Loading...
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth HCI core. */
27
28#include <linux/export.h>
29#include <linux/idr.h>
30#include <linux/rfkill.h>
31#include <linux/debugfs.h>
32#include <linux/crypto.h>
33#include <linux/property.h>
34#include <asm/unaligned.h>
35
36#include <net/bluetooth/bluetooth.h>
37#include <net/bluetooth/hci_core.h>
38#include <net/bluetooth/l2cap.h>
39#include <net/bluetooth/mgmt.h>
40
41#include "hci_request.h"
42#include "hci_debugfs.h"
43#include "smp.h"
44#include "leds.h"
45
46static void hci_rx_work(struct work_struct *work);
47static void hci_cmd_work(struct work_struct *work);
48static void hci_tx_work(struct work_struct *work);
49
50/* HCI device list */
51LIST_HEAD(hci_dev_list);
52DEFINE_RWLOCK(hci_dev_list_lock);
53
54/* HCI callback list */
55LIST_HEAD(hci_cb_list);
56DEFINE_MUTEX(hci_cb_list_lock);
57
58/* HCI ID Numbering */
59static DEFINE_IDA(hci_index_ida);
60
61/* ---- HCI debugfs entries ---- */
62
63static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
64 size_t count, loff_t *ppos)
65{
66 struct hci_dev *hdev = file->private_data;
67 char buf[3];
68
69 buf[0] = hci_dev_test_flag(hdev, HCI_DUT_MODE) ? 'Y' : 'N';
70 buf[1] = '\n';
71 buf[2] = '\0';
72 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
73}
74
75static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
76 size_t count, loff_t *ppos)
77{
78 struct hci_dev *hdev = file->private_data;
79 struct sk_buff *skb;
80 bool enable;
81 int err;
82
83 if (!test_bit(HCI_UP, &hdev->flags))
84 return -ENETDOWN;
85
86 err = kstrtobool_from_user(user_buf, count, &enable);
87 if (err)
88 return err;
89
90 if (enable == hci_dev_test_flag(hdev, HCI_DUT_MODE))
91 return -EALREADY;
92
93 hci_req_sync_lock(hdev);
94 if (enable)
95 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
96 HCI_CMD_TIMEOUT);
97 else
98 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
99 HCI_CMD_TIMEOUT);
100 hci_req_sync_unlock(hdev);
101
102 if (IS_ERR(skb))
103 return PTR_ERR(skb);
104
105 kfree_skb(skb);
106
107 hci_dev_change_flag(hdev, HCI_DUT_MODE);
108
109 return count;
110}
111
112static const struct file_operations dut_mode_fops = {
113 .open = simple_open,
114 .read = dut_mode_read,
115 .write = dut_mode_write,
116 .llseek = default_llseek,
117};
118
119static ssize_t vendor_diag_read(struct file *file, char __user *user_buf,
120 size_t count, loff_t *ppos)
121{
122 struct hci_dev *hdev = file->private_data;
123 char buf[3];
124
125 buf[0] = hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) ? 'Y' : 'N';
126 buf[1] = '\n';
127 buf[2] = '\0';
128 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
129}
130
131static ssize_t vendor_diag_write(struct file *file, const char __user *user_buf,
132 size_t count, loff_t *ppos)
133{
134 struct hci_dev *hdev = file->private_data;
135 bool enable;
136 int err;
137
138 err = kstrtobool_from_user(user_buf, count, &enable);
139 if (err)
140 return err;
141
142 /* When the diagnostic flags are not persistent and the transport
143 * is not active or in user channel operation, then there is no need
144 * for the vendor callback. Instead just store the desired value and
145 * the setting will be programmed when the controller gets powered on.
146 */
147 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
148 (!test_bit(HCI_RUNNING, &hdev->flags) ||
149 hci_dev_test_flag(hdev, HCI_USER_CHANNEL)))
150 goto done;
151
152 hci_req_sync_lock(hdev);
153 err = hdev->set_diag(hdev, enable);
154 hci_req_sync_unlock(hdev);
155
156 if (err < 0)
157 return err;
158
159done:
160 if (enable)
161 hci_dev_set_flag(hdev, HCI_VENDOR_DIAG);
162 else
163 hci_dev_clear_flag(hdev, HCI_VENDOR_DIAG);
164
165 return count;
166}
167
168static const struct file_operations vendor_diag_fops = {
169 .open = simple_open,
170 .read = vendor_diag_read,
171 .write = vendor_diag_write,
172 .llseek = default_llseek,
173};
174
175static void hci_debugfs_create_basic(struct hci_dev *hdev)
176{
177 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
178 &dut_mode_fops);
179
180 if (hdev->set_diag)
181 debugfs_create_file("vendor_diag", 0644, hdev->debugfs, hdev,
182 &vendor_diag_fops);
183}
184
185static int hci_reset_req(struct hci_request *req, unsigned long opt)
186{
187 BT_DBG("%s %ld", req->hdev->name, opt);
188
189 /* Reset device */
190 set_bit(HCI_RESET, &req->hdev->flags);
191 hci_req_add(req, HCI_OP_RESET, 0, NULL);
192 return 0;
193}
194
195static void bredr_init(struct hci_request *req)
196{
197 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
198
199 /* Read Local Supported Features */
200 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
201
202 /* Read Local Version */
203 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
204
205 /* Read BD Address */
206 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
207}
208
209static void amp_init1(struct hci_request *req)
210{
211 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
212
213 /* Read Local Version */
214 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
215
216 /* Read Local Supported Commands */
217 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
218
219 /* Read Local AMP Info */
220 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
221
222 /* Read Data Blk size */
223 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
224
225 /* Read Flow Control Mode */
226 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
227
228 /* Read Location Data */
229 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
230}
231
232static int amp_init2(struct hci_request *req)
233{
234 /* Read Local Supported Features. Not all AMP controllers
235 * support this so it's placed conditionally in the second
236 * stage init.
237 */
238 if (req->hdev->commands[14] & 0x20)
239 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
240
241 return 0;
242}
243
244static int hci_init1_req(struct hci_request *req, unsigned long opt)
245{
246 struct hci_dev *hdev = req->hdev;
247
248 BT_DBG("%s %ld", hdev->name, opt);
249
250 /* Reset */
251 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
252 hci_reset_req(req, 0);
253
254 switch (hdev->dev_type) {
255 case HCI_PRIMARY:
256 bredr_init(req);
257 break;
258 case HCI_AMP:
259 amp_init1(req);
260 break;
261 default:
262 bt_dev_err(hdev, "Unknown device type %d", hdev->dev_type);
263 break;
264 }
265
266 return 0;
267}
268
269static void bredr_setup(struct hci_request *req)
270{
271 __le16 param;
272 __u8 flt_type;
273
274 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
275 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
276
277 /* Read Class of Device */
278 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
279
280 /* Read Local Name */
281 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
282
283 /* Read Voice Setting */
284 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
285
286 /* Read Number of Supported IAC */
287 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
288
289 /* Read Current IAC LAP */
290 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
291
292 /* Clear Event Filters */
293 flt_type = HCI_FLT_CLEAR_ALL;
294 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
295
296 /* Connection accept timeout ~20 secs */
297 param = cpu_to_le16(0x7d00);
298 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
299}
300
301static void le_setup(struct hci_request *req)
302{
303 struct hci_dev *hdev = req->hdev;
304
305 /* Read LE Buffer Size */
306 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
307
308 /* Read LE Local Supported Features */
309 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
310
311 /* Read LE Supported States */
312 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
313
314 /* LE-only controllers have LE implicitly enabled */
315 if (!lmp_bredr_capable(hdev))
316 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
317}
318
319static void hci_setup_event_mask(struct hci_request *req)
320{
321 struct hci_dev *hdev = req->hdev;
322
323 /* The second byte is 0xff instead of 0x9f (two reserved bits
324 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
325 * command otherwise.
326 */
327 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
328
329 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
330 * any event mask for pre 1.2 devices.
331 */
332 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
333 return;
334
335 if (lmp_bredr_capable(hdev)) {
336 events[4] |= 0x01; /* Flow Specification Complete */
337 } else {
338 /* Use a different default for LE-only devices */
339 memset(events, 0, sizeof(events));
340 events[1] |= 0x20; /* Command Complete */
341 events[1] |= 0x40; /* Command Status */
342 events[1] |= 0x80; /* Hardware Error */
343
344 /* If the controller supports the Disconnect command, enable
345 * the corresponding event. In addition enable packet flow
346 * control related events.
347 */
348 if (hdev->commands[0] & 0x20) {
349 events[0] |= 0x10; /* Disconnection Complete */
350 events[2] |= 0x04; /* Number of Completed Packets */
351 events[3] |= 0x02; /* Data Buffer Overflow */
352 }
353
354 /* If the controller supports the Read Remote Version
355 * Information command, enable the corresponding event.
356 */
357 if (hdev->commands[2] & 0x80)
358 events[1] |= 0x08; /* Read Remote Version Information
359 * Complete
360 */
361
362 if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
363 events[0] |= 0x80; /* Encryption Change */
364 events[5] |= 0x80; /* Encryption Key Refresh Complete */
365 }
366 }
367
368 if (lmp_inq_rssi_capable(hdev) ||
369 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks))
370 events[4] |= 0x02; /* Inquiry Result with RSSI */
371
372 if (lmp_ext_feat_capable(hdev))
373 events[4] |= 0x04; /* Read Remote Extended Features Complete */
374
375 if (lmp_esco_capable(hdev)) {
376 events[5] |= 0x08; /* Synchronous Connection Complete */
377 events[5] |= 0x10; /* Synchronous Connection Changed */
378 }
379
380 if (lmp_sniffsubr_capable(hdev))
381 events[5] |= 0x20; /* Sniff Subrating */
382
383 if (lmp_pause_enc_capable(hdev))
384 events[5] |= 0x80; /* Encryption Key Refresh Complete */
385
386 if (lmp_ext_inq_capable(hdev))
387 events[5] |= 0x40; /* Extended Inquiry Result */
388
389 if (lmp_no_flush_capable(hdev))
390 events[7] |= 0x01; /* Enhanced Flush Complete */
391
392 if (lmp_lsto_capable(hdev))
393 events[6] |= 0x80; /* Link Supervision Timeout Changed */
394
395 if (lmp_ssp_capable(hdev)) {
396 events[6] |= 0x01; /* IO Capability Request */
397 events[6] |= 0x02; /* IO Capability Response */
398 events[6] |= 0x04; /* User Confirmation Request */
399 events[6] |= 0x08; /* User Passkey Request */
400 events[6] |= 0x10; /* Remote OOB Data Request */
401 events[6] |= 0x20; /* Simple Pairing Complete */
402 events[7] |= 0x04; /* User Passkey Notification */
403 events[7] |= 0x08; /* Keypress Notification */
404 events[7] |= 0x10; /* Remote Host Supported
405 * Features Notification
406 */
407 }
408
409 if (lmp_le_capable(hdev))
410 events[7] |= 0x20; /* LE Meta-Event */
411
412 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
413}
414
415static int hci_init2_req(struct hci_request *req, unsigned long opt)
416{
417 struct hci_dev *hdev = req->hdev;
418
419 if (hdev->dev_type == HCI_AMP)
420 return amp_init2(req);
421
422 if (lmp_bredr_capable(hdev))
423 bredr_setup(req);
424 else
425 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
426
427 if (lmp_le_capable(hdev))
428 le_setup(req);
429
430 /* All Bluetooth 1.2 and later controllers should support the
431 * HCI command for reading the local supported commands.
432 *
433 * Unfortunately some controllers indicate Bluetooth 1.2 support,
434 * but do not have support for this command. If that is the case,
435 * the driver can quirk the behavior and skip reading the local
436 * supported commands.
437 */
438 if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
439 !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
440 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
441
442 if (lmp_ssp_capable(hdev)) {
443 /* When SSP is available, then the host features page
444 * should also be available as well. However some
445 * controllers list the max_page as 0 as long as SSP
446 * has not been enabled. To achieve proper debugging
447 * output, force the minimum max_page to 1 at least.
448 */
449 hdev->max_page = 0x01;
450
451 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
452 u8 mode = 0x01;
453
454 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
455 sizeof(mode), &mode);
456 } else {
457 struct hci_cp_write_eir cp;
458
459 memset(hdev->eir, 0, sizeof(hdev->eir));
460 memset(&cp, 0, sizeof(cp));
461
462 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
463 }
464 }
465
466 if (lmp_inq_rssi_capable(hdev) ||
467 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
468 u8 mode;
469
470 /* If Extended Inquiry Result events are supported, then
471 * they are clearly preferred over Inquiry Result with RSSI
472 * events.
473 */
474 mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
475
476 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
477 }
478
479 if (lmp_inq_tx_pwr_capable(hdev))
480 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
481
482 if (lmp_ext_feat_capable(hdev)) {
483 struct hci_cp_read_local_ext_features cp;
484
485 cp.page = 0x01;
486 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
487 sizeof(cp), &cp);
488 }
489
490 if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
491 u8 enable = 1;
492 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
493 &enable);
494 }
495
496 return 0;
497}
498
499static void hci_setup_link_policy(struct hci_request *req)
500{
501 struct hci_dev *hdev = req->hdev;
502 struct hci_cp_write_def_link_policy cp;
503 u16 link_policy = 0;
504
505 if (lmp_rswitch_capable(hdev))
506 link_policy |= HCI_LP_RSWITCH;
507 if (lmp_hold_capable(hdev))
508 link_policy |= HCI_LP_HOLD;
509 if (lmp_sniff_capable(hdev))
510 link_policy |= HCI_LP_SNIFF;
511 if (lmp_park_capable(hdev))
512 link_policy |= HCI_LP_PARK;
513
514 cp.policy = cpu_to_le16(link_policy);
515 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
516}
517
518static void hci_set_le_support(struct hci_request *req)
519{
520 struct hci_dev *hdev = req->hdev;
521 struct hci_cp_write_le_host_supported cp;
522
523 /* LE-only devices do not support explicit enablement */
524 if (!lmp_bredr_capable(hdev))
525 return;
526
527 memset(&cp, 0, sizeof(cp));
528
529 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
530 cp.le = 0x01;
531 cp.simul = 0x00;
532 }
533
534 if (cp.le != lmp_host_le_capable(hdev))
535 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
536 &cp);
537}
538
539static void hci_set_event_mask_page_2(struct hci_request *req)
540{
541 struct hci_dev *hdev = req->hdev;
542 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
543 bool changed = false;
544
545 /* If Connectionless Slave Broadcast master role is supported
546 * enable all necessary events for it.
547 */
548 if (lmp_csb_master_capable(hdev)) {
549 events[1] |= 0x40; /* Triggered Clock Capture */
550 events[1] |= 0x80; /* Synchronization Train Complete */
551 events[2] |= 0x10; /* Slave Page Response Timeout */
552 events[2] |= 0x20; /* CSB Channel Map Change */
553 changed = true;
554 }
555
556 /* If Connectionless Slave Broadcast slave role is supported
557 * enable all necessary events for it.
558 */
559 if (lmp_csb_slave_capable(hdev)) {
560 events[2] |= 0x01; /* Synchronization Train Received */
561 events[2] |= 0x02; /* CSB Receive */
562 events[2] |= 0x04; /* CSB Timeout */
563 events[2] |= 0x08; /* Truncated Page Complete */
564 changed = true;
565 }
566
567 /* Enable Authenticated Payload Timeout Expired event if supported */
568 if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) {
569 events[2] |= 0x80;
570 changed = true;
571 }
572
573 /* Some Broadcom based controllers indicate support for Set Event
574 * Mask Page 2 command, but then actually do not support it. Since
575 * the default value is all bits set to zero, the command is only
576 * required if the event mask has to be changed. In case no change
577 * to the event mask is needed, skip this command.
578 */
579 if (changed)
580 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2,
581 sizeof(events), events);
582}
583
584static int hci_init3_req(struct hci_request *req, unsigned long opt)
585{
586 struct hci_dev *hdev = req->hdev;
587 u8 p;
588
589 hci_setup_event_mask(req);
590
591 if (hdev->commands[6] & 0x20 &&
592 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
593 struct hci_cp_read_stored_link_key cp;
594
595 bacpy(&cp.bdaddr, BDADDR_ANY);
596 cp.read_all = 0x01;
597 hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
598 }
599
600 if (hdev->commands[5] & 0x10)
601 hci_setup_link_policy(req);
602
603 if (hdev->commands[8] & 0x01)
604 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
605
606 /* Some older Broadcom based Bluetooth 1.2 controllers do not
607 * support the Read Page Scan Type command. Check support for
608 * this command in the bit mask of supported commands.
609 */
610 if (hdev->commands[13] & 0x01)
611 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
612
613 if (lmp_le_capable(hdev)) {
614 u8 events[8];
615
616 memset(events, 0, sizeof(events));
617
618 if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
619 events[0] |= 0x10; /* LE Long Term Key Request */
620
621 /* If controller supports the Connection Parameters Request
622 * Link Layer Procedure, enable the corresponding event.
623 */
624 if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
625 events[0] |= 0x20; /* LE Remote Connection
626 * Parameter Request
627 */
628
629 /* If the controller supports the Data Length Extension
630 * feature, enable the corresponding event.
631 */
632 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
633 events[0] |= 0x40; /* LE Data Length Change */
634
635 /* If the controller supports Extended Scanner Filter
636 * Policies, enable the correspondig event.
637 */
638 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
639 events[1] |= 0x04; /* LE Direct Advertising
640 * Report
641 */
642
643 /* If the controller supports Channel Selection Algorithm #2
644 * feature, enable the corresponding event.
645 */
646 if (hdev->le_features[1] & HCI_LE_CHAN_SEL_ALG2)
647 events[2] |= 0x08; /* LE Channel Selection
648 * Algorithm
649 */
650
651 /* If the controller supports the LE Set Scan Enable command,
652 * enable the corresponding advertising report event.
653 */
654 if (hdev->commands[26] & 0x08)
655 events[0] |= 0x02; /* LE Advertising Report */
656
657 /* If the controller supports the LE Create Connection
658 * command, enable the corresponding event.
659 */
660 if (hdev->commands[26] & 0x10)
661 events[0] |= 0x01; /* LE Connection Complete */
662
663 /* If the controller supports the LE Connection Update
664 * command, enable the corresponding event.
665 */
666 if (hdev->commands[27] & 0x04)
667 events[0] |= 0x04; /* LE Connection Update
668 * Complete
669 */
670
671 /* If the controller supports the LE Read Remote Used Features
672 * command, enable the corresponding event.
673 */
674 if (hdev->commands[27] & 0x20)
675 events[0] |= 0x08; /* LE Read Remote Used
676 * Features Complete
677 */
678
679 /* If the controller supports the LE Read Local P-256
680 * Public Key command, enable the corresponding event.
681 */
682 if (hdev->commands[34] & 0x02)
683 events[0] |= 0x80; /* LE Read Local P-256
684 * Public Key Complete
685 */
686
687 /* If the controller supports the LE Generate DHKey
688 * command, enable the corresponding event.
689 */
690 if (hdev->commands[34] & 0x04)
691 events[1] |= 0x01; /* LE Generate DHKey Complete */
692
693 /* If the controller supports the LE Set Default PHY or
694 * LE Set PHY commands, enable the corresponding event.
695 */
696 if (hdev->commands[35] & (0x20 | 0x40))
697 events[1] |= 0x08; /* LE PHY Update Complete */
698
699 /* If the controller supports LE Set Extended Scan Parameters
700 * and LE Set Extended Scan Enable commands, enable the
701 * corresponding event.
702 */
703 if (use_ext_scan(hdev))
704 events[1] |= 0x10; /* LE Extended Advertising
705 * Report
706 */
707
708 /* If the controller supports the LE Extended Create Connection
709 * command, enable the corresponding event.
710 */
711 if (use_ext_conn(hdev))
712 events[1] |= 0x02; /* LE Enhanced Connection
713 * Complete
714 */
715
716 /* If the controller supports the LE Extended Advertising
717 * command, enable the corresponding event.
718 */
719 if (ext_adv_capable(hdev))
720 events[2] |= 0x02; /* LE Advertising Set
721 * Terminated
722 */
723
724 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
725 events);
726
727 /* Read LE Advertising Channel TX Power */
728 if ((hdev->commands[25] & 0x40) && !ext_adv_capable(hdev)) {
729 /* HCI TS spec forbids mixing of legacy and extended
730 * advertising commands wherein READ_ADV_TX_POWER is
731 * also included. So do not call it if extended adv
732 * is supported otherwise controller will return
733 * COMMAND_DISALLOWED for extended commands.
734 */
735 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
736 }
737
738 if (hdev->commands[26] & 0x40) {
739 /* Read LE White List Size */
740 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE,
741 0, NULL);
742 }
743
744 if (hdev->commands[26] & 0x80) {
745 /* Clear LE White List */
746 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
747 }
748
749 if (hdev->commands[34] & 0x40) {
750 /* Read LE Resolving List Size */
751 hci_req_add(req, HCI_OP_LE_READ_RESOLV_LIST_SIZE,
752 0, NULL);
753 }
754
755 if (hdev->commands[34] & 0x20) {
756 /* Clear LE Resolving List */
757 hci_req_add(req, HCI_OP_LE_CLEAR_RESOLV_LIST, 0, NULL);
758 }
759
760 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
761 /* Read LE Maximum Data Length */
762 hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
763
764 /* Read LE Suggested Default Data Length */
765 hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
766 }
767
768 if (ext_adv_capable(hdev)) {
769 /* Read LE Number of Supported Advertising Sets */
770 hci_req_add(req, HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
771 0, NULL);
772 }
773
774 hci_set_le_support(req);
775 }
776
777 /* Read features beyond page 1 if available */
778 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
779 struct hci_cp_read_local_ext_features cp;
780
781 cp.page = p;
782 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
783 sizeof(cp), &cp);
784 }
785
786 return 0;
787}
788
789static int hci_init4_req(struct hci_request *req, unsigned long opt)
790{
791 struct hci_dev *hdev = req->hdev;
792
793 /* Some Broadcom based Bluetooth controllers do not support the
794 * Delete Stored Link Key command. They are clearly indicating its
795 * absence in the bit mask of supported commands.
796 *
797 * Check the supported commands and only if the the command is marked
798 * as supported send it. If not supported assume that the controller
799 * does not have actual support for stored link keys which makes this
800 * command redundant anyway.
801 *
802 * Some controllers indicate that they support handling deleting
803 * stored link keys, but they don't. The quirk lets a driver
804 * just disable this command.
805 */
806 if (hdev->commands[6] & 0x80 &&
807 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
808 struct hci_cp_delete_stored_link_key cp;
809
810 bacpy(&cp.bdaddr, BDADDR_ANY);
811 cp.delete_all = 0x01;
812 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
813 sizeof(cp), &cp);
814 }
815
816 /* Set event mask page 2 if the HCI command for it is supported */
817 if (hdev->commands[22] & 0x04)
818 hci_set_event_mask_page_2(req);
819
820 /* Read local codec list if the HCI command is supported */
821 if (hdev->commands[29] & 0x20)
822 hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
823
824 /* Get MWS transport configuration if the HCI command is supported */
825 if (hdev->commands[30] & 0x08)
826 hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
827
828 /* Check for Synchronization Train support */
829 if (lmp_sync_train_capable(hdev))
830 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
831
832 /* Enable Secure Connections if supported and configured */
833 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&
834 bredr_sc_enabled(hdev)) {
835 u8 support = 0x01;
836
837 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
838 sizeof(support), &support);
839 }
840
841 /* Set Suggested Default Data Length to maximum if supported */
842 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
843 struct hci_cp_le_write_def_data_len cp;
844
845 cp.tx_len = hdev->le_max_tx_len;
846 cp.tx_time = hdev->le_max_tx_time;
847 hci_req_add(req, HCI_OP_LE_WRITE_DEF_DATA_LEN, sizeof(cp), &cp);
848 }
849
850 /* Set Default PHY parameters if command is supported */
851 if (hdev->commands[35] & 0x20) {
852 struct hci_cp_le_set_default_phy cp;
853
854 cp.all_phys = 0x00;
855 cp.tx_phys = hdev->le_tx_def_phys;
856 cp.rx_phys = hdev->le_rx_def_phys;
857
858 hci_req_add(req, HCI_OP_LE_SET_DEFAULT_PHY, sizeof(cp), &cp);
859 }
860
861 return 0;
862}
863
864static int __hci_init(struct hci_dev *hdev)
865{
866 int err;
867
868 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT, NULL);
869 if (err < 0)
870 return err;
871
872 if (hci_dev_test_flag(hdev, HCI_SETUP))
873 hci_debugfs_create_basic(hdev);
874
875 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT, NULL);
876 if (err < 0)
877 return err;
878
879 /* HCI_PRIMARY covers both single-mode LE, BR/EDR and dual-mode
880 * BR/EDR/LE type controllers. AMP controllers only need the
881 * first two stages of init.
882 */
883 if (hdev->dev_type != HCI_PRIMARY)
884 return 0;
885
886 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT, NULL);
887 if (err < 0)
888 return err;
889
890 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT, NULL);
891 if (err < 0)
892 return err;
893
894 /* This function is only called when the controller is actually in
895 * configured state. When the controller is marked as unconfigured,
896 * this initialization procedure is not run.
897 *
898 * It means that it is possible that a controller runs through its
899 * setup phase and then discovers missing settings. If that is the
900 * case, then this function will not be called. It then will only
901 * be called during the config phase.
902 *
903 * So only when in setup phase or config phase, create the debugfs
904 * entries and register the SMP channels.
905 */
906 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
907 !hci_dev_test_flag(hdev, HCI_CONFIG))
908 return 0;
909
910 hci_debugfs_create_common(hdev);
911
912 if (lmp_bredr_capable(hdev))
913 hci_debugfs_create_bredr(hdev);
914
915 if (lmp_le_capable(hdev))
916 hci_debugfs_create_le(hdev);
917
918 return 0;
919}
920
921static int hci_init0_req(struct hci_request *req, unsigned long opt)
922{
923 struct hci_dev *hdev = req->hdev;
924
925 BT_DBG("%s %ld", hdev->name, opt);
926
927 /* Reset */
928 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
929 hci_reset_req(req, 0);
930
931 /* Read Local Version */
932 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
933
934 /* Read BD Address */
935 if (hdev->set_bdaddr)
936 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
937
938 return 0;
939}
940
941static int __hci_unconf_init(struct hci_dev *hdev)
942{
943 int err;
944
945 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
946 return 0;
947
948 err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT, NULL);
949 if (err < 0)
950 return err;
951
952 if (hci_dev_test_flag(hdev, HCI_SETUP))
953 hci_debugfs_create_basic(hdev);
954
955 return 0;
956}
957
958static int hci_scan_req(struct hci_request *req, unsigned long opt)
959{
960 __u8 scan = opt;
961
962 BT_DBG("%s %x", req->hdev->name, scan);
963
964 /* Inquiry and Page scans */
965 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
966 return 0;
967}
968
969static int hci_auth_req(struct hci_request *req, unsigned long opt)
970{
971 __u8 auth = opt;
972
973 BT_DBG("%s %x", req->hdev->name, auth);
974
975 /* Authentication */
976 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
977 return 0;
978}
979
980static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
981{
982 __u8 encrypt = opt;
983
984 BT_DBG("%s %x", req->hdev->name, encrypt);
985
986 /* Encryption */
987 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
988 return 0;
989}
990
991static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
992{
993 __le16 policy = cpu_to_le16(opt);
994
995 BT_DBG("%s %x", req->hdev->name, policy);
996
997 /* Default link policy */
998 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
999 return 0;
1000}
1001
1002/* Get HCI device by index.
1003 * Device is held on return. */
1004struct hci_dev *hci_dev_get(int index)
1005{
1006 struct hci_dev *hdev = NULL, *d;
1007
1008 BT_DBG("%d", index);
1009
1010 if (index < 0)
1011 return NULL;
1012
1013 read_lock(&hci_dev_list_lock);
1014 list_for_each_entry(d, &hci_dev_list, list) {
1015 if (d->id == index) {
1016 hdev = hci_dev_hold(d);
1017 break;
1018 }
1019 }
1020 read_unlock(&hci_dev_list_lock);
1021 return hdev;
1022}
1023
1024/* ---- Inquiry support ---- */
1025
1026bool hci_discovery_active(struct hci_dev *hdev)
1027{
1028 struct discovery_state *discov = &hdev->discovery;
1029
1030 switch (discov->state) {
1031 case DISCOVERY_FINDING:
1032 case DISCOVERY_RESOLVING:
1033 return true;
1034
1035 default:
1036 return false;
1037 }
1038}
1039
1040void hci_discovery_set_state(struct hci_dev *hdev, int state)
1041{
1042 int old_state = hdev->discovery.state;
1043
1044 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
1045
1046 if (old_state == state)
1047 return;
1048
1049 hdev->discovery.state = state;
1050
1051 switch (state) {
1052 case DISCOVERY_STOPPED:
1053 hci_update_background_scan(hdev);
1054
1055 if (old_state != DISCOVERY_STARTING)
1056 mgmt_discovering(hdev, 0);
1057 break;
1058 case DISCOVERY_STARTING:
1059 break;
1060 case DISCOVERY_FINDING:
1061 mgmt_discovering(hdev, 1);
1062 break;
1063 case DISCOVERY_RESOLVING:
1064 break;
1065 case DISCOVERY_STOPPING:
1066 break;
1067 }
1068}
1069
1070void hci_inquiry_cache_flush(struct hci_dev *hdev)
1071{
1072 struct discovery_state *cache = &hdev->discovery;
1073 struct inquiry_entry *p, *n;
1074
1075 list_for_each_entry_safe(p, n, &cache->all, all) {
1076 list_del(&p->all);
1077 kfree(p);
1078 }
1079
1080 INIT_LIST_HEAD(&cache->unknown);
1081 INIT_LIST_HEAD(&cache->resolve);
1082}
1083
1084struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1085 bdaddr_t *bdaddr)
1086{
1087 struct discovery_state *cache = &hdev->discovery;
1088 struct inquiry_entry *e;
1089
1090 BT_DBG("cache %p, %pMR", cache, bdaddr);
1091
1092 list_for_each_entry(e, &cache->all, all) {
1093 if (!bacmp(&e->data.bdaddr, bdaddr))
1094 return e;
1095 }
1096
1097 return NULL;
1098}
1099
1100struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1101 bdaddr_t *bdaddr)
1102{
1103 struct discovery_state *cache = &hdev->discovery;
1104 struct inquiry_entry *e;
1105
1106 BT_DBG("cache %p, %pMR", cache, bdaddr);
1107
1108 list_for_each_entry(e, &cache->unknown, list) {
1109 if (!bacmp(&e->data.bdaddr, bdaddr))
1110 return e;
1111 }
1112
1113 return NULL;
1114}
1115
1116struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1117 bdaddr_t *bdaddr,
1118 int state)
1119{
1120 struct discovery_state *cache = &hdev->discovery;
1121 struct inquiry_entry *e;
1122
1123 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1124
1125 list_for_each_entry(e, &cache->resolve, list) {
1126 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1127 return e;
1128 if (!bacmp(&e->data.bdaddr, bdaddr))
1129 return e;
1130 }
1131
1132 return NULL;
1133}
1134
1135void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1136 struct inquiry_entry *ie)
1137{
1138 struct discovery_state *cache = &hdev->discovery;
1139 struct list_head *pos = &cache->resolve;
1140 struct inquiry_entry *p;
1141
1142 list_del(&ie->list);
1143
1144 list_for_each_entry(p, &cache->resolve, list) {
1145 if (p->name_state != NAME_PENDING &&
1146 abs(p->data.rssi) >= abs(ie->data.rssi))
1147 break;
1148 pos = &p->list;
1149 }
1150
1151 list_add(&ie->list, pos);
1152}
1153
1154u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1155 bool name_known)
1156{
1157 struct discovery_state *cache = &hdev->discovery;
1158 struct inquiry_entry *ie;
1159 u32 flags = 0;
1160
1161 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1162
1163 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1164
1165 if (!data->ssp_mode)
1166 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1167
1168 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1169 if (ie) {
1170 if (!ie->data.ssp_mode)
1171 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1172
1173 if (ie->name_state == NAME_NEEDED &&
1174 data->rssi != ie->data.rssi) {
1175 ie->data.rssi = data->rssi;
1176 hci_inquiry_cache_update_resolve(hdev, ie);
1177 }
1178
1179 goto update;
1180 }
1181
1182 /* Entry not in the cache. Add new one. */
1183 ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1184 if (!ie) {
1185 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1186 goto done;
1187 }
1188
1189 list_add(&ie->all, &cache->all);
1190
1191 if (name_known) {
1192 ie->name_state = NAME_KNOWN;
1193 } else {
1194 ie->name_state = NAME_NOT_KNOWN;
1195 list_add(&ie->list, &cache->unknown);
1196 }
1197
1198update:
1199 if (name_known && ie->name_state != NAME_KNOWN &&
1200 ie->name_state != NAME_PENDING) {
1201 ie->name_state = NAME_KNOWN;
1202 list_del(&ie->list);
1203 }
1204
1205 memcpy(&ie->data, data, sizeof(*data));
1206 ie->timestamp = jiffies;
1207 cache->timestamp = jiffies;
1208
1209 if (ie->name_state == NAME_NOT_KNOWN)
1210 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1211
1212done:
1213 return flags;
1214}
1215
1216static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1217{
1218 struct discovery_state *cache = &hdev->discovery;
1219 struct inquiry_info *info = (struct inquiry_info *) buf;
1220 struct inquiry_entry *e;
1221 int copied = 0;
1222
1223 list_for_each_entry(e, &cache->all, all) {
1224 struct inquiry_data *data = &e->data;
1225
1226 if (copied >= num)
1227 break;
1228
1229 bacpy(&info->bdaddr, &data->bdaddr);
1230 info->pscan_rep_mode = data->pscan_rep_mode;
1231 info->pscan_period_mode = data->pscan_period_mode;
1232 info->pscan_mode = data->pscan_mode;
1233 memcpy(info->dev_class, data->dev_class, 3);
1234 info->clock_offset = data->clock_offset;
1235
1236 info++;
1237 copied++;
1238 }
1239
1240 BT_DBG("cache %p, copied %d", cache, copied);
1241 return copied;
1242}
1243
1244static int hci_inq_req(struct hci_request *req, unsigned long opt)
1245{
1246 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1247 struct hci_dev *hdev = req->hdev;
1248 struct hci_cp_inquiry cp;
1249
1250 BT_DBG("%s", hdev->name);
1251
1252 if (test_bit(HCI_INQUIRY, &hdev->flags))
1253 return 0;
1254
1255 /* Start Inquiry */
1256 memcpy(&cp.lap, &ir->lap, 3);
1257 cp.length = ir->length;
1258 cp.num_rsp = ir->num_rsp;
1259 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1260
1261 return 0;
1262}
1263
1264int hci_inquiry(void __user *arg)
1265{
1266 __u8 __user *ptr = arg;
1267 struct hci_inquiry_req ir;
1268 struct hci_dev *hdev;
1269 int err = 0, do_inquiry = 0, max_rsp;
1270 long timeo;
1271 __u8 *buf;
1272
1273 if (copy_from_user(&ir, ptr, sizeof(ir)))
1274 return -EFAULT;
1275
1276 hdev = hci_dev_get(ir.dev_id);
1277 if (!hdev)
1278 return -ENODEV;
1279
1280 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1281 err = -EBUSY;
1282 goto done;
1283 }
1284
1285 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1286 err = -EOPNOTSUPP;
1287 goto done;
1288 }
1289
1290 if (hdev->dev_type != HCI_PRIMARY) {
1291 err = -EOPNOTSUPP;
1292 goto done;
1293 }
1294
1295 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1296 err = -EOPNOTSUPP;
1297 goto done;
1298 }
1299
1300 hci_dev_lock(hdev);
1301 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1302 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1303 hci_inquiry_cache_flush(hdev);
1304 do_inquiry = 1;
1305 }
1306 hci_dev_unlock(hdev);
1307
1308 timeo = ir.length * msecs_to_jiffies(2000);
1309
1310 if (do_inquiry) {
1311 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1312 timeo, NULL);
1313 if (err < 0)
1314 goto done;
1315
1316 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1317 * cleared). If it is interrupted by a signal, return -EINTR.
1318 */
1319 if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1320 TASK_INTERRUPTIBLE))
1321 return -EINTR;
1322 }
1323
1324 /* for unlimited number of responses we will use buffer with
1325 * 255 entries
1326 */
1327 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1328
1329 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1330 * copy it to the user space.
1331 */
1332 buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
1333 if (!buf) {
1334 err = -ENOMEM;
1335 goto done;
1336 }
1337
1338 hci_dev_lock(hdev);
1339 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1340 hci_dev_unlock(hdev);
1341
1342 BT_DBG("num_rsp %d", ir.num_rsp);
1343
1344 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1345 ptr += sizeof(ir);
1346 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1347 ir.num_rsp))
1348 err = -EFAULT;
1349 } else
1350 err = -EFAULT;
1351
1352 kfree(buf);
1353
1354done:
1355 hci_dev_put(hdev);
1356 return err;
1357}
1358
1359/**
1360 * hci_dev_get_bd_addr_from_property - Get the Bluetooth Device Address
1361 * (BD_ADDR) for a HCI device from
1362 * a firmware node property.
1363 * @hdev: The HCI device
1364 *
1365 * Search the firmware node for 'local-bd-address'.
1366 *
1367 * All-zero BD addresses are rejected, because those could be properties
1368 * that exist in the firmware tables, but were not updated by the firmware. For
1369 * example, the DTS could define 'local-bd-address', with zero BD addresses.
1370 */
1371static void hci_dev_get_bd_addr_from_property(struct hci_dev *hdev)
1372{
1373 struct fwnode_handle *fwnode = dev_fwnode(hdev->dev.parent);
1374 bdaddr_t ba;
1375 int ret;
1376
1377 ret = fwnode_property_read_u8_array(fwnode, "local-bd-address",
1378 (u8 *)&ba, sizeof(ba));
1379 if (ret < 0 || !bacmp(&ba, BDADDR_ANY))
1380 return;
1381
1382 bacpy(&hdev->public_addr, &ba);
1383}
1384
1385static int hci_dev_do_open(struct hci_dev *hdev)
1386{
1387 int ret = 0;
1388
1389 BT_DBG("%s %p", hdev->name, hdev);
1390
1391 hci_req_sync_lock(hdev);
1392
1393 if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1394 ret = -ENODEV;
1395 goto done;
1396 }
1397
1398 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1399 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
1400 /* Check for rfkill but allow the HCI setup stage to
1401 * proceed (which in itself doesn't cause any RF activity).
1402 */
1403 if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
1404 ret = -ERFKILL;
1405 goto done;
1406 }
1407
1408 /* Check for valid public address or a configured static
1409 * random adddress, but let the HCI setup proceed to
1410 * be able to determine if there is a public address
1411 * or not.
1412 *
1413 * In case of user channel usage, it is not important
1414 * if a public address or static random address is
1415 * available.
1416 *
1417 * This check is only valid for BR/EDR controllers
1418 * since AMP controllers do not have an address.
1419 */
1420 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1421 hdev->dev_type == HCI_PRIMARY &&
1422 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1423 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1424 ret = -EADDRNOTAVAIL;
1425 goto done;
1426 }
1427 }
1428
1429 if (test_bit(HCI_UP, &hdev->flags)) {
1430 ret = -EALREADY;
1431 goto done;
1432 }
1433
1434 if (hdev->open(hdev)) {
1435 ret = -EIO;
1436 goto done;
1437 }
1438
1439 set_bit(HCI_RUNNING, &hdev->flags);
1440 hci_sock_dev_event(hdev, HCI_DEV_OPEN);
1441
1442 atomic_set(&hdev->cmd_cnt, 1);
1443 set_bit(HCI_INIT, &hdev->flags);
1444
1445 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
1446 test_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks)) {
1447 hci_sock_dev_event(hdev, HCI_DEV_SETUP);
1448
1449 if (hdev->setup)
1450 ret = hdev->setup(hdev);
1451
1452 if (ret)
1453 goto setup_failed;
1454
1455 if (test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) {
1456 if (!bacmp(&hdev->public_addr, BDADDR_ANY))
1457 hci_dev_get_bd_addr_from_property(hdev);
1458
1459 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1460 hdev->set_bdaddr)
1461 ret = hdev->set_bdaddr(hdev,
1462 &hdev->public_addr);
1463 }
1464
1465setup_failed:
1466 /* The transport driver can set these quirks before
1467 * creating the HCI device or in its setup callback.
1468 *
1469 * In case any of them is set, the controller has to
1470 * start up as unconfigured.
1471 */
1472 if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1473 test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks))
1474 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
1475
1476 /* For an unconfigured controller it is required to
1477 * read at least the version information provided by
1478 * the Read Local Version Information command.
1479 *
1480 * If the set_bdaddr driver callback is provided, then
1481 * also the original Bluetooth public device address
1482 * will be read using the Read BD Address command.
1483 */
1484 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1485 ret = __hci_unconf_init(hdev);
1486 }
1487
1488 if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
1489 /* If public address change is configured, ensure that
1490 * the address gets programmed. If the driver does not
1491 * support changing the public address, fail the power
1492 * on procedure.
1493 */
1494 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1495 hdev->set_bdaddr)
1496 ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1497 else
1498 ret = -EADDRNOTAVAIL;
1499 }
1500
1501 if (!ret) {
1502 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1503 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1504 ret = __hci_init(hdev);
1505 if (!ret && hdev->post_init)
1506 ret = hdev->post_init(hdev);
1507 }
1508 }
1509
1510 /* If the HCI Reset command is clearing all diagnostic settings,
1511 * then they need to be reprogrammed after the init procedure
1512 * completed.
1513 */
1514 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
1515 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1516 hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
1517 ret = hdev->set_diag(hdev, true);
1518
1519 clear_bit(HCI_INIT, &hdev->flags);
1520
1521 if (!ret) {
1522 hci_dev_hold(hdev);
1523 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1524 hci_adv_instances_set_rpa_expired(hdev, true);
1525 set_bit(HCI_UP, &hdev->flags);
1526 hci_sock_dev_event(hdev, HCI_DEV_UP);
1527 hci_leds_update_powered(hdev, true);
1528 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1529 !hci_dev_test_flag(hdev, HCI_CONFIG) &&
1530 !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1531 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1532 hci_dev_test_flag(hdev, HCI_MGMT) &&
1533 hdev->dev_type == HCI_PRIMARY) {
1534 ret = __hci_req_hci_power_on(hdev);
1535 mgmt_power_on(hdev, ret);
1536 }
1537 } else {
1538 /* Init failed, cleanup */
1539 flush_work(&hdev->tx_work);
1540 flush_work(&hdev->cmd_work);
1541 flush_work(&hdev->rx_work);
1542
1543 skb_queue_purge(&hdev->cmd_q);
1544 skb_queue_purge(&hdev->rx_q);
1545
1546 if (hdev->flush)
1547 hdev->flush(hdev);
1548
1549 if (hdev->sent_cmd) {
1550 kfree_skb(hdev->sent_cmd);
1551 hdev->sent_cmd = NULL;
1552 }
1553
1554 clear_bit(HCI_RUNNING, &hdev->flags);
1555 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1556
1557 hdev->close(hdev);
1558 hdev->flags &= BIT(HCI_RAW);
1559 }
1560
1561done:
1562 hci_req_sync_unlock(hdev);
1563 return ret;
1564}
1565
1566/* ---- HCI ioctl helpers ---- */
1567
1568int hci_dev_open(__u16 dev)
1569{
1570 struct hci_dev *hdev;
1571 int err;
1572
1573 hdev = hci_dev_get(dev);
1574 if (!hdev)
1575 return -ENODEV;
1576
1577 /* Devices that are marked as unconfigured can only be powered
1578 * up as user channel. Trying to bring them up as normal devices
1579 * will result into a failure. Only user channel operation is
1580 * possible.
1581 *
1582 * When this function is called for a user channel, the flag
1583 * HCI_USER_CHANNEL will be set first before attempting to
1584 * open the device.
1585 */
1586 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1587 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1588 err = -EOPNOTSUPP;
1589 goto done;
1590 }
1591
1592 /* We need to ensure that no other power on/off work is pending
1593 * before proceeding to call hci_dev_do_open. This is
1594 * particularly important if the setup procedure has not yet
1595 * completed.
1596 */
1597 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1598 cancel_delayed_work(&hdev->power_off);
1599
1600 /* After this call it is guaranteed that the setup procedure
1601 * has finished. This means that error conditions like RFKILL
1602 * or no valid public or static random address apply.
1603 */
1604 flush_workqueue(hdev->req_workqueue);
1605
1606 /* For controllers not using the management interface and that
1607 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1608 * so that pairing works for them. Once the management interface
1609 * is in use this bit will be cleared again and userspace has
1610 * to explicitly enable it.
1611 */
1612 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1613 !hci_dev_test_flag(hdev, HCI_MGMT))
1614 hci_dev_set_flag(hdev, HCI_BONDABLE);
1615
1616 err = hci_dev_do_open(hdev);
1617
1618done:
1619 hci_dev_put(hdev);
1620 return err;
1621}
1622
1623/* This function requires the caller holds hdev->lock */
1624static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1625{
1626 struct hci_conn_params *p;
1627
1628 list_for_each_entry(p, &hdev->le_conn_params, list) {
1629 if (p->conn) {
1630 hci_conn_drop(p->conn);
1631 hci_conn_put(p->conn);
1632 p->conn = NULL;
1633 }
1634 list_del_init(&p->action);
1635 }
1636
1637 BT_DBG("All LE pending actions cleared");
1638}
1639
1640int hci_dev_do_close(struct hci_dev *hdev)
1641{
1642 bool auto_off;
1643
1644 BT_DBG("%s %p", hdev->name, hdev);
1645
1646 if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
1647 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1648 test_bit(HCI_UP, &hdev->flags)) {
1649 /* Execute vendor specific shutdown routine */
1650 if (hdev->shutdown)
1651 hdev->shutdown(hdev);
1652 }
1653
1654 cancel_delayed_work(&hdev->power_off);
1655
1656 hci_request_cancel_all(hdev);
1657 hci_req_sync_lock(hdev);
1658
1659 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1660 cancel_delayed_work_sync(&hdev->cmd_timer);
1661 hci_req_sync_unlock(hdev);
1662 return 0;
1663 }
1664
1665 hci_leds_update_powered(hdev, false);
1666
1667 /* Flush RX and TX works */
1668 flush_work(&hdev->tx_work);
1669 flush_work(&hdev->rx_work);
1670
1671 if (hdev->discov_timeout > 0) {
1672 hdev->discov_timeout = 0;
1673 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1674 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1675 }
1676
1677 if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1678 cancel_delayed_work(&hdev->service_cache);
1679
1680 if (hci_dev_test_flag(hdev, HCI_MGMT)) {
1681 struct adv_info *adv_instance;
1682
1683 cancel_delayed_work_sync(&hdev->rpa_expired);
1684
1685 list_for_each_entry(adv_instance, &hdev->adv_instances, list)
1686 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
1687 }
1688
1689 /* Avoid potential lockdep warnings from the *_flush() calls by
1690 * ensuring the workqueue is empty up front.
1691 */
1692 drain_workqueue(hdev->workqueue);
1693
1694 hci_dev_lock(hdev);
1695
1696 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1697
1698 auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
1699
1700 if (!auto_off && hdev->dev_type == HCI_PRIMARY &&
1701 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1702 hci_dev_test_flag(hdev, HCI_MGMT))
1703 __mgmt_power_off(hdev);
1704
1705 hci_inquiry_cache_flush(hdev);
1706 hci_pend_le_actions_clear(hdev);
1707 hci_conn_hash_flush(hdev);
1708 hci_dev_unlock(hdev);
1709
1710 smp_unregister(hdev);
1711
1712 hci_sock_dev_event(hdev, HCI_DEV_DOWN);
1713
1714 if (hdev->flush)
1715 hdev->flush(hdev);
1716
1717 /* Reset device */
1718 skb_queue_purge(&hdev->cmd_q);
1719 atomic_set(&hdev->cmd_cnt, 1);
1720 if (test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks) &&
1721 !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1722 set_bit(HCI_INIT, &hdev->flags);
1723 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT, NULL);
1724 clear_bit(HCI_INIT, &hdev->flags);
1725 }
1726
1727 /* flush cmd work */
1728 flush_work(&hdev->cmd_work);
1729
1730 /* Drop queues */
1731 skb_queue_purge(&hdev->rx_q);
1732 skb_queue_purge(&hdev->cmd_q);
1733 skb_queue_purge(&hdev->raw_q);
1734
1735 /* Drop last sent command */
1736 if (hdev->sent_cmd) {
1737 cancel_delayed_work_sync(&hdev->cmd_timer);
1738 kfree_skb(hdev->sent_cmd);
1739 hdev->sent_cmd = NULL;
1740 }
1741
1742 clear_bit(HCI_RUNNING, &hdev->flags);
1743 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1744
1745 /* After this point our queues are empty
1746 * and no tasks are scheduled. */
1747 hdev->close(hdev);
1748
1749 /* Clear flags */
1750 hdev->flags &= BIT(HCI_RAW);
1751 hci_dev_clear_volatile_flags(hdev);
1752
1753 /* Controller radio is available but is currently powered down */
1754 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1755
1756 memset(hdev->eir, 0, sizeof(hdev->eir));
1757 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1758 bacpy(&hdev->random_addr, BDADDR_ANY);
1759
1760 hci_req_sync_unlock(hdev);
1761
1762 hci_dev_put(hdev);
1763 return 0;
1764}
1765
1766int hci_dev_close(__u16 dev)
1767{
1768 struct hci_dev *hdev;
1769 int err;
1770
1771 hdev = hci_dev_get(dev);
1772 if (!hdev)
1773 return -ENODEV;
1774
1775 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1776 err = -EBUSY;
1777 goto done;
1778 }
1779
1780 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1781 cancel_delayed_work(&hdev->power_off);
1782
1783 err = hci_dev_do_close(hdev);
1784
1785done:
1786 hci_dev_put(hdev);
1787 return err;
1788}
1789
1790static int hci_dev_do_reset(struct hci_dev *hdev)
1791{
1792 int ret;
1793
1794 BT_DBG("%s %p", hdev->name, hdev);
1795
1796 hci_req_sync_lock(hdev);
1797
1798 /* Drop queues */
1799 skb_queue_purge(&hdev->rx_q);
1800 skb_queue_purge(&hdev->cmd_q);
1801
1802 /* Avoid potential lockdep warnings from the *_flush() calls by
1803 * ensuring the workqueue is empty up front.
1804 */
1805 drain_workqueue(hdev->workqueue);
1806
1807 hci_dev_lock(hdev);
1808 hci_inquiry_cache_flush(hdev);
1809 hci_conn_hash_flush(hdev);
1810 hci_dev_unlock(hdev);
1811
1812 if (hdev->flush)
1813 hdev->flush(hdev);
1814
1815 atomic_set(&hdev->cmd_cnt, 1);
1816 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1817
1818 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT, NULL);
1819
1820 hci_req_sync_unlock(hdev);
1821 return ret;
1822}
1823
1824int hci_dev_reset(__u16 dev)
1825{
1826 struct hci_dev *hdev;
1827 int err;
1828
1829 hdev = hci_dev_get(dev);
1830 if (!hdev)
1831 return -ENODEV;
1832
1833 if (!test_bit(HCI_UP, &hdev->flags)) {
1834 err = -ENETDOWN;
1835 goto done;
1836 }
1837
1838 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1839 err = -EBUSY;
1840 goto done;
1841 }
1842
1843 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1844 err = -EOPNOTSUPP;
1845 goto done;
1846 }
1847
1848 err = hci_dev_do_reset(hdev);
1849
1850done:
1851 hci_dev_put(hdev);
1852 return err;
1853}
1854
1855int hci_dev_reset_stat(__u16 dev)
1856{
1857 struct hci_dev *hdev;
1858 int ret = 0;
1859
1860 hdev = hci_dev_get(dev);
1861 if (!hdev)
1862 return -ENODEV;
1863
1864 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1865 ret = -EBUSY;
1866 goto done;
1867 }
1868
1869 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1870 ret = -EOPNOTSUPP;
1871 goto done;
1872 }
1873
1874 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1875
1876done:
1877 hci_dev_put(hdev);
1878 return ret;
1879}
1880
1881static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1882{
1883 bool conn_changed, discov_changed;
1884
1885 BT_DBG("%s scan 0x%02x", hdev->name, scan);
1886
1887 if ((scan & SCAN_PAGE))
1888 conn_changed = !hci_dev_test_and_set_flag(hdev,
1889 HCI_CONNECTABLE);
1890 else
1891 conn_changed = hci_dev_test_and_clear_flag(hdev,
1892 HCI_CONNECTABLE);
1893
1894 if ((scan & SCAN_INQUIRY)) {
1895 discov_changed = !hci_dev_test_and_set_flag(hdev,
1896 HCI_DISCOVERABLE);
1897 } else {
1898 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1899 discov_changed = hci_dev_test_and_clear_flag(hdev,
1900 HCI_DISCOVERABLE);
1901 }
1902
1903 if (!hci_dev_test_flag(hdev, HCI_MGMT))
1904 return;
1905
1906 if (conn_changed || discov_changed) {
1907 /* In case this was disabled through mgmt */
1908 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
1909
1910 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1911 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1912
1913 mgmt_new_settings(hdev);
1914 }
1915}
1916
1917int hci_dev_cmd(unsigned int cmd, void __user *arg)
1918{
1919 struct hci_dev *hdev;
1920 struct hci_dev_req dr;
1921 int err = 0;
1922
1923 if (copy_from_user(&dr, arg, sizeof(dr)))
1924 return -EFAULT;
1925
1926 hdev = hci_dev_get(dr.dev_id);
1927 if (!hdev)
1928 return -ENODEV;
1929
1930 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1931 err = -EBUSY;
1932 goto done;
1933 }
1934
1935 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1936 err = -EOPNOTSUPP;
1937 goto done;
1938 }
1939
1940 if (hdev->dev_type != HCI_PRIMARY) {
1941 err = -EOPNOTSUPP;
1942 goto done;
1943 }
1944
1945 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1946 err = -EOPNOTSUPP;
1947 goto done;
1948 }
1949
1950 switch (cmd) {
1951 case HCISETAUTH:
1952 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1953 HCI_INIT_TIMEOUT, NULL);
1954 break;
1955
1956 case HCISETENCRYPT:
1957 if (!lmp_encrypt_capable(hdev)) {
1958 err = -EOPNOTSUPP;
1959 break;
1960 }
1961
1962 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1963 /* Auth must be enabled first */
1964 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1965 HCI_INIT_TIMEOUT, NULL);
1966 if (err)
1967 break;
1968 }
1969
1970 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1971 HCI_INIT_TIMEOUT, NULL);
1972 break;
1973
1974 case HCISETSCAN:
1975 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1976 HCI_INIT_TIMEOUT, NULL);
1977
1978 /* Ensure that the connectable and discoverable states
1979 * get correctly modified as this was a non-mgmt change.
1980 */
1981 if (!err)
1982 hci_update_scan_state(hdev, dr.dev_opt);
1983 break;
1984
1985 case HCISETLINKPOL:
1986 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1987 HCI_INIT_TIMEOUT, NULL);
1988 break;
1989
1990 case HCISETLINKMODE:
1991 hdev->link_mode = ((__u16) dr.dev_opt) &
1992 (HCI_LM_MASTER | HCI_LM_ACCEPT);
1993 break;
1994
1995 case HCISETPTYPE:
1996 if (hdev->pkt_type == (__u16) dr.dev_opt)
1997 break;
1998
1999 hdev->pkt_type = (__u16) dr.dev_opt;
2000 mgmt_phy_configuration_changed(hdev, NULL);
2001 break;
2002
2003 case HCISETACLMTU:
2004 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
2005 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
2006 break;
2007
2008 case HCISETSCOMTU:
2009 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
2010 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
2011 break;
2012
2013 default:
2014 err = -EINVAL;
2015 break;
2016 }
2017
2018done:
2019 hci_dev_put(hdev);
2020 return err;
2021}
2022
2023int hci_get_dev_list(void __user *arg)
2024{
2025 struct hci_dev *hdev;
2026 struct hci_dev_list_req *dl;
2027 struct hci_dev_req *dr;
2028 int n = 0, size, err;
2029 __u16 dev_num;
2030
2031 if (get_user(dev_num, (__u16 __user *) arg))
2032 return -EFAULT;
2033
2034 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
2035 return -EINVAL;
2036
2037 size = sizeof(*dl) + dev_num * sizeof(*dr);
2038
2039 dl = kzalloc(size, GFP_KERNEL);
2040 if (!dl)
2041 return -ENOMEM;
2042
2043 dr = dl->dev_req;
2044
2045 read_lock(&hci_dev_list_lock);
2046 list_for_each_entry(hdev, &hci_dev_list, list) {
2047 unsigned long flags = hdev->flags;
2048
2049 /* When the auto-off is configured it means the transport
2050 * is running, but in that case still indicate that the
2051 * device is actually down.
2052 */
2053 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
2054 flags &= ~BIT(HCI_UP);
2055
2056 (dr + n)->dev_id = hdev->id;
2057 (dr + n)->dev_opt = flags;
2058
2059 if (++n >= dev_num)
2060 break;
2061 }
2062 read_unlock(&hci_dev_list_lock);
2063
2064 dl->dev_num = n;
2065 size = sizeof(*dl) + n * sizeof(*dr);
2066
2067 err = copy_to_user(arg, dl, size);
2068 kfree(dl);
2069
2070 return err ? -EFAULT : 0;
2071}
2072
2073int hci_get_dev_info(void __user *arg)
2074{
2075 struct hci_dev *hdev;
2076 struct hci_dev_info di;
2077 unsigned long flags;
2078 int err = 0;
2079
2080 if (copy_from_user(&di, arg, sizeof(di)))
2081 return -EFAULT;
2082
2083 hdev = hci_dev_get(di.dev_id);
2084 if (!hdev)
2085 return -ENODEV;
2086
2087 /* When the auto-off is configured it means the transport
2088 * is running, but in that case still indicate that the
2089 * device is actually down.
2090 */
2091 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
2092 flags = hdev->flags & ~BIT(HCI_UP);
2093 else
2094 flags = hdev->flags;
2095
2096 strcpy(di.name, hdev->name);
2097 di.bdaddr = hdev->bdaddr;
2098 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
2099 di.flags = flags;
2100 di.pkt_type = hdev->pkt_type;
2101 if (lmp_bredr_capable(hdev)) {
2102 di.acl_mtu = hdev->acl_mtu;
2103 di.acl_pkts = hdev->acl_pkts;
2104 di.sco_mtu = hdev->sco_mtu;
2105 di.sco_pkts = hdev->sco_pkts;
2106 } else {
2107 di.acl_mtu = hdev->le_mtu;
2108 di.acl_pkts = hdev->le_pkts;
2109 di.sco_mtu = 0;
2110 di.sco_pkts = 0;
2111 }
2112 di.link_policy = hdev->link_policy;
2113 di.link_mode = hdev->link_mode;
2114
2115 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
2116 memcpy(&di.features, &hdev->features, sizeof(di.features));
2117
2118 if (copy_to_user(arg, &di, sizeof(di)))
2119 err = -EFAULT;
2120
2121 hci_dev_put(hdev);
2122
2123 return err;
2124}
2125
2126/* ---- Interface to HCI drivers ---- */
2127
2128static int hci_rfkill_set_block(void *data, bool blocked)
2129{
2130 struct hci_dev *hdev = data;
2131
2132 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
2133
2134 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
2135 return -EBUSY;
2136
2137 if (blocked) {
2138 hci_dev_set_flag(hdev, HCI_RFKILLED);
2139 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
2140 !hci_dev_test_flag(hdev, HCI_CONFIG))
2141 hci_dev_do_close(hdev);
2142 } else {
2143 hci_dev_clear_flag(hdev, HCI_RFKILLED);
2144 }
2145
2146 return 0;
2147}
2148
2149static const struct rfkill_ops hci_rfkill_ops = {
2150 .set_block = hci_rfkill_set_block,
2151};
2152
2153static void hci_power_on(struct work_struct *work)
2154{
2155 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2156 int err;
2157
2158 BT_DBG("%s", hdev->name);
2159
2160 if (test_bit(HCI_UP, &hdev->flags) &&
2161 hci_dev_test_flag(hdev, HCI_MGMT) &&
2162 hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
2163 cancel_delayed_work(&hdev->power_off);
2164 hci_req_sync_lock(hdev);
2165 err = __hci_req_hci_power_on(hdev);
2166 hci_req_sync_unlock(hdev);
2167 mgmt_power_on(hdev, err);
2168 return;
2169 }
2170
2171 err = hci_dev_do_open(hdev);
2172 if (err < 0) {
2173 hci_dev_lock(hdev);
2174 mgmt_set_powered_failed(hdev, err);
2175 hci_dev_unlock(hdev);
2176 return;
2177 }
2178
2179 /* During the HCI setup phase, a few error conditions are
2180 * ignored and they need to be checked now. If they are still
2181 * valid, it is important to turn the device back off.
2182 */
2183 if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
2184 hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
2185 (hdev->dev_type == HCI_PRIMARY &&
2186 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2187 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2188 hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
2189 hci_dev_do_close(hdev);
2190 } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
2191 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2192 HCI_AUTO_OFF_TIMEOUT);
2193 }
2194
2195 if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
2196 /* For unconfigured devices, set the HCI_RAW flag
2197 * so that userspace can easily identify them.
2198 */
2199 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2200 set_bit(HCI_RAW, &hdev->flags);
2201
2202 /* For fully configured devices, this will send
2203 * the Index Added event. For unconfigured devices,
2204 * it will send Unconfigued Index Added event.
2205 *
2206 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2207 * and no event will be send.
2208 */
2209 mgmt_index_added(hdev);
2210 } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
2211 /* When the controller is now configured, then it
2212 * is important to clear the HCI_RAW flag.
2213 */
2214 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2215 clear_bit(HCI_RAW, &hdev->flags);
2216
2217 /* Powering on the controller with HCI_CONFIG set only
2218 * happens with the transition from unconfigured to
2219 * configured. This will send the Index Added event.
2220 */
2221 mgmt_index_added(hdev);
2222 }
2223}
2224
2225static void hci_power_off(struct work_struct *work)
2226{
2227 struct hci_dev *hdev = container_of(work, struct hci_dev,
2228 power_off.work);
2229
2230 BT_DBG("%s", hdev->name);
2231
2232 hci_dev_do_close(hdev);
2233}
2234
2235static void hci_error_reset(struct work_struct *work)
2236{
2237 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2238
2239 BT_DBG("%s", hdev->name);
2240
2241 if (hdev->hw_error)
2242 hdev->hw_error(hdev, hdev->hw_error_code);
2243 else
2244 bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code);
2245
2246 if (hci_dev_do_close(hdev))
2247 return;
2248
2249 hci_dev_do_open(hdev);
2250}
2251
2252void hci_uuids_clear(struct hci_dev *hdev)
2253{
2254 struct bt_uuid *uuid, *tmp;
2255
2256 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2257 list_del(&uuid->list);
2258 kfree(uuid);
2259 }
2260}
2261
2262void hci_link_keys_clear(struct hci_dev *hdev)
2263{
2264 struct link_key *key;
2265
2266 list_for_each_entry_rcu(key, &hdev->link_keys, list) {
2267 list_del_rcu(&key->list);
2268 kfree_rcu(key, rcu);
2269 }
2270}
2271
2272void hci_smp_ltks_clear(struct hci_dev *hdev)
2273{
2274 struct smp_ltk *k;
2275
2276 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2277 list_del_rcu(&k->list);
2278 kfree_rcu(k, rcu);
2279 }
2280}
2281
2282void hci_smp_irks_clear(struct hci_dev *hdev)
2283{
2284 struct smp_irk *k;
2285
2286 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2287 list_del_rcu(&k->list);
2288 kfree_rcu(k, rcu);
2289 }
2290}
2291
2292struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2293{
2294 struct link_key *k;
2295
2296 rcu_read_lock();
2297 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2298 if (bacmp(bdaddr, &k->bdaddr) == 0) {
2299 rcu_read_unlock();
2300 return k;
2301 }
2302 }
2303 rcu_read_unlock();
2304
2305 return NULL;
2306}
2307
2308static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2309 u8 key_type, u8 old_key_type)
2310{
2311 /* Legacy key */
2312 if (key_type < 0x03)
2313 return true;
2314
2315 /* Debug keys are insecure so don't store them persistently */
2316 if (key_type == HCI_LK_DEBUG_COMBINATION)
2317 return false;
2318
2319 /* Changed combination key and there's no previous one */
2320 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2321 return false;
2322
2323 /* Security mode 3 case */
2324 if (!conn)
2325 return true;
2326
2327 /* BR/EDR key derived using SC from an LE link */
2328 if (conn->type == LE_LINK)
2329 return true;
2330
2331 /* Neither local nor remote side had no-bonding as requirement */
2332 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2333 return true;
2334
2335 /* Local side had dedicated bonding as requirement */
2336 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2337 return true;
2338
2339 /* Remote side had dedicated bonding as requirement */
2340 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2341 return true;
2342
2343 /* If none of the above criteria match, then don't store the key
2344 * persistently */
2345 return false;
2346}
2347
2348static u8 ltk_role(u8 type)
2349{
2350 if (type == SMP_LTK)
2351 return HCI_ROLE_MASTER;
2352
2353 return HCI_ROLE_SLAVE;
2354}
2355
2356struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2357 u8 addr_type, u8 role)
2358{
2359 struct smp_ltk *k;
2360
2361 rcu_read_lock();
2362 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2363 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2364 continue;
2365
2366 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2367 rcu_read_unlock();
2368 return k;
2369 }
2370 }
2371 rcu_read_unlock();
2372
2373 return NULL;
2374}
2375
2376struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2377{
2378 struct smp_irk *irk;
2379
2380 rcu_read_lock();
2381 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2382 if (!bacmp(&irk->rpa, rpa)) {
2383 rcu_read_unlock();
2384 return irk;
2385 }
2386 }
2387
2388 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2389 if (smp_irk_matches(hdev, irk->val, rpa)) {
2390 bacpy(&irk->rpa, rpa);
2391 rcu_read_unlock();
2392 return irk;
2393 }
2394 }
2395 rcu_read_unlock();
2396
2397 return NULL;
2398}
2399
2400struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2401 u8 addr_type)
2402{
2403 struct smp_irk *irk;
2404
2405 /* Identity Address must be public or static random */
2406 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2407 return NULL;
2408
2409 rcu_read_lock();
2410 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2411 if (addr_type == irk->addr_type &&
2412 bacmp(bdaddr, &irk->bdaddr) == 0) {
2413 rcu_read_unlock();
2414 return irk;
2415 }
2416 }
2417 rcu_read_unlock();
2418
2419 return NULL;
2420}
2421
2422struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2423 bdaddr_t *bdaddr, u8 *val, u8 type,
2424 u8 pin_len, bool *persistent)
2425{
2426 struct link_key *key, *old_key;
2427 u8 old_key_type;
2428
2429 old_key = hci_find_link_key(hdev, bdaddr);
2430 if (old_key) {
2431 old_key_type = old_key->type;
2432 key = old_key;
2433 } else {
2434 old_key_type = conn ? conn->key_type : 0xff;
2435 key = kzalloc(sizeof(*key), GFP_KERNEL);
2436 if (!key)
2437 return NULL;
2438 list_add_rcu(&key->list, &hdev->link_keys);
2439 }
2440
2441 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2442
2443 /* Some buggy controller combinations generate a changed
2444 * combination key for legacy pairing even when there's no
2445 * previous key */
2446 if (type == HCI_LK_CHANGED_COMBINATION &&
2447 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2448 type = HCI_LK_COMBINATION;
2449 if (conn)
2450 conn->key_type = type;
2451 }
2452
2453 bacpy(&key->bdaddr, bdaddr);
2454 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2455 key->pin_len = pin_len;
2456
2457 if (type == HCI_LK_CHANGED_COMBINATION)
2458 key->type = old_key_type;
2459 else
2460 key->type = type;
2461
2462 if (persistent)
2463 *persistent = hci_persistent_key(hdev, conn, type,
2464 old_key_type);
2465
2466 return key;
2467}
2468
2469struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2470 u8 addr_type, u8 type, u8 authenticated,
2471 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2472{
2473 struct smp_ltk *key, *old_key;
2474 u8 role = ltk_role(type);
2475
2476 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2477 if (old_key)
2478 key = old_key;
2479 else {
2480 key = kzalloc(sizeof(*key), GFP_KERNEL);
2481 if (!key)
2482 return NULL;
2483 list_add_rcu(&key->list, &hdev->long_term_keys);
2484 }
2485
2486 bacpy(&key->bdaddr, bdaddr);
2487 key->bdaddr_type = addr_type;
2488 memcpy(key->val, tk, sizeof(key->val));
2489 key->authenticated = authenticated;
2490 key->ediv = ediv;
2491 key->rand = rand;
2492 key->enc_size = enc_size;
2493 key->type = type;
2494
2495 return key;
2496}
2497
2498struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2499 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2500{
2501 struct smp_irk *irk;
2502
2503 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2504 if (!irk) {
2505 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2506 if (!irk)
2507 return NULL;
2508
2509 bacpy(&irk->bdaddr, bdaddr);
2510 irk->addr_type = addr_type;
2511
2512 list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2513 }
2514
2515 memcpy(irk->val, val, 16);
2516 bacpy(&irk->rpa, rpa);
2517
2518 return irk;
2519}
2520
2521int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2522{
2523 struct link_key *key;
2524
2525 key = hci_find_link_key(hdev, bdaddr);
2526 if (!key)
2527 return -ENOENT;
2528
2529 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2530
2531 list_del_rcu(&key->list);
2532 kfree_rcu(key, rcu);
2533
2534 return 0;
2535}
2536
2537int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2538{
2539 struct smp_ltk *k;
2540 int removed = 0;
2541
2542 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2543 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2544 continue;
2545
2546 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2547
2548 list_del_rcu(&k->list);
2549 kfree_rcu(k, rcu);
2550 removed++;
2551 }
2552
2553 return removed ? 0 : -ENOENT;
2554}
2555
2556void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2557{
2558 struct smp_irk *k;
2559
2560 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2561 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2562 continue;
2563
2564 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2565
2566 list_del_rcu(&k->list);
2567 kfree_rcu(k, rcu);
2568 }
2569}
2570
2571bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2572{
2573 struct smp_ltk *k;
2574 struct smp_irk *irk;
2575 u8 addr_type;
2576
2577 if (type == BDADDR_BREDR) {
2578 if (hci_find_link_key(hdev, bdaddr))
2579 return true;
2580 return false;
2581 }
2582
2583 /* Convert to HCI addr type which struct smp_ltk uses */
2584 if (type == BDADDR_LE_PUBLIC)
2585 addr_type = ADDR_LE_DEV_PUBLIC;
2586 else
2587 addr_type = ADDR_LE_DEV_RANDOM;
2588
2589 irk = hci_get_irk(hdev, bdaddr, addr_type);
2590 if (irk) {
2591 bdaddr = &irk->bdaddr;
2592 addr_type = irk->addr_type;
2593 }
2594
2595 rcu_read_lock();
2596 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2597 if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
2598 rcu_read_unlock();
2599 return true;
2600 }
2601 }
2602 rcu_read_unlock();
2603
2604 return false;
2605}
2606
2607/* HCI command timer function */
2608static void hci_cmd_timeout(struct work_struct *work)
2609{
2610 struct hci_dev *hdev = container_of(work, struct hci_dev,
2611 cmd_timer.work);
2612
2613 if (hdev->sent_cmd) {
2614 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2615 u16 opcode = __le16_to_cpu(sent->opcode);
2616
2617 bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
2618 } else {
2619 bt_dev_err(hdev, "command tx timeout");
2620 }
2621
2622 if (hdev->cmd_timeout)
2623 hdev->cmd_timeout(hdev);
2624
2625 atomic_set(&hdev->cmd_cnt, 1);
2626 queue_work(hdev->workqueue, &hdev->cmd_work);
2627}
2628
2629struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2630 bdaddr_t *bdaddr, u8 bdaddr_type)
2631{
2632 struct oob_data *data;
2633
2634 list_for_each_entry(data, &hdev->remote_oob_data, list) {
2635 if (bacmp(bdaddr, &data->bdaddr) != 0)
2636 continue;
2637 if (data->bdaddr_type != bdaddr_type)
2638 continue;
2639 return data;
2640 }
2641
2642 return NULL;
2643}
2644
2645int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2646 u8 bdaddr_type)
2647{
2648 struct oob_data *data;
2649
2650 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2651 if (!data)
2652 return -ENOENT;
2653
2654 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2655
2656 list_del(&data->list);
2657 kfree(data);
2658
2659 return 0;
2660}
2661
2662void hci_remote_oob_data_clear(struct hci_dev *hdev)
2663{
2664 struct oob_data *data, *n;
2665
2666 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2667 list_del(&data->list);
2668 kfree(data);
2669 }
2670}
2671
2672int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2673 u8 bdaddr_type, u8 *hash192, u8 *rand192,
2674 u8 *hash256, u8 *rand256)
2675{
2676 struct oob_data *data;
2677
2678 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2679 if (!data) {
2680 data = kmalloc(sizeof(*data), GFP_KERNEL);
2681 if (!data)
2682 return -ENOMEM;
2683
2684 bacpy(&data->bdaddr, bdaddr);
2685 data->bdaddr_type = bdaddr_type;
2686 list_add(&data->list, &hdev->remote_oob_data);
2687 }
2688
2689 if (hash192 && rand192) {
2690 memcpy(data->hash192, hash192, sizeof(data->hash192));
2691 memcpy(data->rand192, rand192, sizeof(data->rand192));
2692 if (hash256 && rand256)
2693 data->present = 0x03;
2694 } else {
2695 memset(data->hash192, 0, sizeof(data->hash192));
2696 memset(data->rand192, 0, sizeof(data->rand192));
2697 if (hash256 && rand256)
2698 data->present = 0x02;
2699 else
2700 data->present = 0x00;
2701 }
2702
2703 if (hash256 && rand256) {
2704 memcpy(data->hash256, hash256, sizeof(data->hash256));
2705 memcpy(data->rand256, rand256, sizeof(data->rand256));
2706 } else {
2707 memset(data->hash256, 0, sizeof(data->hash256));
2708 memset(data->rand256, 0, sizeof(data->rand256));
2709 if (hash192 && rand192)
2710 data->present = 0x01;
2711 }
2712
2713 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2714
2715 return 0;
2716}
2717
2718/* This function requires the caller holds hdev->lock */
2719struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
2720{
2721 struct adv_info *adv_instance;
2722
2723 list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
2724 if (adv_instance->instance == instance)
2725 return adv_instance;
2726 }
2727
2728 return NULL;
2729}
2730
2731/* This function requires the caller holds hdev->lock */
2732struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
2733{
2734 struct adv_info *cur_instance;
2735
2736 cur_instance = hci_find_adv_instance(hdev, instance);
2737 if (!cur_instance)
2738 return NULL;
2739
2740 if (cur_instance == list_last_entry(&hdev->adv_instances,
2741 struct adv_info, list))
2742 return list_first_entry(&hdev->adv_instances,
2743 struct adv_info, list);
2744 else
2745 return list_next_entry(cur_instance, list);
2746}
2747
2748/* This function requires the caller holds hdev->lock */
2749int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
2750{
2751 struct adv_info *adv_instance;
2752
2753 adv_instance = hci_find_adv_instance(hdev, instance);
2754 if (!adv_instance)
2755 return -ENOENT;
2756
2757 BT_DBG("%s removing %dMR", hdev->name, instance);
2758
2759 if (hdev->cur_adv_instance == instance) {
2760 if (hdev->adv_instance_timeout) {
2761 cancel_delayed_work(&hdev->adv_instance_expire);
2762 hdev->adv_instance_timeout = 0;
2763 }
2764 hdev->cur_adv_instance = 0x00;
2765 }
2766
2767 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
2768
2769 list_del(&adv_instance->list);
2770 kfree(adv_instance);
2771
2772 hdev->adv_instance_cnt--;
2773
2774 return 0;
2775}
2776
2777void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired)
2778{
2779 struct adv_info *adv_instance, *n;
2780
2781 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list)
2782 adv_instance->rpa_expired = rpa_expired;
2783}
2784
2785/* This function requires the caller holds hdev->lock */
2786void hci_adv_instances_clear(struct hci_dev *hdev)
2787{
2788 struct adv_info *adv_instance, *n;
2789
2790 if (hdev->adv_instance_timeout) {
2791 cancel_delayed_work(&hdev->adv_instance_expire);
2792 hdev->adv_instance_timeout = 0;
2793 }
2794
2795 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
2796 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
2797 list_del(&adv_instance->list);
2798 kfree(adv_instance);
2799 }
2800
2801 hdev->adv_instance_cnt = 0;
2802 hdev->cur_adv_instance = 0x00;
2803}
2804
2805static void adv_instance_rpa_expired(struct work_struct *work)
2806{
2807 struct adv_info *adv_instance = container_of(work, struct adv_info,
2808 rpa_expired_cb.work);
2809
2810 BT_DBG("");
2811
2812 adv_instance->rpa_expired = true;
2813}
2814
2815/* This function requires the caller holds hdev->lock */
2816int hci_add_adv_instance(struct hci_dev *hdev, u8 instance, u32 flags,
2817 u16 adv_data_len, u8 *adv_data,
2818 u16 scan_rsp_len, u8 *scan_rsp_data,
2819 u16 timeout, u16 duration)
2820{
2821 struct adv_info *adv_instance;
2822
2823 adv_instance = hci_find_adv_instance(hdev, instance);
2824 if (adv_instance) {
2825 memset(adv_instance->adv_data, 0,
2826 sizeof(adv_instance->adv_data));
2827 memset(adv_instance->scan_rsp_data, 0,
2828 sizeof(adv_instance->scan_rsp_data));
2829 } else {
2830 if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets ||
2831 instance < 1 || instance > HCI_MAX_ADV_INSTANCES)
2832 return -EOVERFLOW;
2833
2834 adv_instance = kzalloc(sizeof(*adv_instance), GFP_KERNEL);
2835 if (!adv_instance)
2836 return -ENOMEM;
2837
2838 adv_instance->pending = true;
2839 adv_instance->instance = instance;
2840 list_add(&adv_instance->list, &hdev->adv_instances);
2841 hdev->adv_instance_cnt++;
2842 }
2843
2844 adv_instance->flags = flags;
2845 adv_instance->adv_data_len = adv_data_len;
2846 adv_instance->scan_rsp_len = scan_rsp_len;
2847
2848 if (adv_data_len)
2849 memcpy(adv_instance->adv_data, adv_data, adv_data_len);
2850
2851 if (scan_rsp_len)
2852 memcpy(adv_instance->scan_rsp_data,
2853 scan_rsp_data, scan_rsp_len);
2854
2855 adv_instance->timeout = timeout;
2856 adv_instance->remaining_time = timeout;
2857
2858 if (duration == 0)
2859 adv_instance->duration = HCI_DEFAULT_ADV_DURATION;
2860 else
2861 adv_instance->duration = duration;
2862
2863 adv_instance->tx_power = HCI_TX_POWER_INVALID;
2864
2865 INIT_DELAYED_WORK(&adv_instance->rpa_expired_cb,
2866 adv_instance_rpa_expired);
2867
2868 BT_DBG("%s for %dMR", hdev->name, instance);
2869
2870 return 0;
2871}
2872
2873struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2874 bdaddr_t *bdaddr, u8 type)
2875{
2876 struct bdaddr_list *b;
2877
2878 list_for_each_entry(b, bdaddr_list, list) {
2879 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2880 return b;
2881 }
2882
2883 return NULL;
2884}
2885
2886struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk(
2887 struct list_head *bdaddr_list, bdaddr_t *bdaddr,
2888 u8 type)
2889{
2890 struct bdaddr_list_with_irk *b;
2891
2892 list_for_each_entry(b, bdaddr_list, list) {
2893 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2894 return b;
2895 }
2896
2897 return NULL;
2898}
2899
2900void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2901{
2902 struct bdaddr_list *b, *n;
2903
2904 list_for_each_entry_safe(b, n, bdaddr_list, list) {
2905 list_del(&b->list);
2906 kfree(b);
2907 }
2908}
2909
2910int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2911{
2912 struct bdaddr_list *entry;
2913
2914 if (!bacmp(bdaddr, BDADDR_ANY))
2915 return -EBADF;
2916
2917 if (hci_bdaddr_list_lookup(list, bdaddr, type))
2918 return -EEXIST;
2919
2920 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2921 if (!entry)
2922 return -ENOMEM;
2923
2924 bacpy(&entry->bdaddr, bdaddr);
2925 entry->bdaddr_type = type;
2926
2927 list_add(&entry->list, list);
2928
2929 return 0;
2930}
2931
2932int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2933 u8 type, u8 *peer_irk, u8 *local_irk)
2934{
2935 struct bdaddr_list_with_irk *entry;
2936
2937 if (!bacmp(bdaddr, BDADDR_ANY))
2938 return -EBADF;
2939
2940 if (hci_bdaddr_list_lookup(list, bdaddr, type))
2941 return -EEXIST;
2942
2943 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2944 if (!entry)
2945 return -ENOMEM;
2946
2947 bacpy(&entry->bdaddr, bdaddr);
2948 entry->bdaddr_type = type;
2949
2950 if (peer_irk)
2951 memcpy(entry->peer_irk, peer_irk, 16);
2952
2953 if (local_irk)
2954 memcpy(entry->local_irk, local_irk, 16);
2955
2956 list_add(&entry->list, list);
2957
2958 return 0;
2959}
2960
2961int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2962{
2963 struct bdaddr_list *entry;
2964
2965 if (!bacmp(bdaddr, BDADDR_ANY)) {
2966 hci_bdaddr_list_clear(list);
2967 return 0;
2968 }
2969
2970 entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2971 if (!entry)
2972 return -ENOENT;
2973
2974 list_del(&entry->list);
2975 kfree(entry);
2976
2977 return 0;
2978}
2979
2980int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2981 u8 type)
2982{
2983 struct bdaddr_list_with_irk *entry;
2984
2985 if (!bacmp(bdaddr, BDADDR_ANY)) {
2986 hci_bdaddr_list_clear(list);
2987 return 0;
2988 }
2989
2990 entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type);
2991 if (!entry)
2992 return -ENOENT;
2993
2994 list_del(&entry->list);
2995 kfree(entry);
2996
2997 return 0;
2998}
2999
3000/* This function requires the caller holds hdev->lock */
3001struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
3002 bdaddr_t *addr, u8 addr_type)
3003{
3004 struct hci_conn_params *params;
3005
3006 list_for_each_entry(params, &hdev->le_conn_params, list) {
3007 if (bacmp(¶ms->addr, addr) == 0 &&
3008 params->addr_type == addr_type) {
3009 return params;
3010 }
3011 }
3012
3013 return NULL;
3014}
3015
3016/* This function requires the caller holds hdev->lock */
3017struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
3018 bdaddr_t *addr, u8 addr_type)
3019{
3020 struct hci_conn_params *param;
3021
3022 list_for_each_entry(param, list, action) {
3023 if (bacmp(¶m->addr, addr) == 0 &&
3024 param->addr_type == addr_type)
3025 return param;
3026 }
3027
3028 return NULL;
3029}
3030
3031/* This function requires the caller holds hdev->lock */
3032struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
3033 bdaddr_t *addr, u8 addr_type)
3034{
3035 struct hci_conn_params *params;
3036
3037 params = hci_conn_params_lookup(hdev, addr, addr_type);
3038 if (params)
3039 return params;
3040
3041 params = kzalloc(sizeof(*params), GFP_KERNEL);
3042 if (!params) {
3043 bt_dev_err(hdev, "out of memory");
3044 return NULL;
3045 }
3046
3047 bacpy(¶ms->addr, addr);
3048 params->addr_type = addr_type;
3049
3050 list_add(¶ms->list, &hdev->le_conn_params);
3051 INIT_LIST_HEAD(¶ms->action);
3052
3053 params->conn_min_interval = hdev->le_conn_min_interval;
3054 params->conn_max_interval = hdev->le_conn_max_interval;
3055 params->conn_latency = hdev->le_conn_latency;
3056 params->supervision_timeout = hdev->le_supv_timeout;
3057 params->auto_connect = HCI_AUTO_CONN_DISABLED;
3058
3059 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3060
3061 return params;
3062}
3063
3064static void hci_conn_params_free(struct hci_conn_params *params)
3065{
3066 if (params->conn) {
3067 hci_conn_drop(params->conn);
3068 hci_conn_put(params->conn);
3069 }
3070
3071 list_del(¶ms->action);
3072 list_del(¶ms->list);
3073 kfree(params);
3074}
3075
3076/* This function requires the caller holds hdev->lock */
3077void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3078{
3079 struct hci_conn_params *params;
3080
3081 params = hci_conn_params_lookup(hdev, addr, addr_type);
3082 if (!params)
3083 return;
3084
3085 hci_conn_params_free(params);
3086
3087 hci_update_background_scan(hdev);
3088
3089 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3090}
3091
3092/* This function requires the caller holds hdev->lock */
3093void hci_conn_params_clear_disabled(struct hci_dev *hdev)
3094{
3095 struct hci_conn_params *params, *tmp;
3096
3097 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
3098 if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
3099 continue;
3100
3101 /* If trying to estabilish one time connection to disabled
3102 * device, leave the params, but mark them as just once.
3103 */
3104 if (params->explicit_connect) {
3105 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
3106 continue;
3107 }
3108
3109 list_del(¶ms->list);
3110 kfree(params);
3111 }
3112
3113 BT_DBG("All LE disabled connection parameters were removed");
3114}
3115
3116/* This function requires the caller holds hdev->lock */
3117static void hci_conn_params_clear_all(struct hci_dev *hdev)
3118{
3119 struct hci_conn_params *params, *tmp;
3120
3121 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
3122 hci_conn_params_free(params);
3123
3124 BT_DBG("All LE connection parameters were removed");
3125}
3126
3127/* Copy the Identity Address of the controller.
3128 *
3129 * If the controller has a public BD_ADDR, then by default use that one.
3130 * If this is a LE only controller without a public address, default to
3131 * the static random address.
3132 *
3133 * For debugging purposes it is possible to force controllers with a
3134 * public address to use the static random address instead.
3135 *
3136 * In case BR/EDR has been disabled on a dual-mode controller and
3137 * userspace has configured a static address, then that address
3138 * becomes the identity address instead of the public BR/EDR address.
3139 */
3140void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
3141 u8 *bdaddr_type)
3142{
3143 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
3144 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
3145 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
3146 bacmp(&hdev->static_addr, BDADDR_ANY))) {
3147 bacpy(bdaddr, &hdev->static_addr);
3148 *bdaddr_type = ADDR_LE_DEV_RANDOM;
3149 } else {
3150 bacpy(bdaddr, &hdev->bdaddr);
3151 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
3152 }
3153}
3154
3155/* Alloc HCI device */
3156struct hci_dev *hci_alloc_dev(void)
3157{
3158 struct hci_dev *hdev;
3159
3160 hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
3161 if (!hdev)
3162 return NULL;
3163
3164 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
3165 hdev->esco_type = (ESCO_HV1);
3166 hdev->link_mode = (HCI_LM_ACCEPT);
3167 hdev->num_iac = 0x01; /* One IAC support is mandatory */
3168 hdev->io_capability = 0x03; /* No Input No Output */
3169 hdev->manufacturer = 0xffff; /* Default to internal use */
3170 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
3171 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
3172 hdev->adv_instance_cnt = 0;
3173 hdev->cur_adv_instance = 0x00;
3174 hdev->adv_instance_timeout = 0;
3175
3176 hdev->sniff_max_interval = 800;
3177 hdev->sniff_min_interval = 80;
3178
3179 hdev->le_adv_channel_map = 0x07;
3180 hdev->le_adv_min_interval = 0x0800;
3181 hdev->le_adv_max_interval = 0x0800;
3182 hdev->le_scan_interval = 0x0060;
3183 hdev->le_scan_window = 0x0030;
3184 hdev->le_conn_min_interval = 0x0018;
3185 hdev->le_conn_max_interval = 0x0028;
3186 hdev->le_conn_latency = 0x0000;
3187 hdev->le_supv_timeout = 0x002a;
3188 hdev->le_def_tx_len = 0x001b;
3189 hdev->le_def_tx_time = 0x0148;
3190 hdev->le_max_tx_len = 0x001b;
3191 hdev->le_max_tx_time = 0x0148;
3192 hdev->le_max_rx_len = 0x001b;
3193 hdev->le_max_rx_time = 0x0148;
3194 hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
3195 hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
3196 hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
3197 hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
3198 hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES;
3199
3200 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3201 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
3202 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
3203 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
3204 hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
3205 hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE;
3206
3207 mutex_init(&hdev->lock);
3208 mutex_init(&hdev->req_lock);
3209
3210 INIT_LIST_HEAD(&hdev->mgmt_pending);
3211 INIT_LIST_HEAD(&hdev->blacklist);
3212 INIT_LIST_HEAD(&hdev->whitelist);
3213 INIT_LIST_HEAD(&hdev->uuids);
3214 INIT_LIST_HEAD(&hdev->link_keys);
3215 INIT_LIST_HEAD(&hdev->long_term_keys);
3216 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
3217 INIT_LIST_HEAD(&hdev->remote_oob_data);
3218 INIT_LIST_HEAD(&hdev->le_white_list);
3219 INIT_LIST_HEAD(&hdev->le_resolv_list);
3220 INIT_LIST_HEAD(&hdev->le_conn_params);
3221 INIT_LIST_HEAD(&hdev->pend_le_conns);
3222 INIT_LIST_HEAD(&hdev->pend_le_reports);
3223 INIT_LIST_HEAD(&hdev->conn_hash.list);
3224 INIT_LIST_HEAD(&hdev->adv_instances);
3225
3226 INIT_WORK(&hdev->rx_work, hci_rx_work);
3227 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
3228 INIT_WORK(&hdev->tx_work, hci_tx_work);
3229 INIT_WORK(&hdev->power_on, hci_power_on);
3230 INIT_WORK(&hdev->error_reset, hci_error_reset);
3231
3232 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
3233
3234 skb_queue_head_init(&hdev->rx_q);
3235 skb_queue_head_init(&hdev->cmd_q);
3236 skb_queue_head_init(&hdev->raw_q);
3237
3238 init_waitqueue_head(&hdev->req_wait_q);
3239
3240 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3241
3242 hci_request_setup(hdev);
3243
3244 hci_init_sysfs(hdev);
3245 discovery_init(hdev);
3246
3247 return hdev;
3248}
3249EXPORT_SYMBOL(hci_alloc_dev);
3250
3251/* Free HCI device */
3252void hci_free_dev(struct hci_dev *hdev)
3253{
3254 /* will free via device release */
3255 put_device(&hdev->dev);
3256}
3257EXPORT_SYMBOL(hci_free_dev);
3258
3259/* Register HCI device */
3260int hci_register_dev(struct hci_dev *hdev)
3261{
3262 int id, error;
3263
3264 if (!hdev->open || !hdev->close || !hdev->send)
3265 return -EINVAL;
3266
3267 /* Do not allow HCI_AMP devices to register at index 0,
3268 * so the index can be used as the AMP controller ID.
3269 */
3270 switch (hdev->dev_type) {
3271 case HCI_PRIMARY:
3272 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3273 break;
3274 case HCI_AMP:
3275 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3276 break;
3277 default:
3278 return -EINVAL;
3279 }
3280
3281 if (id < 0)
3282 return id;
3283
3284 sprintf(hdev->name, "hci%d", id);
3285 hdev->id = id;
3286
3287 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3288
3289 hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name);
3290 if (!hdev->workqueue) {
3291 error = -ENOMEM;
3292 goto err;
3293 }
3294
3295 hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI,
3296 hdev->name);
3297 if (!hdev->req_workqueue) {
3298 destroy_workqueue(hdev->workqueue);
3299 error = -ENOMEM;
3300 goto err;
3301 }
3302
3303 if (!IS_ERR_OR_NULL(bt_debugfs))
3304 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3305
3306 dev_set_name(&hdev->dev, "%s", hdev->name);
3307
3308 error = device_add(&hdev->dev);
3309 if (error < 0)
3310 goto err_wqueue;
3311
3312 hci_leds_init(hdev);
3313
3314 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3315 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3316 hdev);
3317 if (hdev->rfkill) {
3318 if (rfkill_register(hdev->rfkill) < 0) {
3319 rfkill_destroy(hdev->rfkill);
3320 hdev->rfkill = NULL;
3321 }
3322 }
3323
3324 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3325 hci_dev_set_flag(hdev, HCI_RFKILLED);
3326
3327 hci_dev_set_flag(hdev, HCI_SETUP);
3328 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
3329
3330 if (hdev->dev_type == HCI_PRIMARY) {
3331 /* Assume BR/EDR support until proven otherwise (such as
3332 * through reading supported features during init.
3333 */
3334 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
3335 }
3336
3337 write_lock(&hci_dev_list_lock);
3338 list_add(&hdev->list, &hci_dev_list);
3339 write_unlock(&hci_dev_list_lock);
3340
3341 /* Devices that are marked for raw-only usage are unconfigured
3342 * and should not be included in normal operation.
3343 */
3344 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3345 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
3346
3347 hci_sock_dev_event(hdev, HCI_DEV_REG);
3348 hci_dev_hold(hdev);
3349
3350 queue_work(hdev->req_workqueue, &hdev->power_on);
3351
3352 return id;
3353
3354err_wqueue:
3355 destroy_workqueue(hdev->workqueue);
3356 destroy_workqueue(hdev->req_workqueue);
3357err:
3358 ida_simple_remove(&hci_index_ida, hdev->id);
3359
3360 return error;
3361}
3362EXPORT_SYMBOL(hci_register_dev);
3363
3364/* Unregister HCI device */
3365void hci_unregister_dev(struct hci_dev *hdev)
3366{
3367 int id;
3368
3369 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3370
3371 hci_dev_set_flag(hdev, HCI_UNREGISTER);
3372
3373 id = hdev->id;
3374
3375 write_lock(&hci_dev_list_lock);
3376 list_del(&hdev->list);
3377 write_unlock(&hci_dev_list_lock);
3378
3379 cancel_work_sync(&hdev->power_on);
3380
3381 hci_dev_do_close(hdev);
3382
3383 if (!test_bit(HCI_INIT, &hdev->flags) &&
3384 !hci_dev_test_flag(hdev, HCI_SETUP) &&
3385 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
3386 hci_dev_lock(hdev);
3387 mgmt_index_removed(hdev);
3388 hci_dev_unlock(hdev);
3389 }
3390
3391 /* mgmt_index_removed should take care of emptying the
3392 * pending list */
3393 BUG_ON(!list_empty(&hdev->mgmt_pending));
3394
3395 hci_sock_dev_event(hdev, HCI_DEV_UNREG);
3396
3397 if (hdev->rfkill) {
3398 rfkill_unregister(hdev->rfkill);
3399 rfkill_destroy(hdev->rfkill);
3400 }
3401
3402 device_del(&hdev->dev);
3403
3404 debugfs_remove_recursive(hdev->debugfs);
3405 kfree_const(hdev->hw_info);
3406 kfree_const(hdev->fw_info);
3407
3408 destroy_workqueue(hdev->workqueue);
3409 destroy_workqueue(hdev->req_workqueue);
3410
3411 hci_dev_lock(hdev);
3412 hci_bdaddr_list_clear(&hdev->blacklist);
3413 hci_bdaddr_list_clear(&hdev->whitelist);
3414 hci_uuids_clear(hdev);
3415 hci_link_keys_clear(hdev);
3416 hci_smp_ltks_clear(hdev);
3417 hci_smp_irks_clear(hdev);
3418 hci_remote_oob_data_clear(hdev);
3419 hci_adv_instances_clear(hdev);
3420 hci_bdaddr_list_clear(&hdev->le_white_list);
3421 hci_bdaddr_list_clear(&hdev->le_resolv_list);
3422 hci_conn_params_clear_all(hdev);
3423 hci_discovery_filter_clear(hdev);
3424 hci_dev_unlock(hdev);
3425
3426 hci_dev_put(hdev);
3427
3428 ida_simple_remove(&hci_index_ida, id);
3429}
3430EXPORT_SYMBOL(hci_unregister_dev);
3431
3432/* Suspend HCI device */
3433int hci_suspend_dev(struct hci_dev *hdev)
3434{
3435 hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
3436 return 0;
3437}
3438EXPORT_SYMBOL(hci_suspend_dev);
3439
3440/* Resume HCI device */
3441int hci_resume_dev(struct hci_dev *hdev)
3442{
3443 hci_sock_dev_event(hdev, HCI_DEV_RESUME);
3444 return 0;
3445}
3446EXPORT_SYMBOL(hci_resume_dev);
3447
3448/* Reset HCI device */
3449int hci_reset_dev(struct hci_dev *hdev)
3450{
3451 static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
3452 struct sk_buff *skb;
3453
3454 skb = bt_skb_alloc(3, GFP_ATOMIC);
3455 if (!skb)
3456 return -ENOMEM;
3457
3458 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
3459 skb_put_data(skb, hw_err, 3);
3460
3461 /* Send Hardware Error to upper stack */
3462 return hci_recv_frame(hdev, skb);
3463}
3464EXPORT_SYMBOL(hci_reset_dev);
3465
3466/* Receive frame from HCI drivers */
3467int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3468{
3469 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3470 && !test_bit(HCI_INIT, &hdev->flags))) {
3471 kfree_skb(skb);
3472 return -ENXIO;
3473 }
3474
3475 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
3476 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
3477 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
3478 kfree_skb(skb);
3479 return -EINVAL;
3480 }
3481
3482 /* Incoming skb */
3483 bt_cb(skb)->incoming = 1;
3484
3485 /* Time stamp */
3486 __net_timestamp(skb);
3487
3488 skb_queue_tail(&hdev->rx_q, skb);
3489 queue_work(hdev->workqueue, &hdev->rx_work);
3490
3491 return 0;
3492}
3493EXPORT_SYMBOL(hci_recv_frame);
3494
3495/* Receive diagnostic message from HCI drivers */
3496int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
3497{
3498 /* Mark as diagnostic packet */
3499 hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
3500
3501 /* Time stamp */
3502 __net_timestamp(skb);
3503
3504 skb_queue_tail(&hdev->rx_q, skb);
3505 queue_work(hdev->workqueue, &hdev->rx_work);
3506
3507 return 0;
3508}
3509EXPORT_SYMBOL(hci_recv_diag);
3510
3511void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...)
3512{
3513 va_list vargs;
3514
3515 va_start(vargs, fmt);
3516 kfree_const(hdev->hw_info);
3517 hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
3518 va_end(vargs);
3519}
3520EXPORT_SYMBOL(hci_set_hw_info);
3521
3522void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...)
3523{
3524 va_list vargs;
3525
3526 va_start(vargs, fmt);
3527 kfree_const(hdev->fw_info);
3528 hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
3529 va_end(vargs);
3530}
3531EXPORT_SYMBOL(hci_set_fw_info);
3532
3533/* ---- Interface to upper protocols ---- */
3534
3535int hci_register_cb(struct hci_cb *cb)
3536{
3537 BT_DBG("%p name %s", cb, cb->name);
3538
3539 mutex_lock(&hci_cb_list_lock);
3540 list_add_tail(&cb->list, &hci_cb_list);
3541 mutex_unlock(&hci_cb_list_lock);
3542
3543 return 0;
3544}
3545EXPORT_SYMBOL(hci_register_cb);
3546
3547int hci_unregister_cb(struct hci_cb *cb)
3548{
3549 BT_DBG("%p name %s", cb, cb->name);
3550
3551 mutex_lock(&hci_cb_list_lock);
3552 list_del(&cb->list);
3553 mutex_unlock(&hci_cb_list_lock);
3554
3555 return 0;
3556}
3557EXPORT_SYMBOL(hci_unregister_cb);
3558
3559static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3560{
3561 int err;
3562
3563 BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3564 skb->len);
3565
3566 /* Time stamp */
3567 __net_timestamp(skb);
3568
3569 /* Send copy to monitor */
3570 hci_send_to_monitor(hdev, skb);
3571
3572 if (atomic_read(&hdev->promisc)) {
3573 /* Send copy to the sockets */
3574 hci_send_to_sock(hdev, skb);
3575 }
3576
3577 /* Get rid of skb owner, prior to sending to the driver. */
3578 skb_orphan(skb);
3579
3580 if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3581 kfree_skb(skb);
3582 return;
3583 }
3584
3585 err = hdev->send(hdev, skb);
3586 if (err < 0) {
3587 bt_dev_err(hdev, "sending frame failed (%d)", err);
3588 kfree_skb(skb);
3589 }
3590}
3591
3592/* Send HCI command */
3593int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3594 const void *param)
3595{
3596 struct sk_buff *skb;
3597
3598 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3599
3600 skb = hci_prepare_cmd(hdev, opcode, plen, param);
3601 if (!skb) {
3602 bt_dev_err(hdev, "no memory for command");
3603 return -ENOMEM;
3604 }
3605
3606 /* Stand-alone HCI commands must be flagged as
3607 * single-command requests.
3608 */
3609 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3610
3611 skb_queue_tail(&hdev->cmd_q, skb);
3612 queue_work(hdev->workqueue, &hdev->cmd_work);
3613
3614 return 0;
3615}
3616
3617int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen,
3618 const void *param)
3619{
3620 struct sk_buff *skb;
3621
3622 if (hci_opcode_ogf(opcode) != 0x3f) {
3623 /* A controller receiving a command shall respond with either
3624 * a Command Status Event or a Command Complete Event.
3625 * Therefore, all standard HCI commands must be sent via the
3626 * standard API, using hci_send_cmd or hci_cmd_sync helpers.
3627 * Some vendors do not comply with this rule for vendor-specific
3628 * commands and do not return any event. We want to support
3629 * unresponded commands for such cases only.
3630 */
3631 bt_dev_err(hdev, "unresponded command not supported");
3632 return -EINVAL;
3633 }
3634
3635 skb = hci_prepare_cmd(hdev, opcode, plen, param);
3636 if (!skb) {
3637 bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
3638 opcode);
3639 return -ENOMEM;
3640 }
3641
3642 hci_send_frame(hdev, skb);
3643
3644 return 0;
3645}
3646EXPORT_SYMBOL(__hci_cmd_send);
3647
3648/* Get data from the previously sent command */
3649void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3650{
3651 struct hci_command_hdr *hdr;
3652
3653 if (!hdev->sent_cmd)
3654 return NULL;
3655
3656 hdr = (void *) hdev->sent_cmd->data;
3657
3658 if (hdr->opcode != cpu_to_le16(opcode))
3659 return NULL;
3660
3661 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3662
3663 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3664}
3665
3666/* Send HCI command and wait for command commplete event */
3667struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
3668 const void *param, u32 timeout)
3669{
3670 struct sk_buff *skb;
3671
3672 if (!test_bit(HCI_UP, &hdev->flags))
3673 return ERR_PTR(-ENETDOWN);
3674
3675 bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
3676
3677 hci_req_sync_lock(hdev);
3678 skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
3679 hci_req_sync_unlock(hdev);
3680
3681 return skb;
3682}
3683EXPORT_SYMBOL(hci_cmd_sync);
3684
3685/* Send ACL data */
3686static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3687{
3688 struct hci_acl_hdr *hdr;
3689 int len = skb->len;
3690
3691 skb_push(skb, HCI_ACL_HDR_SIZE);
3692 skb_reset_transport_header(skb);
3693 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3694 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3695 hdr->dlen = cpu_to_le16(len);
3696}
3697
3698static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3699 struct sk_buff *skb, __u16 flags)
3700{
3701 struct hci_conn *conn = chan->conn;
3702 struct hci_dev *hdev = conn->hdev;
3703 struct sk_buff *list;
3704
3705 skb->len = skb_headlen(skb);
3706 skb->data_len = 0;
3707
3708 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3709
3710 switch (hdev->dev_type) {
3711 case HCI_PRIMARY:
3712 hci_add_acl_hdr(skb, conn->handle, flags);
3713 break;
3714 case HCI_AMP:
3715 hci_add_acl_hdr(skb, chan->handle, flags);
3716 break;
3717 default:
3718 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3719 return;
3720 }
3721
3722 list = skb_shinfo(skb)->frag_list;
3723 if (!list) {
3724 /* Non fragmented */
3725 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3726
3727 skb_queue_tail(queue, skb);
3728 } else {
3729 /* Fragmented */
3730 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3731
3732 skb_shinfo(skb)->frag_list = NULL;
3733
3734 /* Queue all fragments atomically. We need to use spin_lock_bh
3735 * here because of 6LoWPAN links, as there this function is
3736 * called from softirq and using normal spin lock could cause
3737 * deadlocks.
3738 */
3739 spin_lock_bh(&queue->lock);
3740
3741 __skb_queue_tail(queue, skb);
3742
3743 flags &= ~ACL_START;
3744 flags |= ACL_CONT;
3745 do {
3746 skb = list; list = list->next;
3747
3748 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3749 hci_add_acl_hdr(skb, conn->handle, flags);
3750
3751 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3752
3753 __skb_queue_tail(queue, skb);
3754 } while (list);
3755
3756 spin_unlock_bh(&queue->lock);
3757 }
3758}
3759
3760void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3761{
3762 struct hci_dev *hdev = chan->conn->hdev;
3763
3764 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3765
3766 hci_queue_acl(chan, &chan->data_q, skb, flags);
3767
3768 queue_work(hdev->workqueue, &hdev->tx_work);
3769}
3770
3771/* Send SCO data */
3772void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3773{
3774 struct hci_dev *hdev = conn->hdev;
3775 struct hci_sco_hdr hdr;
3776
3777 BT_DBG("%s len %d", hdev->name, skb->len);
3778
3779 hdr.handle = cpu_to_le16(conn->handle);
3780 hdr.dlen = skb->len;
3781
3782 skb_push(skb, HCI_SCO_HDR_SIZE);
3783 skb_reset_transport_header(skb);
3784 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3785
3786 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3787
3788 skb_queue_tail(&conn->data_q, skb);
3789 queue_work(hdev->workqueue, &hdev->tx_work);
3790}
3791
3792/* ---- HCI TX task (outgoing data) ---- */
3793
3794/* HCI Connection scheduler */
3795static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3796 int *quote)
3797{
3798 struct hci_conn_hash *h = &hdev->conn_hash;
3799 struct hci_conn *conn = NULL, *c;
3800 unsigned int num = 0, min = ~0;
3801
3802 /* We don't have to lock device here. Connections are always
3803 * added and removed with TX task disabled. */
3804
3805 rcu_read_lock();
3806
3807 list_for_each_entry_rcu(c, &h->list, list) {
3808 if (c->type != type || skb_queue_empty(&c->data_q))
3809 continue;
3810
3811 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3812 continue;
3813
3814 num++;
3815
3816 if (c->sent < min) {
3817 min = c->sent;
3818 conn = c;
3819 }
3820
3821 if (hci_conn_num(hdev, type) == num)
3822 break;
3823 }
3824
3825 rcu_read_unlock();
3826
3827 if (conn) {
3828 int cnt, q;
3829
3830 switch (conn->type) {
3831 case ACL_LINK:
3832 cnt = hdev->acl_cnt;
3833 break;
3834 case SCO_LINK:
3835 case ESCO_LINK:
3836 cnt = hdev->sco_cnt;
3837 break;
3838 case LE_LINK:
3839 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3840 break;
3841 default:
3842 cnt = 0;
3843 bt_dev_err(hdev, "unknown link type %d", conn->type);
3844 }
3845
3846 q = cnt / num;
3847 *quote = q ? q : 1;
3848 } else
3849 *quote = 0;
3850
3851 BT_DBG("conn %p quote %d", conn, *quote);
3852 return conn;
3853}
3854
3855static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3856{
3857 struct hci_conn_hash *h = &hdev->conn_hash;
3858 struct hci_conn *c;
3859
3860 bt_dev_err(hdev, "link tx timeout");
3861
3862 rcu_read_lock();
3863
3864 /* Kill stalled connections */
3865 list_for_each_entry_rcu(c, &h->list, list) {
3866 if (c->type == type && c->sent) {
3867 bt_dev_err(hdev, "killing stalled connection %pMR",
3868 &c->dst);
3869 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3870 }
3871 }
3872
3873 rcu_read_unlock();
3874}
3875
3876static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3877 int *quote)
3878{
3879 struct hci_conn_hash *h = &hdev->conn_hash;
3880 struct hci_chan *chan = NULL;
3881 unsigned int num = 0, min = ~0, cur_prio = 0;
3882 struct hci_conn *conn;
3883 int cnt, q, conn_num = 0;
3884
3885 BT_DBG("%s", hdev->name);
3886
3887 rcu_read_lock();
3888
3889 list_for_each_entry_rcu(conn, &h->list, list) {
3890 struct hci_chan *tmp;
3891
3892 if (conn->type != type)
3893 continue;
3894
3895 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3896 continue;
3897
3898 conn_num++;
3899
3900 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3901 struct sk_buff *skb;
3902
3903 if (skb_queue_empty(&tmp->data_q))
3904 continue;
3905
3906 skb = skb_peek(&tmp->data_q);
3907 if (skb->priority < cur_prio)
3908 continue;
3909
3910 if (skb->priority > cur_prio) {
3911 num = 0;
3912 min = ~0;
3913 cur_prio = skb->priority;
3914 }
3915
3916 num++;
3917
3918 if (conn->sent < min) {
3919 min = conn->sent;
3920 chan = tmp;
3921 }
3922 }
3923
3924 if (hci_conn_num(hdev, type) == conn_num)
3925 break;
3926 }
3927
3928 rcu_read_unlock();
3929
3930 if (!chan)
3931 return NULL;
3932
3933 switch (chan->conn->type) {
3934 case ACL_LINK:
3935 cnt = hdev->acl_cnt;
3936 break;
3937 case AMP_LINK:
3938 cnt = hdev->block_cnt;
3939 break;
3940 case SCO_LINK:
3941 case ESCO_LINK:
3942 cnt = hdev->sco_cnt;
3943 break;
3944 case LE_LINK:
3945 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3946 break;
3947 default:
3948 cnt = 0;
3949 bt_dev_err(hdev, "unknown link type %d", chan->conn->type);
3950 }
3951
3952 q = cnt / num;
3953 *quote = q ? q : 1;
3954 BT_DBG("chan %p quote %d", chan, *quote);
3955 return chan;
3956}
3957
3958static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3959{
3960 struct hci_conn_hash *h = &hdev->conn_hash;
3961 struct hci_conn *conn;
3962 int num = 0;
3963
3964 BT_DBG("%s", hdev->name);
3965
3966 rcu_read_lock();
3967
3968 list_for_each_entry_rcu(conn, &h->list, list) {
3969 struct hci_chan *chan;
3970
3971 if (conn->type != type)
3972 continue;
3973
3974 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3975 continue;
3976
3977 num++;
3978
3979 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3980 struct sk_buff *skb;
3981
3982 if (chan->sent) {
3983 chan->sent = 0;
3984 continue;
3985 }
3986
3987 if (skb_queue_empty(&chan->data_q))
3988 continue;
3989
3990 skb = skb_peek(&chan->data_q);
3991 if (skb->priority >= HCI_PRIO_MAX - 1)
3992 continue;
3993
3994 skb->priority = HCI_PRIO_MAX - 1;
3995
3996 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3997 skb->priority);
3998 }
3999
4000 if (hci_conn_num(hdev, type) == num)
4001 break;
4002 }
4003
4004 rcu_read_unlock();
4005
4006}
4007
4008static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
4009{
4010 /* Calculate count of blocks used by this packet */
4011 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
4012}
4013
4014static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
4015{
4016 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
4017 /* ACL tx timeout must be longer than maximum
4018 * link supervision timeout (40.9 seconds) */
4019 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
4020 HCI_ACL_TX_TIMEOUT))
4021 hci_link_tx_to(hdev, ACL_LINK);
4022 }
4023}
4024
4025static void hci_sched_acl_pkt(struct hci_dev *hdev)
4026{
4027 unsigned int cnt = hdev->acl_cnt;
4028 struct hci_chan *chan;
4029 struct sk_buff *skb;
4030 int quote;
4031
4032 __check_timeout(hdev, cnt);
4033
4034 while (hdev->acl_cnt &&
4035 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
4036 u32 priority = (skb_peek(&chan->data_q))->priority;
4037 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4038 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4039 skb->len, skb->priority);
4040
4041 /* Stop if priority has changed */
4042 if (skb->priority < priority)
4043 break;
4044
4045 skb = skb_dequeue(&chan->data_q);
4046
4047 hci_conn_enter_active_mode(chan->conn,
4048 bt_cb(skb)->force_active);
4049
4050 hci_send_frame(hdev, skb);
4051 hdev->acl_last_tx = jiffies;
4052
4053 hdev->acl_cnt--;
4054 chan->sent++;
4055 chan->conn->sent++;
4056 }
4057 }
4058
4059 if (cnt != hdev->acl_cnt)
4060 hci_prio_recalculate(hdev, ACL_LINK);
4061}
4062
4063static void hci_sched_acl_blk(struct hci_dev *hdev)
4064{
4065 unsigned int cnt = hdev->block_cnt;
4066 struct hci_chan *chan;
4067 struct sk_buff *skb;
4068 int quote;
4069 u8 type;
4070
4071 __check_timeout(hdev, cnt);
4072
4073 BT_DBG("%s", hdev->name);
4074
4075 if (hdev->dev_type == HCI_AMP)
4076 type = AMP_LINK;
4077 else
4078 type = ACL_LINK;
4079
4080 while (hdev->block_cnt > 0 &&
4081 (chan = hci_chan_sent(hdev, type, "e))) {
4082 u32 priority = (skb_peek(&chan->data_q))->priority;
4083 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
4084 int blocks;
4085
4086 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4087 skb->len, skb->priority);
4088
4089 /* Stop if priority has changed */
4090 if (skb->priority < priority)
4091 break;
4092
4093 skb = skb_dequeue(&chan->data_q);
4094
4095 blocks = __get_blocks(hdev, skb);
4096 if (blocks > hdev->block_cnt)
4097 return;
4098
4099 hci_conn_enter_active_mode(chan->conn,
4100 bt_cb(skb)->force_active);
4101
4102 hci_send_frame(hdev, skb);
4103 hdev->acl_last_tx = jiffies;
4104
4105 hdev->block_cnt -= blocks;
4106 quote -= blocks;
4107
4108 chan->sent += blocks;
4109 chan->conn->sent += blocks;
4110 }
4111 }
4112
4113 if (cnt != hdev->block_cnt)
4114 hci_prio_recalculate(hdev, type);
4115}
4116
4117static void hci_sched_acl(struct hci_dev *hdev)
4118{
4119 BT_DBG("%s", hdev->name);
4120
4121 /* No ACL link over BR/EDR controller */
4122 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_PRIMARY)
4123 return;
4124
4125 /* No AMP link over AMP controller */
4126 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
4127 return;
4128
4129 switch (hdev->flow_ctl_mode) {
4130 case HCI_FLOW_CTL_MODE_PACKET_BASED:
4131 hci_sched_acl_pkt(hdev);
4132 break;
4133
4134 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
4135 hci_sched_acl_blk(hdev);
4136 break;
4137 }
4138}
4139
4140/* Schedule SCO */
4141static void hci_sched_sco(struct hci_dev *hdev)
4142{
4143 struct hci_conn *conn;
4144 struct sk_buff *skb;
4145 int quote;
4146
4147 BT_DBG("%s", hdev->name);
4148
4149 if (!hci_conn_num(hdev, SCO_LINK))
4150 return;
4151
4152 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
4153 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4154 BT_DBG("skb %p len %d", skb, skb->len);
4155 hci_send_frame(hdev, skb);
4156
4157 conn->sent++;
4158 if (conn->sent == ~0)
4159 conn->sent = 0;
4160 }
4161 }
4162}
4163
4164static void hci_sched_esco(struct hci_dev *hdev)
4165{
4166 struct hci_conn *conn;
4167 struct sk_buff *skb;
4168 int quote;
4169
4170 BT_DBG("%s", hdev->name);
4171
4172 if (!hci_conn_num(hdev, ESCO_LINK))
4173 return;
4174
4175 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
4176 "e))) {
4177 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4178 BT_DBG("skb %p len %d", skb, skb->len);
4179 hci_send_frame(hdev, skb);
4180
4181 conn->sent++;
4182 if (conn->sent == ~0)
4183 conn->sent = 0;
4184 }
4185 }
4186}
4187
4188static void hci_sched_le(struct hci_dev *hdev)
4189{
4190 struct hci_chan *chan;
4191 struct sk_buff *skb;
4192 int quote, cnt, tmp;
4193
4194 BT_DBG("%s", hdev->name);
4195
4196 if (!hci_conn_num(hdev, LE_LINK))
4197 return;
4198
4199 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
4200 /* LE tx timeout must be longer than maximum
4201 * link supervision timeout (40.9 seconds) */
4202 if (!hdev->le_cnt && hdev->le_pkts &&
4203 time_after(jiffies, hdev->le_last_tx + HZ * 45))
4204 hci_link_tx_to(hdev, LE_LINK);
4205 }
4206
4207 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
4208 tmp = cnt;
4209 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
4210 u32 priority = (skb_peek(&chan->data_q))->priority;
4211 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4212 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4213 skb->len, skb->priority);
4214
4215 /* Stop if priority has changed */
4216 if (skb->priority < priority)
4217 break;
4218
4219 skb = skb_dequeue(&chan->data_q);
4220
4221 hci_send_frame(hdev, skb);
4222 hdev->le_last_tx = jiffies;
4223
4224 cnt--;
4225 chan->sent++;
4226 chan->conn->sent++;
4227 }
4228 }
4229
4230 if (hdev->le_pkts)
4231 hdev->le_cnt = cnt;
4232 else
4233 hdev->acl_cnt = cnt;
4234
4235 if (cnt != tmp)
4236 hci_prio_recalculate(hdev, LE_LINK);
4237}
4238
4239static void hci_tx_work(struct work_struct *work)
4240{
4241 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
4242 struct sk_buff *skb;
4243
4244 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
4245 hdev->sco_cnt, hdev->le_cnt);
4246
4247 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4248 /* Schedule queues and send stuff to HCI driver */
4249 hci_sched_acl(hdev);
4250 hci_sched_sco(hdev);
4251 hci_sched_esco(hdev);
4252 hci_sched_le(hdev);
4253 }
4254
4255 /* Send next queued raw (unknown type) packet */
4256 while ((skb = skb_dequeue(&hdev->raw_q)))
4257 hci_send_frame(hdev, skb);
4258}
4259
4260/* ----- HCI RX task (incoming data processing) ----- */
4261
4262/* ACL data packet */
4263static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4264{
4265 struct hci_acl_hdr *hdr = (void *) skb->data;
4266 struct hci_conn *conn;
4267 __u16 handle, flags;
4268
4269 skb_pull(skb, HCI_ACL_HDR_SIZE);
4270
4271 handle = __le16_to_cpu(hdr->handle);
4272 flags = hci_flags(handle);
4273 handle = hci_handle(handle);
4274
4275 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
4276 handle, flags);
4277
4278 hdev->stat.acl_rx++;
4279
4280 hci_dev_lock(hdev);
4281 conn = hci_conn_hash_lookup_handle(hdev, handle);
4282 hci_dev_unlock(hdev);
4283
4284 if (conn) {
4285 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
4286
4287 /* Send to upper protocol */
4288 l2cap_recv_acldata(conn, skb, flags);
4289 return;
4290 } else {
4291 bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
4292 handle);
4293 }
4294
4295 kfree_skb(skb);
4296}
4297
4298/* SCO data packet */
4299static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4300{
4301 struct hci_sco_hdr *hdr = (void *) skb->data;
4302 struct hci_conn *conn;
4303 __u16 handle;
4304
4305 skb_pull(skb, HCI_SCO_HDR_SIZE);
4306
4307 handle = __le16_to_cpu(hdr->handle);
4308
4309 BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4310
4311 hdev->stat.sco_rx++;
4312
4313 hci_dev_lock(hdev);
4314 conn = hci_conn_hash_lookup_handle(hdev, handle);
4315 hci_dev_unlock(hdev);
4316
4317 if (conn) {
4318 /* Send to upper protocol */
4319 sco_recv_scodata(conn, skb);
4320 return;
4321 } else {
4322 bt_dev_err(hdev, "SCO packet for unknown connection handle %d",
4323 handle);
4324 }
4325
4326 kfree_skb(skb);
4327}
4328
4329static bool hci_req_is_complete(struct hci_dev *hdev)
4330{
4331 struct sk_buff *skb;
4332
4333 skb = skb_peek(&hdev->cmd_q);
4334 if (!skb)
4335 return true;
4336
4337 return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
4338}
4339
4340static void hci_resend_last(struct hci_dev *hdev)
4341{
4342 struct hci_command_hdr *sent;
4343 struct sk_buff *skb;
4344 u16 opcode;
4345
4346 if (!hdev->sent_cmd)
4347 return;
4348
4349 sent = (void *) hdev->sent_cmd->data;
4350 opcode = __le16_to_cpu(sent->opcode);
4351 if (opcode == HCI_OP_RESET)
4352 return;
4353
4354 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4355 if (!skb)
4356 return;
4357
4358 skb_queue_head(&hdev->cmd_q, skb);
4359 queue_work(hdev->workqueue, &hdev->cmd_work);
4360}
4361
4362void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
4363 hci_req_complete_t *req_complete,
4364 hci_req_complete_skb_t *req_complete_skb)
4365{
4366 struct sk_buff *skb;
4367 unsigned long flags;
4368
4369 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4370
4371 /* If the completed command doesn't match the last one that was
4372 * sent we need to do special handling of it.
4373 */
4374 if (!hci_sent_cmd_data(hdev, opcode)) {
4375 /* Some CSR based controllers generate a spontaneous
4376 * reset complete event during init and any pending
4377 * command will never be completed. In such a case we
4378 * need to resend whatever was the last sent
4379 * command.
4380 */
4381 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4382 hci_resend_last(hdev);
4383
4384 return;
4385 }
4386
4387 /* If we reach this point this event matches the last command sent */
4388 hci_dev_clear_flag(hdev, HCI_CMD_PENDING);
4389
4390 /* If the command succeeded and there's still more commands in
4391 * this request the request is not yet complete.
4392 */
4393 if (!status && !hci_req_is_complete(hdev))
4394 return;
4395
4396 /* If this was the last command in a request the complete
4397 * callback would be found in hdev->sent_cmd instead of the
4398 * command queue (hdev->cmd_q).
4399 */
4400 if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
4401 *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
4402 return;
4403 }
4404
4405 if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
4406 *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
4407 return;
4408 }
4409
4410 /* Remove all pending commands belonging to this request */
4411 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4412 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4413 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4414 __skb_queue_head(&hdev->cmd_q, skb);
4415 break;
4416 }
4417
4418 if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
4419 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4420 else
4421 *req_complete = bt_cb(skb)->hci.req_complete;
4422 kfree_skb(skb);
4423 }
4424 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4425}
4426
4427static void hci_rx_work(struct work_struct *work)
4428{
4429 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4430 struct sk_buff *skb;
4431
4432 BT_DBG("%s", hdev->name);
4433
4434 while ((skb = skb_dequeue(&hdev->rx_q))) {
4435 /* Send copy to monitor */
4436 hci_send_to_monitor(hdev, skb);
4437
4438 if (atomic_read(&hdev->promisc)) {
4439 /* Send copy to the sockets */
4440 hci_send_to_sock(hdev, skb);
4441 }
4442
4443 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4444 kfree_skb(skb);
4445 continue;
4446 }
4447
4448 if (test_bit(HCI_INIT, &hdev->flags)) {
4449 /* Don't process data packets in this states. */
4450 switch (hci_skb_pkt_type(skb)) {
4451 case HCI_ACLDATA_PKT:
4452 case HCI_SCODATA_PKT:
4453 kfree_skb(skb);
4454 continue;
4455 }
4456 }
4457
4458 /* Process frame */
4459 switch (hci_skb_pkt_type(skb)) {
4460 case HCI_EVENT_PKT:
4461 BT_DBG("%s Event packet", hdev->name);
4462 hci_event_packet(hdev, skb);
4463 break;
4464
4465 case HCI_ACLDATA_PKT:
4466 BT_DBG("%s ACL data packet", hdev->name);
4467 hci_acldata_packet(hdev, skb);
4468 break;
4469
4470 case HCI_SCODATA_PKT:
4471 BT_DBG("%s SCO data packet", hdev->name);
4472 hci_scodata_packet(hdev, skb);
4473 break;
4474
4475 default:
4476 kfree_skb(skb);
4477 break;
4478 }
4479 }
4480}
4481
4482static void hci_cmd_work(struct work_struct *work)
4483{
4484 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4485 struct sk_buff *skb;
4486
4487 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4488 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4489
4490 /* Send queued commands */
4491 if (atomic_read(&hdev->cmd_cnt)) {
4492 skb = skb_dequeue(&hdev->cmd_q);
4493 if (!skb)
4494 return;
4495
4496 kfree_skb(hdev->sent_cmd);
4497
4498 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4499 if (hdev->sent_cmd) {
4500 if (hci_req_status_pend(hdev))
4501 hci_dev_set_flag(hdev, HCI_CMD_PENDING);
4502 atomic_dec(&hdev->cmd_cnt);
4503 hci_send_frame(hdev, skb);
4504 if (test_bit(HCI_RESET, &hdev->flags))
4505 cancel_delayed_work(&hdev->cmd_timer);
4506 else
4507 schedule_delayed_work(&hdev->cmd_timer,
4508 HCI_CMD_TIMEOUT);
4509 } else {
4510 skb_queue_head(&hdev->cmd_q, skb);
4511 queue_work(hdev->workqueue, &hdev->cmd_work);
4512 }
4513 }
4514}
1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24*/
25
26/* Bluetooth HCI core. */
27
28#include <linux/export.h>
29#include <linux/idr.h>
30#include <linux/rfkill.h>
31#include <linux/debugfs.h>
32#include <linux/crypto.h>
33#include <asm/unaligned.h>
34
35#include <net/bluetooth/bluetooth.h>
36#include <net/bluetooth/hci_core.h>
37#include <net/bluetooth/l2cap.h>
38#include <net/bluetooth/mgmt.h>
39
40#include "hci_request.h"
41#include "hci_debugfs.h"
42#include "smp.h"
43#include "leds.h"
44
45static void hci_rx_work(struct work_struct *work);
46static void hci_cmd_work(struct work_struct *work);
47static void hci_tx_work(struct work_struct *work);
48
49/* HCI device list */
50LIST_HEAD(hci_dev_list);
51DEFINE_RWLOCK(hci_dev_list_lock);
52
53/* HCI callback list */
54LIST_HEAD(hci_cb_list);
55DEFINE_MUTEX(hci_cb_list_lock);
56
57/* HCI ID Numbering */
58static DEFINE_IDA(hci_index_ida);
59
60/* ---- HCI debugfs entries ---- */
61
62static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
63 size_t count, loff_t *ppos)
64{
65 struct hci_dev *hdev = file->private_data;
66 char buf[3];
67
68 buf[0] = hci_dev_test_flag(hdev, HCI_DUT_MODE) ? 'Y' : 'N';
69 buf[1] = '\n';
70 buf[2] = '\0';
71 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
72}
73
74static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
75 size_t count, loff_t *ppos)
76{
77 struct hci_dev *hdev = file->private_data;
78 struct sk_buff *skb;
79 char buf[32];
80 size_t buf_size = min(count, (sizeof(buf)-1));
81 bool enable;
82
83 if (!test_bit(HCI_UP, &hdev->flags))
84 return -ENETDOWN;
85
86 if (copy_from_user(buf, user_buf, buf_size))
87 return -EFAULT;
88
89 buf[buf_size] = '\0';
90 if (strtobool(buf, &enable))
91 return -EINVAL;
92
93 if (enable == hci_dev_test_flag(hdev, HCI_DUT_MODE))
94 return -EALREADY;
95
96 hci_req_sync_lock(hdev);
97 if (enable)
98 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
99 HCI_CMD_TIMEOUT);
100 else
101 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
102 HCI_CMD_TIMEOUT);
103 hci_req_sync_unlock(hdev);
104
105 if (IS_ERR(skb))
106 return PTR_ERR(skb);
107
108 kfree_skb(skb);
109
110 hci_dev_change_flag(hdev, HCI_DUT_MODE);
111
112 return count;
113}
114
115static const struct file_operations dut_mode_fops = {
116 .open = simple_open,
117 .read = dut_mode_read,
118 .write = dut_mode_write,
119 .llseek = default_llseek,
120};
121
122static ssize_t vendor_diag_read(struct file *file, char __user *user_buf,
123 size_t count, loff_t *ppos)
124{
125 struct hci_dev *hdev = file->private_data;
126 char buf[3];
127
128 buf[0] = hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) ? 'Y' : 'N';
129 buf[1] = '\n';
130 buf[2] = '\0';
131 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
132}
133
134static ssize_t vendor_diag_write(struct file *file, const char __user *user_buf,
135 size_t count, loff_t *ppos)
136{
137 struct hci_dev *hdev = file->private_data;
138 char buf[32];
139 size_t buf_size = min(count, (sizeof(buf)-1));
140 bool enable;
141 int err;
142
143 if (copy_from_user(buf, user_buf, buf_size))
144 return -EFAULT;
145
146 buf[buf_size] = '\0';
147 if (strtobool(buf, &enable))
148 return -EINVAL;
149
150 /* When the diagnostic flags are not persistent and the transport
151 * is not active, then there is no need for the vendor callback.
152 *
153 * Instead just store the desired value. If needed the setting
154 * will be programmed when the controller gets powered on.
155 */
156 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
157 !test_bit(HCI_RUNNING, &hdev->flags))
158 goto done;
159
160 hci_req_sync_lock(hdev);
161 err = hdev->set_diag(hdev, enable);
162 hci_req_sync_unlock(hdev);
163
164 if (err < 0)
165 return err;
166
167done:
168 if (enable)
169 hci_dev_set_flag(hdev, HCI_VENDOR_DIAG);
170 else
171 hci_dev_clear_flag(hdev, HCI_VENDOR_DIAG);
172
173 return count;
174}
175
176static const struct file_operations vendor_diag_fops = {
177 .open = simple_open,
178 .read = vendor_diag_read,
179 .write = vendor_diag_write,
180 .llseek = default_llseek,
181};
182
183static void hci_debugfs_create_basic(struct hci_dev *hdev)
184{
185 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
186 &dut_mode_fops);
187
188 if (hdev->set_diag)
189 debugfs_create_file("vendor_diag", 0644, hdev->debugfs, hdev,
190 &vendor_diag_fops);
191}
192
193static int hci_reset_req(struct hci_request *req, unsigned long opt)
194{
195 BT_DBG("%s %ld", req->hdev->name, opt);
196
197 /* Reset device */
198 set_bit(HCI_RESET, &req->hdev->flags);
199 hci_req_add(req, HCI_OP_RESET, 0, NULL);
200 return 0;
201}
202
203static void bredr_init(struct hci_request *req)
204{
205 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
206
207 /* Read Local Supported Features */
208 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
209
210 /* Read Local Version */
211 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
212
213 /* Read BD Address */
214 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
215}
216
217static void amp_init1(struct hci_request *req)
218{
219 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
220
221 /* Read Local Version */
222 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
223
224 /* Read Local Supported Commands */
225 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
226
227 /* Read Local AMP Info */
228 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
229
230 /* Read Data Blk size */
231 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
232
233 /* Read Flow Control Mode */
234 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
235
236 /* Read Location Data */
237 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
238}
239
240static int amp_init2(struct hci_request *req)
241{
242 /* Read Local Supported Features. Not all AMP controllers
243 * support this so it's placed conditionally in the second
244 * stage init.
245 */
246 if (req->hdev->commands[14] & 0x20)
247 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
248
249 return 0;
250}
251
252static int hci_init1_req(struct hci_request *req, unsigned long opt)
253{
254 struct hci_dev *hdev = req->hdev;
255
256 BT_DBG("%s %ld", hdev->name, opt);
257
258 /* Reset */
259 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
260 hci_reset_req(req, 0);
261
262 switch (hdev->dev_type) {
263 case HCI_BREDR:
264 bredr_init(req);
265 break;
266
267 case HCI_AMP:
268 amp_init1(req);
269 break;
270
271 default:
272 BT_ERR("Unknown device type %d", hdev->dev_type);
273 break;
274 }
275
276 return 0;
277}
278
279static void bredr_setup(struct hci_request *req)
280{
281 __le16 param;
282 __u8 flt_type;
283
284 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
285 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
286
287 /* Read Class of Device */
288 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
289
290 /* Read Local Name */
291 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
292
293 /* Read Voice Setting */
294 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
295
296 /* Read Number of Supported IAC */
297 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
298
299 /* Read Current IAC LAP */
300 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
301
302 /* Clear Event Filters */
303 flt_type = HCI_FLT_CLEAR_ALL;
304 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
305
306 /* Connection accept timeout ~20 secs */
307 param = cpu_to_le16(0x7d00);
308 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
309}
310
311static void le_setup(struct hci_request *req)
312{
313 struct hci_dev *hdev = req->hdev;
314
315 /* Read LE Buffer Size */
316 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
317
318 /* Read LE Local Supported Features */
319 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
320
321 /* Read LE Supported States */
322 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
323
324 /* LE-only controllers have LE implicitly enabled */
325 if (!lmp_bredr_capable(hdev))
326 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
327}
328
329static void hci_setup_event_mask(struct hci_request *req)
330{
331 struct hci_dev *hdev = req->hdev;
332
333 /* The second byte is 0xff instead of 0x9f (two reserved bits
334 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
335 * command otherwise.
336 */
337 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
338
339 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
340 * any event mask for pre 1.2 devices.
341 */
342 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
343 return;
344
345 if (lmp_bredr_capable(hdev)) {
346 events[4] |= 0x01; /* Flow Specification Complete */
347 } else {
348 /* Use a different default for LE-only devices */
349 memset(events, 0, sizeof(events));
350 events[1] |= 0x20; /* Command Complete */
351 events[1] |= 0x40; /* Command Status */
352 events[1] |= 0x80; /* Hardware Error */
353
354 /* If the controller supports the Disconnect command, enable
355 * the corresponding event. In addition enable packet flow
356 * control related events.
357 */
358 if (hdev->commands[0] & 0x20) {
359 events[0] |= 0x10; /* Disconnection Complete */
360 events[2] |= 0x04; /* Number of Completed Packets */
361 events[3] |= 0x02; /* Data Buffer Overflow */
362 }
363
364 /* If the controller supports the Read Remote Version
365 * Information command, enable the corresponding event.
366 */
367 if (hdev->commands[2] & 0x80)
368 events[1] |= 0x08; /* Read Remote Version Information
369 * Complete
370 */
371
372 if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
373 events[0] |= 0x80; /* Encryption Change */
374 events[5] |= 0x80; /* Encryption Key Refresh Complete */
375 }
376 }
377
378 if (lmp_inq_rssi_capable(hdev) ||
379 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks))
380 events[4] |= 0x02; /* Inquiry Result with RSSI */
381
382 if (lmp_ext_feat_capable(hdev))
383 events[4] |= 0x04; /* Read Remote Extended Features Complete */
384
385 if (lmp_esco_capable(hdev)) {
386 events[5] |= 0x08; /* Synchronous Connection Complete */
387 events[5] |= 0x10; /* Synchronous Connection Changed */
388 }
389
390 if (lmp_sniffsubr_capable(hdev))
391 events[5] |= 0x20; /* Sniff Subrating */
392
393 if (lmp_pause_enc_capable(hdev))
394 events[5] |= 0x80; /* Encryption Key Refresh Complete */
395
396 if (lmp_ext_inq_capable(hdev))
397 events[5] |= 0x40; /* Extended Inquiry Result */
398
399 if (lmp_no_flush_capable(hdev))
400 events[7] |= 0x01; /* Enhanced Flush Complete */
401
402 if (lmp_lsto_capable(hdev))
403 events[6] |= 0x80; /* Link Supervision Timeout Changed */
404
405 if (lmp_ssp_capable(hdev)) {
406 events[6] |= 0x01; /* IO Capability Request */
407 events[6] |= 0x02; /* IO Capability Response */
408 events[6] |= 0x04; /* User Confirmation Request */
409 events[6] |= 0x08; /* User Passkey Request */
410 events[6] |= 0x10; /* Remote OOB Data Request */
411 events[6] |= 0x20; /* Simple Pairing Complete */
412 events[7] |= 0x04; /* User Passkey Notification */
413 events[7] |= 0x08; /* Keypress Notification */
414 events[7] |= 0x10; /* Remote Host Supported
415 * Features Notification
416 */
417 }
418
419 if (lmp_le_capable(hdev))
420 events[7] |= 0x20; /* LE Meta-Event */
421
422 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
423}
424
425static int hci_init2_req(struct hci_request *req, unsigned long opt)
426{
427 struct hci_dev *hdev = req->hdev;
428
429 if (hdev->dev_type == HCI_AMP)
430 return amp_init2(req);
431
432 if (lmp_bredr_capable(hdev))
433 bredr_setup(req);
434 else
435 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
436
437 if (lmp_le_capable(hdev))
438 le_setup(req);
439
440 /* All Bluetooth 1.2 and later controllers should support the
441 * HCI command for reading the local supported commands.
442 *
443 * Unfortunately some controllers indicate Bluetooth 1.2 support,
444 * but do not have support for this command. If that is the case,
445 * the driver can quirk the behavior and skip reading the local
446 * supported commands.
447 */
448 if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
449 !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
450 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
451
452 if (lmp_ssp_capable(hdev)) {
453 /* When SSP is available, then the host features page
454 * should also be available as well. However some
455 * controllers list the max_page as 0 as long as SSP
456 * has not been enabled. To achieve proper debugging
457 * output, force the minimum max_page to 1 at least.
458 */
459 hdev->max_page = 0x01;
460
461 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
462 u8 mode = 0x01;
463
464 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
465 sizeof(mode), &mode);
466 } else {
467 struct hci_cp_write_eir cp;
468
469 memset(hdev->eir, 0, sizeof(hdev->eir));
470 memset(&cp, 0, sizeof(cp));
471
472 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
473 }
474 }
475
476 if (lmp_inq_rssi_capable(hdev) ||
477 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
478 u8 mode;
479
480 /* If Extended Inquiry Result events are supported, then
481 * they are clearly preferred over Inquiry Result with RSSI
482 * events.
483 */
484 mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
485
486 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
487 }
488
489 if (lmp_inq_tx_pwr_capable(hdev))
490 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
491
492 if (lmp_ext_feat_capable(hdev)) {
493 struct hci_cp_read_local_ext_features cp;
494
495 cp.page = 0x01;
496 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
497 sizeof(cp), &cp);
498 }
499
500 if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
501 u8 enable = 1;
502 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
503 &enable);
504 }
505
506 return 0;
507}
508
509static void hci_setup_link_policy(struct hci_request *req)
510{
511 struct hci_dev *hdev = req->hdev;
512 struct hci_cp_write_def_link_policy cp;
513 u16 link_policy = 0;
514
515 if (lmp_rswitch_capable(hdev))
516 link_policy |= HCI_LP_RSWITCH;
517 if (lmp_hold_capable(hdev))
518 link_policy |= HCI_LP_HOLD;
519 if (lmp_sniff_capable(hdev))
520 link_policy |= HCI_LP_SNIFF;
521 if (lmp_park_capable(hdev))
522 link_policy |= HCI_LP_PARK;
523
524 cp.policy = cpu_to_le16(link_policy);
525 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
526}
527
528static void hci_set_le_support(struct hci_request *req)
529{
530 struct hci_dev *hdev = req->hdev;
531 struct hci_cp_write_le_host_supported cp;
532
533 /* LE-only devices do not support explicit enablement */
534 if (!lmp_bredr_capable(hdev))
535 return;
536
537 memset(&cp, 0, sizeof(cp));
538
539 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
540 cp.le = 0x01;
541 cp.simul = 0x00;
542 }
543
544 if (cp.le != lmp_host_le_capable(hdev))
545 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
546 &cp);
547}
548
549static void hci_set_event_mask_page_2(struct hci_request *req)
550{
551 struct hci_dev *hdev = req->hdev;
552 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
553
554 /* If Connectionless Slave Broadcast master role is supported
555 * enable all necessary events for it.
556 */
557 if (lmp_csb_master_capable(hdev)) {
558 events[1] |= 0x40; /* Triggered Clock Capture */
559 events[1] |= 0x80; /* Synchronization Train Complete */
560 events[2] |= 0x10; /* Slave Page Response Timeout */
561 events[2] |= 0x20; /* CSB Channel Map Change */
562 }
563
564 /* If Connectionless Slave Broadcast slave role is supported
565 * enable all necessary events for it.
566 */
567 if (lmp_csb_slave_capable(hdev)) {
568 events[2] |= 0x01; /* Synchronization Train Received */
569 events[2] |= 0x02; /* CSB Receive */
570 events[2] |= 0x04; /* CSB Timeout */
571 events[2] |= 0x08; /* Truncated Page Complete */
572 }
573
574 /* Enable Authenticated Payload Timeout Expired event if supported */
575 if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
576 events[2] |= 0x80;
577
578 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
579}
580
581static int hci_init3_req(struct hci_request *req, unsigned long opt)
582{
583 struct hci_dev *hdev = req->hdev;
584 u8 p;
585
586 hci_setup_event_mask(req);
587
588 if (hdev->commands[6] & 0x20 &&
589 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
590 struct hci_cp_read_stored_link_key cp;
591
592 bacpy(&cp.bdaddr, BDADDR_ANY);
593 cp.read_all = 0x01;
594 hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
595 }
596
597 if (hdev->commands[5] & 0x10)
598 hci_setup_link_policy(req);
599
600 if (hdev->commands[8] & 0x01)
601 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
602
603 /* Some older Broadcom based Bluetooth 1.2 controllers do not
604 * support the Read Page Scan Type command. Check support for
605 * this command in the bit mask of supported commands.
606 */
607 if (hdev->commands[13] & 0x01)
608 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
609
610 if (lmp_le_capable(hdev)) {
611 u8 events[8];
612
613 memset(events, 0, sizeof(events));
614
615 if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
616 events[0] |= 0x10; /* LE Long Term Key Request */
617
618 /* If controller supports the Connection Parameters Request
619 * Link Layer Procedure, enable the corresponding event.
620 */
621 if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
622 events[0] |= 0x20; /* LE Remote Connection
623 * Parameter Request
624 */
625
626 /* If the controller supports the Data Length Extension
627 * feature, enable the corresponding event.
628 */
629 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
630 events[0] |= 0x40; /* LE Data Length Change */
631
632 /* If the controller supports Extended Scanner Filter
633 * Policies, enable the correspondig event.
634 */
635 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
636 events[1] |= 0x04; /* LE Direct Advertising
637 * Report
638 */
639
640 /* If the controller supports the LE Set Scan Enable command,
641 * enable the corresponding advertising report event.
642 */
643 if (hdev->commands[26] & 0x08)
644 events[0] |= 0x02; /* LE Advertising Report */
645
646 /* If the controller supports the LE Create Connection
647 * command, enable the corresponding event.
648 */
649 if (hdev->commands[26] & 0x10)
650 events[0] |= 0x01; /* LE Connection Complete */
651
652 /* If the controller supports the LE Connection Update
653 * command, enable the corresponding event.
654 */
655 if (hdev->commands[27] & 0x04)
656 events[0] |= 0x04; /* LE Connection Update
657 * Complete
658 */
659
660 /* If the controller supports the LE Read Remote Used Features
661 * command, enable the corresponding event.
662 */
663 if (hdev->commands[27] & 0x20)
664 events[0] |= 0x08; /* LE Read Remote Used
665 * Features Complete
666 */
667
668 /* If the controller supports the LE Read Local P-256
669 * Public Key command, enable the corresponding event.
670 */
671 if (hdev->commands[34] & 0x02)
672 events[0] |= 0x80; /* LE Read Local P-256
673 * Public Key Complete
674 */
675
676 /* If the controller supports the LE Generate DHKey
677 * command, enable the corresponding event.
678 */
679 if (hdev->commands[34] & 0x04)
680 events[1] |= 0x01; /* LE Generate DHKey Complete */
681
682 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
683 events);
684
685 if (hdev->commands[25] & 0x40) {
686 /* Read LE Advertising Channel TX Power */
687 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
688 }
689
690 if (hdev->commands[26] & 0x40) {
691 /* Read LE White List Size */
692 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE,
693 0, NULL);
694 }
695
696 if (hdev->commands[26] & 0x80) {
697 /* Clear LE White List */
698 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
699 }
700
701 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
702 /* Read LE Maximum Data Length */
703 hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
704
705 /* Read LE Suggested Default Data Length */
706 hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
707 }
708
709 hci_set_le_support(req);
710 }
711
712 /* Read features beyond page 1 if available */
713 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
714 struct hci_cp_read_local_ext_features cp;
715
716 cp.page = p;
717 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
718 sizeof(cp), &cp);
719 }
720
721 return 0;
722}
723
724static int hci_init4_req(struct hci_request *req, unsigned long opt)
725{
726 struct hci_dev *hdev = req->hdev;
727
728 /* Some Broadcom based Bluetooth controllers do not support the
729 * Delete Stored Link Key command. They are clearly indicating its
730 * absence in the bit mask of supported commands.
731 *
732 * Check the supported commands and only if the the command is marked
733 * as supported send it. If not supported assume that the controller
734 * does not have actual support for stored link keys which makes this
735 * command redundant anyway.
736 *
737 * Some controllers indicate that they support handling deleting
738 * stored link keys, but they don't. The quirk lets a driver
739 * just disable this command.
740 */
741 if (hdev->commands[6] & 0x80 &&
742 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
743 struct hci_cp_delete_stored_link_key cp;
744
745 bacpy(&cp.bdaddr, BDADDR_ANY);
746 cp.delete_all = 0x01;
747 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
748 sizeof(cp), &cp);
749 }
750
751 /* Set event mask page 2 if the HCI command for it is supported */
752 if (hdev->commands[22] & 0x04)
753 hci_set_event_mask_page_2(req);
754
755 /* Read local codec list if the HCI command is supported */
756 if (hdev->commands[29] & 0x20)
757 hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
758
759 /* Get MWS transport configuration if the HCI command is supported */
760 if (hdev->commands[30] & 0x08)
761 hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
762
763 /* Check for Synchronization Train support */
764 if (lmp_sync_train_capable(hdev))
765 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
766
767 /* Enable Secure Connections if supported and configured */
768 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&
769 bredr_sc_enabled(hdev)) {
770 u8 support = 0x01;
771
772 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
773 sizeof(support), &support);
774 }
775
776 return 0;
777}
778
779static int __hci_init(struct hci_dev *hdev)
780{
781 int err;
782
783 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT, NULL);
784 if (err < 0)
785 return err;
786
787 if (hci_dev_test_flag(hdev, HCI_SETUP))
788 hci_debugfs_create_basic(hdev);
789
790 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT, NULL);
791 if (err < 0)
792 return err;
793
794 /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
795 * BR/EDR/LE type controllers. AMP controllers only need the
796 * first two stages of init.
797 */
798 if (hdev->dev_type != HCI_BREDR)
799 return 0;
800
801 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT, NULL);
802 if (err < 0)
803 return err;
804
805 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT, NULL);
806 if (err < 0)
807 return err;
808
809 /* This function is only called when the controller is actually in
810 * configured state. When the controller is marked as unconfigured,
811 * this initialization procedure is not run.
812 *
813 * It means that it is possible that a controller runs through its
814 * setup phase and then discovers missing settings. If that is the
815 * case, then this function will not be called. It then will only
816 * be called during the config phase.
817 *
818 * So only when in setup phase or config phase, create the debugfs
819 * entries and register the SMP channels.
820 */
821 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
822 !hci_dev_test_flag(hdev, HCI_CONFIG))
823 return 0;
824
825 hci_debugfs_create_common(hdev);
826
827 if (lmp_bredr_capable(hdev))
828 hci_debugfs_create_bredr(hdev);
829
830 if (lmp_le_capable(hdev))
831 hci_debugfs_create_le(hdev);
832
833 return 0;
834}
835
836static int hci_init0_req(struct hci_request *req, unsigned long opt)
837{
838 struct hci_dev *hdev = req->hdev;
839
840 BT_DBG("%s %ld", hdev->name, opt);
841
842 /* Reset */
843 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
844 hci_reset_req(req, 0);
845
846 /* Read Local Version */
847 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
848
849 /* Read BD Address */
850 if (hdev->set_bdaddr)
851 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
852
853 return 0;
854}
855
856static int __hci_unconf_init(struct hci_dev *hdev)
857{
858 int err;
859
860 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
861 return 0;
862
863 err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT, NULL);
864 if (err < 0)
865 return err;
866
867 if (hci_dev_test_flag(hdev, HCI_SETUP))
868 hci_debugfs_create_basic(hdev);
869
870 return 0;
871}
872
873static int hci_scan_req(struct hci_request *req, unsigned long opt)
874{
875 __u8 scan = opt;
876
877 BT_DBG("%s %x", req->hdev->name, scan);
878
879 /* Inquiry and Page scans */
880 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
881 return 0;
882}
883
884static int hci_auth_req(struct hci_request *req, unsigned long opt)
885{
886 __u8 auth = opt;
887
888 BT_DBG("%s %x", req->hdev->name, auth);
889
890 /* Authentication */
891 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
892 return 0;
893}
894
895static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
896{
897 __u8 encrypt = opt;
898
899 BT_DBG("%s %x", req->hdev->name, encrypt);
900
901 /* Encryption */
902 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
903 return 0;
904}
905
906static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
907{
908 __le16 policy = cpu_to_le16(opt);
909
910 BT_DBG("%s %x", req->hdev->name, policy);
911
912 /* Default link policy */
913 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
914 return 0;
915}
916
917/* Get HCI device by index.
918 * Device is held on return. */
919struct hci_dev *hci_dev_get(int index)
920{
921 struct hci_dev *hdev = NULL, *d;
922
923 BT_DBG("%d", index);
924
925 if (index < 0)
926 return NULL;
927
928 read_lock(&hci_dev_list_lock);
929 list_for_each_entry(d, &hci_dev_list, list) {
930 if (d->id == index) {
931 hdev = hci_dev_hold(d);
932 break;
933 }
934 }
935 read_unlock(&hci_dev_list_lock);
936 return hdev;
937}
938
939/* ---- Inquiry support ---- */
940
941bool hci_discovery_active(struct hci_dev *hdev)
942{
943 struct discovery_state *discov = &hdev->discovery;
944
945 switch (discov->state) {
946 case DISCOVERY_FINDING:
947 case DISCOVERY_RESOLVING:
948 return true;
949
950 default:
951 return false;
952 }
953}
954
955void hci_discovery_set_state(struct hci_dev *hdev, int state)
956{
957 int old_state = hdev->discovery.state;
958
959 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
960
961 if (old_state == state)
962 return;
963
964 hdev->discovery.state = state;
965
966 switch (state) {
967 case DISCOVERY_STOPPED:
968 hci_update_background_scan(hdev);
969
970 if (old_state != DISCOVERY_STARTING)
971 mgmt_discovering(hdev, 0);
972 break;
973 case DISCOVERY_STARTING:
974 break;
975 case DISCOVERY_FINDING:
976 mgmt_discovering(hdev, 1);
977 break;
978 case DISCOVERY_RESOLVING:
979 break;
980 case DISCOVERY_STOPPING:
981 break;
982 }
983}
984
985void hci_inquiry_cache_flush(struct hci_dev *hdev)
986{
987 struct discovery_state *cache = &hdev->discovery;
988 struct inquiry_entry *p, *n;
989
990 list_for_each_entry_safe(p, n, &cache->all, all) {
991 list_del(&p->all);
992 kfree(p);
993 }
994
995 INIT_LIST_HEAD(&cache->unknown);
996 INIT_LIST_HEAD(&cache->resolve);
997}
998
999struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1000 bdaddr_t *bdaddr)
1001{
1002 struct discovery_state *cache = &hdev->discovery;
1003 struct inquiry_entry *e;
1004
1005 BT_DBG("cache %p, %pMR", cache, bdaddr);
1006
1007 list_for_each_entry(e, &cache->all, all) {
1008 if (!bacmp(&e->data.bdaddr, bdaddr))
1009 return e;
1010 }
1011
1012 return NULL;
1013}
1014
1015struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1016 bdaddr_t *bdaddr)
1017{
1018 struct discovery_state *cache = &hdev->discovery;
1019 struct inquiry_entry *e;
1020
1021 BT_DBG("cache %p, %pMR", cache, bdaddr);
1022
1023 list_for_each_entry(e, &cache->unknown, list) {
1024 if (!bacmp(&e->data.bdaddr, bdaddr))
1025 return e;
1026 }
1027
1028 return NULL;
1029}
1030
1031struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1032 bdaddr_t *bdaddr,
1033 int state)
1034{
1035 struct discovery_state *cache = &hdev->discovery;
1036 struct inquiry_entry *e;
1037
1038 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1039
1040 list_for_each_entry(e, &cache->resolve, list) {
1041 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1042 return e;
1043 if (!bacmp(&e->data.bdaddr, bdaddr))
1044 return e;
1045 }
1046
1047 return NULL;
1048}
1049
1050void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1051 struct inquiry_entry *ie)
1052{
1053 struct discovery_state *cache = &hdev->discovery;
1054 struct list_head *pos = &cache->resolve;
1055 struct inquiry_entry *p;
1056
1057 list_del(&ie->list);
1058
1059 list_for_each_entry(p, &cache->resolve, list) {
1060 if (p->name_state != NAME_PENDING &&
1061 abs(p->data.rssi) >= abs(ie->data.rssi))
1062 break;
1063 pos = &p->list;
1064 }
1065
1066 list_add(&ie->list, pos);
1067}
1068
1069u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1070 bool name_known)
1071{
1072 struct discovery_state *cache = &hdev->discovery;
1073 struct inquiry_entry *ie;
1074 u32 flags = 0;
1075
1076 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1077
1078 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1079
1080 if (!data->ssp_mode)
1081 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1082
1083 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1084 if (ie) {
1085 if (!ie->data.ssp_mode)
1086 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1087
1088 if (ie->name_state == NAME_NEEDED &&
1089 data->rssi != ie->data.rssi) {
1090 ie->data.rssi = data->rssi;
1091 hci_inquiry_cache_update_resolve(hdev, ie);
1092 }
1093
1094 goto update;
1095 }
1096
1097 /* Entry not in the cache. Add new one. */
1098 ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1099 if (!ie) {
1100 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1101 goto done;
1102 }
1103
1104 list_add(&ie->all, &cache->all);
1105
1106 if (name_known) {
1107 ie->name_state = NAME_KNOWN;
1108 } else {
1109 ie->name_state = NAME_NOT_KNOWN;
1110 list_add(&ie->list, &cache->unknown);
1111 }
1112
1113update:
1114 if (name_known && ie->name_state != NAME_KNOWN &&
1115 ie->name_state != NAME_PENDING) {
1116 ie->name_state = NAME_KNOWN;
1117 list_del(&ie->list);
1118 }
1119
1120 memcpy(&ie->data, data, sizeof(*data));
1121 ie->timestamp = jiffies;
1122 cache->timestamp = jiffies;
1123
1124 if (ie->name_state == NAME_NOT_KNOWN)
1125 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1126
1127done:
1128 return flags;
1129}
1130
1131static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1132{
1133 struct discovery_state *cache = &hdev->discovery;
1134 struct inquiry_info *info = (struct inquiry_info *) buf;
1135 struct inquiry_entry *e;
1136 int copied = 0;
1137
1138 list_for_each_entry(e, &cache->all, all) {
1139 struct inquiry_data *data = &e->data;
1140
1141 if (copied >= num)
1142 break;
1143
1144 bacpy(&info->bdaddr, &data->bdaddr);
1145 info->pscan_rep_mode = data->pscan_rep_mode;
1146 info->pscan_period_mode = data->pscan_period_mode;
1147 info->pscan_mode = data->pscan_mode;
1148 memcpy(info->dev_class, data->dev_class, 3);
1149 info->clock_offset = data->clock_offset;
1150
1151 info++;
1152 copied++;
1153 }
1154
1155 BT_DBG("cache %p, copied %d", cache, copied);
1156 return copied;
1157}
1158
1159static int hci_inq_req(struct hci_request *req, unsigned long opt)
1160{
1161 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1162 struct hci_dev *hdev = req->hdev;
1163 struct hci_cp_inquiry cp;
1164
1165 BT_DBG("%s", hdev->name);
1166
1167 if (test_bit(HCI_INQUIRY, &hdev->flags))
1168 return 0;
1169
1170 /* Start Inquiry */
1171 memcpy(&cp.lap, &ir->lap, 3);
1172 cp.length = ir->length;
1173 cp.num_rsp = ir->num_rsp;
1174 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1175
1176 return 0;
1177}
1178
1179int hci_inquiry(void __user *arg)
1180{
1181 __u8 __user *ptr = arg;
1182 struct hci_inquiry_req ir;
1183 struct hci_dev *hdev;
1184 int err = 0, do_inquiry = 0, max_rsp;
1185 long timeo;
1186 __u8 *buf;
1187
1188 if (copy_from_user(&ir, ptr, sizeof(ir)))
1189 return -EFAULT;
1190
1191 hdev = hci_dev_get(ir.dev_id);
1192 if (!hdev)
1193 return -ENODEV;
1194
1195 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1196 err = -EBUSY;
1197 goto done;
1198 }
1199
1200 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1201 err = -EOPNOTSUPP;
1202 goto done;
1203 }
1204
1205 if (hdev->dev_type != HCI_BREDR) {
1206 err = -EOPNOTSUPP;
1207 goto done;
1208 }
1209
1210 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1211 err = -EOPNOTSUPP;
1212 goto done;
1213 }
1214
1215 hci_dev_lock(hdev);
1216 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1217 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1218 hci_inquiry_cache_flush(hdev);
1219 do_inquiry = 1;
1220 }
1221 hci_dev_unlock(hdev);
1222
1223 timeo = ir.length * msecs_to_jiffies(2000);
1224
1225 if (do_inquiry) {
1226 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1227 timeo, NULL);
1228 if (err < 0)
1229 goto done;
1230
1231 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1232 * cleared). If it is interrupted by a signal, return -EINTR.
1233 */
1234 if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1235 TASK_INTERRUPTIBLE))
1236 return -EINTR;
1237 }
1238
1239 /* for unlimited number of responses we will use buffer with
1240 * 255 entries
1241 */
1242 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1243
1244 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1245 * copy it to the user space.
1246 */
1247 buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1248 if (!buf) {
1249 err = -ENOMEM;
1250 goto done;
1251 }
1252
1253 hci_dev_lock(hdev);
1254 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1255 hci_dev_unlock(hdev);
1256
1257 BT_DBG("num_rsp %d", ir.num_rsp);
1258
1259 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1260 ptr += sizeof(ir);
1261 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1262 ir.num_rsp))
1263 err = -EFAULT;
1264 } else
1265 err = -EFAULT;
1266
1267 kfree(buf);
1268
1269done:
1270 hci_dev_put(hdev);
1271 return err;
1272}
1273
1274static int hci_dev_do_open(struct hci_dev *hdev)
1275{
1276 int ret = 0;
1277
1278 BT_DBG("%s %p", hdev->name, hdev);
1279
1280 hci_req_sync_lock(hdev);
1281
1282 if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1283 ret = -ENODEV;
1284 goto done;
1285 }
1286
1287 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1288 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
1289 /* Check for rfkill but allow the HCI setup stage to
1290 * proceed (which in itself doesn't cause any RF activity).
1291 */
1292 if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
1293 ret = -ERFKILL;
1294 goto done;
1295 }
1296
1297 /* Check for valid public address or a configured static
1298 * random adddress, but let the HCI setup proceed to
1299 * be able to determine if there is a public address
1300 * or not.
1301 *
1302 * In case of user channel usage, it is not important
1303 * if a public address or static random address is
1304 * available.
1305 *
1306 * This check is only valid for BR/EDR controllers
1307 * since AMP controllers do not have an address.
1308 */
1309 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1310 hdev->dev_type == HCI_BREDR &&
1311 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1312 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1313 ret = -EADDRNOTAVAIL;
1314 goto done;
1315 }
1316 }
1317
1318 if (test_bit(HCI_UP, &hdev->flags)) {
1319 ret = -EALREADY;
1320 goto done;
1321 }
1322
1323 if (hdev->open(hdev)) {
1324 ret = -EIO;
1325 goto done;
1326 }
1327
1328 set_bit(HCI_RUNNING, &hdev->flags);
1329 hci_sock_dev_event(hdev, HCI_DEV_OPEN);
1330
1331 atomic_set(&hdev->cmd_cnt, 1);
1332 set_bit(HCI_INIT, &hdev->flags);
1333
1334 if (hci_dev_test_flag(hdev, HCI_SETUP)) {
1335 hci_sock_dev_event(hdev, HCI_DEV_SETUP);
1336
1337 if (hdev->setup)
1338 ret = hdev->setup(hdev);
1339
1340 /* The transport driver can set these quirks before
1341 * creating the HCI device or in its setup callback.
1342 *
1343 * In case any of them is set, the controller has to
1344 * start up as unconfigured.
1345 */
1346 if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1347 test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks))
1348 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
1349
1350 /* For an unconfigured controller it is required to
1351 * read at least the version information provided by
1352 * the Read Local Version Information command.
1353 *
1354 * If the set_bdaddr driver callback is provided, then
1355 * also the original Bluetooth public device address
1356 * will be read using the Read BD Address command.
1357 */
1358 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1359 ret = __hci_unconf_init(hdev);
1360 }
1361
1362 if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
1363 /* If public address change is configured, ensure that
1364 * the address gets programmed. If the driver does not
1365 * support changing the public address, fail the power
1366 * on procedure.
1367 */
1368 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1369 hdev->set_bdaddr)
1370 ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1371 else
1372 ret = -EADDRNOTAVAIL;
1373 }
1374
1375 if (!ret) {
1376 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1377 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1378 ret = __hci_init(hdev);
1379 if (!ret && hdev->post_init)
1380 ret = hdev->post_init(hdev);
1381 }
1382 }
1383
1384 /* If the HCI Reset command is clearing all diagnostic settings,
1385 * then they need to be reprogrammed after the init procedure
1386 * completed.
1387 */
1388 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
1389 hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
1390 ret = hdev->set_diag(hdev, true);
1391
1392 clear_bit(HCI_INIT, &hdev->flags);
1393
1394 if (!ret) {
1395 hci_dev_hold(hdev);
1396 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1397 set_bit(HCI_UP, &hdev->flags);
1398 hci_sock_dev_event(hdev, HCI_DEV_UP);
1399 hci_leds_update_powered(hdev, true);
1400 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1401 !hci_dev_test_flag(hdev, HCI_CONFIG) &&
1402 !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1403 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1404 hci_dev_test_flag(hdev, HCI_MGMT) &&
1405 hdev->dev_type == HCI_BREDR) {
1406 ret = __hci_req_hci_power_on(hdev);
1407 mgmt_power_on(hdev, ret);
1408 }
1409 } else {
1410 /* Init failed, cleanup */
1411 flush_work(&hdev->tx_work);
1412 flush_work(&hdev->cmd_work);
1413 flush_work(&hdev->rx_work);
1414
1415 skb_queue_purge(&hdev->cmd_q);
1416 skb_queue_purge(&hdev->rx_q);
1417
1418 if (hdev->flush)
1419 hdev->flush(hdev);
1420
1421 if (hdev->sent_cmd) {
1422 kfree_skb(hdev->sent_cmd);
1423 hdev->sent_cmd = NULL;
1424 }
1425
1426 clear_bit(HCI_RUNNING, &hdev->flags);
1427 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1428
1429 hdev->close(hdev);
1430 hdev->flags &= BIT(HCI_RAW);
1431 }
1432
1433done:
1434 hci_req_sync_unlock(hdev);
1435 return ret;
1436}
1437
1438/* ---- HCI ioctl helpers ---- */
1439
1440int hci_dev_open(__u16 dev)
1441{
1442 struct hci_dev *hdev;
1443 int err;
1444
1445 hdev = hci_dev_get(dev);
1446 if (!hdev)
1447 return -ENODEV;
1448
1449 /* Devices that are marked as unconfigured can only be powered
1450 * up as user channel. Trying to bring them up as normal devices
1451 * will result into a failure. Only user channel operation is
1452 * possible.
1453 *
1454 * When this function is called for a user channel, the flag
1455 * HCI_USER_CHANNEL will be set first before attempting to
1456 * open the device.
1457 */
1458 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1459 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1460 err = -EOPNOTSUPP;
1461 goto done;
1462 }
1463
1464 /* We need to ensure that no other power on/off work is pending
1465 * before proceeding to call hci_dev_do_open. This is
1466 * particularly important if the setup procedure has not yet
1467 * completed.
1468 */
1469 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1470 cancel_delayed_work(&hdev->power_off);
1471
1472 /* After this call it is guaranteed that the setup procedure
1473 * has finished. This means that error conditions like RFKILL
1474 * or no valid public or static random address apply.
1475 */
1476 flush_workqueue(hdev->req_workqueue);
1477
1478 /* For controllers not using the management interface and that
1479 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1480 * so that pairing works for them. Once the management interface
1481 * is in use this bit will be cleared again and userspace has
1482 * to explicitly enable it.
1483 */
1484 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1485 !hci_dev_test_flag(hdev, HCI_MGMT))
1486 hci_dev_set_flag(hdev, HCI_BONDABLE);
1487
1488 err = hci_dev_do_open(hdev);
1489
1490done:
1491 hci_dev_put(hdev);
1492 return err;
1493}
1494
1495/* This function requires the caller holds hdev->lock */
1496static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1497{
1498 struct hci_conn_params *p;
1499
1500 list_for_each_entry(p, &hdev->le_conn_params, list) {
1501 if (p->conn) {
1502 hci_conn_drop(p->conn);
1503 hci_conn_put(p->conn);
1504 p->conn = NULL;
1505 }
1506 list_del_init(&p->action);
1507 }
1508
1509 BT_DBG("All LE pending actions cleared");
1510}
1511
1512int hci_dev_do_close(struct hci_dev *hdev)
1513{
1514 bool auto_off;
1515
1516 BT_DBG("%s %p", hdev->name, hdev);
1517
1518 if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
1519 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1520 test_bit(HCI_UP, &hdev->flags)) {
1521 /* Execute vendor specific shutdown routine */
1522 if (hdev->shutdown)
1523 hdev->shutdown(hdev);
1524 }
1525
1526 cancel_delayed_work(&hdev->power_off);
1527
1528 hci_request_cancel_all(hdev);
1529 hci_req_sync_lock(hdev);
1530
1531 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1532 cancel_delayed_work_sync(&hdev->cmd_timer);
1533 hci_req_sync_unlock(hdev);
1534 return 0;
1535 }
1536
1537 hci_leds_update_powered(hdev, false);
1538
1539 /* Flush RX and TX works */
1540 flush_work(&hdev->tx_work);
1541 flush_work(&hdev->rx_work);
1542
1543 if (hdev->discov_timeout > 0) {
1544 hdev->discov_timeout = 0;
1545 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1546 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1547 }
1548
1549 if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1550 cancel_delayed_work(&hdev->service_cache);
1551
1552 if (hci_dev_test_flag(hdev, HCI_MGMT))
1553 cancel_delayed_work_sync(&hdev->rpa_expired);
1554
1555 /* Avoid potential lockdep warnings from the *_flush() calls by
1556 * ensuring the workqueue is empty up front.
1557 */
1558 drain_workqueue(hdev->workqueue);
1559
1560 hci_dev_lock(hdev);
1561
1562 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1563
1564 auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
1565
1566 if (!auto_off && hdev->dev_type == HCI_BREDR &&
1567 hci_dev_test_flag(hdev, HCI_MGMT))
1568 __mgmt_power_off(hdev);
1569
1570 hci_inquiry_cache_flush(hdev);
1571 hci_pend_le_actions_clear(hdev);
1572 hci_conn_hash_flush(hdev);
1573 hci_dev_unlock(hdev);
1574
1575 smp_unregister(hdev);
1576
1577 hci_sock_dev_event(hdev, HCI_DEV_DOWN);
1578
1579 if (hdev->flush)
1580 hdev->flush(hdev);
1581
1582 /* Reset device */
1583 skb_queue_purge(&hdev->cmd_q);
1584 atomic_set(&hdev->cmd_cnt, 1);
1585 if (test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks) &&
1586 !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1587 set_bit(HCI_INIT, &hdev->flags);
1588 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT, NULL);
1589 clear_bit(HCI_INIT, &hdev->flags);
1590 }
1591
1592 /* flush cmd work */
1593 flush_work(&hdev->cmd_work);
1594
1595 /* Drop queues */
1596 skb_queue_purge(&hdev->rx_q);
1597 skb_queue_purge(&hdev->cmd_q);
1598 skb_queue_purge(&hdev->raw_q);
1599
1600 /* Drop last sent command */
1601 if (hdev->sent_cmd) {
1602 cancel_delayed_work_sync(&hdev->cmd_timer);
1603 kfree_skb(hdev->sent_cmd);
1604 hdev->sent_cmd = NULL;
1605 }
1606
1607 clear_bit(HCI_RUNNING, &hdev->flags);
1608 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1609
1610 /* After this point our queues are empty
1611 * and no tasks are scheduled. */
1612 hdev->close(hdev);
1613
1614 /* Clear flags */
1615 hdev->flags &= BIT(HCI_RAW);
1616 hci_dev_clear_volatile_flags(hdev);
1617
1618 /* Controller radio is available but is currently powered down */
1619 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1620
1621 memset(hdev->eir, 0, sizeof(hdev->eir));
1622 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1623 bacpy(&hdev->random_addr, BDADDR_ANY);
1624
1625 hci_req_sync_unlock(hdev);
1626
1627 hci_dev_put(hdev);
1628 return 0;
1629}
1630
1631int hci_dev_close(__u16 dev)
1632{
1633 struct hci_dev *hdev;
1634 int err;
1635
1636 hdev = hci_dev_get(dev);
1637 if (!hdev)
1638 return -ENODEV;
1639
1640 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1641 err = -EBUSY;
1642 goto done;
1643 }
1644
1645 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1646 cancel_delayed_work(&hdev->power_off);
1647
1648 err = hci_dev_do_close(hdev);
1649
1650done:
1651 hci_dev_put(hdev);
1652 return err;
1653}
1654
1655static int hci_dev_do_reset(struct hci_dev *hdev)
1656{
1657 int ret;
1658
1659 BT_DBG("%s %p", hdev->name, hdev);
1660
1661 hci_req_sync_lock(hdev);
1662
1663 /* Drop queues */
1664 skb_queue_purge(&hdev->rx_q);
1665 skb_queue_purge(&hdev->cmd_q);
1666
1667 /* Avoid potential lockdep warnings from the *_flush() calls by
1668 * ensuring the workqueue is empty up front.
1669 */
1670 drain_workqueue(hdev->workqueue);
1671
1672 hci_dev_lock(hdev);
1673 hci_inquiry_cache_flush(hdev);
1674 hci_conn_hash_flush(hdev);
1675 hci_dev_unlock(hdev);
1676
1677 if (hdev->flush)
1678 hdev->flush(hdev);
1679
1680 atomic_set(&hdev->cmd_cnt, 1);
1681 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1682
1683 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT, NULL);
1684
1685 hci_req_sync_unlock(hdev);
1686 return ret;
1687}
1688
1689int hci_dev_reset(__u16 dev)
1690{
1691 struct hci_dev *hdev;
1692 int err;
1693
1694 hdev = hci_dev_get(dev);
1695 if (!hdev)
1696 return -ENODEV;
1697
1698 if (!test_bit(HCI_UP, &hdev->flags)) {
1699 err = -ENETDOWN;
1700 goto done;
1701 }
1702
1703 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1704 err = -EBUSY;
1705 goto done;
1706 }
1707
1708 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1709 err = -EOPNOTSUPP;
1710 goto done;
1711 }
1712
1713 err = hci_dev_do_reset(hdev);
1714
1715done:
1716 hci_dev_put(hdev);
1717 return err;
1718}
1719
1720int hci_dev_reset_stat(__u16 dev)
1721{
1722 struct hci_dev *hdev;
1723 int ret = 0;
1724
1725 hdev = hci_dev_get(dev);
1726 if (!hdev)
1727 return -ENODEV;
1728
1729 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1730 ret = -EBUSY;
1731 goto done;
1732 }
1733
1734 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1735 ret = -EOPNOTSUPP;
1736 goto done;
1737 }
1738
1739 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1740
1741done:
1742 hci_dev_put(hdev);
1743 return ret;
1744}
1745
1746static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1747{
1748 bool conn_changed, discov_changed;
1749
1750 BT_DBG("%s scan 0x%02x", hdev->name, scan);
1751
1752 if ((scan & SCAN_PAGE))
1753 conn_changed = !hci_dev_test_and_set_flag(hdev,
1754 HCI_CONNECTABLE);
1755 else
1756 conn_changed = hci_dev_test_and_clear_flag(hdev,
1757 HCI_CONNECTABLE);
1758
1759 if ((scan & SCAN_INQUIRY)) {
1760 discov_changed = !hci_dev_test_and_set_flag(hdev,
1761 HCI_DISCOVERABLE);
1762 } else {
1763 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1764 discov_changed = hci_dev_test_and_clear_flag(hdev,
1765 HCI_DISCOVERABLE);
1766 }
1767
1768 if (!hci_dev_test_flag(hdev, HCI_MGMT))
1769 return;
1770
1771 if (conn_changed || discov_changed) {
1772 /* In case this was disabled through mgmt */
1773 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
1774
1775 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1776 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1777
1778 mgmt_new_settings(hdev);
1779 }
1780}
1781
1782int hci_dev_cmd(unsigned int cmd, void __user *arg)
1783{
1784 struct hci_dev *hdev;
1785 struct hci_dev_req dr;
1786 int err = 0;
1787
1788 if (copy_from_user(&dr, arg, sizeof(dr)))
1789 return -EFAULT;
1790
1791 hdev = hci_dev_get(dr.dev_id);
1792 if (!hdev)
1793 return -ENODEV;
1794
1795 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1796 err = -EBUSY;
1797 goto done;
1798 }
1799
1800 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1801 err = -EOPNOTSUPP;
1802 goto done;
1803 }
1804
1805 if (hdev->dev_type != HCI_BREDR) {
1806 err = -EOPNOTSUPP;
1807 goto done;
1808 }
1809
1810 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1811 err = -EOPNOTSUPP;
1812 goto done;
1813 }
1814
1815 switch (cmd) {
1816 case HCISETAUTH:
1817 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1818 HCI_INIT_TIMEOUT, NULL);
1819 break;
1820
1821 case HCISETENCRYPT:
1822 if (!lmp_encrypt_capable(hdev)) {
1823 err = -EOPNOTSUPP;
1824 break;
1825 }
1826
1827 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1828 /* Auth must be enabled first */
1829 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1830 HCI_INIT_TIMEOUT, NULL);
1831 if (err)
1832 break;
1833 }
1834
1835 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1836 HCI_INIT_TIMEOUT, NULL);
1837 break;
1838
1839 case HCISETSCAN:
1840 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1841 HCI_INIT_TIMEOUT, NULL);
1842
1843 /* Ensure that the connectable and discoverable states
1844 * get correctly modified as this was a non-mgmt change.
1845 */
1846 if (!err)
1847 hci_update_scan_state(hdev, dr.dev_opt);
1848 break;
1849
1850 case HCISETLINKPOL:
1851 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1852 HCI_INIT_TIMEOUT, NULL);
1853 break;
1854
1855 case HCISETLINKMODE:
1856 hdev->link_mode = ((__u16) dr.dev_opt) &
1857 (HCI_LM_MASTER | HCI_LM_ACCEPT);
1858 break;
1859
1860 case HCISETPTYPE:
1861 hdev->pkt_type = (__u16) dr.dev_opt;
1862 break;
1863
1864 case HCISETACLMTU:
1865 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
1866 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1867 break;
1868
1869 case HCISETSCOMTU:
1870 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
1871 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1872 break;
1873
1874 default:
1875 err = -EINVAL;
1876 break;
1877 }
1878
1879done:
1880 hci_dev_put(hdev);
1881 return err;
1882}
1883
1884int hci_get_dev_list(void __user *arg)
1885{
1886 struct hci_dev *hdev;
1887 struct hci_dev_list_req *dl;
1888 struct hci_dev_req *dr;
1889 int n = 0, size, err;
1890 __u16 dev_num;
1891
1892 if (get_user(dev_num, (__u16 __user *) arg))
1893 return -EFAULT;
1894
1895 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1896 return -EINVAL;
1897
1898 size = sizeof(*dl) + dev_num * sizeof(*dr);
1899
1900 dl = kzalloc(size, GFP_KERNEL);
1901 if (!dl)
1902 return -ENOMEM;
1903
1904 dr = dl->dev_req;
1905
1906 read_lock(&hci_dev_list_lock);
1907 list_for_each_entry(hdev, &hci_dev_list, list) {
1908 unsigned long flags = hdev->flags;
1909
1910 /* When the auto-off is configured it means the transport
1911 * is running, but in that case still indicate that the
1912 * device is actually down.
1913 */
1914 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1915 flags &= ~BIT(HCI_UP);
1916
1917 (dr + n)->dev_id = hdev->id;
1918 (dr + n)->dev_opt = flags;
1919
1920 if (++n >= dev_num)
1921 break;
1922 }
1923 read_unlock(&hci_dev_list_lock);
1924
1925 dl->dev_num = n;
1926 size = sizeof(*dl) + n * sizeof(*dr);
1927
1928 err = copy_to_user(arg, dl, size);
1929 kfree(dl);
1930
1931 return err ? -EFAULT : 0;
1932}
1933
1934int hci_get_dev_info(void __user *arg)
1935{
1936 struct hci_dev *hdev;
1937 struct hci_dev_info di;
1938 unsigned long flags;
1939 int err = 0;
1940
1941 if (copy_from_user(&di, arg, sizeof(di)))
1942 return -EFAULT;
1943
1944 hdev = hci_dev_get(di.dev_id);
1945 if (!hdev)
1946 return -ENODEV;
1947
1948 /* When the auto-off is configured it means the transport
1949 * is running, but in that case still indicate that the
1950 * device is actually down.
1951 */
1952 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1953 flags = hdev->flags & ~BIT(HCI_UP);
1954 else
1955 flags = hdev->flags;
1956
1957 strcpy(di.name, hdev->name);
1958 di.bdaddr = hdev->bdaddr;
1959 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
1960 di.flags = flags;
1961 di.pkt_type = hdev->pkt_type;
1962 if (lmp_bredr_capable(hdev)) {
1963 di.acl_mtu = hdev->acl_mtu;
1964 di.acl_pkts = hdev->acl_pkts;
1965 di.sco_mtu = hdev->sco_mtu;
1966 di.sco_pkts = hdev->sco_pkts;
1967 } else {
1968 di.acl_mtu = hdev->le_mtu;
1969 di.acl_pkts = hdev->le_pkts;
1970 di.sco_mtu = 0;
1971 di.sco_pkts = 0;
1972 }
1973 di.link_policy = hdev->link_policy;
1974 di.link_mode = hdev->link_mode;
1975
1976 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1977 memcpy(&di.features, &hdev->features, sizeof(di.features));
1978
1979 if (copy_to_user(arg, &di, sizeof(di)))
1980 err = -EFAULT;
1981
1982 hci_dev_put(hdev);
1983
1984 return err;
1985}
1986
1987/* ---- Interface to HCI drivers ---- */
1988
1989static int hci_rfkill_set_block(void *data, bool blocked)
1990{
1991 struct hci_dev *hdev = data;
1992
1993 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1994
1995 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1996 return -EBUSY;
1997
1998 if (blocked) {
1999 hci_dev_set_flag(hdev, HCI_RFKILLED);
2000 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
2001 !hci_dev_test_flag(hdev, HCI_CONFIG))
2002 hci_dev_do_close(hdev);
2003 } else {
2004 hci_dev_clear_flag(hdev, HCI_RFKILLED);
2005 }
2006
2007 return 0;
2008}
2009
2010static const struct rfkill_ops hci_rfkill_ops = {
2011 .set_block = hci_rfkill_set_block,
2012};
2013
2014static void hci_power_on(struct work_struct *work)
2015{
2016 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2017 int err;
2018
2019 BT_DBG("%s", hdev->name);
2020
2021 if (test_bit(HCI_UP, &hdev->flags) &&
2022 hci_dev_test_flag(hdev, HCI_MGMT) &&
2023 hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
2024 cancel_delayed_work(&hdev->power_off);
2025 hci_req_sync_lock(hdev);
2026 err = __hci_req_hci_power_on(hdev);
2027 hci_req_sync_unlock(hdev);
2028 mgmt_power_on(hdev, err);
2029 return;
2030 }
2031
2032 err = hci_dev_do_open(hdev);
2033 if (err < 0) {
2034 hci_dev_lock(hdev);
2035 mgmt_set_powered_failed(hdev, err);
2036 hci_dev_unlock(hdev);
2037 return;
2038 }
2039
2040 /* During the HCI setup phase, a few error conditions are
2041 * ignored and they need to be checked now. If they are still
2042 * valid, it is important to turn the device back off.
2043 */
2044 if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
2045 hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
2046 (hdev->dev_type == HCI_BREDR &&
2047 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2048 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2049 hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
2050 hci_dev_do_close(hdev);
2051 } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
2052 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2053 HCI_AUTO_OFF_TIMEOUT);
2054 }
2055
2056 if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
2057 /* For unconfigured devices, set the HCI_RAW flag
2058 * so that userspace can easily identify them.
2059 */
2060 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2061 set_bit(HCI_RAW, &hdev->flags);
2062
2063 /* For fully configured devices, this will send
2064 * the Index Added event. For unconfigured devices,
2065 * it will send Unconfigued Index Added event.
2066 *
2067 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2068 * and no event will be send.
2069 */
2070 mgmt_index_added(hdev);
2071 } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
2072 /* When the controller is now configured, then it
2073 * is important to clear the HCI_RAW flag.
2074 */
2075 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2076 clear_bit(HCI_RAW, &hdev->flags);
2077
2078 /* Powering on the controller with HCI_CONFIG set only
2079 * happens with the transition from unconfigured to
2080 * configured. This will send the Index Added event.
2081 */
2082 mgmt_index_added(hdev);
2083 }
2084}
2085
2086static void hci_power_off(struct work_struct *work)
2087{
2088 struct hci_dev *hdev = container_of(work, struct hci_dev,
2089 power_off.work);
2090
2091 BT_DBG("%s", hdev->name);
2092
2093 hci_dev_do_close(hdev);
2094}
2095
2096static void hci_error_reset(struct work_struct *work)
2097{
2098 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2099
2100 BT_DBG("%s", hdev->name);
2101
2102 if (hdev->hw_error)
2103 hdev->hw_error(hdev, hdev->hw_error_code);
2104 else
2105 BT_ERR("%s hardware error 0x%2.2x", hdev->name,
2106 hdev->hw_error_code);
2107
2108 if (hci_dev_do_close(hdev))
2109 return;
2110
2111 hci_dev_do_open(hdev);
2112}
2113
2114void hci_uuids_clear(struct hci_dev *hdev)
2115{
2116 struct bt_uuid *uuid, *tmp;
2117
2118 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2119 list_del(&uuid->list);
2120 kfree(uuid);
2121 }
2122}
2123
2124void hci_link_keys_clear(struct hci_dev *hdev)
2125{
2126 struct link_key *key;
2127
2128 list_for_each_entry_rcu(key, &hdev->link_keys, list) {
2129 list_del_rcu(&key->list);
2130 kfree_rcu(key, rcu);
2131 }
2132}
2133
2134void hci_smp_ltks_clear(struct hci_dev *hdev)
2135{
2136 struct smp_ltk *k;
2137
2138 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2139 list_del_rcu(&k->list);
2140 kfree_rcu(k, rcu);
2141 }
2142}
2143
2144void hci_smp_irks_clear(struct hci_dev *hdev)
2145{
2146 struct smp_irk *k;
2147
2148 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2149 list_del_rcu(&k->list);
2150 kfree_rcu(k, rcu);
2151 }
2152}
2153
2154struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2155{
2156 struct link_key *k;
2157
2158 rcu_read_lock();
2159 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2160 if (bacmp(bdaddr, &k->bdaddr) == 0) {
2161 rcu_read_unlock();
2162 return k;
2163 }
2164 }
2165 rcu_read_unlock();
2166
2167 return NULL;
2168}
2169
2170static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2171 u8 key_type, u8 old_key_type)
2172{
2173 /* Legacy key */
2174 if (key_type < 0x03)
2175 return true;
2176
2177 /* Debug keys are insecure so don't store them persistently */
2178 if (key_type == HCI_LK_DEBUG_COMBINATION)
2179 return false;
2180
2181 /* Changed combination key and there's no previous one */
2182 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2183 return false;
2184
2185 /* Security mode 3 case */
2186 if (!conn)
2187 return true;
2188
2189 /* BR/EDR key derived using SC from an LE link */
2190 if (conn->type == LE_LINK)
2191 return true;
2192
2193 /* Neither local nor remote side had no-bonding as requirement */
2194 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2195 return true;
2196
2197 /* Local side had dedicated bonding as requirement */
2198 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2199 return true;
2200
2201 /* Remote side had dedicated bonding as requirement */
2202 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2203 return true;
2204
2205 /* If none of the above criteria match, then don't store the key
2206 * persistently */
2207 return false;
2208}
2209
2210static u8 ltk_role(u8 type)
2211{
2212 if (type == SMP_LTK)
2213 return HCI_ROLE_MASTER;
2214
2215 return HCI_ROLE_SLAVE;
2216}
2217
2218struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2219 u8 addr_type, u8 role)
2220{
2221 struct smp_ltk *k;
2222
2223 rcu_read_lock();
2224 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2225 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2226 continue;
2227
2228 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2229 rcu_read_unlock();
2230 return k;
2231 }
2232 }
2233 rcu_read_unlock();
2234
2235 return NULL;
2236}
2237
2238struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2239{
2240 struct smp_irk *irk;
2241
2242 rcu_read_lock();
2243 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2244 if (!bacmp(&irk->rpa, rpa)) {
2245 rcu_read_unlock();
2246 return irk;
2247 }
2248 }
2249
2250 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2251 if (smp_irk_matches(hdev, irk->val, rpa)) {
2252 bacpy(&irk->rpa, rpa);
2253 rcu_read_unlock();
2254 return irk;
2255 }
2256 }
2257 rcu_read_unlock();
2258
2259 return NULL;
2260}
2261
2262struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2263 u8 addr_type)
2264{
2265 struct smp_irk *irk;
2266
2267 /* Identity Address must be public or static random */
2268 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2269 return NULL;
2270
2271 rcu_read_lock();
2272 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2273 if (addr_type == irk->addr_type &&
2274 bacmp(bdaddr, &irk->bdaddr) == 0) {
2275 rcu_read_unlock();
2276 return irk;
2277 }
2278 }
2279 rcu_read_unlock();
2280
2281 return NULL;
2282}
2283
2284struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2285 bdaddr_t *bdaddr, u8 *val, u8 type,
2286 u8 pin_len, bool *persistent)
2287{
2288 struct link_key *key, *old_key;
2289 u8 old_key_type;
2290
2291 old_key = hci_find_link_key(hdev, bdaddr);
2292 if (old_key) {
2293 old_key_type = old_key->type;
2294 key = old_key;
2295 } else {
2296 old_key_type = conn ? conn->key_type : 0xff;
2297 key = kzalloc(sizeof(*key), GFP_KERNEL);
2298 if (!key)
2299 return NULL;
2300 list_add_rcu(&key->list, &hdev->link_keys);
2301 }
2302
2303 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2304
2305 /* Some buggy controller combinations generate a changed
2306 * combination key for legacy pairing even when there's no
2307 * previous key */
2308 if (type == HCI_LK_CHANGED_COMBINATION &&
2309 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2310 type = HCI_LK_COMBINATION;
2311 if (conn)
2312 conn->key_type = type;
2313 }
2314
2315 bacpy(&key->bdaddr, bdaddr);
2316 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2317 key->pin_len = pin_len;
2318
2319 if (type == HCI_LK_CHANGED_COMBINATION)
2320 key->type = old_key_type;
2321 else
2322 key->type = type;
2323
2324 if (persistent)
2325 *persistent = hci_persistent_key(hdev, conn, type,
2326 old_key_type);
2327
2328 return key;
2329}
2330
2331struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2332 u8 addr_type, u8 type, u8 authenticated,
2333 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2334{
2335 struct smp_ltk *key, *old_key;
2336 u8 role = ltk_role(type);
2337
2338 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2339 if (old_key)
2340 key = old_key;
2341 else {
2342 key = kzalloc(sizeof(*key), GFP_KERNEL);
2343 if (!key)
2344 return NULL;
2345 list_add_rcu(&key->list, &hdev->long_term_keys);
2346 }
2347
2348 bacpy(&key->bdaddr, bdaddr);
2349 key->bdaddr_type = addr_type;
2350 memcpy(key->val, tk, sizeof(key->val));
2351 key->authenticated = authenticated;
2352 key->ediv = ediv;
2353 key->rand = rand;
2354 key->enc_size = enc_size;
2355 key->type = type;
2356
2357 return key;
2358}
2359
2360struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2361 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2362{
2363 struct smp_irk *irk;
2364
2365 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2366 if (!irk) {
2367 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2368 if (!irk)
2369 return NULL;
2370
2371 bacpy(&irk->bdaddr, bdaddr);
2372 irk->addr_type = addr_type;
2373
2374 list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2375 }
2376
2377 memcpy(irk->val, val, 16);
2378 bacpy(&irk->rpa, rpa);
2379
2380 return irk;
2381}
2382
2383int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2384{
2385 struct link_key *key;
2386
2387 key = hci_find_link_key(hdev, bdaddr);
2388 if (!key)
2389 return -ENOENT;
2390
2391 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2392
2393 list_del_rcu(&key->list);
2394 kfree_rcu(key, rcu);
2395
2396 return 0;
2397}
2398
2399int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2400{
2401 struct smp_ltk *k;
2402 int removed = 0;
2403
2404 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2405 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2406 continue;
2407
2408 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2409
2410 list_del_rcu(&k->list);
2411 kfree_rcu(k, rcu);
2412 removed++;
2413 }
2414
2415 return removed ? 0 : -ENOENT;
2416}
2417
2418void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2419{
2420 struct smp_irk *k;
2421
2422 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2423 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2424 continue;
2425
2426 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2427
2428 list_del_rcu(&k->list);
2429 kfree_rcu(k, rcu);
2430 }
2431}
2432
2433bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2434{
2435 struct smp_ltk *k;
2436 struct smp_irk *irk;
2437 u8 addr_type;
2438
2439 if (type == BDADDR_BREDR) {
2440 if (hci_find_link_key(hdev, bdaddr))
2441 return true;
2442 return false;
2443 }
2444
2445 /* Convert to HCI addr type which struct smp_ltk uses */
2446 if (type == BDADDR_LE_PUBLIC)
2447 addr_type = ADDR_LE_DEV_PUBLIC;
2448 else
2449 addr_type = ADDR_LE_DEV_RANDOM;
2450
2451 irk = hci_get_irk(hdev, bdaddr, addr_type);
2452 if (irk) {
2453 bdaddr = &irk->bdaddr;
2454 addr_type = irk->addr_type;
2455 }
2456
2457 rcu_read_lock();
2458 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2459 if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
2460 rcu_read_unlock();
2461 return true;
2462 }
2463 }
2464 rcu_read_unlock();
2465
2466 return false;
2467}
2468
2469/* HCI command timer function */
2470static void hci_cmd_timeout(struct work_struct *work)
2471{
2472 struct hci_dev *hdev = container_of(work, struct hci_dev,
2473 cmd_timer.work);
2474
2475 if (hdev->sent_cmd) {
2476 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2477 u16 opcode = __le16_to_cpu(sent->opcode);
2478
2479 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2480 } else {
2481 BT_ERR("%s command tx timeout", hdev->name);
2482 }
2483
2484 atomic_set(&hdev->cmd_cnt, 1);
2485 queue_work(hdev->workqueue, &hdev->cmd_work);
2486}
2487
2488struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2489 bdaddr_t *bdaddr, u8 bdaddr_type)
2490{
2491 struct oob_data *data;
2492
2493 list_for_each_entry(data, &hdev->remote_oob_data, list) {
2494 if (bacmp(bdaddr, &data->bdaddr) != 0)
2495 continue;
2496 if (data->bdaddr_type != bdaddr_type)
2497 continue;
2498 return data;
2499 }
2500
2501 return NULL;
2502}
2503
2504int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2505 u8 bdaddr_type)
2506{
2507 struct oob_data *data;
2508
2509 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2510 if (!data)
2511 return -ENOENT;
2512
2513 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2514
2515 list_del(&data->list);
2516 kfree(data);
2517
2518 return 0;
2519}
2520
2521void hci_remote_oob_data_clear(struct hci_dev *hdev)
2522{
2523 struct oob_data *data, *n;
2524
2525 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2526 list_del(&data->list);
2527 kfree(data);
2528 }
2529}
2530
2531int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2532 u8 bdaddr_type, u8 *hash192, u8 *rand192,
2533 u8 *hash256, u8 *rand256)
2534{
2535 struct oob_data *data;
2536
2537 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2538 if (!data) {
2539 data = kmalloc(sizeof(*data), GFP_KERNEL);
2540 if (!data)
2541 return -ENOMEM;
2542
2543 bacpy(&data->bdaddr, bdaddr);
2544 data->bdaddr_type = bdaddr_type;
2545 list_add(&data->list, &hdev->remote_oob_data);
2546 }
2547
2548 if (hash192 && rand192) {
2549 memcpy(data->hash192, hash192, sizeof(data->hash192));
2550 memcpy(data->rand192, rand192, sizeof(data->rand192));
2551 if (hash256 && rand256)
2552 data->present = 0x03;
2553 } else {
2554 memset(data->hash192, 0, sizeof(data->hash192));
2555 memset(data->rand192, 0, sizeof(data->rand192));
2556 if (hash256 && rand256)
2557 data->present = 0x02;
2558 else
2559 data->present = 0x00;
2560 }
2561
2562 if (hash256 && rand256) {
2563 memcpy(data->hash256, hash256, sizeof(data->hash256));
2564 memcpy(data->rand256, rand256, sizeof(data->rand256));
2565 } else {
2566 memset(data->hash256, 0, sizeof(data->hash256));
2567 memset(data->rand256, 0, sizeof(data->rand256));
2568 if (hash192 && rand192)
2569 data->present = 0x01;
2570 }
2571
2572 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2573
2574 return 0;
2575}
2576
2577/* This function requires the caller holds hdev->lock */
2578struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
2579{
2580 struct adv_info *adv_instance;
2581
2582 list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
2583 if (adv_instance->instance == instance)
2584 return adv_instance;
2585 }
2586
2587 return NULL;
2588}
2589
2590/* This function requires the caller holds hdev->lock */
2591struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
2592{
2593 struct adv_info *cur_instance;
2594
2595 cur_instance = hci_find_adv_instance(hdev, instance);
2596 if (!cur_instance)
2597 return NULL;
2598
2599 if (cur_instance == list_last_entry(&hdev->adv_instances,
2600 struct adv_info, list))
2601 return list_first_entry(&hdev->adv_instances,
2602 struct adv_info, list);
2603 else
2604 return list_next_entry(cur_instance, list);
2605}
2606
2607/* This function requires the caller holds hdev->lock */
2608int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
2609{
2610 struct adv_info *adv_instance;
2611
2612 adv_instance = hci_find_adv_instance(hdev, instance);
2613 if (!adv_instance)
2614 return -ENOENT;
2615
2616 BT_DBG("%s removing %dMR", hdev->name, instance);
2617
2618 if (hdev->cur_adv_instance == instance) {
2619 if (hdev->adv_instance_timeout) {
2620 cancel_delayed_work(&hdev->adv_instance_expire);
2621 hdev->adv_instance_timeout = 0;
2622 }
2623 hdev->cur_adv_instance = 0x00;
2624 }
2625
2626 list_del(&adv_instance->list);
2627 kfree(adv_instance);
2628
2629 hdev->adv_instance_cnt--;
2630
2631 return 0;
2632}
2633
2634/* This function requires the caller holds hdev->lock */
2635void hci_adv_instances_clear(struct hci_dev *hdev)
2636{
2637 struct adv_info *adv_instance, *n;
2638
2639 if (hdev->adv_instance_timeout) {
2640 cancel_delayed_work(&hdev->adv_instance_expire);
2641 hdev->adv_instance_timeout = 0;
2642 }
2643
2644 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
2645 list_del(&adv_instance->list);
2646 kfree(adv_instance);
2647 }
2648
2649 hdev->adv_instance_cnt = 0;
2650 hdev->cur_adv_instance = 0x00;
2651}
2652
2653/* This function requires the caller holds hdev->lock */
2654int hci_add_adv_instance(struct hci_dev *hdev, u8 instance, u32 flags,
2655 u16 adv_data_len, u8 *adv_data,
2656 u16 scan_rsp_len, u8 *scan_rsp_data,
2657 u16 timeout, u16 duration)
2658{
2659 struct adv_info *adv_instance;
2660
2661 adv_instance = hci_find_adv_instance(hdev, instance);
2662 if (adv_instance) {
2663 memset(adv_instance->adv_data, 0,
2664 sizeof(adv_instance->adv_data));
2665 memset(adv_instance->scan_rsp_data, 0,
2666 sizeof(adv_instance->scan_rsp_data));
2667 } else {
2668 if (hdev->adv_instance_cnt >= HCI_MAX_ADV_INSTANCES ||
2669 instance < 1 || instance > HCI_MAX_ADV_INSTANCES)
2670 return -EOVERFLOW;
2671
2672 adv_instance = kzalloc(sizeof(*adv_instance), GFP_KERNEL);
2673 if (!adv_instance)
2674 return -ENOMEM;
2675
2676 adv_instance->pending = true;
2677 adv_instance->instance = instance;
2678 list_add(&adv_instance->list, &hdev->adv_instances);
2679 hdev->adv_instance_cnt++;
2680 }
2681
2682 adv_instance->flags = flags;
2683 adv_instance->adv_data_len = adv_data_len;
2684 adv_instance->scan_rsp_len = scan_rsp_len;
2685
2686 if (adv_data_len)
2687 memcpy(adv_instance->adv_data, adv_data, adv_data_len);
2688
2689 if (scan_rsp_len)
2690 memcpy(adv_instance->scan_rsp_data,
2691 scan_rsp_data, scan_rsp_len);
2692
2693 adv_instance->timeout = timeout;
2694 adv_instance->remaining_time = timeout;
2695
2696 if (duration == 0)
2697 adv_instance->duration = HCI_DEFAULT_ADV_DURATION;
2698 else
2699 adv_instance->duration = duration;
2700
2701 BT_DBG("%s for %dMR", hdev->name, instance);
2702
2703 return 0;
2704}
2705
2706struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2707 bdaddr_t *bdaddr, u8 type)
2708{
2709 struct bdaddr_list *b;
2710
2711 list_for_each_entry(b, bdaddr_list, list) {
2712 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2713 return b;
2714 }
2715
2716 return NULL;
2717}
2718
2719void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2720{
2721 struct bdaddr_list *b, *n;
2722
2723 list_for_each_entry_safe(b, n, bdaddr_list, list) {
2724 list_del(&b->list);
2725 kfree(b);
2726 }
2727}
2728
2729int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2730{
2731 struct bdaddr_list *entry;
2732
2733 if (!bacmp(bdaddr, BDADDR_ANY))
2734 return -EBADF;
2735
2736 if (hci_bdaddr_list_lookup(list, bdaddr, type))
2737 return -EEXIST;
2738
2739 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2740 if (!entry)
2741 return -ENOMEM;
2742
2743 bacpy(&entry->bdaddr, bdaddr);
2744 entry->bdaddr_type = type;
2745
2746 list_add(&entry->list, list);
2747
2748 return 0;
2749}
2750
2751int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2752{
2753 struct bdaddr_list *entry;
2754
2755 if (!bacmp(bdaddr, BDADDR_ANY)) {
2756 hci_bdaddr_list_clear(list);
2757 return 0;
2758 }
2759
2760 entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2761 if (!entry)
2762 return -ENOENT;
2763
2764 list_del(&entry->list);
2765 kfree(entry);
2766
2767 return 0;
2768}
2769
2770/* This function requires the caller holds hdev->lock */
2771struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2772 bdaddr_t *addr, u8 addr_type)
2773{
2774 struct hci_conn_params *params;
2775
2776 list_for_each_entry(params, &hdev->le_conn_params, list) {
2777 if (bacmp(¶ms->addr, addr) == 0 &&
2778 params->addr_type == addr_type) {
2779 return params;
2780 }
2781 }
2782
2783 return NULL;
2784}
2785
2786/* This function requires the caller holds hdev->lock */
2787struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2788 bdaddr_t *addr, u8 addr_type)
2789{
2790 struct hci_conn_params *param;
2791
2792 list_for_each_entry(param, list, action) {
2793 if (bacmp(¶m->addr, addr) == 0 &&
2794 param->addr_type == addr_type)
2795 return param;
2796 }
2797
2798 return NULL;
2799}
2800
2801/* This function requires the caller holds hdev->lock */
2802struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2803 bdaddr_t *addr, u8 addr_type)
2804{
2805 struct hci_conn_params *params;
2806
2807 params = hci_conn_params_lookup(hdev, addr, addr_type);
2808 if (params)
2809 return params;
2810
2811 params = kzalloc(sizeof(*params), GFP_KERNEL);
2812 if (!params) {
2813 BT_ERR("Out of memory");
2814 return NULL;
2815 }
2816
2817 bacpy(¶ms->addr, addr);
2818 params->addr_type = addr_type;
2819
2820 list_add(¶ms->list, &hdev->le_conn_params);
2821 INIT_LIST_HEAD(¶ms->action);
2822
2823 params->conn_min_interval = hdev->le_conn_min_interval;
2824 params->conn_max_interval = hdev->le_conn_max_interval;
2825 params->conn_latency = hdev->le_conn_latency;
2826 params->supervision_timeout = hdev->le_supv_timeout;
2827 params->auto_connect = HCI_AUTO_CONN_DISABLED;
2828
2829 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2830
2831 return params;
2832}
2833
2834static void hci_conn_params_free(struct hci_conn_params *params)
2835{
2836 if (params->conn) {
2837 hci_conn_drop(params->conn);
2838 hci_conn_put(params->conn);
2839 }
2840
2841 list_del(¶ms->action);
2842 list_del(¶ms->list);
2843 kfree(params);
2844}
2845
2846/* This function requires the caller holds hdev->lock */
2847void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2848{
2849 struct hci_conn_params *params;
2850
2851 params = hci_conn_params_lookup(hdev, addr, addr_type);
2852 if (!params)
2853 return;
2854
2855 hci_conn_params_free(params);
2856
2857 hci_update_background_scan(hdev);
2858
2859 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2860}
2861
2862/* This function requires the caller holds hdev->lock */
2863void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2864{
2865 struct hci_conn_params *params, *tmp;
2866
2867 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2868 if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2869 continue;
2870
2871 /* If trying to estabilish one time connection to disabled
2872 * device, leave the params, but mark them as just once.
2873 */
2874 if (params->explicit_connect) {
2875 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2876 continue;
2877 }
2878
2879 list_del(¶ms->list);
2880 kfree(params);
2881 }
2882
2883 BT_DBG("All LE disabled connection parameters were removed");
2884}
2885
2886/* This function requires the caller holds hdev->lock */
2887static void hci_conn_params_clear_all(struct hci_dev *hdev)
2888{
2889 struct hci_conn_params *params, *tmp;
2890
2891 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2892 hci_conn_params_free(params);
2893
2894 BT_DBG("All LE connection parameters were removed");
2895}
2896
2897/* Copy the Identity Address of the controller.
2898 *
2899 * If the controller has a public BD_ADDR, then by default use that one.
2900 * If this is a LE only controller without a public address, default to
2901 * the static random address.
2902 *
2903 * For debugging purposes it is possible to force controllers with a
2904 * public address to use the static random address instead.
2905 *
2906 * In case BR/EDR has been disabled on a dual-mode controller and
2907 * userspace has configured a static address, then that address
2908 * becomes the identity address instead of the public BR/EDR address.
2909 */
2910void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2911 u8 *bdaddr_type)
2912{
2913 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2914 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2915 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2916 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2917 bacpy(bdaddr, &hdev->static_addr);
2918 *bdaddr_type = ADDR_LE_DEV_RANDOM;
2919 } else {
2920 bacpy(bdaddr, &hdev->bdaddr);
2921 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
2922 }
2923}
2924
2925/* Alloc HCI device */
2926struct hci_dev *hci_alloc_dev(void)
2927{
2928 struct hci_dev *hdev;
2929
2930 hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
2931 if (!hdev)
2932 return NULL;
2933
2934 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2935 hdev->esco_type = (ESCO_HV1);
2936 hdev->link_mode = (HCI_LM_ACCEPT);
2937 hdev->num_iac = 0x01; /* One IAC support is mandatory */
2938 hdev->io_capability = 0x03; /* No Input No Output */
2939 hdev->manufacturer = 0xffff; /* Default to internal use */
2940 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2941 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2942 hdev->adv_instance_cnt = 0;
2943 hdev->cur_adv_instance = 0x00;
2944 hdev->adv_instance_timeout = 0;
2945
2946 hdev->sniff_max_interval = 800;
2947 hdev->sniff_min_interval = 80;
2948
2949 hdev->le_adv_channel_map = 0x07;
2950 hdev->le_adv_min_interval = 0x0800;
2951 hdev->le_adv_max_interval = 0x0800;
2952 hdev->le_scan_interval = 0x0060;
2953 hdev->le_scan_window = 0x0030;
2954 hdev->le_conn_min_interval = 0x0028;
2955 hdev->le_conn_max_interval = 0x0038;
2956 hdev->le_conn_latency = 0x0000;
2957 hdev->le_supv_timeout = 0x002a;
2958 hdev->le_def_tx_len = 0x001b;
2959 hdev->le_def_tx_time = 0x0148;
2960 hdev->le_max_tx_len = 0x001b;
2961 hdev->le_max_tx_time = 0x0148;
2962 hdev->le_max_rx_len = 0x001b;
2963 hdev->le_max_rx_time = 0x0148;
2964
2965 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2966 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2967 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2968 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2969
2970 mutex_init(&hdev->lock);
2971 mutex_init(&hdev->req_lock);
2972
2973 INIT_LIST_HEAD(&hdev->mgmt_pending);
2974 INIT_LIST_HEAD(&hdev->blacklist);
2975 INIT_LIST_HEAD(&hdev->whitelist);
2976 INIT_LIST_HEAD(&hdev->uuids);
2977 INIT_LIST_HEAD(&hdev->link_keys);
2978 INIT_LIST_HEAD(&hdev->long_term_keys);
2979 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2980 INIT_LIST_HEAD(&hdev->remote_oob_data);
2981 INIT_LIST_HEAD(&hdev->le_white_list);
2982 INIT_LIST_HEAD(&hdev->le_conn_params);
2983 INIT_LIST_HEAD(&hdev->pend_le_conns);
2984 INIT_LIST_HEAD(&hdev->pend_le_reports);
2985 INIT_LIST_HEAD(&hdev->conn_hash.list);
2986 INIT_LIST_HEAD(&hdev->adv_instances);
2987
2988 INIT_WORK(&hdev->rx_work, hci_rx_work);
2989 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2990 INIT_WORK(&hdev->tx_work, hci_tx_work);
2991 INIT_WORK(&hdev->power_on, hci_power_on);
2992 INIT_WORK(&hdev->error_reset, hci_error_reset);
2993
2994 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2995
2996 skb_queue_head_init(&hdev->rx_q);
2997 skb_queue_head_init(&hdev->cmd_q);
2998 skb_queue_head_init(&hdev->raw_q);
2999
3000 init_waitqueue_head(&hdev->req_wait_q);
3001
3002 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3003
3004 hci_request_setup(hdev);
3005
3006 hci_init_sysfs(hdev);
3007 discovery_init(hdev);
3008
3009 return hdev;
3010}
3011EXPORT_SYMBOL(hci_alloc_dev);
3012
3013/* Free HCI device */
3014void hci_free_dev(struct hci_dev *hdev)
3015{
3016 /* will free via device release */
3017 put_device(&hdev->dev);
3018}
3019EXPORT_SYMBOL(hci_free_dev);
3020
3021/* Register HCI device */
3022int hci_register_dev(struct hci_dev *hdev)
3023{
3024 int id, error;
3025
3026 if (!hdev->open || !hdev->close || !hdev->send)
3027 return -EINVAL;
3028
3029 /* Do not allow HCI_AMP devices to register at index 0,
3030 * so the index can be used as the AMP controller ID.
3031 */
3032 switch (hdev->dev_type) {
3033 case HCI_BREDR:
3034 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3035 break;
3036 case HCI_AMP:
3037 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3038 break;
3039 default:
3040 return -EINVAL;
3041 }
3042
3043 if (id < 0)
3044 return id;
3045
3046 sprintf(hdev->name, "hci%d", id);
3047 hdev->id = id;
3048
3049 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3050
3051 hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3052 WQ_MEM_RECLAIM, 1, hdev->name);
3053 if (!hdev->workqueue) {
3054 error = -ENOMEM;
3055 goto err;
3056 }
3057
3058 hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3059 WQ_MEM_RECLAIM, 1, hdev->name);
3060 if (!hdev->req_workqueue) {
3061 destroy_workqueue(hdev->workqueue);
3062 error = -ENOMEM;
3063 goto err;
3064 }
3065
3066 if (!IS_ERR_OR_NULL(bt_debugfs))
3067 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3068
3069 dev_set_name(&hdev->dev, "%s", hdev->name);
3070
3071 error = device_add(&hdev->dev);
3072 if (error < 0)
3073 goto err_wqueue;
3074
3075 hci_leds_init(hdev);
3076
3077 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3078 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3079 hdev);
3080 if (hdev->rfkill) {
3081 if (rfkill_register(hdev->rfkill) < 0) {
3082 rfkill_destroy(hdev->rfkill);
3083 hdev->rfkill = NULL;
3084 }
3085 }
3086
3087 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3088 hci_dev_set_flag(hdev, HCI_RFKILLED);
3089
3090 hci_dev_set_flag(hdev, HCI_SETUP);
3091 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
3092
3093 if (hdev->dev_type == HCI_BREDR) {
3094 /* Assume BR/EDR support until proven otherwise (such as
3095 * through reading supported features during init.
3096 */
3097 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
3098 }
3099
3100 write_lock(&hci_dev_list_lock);
3101 list_add(&hdev->list, &hci_dev_list);
3102 write_unlock(&hci_dev_list_lock);
3103
3104 /* Devices that are marked for raw-only usage are unconfigured
3105 * and should not be included in normal operation.
3106 */
3107 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3108 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
3109
3110 hci_sock_dev_event(hdev, HCI_DEV_REG);
3111 hci_dev_hold(hdev);
3112
3113 queue_work(hdev->req_workqueue, &hdev->power_on);
3114
3115 return id;
3116
3117err_wqueue:
3118 destroy_workqueue(hdev->workqueue);
3119 destroy_workqueue(hdev->req_workqueue);
3120err:
3121 ida_simple_remove(&hci_index_ida, hdev->id);
3122
3123 return error;
3124}
3125EXPORT_SYMBOL(hci_register_dev);
3126
3127/* Unregister HCI device */
3128void hci_unregister_dev(struct hci_dev *hdev)
3129{
3130 int id;
3131
3132 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3133
3134 hci_dev_set_flag(hdev, HCI_UNREGISTER);
3135
3136 id = hdev->id;
3137
3138 write_lock(&hci_dev_list_lock);
3139 list_del(&hdev->list);
3140 write_unlock(&hci_dev_list_lock);
3141
3142 hci_dev_do_close(hdev);
3143
3144 cancel_work_sync(&hdev->power_on);
3145
3146 if (!test_bit(HCI_INIT, &hdev->flags) &&
3147 !hci_dev_test_flag(hdev, HCI_SETUP) &&
3148 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
3149 hci_dev_lock(hdev);
3150 mgmt_index_removed(hdev);
3151 hci_dev_unlock(hdev);
3152 }
3153
3154 /* mgmt_index_removed should take care of emptying the
3155 * pending list */
3156 BUG_ON(!list_empty(&hdev->mgmt_pending));
3157
3158 hci_sock_dev_event(hdev, HCI_DEV_UNREG);
3159
3160 if (hdev->rfkill) {
3161 rfkill_unregister(hdev->rfkill);
3162 rfkill_destroy(hdev->rfkill);
3163 }
3164
3165 device_del(&hdev->dev);
3166
3167 debugfs_remove_recursive(hdev->debugfs);
3168
3169 destroy_workqueue(hdev->workqueue);
3170 destroy_workqueue(hdev->req_workqueue);
3171
3172 hci_dev_lock(hdev);
3173 hci_bdaddr_list_clear(&hdev->blacklist);
3174 hci_bdaddr_list_clear(&hdev->whitelist);
3175 hci_uuids_clear(hdev);
3176 hci_link_keys_clear(hdev);
3177 hci_smp_ltks_clear(hdev);
3178 hci_smp_irks_clear(hdev);
3179 hci_remote_oob_data_clear(hdev);
3180 hci_adv_instances_clear(hdev);
3181 hci_bdaddr_list_clear(&hdev->le_white_list);
3182 hci_conn_params_clear_all(hdev);
3183 hci_discovery_filter_clear(hdev);
3184 hci_dev_unlock(hdev);
3185
3186 hci_dev_put(hdev);
3187
3188 ida_simple_remove(&hci_index_ida, id);
3189}
3190EXPORT_SYMBOL(hci_unregister_dev);
3191
3192/* Suspend HCI device */
3193int hci_suspend_dev(struct hci_dev *hdev)
3194{
3195 hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
3196 return 0;
3197}
3198EXPORT_SYMBOL(hci_suspend_dev);
3199
3200/* Resume HCI device */
3201int hci_resume_dev(struct hci_dev *hdev)
3202{
3203 hci_sock_dev_event(hdev, HCI_DEV_RESUME);
3204 return 0;
3205}
3206EXPORT_SYMBOL(hci_resume_dev);
3207
3208/* Reset HCI device */
3209int hci_reset_dev(struct hci_dev *hdev)
3210{
3211 const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
3212 struct sk_buff *skb;
3213
3214 skb = bt_skb_alloc(3, GFP_ATOMIC);
3215 if (!skb)
3216 return -ENOMEM;
3217
3218 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
3219 memcpy(skb_put(skb, 3), hw_err, 3);
3220
3221 /* Send Hardware Error to upper stack */
3222 return hci_recv_frame(hdev, skb);
3223}
3224EXPORT_SYMBOL(hci_reset_dev);
3225
3226/* Receive frame from HCI drivers */
3227int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3228{
3229 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3230 && !test_bit(HCI_INIT, &hdev->flags))) {
3231 kfree_skb(skb);
3232 return -ENXIO;
3233 }
3234
3235 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
3236 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
3237 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
3238 kfree_skb(skb);
3239 return -EINVAL;
3240 }
3241
3242 /* Incoming skb */
3243 bt_cb(skb)->incoming = 1;
3244
3245 /* Time stamp */
3246 __net_timestamp(skb);
3247
3248 skb_queue_tail(&hdev->rx_q, skb);
3249 queue_work(hdev->workqueue, &hdev->rx_work);
3250
3251 return 0;
3252}
3253EXPORT_SYMBOL(hci_recv_frame);
3254
3255/* Receive diagnostic message from HCI drivers */
3256int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
3257{
3258 /* Mark as diagnostic packet */
3259 hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
3260
3261 /* Time stamp */
3262 __net_timestamp(skb);
3263
3264 skb_queue_tail(&hdev->rx_q, skb);
3265 queue_work(hdev->workqueue, &hdev->rx_work);
3266
3267 return 0;
3268}
3269EXPORT_SYMBOL(hci_recv_diag);
3270
3271/* ---- Interface to upper protocols ---- */
3272
3273int hci_register_cb(struct hci_cb *cb)
3274{
3275 BT_DBG("%p name %s", cb, cb->name);
3276
3277 mutex_lock(&hci_cb_list_lock);
3278 list_add_tail(&cb->list, &hci_cb_list);
3279 mutex_unlock(&hci_cb_list_lock);
3280
3281 return 0;
3282}
3283EXPORT_SYMBOL(hci_register_cb);
3284
3285int hci_unregister_cb(struct hci_cb *cb)
3286{
3287 BT_DBG("%p name %s", cb, cb->name);
3288
3289 mutex_lock(&hci_cb_list_lock);
3290 list_del(&cb->list);
3291 mutex_unlock(&hci_cb_list_lock);
3292
3293 return 0;
3294}
3295EXPORT_SYMBOL(hci_unregister_cb);
3296
3297static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3298{
3299 int err;
3300
3301 BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3302 skb->len);
3303
3304 /* Time stamp */
3305 __net_timestamp(skb);
3306
3307 /* Send copy to monitor */
3308 hci_send_to_monitor(hdev, skb);
3309
3310 if (atomic_read(&hdev->promisc)) {
3311 /* Send copy to the sockets */
3312 hci_send_to_sock(hdev, skb);
3313 }
3314
3315 /* Get rid of skb owner, prior to sending to the driver. */
3316 skb_orphan(skb);
3317
3318 if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3319 kfree_skb(skb);
3320 return;
3321 }
3322
3323 err = hdev->send(hdev, skb);
3324 if (err < 0) {
3325 BT_ERR("%s sending frame failed (%d)", hdev->name, err);
3326 kfree_skb(skb);
3327 }
3328}
3329
3330/* Send HCI command */
3331int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3332 const void *param)
3333{
3334 struct sk_buff *skb;
3335
3336 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3337
3338 skb = hci_prepare_cmd(hdev, opcode, plen, param);
3339 if (!skb) {
3340 BT_ERR("%s no memory for command", hdev->name);
3341 return -ENOMEM;
3342 }
3343
3344 /* Stand-alone HCI commands must be flagged as
3345 * single-command requests.
3346 */
3347 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3348
3349 skb_queue_tail(&hdev->cmd_q, skb);
3350 queue_work(hdev->workqueue, &hdev->cmd_work);
3351
3352 return 0;
3353}
3354
3355/* Get data from the previously sent command */
3356void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3357{
3358 struct hci_command_hdr *hdr;
3359
3360 if (!hdev->sent_cmd)
3361 return NULL;
3362
3363 hdr = (void *) hdev->sent_cmd->data;
3364
3365 if (hdr->opcode != cpu_to_le16(opcode))
3366 return NULL;
3367
3368 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3369
3370 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3371}
3372
3373/* Send HCI command and wait for command commplete event */
3374struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
3375 const void *param, u32 timeout)
3376{
3377 struct sk_buff *skb;
3378
3379 if (!test_bit(HCI_UP, &hdev->flags))
3380 return ERR_PTR(-ENETDOWN);
3381
3382 bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
3383
3384 hci_req_sync_lock(hdev);
3385 skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
3386 hci_req_sync_unlock(hdev);
3387
3388 return skb;
3389}
3390EXPORT_SYMBOL(hci_cmd_sync);
3391
3392/* Send ACL data */
3393static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3394{
3395 struct hci_acl_hdr *hdr;
3396 int len = skb->len;
3397
3398 skb_push(skb, HCI_ACL_HDR_SIZE);
3399 skb_reset_transport_header(skb);
3400 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3401 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3402 hdr->dlen = cpu_to_le16(len);
3403}
3404
3405static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3406 struct sk_buff *skb, __u16 flags)
3407{
3408 struct hci_conn *conn = chan->conn;
3409 struct hci_dev *hdev = conn->hdev;
3410 struct sk_buff *list;
3411
3412 skb->len = skb_headlen(skb);
3413 skb->data_len = 0;
3414
3415 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3416
3417 switch (hdev->dev_type) {
3418 case HCI_BREDR:
3419 hci_add_acl_hdr(skb, conn->handle, flags);
3420 break;
3421 case HCI_AMP:
3422 hci_add_acl_hdr(skb, chan->handle, flags);
3423 break;
3424 default:
3425 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3426 return;
3427 }
3428
3429 list = skb_shinfo(skb)->frag_list;
3430 if (!list) {
3431 /* Non fragmented */
3432 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3433
3434 skb_queue_tail(queue, skb);
3435 } else {
3436 /* Fragmented */
3437 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3438
3439 skb_shinfo(skb)->frag_list = NULL;
3440
3441 /* Queue all fragments atomically. We need to use spin_lock_bh
3442 * here because of 6LoWPAN links, as there this function is
3443 * called from softirq and using normal spin lock could cause
3444 * deadlocks.
3445 */
3446 spin_lock_bh(&queue->lock);
3447
3448 __skb_queue_tail(queue, skb);
3449
3450 flags &= ~ACL_START;
3451 flags |= ACL_CONT;
3452 do {
3453 skb = list; list = list->next;
3454
3455 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3456 hci_add_acl_hdr(skb, conn->handle, flags);
3457
3458 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3459
3460 __skb_queue_tail(queue, skb);
3461 } while (list);
3462
3463 spin_unlock_bh(&queue->lock);
3464 }
3465}
3466
3467void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3468{
3469 struct hci_dev *hdev = chan->conn->hdev;
3470
3471 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3472
3473 hci_queue_acl(chan, &chan->data_q, skb, flags);
3474
3475 queue_work(hdev->workqueue, &hdev->tx_work);
3476}
3477
3478/* Send SCO data */
3479void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3480{
3481 struct hci_dev *hdev = conn->hdev;
3482 struct hci_sco_hdr hdr;
3483
3484 BT_DBG("%s len %d", hdev->name, skb->len);
3485
3486 hdr.handle = cpu_to_le16(conn->handle);
3487 hdr.dlen = skb->len;
3488
3489 skb_push(skb, HCI_SCO_HDR_SIZE);
3490 skb_reset_transport_header(skb);
3491 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3492
3493 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3494
3495 skb_queue_tail(&conn->data_q, skb);
3496 queue_work(hdev->workqueue, &hdev->tx_work);
3497}
3498
3499/* ---- HCI TX task (outgoing data) ---- */
3500
3501/* HCI Connection scheduler */
3502static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3503 int *quote)
3504{
3505 struct hci_conn_hash *h = &hdev->conn_hash;
3506 struct hci_conn *conn = NULL, *c;
3507 unsigned int num = 0, min = ~0;
3508
3509 /* We don't have to lock device here. Connections are always
3510 * added and removed with TX task disabled. */
3511
3512 rcu_read_lock();
3513
3514 list_for_each_entry_rcu(c, &h->list, list) {
3515 if (c->type != type || skb_queue_empty(&c->data_q))
3516 continue;
3517
3518 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3519 continue;
3520
3521 num++;
3522
3523 if (c->sent < min) {
3524 min = c->sent;
3525 conn = c;
3526 }
3527
3528 if (hci_conn_num(hdev, type) == num)
3529 break;
3530 }
3531
3532 rcu_read_unlock();
3533
3534 if (conn) {
3535 int cnt, q;
3536
3537 switch (conn->type) {
3538 case ACL_LINK:
3539 cnt = hdev->acl_cnt;
3540 break;
3541 case SCO_LINK:
3542 case ESCO_LINK:
3543 cnt = hdev->sco_cnt;
3544 break;
3545 case LE_LINK:
3546 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3547 break;
3548 default:
3549 cnt = 0;
3550 BT_ERR("Unknown link type");
3551 }
3552
3553 q = cnt / num;
3554 *quote = q ? q : 1;
3555 } else
3556 *quote = 0;
3557
3558 BT_DBG("conn %p quote %d", conn, *quote);
3559 return conn;
3560}
3561
3562static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3563{
3564 struct hci_conn_hash *h = &hdev->conn_hash;
3565 struct hci_conn *c;
3566
3567 BT_ERR("%s link tx timeout", hdev->name);
3568
3569 rcu_read_lock();
3570
3571 /* Kill stalled connections */
3572 list_for_each_entry_rcu(c, &h->list, list) {
3573 if (c->type == type && c->sent) {
3574 BT_ERR("%s killing stalled connection %pMR",
3575 hdev->name, &c->dst);
3576 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3577 }
3578 }
3579
3580 rcu_read_unlock();
3581}
3582
3583static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3584 int *quote)
3585{
3586 struct hci_conn_hash *h = &hdev->conn_hash;
3587 struct hci_chan *chan = NULL;
3588 unsigned int num = 0, min = ~0, cur_prio = 0;
3589 struct hci_conn *conn;
3590 int cnt, q, conn_num = 0;
3591
3592 BT_DBG("%s", hdev->name);
3593
3594 rcu_read_lock();
3595
3596 list_for_each_entry_rcu(conn, &h->list, list) {
3597 struct hci_chan *tmp;
3598
3599 if (conn->type != type)
3600 continue;
3601
3602 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3603 continue;
3604
3605 conn_num++;
3606
3607 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3608 struct sk_buff *skb;
3609
3610 if (skb_queue_empty(&tmp->data_q))
3611 continue;
3612
3613 skb = skb_peek(&tmp->data_q);
3614 if (skb->priority < cur_prio)
3615 continue;
3616
3617 if (skb->priority > cur_prio) {
3618 num = 0;
3619 min = ~0;
3620 cur_prio = skb->priority;
3621 }
3622
3623 num++;
3624
3625 if (conn->sent < min) {
3626 min = conn->sent;
3627 chan = tmp;
3628 }
3629 }
3630
3631 if (hci_conn_num(hdev, type) == conn_num)
3632 break;
3633 }
3634
3635 rcu_read_unlock();
3636
3637 if (!chan)
3638 return NULL;
3639
3640 switch (chan->conn->type) {
3641 case ACL_LINK:
3642 cnt = hdev->acl_cnt;
3643 break;
3644 case AMP_LINK:
3645 cnt = hdev->block_cnt;
3646 break;
3647 case SCO_LINK:
3648 case ESCO_LINK:
3649 cnt = hdev->sco_cnt;
3650 break;
3651 case LE_LINK:
3652 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3653 break;
3654 default:
3655 cnt = 0;
3656 BT_ERR("Unknown link type");
3657 }
3658
3659 q = cnt / num;
3660 *quote = q ? q : 1;
3661 BT_DBG("chan %p quote %d", chan, *quote);
3662 return chan;
3663}
3664
3665static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3666{
3667 struct hci_conn_hash *h = &hdev->conn_hash;
3668 struct hci_conn *conn;
3669 int num = 0;
3670
3671 BT_DBG("%s", hdev->name);
3672
3673 rcu_read_lock();
3674
3675 list_for_each_entry_rcu(conn, &h->list, list) {
3676 struct hci_chan *chan;
3677
3678 if (conn->type != type)
3679 continue;
3680
3681 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3682 continue;
3683
3684 num++;
3685
3686 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3687 struct sk_buff *skb;
3688
3689 if (chan->sent) {
3690 chan->sent = 0;
3691 continue;
3692 }
3693
3694 if (skb_queue_empty(&chan->data_q))
3695 continue;
3696
3697 skb = skb_peek(&chan->data_q);
3698 if (skb->priority >= HCI_PRIO_MAX - 1)
3699 continue;
3700
3701 skb->priority = HCI_PRIO_MAX - 1;
3702
3703 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3704 skb->priority);
3705 }
3706
3707 if (hci_conn_num(hdev, type) == num)
3708 break;
3709 }
3710
3711 rcu_read_unlock();
3712
3713}
3714
3715static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3716{
3717 /* Calculate count of blocks used by this packet */
3718 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3719}
3720
3721static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3722{
3723 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3724 /* ACL tx timeout must be longer than maximum
3725 * link supervision timeout (40.9 seconds) */
3726 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3727 HCI_ACL_TX_TIMEOUT))
3728 hci_link_tx_to(hdev, ACL_LINK);
3729 }
3730}
3731
3732static void hci_sched_acl_pkt(struct hci_dev *hdev)
3733{
3734 unsigned int cnt = hdev->acl_cnt;
3735 struct hci_chan *chan;
3736 struct sk_buff *skb;
3737 int quote;
3738
3739 __check_timeout(hdev, cnt);
3740
3741 while (hdev->acl_cnt &&
3742 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
3743 u32 priority = (skb_peek(&chan->data_q))->priority;
3744 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3745 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3746 skb->len, skb->priority);
3747
3748 /* Stop if priority has changed */
3749 if (skb->priority < priority)
3750 break;
3751
3752 skb = skb_dequeue(&chan->data_q);
3753
3754 hci_conn_enter_active_mode(chan->conn,
3755 bt_cb(skb)->force_active);
3756
3757 hci_send_frame(hdev, skb);
3758 hdev->acl_last_tx = jiffies;
3759
3760 hdev->acl_cnt--;
3761 chan->sent++;
3762 chan->conn->sent++;
3763 }
3764 }
3765
3766 if (cnt != hdev->acl_cnt)
3767 hci_prio_recalculate(hdev, ACL_LINK);
3768}
3769
3770static void hci_sched_acl_blk(struct hci_dev *hdev)
3771{
3772 unsigned int cnt = hdev->block_cnt;
3773 struct hci_chan *chan;
3774 struct sk_buff *skb;
3775 int quote;
3776 u8 type;
3777
3778 __check_timeout(hdev, cnt);
3779
3780 BT_DBG("%s", hdev->name);
3781
3782 if (hdev->dev_type == HCI_AMP)
3783 type = AMP_LINK;
3784 else
3785 type = ACL_LINK;
3786
3787 while (hdev->block_cnt > 0 &&
3788 (chan = hci_chan_sent(hdev, type, "e))) {
3789 u32 priority = (skb_peek(&chan->data_q))->priority;
3790 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3791 int blocks;
3792
3793 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3794 skb->len, skb->priority);
3795
3796 /* Stop if priority has changed */
3797 if (skb->priority < priority)
3798 break;
3799
3800 skb = skb_dequeue(&chan->data_q);
3801
3802 blocks = __get_blocks(hdev, skb);
3803 if (blocks > hdev->block_cnt)
3804 return;
3805
3806 hci_conn_enter_active_mode(chan->conn,
3807 bt_cb(skb)->force_active);
3808
3809 hci_send_frame(hdev, skb);
3810 hdev->acl_last_tx = jiffies;
3811
3812 hdev->block_cnt -= blocks;
3813 quote -= blocks;
3814
3815 chan->sent += blocks;
3816 chan->conn->sent += blocks;
3817 }
3818 }
3819
3820 if (cnt != hdev->block_cnt)
3821 hci_prio_recalculate(hdev, type);
3822}
3823
3824static void hci_sched_acl(struct hci_dev *hdev)
3825{
3826 BT_DBG("%s", hdev->name);
3827
3828 /* No ACL link over BR/EDR controller */
3829 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3830 return;
3831
3832 /* No AMP link over AMP controller */
3833 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3834 return;
3835
3836 switch (hdev->flow_ctl_mode) {
3837 case HCI_FLOW_CTL_MODE_PACKET_BASED:
3838 hci_sched_acl_pkt(hdev);
3839 break;
3840
3841 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3842 hci_sched_acl_blk(hdev);
3843 break;
3844 }
3845}
3846
3847/* Schedule SCO */
3848static void hci_sched_sco(struct hci_dev *hdev)
3849{
3850 struct hci_conn *conn;
3851 struct sk_buff *skb;
3852 int quote;
3853
3854 BT_DBG("%s", hdev->name);
3855
3856 if (!hci_conn_num(hdev, SCO_LINK))
3857 return;
3858
3859 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
3860 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3861 BT_DBG("skb %p len %d", skb, skb->len);
3862 hci_send_frame(hdev, skb);
3863
3864 conn->sent++;
3865 if (conn->sent == ~0)
3866 conn->sent = 0;
3867 }
3868 }
3869}
3870
3871static void hci_sched_esco(struct hci_dev *hdev)
3872{
3873 struct hci_conn *conn;
3874 struct sk_buff *skb;
3875 int quote;
3876
3877 BT_DBG("%s", hdev->name);
3878
3879 if (!hci_conn_num(hdev, ESCO_LINK))
3880 return;
3881
3882 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3883 "e))) {
3884 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3885 BT_DBG("skb %p len %d", skb, skb->len);
3886 hci_send_frame(hdev, skb);
3887
3888 conn->sent++;
3889 if (conn->sent == ~0)
3890 conn->sent = 0;
3891 }
3892 }
3893}
3894
3895static void hci_sched_le(struct hci_dev *hdev)
3896{
3897 struct hci_chan *chan;
3898 struct sk_buff *skb;
3899 int quote, cnt, tmp;
3900
3901 BT_DBG("%s", hdev->name);
3902
3903 if (!hci_conn_num(hdev, LE_LINK))
3904 return;
3905
3906 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3907 /* LE tx timeout must be longer than maximum
3908 * link supervision timeout (40.9 seconds) */
3909 if (!hdev->le_cnt && hdev->le_pkts &&
3910 time_after(jiffies, hdev->le_last_tx + HZ * 45))
3911 hci_link_tx_to(hdev, LE_LINK);
3912 }
3913
3914 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3915 tmp = cnt;
3916 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
3917 u32 priority = (skb_peek(&chan->data_q))->priority;
3918 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3919 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3920 skb->len, skb->priority);
3921
3922 /* Stop if priority has changed */
3923 if (skb->priority < priority)
3924 break;
3925
3926 skb = skb_dequeue(&chan->data_q);
3927
3928 hci_send_frame(hdev, skb);
3929 hdev->le_last_tx = jiffies;
3930
3931 cnt--;
3932 chan->sent++;
3933 chan->conn->sent++;
3934 }
3935 }
3936
3937 if (hdev->le_pkts)
3938 hdev->le_cnt = cnt;
3939 else
3940 hdev->acl_cnt = cnt;
3941
3942 if (cnt != tmp)
3943 hci_prio_recalculate(hdev, LE_LINK);
3944}
3945
3946static void hci_tx_work(struct work_struct *work)
3947{
3948 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3949 struct sk_buff *skb;
3950
3951 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3952 hdev->sco_cnt, hdev->le_cnt);
3953
3954 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3955 /* Schedule queues and send stuff to HCI driver */
3956 hci_sched_acl(hdev);
3957 hci_sched_sco(hdev);
3958 hci_sched_esco(hdev);
3959 hci_sched_le(hdev);
3960 }
3961
3962 /* Send next queued raw (unknown type) packet */
3963 while ((skb = skb_dequeue(&hdev->raw_q)))
3964 hci_send_frame(hdev, skb);
3965}
3966
3967/* ----- HCI RX task (incoming data processing) ----- */
3968
3969/* ACL data packet */
3970static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3971{
3972 struct hci_acl_hdr *hdr = (void *) skb->data;
3973 struct hci_conn *conn;
3974 __u16 handle, flags;
3975
3976 skb_pull(skb, HCI_ACL_HDR_SIZE);
3977
3978 handle = __le16_to_cpu(hdr->handle);
3979 flags = hci_flags(handle);
3980 handle = hci_handle(handle);
3981
3982 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3983 handle, flags);
3984
3985 hdev->stat.acl_rx++;
3986
3987 hci_dev_lock(hdev);
3988 conn = hci_conn_hash_lookup_handle(hdev, handle);
3989 hci_dev_unlock(hdev);
3990
3991 if (conn) {
3992 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3993
3994 /* Send to upper protocol */
3995 l2cap_recv_acldata(conn, skb, flags);
3996 return;
3997 } else {
3998 BT_ERR("%s ACL packet for unknown connection handle %d",
3999 hdev->name, handle);
4000 }
4001
4002 kfree_skb(skb);
4003}
4004
4005/* SCO data packet */
4006static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4007{
4008 struct hci_sco_hdr *hdr = (void *) skb->data;
4009 struct hci_conn *conn;
4010 __u16 handle;
4011
4012 skb_pull(skb, HCI_SCO_HDR_SIZE);
4013
4014 handle = __le16_to_cpu(hdr->handle);
4015
4016 BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4017
4018 hdev->stat.sco_rx++;
4019
4020 hci_dev_lock(hdev);
4021 conn = hci_conn_hash_lookup_handle(hdev, handle);
4022 hci_dev_unlock(hdev);
4023
4024 if (conn) {
4025 /* Send to upper protocol */
4026 sco_recv_scodata(conn, skb);
4027 return;
4028 } else {
4029 BT_ERR("%s SCO packet for unknown connection handle %d",
4030 hdev->name, handle);
4031 }
4032
4033 kfree_skb(skb);
4034}
4035
4036static bool hci_req_is_complete(struct hci_dev *hdev)
4037{
4038 struct sk_buff *skb;
4039
4040 skb = skb_peek(&hdev->cmd_q);
4041 if (!skb)
4042 return true;
4043
4044 return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
4045}
4046
4047static void hci_resend_last(struct hci_dev *hdev)
4048{
4049 struct hci_command_hdr *sent;
4050 struct sk_buff *skb;
4051 u16 opcode;
4052
4053 if (!hdev->sent_cmd)
4054 return;
4055
4056 sent = (void *) hdev->sent_cmd->data;
4057 opcode = __le16_to_cpu(sent->opcode);
4058 if (opcode == HCI_OP_RESET)
4059 return;
4060
4061 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4062 if (!skb)
4063 return;
4064
4065 skb_queue_head(&hdev->cmd_q, skb);
4066 queue_work(hdev->workqueue, &hdev->cmd_work);
4067}
4068
4069void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
4070 hci_req_complete_t *req_complete,
4071 hci_req_complete_skb_t *req_complete_skb)
4072{
4073 struct sk_buff *skb;
4074 unsigned long flags;
4075
4076 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4077
4078 /* If the completed command doesn't match the last one that was
4079 * sent we need to do special handling of it.
4080 */
4081 if (!hci_sent_cmd_data(hdev, opcode)) {
4082 /* Some CSR based controllers generate a spontaneous
4083 * reset complete event during init and any pending
4084 * command will never be completed. In such a case we
4085 * need to resend whatever was the last sent
4086 * command.
4087 */
4088 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4089 hci_resend_last(hdev);
4090
4091 return;
4092 }
4093
4094 /* If the command succeeded and there's still more commands in
4095 * this request the request is not yet complete.
4096 */
4097 if (!status && !hci_req_is_complete(hdev))
4098 return;
4099
4100 /* If this was the last command in a request the complete
4101 * callback would be found in hdev->sent_cmd instead of the
4102 * command queue (hdev->cmd_q).
4103 */
4104 if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
4105 *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
4106 return;
4107 }
4108
4109 if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
4110 *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
4111 return;
4112 }
4113
4114 /* Remove all pending commands belonging to this request */
4115 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4116 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4117 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4118 __skb_queue_head(&hdev->cmd_q, skb);
4119 break;
4120 }
4121
4122 if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
4123 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4124 else
4125 *req_complete = bt_cb(skb)->hci.req_complete;
4126 kfree_skb(skb);
4127 }
4128 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4129}
4130
4131static void hci_rx_work(struct work_struct *work)
4132{
4133 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4134 struct sk_buff *skb;
4135
4136 BT_DBG("%s", hdev->name);
4137
4138 while ((skb = skb_dequeue(&hdev->rx_q))) {
4139 /* Send copy to monitor */
4140 hci_send_to_monitor(hdev, skb);
4141
4142 if (atomic_read(&hdev->promisc)) {
4143 /* Send copy to the sockets */
4144 hci_send_to_sock(hdev, skb);
4145 }
4146
4147 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4148 kfree_skb(skb);
4149 continue;
4150 }
4151
4152 if (test_bit(HCI_INIT, &hdev->flags)) {
4153 /* Don't process data packets in this states. */
4154 switch (hci_skb_pkt_type(skb)) {
4155 case HCI_ACLDATA_PKT:
4156 case HCI_SCODATA_PKT:
4157 kfree_skb(skb);
4158 continue;
4159 }
4160 }
4161
4162 /* Process frame */
4163 switch (hci_skb_pkt_type(skb)) {
4164 case HCI_EVENT_PKT:
4165 BT_DBG("%s Event packet", hdev->name);
4166 hci_event_packet(hdev, skb);
4167 break;
4168
4169 case HCI_ACLDATA_PKT:
4170 BT_DBG("%s ACL data packet", hdev->name);
4171 hci_acldata_packet(hdev, skb);
4172 break;
4173
4174 case HCI_SCODATA_PKT:
4175 BT_DBG("%s SCO data packet", hdev->name);
4176 hci_scodata_packet(hdev, skb);
4177 break;
4178
4179 default:
4180 kfree_skb(skb);
4181 break;
4182 }
4183 }
4184}
4185
4186static void hci_cmd_work(struct work_struct *work)
4187{
4188 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4189 struct sk_buff *skb;
4190
4191 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4192 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4193
4194 /* Send queued commands */
4195 if (atomic_read(&hdev->cmd_cnt)) {
4196 skb = skb_dequeue(&hdev->cmd_q);
4197 if (!skb)
4198 return;
4199
4200 kfree_skb(hdev->sent_cmd);
4201
4202 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4203 if (hdev->sent_cmd) {
4204 atomic_dec(&hdev->cmd_cnt);
4205 hci_send_frame(hdev, skb);
4206 if (test_bit(HCI_RESET, &hdev->flags))
4207 cancel_delayed_work(&hdev->cmd_timer);
4208 else
4209 schedule_delayed_work(&hdev->cmd_timer,
4210 HCI_CMD_TIMEOUT);
4211 } else {
4212 skb_queue_head(&hdev->cmd_q, skb);
4213 queue_work(hdev->workqueue, &hdev->cmd_work);
4214 }
4215 }
4216}