2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI core. */
28 #include <linux/export.h>
29 #include <linux/idr.h>
30 #include <linux/rfkill.h>
31 #include <linux/debugfs.h>
32 #include <linux/crypto.h>
33 #include <asm/unaligned.h>
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38 #include <net/bluetooth/mgmt.h>
40 #include "hci_request.h"
41 #include "hci_debugfs.h"
45 static void hci_rx_work(struct work_struct *work);
46 static void hci_cmd_work(struct work_struct *work);
47 static void hci_tx_work(struct work_struct *work);
50 LIST_HEAD(hci_dev_list);
51 DEFINE_RWLOCK(hci_dev_list_lock);
53 /* HCI callback list */
54 LIST_HEAD(hci_cb_list);
55 DEFINE_MUTEX(hci_cb_list_lock);
57 /* HCI ID Numbering */
58 static DEFINE_IDA(hci_index_ida);
60 /* ---- HCI debugfs entries ---- */
62 static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
63 size_t count, loff_t *ppos)
65 struct hci_dev *hdev = file->private_data;
68 buf[0] = hci_dev_test_flag(hdev, HCI_DUT_MODE) ? 'Y' : 'N';
71 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
74 static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
75 size_t count, loff_t *ppos)
77 struct hci_dev *hdev = file->private_data;
80 size_t buf_size = min(count, (sizeof(buf)-1));
83 if (!test_bit(HCI_UP, &hdev->flags))
86 if (copy_from_user(buf, user_buf, buf_size))
90 if (strtobool(buf, &enable))
93 if (enable == hci_dev_test_flag(hdev, HCI_DUT_MODE))
96 hci_req_sync_lock(hdev);
98 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
101 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
103 hci_req_sync_unlock(hdev);
110 hci_dev_change_flag(hdev, HCI_DUT_MODE);
115 static const struct file_operations dut_mode_fops = {
117 .read = dut_mode_read,
118 .write = dut_mode_write,
119 .llseek = default_llseek,
122 static ssize_t vendor_diag_read(struct file *file, char __user *user_buf,
123 size_t count, loff_t *ppos)
125 struct hci_dev *hdev = file->private_data;
128 buf[0] = hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) ? 'Y' : 'N';
131 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
134 static ssize_t vendor_diag_write(struct file *file, const char __user *user_buf,
135 size_t count, loff_t *ppos)
137 struct hci_dev *hdev = file->private_data;
139 size_t buf_size = min(count, (sizeof(buf)-1));
143 if (copy_from_user(buf, user_buf, buf_size))
146 buf[buf_size] = '\0';
147 if (strtobool(buf, &enable))
150 /* When the diagnostic flags are not persistent and the transport
151 * is not active, then there is no need for the vendor callback.
153 * Instead just store the desired value. If needed the setting
154 * will be programmed when the controller gets powered on.
156 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
157 !test_bit(HCI_RUNNING, &hdev->flags))
160 hci_req_sync_lock(hdev);
161 err = hdev->set_diag(hdev, enable);
162 hci_req_sync_unlock(hdev);
169 hci_dev_set_flag(hdev, HCI_VENDOR_DIAG);
171 hci_dev_clear_flag(hdev, HCI_VENDOR_DIAG);
176 static const struct file_operations vendor_diag_fops = {
178 .read = vendor_diag_read,
179 .write = vendor_diag_write,
180 .llseek = default_llseek,
183 static void hci_debugfs_create_basic(struct hci_dev *hdev)
185 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
189 debugfs_create_file("vendor_diag", 0644, hdev->debugfs, hdev,
193 static int hci_reset_req(struct hci_request *req, unsigned long opt)
195 BT_DBG("%s %ld", req->hdev->name, opt);
198 set_bit(HCI_RESET, &req->hdev->flags);
199 hci_req_add(req, HCI_OP_RESET, 0, NULL);
203 static void bredr_init(struct hci_request *req)
205 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
207 /* Read Local Supported Features */
208 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
210 /* Read Local Version */
211 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
213 /* Read BD Address */
214 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
217 static void amp_init1(struct hci_request *req)
219 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
221 /* Read Local Version */
222 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
224 /* Read Local Supported Commands */
225 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
227 /* Read Local AMP Info */
228 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
230 /* Read Data Blk size */
231 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
233 /* Read Flow Control Mode */
234 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
236 /* Read Location Data */
237 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
240 static int amp_init2(struct hci_request *req)
242 /* Read Local Supported Features. Not all AMP controllers
243 * support this so it's placed conditionally in the second
246 if (req->hdev->commands[14] & 0x20)
247 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
252 static int hci_init1_req(struct hci_request *req, unsigned long opt)
254 struct hci_dev *hdev = req->hdev;
256 BT_DBG("%s %ld", hdev->name, opt);
259 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
260 hci_reset_req(req, 0);
262 switch (hdev->dev_type) {
272 BT_ERR("Unknown device type %d", hdev->dev_type);
279 static void bredr_setup(struct hci_request *req)
284 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
285 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
287 /* Read Class of Device */
288 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
290 /* Read Local Name */
291 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
293 /* Read Voice Setting */
294 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
296 /* Read Number of Supported IAC */
297 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
299 /* Read Current IAC LAP */
300 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
302 /* Clear Event Filters */
303 flt_type = HCI_FLT_CLEAR_ALL;
304 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
306 /* Connection accept timeout ~20 secs */
307 param = cpu_to_le16(0x7d00);
308 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
311 static void le_setup(struct hci_request *req)
313 struct hci_dev *hdev = req->hdev;
315 /* Read LE Buffer Size */
316 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
318 /* Read LE Local Supported Features */
319 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
321 /* Read LE Supported States */
322 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
324 /* LE-only controllers have LE implicitly enabled */
325 if (!lmp_bredr_capable(hdev))
326 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
329 static void hci_setup_event_mask(struct hci_request *req)
331 struct hci_dev *hdev = req->hdev;
333 /* The second byte is 0xff instead of 0x9f (two reserved bits
334 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
337 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
339 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
340 * any event mask for pre 1.2 devices.
342 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
345 if (lmp_bredr_capable(hdev)) {
346 events[4] |= 0x01; /* Flow Specification Complete */
348 /* Use a different default for LE-only devices */
349 memset(events, 0, sizeof(events));
350 events[1] |= 0x20; /* Command Complete */
351 events[1] |= 0x40; /* Command Status */
352 events[1] |= 0x80; /* Hardware Error */
354 /* If the controller supports the Disconnect command, enable
355 * the corresponding event. In addition enable packet flow
356 * control related events.
358 if (hdev->commands[0] & 0x20) {
359 events[0] |= 0x10; /* Disconnection Complete */
360 events[2] |= 0x04; /* Number of Completed Packets */
361 events[3] |= 0x02; /* Data Buffer Overflow */
364 /* If the controller supports the Read Remote Version
365 * Information command, enable the corresponding event.
367 if (hdev->commands[2] & 0x80)
368 events[1] |= 0x08; /* Read Remote Version Information
372 if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
373 events[0] |= 0x80; /* Encryption Change */
374 events[5] |= 0x80; /* Encryption Key Refresh Complete */
378 if (lmp_inq_rssi_capable(hdev) ||
379 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks))
380 events[4] |= 0x02; /* Inquiry Result with RSSI */
382 if (lmp_ext_feat_capable(hdev))
383 events[4] |= 0x04; /* Read Remote Extended Features Complete */
385 if (lmp_esco_capable(hdev)) {
386 events[5] |= 0x08; /* Synchronous Connection Complete */
387 events[5] |= 0x10; /* Synchronous Connection Changed */
390 if (lmp_sniffsubr_capable(hdev))
391 events[5] |= 0x20; /* Sniff Subrating */
393 if (lmp_pause_enc_capable(hdev))
394 events[5] |= 0x80; /* Encryption Key Refresh Complete */
396 if (lmp_ext_inq_capable(hdev))
397 events[5] |= 0x40; /* Extended Inquiry Result */
399 if (lmp_no_flush_capable(hdev))
400 events[7] |= 0x01; /* Enhanced Flush Complete */
402 if (lmp_lsto_capable(hdev))
403 events[6] |= 0x80; /* Link Supervision Timeout Changed */
405 if (lmp_ssp_capable(hdev)) {
406 events[6] |= 0x01; /* IO Capability Request */
407 events[6] |= 0x02; /* IO Capability Response */
408 events[6] |= 0x04; /* User Confirmation Request */
409 events[6] |= 0x08; /* User Passkey Request */
410 events[6] |= 0x10; /* Remote OOB Data Request */
411 events[6] |= 0x20; /* Simple Pairing Complete */
412 events[7] |= 0x04; /* User Passkey Notification */
413 events[7] |= 0x08; /* Keypress Notification */
414 events[7] |= 0x10; /* Remote Host Supported
415 * Features Notification
419 if (lmp_le_capable(hdev))
420 events[7] |= 0x20; /* LE Meta-Event */
422 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
425 static int hci_init2_req(struct hci_request *req, unsigned long opt)
427 struct hci_dev *hdev = req->hdev;
429 if (hdev->dev_type == HCI_AMP)
430 return amp_init2(req);
432 if (lmp_bredr_capable(hdev))
435 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
437 if (lmp_le_capable(hdev))
440 /* All Bluetooth 1.2 and later controllers should support the
441 * HCI command for reading the local supported commands.
443 * Unfortunately some controllers indicate Bluetooth 1.2 support,
444 * but do not have support for this command. If that is the case,
445 * the driver can quirk the behavior and skip reading the local
446 * supported commands.
448 if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
449 !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
450 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
452 if (lmp_ssp_capable(hdev)) {
453 /* When SSP is available, then the host features page
454 * should also be available as well. However some
455 * controllers list the max_page as 0 as long as SSP
456 * has not been enabled. To achieve proper debugging
457 * output, force the minimum max_page to 1 at least.
459 hdev->max_page = 0x01;
461 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
464 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
465 sizeof(mode), &mode);
467 struct hci_cp_write_eir cp;
469 memset(hdev->eir, 0, sizeof(hdev->eir));
470 memset(&cp, 0, sizeof(cp));
472 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
476 if (lmp_inq_rssi_capable(hdev) ||
477 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
480 /* If Extended Inquiry Result events are supported, then
481 * they are clearly preferred over Inquiry Result with RSSI
484 mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
486 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
489 if (lmp_inq_tx_pwr_capable(hdev))
490 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
492 if (lmp_ext_feat_capable(hdev)) {
493 struct hci_cp_read_local_ext_features cp;
496 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
500 if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
502 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
509 static void hci_setup_link_policy(struct hci_request *req)
511 struct hci_dev *hdev = req->hdev;
512 struct hci_cp_write_def_link_policy cp;
515 if (lmp_rswitch_capable(hdev))
516 link_policy |= HCI_LP_RSWITCH;
517 if (lmp_hold_capable(hdev))
518 link_policy |= HCI_LP_HOLD;
519 if (lmp_sniff_capable(hdev))
520 link_policy |= HCI_LP_SNIFF;
521 if (lmp_park_capable(hdev))
522 link_policy |= HCI_LP_PARK;
524 cp.policy = cpu_to_le16(link_policy);
525 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
528 static void hci_set_le_support(struct hci_request *req)
530 struct hci_dev *hdev = req->hdev;
531 struct hci_cp_write_le_host_supported cp;
533 /* LE-only devices do not support explicit enablement */
534 if (!lmp_bredr_capable(hdev))
537 memset(&cp, 0, sizeof(cp));
539 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
544 if (cp.le != lmp_host_le_capable(hdev))
545 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
549 static void hci_set_event_mask_page_2(struct hci_request *req)
551 struct hci_dev *hdev = req->hdev;
552 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
554 /* If Connectionless Slave Broadcast master role is supported
555 * enable all necessary events for it.
557 if (lmp_csb_master_capable(hdev)) {
558 events[1] |= 0x40; /* Triggered Clock Capture */
559 events[1] |= 0x80; /* Synchronization Train Complete */
560 events[2] |= 0x10; /* Slave Page Response Timeout */
561 events[2] |= 0x20; /* CSB Channel Map Change */
564 /* If Connectionless Slave Broadcast slave role is supported
565 * enable all necessary events for it.
567 if (lmp_csb_slave_capable(hdev)) {
568 events[2] |= 0x01; /* Synchronization Train Received */
569 events[2] |= 0x02; /* CSB Receive */
570 events[2] |= 0x04; /* CSB Timeout */
571 events[2] |= 0x08; /* Truncated Page Complete */
574 /* Enable Authenticated Payload Timeout Expired event if supported */
575 if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
578 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
581 static int hci_init3_req(struct hci_request *req, unsigned long opt)
583 struct hci_dev *hdev = req->hdev;
586 hci_setup_event_mask(req);
588 if (hdev->commands[6] & 0x20 &&
589 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
590 struct hci_cp_read_stored_link_key cp;
592 bacpy(&cp.bdaddr, BDADDR_ANY);
594 hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
597 if (hdev->commands[5] & 0x10)
598 hci_setup_link_policy(req);
600 if (hdev->commands[8] & 0x01)
601 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
603 /* Some older Broadcom based Bluetooth 1.2 controllers do not
604 * support the Read Page Scan Type command. Check support for
605 * this command in the bit mask of supported commands.
607 if (hdev->commands[13] & 0x01)
608 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
610 if (lmp_le_capable(hdev)) {
613 memset(events, 0, sizeof(events));
615 if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
616 events[0] |= 0x10; /* LE Long Term Key Request */
618 /* If controller supports the Connection Parameters Request
619 * Link Layer Procedure, enable the corresponding event.
621 if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
622 events[0] |= 0x20; /* LE Remote Connection
626 /* If the controller supports the Data Length Extension
627 * feature, enable the corresponding event.
629 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
630 events[0] |= 0x40; /* LE Data Length Change */
632 /* If the controller supports Extended Scanner Filter
633 * Policies, enable the correspondig event.
635 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
636 events[1] |= 0x04; /* LE Direct Advertising
640 /* If the controller supports the LE Set Scan Enable command,
641 * enable the corresponding advertising report event.
643 if (hdev->commands[26] & 0x08)
644 events[0] |= 0x02; /* LE Advertising Report */
646 /* If the controller supports the LE Create Connection
647 * command, enable the corresponding event.
649 if (hdev->commands[26] & 0x10)
650 events[0] |= 0x01; /* LE Connection Complete */
652 /* If the controller supports the LE Connection Update
653 * command, enable the corresponding event.
655 if (hdev->commands[27] & 0x04)
656 events[0] |= 0x04; /* LE Connection Update
660 /* If the controller supports the LE Read Remote Used Features
661 * command, enable the corresponding event.
663 if (hdev->commands[27] & 0x20)
664 events[0] |= 0x08; /* LE Read Remote Used
668 /* If the controller supports the LE Read Local P-256
669 * Public Key command, enable the corresponding event.
671 if (hdev->commands[34] & 0x02)
672 events[0] |= 0x80; /* LE Read Local P-256
673 * Public Key Complete
676 /* If the controller supports the LE Generate DHKey
677 * command, enable the corresponding event.
679 if (hdev->commands[34] & 0x04)
680 events[1] |= 0x01; /* LE Generate DHKey Complete */
682 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
685 if (hdev->commands[25] & 0x40) {
686 /* Read LE Advertising Channel TX Power */
687 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
690 if (hdev->commands[26] & 0x40) {
691 /* Read LE White List Size */
692 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE,
696 if (hdev->commands[26] & 0x80) {
697 /* Clear LE White List */
698 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
701 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
702 /* Read LE Maximum Data Length */
703 hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
705 /* Read LE Suggested Default Data Length */
706 hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
709 hci_set_le_support(req);
712 /* Read features beyond page 1 if available */
713 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
714 struct hci_cp_read_local_ext_features cp;
717 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
724 static int hci_init4_req(struct hci_request *req, unsigned long opt)
726 struct hci_dev *hdev = req->hdev;
728 /* Some Broadcom based Bluetooth controllers do not support the
729 * Delete Stored Link Key command. They are clearly indicating its
730 * absence in the bit mask of supported commands.
732 * Check the supported commands and only if the the command is marked
733 * as supported send it. If not supported assume that the controller
734 * does not have actual support for stored link keys which makes this
735 * command redundant anyway.
737 * Some controllers indicate that they support handling deleting
738 * stored link keys, but they don't. The quirk lets a driver
739 * just disable this command.
741 if (hdev->commands[6] & 0x80 &&
742 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
743 struct hci_cp_delete_stored_link_key cp;
745 bacpy(&cp.bdaddr, BDADDR_ANY);
746 cp.delete_all = 0x01;
747 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
751 /* Set event mask page 2 if the HCI command for it is supported */
752 if (hdev->commands[22] & 0x04)
753 hci_set_event_mask_page_2(req);
755 /* Read local codec list if the HCI command is supported */
756 if (hdev->commands[29] & 0x20)
757 hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
759 /* Get MWS transport configuration if the HCI command is supported */
760 if (hdev->commands[30] & 0x08)
761 hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
763 /* Check for Synchronization Train support */
764 if (lmp_sync_train_capable(hdev))
765 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
767 /* Enable Secure Connections if supported and configured */
768 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&
769 bredr_sc_enabled(hdev)) {
772 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
773 sizeof(support), &support);
779 static int __hci_init(struct hci_dev *hdev)
783 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT, NULL);
787 if (hci_dev_test_flag(hdev, HCI_SETUP))
788 hci_debugfs_create_basic(hdev);
790 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT, NULL);
794 /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
795 * BR/EDR/LE type controllers. AMP controllers only need the
796 * first two stages of init.
798 if (hdev->dev_type != HCI_BREDR)
801 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT, NULL);
805 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT, NULL);
809 /* This function is only called when the controller is actually in
810 * configured state. When the controller is marked as unconfigured,
811 * this initialization procedure is not run.
813 * It means that it is possible that a controller runs through its
814 * setup phase and then discovers missing settings. If that is the
815 * case, then this function will not be called. It then will only
816 * be called during the config phase.
818 * So only when in setup phase or config phase, create the debugfs
819 * entries and register the SMP channels.
821 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
822 !hci_dev_test_flag(hdev, HCI_CONFIG))
825 hci_debugfs_create_common(hdev);
827 if (lmp_bredr_capable(hdev))
828 hci_debugfs_create_bredr(hdev);
830 if (lmp_le_capable(hdev))
831 hci_debugfs_create_le(hdev);
836 static int hci_init0_req(struct hci_request *req, unsigned long opt)
838 struct hci_dev *hdev = req->hdev;
840 BT_DBG("%s %ld", hdev->name, opt);
843 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
844 hci_reset_req(req, 0);
846 /* Read Local Version */
847 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
849 /* Read BD Address */
850 if (hdev->set_bdaddr)
851 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
856 static int __hci_unconf_init(struct hci_dev *hdev)
860 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
863 err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT, NULL);
867 if (hci_dev_test_flag(hdev, HCI_SETUP))
868 hci_debugfs_create_basic(hdev);
873 static int hci_scan_req(struct hci_request *req, unsigned long opt)
877 BT_DBG("%s %x", req->hdev->name, scan);
879 /* Inquiry and Page scans */
880 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
884 static int hci_auth_req(struct hci_request *req, unsigned long opt)
888 BT_DBG("%s %x", req->hdev->name, auth);
891 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
895 static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
899 BT_DBG("%s %x", req->hdev->name, encrypt);
902 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
906 static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
908 __le16 policy = cpu_to_le16(opt);
910 BT_DBG("%s %x", req->hdev->name, policy);
912 /* Default link policy */
913 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
917 /* Get HCI device by index.
918 * Device is held on return. */
919 struct hci_dev *hci_dev_get(int index)
921 struct hci_dev *hdev = NULL, *d;
928 read_lock(&hci_dev_list_lock);
929 list_for_each_entry(d, &hci_dev_list, list) {
930 if (d->id == index) {
931 hdev = hci_dev_hold(d);
935 read_unlock(&hci_dev_list_lock);
939 /* ---- Inquiry support ---- */
941 bool hci_discovery_active(struct hci_dev *hdev)
943 struct discovery_state *discov = &hdev->discovery;
945 switch (discov->state) {
946 case DISCOVERY_FINDING:
947 case DISCOVERY_RESOLVING:
955 void hci_discovery_set_state(struct hci_dev *hdev, int state)
957 int old_state = hdev->discovery.state;
959 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
961 if (old_state == state)
964 hdev->discovery.state = state;
967 case DISCOVERY_STOPPED:
968 hci_update_background_scan(hdev);
970 if (old_state != DISCOVERY_STARTING)
971 mgmt_discovering(hdev, 0);
973 case DISCOVERY_STARTING:
975 case DISCOVERY_FINDING:
976 mgmt_discovering(hdev, 1);
978 case DISCOVERY_RESOLVING:
980 case DISCOVERY_STOPPING:
985 void hci_inquiry_cache_flush(struct hci_dev *hdev)
987 struct discovery_state *cache = &hdev->discovery;
988 struct inquiry_entry *p, *n;
990 list_for_each_entry_safe(p, n, &cache->all, all) {
995 INIT_LIST_HEAD(&cache->unknown);
996 INIT_LIST_HEAD(&cache->resolve);
999 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1002 struct discovery_state *cache = &hdev->discovery;
1003 struct inquiry_entry *e;
1005 BT_DBG("cache %p, %pMR", cache, bdaddr);
1007 list_for_each_entry(e, &cache->all, all) {
1008 if (!bacmp(&e->data.bdaddr, bdaddr))
1015 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1018 struct discovery_state *cache = &hdev->discovery;
1019 struct inquiry_entry *e;
1021 BT_DBG("cache %p, %pMR", cache, bdaddr);
1023 list_for_each_entry(e, &cache->unknown, list) {
1024 if (!bacmp(&e->data.bdaddr, bdaddr))
1031 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1035 struct discovery_state *cache = &hdev->discovery;
1036 struct inquiry_entry *e;
1038 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1040 list_for_each_entry(e, &cache->resolve, list) {
1041 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1043 if (!bacmp(&e->data.bdaddr, bdaddr))
1050 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1051 struct inquiry_entry *ie)
1053 struct discovery_state *cache = &hdev->discovery;
1054 struct list_head *pos = &cache->resolve;
1055 struct inquiry_entry *p;
1057 list_del(&ie->list);
1059 list_for_each_entry(p, &cache->resolve, list) {
1060 if (p->name_state != NAME_PENDING &&
1061 abs(p->data.rssi) >= abs(ie->data.rssi))
1066 list_add(&ie->list, pos);
1069 u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1072 struct discovery_state *cache = &hdev->discovery;
1073 struct inquiry_entry *ie;
1076 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1078 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1080 if (!data->ssp_mode)
1081 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1083 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1085 if (!ie->data.ssp_mode)
1086 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1088 if (ie->name_state == NAME_NEEDED &&
1089 data->rssi != ie->data.rssi) {
1090 ie->data.rssi = data->rssi;
1091 hci_inquiry_cache_update_resolve(hdev, ie);
1097 /* Entry not in the cache. Add new one. */
1098 ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1100 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1104 list_add(&ie->all, &cache->all);
1107 ie->name_state = NAME_KNOWN;
1109 ie->name_state = NAME_NOT_KNOWN;
1110 list_add(&ie->list, &cache->unknown);
1114 if (name_known && ie->name_state != NAME_KNOWN &&
1115 ie->name_state != NAME_PENDING) {
1116 ie->name_state = NAME_KNOWN;
1117 list_del(&ie->list);
1120 memcpy(&ie->data, data, sizeof(*data));
1121 ie->timestamp = jiffies;
1122 cache->timestamp = jiffies;
1124 if (ie->name_state == NAME_NOT_KNOWN)
1125 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1131 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1133 struct discovery_state *cache = &hdev->discovery;
1134 struct inquiry_info *info = (struct inquiry_info *) buf;
1135 struct inquiry_entry *e;
1138 list_for_each_entry(e, &cache->all, all) {
1139 struct inquiry_data *data = &e->data;
1144 bacpy(&info->bdaddr, &data->bdaddr);
1145 info->pscan_rep_mode = data->pscan_rep_mode;
1146 info->pscan_period_mode = data->pscan_period_mode;
1147 info->pscan_mode = data->pscan_mode;
1148 memcpy(info->dev_class, data->dev_class, 3);
1149 info->clock_offset = data->clock_offset;
1155 BT_DBG("cache %p, copied %d", cache, copied);
1159 static int hci_inq_req(struct hci_request *req, unsigned long opt)
1161 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1162 struct hci_dev *hdev = req->hdev;
1163 struct hci_cp_inquiry cp;
1165 BT_DBG("%s", hdev->name);
1167 if (test_bit(HCI_INQUIRY, &hdev->flags))
1171 memcpy(&cp.lap, &ir->lap, 3);
1172 cp.length = ir->length;
1173 cp.num_rsp = ir->num_rsp;
1174 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1179 int hci_inquiry(void __user *arg)
1181 __u8 __user *ptr = arg;
1182 struct hci_inquiry_req ir;
1183 struct hci_dev *hdev;
1184 int err = 0, do_inquiry = 0, max_rsp;
1188 if (copy_from_user(&ir, ptr, sizeof(ir)))
1191 hdev = hci_dev_get(ir.dev_id);
1195 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1200 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1205 if (hdev->dev_type != HCI_BREDR) {
1210 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1216 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1217 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1218 hci_inquiry_cache_flush(hdev);
1221 hci_dev_unlock(hdev);
1223 timeo = ir.length * msecs_to_jiffies(2000);
1226 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1231 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1232 * cleared). If it is interrupted by a signal, return -EINTR.
1234 if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1235 TASK_INTERRUPTIBLE))
1239 /* for unlimited number of responses we will use buffer with
1242 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1244 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1245 * copy it to the user space.
1247 buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1254 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1255 hci_dev_unlock(hdev);
1257 BT_DBG("num_rsp %d", ir.num_rsp);
1259 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1261 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1274 static int hci_dev_do_open(struct hci_dev *hdev)
1278 BT_DBG("%s %p", hdev->name, hdev);
1280 hci_req_sync_lock(hdev);
1282 if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1287 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1288 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
1289 /* Check for rfkill but allow the HCI setup stage to
1290 * proceed (which in itself doesn't cause any RF activity).
1292 if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
1297 /* Check for valid public address or a configured static
1298 * random adddress, but let the HCI setup proceed to
1299 * be able to determine if there is a public address
1302 * In case of user channel usage, it is not important
1303 * if a public address or static random address is
1306 * This check is only valid for BR/EDR controllers
1307 * since AMP controllers do not have an address.
1309 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1310 hdev->dev_type == HCI_BREDR &&
1311 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1312 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1313 ret = -EADDRNOTAVAIL;
1318 if (test_bit(HCI_UP, &hdev->flags)) {
1323 if (hdev->open(hdev)) {
1328 set_bit(HCI_RUNNING, &hdev->flags);
1329 hci_sock_dev_event(hdev, HCI_DEV_OPEN);
1331 atomic_set(&hdev->cmd_cnt, 1);
1332 set_bit(HCI_INIT, &hdev->flags);
1334 if (hci_dev_test_flag(hdev, HCI_SETUP)) {
1335 hci_sock_dev_event(hdev, HCI_DEV_SETUP);
1338 ret = hdev->setup(hdev);
1340 /* The transport driver can set these quirks before
1341 * creating the HCI device or in its setup callback.
1343 * In case any of them is set, the controller has to
1344 * start up as unconfigured.
1346 if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1347 test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks))
1348 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
1350 /* For an unconfigured controller it is required to
1351 * read at least the version information provided by
1352 * the Read Local Version Information command.
1354 * If the set_bdaddr driver callback is provided, then
1355 * also the original Bluetooth public device address
1356 * will be read using the Read BD Address command.
1358 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1359 ret = __hci_unconf_init(hdev);
1362 if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
1363 /* If public address change is configured, ensure that
1364 * the address gets programmed. If the driver does not
1365 * support changing the public address, fail the power
1368 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1370 ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1372 ret = -EADDRNOTAVAIL;
1376 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1377 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1378 ret = __hci_init(hdev);
1379 if (!ret && hdev->post_init)
1380 ret = hdev->post_init(hdev);
1384 /* If the HCI Reset command is clearing all diagnostic settings,
1385 * then they need to be reprogrammed after the init procedure
1388 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
1389 hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
1390 ret = hdev->set_diag(hdev, true);
1392 clear_bit(HCI_INIT, &hdev->flags);
1396 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1397 set_bit(HCI_UP, &hdev->flags);
1398 hci_sock_dev_event(hdev, HCI_DEV_UP);
1399 hci_leds_update_powered(hdev, true);
1400 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1401 !hci_dev_test_flag(hdev, HCI_CONFIG) &&
1402 !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1403 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1404 hci_dev_test_flag(hdev, HCI_MGMT) &&
1405 hdev->dev_type == HCI_BREDR) {
1406 ret = __hci_req_hci_power_on(hdev);
1407 mgmt_power_on(hdev, ret);
1410 /* Init failed, cleanup */
1411 flush_work(&hdev->tx_work);
1412 flush_work(&hdev->cmd_work);
1413 flush_work(&hdev->rx_work);
1415 skb_queue_purge(&hdev->cmd_q);
1416 skb_queue_purge(&hdev->rx_q);
1421 if (hdev->sent_cmd) {
1422 kfree_skb(hdev->sent_cmd);
1423 hdev->sent_cmd = NULL;
1426 clear_bit(HCI_RUNNING, &hdev->flags);
1427 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1430 hdev->flags &= BIT(HCI_RAW);
1434 hci_req_sync_unlock(hdev);
1438 /* ---- HCI ioctl helpers ---- */
1440 int hci_dev_open(__u16 dev)
1442 struct hci_dev *hdev;
1445 hdev = hci_dev_get(dev);
1449 /* Devices that are marked as unconfigured can only be powered
1450 * up as user channel. Trying to bring them up as normal devices
1451 * will result into a failure. Only user channel operation is
1454 * When this function is called for a user channel, the flag
1455 * HCI_USER_CHANNEL will be set first before attempting to
1458 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1459 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1464 /* We need to ensure that no other power on/off work is pending
1465 * before proceeding to call hci_dev_do_open. This is
1466 * particularly important if the setup procedure has not yet
1469 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1470 cancel_delayed_work(&hdev->power_off);
1472 /* After this call it is guaranteed that the setup procedure
1473 * has finished. This means that error conditions like RFKILL
1474 * or no valid public or static random address apply.
1476 flush_workqueue(hdev->req_workqueue);
1478 /* For controllers not using the management interface and that
1479 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1480 * so that pairing works for them. Once the management interface
1481 * is in use this bit will be cleared again and userspace has
1482 * to explicitly enable it.
1484 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1485 !hci_dev_test_flag(hdev, HCI_MGMT))
1486 hci_dev_set_flag(hdev, HCI_BONDABLE);
1488 err = hci_dev_do_open(hdev);
1495 /* This function requires the caller holds hdev->lock */
1496 static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1498 struct hci_conn_params *p;
1500 list_for_each_entry(p, &hdev->le_conn_params, list) {
1502 hci_conn_drop(p->conn);
1503 hci_conn_put(p->conn);
1506 list_del_init(&p->action);
1509 BT_DBG("All LE pending actions cleared");
1512 int hci_dev_do_close(struct hci_dev *hdev)
1516 BT_DBG("%s %p", hdev->name, hdev);
1518 if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
1519 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1520 test_bit(HCI_UP, &hdev->flags)) {
1521 /* Execute vendor specific shutdown routine */
1523 hdev->shutdown(hdev);
1526 cancel_delayed_work(&hdev->power_off);
1528 hci_request_cancel_all(hdev);
1529 hci_req_sync_lock(hdev);
1531 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1532 cancel_delayed_work_sync(&hdev->cmd_timer);
1533 hci_req_sync_unlock(hdev);
1537 hci_leds_update_powered(hdev, false);
1539 /* Flush RX and TX works */
1540 flush_work(&hdev->tx_work);
1541 flush_work(&hdev->rx_work);
1543 if (hdev->discov_timeout > 0) {
1544 hdev->discov_timeout = 0;
1545 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1546 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1549 if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1550 cancel_delayed_work(&hdev->service_cache);
1552 if (hci_dev_test_flag(hdev, HCI_MGMT))
1553 cancel_delayed_work_sync(&hdev->rpa_expired);
1555 /* Avoid potential lockdep warnings from the *_flush() calls by
1556 * ensuring the workqueue is empty up front.
1558 drain_workqueue(hdev->workqueue);
1562 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1564 auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
1566 if (!auto_off && hdev->dev_type == HCI_BREDR &&
1567 hci_dev_test_flag(hdev, HCI_MGMT))
1568 __mgmt_power_off(hdev);
1570 hci_inquiry_cache_flush(hdev);
1571 hci_pend_le_actions_clear(hdev);
1572 hci_conn_hash_flush(hdev);
1573 hci_dev_unlock(hdev);
1575 smp_unregister(hdev);
1577 hci_sock_dev_event(hdev, HCI_DEV_DOWN);
1583 skb_queue_purge(&hdev->cmd_q);
1584 atomic_set(&hdev->cmd_cnt, 1);
1585 if (test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks) &&
1586 !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1587 set_bit(HCI_INIT, &hdev->flags);
1588 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT, NULL);
1589 clear_bit(HCI_INIT, &hdev->flags);
1592 /* flush cmd work */
1593 flush_work(&hdev->cmd_work);
1596 skb_queue_purge(&hdev->rx_q);
1597 skb_queue_purge(&hdev->cmd_q);
1598 skb_queue_purge(&hdev->raw_q);
1600 /* Drop last sent command */
1601 if (hdev->sent_cmd) {
1602 cancel_delayed_work_sync(&hdev->cmd_timer);
1603 kfree_skb(hdev->sent_cmd);
1604 hdev->sent_cmd = NULL;
1607 clear_bit(HCI_RUNNING, &hdev->flags);
1608 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1610 /* After this point our queues are empty
1611 * and no tasks are scheduled. */
1615 hdev->flags &= BIT(HCI_RAW);
1616 hci_dev_clear_volatile_flags(hdev);
1618 /* Controller radio is available but is currently powered down */
1619 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1621 memset(hdev->eir, 0, sizeof(hdev->eir));
1622 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1623 bacpy(&hdev->random_addr, BDADDR_ANY);
1625 hci_req_sync_unlock(hdev);
1631 int hci_dev_close(__u16 dev)
1633 struct hci_dev *hdev;
1636 hdev = hci_dev_get(dev);
1640 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1645 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1646 cancel_delayed_work(&hdev->power_off);
1648 err = hci_dev_do_close(hdev);
1655 static int hci_dev_do_reset(struct hci_dev *hdev)
1659 BT_DBG("%s %p", hdev->name, hdev);
1661 hci_req_sync_lock(hdev);
1664 skb_queue_purge(&hdev->rx_q);
1665 skb_queue_purge(&hdev->cmd_q);
1667 /* Avoid potential lockdep warnings from the *_flush() calls by
1668 * ensuring the workqueue is empty up front.
1670 drain_workqueue(hdev->workqueue);
1673 hci_inquiry_cache_flush(hdev);
1674 hci_conn_hash_flush(hdev);
1675 hci_dev_unlock(hdev);
1680 atomic_set(&hdev->cmd_cnt, 1);
1681 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1683 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT, NULL);
1685 hci_req_sync_unlock(hdev);
1689 int hci_dev_reset(__u16 dev)
1691 struct hci_dev *hdev;
1694 hdev = hci_dev_get(dev);
1698 if (!test_bit(HCI_UP, &hdev->flags)) {
1703 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1708 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1713 err = hci_dev_do_reset(hdev);
1720 int hci_dev_reset_stat(__u16 dev)
1722 struct hci_dev *hdev;
1725 hdev = hci_dev_get(dev);
1729 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1734 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1739 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1746 static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1748 bool conn_changed, discov_changed;
1750 BT_DBG("%s scan 0x%02x", hdev->name, scan);
1752 if ((scan & SCAN_PAGE))
1753 conn_changed = !hci_dev_test_and_set_flag(hdev,
1756 conn_changed = hci_dev_test_and_clear_flag(hdev,
1759 if ((scan & SCAN_INQUIRY)) {
1760 discov_changed = !hci_dev_test_and_set_flag(hdev,
1763 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1764 discov_changed = hci_dev_test_and_clear_flag(hdev,
1768 if (!hci_dev_test_flag(hdev, HCI_MGMT))
1771 if (conn_changed || discov_changed) {
1772 /* In case this was disabled through mgmt */
1773 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
1775 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1776 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1778 mgmt_new_settings(hdev);
1782 int hci_dev_cmd(unsigned int cmd, void __user *arg)
1784 struct hci_dev *hdev;
1785 struct hci_dev_req dr;
1788 if (copy_from_user(&dr, arg, sizeof(dr)))
1791 hdev = hci_dev_get(dr.dev_id);
1795 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1800 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1805 if (hdev->dev_type != HCI_BREDR) {
1810 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1817 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1818 HCI_INIT_TIMEOUT, NULL);
1822 if (!lmp_encrypt_capable(hdev)) {
1827 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1828 /* Auth must be enabled first */
1829 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1830 HCI_INIT_TIMEOUT, NULL);
1835 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1836 HCI_INIT_TIMEOUT, NULL);
1840 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1841 HCI_INIT_TIMEOUT, NULL);
1843 /* Ensure that the connectable and discoverable states
1844 * get correctly modified as this was a non-mgmt change.
1847 hci_update_scan_state(hdev, dr.dev_opt);
1851 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1852 HCI_INIT_TIMEOUT, NULL);
1855 case HCISETLINKMODE:
1856 hdev->link_mode = ((__u16) dr.dev_opt) &
1857 (HCI_LM_MASTER | HCI_LM_ACCEPT);
1861 hdev->pkt_type = (__u16) dr.dev_opt;
1865 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
1866 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1870 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
1871 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1884 int hci_get_dev_list(void __user *arg)
1886 struct hci_dev *hdev;
1887 struct hci_dev_list_req *dl;
1888 struct hci_dev_req *dr;
1889 int n = 0, size, err;
1892 if (get_user(dev_num, (__u16 __user *) arg))
1895 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1898 size = sizeof(*dl) + dev_num * sizeof(*dr);
1900 dl = kzalloc(size, GFP_KERNEL);
1906 read_lock(&hci_dev_list_lock);
1907 list_for_each_entry(hdev, &hci_dev_list, list) {
1908 unsigned long flags = hdev->flags;
1910 /* When the auto-off is configured it means the transport
1911 * is running, but in that case still indicate that the
1912 * device is actually down.
1914 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1915 flags &= ~BIT(HCI_UP);
1917 (dr + n)->dev_id = hdev->id;
1918 (dr + n)->dev_opt = flags;
1923 read_unlock(&hci_dev_list_lock);
1926 size = sizeof(*dl) + n * sizeof(*dr);
1928 err = copy_to_user(arg, dl, size);
1931 return err ? -EFAULT : 0;
1934 int hci_get_dev_info(void __user *arg)
1936 struct hci_dev *hdev;
1937 struct hci_dev_info di;
1938 unsigned long flags;
1941 if (copy_from_user(&di, arg, sizeof(di)))
1944 hdev = hci_dev_get(di.dev_id);
1948 /* When the auto-off is configured it means the transport
1949 * is running, but in that case still indicate that the
1950 * device is actually down.
1952 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1953 flags = hdev->flags & ~BIT(HCI_UP);
1955 flags = hdev->flags;
1957 strcpy(di.name, hdev->name);
1958 di.bdaddr = hdev->bdaddr;
1959 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
1961 di.pkt_type = hdev->pkt_type;
1962 if (lmp_bredr_capable(hdev)) {
1963 di.acl_mtu = hdev->acl_mtu;
1964 di.acl_pkts = hdev->acl_pkts;
1965 di.sco_mtu = hdev->sco_mtu;
1966 di.sco_pkts = hdev->sco_pkts;
1968 di.acl_mtu = hdev->le_mtu;
1969 di.acl_pkts = hdev->le_pkts;
1973 di.link_policy = hdev->link_policy;
1974 di.link_mode = hdev->link_mode;
1976 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1977 memcpy(&di.features, &hdev->features, sizeof(di.features));
1979 if (copy_to_user(arg, &di, sizeof(di)))
1987 /* ---- Interface to HCI drivers ---- */
1989 static int hci_rfkill_set_block(void *data, bool blocked)
1991 struct hci_dev *hdev = data;
1993 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1995 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1999 hci_dev_set_flag(hdev, HCI_RFKILLED);
2000 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
2001 !hci_dev_test_flag(hdev, HCI_CONFIG))
2002 hci_dev_do_close(hdev);
2004 hci_dev_clear_flag(hdev, HCI_RFKILLED);
2010 static const struct rfkill_ops hci_rfkill_ops = {
2011 .set_block = hci_rfkill_set_block,
2014 static void hci_power_on(struct work_struct *work)
2016 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2019 BT_DBG("%s", hdev->name);
2021 if (test_bit(HCI_UP, &hdev->flags) &&
2022 hci_dev_test_flag(hdev, HCI_MGMT) &&
2023 hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
2024 cancel_delayed_work(&hdev->power_off);
2025 hci_req_sync_lock(hdev);
2026 err = __hci_req_hci_power_on(hdev);
2027 hci_req_sync_unlock(hdev);
2028 mgmt_power_on(hdev, err);
2032 err = hci_dev_do_open(hdev);
2035 mgmt_set_powered_failed(hdev, err);
2036 hci_dev_unlock(hdev);
2040 /* During the HCI setup phase, a few error conditions are
2041 * ignored and they need to be checked now. If they are still
2042 * valid, it is important to turn the device back off.
2044 if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
2045 hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
2046 (hdev->dev_type == HCI_BREDR &&
2047 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2048 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2049 hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
2050 hci_dev_do_close(hdev);
2051 } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
2052 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2053 HCI_AUTO_OFF_TIMEOUT);
2056 if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
2057 /* For unconfigured devices, set the HCI_RAW flag
2058 * so that userspace can easily identify them.
2060 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2061 set_bit(HCI_RAW, &hdev->flags);
2063 /* For fully configured devices, this will send
2064 * the Index Added event. For unconfigured devices,
2065 * it will send Unconfigued Index Added event.
2067 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2068 * and no event will be send.
2070 mgmt_index_added(hdev);
2071 } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
2072 /* When the controller is now configured, then it
2073 * is important to clear the HCI_RAW flag.
2075 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2076 clear_bit(HCI_RAW, &hdev->flags);
2078 /* Powering on the controller with HCI_CONFIG set only
2079 * happens with the transition from unconfigured to
2080 * configured. This will send the Index Added event.
2082 mgmt_index_added(hdev);
2086 static void hci_power_off(struct work_struct *work)
2088 struct hci_dev *hdev = container_of(work, struct hci_dev,
2091 BT_DBG("%s", hdev->name);
2093 hci_dev_do_close(hdev);
2096 static void hci_error_reset(struct work_struct *work)
2098 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2100 BT_DBG("%s", hdev->name);
2103 hdev->hw_error(hdev, hdev->hw_error_code);
2105 BT_ERR("%s hardware error 0x%2.2x", hdev->name,
2106 hdev->hw_error_code);
2108 if (hci_dev_do_close(hdev))
2111 hci_dev_do_open(hdev);
2114 void hci_uuids_clear(struct hci_dev *hdev)
2116 struct bt_uuid *uuid, *tmp;
2118 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2119 list_del(&uuid->list);
2124 void hci_link_keys_clear(struct hci_dev *hdev)
2126 struct link_key *key;
2128 list_for_each_entry_rcu(key, &hdev->link_keys, list) {
2129 list_del_rcu(&key->list);
2130 kfree_rcu(key, rcu);
2134 void hci_smp_ltks_clear(struct hci_dev *hdev)
2138 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2139 list_del_rcu(&k->list);
2144 void hci_smp_irks_clear(struct hci_dev *hdev)
2148 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2149 list_del_rcu(&k->list);
2154 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2159 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2160 if (bacmp(bdaddr, &k->bdaddr) == 0) {
2170 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2171 u8 key_type, u8 old_key_type)
2174 if (key_type < 0x03)
2177 /* Debug keys are insecure so don't store them persistently */
2178 if (key_type == HCI_LK_DEBUG_COMBINATION)
2181 /* Changed combination key and there's no previous one */
2182 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2185 /* Security mode 3 case */
2189 /* BR/EDR key derived using SC from an LE link */
2190 if (conn->type == LE_LINK)
2193 /* Neither local nor remote side had no-bonding as requirement */
2194 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2197 /* Local side had dedicated bonding as requirement */
2198 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2201 /* Remote side had dedicated bonding as requirement */
2202 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2205 /* If none of the above criteria match, then don't store the key
2210 static u8 ltk_role(u8 type)
2212 if (type == SMP_LTK)
2213 return HCI_ROLE_MASTER;
2215 return HCI_ROLE_SLAVE;
2218 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2219 u8 addr_type, u8 role)
2224 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2225 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2228 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2238 struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2240 struct smp_irk *irk;
2243 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2244 if (!bacmp(&irk->rpa, rpa)) {
2250 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2251 if (smp_irk_matches(hdev, irk->val, rpa)) {
2252 bacpy(&irk->rpa, rpa);
2262 struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2265 struct smp_irk *irk;
2267 /* Identity Address must be public or static random */
2268 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2272 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2273 if (addr_type == irk->addr_type &&
2274 bacmp(bdaddr, &irk->bdaddr) == 0) {
2284 struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2285 bdaddr_t *bdaddr, u8 *val, u8 type,
2286 u8 pin_len, bool *persistent)
2288 struct link_key *key, *old_key;
2291 old_key = hci_find_link_key(hdev, bdaddr);
2293 old_key_type = old_key->type;
2296 old_key_type = conn ? conn->key_type : 0xff;
2297 key = kzalloc(sizeof(*key), GFP_KERNEL);
2300 list_add_rcu(&key->list, &hdev->link_keys);
2303 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2305 /* Some buggy controller combinations generate a changed
2306 * combination key for legacy pairing even when there's no
2308 if (type == HCI_LK_CHANGED_COMBINATION &&
2309 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2310 type = HCI_LK_COMBINATION;
2312 conn->key_type = type;
2315 bacpy(&key->bdaddr, bdaddr);
2316 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2317 key->pin_len = pin_len;
2319 if (type == HCI_LK_CHANGED_COMBINATION)
2320 key->type = old_key_type;
2325 *persistent = hci_persistent_key(hdev, conn, type,
2331 struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2332 u8 addr_type, u8 type, u8 authenticated,
2333 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2335 struct smp_ltk *key, *old_key;
2336 u8 role = ltk_role(type);
2338 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2342 key = kzalloc(sizeof(*key), GFP_KERNEL);
2345 list_add_rcu(&key->list, &hdev->long_term_keys);
2348 bacpy(&key->bdaddr, bdaddr);
2349 key->bdaddr_type = addr_type;
2350 memcpy(key->val, tk, sizeof(key->val));
2351 key->authenticated = authenticated;
2354 key->enc_size = enc_size;
2360 struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2361 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2363 struct smp_irk *irk;
2365 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2367 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2371 bacpy(&irk->bdaddr, bdaddr);
2372 irk->addr_type = addr_type;
2374 list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2377 memcpy(irk->val, val, 16);
2378 bacpy(&irk->rpa, rpa);
2383 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2385 struct link_key *key;
2387 key = hci_find_link_key(hdev, bdaddr);
2391 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2393 list_del_rcu(&key->list);
2394 kfree_rcu(key, rcu);
2399 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2404 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2405 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2408 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2410 list_del_rcu(&k->list);
2415 return removed ? 0 : -ENOENT;
2418 void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2422 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2423 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2426 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2428 list_del_rcu(&k->list);
2433 bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2436 struct smp_irk *irk;
2439 if (type == BDADDR_BREDR) {
2440 if (hci_find_link_key(hdev, bdaddr))
2445 /* Convert to HCI addr type which struct smp_ltk uses */
2446 if (type == BDADDR_LE_PUBLIC)
2447 addr_type = ADDR_LE_DEV_PUBLIC;
2449 addr_type = ADDR_LE_DEV_RANDOM;
2451 irk = hci_get_irk(hdev, bdaddr, addr_type);
2453 bdaddr = &irk->bdaddr;
2454 addr_type = irk->addr_type;
2458 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2459 if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
2469 /* HCI command timer function */
2470 static void hci_cmd_timeout(struct work_struct *work)
2472 struct hci_dev *hdev = container_of(work, struct hci_dev,
2475 if (hdev->sent_cmd) {
2476 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2477 u16 opcode = __le16_to_cpu(sent->opcode);
2479 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2481 BT_ERR("%s command tx timeout", hdev->name);
2484 atomic_set(&hdev->cmd_cnt, 1);
2485 queue_work(hdev->workqueue, &hdev->cmd_work);
2488 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2489 bdaddr_t *bdaddr, u8 bdaddr_type)
2491 struct oob_data *data;
2493 list_for_each_entry(data, &hdev->remote_oob_data, list) {
2494 if (bacmp(bdaddr, &data->bdaddr) != 0)
2496 if (data->bdaddr_type != bdaddr_type)
2504 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2507 struct oob_data *data;
2509 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2513 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2515 list_del(&data->list);
2521 void hci_remote_oob_data_clear(struct hci_dev *hdev)
2523 struct oob_data *data, *n;
2525 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2526 list_del(&data->list);
2531 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2532 u8 bdaddr_type, u8 *hash192, u8 *rand192,
2533 u8 *hash256, u8 *rand256)
2535 struct oob_data *data;
2537 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2539 data = kmalloc(sizeof(*data), GFP_KERNEL);
2543 bacpy(&data->bdaddr, bdaddr);
2544 data->bdaddr_type = bdaddr_type;
2545 list_add(&data->list, &hdev->remote_oob_data);
2548 if (hash192 && rand192) {
2549 memcpy(data->hash192, hash192, sizeof(data->hash192));
2550 memcpy(data->rand192, rand192, sizeof(data->rand192));
2551 if (hash256 && rand256)
2552 data->present = 0x03;
2554 memset(data->hash192, 0, sizeof(data->hash192));
2555 memset(data->rand192, 0, sizeof(data->rand192));
2556 if (hash256 && rand256)
2557 data->present = 0x02;
2559 data->present = 0x00;
2562 if (hash256 && rand256) {
2563 memcpy(data->hash256, hash256, sizeof(data->hash256));
2564 memcpy(data->rand256, rand256, sizeof(data->rand256));
2566 memset(data->hash256, 0, sizeof(data->hash256));
2567 memset(data->rand256, 0, sizeof(data->rand256));
2568 if (hash192 && rand192)
2569 data->present = 0x01;
2572 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2577 /* This function requires the caller holds hdev->lock */
2578 struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
2580 struct adv_info *adv_instance;
2582 list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
2583 if (adv_instance->instance == instance)
2584 return adv_instance;
2590 /* This function requires the caller holds hdev->lock */
2591 struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
2593 struct adv_info *cur_instance;
2595 cur_instance = hci_find_adv_instance(hdev, instance);
2599 if (cur_instance == list_last_entry(&hdev->adv_instances,
2600 struct adv_info, list))
2601 return list_first_entry(&hdev->adv_instances,
2602 struct adv_info, list);
2604 return list_next_entry(cur_instance, list);
2607 /* This function requires the caller holds hdev->lock */
2608 int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
2610 struct adv_info *adv_instance;
2612 adv_instance = hci_find_adv_instance(hdev, instance);
2616 BT_DBG("%s removing %dMR", hdev->name, instance);
2618 if (hdev->cur_adv_instance == instance) {
2619 if (hdev->adv_instance_timeout) {
2620 cancel_delayed_work(&hdev->adv_instance_expire);
2621 hdev->adv_instance_timeout = 0;
2623 hdev->cur_adv_instance = 0x00;
2626 list_del(&adv_instance->list);
2627 kfree(adv_instance);
2629 hdev->adv_instance_cnt--;
2634 /* This function requires the caller holds hdev->lock */
2635 void hci_adv_instances_clear(struct hci_dev *hdev)
2637 struct adv_info *adv_instance, *n;
2639 if (hdev->adv_instance_timeout) {
2640 cancel_delayed_work(&hdev->adv_instance_expire);
2641 hdev->adv_instance_timeout = 0;
2644 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
2645 list_del(&adv_instance->list);
2646 kfree(adv_instance);
2649 hdev->adv_instance_cnt = 0;
2650 hdev->cur_adv_instance = 0x00;
2653 /* This function requires the caller holds hdev->lock */
2654 int hci_add_adv_instance(struct hci_dev *hdev, u8 instance, u32 flags,
2655 u16 adv_data_len, u8 *adv_data,
2656 u16 scan_rsp_len, u8 *scan_rsp_data,
2657 u16 timeout, u16 duration)
2659 struct adv_info *adv_instance;
2661 adv_instance = hci_find_adv_instance(hdev, instance);
2663 memset(adv_instance->adv_data, 0,
2664 sizeof(adv_instance->adv_data));
2665 memset(adv_instance->scan_rsp_data, 0,
2666 sizeof(adv_instance->scan_rsp_data));
2668 if (hdev->adv_instance_cnt >= HCI_MAX_ADV_INSTANCES ||
2669 instance < 1 || instance > HCI_MAX_ADV_INSTANCES)
2672 adv_instance = kzalloc(sizeof(*adv_instance), GFP_KERNEL);
2676 adv_instance->pending = true;
2677 adv_instance->instance = instance;
2678 list_add(&adv_instance->list, &hdev->adv_instances);
2679 hdev->adv_instance_cnt++;
2682 adv_instance->flags = flags;
2683 adv_instance->adv_data_len = adv_data_len;
2684 adv_instance->scan_rsp_len = scan_rsp_len;
2687 memcpy(adv_instance->adv_data, adv_data, adv_data_len);
2690 memcpy(adv_instance->scan_rsp_data,
2691 scan_rsp_data, scan_rsp_len);
2693 adv_instance->timeout = timeout;
2694 adv_instance->remaining_time = timeout;
2697 adv_instance->duration = HCI_DEFAULT_ADV_DURATION;
2699 adv_instance->duration = duration;
2701 BT_DBG("%s for %dMR", hdev->name, instance);
2706 struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2707 bdaddr_t *bdaddr, u8 type)
2709 struct bdaddr_list *b;
2711 list_for_each_entry(b, bdaddr_list, list) {
2712 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2719 void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2721 struct bdaddr_list *b, *n;
2723 list_for_each_entry_safe(b, n, bdaddr_list, list) {
2729 int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2731 struct bdaddr_list *entry;
2733 if (!bacmp(bdaddr, BDADDR_ANY))
2736 if (hci_bdaddr_list_lookup(list, bdaddr, type))
2739 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2743 bacpy(&entry->bdaddr, bdaddr);
2744 entry->bdaddr_type = type;
2746 list_add(&entry->list, list);
2751 int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2753 struct bdaddr_list *entry;
2755 if (!bacmp(bdaddr, BDADDR_ANY)) {
2756 hci_bdaddr_list_clear(list);
2760 entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2764 list_del(&entry->list);
2770 /* This function requires the caller holds hdev->lock */
2771 struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2772 bdaddr_t *addr, u8 addr_type)
2774 struct hci_conn_params *params;
2776 list_for_each_entry(params, &hdev->le_conn_params, list) {
2777 if (bacmp(¶ms->addr, addr) == 0 &&
2778 params->addr_type == addr_type) {
2786 /* This function requires the caller holds hdev->lock */
2787 struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2788 bdaddr_t *addr, u8 addr_type)
2790 struct hci_conn_params *param;
2792 list_for_each_entry(param, list, action) {
2793 if (bacmp(¶m->addr, addr) == 0 &&
2794 param->addr_type == addr_type)
2801 /* This function requires the caller holds hdev->lock */
2802 struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2803 bdaddr_t *addr, u8 addr_type)
2805 struct hci_conn_params *params;
2807 params = hci_conn_params_lookup(hdev, addr, addr_type);
2811 params = kzalloc(sizeof(*params), GFP_KERNEL);
2813 BT_ERR("Out of memory");
2817 bacpy(¶ms->addr, addr);
2818 params->addr_type = addr_type;
2820 list_add(¶ms->list, &hdev->le_conn_params);
2821 INIT_LIST_HEAD(¶ms->action);
2823 params->conn_min_interval = hdev->le_conn_min_interval;
2824 params->conn_max_interval = hdev->le_conn_max_interval;
2825 params->conn_latency = hdev->le_conn_latency;
2826 params->supervision_timeout = hdev->le_supv_timeout;
2827 params->auto_connect = HCI_AUTO_CONN_DISABLED;
2829 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2834 static void hci_conn_params_free(struct hci_conn_params *params)
2837 hci_conn_drop(params->conn);
2838 hci_conn_put(params->conn);
2841 list_del(¶ms->action);
2842 list_del(¶ms->list);
2846 /* This function requires the caller holds hdev->lock */
2847 void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2849 struct hci_conn_params *params;
2851 params = hci_conn_params_lookup(hdev, addr, addr_type);
2855 hci_conn_params_free(params);
2857 hci_update_background_scan(hdev);
2859 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2862 /* This function requires the caller holds hdev->lock */
2863 void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2865 struct hci_conn_params *params, *tmp;
2867 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2868 if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2871 /* If trying to estabilish one time connection to disabled
2872 * device, leave the params, but mark them as just once.
2874 if (params->explicit_connect) {
2875 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2879 list_del(¶ms->list);
2883 BT_DBG("All LE disabled connection parameters were removed");
2886 /* This function requires the caller holds hdev->lock */
2887 static void hci_conn_params_clear_all(struct hci_dev *hdev)
2889 struct hci_conn_params *params, *tmp;
2891 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2892 hci_conn_params_free(params);
2894 BT_DBG("All LE connection parameters were removed");
2897 /* Copy the Identity Address of the controller.
2899 * If the controller has a public BD_ADDR, then by default use that one.
2900 * If this is a LE only controller without a public address, default to
2901 * the static random address.
2903 * For debugging purposes it is possible to force controllers with a
2904 * public address to use the static random address instead.
2906 * In case BR/EDR has been disabled on a dual-mode controller and
2907 * userspace has configured a static address, then that address
2908 * becomes the identity address instead of the public BR/EDR address.
2910 void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2913 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2914 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2915 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2916 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2917 bacpy(bdaddr, &hdev->static_addr);
2918 *bdaddr_type = ADDR_LE_DEV_RANDOM;
2920 bacpy(bdaddr, &hdev->bdaddr);
2921 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
2925 /* Alloc HCI device */
2926 struct hci_dev *hci_alloc_dev(void)
2928 struct hci_dev *hdev;
2930 hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
2934 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2935 hdev->esco_type = (ESCO_HV1);
2936 hdev->link_mode = (HCI_LM_ACCEPT);
2937 hdev->num_iac = 0x01; /* One IAC support is mandatory */
2938 hdev->io_capability = 0x03; /* No Input No Output */
2939 hdev->manufacturer = 0xffff; /* Default to internal use */
2940 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2941 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2942 hdev->adv_instance_cnt = 0;
2943 hdev->cur_adv_instance = 0x00;
2944 hdev->adv_instance_timeout = 0;
2946 hdev->sniff_max_interval = 800;
2947 hdev->sniff_min_interval = 80;
2949 hdev->le_adv_channel_map = 0x07;
2950 hdev->le_adv_min_interval = 0x0800;
2951 hdev->le_adv_max_interval = 0x0800;
2952 hdev->le_scan_interval = 0x0060;
2953 hdev->le_scan_window = 0x0030;
2954 hdev->le_conn_min_interval = 0x0028;
2955 hdev->le_conn_max_interval = 0x0038;
2956 hdev->le_conn_latency = 0x0000;
2957 hdev->le_supv_timeout = 0x002a;
2958 hdev->le_def_tx_len = 0x001b;
2959 hdev->le_def_tx_time = 0x0148;
2960 hdev->le_max_tx_len = 0x001b;
2961 hdev->le_max_tx_time = 0x0148;
2962 hdev->le_max_rx_len = 0x001b;
2963 hdev->le_max_rx_time = 0x0148;
2965 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2966 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2967 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2968 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2970 mutex_init(&hdev->lock);
2971 mutex_init(&hdev->req_lock);
2973 INIT_LIST_HEAD(&hdev->mgmt_pending);
2974 INIT_LIST_HEAD(&hdev->blacklist);
2975 INIT_LIST_HEAD(&hdev->whitelist);
2976 INIT_LIST_HEAD(&hdev->uuids);
2977 INIT_LIST_HEAD(&hdev->link_keys);
2978 INIT_LIST_HEAD(&hdev->long_term_keys);
2979 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2980 INIT_LIST_HEAD(&hdev->remote_oob_data);
2981 INIT_LIST_HEAD(&hdev->le_white_list);
2982 INIT_LIST_HEAD(&hdev->le_conn_params);
2983 INIT_LIST_HEAD(&hdev->pend_le_conns);
2984 INIT_LIST_HEAD(&hdev->pend_le_reports);
2985 INIT_LIST_HEAD(&hdev->conn_hash.list);
2986 INIT_LIST_HEAD(&hdev->adv_instances);
2988 INIT_WORK(&hdev->rx_work, hci_rx_work);
2989 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2990 INIT_WORK(&hdev->tx_work, hci_tx_work);
2991 INIT_WORK(&hdev->power_on, hci_power_on);
2992 INIT_WORK(&hdev->error_reset, hci_error_reset);
2994 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2996 skb_queue_head_init(&hdev->rx_q);
2997 skb_queue_head_init(&hdev->cmd_q);
2998 skb_queue_head_init(&hdev->raw_q);
3000 init_waitqueue_head(&hdev->req_wait_q);
3002 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3004 hci_request_setup(hdev);
3006 hci_init_sysfs(hdev);
3007 discovery_init(hdev);
3011 EXPORT_SYMBOL(hci_alloc_dev);
3013 /* Free HCI device */
3014 void hci_free_dev(struct hci_dev *hdev)
3016 /* will free via device release */
3017 put_device(&hdev->dev);
3019 EXPORT_SYMBOL(hci_free_dev);
3021 /* Register HCI device */
3022 int hci_register_dev(struct hci_dev *hdev)
3026 if (!hdev->open || !hdev->close || !hdev->send)
3029 /* Do not allow HCI_AMP devices to register at index 0,
3030 * so the index can be used as the AMP controller ID.
3032 switch (hdev->dev_type) {
3034 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3037 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3046 sprintf(hdev->name, "hci%d", id);
3049 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3051 hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3052 WQ_MEM_RECLAIM, 1, hdev->name);
3053 if (!hdev->workqueue) {
3058 hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3059 WQ_MEM_RECLAIM, 1, hdev->name);
3060 if (!hdev->req_workqueue) {
3061 destroy_workqueue(hdev->workqueue);
3066 if (!IS_ERR_OR_NULL(bt_debugfs))
3067 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3069 dev_set_name(&hdev->dev, "%s", hdev->name);
3071 error = device_add(&hdev->dev);
3075 hci_leds_init(hdev);
3077 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3078 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3081 if (rfkill_register(hdev->rfkill) < 0) {
3082 rfkill_destroy(hdev->rfkill);
3083 hdev->rfkill = NULL;
3087 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3088 hci_dev_set_flag(hdev, HCI_RFKILLED);
3090 hci_dev_set_flag(hdev, HCI_SETUP);
3091 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
3093 if (hdev->dev_type == HCI_BREDR) {
3094 /* Assume BR/EDR support until proven otherwise (such as
3095 * through reading supported features during init.
3097 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
3100 write_lock(&hci_dev_list_lock);
3101 list_add(&hdev->list, &hci_dev_list);
3102 write_unlock(&hci_dev_list_lock);
3104 /* Devices that are marked for raw-only usage are unconfigured
3105 * and should not be included in normal operation.
3107 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3108 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
3110 hci_sock_dev_event(hdev, HCI_DEV_REG);
3113 queue_work(hdev->req_workqueue, &hdev->power_on);
3118 destroy_workqueue(hdev->workqueue);
3119 destroy_workqueue(hdev->req_workqueue);
3121 ida_simple_remove(&hci_index_ida, hdev->id);
3125 EXPORT_SYMBOL(hci_register_dev);
3127 /* Unregister HCI device */
3128 void hci_unregister_dev(struct hci_dev *hdev)
3132 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3134 hci_dev_set_flag(hdev, HCI_UNREGISTER);
3138 write_lock(&hci_dev_list_lock);
3139 list_del(&hdev->list);
3140 write_unlock(&hci_dev_list_lock);
3142 hci_dev_do_close(hdev);
3144 cancel_work_sync(&hdev->power_on);
3146 if (!test_bit(HCI_INIT, &hdev->flags) &&
3147 !hci_dev_test_flag(hdev, HCI_SETUP) &&
3148 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
3150 mgmt_index_removed(hdev);
3151 hci_dev_unlock(hdev);
3154 /* mgmt_index_removed should take care of emptying the
3156 BUG_ON(!list_empty(&hdev->mgmt_pending));
3158 hci_sock_dev_event(hdev, HCI_DEV_UNREG);
3161 rfkill_unregister(hdev->rfkill);
3162 rfkill_destroy(hdev->rfkill);
3165 device_del(&hdev->dev);
3167 debugfs_remove_recursive(hdev->debugfs);
3169 destroy_workqueue(hdev->workqueue);
3170 destroy_workqueue(hdev->req_workqueue);
3173 hci_bdaddr_list_clear(&hdev->blacklist);
3174 hci_bdaddr_list_clear(&hdev->whitelist);
3175 hci_uuids_clear(hdev);
3176 hci_link_keys_clear(hdev);
3177 hci_smp_ltks_clear(hdev);
3178 hci_smp_irks_clear(hdev);
3179 hci_remote_oob_data_clear(hdev);
3180 hci_adv_instances_clear(hdev);
3181 hci_bdaddr_list_clear(&hdev->le_white_list);
3182 hci_conn_params_clear_all(hdev);
3183 hci_discovery_filter_clear(hdev);
3184 hci_dev_unlock(hdev);
3188 ida_simple_remove(&hci_index_ida, id);
3190 EXPORT_SYMBOL(hci_unregister_dev);
3192 /* Suspend HCI device */
3193 int hci_suspend_dev(struct hci_dev *hdev)
3195 hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
3198 EXPORT_SYMBOL(hci_suspend_dev);
3200 /* Resume HCI device */
3201 int hci_resume_dev(struct hci_dev *hdev)
3203 hci_sock_dev_event(hdev, HCI_DEV_RESUME);
3206 EXPORT_SYMBOL(hci_resume_dev);
3208 /* Reset HCI device */
3209 int hci_reset_dev(struct hci_dev *hdev)
3211 const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
3212 struct sk_buff *skb;
3214 skb = bt_skb_alloc(3, GFP_ATOMIC);
3218 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
3219 memcpy(skb_put(skb, 3), hw_err, 3);
3221 /* Send Hardware Error to upper stack */
3222 return hci_recv_frame(hdev, skb);
3224 EXPORT_SYMBOL(hci_reset_dev);
3226 /* Receive frame from HCI drivers */
3227 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3229 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3230 && !test_bit(HCI_INIT, &hdev->flags))) {
3235 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
3236 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
3237 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
3243 bt_cb(skb)->incoming = 1;
3246 __net_timestamp(skb);
3248 skb_queue_tail(&hdev->rx_q, skb);
3249 queue_work(hdev->workqueue, &hdev->rx_work);
3253 EXPORT_SYMBOL(hci_recv_frame);
3255 /* Receive diagnostic message from HCI drivers */
3256 int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
3258 /* Mark as diagnostic packet */
3259 hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
3262 __net_timestamp(skb);
3264 skb_queue_tail(&hdev->rx_q, skb);
3265 queue_work(hdev->workqueue, &hdev->rx_work);
3269 EXPORT_SYMBOL(hci_recv_diag);
3271 /* ---- Interface to upper protocols ---- */
3273 int hci_register_cb(struct hci_cb *cb)
3275 BT_DBG("%p name %s", cb, cb->name);
3277 mutex_lock(&hci_cb_list_lock);
3278 list_add_tail(&cb->list, &hci_cb_list);
3279 mutex_unlock(&hci_cb_list_lock);
3283 EXPORT_SYMBOL(hci_register_cb);
3285 int hci_unregister_cb(struct hci_cb *cb)
3287 BT_DBG("%p name %s", cb, cb->name);
3289 mutex_lock(&hci_cb_list_lock);
3290 list_del(&cb->list);
3291 mutex_unlock(&hci_cb_list_lock);
3295 EXPORT_SYMBOL(hci_unregister_cb);
3297 static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3301 BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3305 __net_timestamp(skb);
3307 /* Send copy to monitor */
3308 hci_send_to_monitor(hdev, skb);
3310 if (atomic_read(&hdev->promisc)) {
3311 /* Send copy to the sockets */
3312 hci_send_to_sock(hdev, skb);
3315 /* Get rid of skb owner, prior to sending to the driver. */
3318 if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3323 err = hdev->send(hdev, skb);
3325 BT_ERR("%s sending frame failed (%d)", hdev->name, err);
3330 /* Send HCI command */
3331 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3334 struct sk_buff *skb;
3336 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3338 skb = hci_prepare_cmd(hdev, opcode, plen, param);
3340 BT_ERR("%s no memory for command", hdev->name);
3344 /* Stand-alone HCI commands must be flagged as
3345 * single-command requests.
3347 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3349 skb_queue_tail(&hdev->cmd_q, skb);
3350 queue_work(hdev->workqueue, &hdev->cmd_work);
3355 /* Get data from the previously sent command */
3356 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3358 struct hci_command_hdr *hdr;
3360 if (!hdev->sent_cmd)
3363 hdr = (void *) hdev->sent_cmd->data;
3365 if (hdr->opcode != cpu_to_le16(opcode))
3368 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3370 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3373 /* Send HCI command and wait for command commplete event */
3374 struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
3375 const void *param, u32 timeout)
3377 struct sk_buff *skb;
3379 if (!test_bit(HCI_UP, &hdev->flags))
3380 return ERR_PTR(-ENETDOWN);
3382 bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
3384 hci_req_sync_lock(hdev);
3385 skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
3386 hci_req_sync_unlock(hdev);
3390 EXPORT_SYMBOL(hci_cmd_sync);
3393 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3395 struct hci_acl_hdr *hdr;
3398 skb_push(skb, HCI_ACL_HDR_SIZE);
3399 skb_reset_transport_header(skb);
3400 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3401 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3402 hdr->dlen = cpu_to_le16(len);
3405 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3406 struct sk_buff *skb, __u16 flags)
3408 struct hci_conn *conn = chan->conn;
3409 struct hci_dev *hdev = conn->hdev;
3410 struct sk_buff *list;
3412 skb->len = skb_headlen(skb);
3415 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3417 switch (hdev->dev_type) {
3419 hci_add_acl_hdr(skb, conn->handle, flags);
3422 hci_add_acl_hdr(skb, chan->handle, flags);
3425 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3429 list = skb_shinfo(skb)->frag_list;
3431 /* Non fragmented */
3432 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3434 skb_queue_tail(queue, skb);
3437 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3439 skb_shinfo(skb)->frag_list = NULL;
3441 /* Queue all fragments atomically. We need to use spin_lock_bh
3442 * here because of 6LoWPAN links, as there this function is
3443 * called from softirq and using normal spin lock could cause
3446 spin_lock_bh(&queue->lock);
3448 __skb_queue_tail(queue, skb);
3450 flags &= ~ACL_START;
3453 skb = list; list = list->next;
3455 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3456 hci_add_acl_hdr(skb, conn->handle, flags);
3458 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3460 __skb_queue_tail(queue, skb);
3463 spin_unlock_bh(&queue->lock);
3467 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3469 struct hci_dev *hdev = chan->conn->hdev;
3471 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3473 hci_queue_acl(chan, &chan->data_q, skb, flags);
3475 queue_work(hdev->workqueue, &hdev->tx_work);
3479 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3481 struct hci_dev *hdev = conn->hdev;
3482 struct hci_sco_hdr hdr;
3484 BT_DBG("%s len %d", hdev->name, skb->len);
3486 hdr.handle = cpu_to_le16(conn->handle);
3487 hdr.dlen = skb->len;
3489 skb_push(skb, HCI_SCO_HDR_SIZE);
3490 skb_reset_transport_header(skb);
3491 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3493 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3495 skb_queue_tail(&conn->data_q, skb);
3496 queue_work(hdev->workqueue, &hdev->tx_work);
3499 /* ---- HCI TX task (outgoing data) ---- */
3501 /* HCI Connection scheduler */
3502 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3505 struct hci_conn_hash *h = &hdev->conn_hash;
3506 struct hci_conn *conn = NULL, *c;
3507 unsigned int num = 0, min = ~0;
3509 /* We don't have to lock device here. Connections are always
3510 * added and removed with TX task disabled. */
3514 list_for_each_entry_rcu(c, &h->list, list) {
3515 if (c->type != type || skb_queue_empty(&c->data_q))
3518 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3523 if (c->sent < min) {
3528 if (hci_conn_num(hdev, type) == num)
3537 switch (conn->type) {
3539 cnt = hdev->acl_cnt;
3543 cnt = hdev->sco_cnt;
3546 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3550 BT_ERR("Unknown link type");
3558 BT_DBG("conn %p quote %d", conn, *quote);
3562 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3564 struct hci_conn_hash *h = &hdev->conn_hash;
3567 BT_ERR("%s link tx timeout", hdev->name);
3571 /* Kill stalled connections */
3572 list_for_each_entry_rcu(c, &h->list, list) {
3573 if (c->type == type && c->sent) {
3574 BT_ERR("%s killing stalled connection %pMR",
3575 hdev->name, &c->dst);
3576 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3583 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3586 struct hci_conn_hash *h = &hdev->conn_hash;
3587 struct hci_chan *chan = NULL;
3588 unsigned int num = 0, min = ~0, cur_prio = 0;
3589 struct hci_conn *conn;
3590 int cnt, q, conn_num = 0;
3592 BT_DBG("%s", hdev->name);
3596 list_for_each_entry_rcu(conn, &h->list, list) {
3597 struct hci_chan *tmp;
3599 if (conn->type != type)
3602 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3607 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3608 struct sk_buff *skb;
3610 if (skb_queue_empty(&tmp->data_q))
3613 skb = skb_peek(&tmp->data_q);
3614 if (skb->priority < cur_prio)
3617 if (skb->priority > cur_prio) {
3620 cur_prio = skb->priority;
3625 if (conn->sent < min) {
3631 if (hci_conn_num(hdev, type) == conn_num)
3640 switch (chan->conn->type) {
3642 cnt = hdev->acl_cnt;
3645 cnt = hdev->block_cnt;
3649 cnt = hdev->sco_cnt;
3652 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3656 BT_ERR("Unknown link type");
3661 BT_DBG("chan %p quote %d", chan, *quote);
3665 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3667 struct hci_conn_hash *h = &hdev->conn_hash;
3668 struct hci_conn *conn;
3671 BT_DBG("%s", hdev->name);
3675 list_for_each_entry_rcu(conn, &h->list, list) {
3676 struct hci_chan *chan;
3678 if (conn->type != type)
3681 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3686 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3687 struct sk_buff *skb;
3694 if (skb_queue_empty(&chan->data_q))
3697 skb = skb_peek(&chan->data_q);
3698 if (skb->priority >= HCI_PRIO_MAX - 1)
3701 skb->priority = HCI_PRIO_MAX - 1;
3703 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3707 if (hci_conn_num(hdev, type) == num)
3715 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3717 /* Calculate count of blocks used by this packet */
3718 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3721 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3723 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3724 /* ACL tx timeout must be longer than maximum
3725 * link supervision timeout (40.9 seconds) */
3726 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3727 HCI_ACL_TX_TIMEOUT))
3728 hci_link_tx_to(hdev, ACL_LINK);
3732 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3734 unsigned int cnt = hdev->acl_cnt;
3735 struct hci_chan *chan;
3736 struct sk_buff *skb;
3739 __check_timeout(hdev, cnt);
3741 while (hdev->acl_cnt &&
3742 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
3743 u32 priority = (skb_peek(&chan->data_q))->priority;
3744 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3745 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3746 skb->len, skb->priority);
3748 /* Stop if priority has changed */
3749 if (skb->priority < priority)
3752 skb = skb_dequeue(&chan->data_q);
3754 hci_conn_enter_active_mode(chan->conn,
3755 bt_cb(skb)->force_active);
3757 hci_send_frame(hdev, skb);
3758 hdev->acl_last_tx = jiffies;
3766 if (cnt != hdev->acl_cnt)
3767 hci_prio_recalculate(hdev, ACL_LINK);
3770 static void hci_sched_acl_blk(struct hci_dev *hdev)
3772 unsigned int cnt = hdev->block_cnt;
3773 struct hci_chan *chan;
3774 struct sk_buff *skb;
3778 __check_timeout(hdev, cnt);
3780 BT_DBG("%s", hdev->name);
3782 if (hdev->dev_type == HCI_AMP)
3787 while (hdev->block_cnt > 0 &&
3788 (chan = hci_chan_sent(hdev, type, "e))) {
3789 u32 priority = (skb_peek(&chan->data_q))->priority;
3790 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3793 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3794 skb->len, skb->priority);
3796 /* Stop if priority has changed */
3797 if (skb->priority < priority)
3800 skb = skb_dequeue(&chan->data_q);
3802 blocks = __get_blocks(hdev, skb);
3803 if (blocks > hdev->block_cnt)
3806 hci_conn_enter_active_mode(chan->conn,
3807 bt_cb(skb)->force_active);
3809 hci_send_frame(hdev, skb);
3810 hdev->acl_last_tx = jiffies;
3812 hdev->block_cnt -= blocks;
3815 chan->sent += blocks;
3816 chan->conn->sent += blocks;
3820 if (cnt != hdev->block_cnt)
3821 hci_prio_recalculate(hdev, type);
3824 static void hci_sched_acl(struct hci_dev *hdev)
3826 BT_DBG("%s", hdev->name);
3828 /* No ACL link over BR/EDR controller */
3829 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3832 /* No AMP link over AMP controller */
3833 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3836 switch (hdev->flow_ctl_mode) {
3837 case HCI_FLOW_CTL_MODE_PACKET_BASED:
3838 hci_sched_acl_pkt(hdev);
3841 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3842 hci_sched_acl_blk(hdev);
3848 static void hci_sched_sco(struct hci_dev *hdev)
3850 struct hci_conn *conn;
3851 struct sk_buff *skb;
3854 BT_DBG("%s", hdev->name);
3856 if (!hci_conn_num(hdev, SCO_LINK))
3859 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
3860 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3861 BT_DBG("skb %p len %d", skb, skb->len);
3862 hci_send_frame(hdev, skb);
3865 if (conn->sent == ~0)
3871 static void hci_sched_esco(struct hci_dev *hdev)
3873 struct hci_conn *conn;
3874 struct sk_buff *skb;
3877 BT_DBG("%s", hdev->name);
3879 if (!hci_conn_num(hdev, ESCO_LINK))
3882 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3884 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3885 BT_DBG("skb %p len %d", skb, skb->len);
3886 hci_send_frame(hdev, skb);
3889 if (conn->sent == ~0)
3895 static void hci_sched_le(struct hci_dev *hdev)
3897 struct hci_chan *chan;
3898 struct sk_buff *skb;
3899 int quote, cnt, tmp;
3901 BT_DBG("%s", hdev->name);
3903 if (!hci_conn_num(hdev, LE_LINK))
3906 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3907 /* LE tx timeout must be longer than maximum
3908 * link supervision timeout (40.9 seconds) */
3909 if (!hdev->le_cnt && hdev->le_pkts &&
3910 time_after(jiffies, hdev->le_last_tx + HZ * 45))
3911 hci_link_tx_to(hdev, LE_LINK);
3914 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3916 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
3917 u32 priority = (skb_peek(&chan->data_q))->priority;
3918 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3919 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3920 skb->len, skb->priority);
3922 /* Stop if priority has changed */
3923 if (skb->priority < priority)
3926 skb = skb_dequeue(&chan->data_q);
3928 hci_send_frame(hdev, skb);
3929 hdev->le_last_tx = jiffies;
3940 hdev->acl_cnt = cnt;
3943 hci_prio_recalculate(hdev, LE_LINK);
3946 static void hci_tx_work(struct work_struct *work)
3948 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3949 struct sk_buff *skb;
3951 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3952 hdev->sco_cnt, hdev->le_cnt);
3954 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3955 /* Schedule queues and send stuff to HCI driver */
3956 hci_sched_acl(hdev);
3957 hci_sched_sco(hdev);
3958 hci_sched_esco(hdev);
3962 /* Send next queued raw (unknown type) packet */
3963 while ((skb = skb_dequeue(&hdev->raw_q)))
3964 hci_send_frame(hdev, skb);
3967 /* ----- HCI RX task (incoming data processing) ----- */
3969 /* ACL data packet */
3970 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3972 struct hci_acl_hdr *hdr = (void *) skb->data;
3973 struct hci_conn *conn;
3974 __u16 handle, flags;
3976 skb_pull(skb, HCI_ACL_HDR_SIZE);
3978 handle = __le16_to_cpu(hdr->handle);
3979 flags = hci_flags(handle);
3980 handle = hci_handle(handle);
3982 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3985 hdev->stat.acl_rx++;
3988 conn = hci_conn_hash_lookup_handle(hdev, handle);
3989 hci_dev_unlock(hdev);
3992 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3994 /* Send to upper protocol */
3995 l2cap_recv_acldata(conn, skb, flags);
3998 BT_ERR("%s ACL packet for unknown connection handle %d",
3999 hdev->name, handle);
4005 /* SCO data packet */
4006 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4008 struct hci_sco_hdr *hdr = (void *) skb->data;
4009 struct hci_conn *conn;
4012 skb_pull(skb, HCI_SCO_HDR_SIZE);
4014 handle = __le16_to_cpu(hdr->handle);
4016 BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4018 hdev->stat.sco_rx++;
4021 conn = hci_conn_hash_lookup_handle(hdev, handle);
4022 hci_dev_unlock(hdev);
4025 /* Send to upper protocol */
4026 sco_recv_scodata(conn, skb);
4029 BT_ERR("%s SCO packet for unknown connection handle %d",
4030 hdev->name, handle);
4036 static bool hci_req_is_complete(struct hci_dev *hdev)
4038 struct sk_buff *skb;
4040 skb = skb_peek(&hdev->cmd_q);
4044 return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
4047 static void hci_resend_last(struct hci_dev *hdev)
4049 struct hci_command_hdr *sent;
4050 struct sk_buff *skb;
4053 if (!hdev->sent_cmd)
4056 sent = (void *) hdev->sent_cmd->data;
4057 opcode = __le16_to_cpu(sent->opcode);
4058 if (opcode == HCI_OP_RESET)
4061 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4065 skb_queue_head(&hdev->cmd_q, skb);
4066 queue_work(hdev->workqueue, &hdev->cmd_work);
4069 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
4070 hci_req_complete_t *req_complete,
4071 hci_req_complete_skb_t *req_complete_skb)
4073 struct sk_buff *skb;
4074 unsigned long flags;
4076 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4078 /* If the completed command doesn't match the last one that was
4079 * sent we need to do special handling of it.
4081 if (!hci_sent_cmd_data(hdev, opcode)) {
4082 /* Some CSR based controllers generate a spontaneous
4083 * reset complete event during init and any pending
4084 * command will never be completed. In such a case we
4085 * need to resend whatever was the last sent
4088 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4089 hci_resend_last(hdev);
4094 /* If the command succeeded and there's still more commands in
4095 * this request the request is not yet complete.
4097 if (!status && !hci_req_is_complete(hdev))
4100 /* If this was the last command in a request the complete
4101 * callback would be found in hdev->sent_cmd instead of the
4102 * command queue (hdev->cmd_q).
4104 if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
4105 *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
4109 if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
4110 *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
4114 /* Remove all pending commands belonging to this request */
4115 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4116 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4117 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4118 __skb_queue_head(&hdev->cmd_q, skb);
4122 if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
4123 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4125 *req_complete = bt_cb(skb)->hci.req_complete;
4128 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4131 static void hci_rx_work(struct work_struct *work)
4133 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4134 struct sk_buff *skb;
4136 BT_DBG("%s", hdev->name);
4138 while ((skb = skb_dequeue(&hdev->rx_q))) {
4139 /* Send copy to monitor */
4140 hci_send_to_monitor(hdev, skb);
4142 if (atomic_read(&hdev->promisc)) {
4143 /* Send copy to the sockets */
4144 hci_send_to_sock(hdev, skb);
4147 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4152 if (test_bit(HCI_INIT, &hdev->flags)) {
4153 /* Don't process data packets in this states. */
4154 switch (hci_skb_pkt_type(skb)) {
4155 case HCI_ACLDATA_PKT:
4156 case HCI_SCODATA_PKT:
4163 switch (hci_skb_pkt_type(skb)) {
4165 BT_DBG("%s Event packet", hdev->name);
4166 hci_event_packet(hdev, skb);
4169 case HCI_ACLDATA_PKT:
4170 BT_DBG("%s ACL data packet", hdev->name);
4171 hci_acldata_packet(hdev, skb);
4174 case HCI_SCODATA_PKT:
4175 BT_DBG("%s SCO data packet", hdev->name);
4176 hci_scodata_packet(hdev, skb);
4186 static void hci_cmd_work(struct work_struct *work)
4188 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4189 struct sk_buff *skb;
4191 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4192 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4194 /* Send queued commands */
4195 if (atomic_read(&hdev->cmd_cnt)) {
4196 skb = skb_dequeue(&hdev->cmd_q);
4200 kfree_skb(hdev->sent_cmd);
4202 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4203 if (hdev->sent_cmd) {
4204 atomic_dec(&hdev->cmd_cnt);
4205 hci_send_frame(hdev, skb);
4206 if (test_bit(HCI_RESET, &hdev->flags))
4207 cancel_delayed_work(&hdev->cmd_timer);
4209 schedule_delayed_work(&hdev->cmd_timer,
4212 skb_queue_head(&hdev->cmd_q, skb);
4213 queue_work(hdev->workqueue, &hdev->cmd_work);
projects / cascardo / linux.git / blob