713 if (p->conn) {
1714 hci_conn_drop(p->conn);
1715 hci_conn_put(p->conn);
1716 p->conn = NULL;
1717 }
1718 list_del_init(&p->action);
1719 }
1720
1721 BT_DBG("All LE pending actions cleared");
1722}
1723
1724int hci_dev_do_close(struct hci_dev *hdev)
1725{
1726 bool auto_off;
1727
1728 BT_DBG("%s %p", hdev->name, hdev);
1729
1730 cancel_delayed_work(&hdev->power_off);
1731 cancel_delayed_work(&hdev->ncmd_timer);
1732
1733 hci_request_cancel_all(hdev);
1734 hci_req_sync_lock(hdev);
1735
1736 if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
1737 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1738 test_bit(HCI_UP, &hdev->flags)) {
1739 /* Execute vendor specific shutdown routine */
1740 if (hdev->shutdown)
1741 hdev->shutdown(hdev);
1742 }
1743
1744 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1745 cancel_delayed_work_sync(&hdev->cmd_timer);
1746 hci_req_sync_unlock(hdev);
1747 return 0;
1748 }
1749
1750 hci_leds_update_powered(hdev, false);
1751
1752 /* Flush RX and TX works */
1753 flush_work(&hdev->tx_work);
1754 flush_work(&hdev->rx_work);
1755
1756 if (hdev->discov_timeout > 0) {
1757 hdev->discov_timeout = 0;
1758 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1759 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1760 }
1761
1762 if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1763 cancel_delayed_work(&hdev->service_cache);
1764
1765 if (hci_dev_test_flag(hdev, HCI_MGMT)) {
1766 struct adv_info *adv_instance;
1767
1768 cancel_delayed_work_sync(&hdev->rpa_expired);
1769
1770 list_for_each_entry(adv_instance, &hdev->adv_instances, list)
1771 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
1772 }
1773
1774 /* Avoid potential lockdep warnings from the *_flush() calls by
1775 * ensuring the workqueue is empty up front.
1776 */
1777 drain_workqueue(hdev->workqueue);
1778
1779 hci_dev_lock(hdev);
1780
1781 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1782
1783 auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
1784
1785 if (!auto_off && hdev->dev_type == HCI_PRIMARY &&
1786 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1787 hci_dev_test_flag(hdev, HCI_MGMT))
1788 __mgmt_power_off(hdev);
1789
1790 hci_inquiry_cache_flush(hdev);
1791 hci_pend_le_actions_clear(hdev);
1792 hci_conn_hash_flush(hdev);
1793 hci_dev_unlock(hdev);
1794
1795 smp_unregister(hdev);
1796
1797 hci_sock_dev_event(hdev, HCI_DEV_DOWN);
1798
1799 aosp_do_close(hdev);
1800 msft_do_close(hdev);
1801
1802 if (hdev->flush)
1803 hdev->flush(hdev);
1804
1805 /* Reset device */
1806 skb_queue_purge(&hdev->cmd_q);
1807 atomic_set(&hdev->cmd_cnt, 1);
1808 if (test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks) &&
1809 !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1810 set_bit(HCI_INIT, &hdev->flags);
1811 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT, NULL);
1812 clear_bit(HCI_INIT, &hdev->flags);
1813 }
1814
1815 /* flush cmd work */
1816 flush_work(&hdev->cmd_work);
1817
1818 /* Drop queues */
1819 skb_queue_purge(&hdev->rx_q);
1820 skb_queue_purge(&hdev->cmd_q);
1821 skb_queue_purge(&hdev->raw_q);
1822
1823 /* Drop last sent command */
1824 if (hdev->sent_cmd) {
1825 cancel_delayed_work_sync(&hdev->cmd_timer);
1826 kfree_skb(hdev->sent_cmd);
1827 hdev->sent_cmd = NULL;
1828 }
1829
1830 clear_bit(HCI_RUNNING, &hdev->flags);
1831 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1832
1833 if (test_and_clear_bit(SUSPEND_POWERING_DOWN, hdev->suspend_tasks))
1834 wake_up(&hdev->suspend_wait_q);
1835
1836 /* After this point our queues are empty
1837 * and no tasks are scheduled. */
1838 hdev->close(hdev);
1839
1840 /* Clear flags */
1841 hdev->flags &= BIT(HCI_RAW);
1842 hci_dev_clear_volatile_flags(hdev);
1843
1844 /* Controller radio is available but is currently powered down */
1845 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1846
1847 memset(hdev->eir, 0, sizeof(hdev->eir));
1848 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1849 bacpy(&hdev->random_addr, BDADDR_ANY);
1850
1851 hci_req_sync_unlock(hdev);
1852
1853 hci_dev_put(hdev);
1854 return 0;
1855}
1856
1857int hci_dev_close(__u16 dev)
1858{
1859 struct hci_dev *hdev;
1860 int err;
1861
1862 hdev = hci_dev_get(dev);
1863 if (!hdev)
1864 return -ENODEV;
1865
1866 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1867 err = -EBUSY;
1868 goto done;
1869 }
1870
1871 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1872 cancel_delayed_work(&hdev->power_off);
1873
1874 err = hci_dev_do_close(hdev);
1875
1876done:
1877 hci_dev_put(hdev);
1878 return err;
1879}
1880
1881static int hci_dev_do_reset(struct hci_dev *hdev)
1882{
1883 int ret;
1884
1885 BT_DBG("%s %p", hdev->name, hdev);
1886
1887 hci_req_sync_lock(hdev);
1888
1889 /* Drop queues */
1890 skb_queue_purge(&hdev->rx_q);
1891 skb_queue_purge(&hdev->cmd_q);
1892
1893 /* Avoid potential lockdep warnings from the *_flush() calls by
1894 * ensuring the workqueue is empty up front.
1895 */
1896 drain_workqueue(hdev->workqueue);
1897
1898 hci_dev_lock(hdev);
1899 hci_inquiry_cache_flush(hdev);
1900 hci_conn_hash_flush(hdev);
1901 hci_dev_unlock(hdev);
1902
1903 if (hdev->flush)
1904 hdev->flush(hdev);
1905
1906 atomic_set(&hdev->cmd_cnt, 1);
1907 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1908
1909 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT, NULL);
1910
1911 hci_req_sync_unlock(hdev);
1912 return ret;
1913}
1914
1915int hci_dev_reset(__u16 dev)
1916{
1917 struct hci_dev *hdev;
1918 int err;
1919
1920 hdev = hci_dev_get(dev);
1921 if (!hdev)
1922 return -ENODEV;
1923
1924 if (!test_bit(HCI_UP, &hdev->flags)) {
1925 err = -ENETDOWN;
1926 goto done;
1927 }
1928
1929 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1930 err = -EBUSY;
1931 goto done;
1932 }
1933
1934 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1935 err = -EOPNOTSUPP;
1936 goto done;
1937 }
1938
1939 err = hci_dev_do_reset(hdev);
1940
1941done:
1942 hci_dev_put(hdev);
1943 return err;
1944}
1945
1946int hci_dev_reset_stat(__u16 dev)
1947{
1948 struct hci_dev *hdev;
1949 int ret = 0;
1950
1951 hdev = hci_dev_get(dev);
1952 if (!hdev)
1953 return -ENODEV;
1954
1955 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1956 ret = -EBUSY;
1957 goto done;
1958 }
1959
1960 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1961 ret = -EOPNOTSUPP;
1962 goto done;
1963 }
1964
1965 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1966
1967done:
1968 hci_dev_put(hdev);
1969 return ret;
1970}
1971
1972static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1973{
1974 bool conn_changed, discov_changed;
1975
1976 BT_DBG("%s scan 0x%02x", hdev->name, scan);
1977
1978 if ((scan & SCAN_PAGE))
1979 conn_changed = !hci_dev_test_and_set_flag(hdev,
1980 HCI_CONNECTABLE);
1981 else
1982 conn_changed = hci_dev_test_and_clear_flag(hdev,
1983 HCI_CONNECTABLE);
1984
1985 if ((scan & SCAN_INQUIRY)) {
1986 discov_changed = !hci_dev_test_and_set_flag(hdev,
1987 HCI_DISCOVERABLE);
1988 } else {
1989 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1990 discov_changed = hci_dev_test_and_clear_flag(hdev,
1991 HCI_DISCOVERABLE);
1992 }
1993
1994 if (!hci_dev_test_flag(hdev, HCI_MGMT))
1995 return;
1996
1997 if (conn_changed || discov_changed) {
1998 /* In case this was disabled through mgmt */
1999 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
2000
2001 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2002 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
2003
2004 mgmt_new_settings(hdev);
2005 }
2006}
2007
2008int hci_dev_cmd(unsigned int cmd, void __user *arg)
2009{
2010 struct hci_dev *hdev;
2011 struct hci_dev_req dr;
2012 int err = 0;
2013
2014 if (copy_from_user(&dr, arg, sizeof(dr)))
2015 return -EFAULT;
2016
2017 hdev = hci_dev_get(dr.dev_id);
2018 if (!hdev)
2019 return -ENODEV;
2020
2021 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
2022 err = -EBUSY;
2023 goto done;
2024 }
2025
2026 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
2027 err = -EOPNOTSUPP;
2028 goto done;
2029 }
2030
2031 if (hdev->dev_type != HCI_PRIMARY) {
2032 err = -EOPNOTSUPP;
2033 goto done;
2034 }
2035
2036 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
2037 err = -EOPNOTSUPP;
2038 goto done;
2039 }
2040
2041 switch (cmd) {
2042 case HCISETAUTH:
2043 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2044 HCI_INIT_TIMEOUT, NULL);
2045 break;
2046
2047 case HCISETENCRYPT:
2048 if (!lmp_encrypt_capable(hdev)) {
2049 err = -EOPNOTSUPP;
2050 break;
2051 }
2052
2053 if (!test_bit(HCI_AUTH, &hdev->flags)) {
2054 /* Auth must be enabled first */
2055 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2056 HCI_INIT_TIMEOUT, NULL);
2057 if (err)
2058 break;
2059 }
2060
2061 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
2062 HCI_INIT_TIMEOUT, NULL);
2063 break;
2064
2065 case HCISETSCAN:
2066 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
2067 HCI_INIT_TIMEOUT, NULL);
2068
2069 /* Ensure that the connectable and discoverable states
2070 * get correctly modified as this was a non-mgmt change.
2071 */
2072 if (!err)
2073 hci_update_scan_state(hdev, dr.dev_opt);
2074 break;
2075
2076 case HCISETLINKPOL:
2077 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
2078 HCI_INIT_TIMEOUT, NULL);
2079 break;
2080
2081 case HCISETLINKMODE:
2082 hdev->link_mode = ((__u16) dr.dev_opt) &
2083 (HCI_LM_MASTER | HCI_LM_ACCEPT);
2084 break;
2085
2086 case HCISETPTYPE:
2087 if (hdev->pkt_type == (__u16) dr.dev_opt)
2088 break;
2089
2090 hdev->pkt_type = (__u16) dr.dev_opt;
2091 mgmt_phy_configuration_changed(hdev, NULL);
2092 break;
2093
2094 case HCISETACLMTU:
2095 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
2096 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
2097 break;
2098
2099 case HCISETSCOMTU:
2100 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
2101 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
2102 break;
2103
2104 default:
2105 err = -EINVAL;
2106 break;
2107 }
2108
2109done:
2110 hci_dev_put(hdev);
2111 return err;
2112}
2113
2114int hci_get_dev_list(void __user *arg)
2115{
2116 struct hci_dev *hdev;
2117 struct hci_dev_list_req *dl;
2118 struct hci_dev_req *dr;
2119 int n = 0, size, err;
2120 __u16 dev_num;
2121
2122 if (get_user(dev_num, (__u16 __user *) arg))
2123 return -EFAULT;
2124
2125 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
2126 return -EINVAL;
2127
2128 size = sizeof(*dl) + dev_num * sizeof(*dr);
2129
2130 dl = kzalloc(size, GFP_KERNEL);
2131 if (!dl)
2132 return -ENOMEM;
2133
2134 dr = dl->dev_req;
2135
2136 read_lock(&hci_dev_list_lock);
2137 list_for_each_entry(hdev, &hci_dev_list, list) {
2138 unsigned long flags = hdev->flags;
2139
2140 /* When the auto-off is configured it means the transport
2141 * is running, but in that case still indicate that the
2142 * device is actually down.
2143 */
2144 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
2145 flags &= ~BIT(HCI_UP);
2146
2147 (dr + n)->dev_id = hdev->id;
2148 (dr + n)->dev_opt = flags;
2149
2150 if (++n >= dev_num)
2151 break;
2152 }
2153 read_unlock(&hci_dev_list_lock);
2154
2155 dl->dev_num = n;
2156 size = sizeof(*dl) + n * sizeof(*dr);
2157
2158 err = copy_to_user(arg, dl, size);
2159 kfree(dl);
2160
2161 return err ? -EFAULT : 0;
2162}
2163
2164int hci_get_dev_info(void __user *arg)
2165{
2166 struct hci_dev *hdev;
2167 struct hci_dev_info di;
2168 unsigned long flags;
2169 int err = 0;
2170
2171 if (copy_from_user(&di, arg, sizeof(di)))
2172 return -EFAULT;
2173
2174 hdev = hci_dev_get(di.dev_id);
2175 if (!hdev)
2176 return -ENODEV;
2177
2178 /* When the auto-off is configured it means the transport
2179 * is running, but in that case still indicate that the
2180 * device is actually down.
2181 */
2182 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
2183 flags = hdev->flags & ~BIT(HCI_UP);
2184 else
2185 flags = hdev->flags;
2186
2187 strcpy(di.name, hdev->name);
2188 di.bdaddr = hdev->bdaddr;
2189 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
2190 di.flags = flags;
2191 di.pkt_type = hdev->pkt_type;
2192 if (lmp_bredr_capable(hdev)) {
2193 di.acl_mtu = hdev->acl_mtu;
2194 di.acl_pkts = hdev->acl_pkts;
2195 di.sco_mtu = hdev->sco_mtu;
2196 di.sco_pkts = hdev->sco_pkts;
2197 } else {
2198 di.acl_mtu = hdev->le_mtu;
2199 di.acl_pkts = hdev->le_pkts;
2200 di.sco_mtu = 0;
2201 di.sco_pkts = 0;
2202 }
2203 di.link_policy = hdev->link_policy;
2204 di.link_mode = hdev->link_mode;
2205
2206 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
2207 memcpy(&di.features, &hdev->features, sizeof(di.features));
2208
2209 if (copy_to_user(arg, &di, sizeof(di)))
2210 err = -EFAULT;
2211
2212 hci_dev_put(hdev);
2213
2214 return err;
2215}
2216
2217/* ---- Interface to HCI drivers ---- */
2218
2219static int hci_rfkill_set_block(void *data, bool blocked)
2220{
2221 struct hci_dev *hdev = data;
2222
2223 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
2224
2225 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
2226 return -EBUSY;
2227
2228 if (blocked) {
2229 hci_dev_set_flag(hdev, HCI_RFKILLED);
2230 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
2231 !hci_dev_test_flag(hdev, HCI_CONFIG))
2232 hci_dev_do_close(hdev);
2233 } else {
2234 hci_dev_clear_flag(hdev, HCI_RFKILLED);
2235 }
2236
2237 return 0;
2238}
2239
2240static const struct rfkill_ops hci_rfkill_ops = {
2241 .set_block = hci_rfkill_set_block,
2242};
2243
2244static void hci_power_on(struct work_struct *work)
2245{
2246 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2247 int err;
2248
2249 BT_DBG("%s", hdev->name);
2250
2251 if (test_bit(HCI_UP, &hdev->flags) &&
2252 hci_dev_test_flag(hdev, HCI_MGMT) &&
2253 hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
2254 cancel_delayed_work(&hdev->power_off);
2255 hci_req_sync_lock(hdev);
2256 err = __hci_req_hci_power_on(hdev);
2257 hci_req_sync_unlock(hdev);
2258 mgmt_power_on(hdev, err);
2259 return;
2260 }
2261
2262 err = hci_dev_do_open(hdev);
2263 if (err < 0) {
2264 hci_dev_lock(hdev);
2265 mgmt_set_powered_failed(hdev, err);
2266 hci_dev_unlock(hdev);
2267 return;
2268 }
2269
2270 /* During the HCI setup phase, a few error conditions are
2271 * ignored and they need to be checked now. If they are still
2272 * valid, it is important to turn the device back off.
2273 */
2274 if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
2275 hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
2276 (hdev->dev_type == HCI_PRIMARY &&
2277 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2278 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2279 hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
2280 hci_dev_do_close(hdev);
2281 } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
2282 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2283 HCI_AUTO_OFF_TIMEOUT);
2284 }
2285
2286 if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
2287 /* For unconfigured devices, set the HCI_RAW flag
2288 * so that userspace can easily identify them.
2289 */
2290 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2291 set_bit(HCI_RAW, &hdev->flags);
2292
2293 /* For fully configured devices, this will send
2294 * the Index Added event. For unconfigured devices,
2295 * it will send Unconfigued Index Added event.
2296 *
2297 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2298 * and no event will be send.
2299 */
2300 mgmt_index_added(hdev);
2301 } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
2302 /* When the controller is now configured, then it
2303 * is important to clear the HCI_RAW flag.
2304 */
2305 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2306 clear_bit(HCI_RAW, &hdev->flags);
2307
2308 /* Powering on the controller with HCI_CONFIG set only
2309 * happens with the transition from unconfigured to
2310 * configured. This will send the Index Added event.
2311 */
2312 mgmt_index_added(hdev);
2313 }
2314}
2315
2316static void hci_power_off(struct work_struct *work)
2317{
2318 struct hci_dev *hdev = container_of(work, struct hci_dev,
2319 power_off.work);
2320
2321 BT_DBG("%s", hdev->name);
2322
2323 hci_dev_do_close(hdev);
2324}
2325
2326static void hci_error_reset(struct work_struct *work)
2327{
2328 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2329
2330 BT_DBG("%s", hdev->name);
2331
2332 if (hdev->hw_error)
2333 hdev->hw_error(hdev, hdev->hw_error_code);
2334 else
2335 bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code);
2336
2337 if (hci_dev_do_close(hdev))
2338 return;
2339
2340 hci_dev_do_open(hdev);
2341}
2342
2343void hci_uuids_clear(struct hci_dev *hdev)
2344{
2345 struct bt_uuid *uuid, *tmp;
2346
2347 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2348 list_del(&uuid->list);
2349 kfree(uuid);
2350 }
2351}
2352
2353void hci_link_keys_clear(struct hci_dev *hdev)
2354{
2355 struct link_key *key;
2356
2357 list_for_each_entry(key, &hdev->link_keys, list) {
2358 list_del_rcu(&key->list);
2359 kfree_rcu(key, rcu);
2360 }
2361}
2362
2363void hci_smp_ltks_clear(struct hci_dev *hdev)
2364{
2365 struct smp_ltk *k;
2366
2367 list_for_each_entry(k, &hdev->long_term_keys, list) {
2368 list_del_rcu(&k->list);
2369 kfree_rcu(k, rcu);
2370 }
2371}
2372
2373void hci_smp_irks_clear(struct hci_dev *hdev)
2374{
2375 struct smp_irk *k;
2376
2377 list_for_each_entry(k, &hdev->identity_resolving_keys, list) {
2378 list_del_rcu(&k->list);
2379 kfree_rcu(k, rcu);
2380 }
2381}
2382
2383void hci_blocked_keys_clear(struct hci_dev *hdev)
2384{
2385 struct blocked_key *b;
2386
2387 list_for_each_entry(b, &hdev->blocked_keys, list) {
2388 list_del_rcu(&b->list);
2389 kfree_rcu(b, rcu);
2390 }
2391}
2392
2393bool hci_is_blocked_key(struct hci_dev *hdev, u8 type, u8 val[16])
2394{
2395 bool blocked = false;
2396 struct blocked_key *b;
2397
2398 rcu_read_lock();
2399 list_for_each_entry_rcu(b, &hdev->blocked_keys, list) {
2400 if (b->type == type && !memcmp(b->val, val, sizeof(b->val))) {
2401 blocked = true;
2402 break;
2403 }
2404 }
2405
2406 rcu_read_unlock();
2407 return blocked;
2408}
2409
2410struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2411{
2412 struct link_key *k;
2413
2414 rcu_read_lock();
2415 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2416 if (bacmp(bdaddr, &k->bdaddr) == 0) {
2417 rcu_read_unlock();
2418
2419 if (hci_is_blocked_key(hdev,
2420 HCI_BLOCKED_KEY_TYPE_LINKKEY,
2421 k->val)) {
2422 bt_dev_warn_ratelimited(hdev,
2423 "Link key blocked for %pMR",
2424 &k->bdaddr);
2425 return NULL;
2426 }
2427
2428 return k;
2429 }
2430 }
2431 rcu_read_unlock();
2432
2433 return NULL;
2434}
2435
2436static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2437 u8 key_type, u8 old_key_type)
2438{
2439 /* Legacy key */
2440 if (key_type < 0x03)
2441 return true;
2442
2443 /* Debug keys are insecure so don't store them persistently */
2444 if (key_type == HCI_LK_DEBUG_COMBINATION)
2445 return false;
2446
2447 /* Changed combination key and there's no previous one */
2448 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2449 return false;
2450
2451 /* Security mode 3 case */
2452 if (!conn)
2453 return true;
2454
2455 /* BR/EDR key derived using SC from an LE link */
2456 if (conn->type == LE_LINK)
2457 return true;
2458
2459 /* Neither local nor remote side had no-bonding as requirement */
2460 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2461 return true;
2462
2463 /* Local side had dedicated bonding as requirement */
2464 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2465 return true;
2466
2467 /* Remote side had dedicated bonding as requirement */
2468 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2469 return true;
2470
2471 /* If none of the above criteria match, then don't store the key
2472 * persistently */
2473 return false;
2474}
2475
2476static u8 ltk_role(u8 type)
2477{
2478 if (type == SMP_LTK)
2479 return HCI_ROLE_MASTER;
2480
2481 return HCI_ROLE_SLAVE;
2482}
2483
2484struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2485 u8 addr_type, u8 role)
2486{
2487 struct smp_ltk *k;
2488
2489 rcu_read_lock();
2490 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2491 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2492 continue;
2493
2494 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2495 rcu_read_unlock();
2496
2497 if (hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2498 k->val)) {
2499 bt_dev_warn_ratelimited(hdev,
2500 "LTK blocked for %pMR",
2501 &k->bdaddr);
2502 return NULL;
2503 }
2504
2505 return k;
2506 }
2507 }
2508 rcu_read_unlock();
2509
2510 return NULL;
2511}
2512
2513struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2514{
2515 struct smp_irk *irk_to_return = NULL;
2516 struct smp_irk *irk;
2517
2518 rcu_read_lock();
2519 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2520 if (!bacmp(&irk->rpa, rpa)) {
2521 irk_to_return = irk;
2522 goto done;
2523 }
2524 }
2525
2526 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2527 if (smp_irk_matches(hdev, irk->val, rpa)) {
2528 bacpy(&irk->rpa, rpa);
2529 irk_to_return = irk;
2530 goto done;
2531 }
2532 }
2533
2534done:
2535 if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2536 irk_to_return->val)) {
2537 bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
2538 &irk_to_return->bdaddr);
2539 irk_to_return = NULL;
2540 }
2541
2542 rcu_read_unlock();
2543
2544 return irk_to_return;
2545}
2546
2547struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2548 u8 addr_type)
2549{
2550 struct smp_irk *irk_to_return = NULL;
2551 struct smp_irk *irk;
2552
2553 /* Identity Address must be public or static random */
2554 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2555 return NULL;
2556
2557 rcu_read_lock();
2558 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2559 if (addr_type == irk->addr_type &&
2560 bacmp(bdaddr, &irk->bdaddr) == 0) {
2561 irk_to_return = irk;
2562 goto done;
2563 }
2564 }
2565
2566done:
2567
2568 if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2569 irk_to_return->val)) {
2570 bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
2571 &irk_to_return->bdaddr);
2572 irk_to_return = NULL;
2573 }
2574
2575 rcu_read_unlock();
2576
2577 return irk_to_return;
2578}
2579
2580struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2581 bdaddr_t *bdaddr, u8 *val, u8 type,
2582 u8 pin_len, bool *persistent)
2583{
2584 struct link_key *key, *old_key;
2585 u8 old_key_type;
2586
2587 old_key = hci_find_link_key(hdev, bdaddr);
2588 if (old_key) {
2589 old_key_type = old_key->type;
2590 key = old_key;
2591 } else {
2592 old_key_type = conn ? conn->key_type : 0xff;
2593 key = kzalloc(sizeof(*key), GFP_KERNEL);
2594 if (!key)
2595 return NULL;
2596 list_add_rcu(&key->list, &hdev->link_keys);
2597 }
2598
2599 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2600
2601 /* Some buggy controller combinations generate a changed
2602 * combination key for legacy pairing even when there's no
2603 * previous key */
2604 if (type == HCI_LK_CHANGED_COMBINATION &&
2605 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2606 type = HCI_LK_COMBINATION;
2607 if (conn)
2608 conn->key_type = type;
2609 }
2610
2611 bacpy(&key->bdaddr, bdaddr);
2612 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2613 key->pin_len = pin_len;
2614
2615 if (type == HCI_LK_CHANGED_COMBINATION)
2616 key->type = old_key_type;
2617 else
2618 key->type = type;
2619
2620 if (persistent)
2621 *persistent = hci_persistent_key(hdev, conn, type,
2622 old_key_type);
2623
2624 return key;
2625}
2626
2627struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2628 u8 addr_type, u8 type, u8 authenticated,
2629 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2630{
2631 struct smp_ltk *key, *old_key;
2632 u8 role = ltk_role(type);
2633
2634 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2635 if (old_key)
2636 key = old_key;
2637 else {
2638 key = kzalloc(sizeof(*key), GFP_KERNEL);
2639 if (!key)
2640 return NULL;
2641 list_add_rcu(&key->list, &hdev->long_term_keys);
2642 }
2643
2644 bacpy(&key->bdaddr, bdaddr);
2645 key->bdaddr_type = addr_type;
2646 memcpy(key->val, tk, sizeof(key->val));
2647 key->authenticated = authenticated;
2648 key->ediv = ediv;
2649 key->rand = rand;
2650 key->enc_size = enc_size;
2651 key->type = type;
2652
2653 return key;
2654}
2655
2656struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2657 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2658{
2659 struct smp_irk *irk;
2660
2661 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2662 if (!irk) {
2663 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2664 if (!irk)
2665 return NULL;
2666
2667 bacpy(&irk->bdaddr, bdaddr);
2668 irk->addr_type = addr_type;
2669
2670 list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2671 }
2672
2673 memcpy(irk->val, val, 16);
2674 bacpy(&irk->rpa, rpa);
2675
2676 return irk;
2677}
2678
2679int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2680{
2681 struct link_key *key;
2682
2683 key = hci_find_link_key(hdev, bdaddr);
2684 if (!key)
2685 return -ENOENT;
2686
2687 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2688
2689 list_del_rcu(&key->list);
2690 kfree_rcu(key, rcu);
2691
2692 return 0;
2693}
2694
2695int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2696{
2697 struct smp_ltk *k;
2698 int removed = 0;
2699
2700 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2701 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2702 continue;
2703
2704 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2705
2706 list_del_rcu(&k->list);
2707 kfree_rcu(k, rcu);
2708 removed++;
2709 }
2710
2711 return removed ? 0 : -ENOENT;
2712}
2713
2714void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2715{
2716 struct smp_irk *k;
2717
2718 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2719 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2720 continue;
2721
2722 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2723
2724 list_del_rcu(&k->list);
2725 kfree_rcu(k, rcu);
2726 }
2727}
2728
2729bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2730{
2731 struct smp_ltk *k;
2732 struct smp_irk *irk;
2733 u8 addr_type;
2734
2735 if (type == BDADDR_BREDR) {
2736 if (hci_find_link_key(hdev, bdaddr))
2737 return true;
2738 return false;
2739 }
2740
2741 /* Convert to HCI addr type which struct smp_ltk uses */
2742 if (type == BDADDR_LE_PUBLIC)
2743 addr_type = ADDR_LE_DEV_PUBLIC;
2744 else
2745 addr_type = ADDR_LE_DEV_RANDOM;
2746
2747 irk = hci_get_irk(hdev, bdaddr, addr_type);
2748 if (irk) {
2749 bdaddr = &irk->bdaddr;
2750 addr_type = irk->addr_type;
2751 }
2752
2753 rcu_read_lock();
2754 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2755 if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
2756 rcu_read_unlock();
2757 return true;
2758 }
2759 }
2760 rcu_read_unlock();
2761
2762 return false;
2763}
2764
2765/* HCI command timer function */
2766static void hci_cmd_timeout(struct work_struct *work)
2767{
2768 struct hci_dev *hdev = container_of(work, struct hci_dev,
2769 cmd_timer.work);
2770
2771 if (hdev->sent_cmd) {
2772 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2773 u16 opcode = __le16_to_cpu(sent->opcode);
2774
2775 bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
2776 } else {
2777 bt_dev_err(hdev, "command tx timeout");
2778 }
2779
2780 if (hdev->cmd_timeout)
2781 hdev->cmd_timeout(hdev);
2782
2783 atomic_set(&hdev->cmd_cnt, 1);
2784 queue_work(hdev->workqueue, &hdev->cmd_work);
2785}
2786
2787/* HCI ncmd timer function */
2788static void hci_ncmd_timeout(struct work_struct *work)
2789{
2790 struct hci_dev *hdev = container_of(work, struct hci_dev,
2791 ncmd_timer.work);
2792
2793 bt_dev_err(hdev, "Controller not accepting commands anymore: ncmd = 0");
2794
2795 /* During HCI_INIT phase no events can be injected if the ncmd timer
2796 * triggers since the procedure has its own timeout handling.
2797 */
2798 if (test_bit(HCI_INIT, &hdev->flags))
2799 return;
2800
2801 /* This is an irrecoverable state, inject hardware error event */
2802 hci_reset_dev(hdev);
2803}
2804
2805struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2806 bdaddr_t *bdaddr, u8 bdaddr_type)
2807{
2808 struct oob_data *data;
2809
2810 list_for_each_entry(data, &hdev->remote_oob_data, list) {
2811 if (bacmp(bdaddr, &data->bdaddr) != 0)
2812 continue;
2813 if (data->bdaddr_type != bdaddr_type)
2814 continue;
2815 return data;
2816 }
2817
2818 return NULL;
2819}
2820
2821int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2822 u8 bdaddr_type)
2823{
2824 struct oob_data *data;
2825
2826 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2827 if (!data)
2828 return -ENOENT;
2829
2830 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2831
2832 list_del(&data->list);
2833 kfree(data);
2834
2835 return 0;
2836}
2837
2838void hci_remote_oob_data_clear(struct hci_dev *hdev)
2839{
2840 struct oob_data *data, *n;
2841
2842 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2843 list_del(&data->list);
2844 kfree(data);
2845 }
2846}
2847
2848int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2849 u8 bdaddr_type, u8 *hash192, u8 *rand192,
2850 u8 *hash256, u8 *rand256)
2851{
2852 struct oob_data *data;
2853
2854 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2855 if (!data) {
2856 data = kmalloc(sizeof(*data), GFP_KERNEL);
2857 if (!data)
2858 return -ENOMEM;
2859
2860 bacpy(&data->bdaddr, bdaddr);
2861 data->bdaddr_type = bdaddr_type;
2862 list_add(&data->list, &hdev->remote_oob_data);
2863 }
2864
2865 if (hash192 && rand192) {
2866 memcpy(data->hash192, hash192, sizeof(data->hash192));
2867 memcpy(data->rand192, rand192, sizeof(data->rand192));
2868 if (hash256 && rand256)
2869 data->present = 0x03;
2870 } else {
2871 memset(data->hash192, 0, sizeof(data->hash192));
2872 memset(data->rand192, 0, sizeof(data->rand192));
2873 if (hash256 && rand256)
2874 data->present = 0x02;
2875 else
2876 data->present = 0x00;
2877 }
2878
2879 if (hash256 && rand256) {
2880 memcpy(data->hash256, hash256, sizeof(data->hash256));
2881 memcpy(data->rand256, rand256, sizeof(data->rand256));
2882 } else {
2883 memset(data->hash256, 0, sizeof(data->hash256));
2884 memset(data->rand256, 0, sizeof(data->rand256));
2885 if (hash192 && rand192)
2886 data->present = 0x01;
2887 }
2888
2889 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2890
2891 return 0;
2892}
2893
2894/* This function requires the caller holds hdev->lock */
2895struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
2896{
2897 struct adv_info *adv_instance;
2898
2899 list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
2900 if (adv_instance->instance == instance)
2901 return adv_instance;
2902 }
2903
2904 return NULL;
2905}
2906
2907/* This function requires the caller holds hdev->lock */
2908struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
2909{
2910 struct adv_info *cur_instance;
2911
2912 cur_instance = hci_find_adv_instance(hdev, instance);
2913 if (!cur_instance)
2914 return NULL;
2915
2916 if (cur_instance == list_last_entry(&hdev->adv_instances,
2917 struct adv_info, list))
2918 return list_first_entry(&hdev->adv_instances,
2919 struct adv_info, list);
2920 else
2921 return list_next_entry(cur_instance, list);
2922}
2923
2924/* This function requires the caller holds hdev->lock */
2925int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
2926{
2927 struct adv_info *adv_instance;
2928
2929 adv_instance = hci_find_adv_instance(hdev, instance);
2930 if (!adv_instance)
2931 return -ENOENT;
2932
2933 BT_DBG("%s removing %dMR", hdev->name, instance);
2934
2935 if (hdev->cur_adv_instance == instance) {
2936 if (hdev->adv_instance_timeout) {
2937 cancel_delayed_work(&hdev->adv_instance_expire);
2938 hdev->adv_instance_timeout = 0;
2939 }
2940 hdev->cur_adv_instance = 0x00;
2941 }
2942
2943 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
2944
2945 list_del(&adv_instance->list);
2946 kfree(adv_instance);
2947
2948 hdev->adv_instance_cnt--;
2949
2950 return 0;
2951}
2952
2953void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired)
2954{
2955 struct adv_info *adv_instance, *n;
2956
2957 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list)
2958 adv_instance->rpa_expired = rpa_expired;
2959}
2960
2961/* This function requires the caller holds hdev->lock */
2962void hci_adv_instances_clear(struct hci_dev *hdev)
2963{
2964 struct adv_info *adv_instance, *n;
2965
2966 if (hdev->adv_instance_timeout) {
2967 cancel_delayed_work(&hdev->adv_instance_expire);
2968 hdev->adv_instance_timeout = 0;
2969 }
2970
2971 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
2972 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
2973 list_del(&adv_instance->list);
2974 kfree(adv_instance);
2975 }
2976
2977 hdev->adv_instance_cnt = 0;
2978 hdev->cur_adv_instance = 0x00;
2979}
2980
2981static void adv_instance_rpa_expired(struct work_struct *work)
2982{
2983 struct adv_info *adv_instance = container_of(work, struct adv_info,
2984 rpa_expired_cb.work);
2985
2986 BT_DBG("");
2987
2988 adv_instance->rpa_expired = true;
2989}
2990
2991/* This function requires the caller holds hdev->lock */
2992int hci_add_adv_instance(struct hci_dev *hdev, u8 instance, u32 flags,
2993 u16 adv_data_len, u8 *adv_data,
2994 u16 scan_rsp_len, u8 *scan_rsp_data,
2995 u16 timeout, u16 duration, s8 tx_power,
2996 u32 min_interval, u32 max_interval)
2997{
2998 struct adv_info *adv_instance;
2999
3000 adv_instance = hci_find_adv_instance(hdev, instance);
3001 if (adv_instance) {
3002 memset(adv_instance->adv_data, 0,
3003 sizeof(adv_instance->adv_data));
3004 memset(adv_instance->scan_rsp_data, 0,
3005 sizeof(adv_instance->scan_rsp_data));
3006 } else {
3007 if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets ||
3008 instance < 1 || instance > hdev->le_num_of_adv_sets)
3009 return -EOVERFLOW;
3010
3011 adv_instance = kzalloc(sizeof(*adv_instance), GFP_KERNEL);
3012 if (!adv_instance)
3013 return -ENOMEM;
3014
3015 adv_instance->pending = true;
3016 adv_instance->instance = instance;
3017 list_add(&adv_instance->list, &hdev->adv_instances);
3018 hdev->adv_instance_cnt++;
3019 }
3020
3021 adv_instance->flags = flags;
3022 adv_instance->adv_data_len = adv_data_len;
3023 adv_instance->scan_rsp_len = scan_rsp_len;
3024 adv_instance->min_interval = min_interval;
3025 adv_instance->max_interval = max_interval;
3026 adv_instance->tx_power = tx_power;
3027
3028 if (adv_data_len)
3029 memcpy(adv_instance->adv_data, adv_data, adv_data_len);
3030
3031 if (scan_rsp_len)
3032 memcpy(adv_instance->scan_rsp_data,
3033 scan_rsp_data, scan_rsp_len);
3034
3035 adv_instance->timeout = timeout;
3036 adv_instance->remaining_time = timeout;
3037
3038 if (duration == 0)
3039 adv_instance->duration = hdev->def_multi_adv_rotation_duration;
3040 else
3041 adv_instance->duration = duration;
3042
3043 INIT_DELAYED_WORK(&adv_instance->rpa_expired_cb,
3044 adv_instance_rpa_expired);
3045
3046 BT_DBG("%s for %dMR", hdev->name, instance);
3047
3048 return 0;
3049}
3050
3051/* This function requires the caller holds hdev->lock */
3052int hci_set_adv_instance_data(struct hci_dev *hdev, u8 instance,
3053 u16 adv_data_len, u8 *adv_data,
3054 u16 scan_rsp_len, u8 *scan_rsp_data)
3055{
3056 struct adv_info *adv_instance;
3057
3058 adv_instance = hci_find_adv_instance(hdev, instance);
3059
3060 /* If advertisement doesn't exist, we can't modify its data */
3061 if (!adv_instance)
3062 return -ENOENT;
3063
3064 if (adv_data_len) {
3065 memset(adv_instance->adv_data, 0,
3066 sizeof(adv_instance->adv_data));
3067 memcpy(adv_instance->adv_data, adv_data, adv_data_len);
3068 adv_instance->adv_data_len = adv_data_len;
3069 }
3070
3071 if (scan_rsp_len) {
3072 memset(adv_instance->scan_rsp_data, 0,
3073 sizeof(adv_instance->scan_rsp_data));
3074 memcpy(adv_instance->scan_rsp_data,
3075 scan_rsp_data, scan_rsp_len);
3076 adv_instance->scan_rsp_len = scan_rsp_len;
3077 }
3078
3079 return 0;
3080}
3081
3082/* This function requires the caller holds hdev->lock */
3083void hci_adv_monitors_clear(struct hci_dev *hdev)
3084{
3085 struct adv_monitor *monitor;
3086 int handle;
3087
3088 idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
3089 hci_free_adv_monitor(hdev, monitor);
3090
3091 idr_destroy(&hdev->adv_monitors_idr);
3092}
3093
3094/* Frees the monitor structure and do some bookkeepings.
3095 * This function requires the caller holds hdev->lock.
3096 */
3097void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
3098{
3099 struct adv_pattern *pattern;
3100 struct adv_pattern *tmp;
3101
3102 if (!monitor)
3103 return;
3104
3105 list_for_each_entry_safe(pattern, tmp, &monitor->patterns, list) {
3106 list_del(&pattern->list);
3107 kfree(pattern);
3108 }
3109
3110 if (monitor->handle)
3111 idr_remove(&hdev->adv_monitors_idr, monitor->handle);
3112
3113 if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED) {
3114 hdev->adv_monitors_cnt--;
3115 mgmt_adv_monitor_removed(hdev, monitor->handle);
3116 }
3117
3118 kfree(monitor);
3119}
3120
3121int hci_add_adv_patterns_monitor_complete(struct hci_dev *hdev, u8 status)
3122{
3123 return mgmt_add_adv_patterns_monitor_complete(hdev, status);
3124}
3125
3126int hci_remove_adv_monitor_complete(struct hci_dev *hdev, u8 status)
3127{
3128 return mgmt_remove_adv_monitor_complete(hdev, status);
3129}
3130
3131/* Assigns handle to a monitor, and if offloading is supported and power is on,
3132 * also attempts to forward the request to the controller.
3133 * Returns true if request is forwarded (result is pending), false otherwise.
3134 * This function requires the caller holds hdev->lock.
3135 */
3136bool hci_add_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor,
3137 int *err)
3138{
3139 int min, max, handle;
3140
3141 *err = 0;
3142
3143 if (!monitor) {
3144 *err = -EINVAL;
3145 return false;
3146 }
3147
3148 min = HCI_MIN_ADV_MONITOR_HANDLE;
3149 max = HCI_MIN_ADV_MONITOR_HANDLE + HCI_MAX_ADV_MONITOR_NUM_HANDLES;
3150 handle = idr_alloc(&hdev->adv_monitors_idr, monitor, min, max,
3151 GFP_KERNEL);
3152 if (handle < 0) {
3153 *err = handle;
3154 return false;
3155 }
3156
3157 monitor->handle = handle;
3158
3159 if (!hdev_is_powered(hdev))
3160 return false;
3161
3162 switch (hci_get_adv_monitor_offload_ext(hdev)) {
3163 case HCI_ADV_MONITOR_EXT_NONE:
3164 hci_update_background_scan(hdev);
3165 bt_dev_dbg(hdev, "%s add monitor status %d", hdev->name, *err);
3166 /* Message was not forwarded to controller - not an error */
3167 return false;
3168 case HCI_ADV_MONITOR_EXT_MSFT:
3169 *err = msft_add_monitor_pattern(hdev, monitor);
3170 bt_dev_dbg(hdev, "%s add monitor msft status %d", hdev->name,
3171 *err);
3172 break;
3173 }
3174
3175 return (*err == 0);
3176}
3177
3178/* Attempts to tell the controller and free the monitor. If somehow the
3179 * controller doesn't have a corresponding handle, remove anyway.
3180 * Returns true if request is forwarded (result is pending), false otherwise.
3181 * This function requires the caller holds hdev->lock.
3182 */
3183static bool hci_remove_adv_monitor(struct hci_dev *hdev,
3184 struct adv_monitor *monitor,
3185 u16 handle, int *err)
3186{
3187 *err = 0;
3188
3189 switch (hci_get_adv_monitor_offload_ext(hdev)) {
3190 case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
3191 goto free_monitor;
3192 case HCI_ADV_MONITOR_EXT_MSFT:
3193 *err = msft_remove_monitor(hdev, monitor, handle);
3194 break;
3195 }
3196
3197 /* In case no matching handle registered, just free the monitor */
3198 if (*err == -ENOENT)
3199 goto free_monitor;
3200
3201 return (*err == 0);
3202
3203free_monitor:
3204 if (*err == -ENOENT)
3205 bt_dev_warn(hdev, "Removing monitor with no matching handle %d",
3206 monitor->handle);
3207 hci_free_adv_monitor(hdev, monitor);
3208
3209 *err = 0;
3210 return false;
3211}
3212
3213/* Returns true if request is forwarded (result is pending), false otherwise.
3214 * This function requires the caller holds hdev->lock.
3215 */
3216bool hci_remove_single_adv_monitor(struct hci_dev *hdev, u16 handle, int *err)
3217{
3218 struct adv_monitor *monitor = idr_find(&hdev->adv_monitors_idr, handle);
3219 bool pending;
3220
3221 if (!monitor) {
3222 *err = -EINVAL;
3223 return false;
3224 }
3225
3226 pending = hci_remove_adv_monitor(hdev, monitor, handle, err);
3227 if (!*err && !pending)
3228 hci_update_background_scan(hdev);
3229
3230 bt_dev_dbg(hdev, "%s remove monitor handle %d, status %d, %spending",
3231 hdev->name, handle, *err, pending ? "" : "not ");
3232
3233 return pending;
3234}
3235
3236/* Returns true if request is forwarded (result is pending), false otherwise.
3237 * This function requires the caller holds hdev->lock.
3238 */
3239bool hci_remove_all_adv_monitor(struct hci_dev *hdev, int *err)
3240{
3241 struct adv_monitor *monitor;
3242 int idr_next_id = 0;
3243 bool pending = false;
3244 bool update = false;
3245
3246 *err = 0;
3247
3248 while (!*err && !pending) {
3249 monitor = idr_get_next(&hdev->adv_monitors_idr, &idr_next_id);
3250 if (!monitor)
3251 break;
3252
3253 pending = hci_remove_adv_monitor(hdev, monitor, 0, err);
3254
3255 if (!*err && !pending)
3256 update = true;
3257 }
3258
3259 if (update)
3260 hci_update_background_scan(hdev);
3261
3262 bt_dev_dbg(hdev, "%s remove all monitors status %d, %spending",
3263 hdev->name, *err, pending ? "" : "not ");
3264
3265 return pending;
3266}
3267
3268/* This function requires the caller holds hdev->lock */
3269bool hci_is_adv_monitoring(struct hci_dev *hdev)
3270{
3271 return !idr_is_empty(&hdev->adv_monitors_idr);
3272}
3273
3274int hci_get_adv_monitor_offload_ext(struct hci_dev *hdev)
3275{
3276 if (msft_monitor_supported(hdev))
3277 return HCI_ADV_MONITOR_EXT_MSFT;
3278
3279 return HCI_ADV_MONITOR_EXT_NONE;
3280}
3281
3282struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
3283 bdaddr_t *bdaddr, u8 type)
3284{
3285 struct bdaddr_list *b;
3286
3287 list_for_each_entry(b, bdaddr_list, list) {
3288 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
3289 return b;
3290 }
3291
3292 return NULL;
3293}
3294
3295struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk(
3296 struct list_head *bdaddr_list, bdaddr_t *bdaddr,
3297 u8 type)
3298{
3299 struct bdaddr_list_with_irk *b;
3300
3301 list_for_each_entry(b, bdaddr_list, list) {
3302 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
3303 return b;
3304 }
3305
3306 return NULL;
3307}
3308
3309struct bdaddr_list_with_flags *
3310hci_bdaddr_list_lookup_with_flags(struct list_head *bdaddr_list,
3311 bdaddr_t *bdaddr, u8 type)
3312{
3313 struct bdaddr_list_with_flags *b;
3314
3315 list_for_each_entry(b, bdaddr_list, list) {
3316 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
3317 return b;
3318 }
3319
3320 return NULL;
3321}
3322
3323void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
3324{
3325 struct bdaddr_list *b, *n;
3326
3327 list_for_each_entry_safe(b, n, bdaddr_list, list) {
3328 list_del(&b->list);
3329 kfree(b);
3330 }
3331}
3332
3333int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
3334{
3335 struct bdaddr_list *entry;
3336
3337 if (!bacmp(bdaddr, BDADDR_ANY))
3338 return -EBADF;
3339
3340 if (hci_bdaddr_list_lookup(list, bdaddr, type))
3341 return -EEXIST;
3342
3343 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
3344 if (!entry)
3345 return -ENOMEM;
3346
3347 bacpy(&entry->bdaddr, bdaddr);
3348 entry->bdaddr_type = type;
3349
3350 list_add(&entry->list, list);
3351
3352 return 0;
3353}
3354
3355int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr,
3356 u8 type, u8 *peer_irk, u8 *local_irk)
3357{
3358 struct bdaddr_list_with_irk *entry;
3359
3360 if (!bacmp(bdaddr, BDADDR_ANY))
3361 return -EBADF;
3362
3363 if (hci_bdaddr_list_lookup(list, bdaddr, type))
3364 return -EEXIST;
3365
3366 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
3367 if (!entry)
3368 return -ENOMEM;
3369
3370 bacpy(&entry->bdaddr, bdaddr);
3371 entry->bdaddr_type = type;
3372
3373 if (peer_irk)
3374 memcpy(entry->peer_irk, peer_irk, 16);
3375
3376 if (local_irk)
3377 memcpy(entry->local_irk, local_irk, 16);
3378
3379 list_add(&entry->list, list);
3380
3381 return 0;
3382}
3383
3384int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr,
3385 u8 type, u32 flags)
3386{
3387 struct bdaddr_list_with_flags *entry;
3388
3389 if (!bacmp(bdaddr, BDADDR_ANY))
3390 return -EBADF;
3391
3392 if (hci_bdaddr_list_lookup(list, bdaddr, type))
3393 return -EEXIST;
3394
3395 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
3396 if (!entry)
3397 return -ENOMEM;
3398
3399 bacpy(&entry->bdaddr, bdaddr);
3400 entry->bdaddr_type = type;
3401 entry->current_flags = flags;
3402
3403 list_add(&entry->list, list);
3404
3405 return 0;
3406}
3407
3408int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
3409{
3410 struct bdaddr_list *entry;
3411
3412 if (!bacmp(bdaddr, BDADDR_ANY)) {
3413 hci_bdaddr_list_clear(list);
3414 return 0;
3415 }
3416
3417 entry = hci_bdaddr_list_lookup(list, bdaddr, type);
3418 if (!entry)
3419 return -ENOENT;
3420
3421 list_del(&entry->list);
3422 kfree(entry);
3423
3424 return 0;
3425}
3426
3427int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr,
3428 u8 type)
3429{
3430 struct bdaddr_list_with_irk *entry;
3431
3432 if (!bacmp(bdaddr, BDADDR_ANY)) {
3433 hci_bdaddr_list_clear(list);
3434 return 0;
3435 }
3436
3437 entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type);
3438 if (!entry)
3439 return -ENOENT;
3440
3441 list_del(&entry->list);
3442 kfree(entry);
3443
3444 return 0;
3445}
3446
3447int hci_bdaddr_list_del_with_flags(struct list_head *list, bdaddr_t *bdaddr,
3448 u8 type)
3449{
3450 struct bdaddr_list_with_flags *entry;
3451
3452 if (!bacmp(bdaddr, BDADDR_ANY)) {
3453 hci_bdaddr_list_clear(list);
3454 return 0;
3455 }
3456
3457 entry = hci_bdaddr_list_lookup_with_flags(list, bdaddr, type);
3458 if (!entry)
3459 return -ENOENT;
3460
3461 list_del(&entry->list);
3462 kfree(entry);
3463
3464 return 0;
3465}
3466
3467/* This function requires the caller holds hdev->lock */
3468struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
3469 bdaddr_t *addr, u8 addr_type)
3470{
3471 struct hci_conn_params *params;
3472
3473 list_for_each_entry(params, &hdev->le_conn_params, list) {
3474 if (bacmp(¶ms->addr, addr) == 0 &&
3475 params->addr_type == addr_type) {
3476 return params;
3477 }
3478 }
3479
3480 return NULL;
3481}
3482
3483/* This function requires the caller holds hdev->lock */
3484struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
3485 bdaddr_t *addr, u8 addr_type)
3486{
3487 struct hci_conn_params *param;
3488
3489 switch (addr_type) {
3490 case ADDR_LE_DEV_PUBLIC_RESOLVED:
3491 addr_type = ADDR_LE_DEV_PUBLIC;
3492 break;
3493 case ADDR_LE_DEV_RANDOM_RESOLVED:
3494 addr_type = ADDR_LE_DEV_RANDOM;
3495 break;
3496 }
3497
3498 list_for_each_entry(param, list, action) {
3499 if (bacmp(¶m->addr, addr) == 0 &&
3500 param->addr_type == addr_type)
3501 return param;
3502 }
3503
3504 return NULL;
3505}
3506
3507/* This function requires the caller holds hdev->lock */
3508struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
3509 bdaddr_t *addr, u8 addr_type)
3510{
3511 struct hci_conn_params *params;
3512
3513 params = hci_conn_params_lookup(hdev, addr, addr_type);
3514 if (params)
3515 return params;
3516
3517 params = kzalloc(sizeof(*params), GFP_KERNEL);
3518 if (!params) {
3519 bt_dev_err(hdev, "out of memory");
3520 return NULL;
3521 }
3522
3523 bacpy(¶ms->addr, addr);
3524 params->addr_type = addr_type;
3525
3526 list_add(¶ms->list, &hdev->le_conn_params);
3527 INIT_LIST_HEAD(¶ms->action);
3528
3529 params->conn_min_interval = hdev->le_conn_min_interval;
3530 params->conn_max_interval = hdev->le_conn_max_interval;
3531 params->conn_latency = hdev->le_conn_latency;
3532 params->supervision_timeout = hdev->le_supv_timeout;
3533 params->auto_connect = HCI_AUTO_CONN_DISABLED;
3534
3535 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3536
3537 return params;
3538}
3539
3540static void hci_conn_params_free(struct hci_conn_params *params)
3541{
3542 if (params->conn) {
3543 hci_conn_drop(params->conn);
3544 hci_conn_put(params->conn);
3545 }
3546
3547 list_del(¶ms->action);
3548 list_del(¶ms->list);
3549 kfree(params);
3550}
3551
3552/* This function requires the caller holds hdev->lock */
3553void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3554{
3555 struct hci_conn_params *params;
3556
3557 params = hci_conn_params_lookup(hdev, addr, addr_type);
3558 if (!params)
3559 return;
3560
3561 hci_conn_params_free(params);
3562
3563 hci_update_background_scan(hdev);
3564
3565 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3566}
3567
3568/* This function requires the caller holds hdev->lock */
3569void hci_conn_params_clear_disabled(struct hci_dev *hdev)
3570{
3571 struct hci_conn_params *params, *tmp;
3572
3573 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
3574 if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
3575 continue;
3576
3577 /* If trying to establish one time connection to disabled
3578 * device, leave the params, but mark them as just once.
3579 */
3580 if (params->explicit_connect) {
3581 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
3582 continue;
3583 }
3584
3585 list_del(¶ms->list);
3586 kfree(params);
3587 }
3588
3589 BT_DBG("All LE disabled connection parameters were removed");
3590}
3591
3592/* This function requires the caller holds hdev->lock */
3593static void hci_conn_params_clear_all(struct hci_dev *hdev)
3594{
3595 struct hci_conn_params *params, *tmp;
3596
3597 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
3598 hci_conn_params_free(params);
3599
3600 BT_DBG("All LE connection parameters were removed");
3601}
3602
3603/* Copy the Identity Address of the controller.
3604 *
3605 * If the controller has a public BD_ADDR, then by default use that one.
3606 * If this is a LE only controller without a public address, default to
3607 * the static random address.
3608 *
3609 * For debugging purposes it is possible to force controllers with a
3610 * public address to use the static random address instead.
3611 *
3612 * In case BR/EDR has been disabled on a dual-mode controller and
3613 * userspace has configured a static address, then that address
3614 * becomes the identity address instead of the public BR/EDR address.
3615 */
3616void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
3617 u8 *bdaddr_type)
3618{
3619 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
3620 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
3621 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
3622 bacmp(&hdev->static_addr, BDADDR_ANY))) {
3623 bacpy(bdaddr, &hdev->static_addr);
3624 *bdaddr_type = ADDR_LE_DEV_RANDOM;
3625 } else {
3626 bacpy(bdaddr, &hdev->bdaddr);
3627 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
3628 }
3629}
3630
3631static void hci_suspend_clear_tasks(struct hci_dev *hdev)
3632{
3633 int i;
3634
3635 for (i = 0; i < __SUSPEND_NUM_TASKS; i++)
3636 clear_bit(i, hdev->suspend_tasks);
3637
3638 wake_up(&hdev->suspend_wait_q);
3639}
3640
3641static int hci_suspend_wait_event(struct hci_dev *hdev)
3642{
3643#define WAKE_COND \
3644 (find_first_bit(hdev->suspend_tasks, __SUSPEND_NUM_TASKS) == \
3645 __SUSPEND_NUM_TASKS)
3646
3647 int i;
3648 int ret = wait_event_timeout(hdev->suspend_wait_q,
3649 WAKE_COND, SUSPEND_NOTIFIER_TIMEOUT);
3650
3651 if (ret == 0) {
3652 bt_dev_err(hdev, "Timed out waiting for suspend events");
3653 for (i = 0; i < __SUSPEND_NUM_TASKS; ++i) {
3654 if (test_bit(i, hdev->suspend_tasks))
3655 bt_dev_err(hdev, "Suspend timeout bit: %d", i);
3656 clear_bit(i, hdev->suspend_tasks);
3657 }
3658
3659 ret = -ETIMEDOUT;
3660 } else {
3661 ret = 0;
3662 }
3663
3664 return ret;
3665}
3666
3667static void hci_prepare_suspend(struct work_struct *work)
3668{
3669 struct hci_dev *hdev =
3670 container_of(work, struct hci_dev, suspend_prepare);
3671
3672 hci_dev_lock(hdev);
3673 hci_req_prepare_suspend(hdev, hdev->suspend_state_next);
3674 hci_dev_unlock(hdev);
3675}
3676
3677static int hci_change_suspend_state(struct hci_dev *hdev,
3678 enum suspended_state next)
3679{
3680 hdev->suspend_state_next = next;
3681 set_bit(SUSPEND_PREPARE_NOTIFIER, hdev->suspend_tasks);
3682 queue_work(hdev->req_workqueue, &hdev->suspend_prepare);
3683 return hci_suspend_wait_event(hdev);
3684}
3685
3686static void hci_clear_wake_reason(struct hci_dev *hdev)
3687{
3688 hci_dev_lock(hdev);
3689
3690 hdev->wake_reason = 0;
3691 bacpy(&hdev->wake_addr, BDADDR_ANY);
3692 hdev->wake_addr_type = 0;
3693
3694 hci_dev_unlock(hdev);
3695}
3696
3697static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action,
3698 void *data)
3699{
3700 struct hci_dev *hdev =
3701 container_of(nb, struct hci_dev, suspend_notifier);
3702 int ret = 0;
3703 u8 state = BT_RUNNING;
3704
3705 /* If powering down, wait for completion. */
3706 if (mgmt_powering_down(hdev)) {
3707 set_bit(SUSPEND_POWERING_DOWN, hdev->suspend_tasks);
3708 ret = hci_suspend_wait_event(hdev);
3709 if (ret)
3710 goto done;
3711 }
3712
3713 /* Suspend notifier should only act on events when powered. */
3714 if (!hdev_is_powered(hdev) ||
3715 hci_dev_test_flag(hdev, HCI_UNREGISTER))
3716 goto done;
3717
3718 if (action == PM_SUSPEND_PREPARE) {
3719 /* Suspend consists of two actions:
3720 * - First, disconnect everything and make the controller not
3721 * connectable (disabling scanning)
3722 * - Second, program event filter/accept list and enable scan
3723 */
3724 ret = hci_change_suspend_state(hdev, BT_SUSPEND_DISCONNECT);
3725 if (!ret)
3726 state = BT_SUSPEND_DISCONNECT;
3727
3728 /* Only configure accept list if disconnect succeeded and wake
3729 * isn't being prevented.
3730 */
3731 if (!ret && !(hdev->prevent_wake && hdev->prevent_wake(hdev))) {
3732 ret = hci_change_suspend_state(hdev,
3733 BT_SUSPEND_CONFIGURE_WAKE);
3734 if (!ret)
3735 state = BT_SUSPEND_CONFIGURE_WAKE;
3736 }
3737
3738 hci_clear_wake_reason(hdev);
3739 mgmt_suspending(hdev, state);
3740
3741 } else if (action == PM_POST_SUSPEND) {
3742 ret = hci_change_suspend_state(hdev, BT_RUNNING);
3743
3744 mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr,
3745 hdev->wake_addr_type);
3746 }
3747
3748done:
3749 /* We always allow suspend even if suspend preparation failed and
3750 * attempt to recover in resume.
3751 */
3752 if (ret)
3753 bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d",
3754 action, ret);
3755
3756 return NOTIFY_DONE;
3757}
3758
3759/* Alloc HCI device */
3760struct hci_dev *hci_alloc_dev(void)
3761{
3762 struct hci_dev *hdev;
3763
3764 hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
3765 if (!hdev)
3766 return NULL;
3767
3768 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
3769 hdev->esco_type = (ESCO_HV1);
3770 hdev->link_mode = (HCI_LM_ACCEPT);
3771 hdev->num_iac = 0x01; /* One IAC support is mandatory */
3772 hdev->io_capability = 0x03; /* No Input No Output */
3773 hdev->manufacturer = 0xffff; /* Default to internal use */
3774 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
3775 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
3776 hdev->adv_instance_cnt = 0;
3777 hdev->cur_adv_instance = 0x00;
3778 hdev->adv_instance_timeout = 0;
3779
3780 hdev->advmon_allowlist_duration = 300;
3781 hdev->advmon_no_filter_duration = 500;
3782 hdev->enable_advmon_interleave_scan = 0x00; /* Default to disable */
3783
3784 hdev->sniff_max_interval = 800;
3785 hdev->sniff_min_interval = 80;
3786
3787 hdev->le_adv_channel_map = 0x07;
3788 hdev->le_adv_min_interval = 0x0800;
3789 hdev->le_adv_max_interval = 0x0800;
3790 hdev->le_scan_interval = 0x0060;
3791 hdev->le_scan_window = 0x0030;
3792 hdev->le_scan_int_suspend = 0x0400;
3793 hdev->le_scan_window_suspend = 0x0012;
3794 hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT;
3795 hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN;
3796 hdev->le_scan_int_adv_monitor = 0x0060;
3797 hdev->le_scan_window_adv_monitor = 0x0030;
3798 hdev->le_scan_int_connect = 0x0060;
3799 hdev->le_scan_window_connect = 0x0060;
3800 hdev->le_conn_min_interval = 0x0018;
3801 hdev->le_conn_max_interval = 0x0028;
3802 hdev->le_conn_latency = 0x0000;
3803 hdev->le_supv_timeout = 0x002a;
3804 hdev->le_def_tx_len = 0x001b;
3805 hdev->le_def_tx_time = 0x0148;
3806 hdev->le_max_tx_len = 0x001b;
3807 hdev->le_max_tx_time = 0x0148;
3808 hdev->le_max_rx_len = 0x001b;
3809 hdev->le_max_rx_time = 0x0148;
3810 hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
3811 hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
3812 hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
3813 hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
3814 hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES;
3815 hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION;
3816 hdev->def_le_autoconnect_timeout = HCI_LE_AUTOCONN_TIMEOUT;
3817 hdev->min_le_tx_power = HCI_TX_POWER_INVALID;
3818 hdev->max_le_tx_power = HCI_TX_POWER_INVALID;
3819
3820 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3821 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
3822 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
3823 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
3824 hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
3825 hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE;
3826
3827 /* default 1.28 sec page scan */
3828 hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD;
3829 hdev->def_page_scan_int = 0x0800;
3830 hdev->def_page_scan_window = 0x0012;
3831
3832 mutex_init(&hdev->lock);
3833 mutex_init(&hdev->req_lock);
3834
3835 INIT_LIST_HEAD(&hdev->mgmt_pending);
3836 INIT_LIST_HEAD(&hdev->reject_list);
3837 INIT_LIST_HEAD(&hdev->accept_list);
3838 INIT_LIST_HEAD(&hdev->uuids);
3839 INIT_LIST_HEAD(&hdev->link_keys);
3840 INIT_LIST_HEAD(&hdev->long_term_keys);
3841 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
3842 INIT_LIST_HEAD(&hdev->remote_oob_data);
3843 INIT_LIST_HEAD(&hdev->le_accept_list);
3844 INIT_LIST_HEAD(&hdev->le_resolv_list);
3845 INIT_LIST_HEAD(&hdev->le_conn_params);
3846 INIT_LIST_HEAD(&hdev->pend_le_conns);
3847 INIT_LIST_HEAD(&hdev->pend_le_reports);
3848 INIT_LIST_HEAD(&hdev->conn_hash.list);
3849 INIT_LIST_HEAD(&hdev->adv_instances);
3850 INIT_LIST_HEAD(&hdev->blocked_keys);
3851
3852 INIT_WORK(&hdev->rx_work, hci_rx_work);
3853 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
3854 INIT_WORK(&hdev->tx_work, hci_tx_work);
3855 INIT_WORK(&hdev->power_on, hci_power_on);
3856 INIT_WORK(&hdev->error_reset, hci_error_reset);
3857 INIT_WORK(&hdev->suspend_prepare, hci_prepare_suspend);
3858
3859 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
3860
3861 skb_queue_head_init(&hdev->rx_q);
3862 skb_queue_head_init(&hdev->cmd_q);
3863 skb_queue_head_init(&hdev->raw_q);
3864
3865 init_waitqueue_head(&hdev->req_wait_q);
3866 init_waitqueue_head(&hdev->suspend_wait_q);
3867
3868 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3869 INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout);
3870
3871 hci_request_setup(hdev);
3872
3873 hci_init_sysfs(hdev);
3874 discovery_init(hdev);
3875
3876 return hdev;
3877}
3878EXPORT_SYMBOL(hci_alloc_dev);
3879
3880/* Free HCI device */
3881void hci_free_dev(struct hci_dev *hdev)
3882{
3883 /* will free via device release */
3884 put_device(&hdev->dev);
3885}
3886EXPORT_SYMBOL(hci_free_dev);
3887
3888/* Register HCI device */
3889int hci_register_dev(struct hci_dev *hdev)
3890{
3891 int id, error;
3892
3893 if (!hdev->open || !hdev->close || !hdev->send)
3894 return -EINVAL;
3895
3896 /* Do not allow HCI_AMP devices to register at index 0,
3897 * so the index can be used as the AMP controller ID.
3898 */
3899 switch (hdev->dev_type) {
3900 case HCI_PRIMARY:
3901 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3902 break;
3903 case HCI_AMP:
3904 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3905 break;
3906 default:
3907 return -EINVAL;
3908 }
3909
3910 if (id < 0)
3911 return id;
3912
3913 sprintf(hdev->name, "hci%d", id);
3914 hdev->id = id;
3915
3916 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3917
3918 hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name);
3919 if (!hdev->workqueue) {
3920 error = -ENOMEM;
3921 goto err;
3922 }
3923
3924 hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI,
3925 hdev->name);
3926 if (!hdev->req_workqueue) {
3927 destroy_workqueue(hdev->workqueue);
3928 error = -ENOMEM;
3929 goto err;
3930 }
3931
3932 if (!IS_ERR_OR_NULL(bt_debugfs))
3933 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3934
3935 dev_set_name(&hdev->dev, "%s", hdev->name);
3936
3937 error = device_add(&hdev->dev);
3938 if (error < 0)
3939 goto err_wqueue;
3940
3941 hci_leds_init(hdev);
3942
3943 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3944 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3945 hdev);
3946 if (hdev->rfkill) {
3947 if (rfkill_register(hdev->rfkill) < 0) {
3948 rfkill_destroy(hdev->rfkill);
3949 hdev->rfkill = NULL;
3950 }
3951 }
3952
3953 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3954 hci_dev_set_flag(hdev, HCI_RFKILLED);
3955
3956 hci_dev_set_flag(hdev, HCI_SETUP);
3957 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
3958
3959 if (hdev->dev_type == HCI_PRIMARY) {
3960 /* Assume BR/EDR support until proven otherwise (such as
3961 * through reading supported features during init.
3962 */
3963 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
3964 }
3965
3966 write_lock(&hci_dev_list_lock);
3967 list_add(&hdev->list, &hci_dev_list);
3968 write_unlock(&hci_dev_list_lock);
3969
3970 /* Devices that are marked for raw-only usage are unconfigured
3971 * and should not be included in normal operation.
3972 */
3973 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3974 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
3975
3976 hci_sock_dev_event(hdev, HCI_DEV_REG);
3977 hci_dev_hold(hdev);
3978
3979 if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) {
3980 hdev->suspend_notifier.notifier_call = hci_suspend_notifier;
3981 error = register_pm_notifier(&hdev->suspend_notifier);
3982 if (error)
3983 goto err_wqueue;
3984 }
3985
3986 queue_work(hdev->req_workqueue, &hdev->power_on);
3987
3988 idr_init(&hdev->adv_monitors_idr);
3989
3990 return id;
3991
3992err_wqueue:
3993 destroy_workqueue(hdev->workqueue);
3994 destroy_workqueue(hdev->req_workqueue);
3995err:
3996 ida_simple_remove(&hci_index_ida, hdev->id);
3997
3998 return error;
3999}
4000EXPORT_SYMBOL(hci_register_dev);
4001
4002/* Unregister HCI device */
4003void hci_unregister_dev(struct hci_dev *hdev)
4004{
4005 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
4006
4007 hci_dev_set_flag(hdev, HCI_UNREGISTER);
4008
4009 write_lock(&hci_dev_list_lock);
4010 list_del(&hdev->list);
4011 write_unlock(&hci_dev_list_lock);
4012
4013 cancel_work_sync(&hdev->power_on);
4014
4015 if (!test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) {
4016 hci_suspend_clear_tasks(hdev);
4017 unregister_pm_notifier(&hdev->suspend_notifier);
4018 cancel_work_sync(&hdev->suspend_prepare);
4019 }
4020
4021 hci_dev_do_close(hdev);
4022
4023 if (!test_bit(HCI_INIT, &hdev->flags) &&
4024 !hci_dev_test_flag(hdev, HCI_SETUP) &&
4025 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
4026 hci_dev_lock(hdev);
4027 mgmt_index_removed(hdev);
4028 hci_dev_unlock(hdev);
4029 }
4030
4031 /* mgmt_index_removed should take care of emptying the
4032 * pending list */
4033 BUG_ON(!list_empty(&hdev->mgmt_pending));
4034
4035 hci_sock_dev_event(hdev, HCI_DEV_UNREG);
4036
4037 if (hdev->rfkill) {
4038 rfkill_unregister(hdev->rfkill);
4039 rfkill_destroy(hdev->rfkill);
4040 }
4041
4042 device_del(&hdev->dev);
4043 /* Actual cleanup is deferred until hci_cleanup_dev(). */
4044 hci_dev_put(hdev);
4045}
4046EXPORT_SYMBOL(hci_unregister_dev);
4047
4048/* Cleanup HCI device */
4049void hci_cleanup_dev(struct hci_dev *hdev)
4050{
4051 debugfs_remove_recursive(hdev->debugfs);
4052 kfree_const(hdev->hw_info);
4053 kfree_const(hdev->fw_info);
4054
4055 destroy_workqueue(hdev->workqueue);
4056 destroy_workqueue(hdev->req_workqueue);
4057
4058 hci_dev_lock(hdev);
4059 hci_bdaddr_list_clear(&hdev->reject_list);
4060 hci_bdaddr_list_clear(&hdev->accept_list);
4061 hci_uuids_clear(hdev);
4062 hci_link_keys_clear(hdev);
4063 hci_smp_ltks_clear(hdev);
4064 hci_smp_irks_clear(hdev);
4065 hci_remote_oob_data_clear(hdev);
4066 hci_adv_instances_clear(hdev);
4067 hci_adv_monitors_clear(hdev);
4068 hci_bdaddr_list_clear(&hdev->le_accept_list);
4069 hci_bdaddr_list_clear(&hdev->le_resolv_list);
4070 hci_conn_params_clear_all(hdev);
4071 hci_discovery_filter_clear(hdev);
4072 hci_blocked_keys_clear(hdev);
4073 hci_dev_unlock(hdev);
4074
4075 ida_simple_remove(&hci_index_ida, hdev->id);
4076}
4077
4078/* Suspend HCI device */
4079int hci_suspend_dev(struct hci_dev *hdev)
4080{
4081 hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
4082 return 0;
4083}
4084EXPORT_SYMBOL(hci_suspend_dev);
4085
4086/* Resume HCI device */
4087int hci_resume_dev(struct hci_dev *hdev)
4088{
4089 hci_sock_dev_event(hdev, HCI_DEV_RESUME);
4090 return 0;
4091}
4092EXPORT_SYMBOL(hci_resume_dev);
4093
4094/* Reset HCI device */
4095int hci_reset_dev(struct hci_dev *hdev)
4096{
4097 static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
4098 struct sk_buff *skb;
4099
4100 skb = bt_skb_alloc(3, GFP_ATOMIC);
4101 if (!skb)
4102 return -ENOMEM;
4103
4104 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
4105 skb_put_data(skb, hw_err, 3);
4106
4107 bt_dev_err(hdev, "Injecting HCI hardware error event");
4108
4109 /* Send Hardware Error to upper stack */
4110 return hci_recv_frame(hdev, skb);
4111}
4112EXPORT_SYMBOL(hci_reset_dev);
4113
4114/* Receive frame from HCI drivers */
4115int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
4116{
4117 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
4118 && !test_bit(HCI_INIT, &hdev->flags))) {
4119 kfree_skb(skb);
4120 return -ENXIO;
4121 }
4122
4123 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
4124 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
4125 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT &&
4126 hci_skb_pkt_type(skb) != HCI_ISODATA_PKT) {
4127 kfree_skb(skb);
4128 return -EINVAL;
4129 }
4130
4131 /* Incoming skb */
4132 bt_cb(skb)->incoming = 1;
4133
4134 /* Time stamp */
4135 __net_timestamp(skb);
4136
4137 skb_queue_tail(&hdev->rx_q, skb);
4138 queue_work(hdev->workqueue, &hdev->rx_work);
4139
4140 return 0;
4141}
4142EXPORT_SYMBOL(hci_recv_frame);
4143
4144/* Receive diagnostic message from HCI drivers */
4145int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
4146{
4147 /* Mark as diagnostic packet */
4148 hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
4149
4150 /* Time stamp */
4151 __net_timestamp(skb);
4152
4153 skb_queue_tail(&hdev->rx_q, skb);
4154 queue_work(hdev->workqueue, &hdev->rx_work);
4155
4156 return 0;
4157}
4158EXPORT_SYMBOL(hci_recv_diag);
4159
4160void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...)
4161{
4162 va_list vargs;
4163
4164 va_start(vargs, fmt);
4165 kfree_const(hdev->hw_info);
4166 hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
4167 va_end(vargs);
4168}
4169EXPORT_SYMBOL(hci_set_hw_info);
4170
4171void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...)
4172{
4173 va_list vargs;
4174
4175 va_start(vargs, fmt);
4176 kfree_const(hdev->fw_info);
4177 hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
4178 va_end(vargs);
4179}
4180EXPORT_SYMBOL(hci_set_fw_info);
4181
4182/* ---- Interface to upper protocols ---- */
4183
4184int hci_register_cb(struct hci_cb *cb)
4185{
4186 BT_DBG("%p name %s", cb, cb->name);
4187
4188 mutex_lock(&hci_cb_list_lock);
4189 list_add_tail(&cb->list, &hci_cb_list);
4190 mutex_unlock(&hci_cb_list_lock);
4191
4192 return 0;
4193}
4194EXPORT_SYMBOL(hci_register_cb);
4195
4196int hci_unregister_cb(struct hci_cb *cb)
4197{
4198 BT_DBG("%p name %s", cb, cb->name);
4199
4200 mutex_lock(&hci_cb_list_lock);
4201 list_del(&cb->list);
4202 mutex_unlock(&hci_cb_list_lock);
4203
4204 return 0;
4205}
4206EXPORT_SYMBOL(hci_unregister_cb);
4207
4208static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
4209{
4210 int err;
4211
4212 BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
4213 skb->len);
4214
4215 /* Time stamp */
4216 __net_timestamp(skb);
4217
4218 /* Send copy to monitor */
4219 hci_send_to_monitor(hdev, skb);
4220
4221 if (atomic_read(&hdev->promisc)) {
4222 /* Send copy to the sockets */
4223 hci_send_to_sock(hdev, skb);
4224 }
4225
4226 /* Get rid of skb owner, prior to sending to the driver. */
4227 skb_orphan(skb);
4228
4229 if (!test_bit(HCI_RUNNING, &hdev->flags)) {
4230 kfree_skb(skb);
4231 return;
4232 }
4233
4234 err = hdev->send(hdev, skb);
4235 if (err < 0) {
4236 bt_dev_err(hdev, "sending frame failed (%d)", err);
4237 kfree_skb(skb);
4238 }
4239}
4240
4241/* Send HCI command */
4242int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
4243 const void *param)
4244{
4245 struct sk_buff *skb;
4246
4247 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
4248
4249 skb = hci_prepare_cmd(hdev, opcode, plen, param);
4250 if (!skb) {
4251 bt_dev_err(hdev, "no memory for command");
4252 return -ENOMEM;
4253 }
4254
4255 /* Stand-alone HCI commands must be flagged as
4256 * single-command requests.
4257 */
4258 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
4259
4260 skb_queue_tail(&hdev->cmd_q, skb);
4261 queue_work(hdev->workqueue, &hdev->cmd_work);
4262
4263 return 0;
4264}
4265
4266int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen,
4267 const void *param)
4268{
4269 struct sk_buff *skb;
4270
4271 if (hci_opcode_ogf(opcode) != 0x3f) {
4272 /* A controller receiving a command shall respond with either
4273 * a Command Status Event or a Command Complete Event.
4274 * Therefore, all standard HCI commands must be sent via the
4275 * standard API, using hci_send_cmd or hci_cmd_sync helpers.
4276 * Some vendors do not comply with this rule for vendor-specific
4277 * commands and do not return any event. We want to support
4278 * unresponded commands for such cases only.
4279 */
4280 bt_dev_err(hdev, "unresponded command not supported");
4281 return -EINVAL;
4282 }
4283
4284 skb = hci_prepare_cmd(hdev, opcode, plen, param);
4285 if (!skb) {
4286 bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
4287 opcode);
4288 return -ENOMEM;
4289 }
4290
4291 hci_send_frame(hdev, skb);
4292
4293 return 0;
4294}
4295EXPORT_SYMBOL(__hci_cmd_send);
4296
4297/* Get data from the previously sent command */
4298void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
4299{
4300 struct hci_command_hdr *hdr;
4301
4302 if (!hdev->sent_cmd)
4303 return NULL;
4304
4305 hdr = (void *) hdev->sent_cmd->data;
4306
4307 if (hdr->opcode != cpu_to_le16(opcode))
4308 return NULL;
4309
4310 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
4311
4312 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
4313}
4314
4315/* Send HCI command and wait for command complete event */
4316struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
4317 const void *param, u32 timeout)
4318{
4319 struct sk_buff *skb;
4320
4321 if (!test_bit(HCI_UP, &hdev->flags))
4322 return ERR_PTR(-ENETDOWN);
4323
4324 bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
4325
4326 hci_req_sync_lock(hdev);
4327 skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
4328 hci_req_sync_unlock(hdev);
4329
4330 return skb;
4331}
4332EXPORT_SYMBOL(hci_cmd_sync);
4333
4334/* Send ACL data */
4335static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
4336{
4337 struct hci_acl_hdr *hdr;
4338 int len = skb->len;
4339
4340 skb_push(skb, HCI_ACL_HDR_SIZE);
4341 skb_reset_transport_header(skb);
4342 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
4343 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
4344 hdr->dlen = cpu_to_le16(len);
4345}
4346
4347static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
4348 struct sk_buff *skb, __u16 flags)
4349{
4350 struct hci_conn *conn = chan->conn;
4351 struct hci_dev *hdev = conn->hdev;
4352 struct sk_buff *list;
4353
4354 skb->len = skb_headlen(skb);
4355 skb->data_len = 0;
4356
4357 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
4358
4359 switch (hdev->dev_type) {
4360 case HCI_PRIMARY:
4361 hci_add_acl_hdr(skb, conn->handle, flags);
4362 break;
4363 case HCI_AMP:
4364 hci_add_acl_hdr(skb, chan->handle, flags);
4365 break;
4366 default:
4367 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4368 return;
4369 }
4370
4371 list = skb_shinfo(skb)->frag_list;
4372 if (!list) {
4373 /* Non fragmented */
4374 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
4375
4376 skb_queue_tail(queue, skb);
4377 } else {
4378 /* Fragmented */
4379 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
4380
4381 skb_shinfo(skb)->frag_list = NULL;
4382
4383 /* Queue all fragments atomically. We need to use spin_lock_bh
4384 * here because of 6LoWPAN links, as there this function is
4385 * called from softirq and using normal spin lock could cause
4386 * deadlocks.
4387 */
4388 spin_lock_bh(&queue->lock);
4389
4390 __skb_queue_tail(queue, skb);
4391
4392 flags &= ~ACL_START;
4393 flags |= ACL_CONT;
4394 do {
4395 skb = list; list = list->next;
4396
4397 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
4398 hci_add_acl_hdr(skb, conn->handle, flags);
4399
4400 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
4401
4402 __skb_queue_tail(queue, skb);
4403 } while (list);
4404
4405 spin_unlock_bh(&queue->lock);
4406 }
4407}
4408
4409void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
4410{
4411 struct hci_dev *hdev = chan->conn->hdev;
4412
4413 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
4414
4415 hci_queue_acl(chan, &chan->data_q, skb, flags);
4416
4417 queue_work(hdev->workqueue, &hdev->tx_work);
4418}
4419
4420/* Send SCO data */
4421void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
4422{
4423 struct hci_dev *hdev = conn->hdev;
4424 struct hci_sco_hdr hdr;
4425
4426 BT_DBG("%s len %d", hdev->name, skb->len);
4427
4428 hdr.handle = cpu_to_le16(conn->handle);
4429 hdr.dlen = skb->len;
4430
4431 skb_push(skb, HCI_SCO_HDR_SIZE);
4432 skb_reset_transport_header(skb);
4433 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
4434
4435 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
4436
4437 skb_queue_tail(&conn->data_q, skb);
4438 queue_work(hdev->workqueue, &hdev->tx_work);
4439}
4440
4441/* ---- HCI TX task (outgoing data) ---- */
4442
4443/* HCI Connection scheduler */
4444static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
4445 int *quote)
4446{
4447 struct hci_conn_hash *h = &hdev->conn_hash;
4448 struct hci_conn *conn = NULL, *c;
4449 unsigned int num = 0, min = ~0;
4450
4451 /* We don't have to lock device here. Connections are always
4452 * added and removed with TX task disabled. */
4453
4454 rcu_read_lock();
4455
4456 list_for_each_entry_rcu(c, &h->list, list) {
4457 if (c->type != type || skb_queue_empty(&c->data_q))
4458 continue;
4459
4460 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
4461 continue;
4462
4463 num++;
4464
4465 if (c->sent < min) {
4466 min = c->sent;
4467 conn = c;
4468 }
4469
4470 if (hci_conn_num(hdev, type) == num)
4471 break;
4472 }
4473
4474 rcu_read_unlock();
4475
4476 if (conn) {
4477 int cnt, q;
4478
4479 switch (conn->type) {
4480 case ACL_LINK:
4481 cnt = hdev->acl_cnt;
4482 break;
4483 case SCO_LINK:
4484 case ESCO_LINK:
4485 cnt = hdev->sco_cnt;
4486 break;
4487 case LE_LINK:
4488 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
4489 break;
4490 default:
4491 cnt = 0;
4492 bt_dev_err(hdev, "unknown link type %d", conn->type);
4493 }
4494
4495 q = cnt / num;
4496 *quote = q ? q : 1;
4497 } else
4498 *quote = 0;
4499
4500 BT_DBG("conn %p quote %d", conn, *quote);
4501 return conn;
4502}
4503
4504static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
4505{
4506 struct hci_conn_hash *h = &hdev->conn_hash;
4507 struct hci_conn *c;
4508
4509 bt_dev_err(hdev, "link tx timeout");
4510
4511 rcu_read_lock();
4512
4513 /* Kill stalled connections */
4514 list_for_each_entry_rcu(c, &h->list, list) {
4515 if (c->type == type && c->sent) {
4516 bt_dev_err(hdev, "killing stalled connection %pMR",
4517 &c->dst);
4518 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
4519 }
4520 }
4521
4522 rcu_read_unlock();
4523}
4524
4525static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
4526 int *quote)
4527{
4528 struct hci_conn_hash *h = &hdev->conn_hash;
4529 struct hci_chan *chan = NULL;
4530 unsigned int num = 0, min = ~0, cur_prio = 0;
4531 struct hci_conn *conn;
4532 int cnt, q, conn_num = 0;
4533
4534 BT_DBG("%s", hdev->name);
4535
4536 rcu_read_lock();
4537
4538 list_for_each_entry_rcu(conn, &h->list, list) {
4539 struct hci_chan *tmp;
4540
4541 if (conn->type != type)
4542 continue;
4543
4544 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
4545 continue;
4546
4547 conn_num++;
4548
4549 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
4550 struct sk_buff *skb;
4551
4552 if (skb_queue_empty(&tmp->data_q))
4553 continue;
4554
4555 skb = skb_peek(&tmp->data_q);
4556 if (skb->priority < cur_prio)
4557 continue;
4558
4559 if (skb->priority > cur_prio) {
4560 num = 0;
4561 min = ~0;
4562 cur_prio = skb->priority;
4563 }
4564
4565 num++;
4566
4567 if (conn->sent < min) {
4568 min = conn->sent;
4569 chan = tmp;
4570 }
4571 }
4572
4573 if (hci_conn_num(hdev, type) == conn_num)
4574 break;
4575 }
4576
4577 rcu_read_unlock();
4578
4579 if (!chan)
4580 return NULL;
4581
4582 switch (chan->conn->type) {
4583 case ACL_LINK:
4584 cnt = hdev->acl_cnt;
4585 break;
4586 case AMP_LINK:
4587 cnt = hdev->block_cnt;
4588 break;
4589 case SCO_LINK:
4590 case ESCO_LINK:
4591 cnt = hdev->sco_cnt;
4592 break;
4593 case LE_LINK:
4594 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
4595 break;
4596 default:
4597 cnt = 0;
4598 bt_dev_err(hdev, "unknown link type %d", chan->conn->type);
4599 }
4600
4601 q = cnt / num;
4602 *quote = q ? q : 1;
4603 BT_DBG("chan %p quote %d", chan, *quote);
4604 return chan;
4605}
4606
4607static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
4608{
4609 struct hci_conn_hash *h = &hdev->conn_hash;
4610 struct hci_conn *conn;
4611 int num = 0;
4612
4613 BT_DBG("%s", hdev->name);
4614
4615 rcu_read_lock();
4616
4617 list_for_each_entry_rcu(conn, &h->list, list) {
4618 struct hci_chan *chan;
4619
4620 if (conn->type != type)
4621 continue;
4622
4623 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
4624 continue;
4625
4626 num++;
4627
4628 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
4629 struct sk_buff *skb;
4630
4631 if (chan->sent) {
4632 chan->sent = 0;
4633 continue;
4634 }
4635
4636 if (skb_queue_empty(&chan->data_q))
4637 continue;
4638
4639 skb = skb_peek(&chan->data_q);
4640 if (skb->priority >= HCI_PRIO_MAX - 1)
4641 continue;
4642
4643 skb->priority = HCI_PRIO_MAX - 1;
4644
4645 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
4646 skb->priority);
4647 }
4648
4649 if (hci_conn_num(hdev, type) == num)
4650 break;
4651 }
4652
4653 rcu_read_unlock();
4654
4655}
4656
4657static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
4658{
4659 /* Calculate count of blocks used by this packet */
4660 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
4661}
4662
4663static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
4664{
4665 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
4666 /* ACL tx timeout must be longer than maximum
4667 * link supervision timeout (40.9 seconds) */
4668 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
4669 HCI_ACL_TX_TIMEOUT))
4670 hci_link_tx_to(hdev, ACL_LINK);
4671 }
4672}
4673
4674/* Schedule SCO */
4675static void hci_sched_sco(struct hci_dev *hdev)
4676{
4677 struct hci_conn *conn;
4678 struct sk_buff *skb;
4679 int quote;
4680
4681 BT_DBG("%s", hdev->name);
4682
4683 if (!hci_conn_num(hdev, SCO_LINK))
4684 return;
4685
4686 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
4687 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4688 BT_DBG("skb %p len %d", skb, skb->len);
4689 hci_send_frame(hdev, skb);
4690
4691 conn->sent++;
4692 if (conn->sent == ~0)
4693 conn->sent = 0;
4694 }
4695 }
4696}
4697
4698static void hci_sched_esco(struct hci_dev *hdev)
4699{
4700 struct hci_conn *conn;
4701 struct sk_buff *skb;
4702 int quote;
4703
4704 BT_DBG("%s", hdev->name);
4705
4706 if (!hci_conn_num(hdev, ESCO_LINK))
4707 return;
4708
4709 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
4710 "e))) {
4711 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4712 BT_DBG("skb %p len %d", skb, skb->len);
4713 hci_send_frame(hdev, skb);
4714
4715 conn->sent++;
4716 if (conn->sent == ~0)
4717 conn->sent = 0;
4718 }
4719 }
4720}
4721
4722static void hci_sched_acl_pkt(struct hci_dev *hdev)
4723{
4724 unsigned int cnt = hdev->acl_cnt;
4725 struct hci_chan *chan;
4726 struct sk_buff *skb;
4727 int quote;
4728
4729 __check_timeout(hdev, cnt);
4730
4731 while (hdev->acl_cnt &&
4732 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
4733 u32 priority = (skb_peek(&chan->data_q))->priority;
4734 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4735 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4736 skb->len, skb->priority);
4737
4738 /* Stop if priority has changed */
4739 if (skb->priority < priority)
4740 break;
4741
4742 skb = skb_dequeue(&chan->data_q);
4743
4744 hci_conn_enter_active_mode(chan->conn,
4745 bt_cb(skb)->force_active);
4746
4747 hci_send_frame(hdev, skb);
4748 hdev->acl_last_tx = jiffies;
4749
4750 hdev->acl_cnt--;
4751 chan->sent++;
4752 chan->conn->sent++;
4753
4754 /* Send pending SCO packets right away */
4755 hci_sched_sco(hdev);
4756 hci_sched_esco(hdev);
4757 }
4758 }
4759
4760 if (cnt != hdev->acl_cnt)
4761 hci_prio_recalculate(hdev, ACL_LINK);
4762}
4763
4764static void hci_sched_acl_blk(struct hci_dev *hdev)
4765{
4766 unsigned int cnt = hdev->block_cnt;
4767 struct hci_chan *chan;
4768 struct sk_buff *skb;
4769 int quote;
4770 u8 type;
4771
4772 __check_timeout(hdev, cnt);
4773
4774 BT_DBG("%s", hdev->name);
4775
4776 if (hdev->dev_type == HCI_AMP)
4777 type = AMP_LINK;
4778 else
4779 type = ACL_LINK;
4780
4781 while (hdev->block_cnt > 0 &&
4782 (chan = hci_chan_sent(hdev, type, "e))) {
4783 u32 priority = (skb_peek(&chan->data_q))->priority;
4784 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
4785 int blocks;
4786
4787 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4788 skb->len, skb->priority);
4789
4790 /* Stop if priority has changed */
4791 if (skb->priority < priority)
4792 break;
4793
4794 skb = skb_dequeue(&chan->data_q);
4795
4796 blocks = __get_blocks(hdev, skb);
4797 if (blocks > hdev->block_cnt)
4798 return;
4799
4800 hci_conn_enter_active_mode(chan->conn,
4801 bt_cb(skb)->force_active);
4802
4803 hci_send_frame(hdev, skb);
4804 hdev->acl_last_tx = jiffies;
4805
4806 hdev->block_cnt -= blocks;
4807 quote -= blocks;
4808
4809 chan->sent += blocks;
4810 chan->conn->sent += blocks;
4811 }
4812 }
4813
4814 if (cnt != hdev->block_cnt)
4815 hci_prio_recalculate(hdev, type);
4816}
4817
4818static void hci_sched_acl(struct hci_dev *hdev)
4819{
4820 BT_DBG("%s", hdev->name);
4821
4822 /* No ACL link over BR/EDR controller */
4823 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_PRIMARY)
4824 return;
4825
4826 /* No AMP link over AMP controller */
4827 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
4828 return;
4829
4830 switch (hdev->flow_ctl_mode) {
4831 case HCI_FLOW_CTL_MODE_PACKET_BASED:
4832 hci_sched_acl_pkt(hdev);
4833 break;
4834
4835 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
4836 hci_sched_acl_blk(hdev);
4837 break;
4838 }
4839}
4840
4841static void hci_sched_le(struct hci_dev *hdev)
4842{
4843 struct hci_chan *chan;
4844 struct sk_buff *skb;
4845 int quote, cnt, tmp;
4846
4847 BT_DBG("%s", hdev->name);
4848
4849 if (!hci_conn_num(hdev, LE_LINK))
4850 return;
4851
4852 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
4853
4854 __check_timeout(hdev, cnt);
4855
4856 tmp = cnt;
4857 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
4858 u32 priority = (skb_peek(&chan->data_q))->priority;
4859 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4860 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4861 skb->len, skb->priority);
4862
4863 /* Stop if priority has changed */
4864 if (skb->priority < priority)
4865 break;
4866
4867 skb = skb_dequeue(&chan->data_q);
4868
4869 hci_send_frame(hdev, skb);
4870 hdev->le_last_tx = jiffies;
4871
4872 cnt--;
4873 chan->sent++;
4874 chan->conn->sent++;
4875
4876 /* Send pending SCO packets right away */
4877 hci_sched_sco(hdev);
4878 hci_sched_esco(hdev);
4879 }
4880 }
4881
4882 if (hdev->le_pkts)
4883 hdev->le_cnt = cnt;
4884 else
4885 hdev->acl_cnt = cnt;
4886
4887 if (cnt != tmp)
4888 hci_prio_recalculate(hdev, LE_LINK);
4889}
4890
4891static void hci_tx_work(struct work_struct *work)
4892{
4893 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
4894 struct sk_buff *skb;
4895
4896 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
4897 hdev->sco_cnt, hdev->le_cnt);
4898
4899 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4900 /* Schedule queues and send stuff to HCI driver */
4901 hci_sched_sco(hdev);
4902 hci_sched_esco(hdev);
4903 hci_sched_acl(hdev);
4904 hci_sched_le(hdev);
4905 }
4906
4907 /* Send next queued raw (unknown type) packet */
4908 while ((skb = skb_dequeue(&hdev->raw_q)))
4909 hci_send_frame(hdev, skb);
4910}
4911
4912/* ----- HCI RX task (incoming data processing) ----- */
4913
4914/* ACL data packet */
4915static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4916{
4917 struct hci_acl_hdr *hdr = (void *) skb->data;
4918 struct hci_conn *conn;
4919 __u16 handle, flags;
4920
4921 skb_pull(skb, HCI_ACL_HDR_SIZE);
4922
4923 handle = __le16_to_cpu(hdr->handle);
4924 flags = hci_flags(handle);
4925 handle = hci_handle(handle);
4926
4927 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
4928 handle, flags);
4929
4930 hdev->stat.acl_rx++;
4931
4932 hci_dev_lock(hdev);
4933 conn = hci_conn_hash_lookup_handle(hdev, handle);
4934 hci_dev_unlock(hdev);
4935
4936 if (conn) {
4937 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
4938
4939 /* Send to upper protocol */
4940 l2cap_recv_acldata(conn, skb, flags);
4941 return;
4942 } else {
4943 bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
4944 handle);
4945 }
4946
4947 kfree_skb(skb);
4948}
4949
4950/* SCO data packet */
4951static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4952{
4953 struct hci_sco_hdr *hdr = (void *) skb->data;
4954 struct hci_conn *conn;
4955 __u16 handle, flags;
4956
4957 skb_pull(skb, HCI_SCO_HDR_SIZE);
4958
4959 handle = __le16_to_cpu(hdr->handle);
4960 flags = hci_flags(handle);
4961 handle = hci_handle(handle);
4962
4963 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
4964 handle, flags);
4965
4966 hdev->stat.sco_rx++;
4967
4968 hci_dev_lock(hdev);
4969 conn = hci_conn_hash_lookup_handle(hdev, handle);
4970 hci_dev_unlock(hdev);
4971
4972 if (conn) {
4973 /* Send to upper protocol */
4974 bt_cb(skb)->sco.pkt_status = flags & 0x03;
4975 sco_recv_scodata(conn, skb);
4976 return;
4977 } else {
4978 bt_dev_err(hdev, "SCO packet for unknown connection handle %d",
4979 handle);
4980 }
4981
4982 kfree_skb(skb);
4983}
4984
4985static bool hci_req_is_complete(struct hci_dev *hdev)
4986{
4987 struct sk_buff *skb;
4988
4989 skb = skb_peek(&hdev->cmd_q);
4990 if (!skb)
4991 return true;
4992
4993 return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
4994}
4995
4996static void hci_resend_last(struct hci_dev *hdev)
4997{
4998 struct hci_command_hdr *sent;
4999 struct sk_buff *skb;
5000 u16 opcode;
5001
5002 if (!hdev->sent_cmd)
5003 return;
5004
5005 sent = (void *) hdev->sent_cmd->data;
5006 opcode = __le16_to_cpu(sent->opcode);
5007 if (opcode == HCI_OP_RESET)
5008 return;
5009
5010 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
5011 if (!skb)
5012 return;
5013
5014 skb_queue_head(&hdev->cmd_q, skb);
5015 queue_work(hdev->workqueue, &hdev->cmd_work);
5016}
5017
5018void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
5019 hci_req_complete_t *req_complete,
5020 hci_req_complete_skb_t *req_complete_skb)
5021{
5022 struct sk_buff *skb;
5023 unsigned long flags;
5024
5025 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
5026
5027 /* If the completed command doesn't match the last one that was
5028 * sent we need to do special handling of it.
5029 */
5030 if (!hci_sent_cmd_data(hdev, opcode)) {
5031 /* Some CSR based controllers generate a spontaneous
5032 * reset complete event during init and any pending
5033 * command will never be completed. In such a case we
5034 * need to resend whatever was the last sent
5035 * command.
5036 */
5037 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
5038 hci_resend_last(hdev);
5039
5040 return;
5041 }
5042
5043 /* If we reach this point this event matches the last command sent */
5044 hci_dev_clear_flag(hdev, HCI_CMD_PENDING);
5045
5046 /* If the command succeeded and there's still more commands in
5047 * this request the request is not yet complete.
5048 */
5049 if (!status && !hci_req_is_complete(hdev))
5050 return;
5051
5052 /* If this was the last command in a request the complete
5053 * callback would be found in hdev->sent_cmd instead of the
5054 * command queue (hdev->cmd_q).
5055 */
5056 if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
5057 *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
5058 return;
5059 }
5060
5061 if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
5062 *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
5063 return;
5064 }
5065
5066 /* Remove all pending commands belonging to this request */
5067 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
5068 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
5069 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
5070 __skb_queue_head(&hdev->cmd_q, skb);
5071 break;
5072 }
5073
5074 if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
5075 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
5076 else
5077 *req_complete = bt_cb(skb)->hci.req_complete;
5078 kfree_skb(skb);
5079 }
5080 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
5081}
5082
5083static void hci_rx_work(struct work_struct *work)
5084{
5085 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
5086 struct sk_buff *skb;
5087
5088 BT_DBG("%s", hdev->name);
5089
5090 while ((skb = skb_dequeue(&hdev->rx_q))) {
5091 /* Send copy to monitor */
5092 hci_send_to_monitor(hdev, skb);
5093
5094 if (atomic_read(&hdev->promisc)) {
5095 /* Send copy to the sockets */
5096 hci_send_to_sock(hdev, skb);
5097 }
5098
5099 /* If the device has been opened in HCI_USER_CHANNEL,
5100 * the userspace has exclusive access to device.
5101 * When device is HCI_INIT, we still need to process
5102 * the data packets to the driver in order
5103 * to complete its setup().
5104 */
5105 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
5106 !test_bit(HCI_INIT, &hdev->flags)) {
5107 kfree_skb(skb);
5108 continue;
5109 }
5110
5111 if (test_bit(HCI_INIT, &hdev->flags)) {
5112 /* Don't process data packets in this states. */
5113 switch (hci_skb_pkt_type(skb)) {
5114 case HCI_ACLDATA_PKT:
5115 case HCI_SCODATA_PKT:
5116 case HCI_ISODATA_PKT:
5117 kfree_skb(skb);
5118 continue;
5119 }
5120 }
5121
5122 /* Process frame */
5123 switch (hci_skb_pkt_type(skb)) {
5124 case HCI_EVENT_PKT:
5125 BT_DBG("%s Event packet", hdev->name);
5126 hci_event_packet(hdev, skb);
5127 break;
5128
5129 case HCI_ACLDATA_PKT:
5130 BT_DBG("%s ACL data packet", hdev->name);
5131 hci_acldata_packet(hdev, skb);
5132 break;
5133
5134 case HCI_SCODATA_PKT:
5135 BT_DBG("%s SCO data packet", hdev->name);
5136 hci_scodata_packet(hdev, skb);
5137 break;
5138
5139 default:
5140 kfree_skb(skb);
5141 break;
5142 }
5143 }
5144}
5145
5146static void hci_cmd_work(struct work_struct *work)
5147{
5148 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
5149 struct sk_buff *skb;
5150
5151 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
5152 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
5153
5154 /* Send queued commands */
5155 if (atomic_read(&hdev->cmd_cnt)) {
5156 skb = skb_dequeue(&hdev->cmd_q);
5157 if (!skb)
5158 return;
5159
5160 kfree_skb(hdev->sent_cmd);
5161
5162 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
5163 if (hdev->sent_cmd) {
5164 if (hci_req_status_pend(hdev))
5165 hci_dev_set_flag(hdev, HCI_CMD_PENDING);
5166 atomic_dec(&hdev->cmd_cnt);
5167 hci_send_frame(hdev, skb);
5168 if (test_bit(HCI_RESET, &hdev->flags))
5169 cancel_delayed_work(&hdev->cmd_timer);
5170 else
5171 schedule_delayed_work(&hdev->cmd_timer,
5172 HCI_CMD_TIMEOUT);
5173 } else {
5174 skb_queue_head(&hdev->cmd_q, skb);
5175 queue_work(hdev->workqueue, &hdev->cmd_work);
5176 }
5177 }
5178}