~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/hci_core.c

Version: ~ [ linux-5.12-rc1 ] ~ [ linux-5.11.2 ] ~ [ linux-5.10.19 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.101 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.177 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.222 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.258 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.258 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3    Copyright (C) 2000-2001 Qualcomm Incorporated
  4    Copyright (C) 2011 ProFUSION Embedded Systems
  5 
  6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
  7 
  8    This program is free software; you can redistribute it and/or modify
  9    it under the terms of the GNU General Public License version 2 as
 10    published by the Free Software Foundation;
 11 
 12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 20 
 21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 23    SOFTWARE IS DISCLAIMED.
 24 */
 25 
 26 /* Bluetooth HCI core. */
 27 
 28 #include <linux/export.h>
 29 #include <linux/idr.h>
 30 #include <linux/rfkill.h>
 31 #include <linux/debugfs.h>
 32 #include <asm/unaligned.h>
 33 
 34 #include <net/bluetooth/bluetooth.h>
 35 #include <net/bluetooth/hci_core.h>
 36 
 37 static void hci_rx_work(struct work_struct *work);
 38 static void hci_cmd_work(struct work_struct *work);
 39 static void hci_tx_work(struct work_struct *work);
 40 
 41 /* HCI device list */
 42 LIST_HEAD(hci_dev_list);
 43 DEFINE_RWLOCK(hci_dev_list_lock);
 44 
 45 /* HCI callback list */
 46 LIST_HEAD(hci_cb_list);
 47 DEFINE_RWLOCK(hci_cb_list_lock);
 48 
 49 /* HCI ID Numbering */
 50 static DEFINE_IDA(hci_index_ida);
 51 
 52 /* ---- HCI notifications ---- */
 53 
 54 static void hci_notify(struct hci_dev *hdev, int event)
 55 {
 56         hci_sock_dev_event(hdev, event);
 57 }
 58 
 59 /* ---- HCI debugfs entries ---- */
 60 
 61 static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
 62                              size_t count, loff_t *ppos)
 63 {
 64         struct hci_dev *hdev = file->private_data;
 65         char buf[3];
 66 
 67         buf[0] = test_bit(HCI_DUT_MODE, &hdev->dev_flags) ? 'Y': 'N';
 68         buf[1] = '\n';
 69         buf[2] = '\0';
 70         return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
 71 }
 72 
 73 static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
 74                               size_t count, loff_t *ppos)
 75 {
 76         struct hci_dev *hdev = file->private_data;
 77         struct sk_buff *skb;
 78         char buf[32];
 79         size_t buf_size = min(count, (sizeof(buf)-1));
 80         bool enable;
 81         int err;
 82 
 83         if (!test_bit(HCI_UP, &hdev->flags))
 84                 return -ENETDOWN;
 85 
 86         if (copy_from_user(buf, user_buf, buf_size))
 87                 return -EFAULT;
 88 
 89         buf[buf_size] = '\0';
 90         if (strtobool(buf, &enable))
 91                 return -EINVAL;
 92 
 93         if (enable == test_bit(HCI_DUT_MODE, &hdev->dev_flags))
 94                 return -EALREADY;
 95 
 96         hci_req_lock(hdev);
 97         if (enable)
 98                 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
 99                                      HCI_CMD_TIMEOUT);
100         else
101                 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
102                                      HCI_CMD_TIMEOUT);
103         hci_req_unlock(hdev);
104 
105         if (IS_ERR(skb))
106                 return PTR_ERR(skb);
107 
108         err = -bt_to_errno(skb->data[0]);
109         kfree_skb(skb);
110 
111         if (err < 0)
112                 return err;
113 
114         change_bit(HCI_DUT_MODE, &hdev->dev_flags);
115 
116         return count;
117 }
118 
119 static const struct file_operations dut_mode_fops = {
120         .open           = simple_open,
121         .read           = dut_mode_read,
122         .write          = dut_mode_write,
123         .llseek         = default_llseek,
124 };
125 
126 static int features_show(struct seq_file *f, void *ptr)
127 {
128         struct hci_dev *hdev = f->private;
129         u8 p;
130 
131         hci_dev_lock(hdev);
132         for (p = 0; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
133                 seq_printf(f, "%2u: 0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x "
134                            "0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x\n", p,
135                            hdev->features[p][0], hdev->features[p][1],
136                            hdev->features[p][2], hdev->features[p][3],
137                            hdev->features[p][4], hdev->features[p][5],
138                            hdev->features[p][6], hdev->features[p][7]);
139         }
140         if (lmp_le_capable(hdev))
141                 seq_printf(f, "LE: 0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x "
142                            "0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x\n",
143                            hdev->le_features[0], hdev->le_features[1],
144                            hdev->le_features[2], hdev->le_features[3],
145                            hdev->le_features[4], hdev->le_features[5],
146                            hdev->le_features[6], hdev->le_features[7]);
147         hci_dev_unlock(hdev);
148 
149         return 0;
150 }
151 
152 static int features_open(struct inode *inode, struct file *file)
153 {
154         return single_open(file, features_show, inode->i_private);
155 }
156 
157 static const struct file_operations features_fops = {
158         .open           = features_open,
159         .read           = seq_read,
160         .llseek         = seq_lseek,
161         .release        = single_release,
162 };
163 
164 static int blacklist_show(struct seq_file *f, void *p)
165 {
166         struct hci_dev *hdev = f->private;
167         struct bdaddr_list *b;
168 
169         hci_dev_lock(hdev);
170         list_for_each_entry(b, &hdev->blacklist, list)
171                 seq_printf(f, "%pMR (type %u)\n", &b->bdaddr, b->bdaddr_type);
172         hci_dev_unlock(hdev);
173 
174         return 0;
175 }
176 
177 static int blacklist_open(struct inode *inode, struct file *file)
178 {
179         return single_open(file, blacklist_show, inode->i_private);
180 }
181 
182 static const struct file_operations blacklist_fops = {
183         .open           = blacklist_open,
184         .read           = seq_read,
185         .llseek         = seq_lseek,
186         .release        = single_release,
187 };
188 
189 static int uuids_show(struct seq_file *f, void *p)
190 {
191         struct hci_dev *hdev = f->private;
192         struct bt_uuid *uuid;
193 
194         hci_dev_lock(hdev);
195         list_for_each_entry(uuid, &hdev->uuids, list) {
196                 u8 i, val[16];
197 
198                 /* The Bluetooth UUID values are stored in big endian,
199                  * but with reversed byte order. So convert them into
200                  * the right order for the %pUb modifier.
201                  */
202                 for (i = 0; i < 16; i++)
203                         val[i] = uuid->uuid[15 - i];
204 
205                 seq_printf(f, "%pUb\n", val);
206         }
207         hci_dev_unlock(hdev);
208 
209         return 0;
210 }
211 
212 static int uuids_open(struct inode *inode, struct file *file)
213 {
214         return single_open(file, uuids_show, inode->i_private);
215 }
216 
217 static const struct file_operations uuids_fops = {
218         .open           = uuids_open,
219         .read           = seq_read,
220         .llseek         = seq_lseek,
221         .release        = single_release,
222 };
223 
224 static int inquiry_cache_show(struct seq_file *f, void *p)
225 {
226         struct hci_dev *hdev = f->private;
227         struct discovery_state *cache = &hdev->discovery;
228         struct inquiry_entry *e;
229 
230         hci_dev_lock(hdev);
231 
232         list_for_each_entry(e, &cache->all, all) {
233                 struct inquiry_data *data = &e->data;
234                 seq_printf(f, "%pMR %d %d %d 0x%.2x%.2x%.2x 0x%.4x %d %d %u\n",
235                            &data->bdaddr,
236                            data->pscan_rep_mode, data->pscan_period_mode,
237                            data->pscan_mode, data->dev_class[2],
238                            data->dev_class[1], data->dev_class[0],
239                            __le16_to_cpu(data->clock_offset),
240                            data->rssi, data->ssp_mode, e->timestamp);
241         }
242 
243         hci_dev_unlock(hdev);
244 
245         return 0;
246 }
247 
248 static int inquiry_cache_open(struct inode *inode, struct file *file)
249 {
250         return single_open(file, inquiry_cache_show, inode->i_private);
251 }
252 
253 static const struct file_operations inquiry_cache_fops = {
254         .open           = inquiry_cache_open,
255         .read           = seq_read,
256         .llseek         = seq_lseek,
257         .release        = single_release,
258 };
259 
260 static int link_keys_show(struct seq_file *f, void *ptr)
261 {
262         struct hci_dev *hdev = f->private;
263         struct list_head *p, *n;
264 
265         hci_dev_lock(hdev);
266         list_for_each_safe(p, n, &hdev->link_keys) {
267                 struct link_key *key = list_entry(p, struct link_key, list);
268                 seq_printf(f, "%pMR %u %*phN %u\n", &key->bdaddr, key->type,
269                            HCI_LINK_KEY_SIZE, key->val, key->pin_len);
270         }
271         hci_dev_unlock(hdev);
272 
273         return 0;
274 }
275 
276 static int link_keys_open(struct inode *inode, struct file *file)
277 {
278         return single_open(file, link_keys_show, inode->i_private);
279 }
280 
281 static const struct file_operations link_keys_fops = {
282         .open           = link_keys_open,
283         .read           = seq_read,
284         .llseek         = seq_lseek,
285         .release        = single_release,
286 };
287 
288 static ssize_t use_debug_keys_read(struct file *file, char __user *user_buf,
289                                    size_t count, loff_t *ppos)
290 {
291         struct hci_dev *hdev = file->private_data;
292         char buf[3];
293 
294         buf[0] = test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) ? 'Y': 'N';
295         buf[1] = '\n';
296         buf[2] = '\0';
297         return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
298 }
299 
300 static const struct file_operations use_debug_keys_fops = {
301         .open           = simple_open,
302         .read           = use_debug_keys_read,
303         .llseek         = default_llseek,
304 };
305 
306 static int dev_class_show(struct seq_file *f, void *ptr)
307 {
308         struct hci_dev *hdev = f->private;
309 
310         hci_dev_lock(hdev);
311         seq_printf(f, "0x%.2x%.2x%.2x\n", hdev->dev_class[2],
312                    hdev->dev_class[1], hdev->dev_class[0]);
313         hci_dev_unlock(hdev);
314 
315         return 0;
316 }
317 
318 static int dev_class_open(struct inode *inode, struct file *file)
319 {
320         return single_open(file, dev_class_show, inode->i_private);
321 }
322 
323 static const struct file_operations dev_class_fops = {
324         .open           = dev_class_open,
325         .read           = seq_read,
326         .llseek         = seq_lseek,
327         .release        = single_release,
328 };
329 
330 static int voice_setting_get(void *data, u64 *val)
331 {
332         struct hci_dev *hdev = data;
333 
334         hci_dev_lock(hdev);
335         *val = hdev->voice_setting;
336         hci_dev_unlock(hdev);
337 
338         return 0;
339 }
340 
341 DEFINE_SIMPLE_ATTRIBUTE(voice_setting_fops, voice_setting_get,
342                         NULL, "0x%4.4llx\n");
343 
344 static int auto_accept_delay_set(void *data, u64 val)
345 {
346         struct hci_dev *hdev = data;
347 
348         hci_dev_lock(hdev);
349         hdev->auto_accept_delay = val;
350         hci_dev_unlock(hdev);
351 
352         return 0;
353 }
354 
355 static int auto_accept_delay_get(void *data, u64 *val)
356 {
357         struct hci_dev *hdev = data;
358 
359         hci_dev_lock(hdev);
360         *val = hdev->auto_accept_delay;
361         hci_dev_unlock(hdev);
362 
363         return 0;
364 }
365 
366 DEFINE_SIMPLE_ATTRIBUTE(auto_accept_delay_fops, auto_accept_delay_get,
367                         auto_accept_delay_set, "%llu\n");
368 
369 static int ssp_debug_mode_set(void *data, u64 val)
370 {
371         struct hci_dev *hdev = data;
372         struct sk_buff *skb;
373         __u8 mode;
374         int err;
375 
376         if (val != 0 && val != 1)
377                 return -EINVAL;
378 
379         if (!test_bit(HCI_UP, &hdev->flags))
380                 return -ENETDOWN;
381 
382         hci_req_lock(hdev);
383         mode = val;
384         skb = __hci_cmd_sync(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE, sizeof(mode),
385                              &mode, HCI_CMD_TIMEOUT);
386         hci_req_unlock(hdev);
387 
388         if (IS_ERR(skb))
389                 return PTR_ERR(skb);
390 
391         err = -bt_to_errno(skb->data[0]);
392         kfree_skb(skb);
393 
394         if (err < 0)
395                 return err;
396 
397         hci_dev_lock(hdev);
398         hdev->ssp_debug_mode = val;
399         hci_dev_unlock(hdev);
400 
401         return 0;
402 }
403 
404 static int ssp_debug_mode_get(void *data, u64 *val)
405 {
406         struct hci_dev *hdev = data;
407 
408         hci_dev_lock(hdev);
409         *val = hdev->ssp_debug_mode;
410         hci_dev_unlock(hdev);
411 
412         return 0;
413 }
414 
415 DEFINE_SIMPLE_ATTRIBUTE(ssp_debug_mode_fops, ssp_debug_mode_get,
416                         ssp_debug_mode_set, "%llu\n");
417 
418 static int idle_timeout_set(void *data, u64 val)
419 {
420         struct hci_dev *hdev = data;
421 
422         if (val != 0 && (val < 500 || val > 3600000))
423                 return -EINVAL;
424 
425         hci_dev_lock(hdev);
426         hdev->idle_timeout = val;
427         hci_dev_unlock(hdev);
428 
429         return 0;
430 }
431 
432 static int idle_timeout_get(void *data, u64 *val)
433 {
434         struct hci_dev *hdev = data;
435 
436         hci_dev_lock(hdev);
437         *val = hdev->idle_timeout;
438         hci_dev_unlock(hdev);
439 
440         return 0;
441 }
442 
443 DEFINE_SIMPLE_ATTRIBUTE(idle_timeout_fops, idle_timeout_get,
444                         idle_timeout_set, "%llu\n");
445 
446 static int sniff_min_interval_set(void *data, u64 val)
447 {
448         struct hci_dev *hdev = data;
449 
450         if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
451                 return -EINVAL;
452 
453         hci_dev_lock(hdev);
454         hdev->sniff_min_interval = val;
455         hci_dev_unlock(hdev);
456 
457         return 0;
458 }
459 
460 static int sniff_min_interval_get(void *data, u64 *val)
461 {
462         struct hci_dev *hdev = data;
463 
464         hci_dev_lock(hdev);
465         *val = hdev->sniff_min_interval;
466         hci_dev_unlock(hdev);
467 
468         return 0;
469 }
470 
471 DEFINE_SIMPLE_ATTRIBUTE(sniff_min_interval_fops, sniff_min_interval_get,
472                         sniff_min_interval_set, "%llu\n");
473 
474 static int sniff_max_interval_set(void *data, u64 val)
475 {
476         struct hci_dev *hdev = data;
477 
478         if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
479                 return -EINVAL;
480 
481         hci_dev_lock(hdev);
482         hdev->sniff_max_interval = val;
483         hci_dev_unlock(hdev);
484 
485         return 0;
486 }
487 
488 static int sniff_max_interval_get(void *data, u64 *val)
489 {
490         struct hci_dev *hdev = data;
491 
492         hci_dev_lock(hdev);
493         *val = hdev->sniff_max_interval;
494         hci_dev_unlock(hdev);
495 
496         return 0;
497 }
498 
499 DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
500                         sniff_max_interval_set, "%llu\n");
501 
502 static int static_address_show(struct seq_file *f, void *p)
503 {
504         struct hci_dev *hdev = f->private;
505 
506         hci_dev_lock(hdev);
507         seq_printf(f, "%pMR\n", &hdev->static_addr);
508         hci_dev_unlock(hdev);
509 
510         return 0;
511 }
512 
513 static int static_address_open(struct inode *inode, struct file *file)
514 {
515         return single_open(file, static_address_show, inode->i_private);
516 }
517 
518 static const struct file_operations static_address_fops = {
519         .open           = static_address_open,
520         .read           = seq_read,
521         .llseek         = seq_lseek,
522         .release        = single_release,
523 };
524 
525 static int own_address_type_set(void *data, u64 val)
526 {
527         struct hci_dev *hdev = data;
528 
529         if (val != 0 && val != 1)
530                 return -EINVAL;
531 
532         hci_dev_lock(hdev);
533         hdev->own_addr_type = val;
534         hci_dev_unlock(hdev);
535 
536         return 0;
537 }
538 
539 static int own_address_type_get(void *data, u64 *val)
540 {
541         struct hci_dev *hdev = data;
542 
543         hci_dev_lock(hdev);
544         *val = hdev->own_addr_type;
545         hci_dev_unlock(hdev);
546 
547         return 0;
548 }
549 
550 DEFINE_SIMPLE_ATTRIBUTE(own_address_type_fops, own_address_type_get,
551                         own_address_type_set, "%llu\n");
552 
553 static int long_term_keys_show(struct seq_file *f, void *ptr)
554 {
555         struct hci_dev *hdev = f->private;
556         struct list_head *p, *n;
557 
558         hci_dev_lock(hdev);
559         list_for_each_safe(p, n, &hdev->link_keys) {
560                 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list);
561                 seq_printf(f, "%pMR (type %u) %u %u %u %.4x %*phN %*phN\\n",
562                            &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated,
563                            ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv),
564                            8, ltk->rand, 16, ltk->val);
565         }
566         hci_dev_unlock(hdev);
567 
568         return 0;
569 }
570 
571 static int long_term_keys_open(struct inode *inode, struct file *file)
572 {
573         return single_open(file, long_term_keys_show, inode->i_private);
574 }
575 
576 static const struct file_operations long_term_keys_fops = {
577         .open           = long_term_keys_open,
578         .read           = seq_read,
579         .llseek         = seq_lseek,
580         .release        = single_release,
581 };
582 
583 static int conn_min_interval_set(void *data, u64 val)
584 {
585         struct hci_dev *hdev = data;
586 
587         if (val < 0x0006 || val > 0x0c80 || val > hdev->le_conn_max_interval)
588                 return -EINVAL;
589 
590         hci_dev_lock(hdev);
591         hdev->le_conn_min_interval = val;
592         hci_dev_unlock(hdev);
593 
594         return 0;
595 }
596 
597 static int conn_min_interval_get(void *data, u64 *val)
598 {
599         struct hci_dev *hdev = data;
600 
601         hci_dev_lock(hdev);
602         *val = hdev->le_conn_min_interval;
603         hci_dev_unlock(hdev);
604 
605         return 0;
606 }
607 
608 DEFINE_SIMPLE_ATTRIBUTE(conn_min_interval_fops, conn_min_interval_get,
609                         conn_min_interval_set, "%llu\n");
610 
611 static int conn_max_interval_set(void *data, u64 val)
612 {
613         struct hci_dev *hdev = data;
614 
615         if (val < 0x0006 || val > 0x0c80 || val < hdev->le_conn_min_interval)
616                 return -EINVAL;
617 
618         hci_dev_lock(hdev);
619         hdev->le_conn_max_interval = val;
620         hci_dev_unlock(hdev);
621 
622         return 0;
623 }
624 
625 static int conn_max_interval_get(void *data, u64 *val)
626 {
627         struct hci_dev *hdev = data;
628 
629         hci_dev_lock(hdev);
630         *val = hdev->le_conn_max_interval;
631         hci_dev_unlock(hdev);
632 
633         return 0;
634 }
635 
636 DEFINE_SIMPLE_ATTRIBUTE(conn_max_interval_fops, conn_max_interval_get,
637                         conn_max_interval_set, "%llu\n");
638 
639 static ssize_t lowpan_read(struct file *file, char __user *user_buf,
640                            size_t count, loff_t *ppos)
641 {
642         struct hci_dev *hdev = file->private_data;
643         char buf[3];
644 
645         buf[0] = test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags) ? 'Y' : 'N';
646         buf[1] = '\n';
647         buf[2] = '\0';
648         return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
649 }
650 
651 static ssize_t lowpan_write(struct file *fp, const char __user *user_buffer,
652                             size_t count, loff_t *position)
653 {
654         struct hci_dev *hdev = fp->private_data;
655         bool enable;
656         char buf[32];
657         size_t buf_size = min(count, (sizeof(buf)-1));
658 
659         if (copy_from_user(buf, user_buffer, buf_size))
660                 return -EFAULT;
661 
662         buf[buf_size] = '\0';
663 
664         if (strtobool(buf, &enable) < 0)
665                 return -EINVAL;
666 
667         if (enable == test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags))
668                 return -EALREADY;
669 
670         change_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags);
671 
672         return count;
673 }
674 
675 static const struct file_operations lowpan_debugfs_fops = {
676         .open           = simple_open,
677         .read           = lowpan_read,
678         .write          = lowpan_write,
679         .llseek         = default_llseek,
680 };
681 
682 /* ---- HCI requests ---- */
683 
684 static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
685 {
686         BT_DBG("%s result 0x%2.2x", hdev->name, result);
687 
688         if (hdev->req_status == HCI_REQ_PEND) {
689                 hdev->req_result = result;
690                 hdev->req_status = HCI_REQ_DONE;
691                 wake_up_interruptible(&hdev->req_wait_q);
692         }
693 }
694 
695 static void hci_req_cancel(struct hci_dev *hdev, int err)
696 {
697         BT_DBG("%s err 0x%2.2x", hdev->name, err);
698 
699         if (hdev->req_status == HCI_REQ_PEND) {
700                 hdev->req_result = err;
701                 hdev->req_status = HCI_REQ_CANCELED;
702                 wake_up_interruptible(&hdev->req_wait_q);
703         }
704 }
705 
706 static struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
707                                             u8 event)
708 {
709         struct hci_ev_cmd_complete *ev;
710         struct hci_event_hdr *hdr;
711         struct sk_buff *skb;
712 
713         hci_dev_lock(hdev);
714 
715         skb = hdev->recv_evt;
716         hdev->recv_evt = NULL;
717 
718         hci_dev_unlock(hdev);
719 
720         if (!skb)
721                 return ERR_PTR(-ENODATA);
722 
723         if (skb->len < sizeof(*hdr)) {
724                 BT_ERR("Too short HCI event");
725                 goto failed;
726         }
727 
728         hdr = (void *) skb->data;
729         skb_pull(skb, HCI_EVENT_HDR_SIZE);
730 
731         if (event) {
732                 if (hdr->evt != event)
733                         goto failed;
734                 return skb;
735         }
736 
737         if (hdr->evt != HCI_EV_CMD_COMPLETE) {
738                 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
739                 goto failed;
740         }
741 
742         if (skb->len < sizeof(*ev)) {
743                 BT_ERR("Too short cmd_complete event");
744                 goto failed;
745         }
746 
747         ev = (void *) skb->data;
748         skb_pull(skb, sizeof(*ev));
749 
750         if (opcode == __le16_to_cpu(ev->opcode))
751                 return skb;
752 
753         BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
754                __le16_to_cpu(ev->opcode));
755 
756 failed:
757         kfree_skb(skb);
758         return ERR_PTR(-ENODATA);
759 }
760 
761 struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
762                                   const void *param, u8 event, u32 timeout)
763 {
764         DECLARE_WAITQUEUE(wait, current);
765         struct hci_request req;
766         int err = 0;
767 
768         BT_DBG("%s", hdev->name);
769 
770         hci_req_init(&req, hdev);
771 
772         hci_req_add_ev(&req, opcode, plen, param, event);
773 
774         hdev->req_status = HCI_REQ_PEND;
775 
776         err = hci_req_run(&req, hci_req_sync_complete);
777         if (err < 0)
778                 return ERR_PTR(err);
779 
780         add_wait_queue(&hdev->req_wait_q, &wait);
781         set_current_state(TASK_INTERRUPTIBLE);
782 
783         schedule_timeout(timeout);
784 
785         remove_wait_queue(&hdev->req_wait_q, &wait);
786 
787         if (signal_pending(current))
788                 return ERR_PTR(-EINTR);
789 
790         switch (hdev->req_status) {
791         case HCI_REQ_DONE:
792                 err = -bt_to_errno(hdev->req_result);
793                 break;
794 
795         case HCI_REQ_CANCELED:
796                 err = -hdev->req_result;
797                 break;
798 
799         default:
800                 err = -ETIMEDOUT;
801                 break;
802         }
803 
804         hdev->req_status = hdev->req_result = 0;
805 
806         BT_DBG("%s end: err %d", hdev->name, err);
807 
808         if (err < 0)
809                 return ERR_PTR(err);
810 
811         return hci_get_cmd_complete(hdev, opcode, event);
812 }
813 EXPORT_SYMBOL(__hci_cmd_sync_ev);
814 
815 struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
816                                const void *param, u32 timeout)
817 {
818         return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
819 }
820 EXPORT_SYMBOL(__hci_cmd_sync);
821 
822 /* Execute request and wait for completion. */
823 static int __hci_req_sync(struct hci_dev *hdev,
824                           void (*func)(struct hci_request *req,
825                                       unsigned long opt),
826                           unsigned long opt, __u32 timeout)
827 {
828         struct hci_request req;
829         DECLARE_WAITQUEUE(wait, current);
830         int err = 0;
831 
832         BT_DBG("%s start", hdev->name);
833 
834         hci_req_init(&req, hdev);
835 
836         hdev->req_status = HCI_REQ_PEND;
837 
838         func(&req, opt);
839 
840         err = hci_req_run(&req, hci_req_sync_complete);
841         if (err < 0) {
842                 hdev->req_status = 0;
843 
844                 /* ENODATA means the HCI request command queue is empty.
845                  * This can happen when a request with conditionals doesn't
846                  * trigger any commands to be sent. This is normal behavior
847                  * and should not trigger an error return.
848                  */
849                 if (err == -ENODATA)
850                         return 0;
851 
852                 return err;
853         }
854 
855         add_wait_queue(&hdev->req_wait_q, &wait);
856         set_current_state(TASK_INTERRUPTIBLE);
857 
858         schedule_timeout(timeout);
859 
860         remove_wait_queue(&hdev->req_wait_q, &wait);
861 
862         if (signal_pending(current))
863                 return -EINTR;
864 
865         switch (hdev->req_status) {
866         case HCI_REQ_DONE:
867                 err = -bt_to_errno(hdev->req_result);
868                 break;
869 
870         case HCI_REQ_CANCELED:
871                 err = -hdev->req_result;
872                 break;
873 
874         default:
875                 err = -ETIMEDOUT;
876                 break;
877         }
878 
879         hdev->req_status = hdev->req_result = 0;
880 
881         BT_DBG("%s end: err %d", hdev->name, err);
882 
883         return err;
884 }
885 
886 static int hci_req_sync(struct hci_dev *hdev,
887                         void (*req)(struct hci_request *req,
888                                     unsigned long opt),
889                         unsigned long opt, __u32 timeout)
890 {
891         int ret;
892 
893         if (!test_bit(HCI_UP, &hdev->flags))
894                 return -ENETDOWN;
895 
896         /* Serialize all requests */
897         hci_req_lock(hdev);
898         ret = __hci_req_sync(hdev, req, opt, timeout);
899         hci_req_unlock(hdev);
900 
901         return ret;
902 }
903 
904 static void hci_reset_req(struct hci_request *req, unsigned long opt)
905 {
906         BT_DBG("%s %ld", req->hdev->name, opt);
907 
908         /* Reset device */
909         set_bit(HCI_RESET, &req->hdev->flags);
910         hci_req_add(req, HCI_OP_RESET, 0, NULL);
911 }
912 
913 static void bredr_init(struct hci_request *req)
914 {
915         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
916 
917         /* Read Local Supported Features */
918         hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
919 
920         /* Read Local Version */
921         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
922 
923         /* Read BD Address */
924         hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
925 }
926 
927 static void amp_init(struct hci_request *req)
928 {
929         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
930 
931         /* Read Local Version */
932         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
933 
934         /* Read Local Supported Commands */
935         hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
936 
937         /* Read Local Supported Features */
938         hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
939 
940         /* Read Local AMP Info */
941         hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
942 
943         /* Read Data Blk size */
944         hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
945 
946         /* Read Flow Control Mode */
947         hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
948 
949         /* Read Location Data */
950         hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
951 }
952 
953 static void hci_init1_req(struct hci_request *req, unsigned long opt)
954 {
955         struct hci_dev *hdev = req->hdev;
956 
957         BT_DBG("%s %ld", hdev->name, opt);
958 
959         /* Reset */
960         if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
961                 hci_reset_req(req, 0);
962 
963         switch (hdev->dev_type) {
964         case HCI_BREDR:
965                 bredr_init(req);
966                 break;
967 
968         case HCI_AMP:
969                 amp_init(req);
970                 break;
971 
972         default:
973                 BT_ERR("Unknown device type %d", hdev->dev_type);
974                 break;
975         }
976 }
977 
978 static void bredr_setup(struct hci_request *req)
979 {
980         struct hci_dev *hdev = req->hdev;
981 
982         __le16 param;
983         __u8 flt_type;
984 
985         /* Read Buffer Size (ACL mtu, max pkt, etc.) */
986         hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
987 
988         /* Read Class of Device */
989         hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
990 
991         /* Read Local Name */
992         hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
993 
994         /* Read Voice Setting */
995         hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
996 
997         /* Read Number of Supported IAC */
998         hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
999 
1000         /* Read Current IAC LAP */
1001         hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
1002 
1003         /* Clear Event Filters */
1004         flt_type = HCI_FLT_CLEAR_ALL;
1005         hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
1006 
1007         /* Connection accept timeout ~20 secs */
1008         param = __constant_cpu_to_le16(0x7d00);
1009         hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
1010 
1011         /* AVM Berlin (31), aka "BlueFRITZ!", reports version 1.2,
1012          * but it does not support page scan related HCI commands.
1013          */
1014         if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1) {
1015                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
1016                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
1017         }
1018 }
1019 
1020 static void le_setup(struct hci_request *req)
1021 {
1022         struct hci_dev *hdev = req->hdev;
1023 
1024         /* Read LE Buffer Size */
1025         hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
1026 
1027         /* Read LE Local Supported Features */
1028         hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
1029 
1030         /* Read LE Advertising Channel TX Power */
1031         hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
1032 
1033         /* Read LE White List Size */
1034         hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
1035 
1036         /* Read LE Supported States */
1037         hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
1038 
1039         /* LE-only controllers have LE implicitly enabled */
1040         if (!lmp_bredr_capable(hdev))
1041                 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1042 }
1043 
1044 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
1045 {
1046         if (lmp_ext_inq_capable(hdev))
1047                 return 0x02;
1048 
1049         if (lmp_inq_rssi_capable(hdev))
1050                 return 0x01;
1051 
1052         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
1053             hdev->lmp_subver == 0x0757)
1054                 return 0x01;
1055 
1056         if (hdev->manufacturer == 15) {
1057                 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
1058                         return 0x01;
1059                 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
1060                         return 0x01;
1061                 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
1062                         return 0x01;
1063         }
1064 
1065         if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
1066             hdev->lmp_subver == 0x1805)
1067                 return 0x01;
1068 
1069         return 0x00;
1070 }
1071 
1072 static void hci_setup_inquiry_mode(struct hci_request *req)
1073 {
1074         u8 mode;
1075 
1076         mode = hci_get_inquiry_mode(req->hdev);
1077 
1078         hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
1079 }
1080 
1081 static void hci_setup_event_mask(struct hci_request *req)
1082 {
1083         struct hci_dev *hdev = req->hdev;
1084 
1085         /* The second byte is 0xff instead of 0x9f (two reserved bits
1086          * disabled) since a Broadcom 1.2 dongle doesn't respond to the
1087          * command otherwise.
1088          */
1089         u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
1090 
1091         /* CSR 1.1 dongles does not accept any bitfield so don't try to set
1092          * any event mask for pre 1.2 devices.
1093          */
1094         if (hdev->hci_ver < BLUETOOTH_VER_1_2)
1095                 return;
1096 
1097         if (lmp_bredr_capable(hdev)) {
1098                 events[4] |= 0x01; /* Flow Specification Complete */
1099                 events[4] |= 0x02; /* Inquiry Result with RSSI */
1100                 events[4] |= 0x04; /* Read Remote Extended Features Complete */
1101                 events[5] |= 0x08; /* Synchronous Connection Complete */
1102                 events[5] |= 0x10; /* Synchronous Connection Changed */
1103         } else {
1104                 /* Use a different default for LE-only devices */
1105                 memset(events, 0, sizeof(events));
1106                 events[0] |= 0x10; /* Disconnection Complete */
1107                 events[0] |= 0x80; /* Encryption Change */
1108                 events[1] |= 0x08; /* Read Remote Version Information Complete */
1109                 events[1] |= 0x20; /* Command Complete */
1110                 events[1] |= 0x40; /* Command Status */
1111                 events[1] |= 0x80; /* Hardware Error */
1112                 events[2] |= 0x04; /* Number of Completed Packets */
1113                 events[3] |= 0x02; /* Data Buffer Overflow */
1114                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
1115         }
1116 
1117         if (lmp_inq_rssi_capable(hdev))
1118                 events[4] |= 0x02; /* Inquiry Result with RSSI */
1119 
1120         if (lmp_sniffsubr_capable(hdev))
1121                 events[5] |= 0x20; /* Sniff Subrating */
1122 
1123         if (lmp_pause_enc_capable(hdev))
1124                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
1125 
1126         if (lmp_ext_inq_capable(hdev))
1127                 events[5] |= 0x40; /* Extended Inquiry Result */
1128 
1129         if (lmp_no_flush_capable(hdev))
1130                 events[7] |= 0x01; /* Enhanced Flush Complete */
1131 
1132         if (lmp_lsto_capable(hdev))
1133                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
1134 
1135         if (lmp_ssp_capable(hdev)) {
1136                 events[6] |= 0x01;      /* IO Capability Request */
1137                 events[6] |= 0x02;      /* IO Capability Response */
1138                 events[6] |= 0x04;      /* User Confirmation Request */
1139                 events[6] |= 0x08;      /* User Passkey Request */
1140                 events[6] |= 0x10;      /* Remote OOB Data Request */
1141                 events[6] |= 0x20;      /* Simple Pairing Complete */
1142                 events[7] |= 0x04;      /* User Passkey Notification */
1143                 events[7] |= 0x08;      /* Keypress Notification */
1144                 events[7] |= 0x10;      /* Remote Host Supported
1145                                          * Features Notification
1146                                          */
1147         }
1148 
1149         if (lmp_le_capable(hdev))
1150                 events[7] |= 0x20;      /* LE Meta-Event */
1151 
1152         hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
1153 
1154         if (lmp_le_capable(hdev)) {
1155                 memset(events, 0, sizeof(events));
1156                 events[0] = 0x1f;
1157                 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK,
1158                             sizeof(events), events);
1159         }
1160 }
1161 
1162 static void hci_init2_req(struct hci_request *req, unsigned long opt)
1163 {
1164         struct hci_dev *hdev = req->hdev;
1165 
1166         if (lmp_bredr_capable(hdev))
1167                 bredr_setup(req);
1168         else
1169                 clear_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
1170 
1171         if (lmp_le_capable(hdev))
1172                 le_setup(req);
1173 
1174         hci_setup_event_mask(req);
1175 
1176         /* AVM Berlin (31), aka "BlueFRITZ!", doesn't support the read
1177          * local supported commands HCI command.
1178          */
1179         if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1)
1180                 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
1181 
1182         if (lmp_ssp_capable(hdev)) {
1183                 /* When SSP is available, then the host features page
1184                  * should also be available as well. However some
1185                  * controllers list the max_page as 0 as long as SSP
1186                  * has not been enabled. To achieve proper debugging
1187                  * output, force the minimum max_page to 1 at least.
1188                  */
1189                 hdev->max_page = 0x01;
1190 
1191                 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
1192                         u8 mode = 0x01;
1193                         hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
1194                                     sizeof(mode), &mode);
1195                 } else {
1196                         struct hci_cp_write_eir cp;
1197 
1198                         memset(hdev->eir, 0, sizeof(hdev->eir));
1199                         memset(&cp, 0, sizeof(cp));
1200 
1201                         hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
1202                 }
1203         }
1204 
1205         if (lmp_inq_rssi_capable(hdev))
1206                 hci_setup_inquiry_mode(req);
1207 
1208         if (lmp_inq_tx_pwr_capable(hdev))
1209                 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
1210 
1211         if (lmp_ext_feat_capable(hdev)) {
1212                 struct hci_cp_read_local_ext_features cp;
1213 
1214                 cp.page = 0x01;
1215                 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
1216                             sizeof(cp), &cp);
1217         }
1218 
1219         if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
1220                 u8 enable = 1;
1221                 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
1222                             &enable);
1223         }
1224 }
1225 
1226 static void hci_setup_link_policy(struct hci_request *req)
1227 {
1228         struct hci_dev *hdev = req->hdev;
1229         struct hci_cp_write_def_link_policy cp;
1230         u16 link_policy = 0;
1231 
1232         if (lmp_rswitch_capable(hdev))
1233                 link_policy |= HCI_LP_RSWITCH;
1234         if (lmp_hold_capable(hdev))
1235                 link_policy |= HCI_LP_HOLD;
1236         if (lmp_sniff_capable(hdev))
1237                 link_policy |= HCI_LP_SNIFF;
1238         if (lmp_park_capable(hdev))
1239                 link_policy |= HCI_LP_PARK;
1240 
1241         cp.policy = cpu_to_le16(link_policy);
1242         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
1243 }
1244 
1245 static void hci_set_le_support(struct hci_request *req)
1246 {
1247         struct hci_dev *hdev = req->hdev;
1248         struct hci_cp_write_le_host_supported cp;
1249 
1250         /* LE-only devices do not support explicit enablement */
1251         if (!lmp_bredr_capable(hdev))
1252                 return;
1253 
1254         memset(&cp, 0, sizeof(cp));
1255 
1256         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
1257                 cp.le = 0x01;
1258                 cp.simul = lmp_le_br_capable(hdev);
1259         }
1260 
1261         if (cp.le != lmp_host_le_capable(hdev))
1262                 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
1263                             &cp);
1264 }
1265 
1266 static void hci_set_event_mask_page_2(struct hci_request *req)
1267 {
1268         struct hci_dev *hdev = req->hdev;
1269         u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1270 
1271         /* If Connectionless Slave Broadcast master role is supported
1272          * enable all necessary events for it.
1273          */
1274         if (lmp_csb_master_capable(hdev)) {
1275                 events[1] |= 0x40;      /* Triggered Clock Capture */
1276                 events[1] |= 0x80;      /* Synchronization Train Complete */
1277                 events[2] |= 0x10;      /* Slave Page Response Timeout */
1278                 events[2] |= 0x20;      /* CSB Channel Map Change */
1279         }
1280 
1281         /* If Connectionless Slave Broadcast slave role is supported
1282          * enable all necessary events for it.
1283          */
1284         if (lmp_csb_slave_capable(hdev)) {
1285                 events[2] |= 0x01;      /* Synchronization Train Received */
1286                 events[2] |= 0x02;      /* CSB Receive */
1287                 events[2] |= 0x04;      /* CSB Timeout */
1288                 events[2] |= 0x08;      /* Truncated Page Complete */
1289         }
1290 
1291         hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
1292 }
1293 
1294 static void hci_init3_req(struct hci_request *req, unsigned long opt)
1295 {
1296         struct hci_dev *hdev = req->hdev;
1297         u8 p;
1298 
1299         /* Some Broadcom based Bluetooth controllers do not support the
1300          * Delete Stored Link Key command. They are clearly indicating its
1301          * absence in the bit mask of supported commands.
1302          *
1303          * Check the supported commands and only if the the command is marked
1304          * as supported send it. If not supported assume that the controller
1305          * does not have actual support for stored link keys which makes this
1306          * command redundant anyway.
1307          *
1308          * Some controllers indicate that they support handling deleting
1309          * stored link keys, but they don't. The quirk lets a driver
1310          * just disable this command.
1311          */
1312         if (hdev->commands[6] & 0x80 &&
1313             !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
1314                 struct hci_cp_delete_stored_link_key cp;
1315 
1316                 bacpy(&cp.bdaddr, BDADDR_ANY);
1317                 cp.delete_all = 0x01;
1318                 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
1319                             sizeof(cp), &cp);
1320         }
1321 
1322         if (hdev->commands[5] & 0x10)
1323                 hci_setup_link_policy(req);
1324 
1325         if (lmp_le_capable(hdev)) {
1326                 if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
1327                         /* If the controller has a public BD_ADDR, then
1328                          * by default use that one. If this is a LE only
1329                          * controller without a public address, default
1330                          * to the random address.
1331                          */
1332                         if (bacmp(&hdev->bdaddr, BDADDR_ANY))
1333                                 hdev->own_addr_type = ADDR_LE_DEV_PUBLIC;
1334                         else
1335                                 hdev->own_addr_type = ADDR_LE_DEV_RANDOM;
1336                 }
1337 
1338                 hci_set_le_support(req);
1339         }
1340 
1341         /* Read features beyond page 1 if available */
1342         for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
1343                 struct hci_cp_read_local_ext_features cp;
1344 
1345                 cp.page = p;
1346                 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
1347                             sizeof(cp), &cp);
1348         }
1349 }
1350 
1351 static void hci_init4_req(struct hci_request *req, unsigned long opt)
1352 {
1353         struct hci_dev *hdev = req->hdev;
1354 
1355         /* Set event mask page 2 if the HCI command for it is supported */
1356         if (hdev->commands[22] & 0x04)
1357                 hci_set_event_mask_page_2(req);
1358 
1359         /* Check for Synchronization Train support */
1360         if (lmp_sync_train_capable(hdev))
1361                 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
1362 }
1363 
1364 static int __hci_init(struct hci_dev *hdev)
1365 {
1366         int err;
1367 
1368         err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
1369         if (err < 0)
1370                 return err;
1371 
1372         /* The Device Under Test (DUT) mode is special and available for
1373          * all controller types. So just create it early on.
1374          */
1375         if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
1376                 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
1377                                     &dut_mode_fops);
1378         }
1379 
1380         /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
1381          * BR/EDR/LE type controllers. AMP controllers only need the
1382          * first stage init.
1383          */
1384         if (hdev->dev_type != HCI_BREDR)
1385                 return 0;
1386 
1387         err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
1388         if (err < 0)
1389                 return err;
1390 
1391         err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
1392         if (err < 0)
1393                 return err;
1394 
1395         err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT);
1396         if (err < 0)
1397                 return err;
1398 
1399         /* Only create debugfs entries during the initial setup
1400          * phase and not every time the controller gets powered on.
1401          */
1402         if (!test_bit(HCI_SETUP, &hdev->dev_flags))
1403                 return 0;
1404 
1405         debugfs_create_file("features", 0444, hdev->debugfs, hdev,
1406                             &features_fops);
1407         debugfs_create_u16("manufacturer", 0444, hdev->debugfs,
1408                            &hdev->manufacturer);
1409         debugfs_create_u8("hci_version", 0444, hdev->debugfs, &hdev->hci_ver);
1410         debugfs_create_u16("hci_revision", 0444, hdev->debugfs, &hdev->hci_rev);
1411         debugfs_create_file("blacklist", 0444, hdev->debugfs, hdev,
1412                             &blacklist_fops);
1413         debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
1414 
1415         if (lmp_bredr_capable(hdev)) {
1416                 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
1417                                     hdev, &inquiry_cache_fops);
1418                 debugfs_create_file("link_keys", 0400, hdev->debugfs,
1419                                     hdev, &link_keys_fops);
1420                 debugfs_create_file("use_debug_keys", 0444, hdev->debugfs,
1421                                     hdev, &use_debug_keys_fops);
1422                 debugfs_create_file("dev_class", 0444, hdev->debugfs,
1423                                     hdev, &dev_class_fops);
1424                 debugfs_create_file("voice_setting", 0444, hdev->debugfs,
1425                                     hdev, &voice_setting_fops);
1426         }
1427 
1428         if (lmp_ssp_capable(hdev)) {
1429                 debugfs_create_file("auto_accept_delay", 0644, hdev->debugfs,
1430                                     hdev, &auto_accept_delay_fops);
1431                 debugfs_create_file("ssp_debug_mode", 0644, hdev->debugfs,
1432                                     hdev, &ssp_debug_mode_fops);
1433         }
1434 
1435         if (lmp_sniff_capable(hdev)) {
1436                 debugfs_create_file("idle_timeout", 0644, hdev->debugfs,
1437                                     hdev, &idle_timeout_fops);
1438                 debugfs_create_file("sniff_min_interval", 0644, hdev->debugfs,
1439                                     hdev, &sniff_min_interval_fops);
1440                 debugfs_create_file("sniff_max_interval", 0644, hdev->debugfs,
1441                                     hdev, &sniff_max_interval_fops);
1442         }
1443 
1444         if (lmp_le_capable(hdev)) {
1445                 debugfs_create_u8("white_list_size", 0444, hdev->debugfs,
1446                                   &hdev->le_white_list_size);
1447                 debugfs_create_file("static_address", 0444, hdev->debugfs,
1448                                    hdev, &static_address_fops);
1449                 debugfs_create_file("own_address_type", 0644, hdev->debugfs,
1450                                     hdev, &own_address_type_fops);
1451                 debugfs_create_file("long_term_keys", 0400, hdev->debugfs,
1452                                     hdev, &long_term_keys_fops);
1453                 debugfs_create_file("conn_min_interval", 0644, hdev->debugfs,
1454                                     hdev, &conn_min_interval_fops);
1455                 debugfs_create_file("conn_max_interval", 0644, hdev->debugfs,
1456                                     hdev, &conn_max_interval_fops);
1457                 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev,
1458                                     &lowpan_debugfs_fops);
1459         }
1460 
1461         return 0;
1462 }
1463 
1464 static void hci_scan_req(struct hci_request *req, unsigned long opt)
1465 {
1466         __u8 scan = opt;
1467 
1468         BT_DBG("%s %x", req->hdev->name, scan);
1469 
1470         /* Inquiry and Page scans */
1471         hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1472 }
1473 
1474 static void hci_auth_req(struct hci_request *req, unsigned long opt)
1475 {
1476         __u8 auth = opt;
1477 
1478         BT_DBG("%s %x", req->hdev->name, auth);
1479 
1480         /* Authentication */
1481         hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
1482 }
1483 
1484 static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
1485 {
1486         __u8 encrypt = opt;
1487 
1488         BT_DBG("%s %x", req->hdev->name, encrypt);
1489 
1490         /* Encryption */
1491         hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
1492 }
1493 
1494 static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
1495 {
1496         __le16 policy = cpu_to_le16(opt);
1497 
1498         BT_DBG("%s %x", req->hdev->name, policy);
1499 
1500         /* Default link policy */
1501         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
1502 }
1503 
1504 /* Get HCI device by index.
1505  * Device is held on return. */
1506 struct hci_dev *hci_dev_get(int index)
1507 {
1508         struct hci_dev *hdev = NULL, *d;
1509 
1510         BT_DBG("%d", index);
1511 
1512         if (index < 0)
1513                 return NULL;
1514 
1515         read_lock(&hci_dev_list_lock);
1516         list_for_each_entry(d, &hci_dev_list, list) {
1517                 if (d->id == index) {
1518                         hdev = hci_dev_hold(d);
1519                         break;
1520                 }
1521         }
1522         read_unlock(&hci_dev_list_lock);
1523         return hdev;
1524 }
1525 
1526 /* ---- Inquiry support ---- */
1527 
1528 bool hci_discovery_active(struct hci_dev *hdev)
1529 {
1530         struct discovery_state *discov = &hdev->discovery;
1531 
1532         switch (discov->state) {
1533         case DISCOVERY_FINDING:
1534         case DISCOVERY_RESOLVING:
1535                 return true;
1536 
1537         default:
1538                 return false;
1539         }
1540 }
1541 
1542 void hci_discovery_set_state(struct hci_dev *hdev, int state)
1543 {
1544         BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
1545 
1546         if (hdev->discovery.state == state)
1547                 return;
1548 
1549         switch (state) {
1550         case DISCOVERY_STOPPED:
1551                 if (hdev->discovery.state != DISCOVERY_STARTING)
1552                         mgmt_discovering(hdev, 0);
1553                 break;
1554         case DISCOVERY_STARTING:
1555                 break;
1556         case DISCOVERY_FINDING:
1557                 mgmt_discovering(hdev, 1);
1558                 break;
1559         case DISCOVERY_RESOLVING:
1560                 break;
1561         case DISCOVERY_STOPPING:
1562                 break;
1563         }
1564 
1565         hdev->discovery.state = state;
1566 }
1567 
1568 void hci_inquiry_cache_flush(struct hci_dev *hdev)
1569 {
1570         struct discovery_state *cache = &hdev->discovery;
1571         struct inquiry_entry *p, *n;
1572 
1573         list_for_each_entry_safe(p, n, &cache->all, all) {
1574                 list_del(&p->all);
1575                 kfree(p);
1576         }
1577 
1578         INIT_LIST_HEAD(&cache->unknown);
1579         INIT_LIST_HEAD(&cache->resolve);
1580 }
1581 
1582 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1583                                                bdaddr_t *bdaddr)
1584 {
1585         struct discovery_state *cache = &hdev->discovery;
1586         struct inquiry_entry *e;
1587 
1588         BT_DBG("cache %p, %pMR", cache, bdaddr);
1589 
1590         list_for_each_entry(e, &cache->all, all) {
1591                 if (!bacmp(&e->data.bdaddr, bdaddr))
1592                         return e;
1593         }
1594 
1595         return NULL;
1596 }
1597 
1598 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1599                                                        bdaddr_t *bdaddr)
1600 {
1601         struct discovery_state *cache = &hdev->discovery;
1602         struct inquiry_entry *e;
1603 
1604         BT_DBG("cache %p, %pMR", cache, bdaddr);
1605 
1606         list_for_each_entry(e, &cache->unknown, list) {
1607                 if (!bacmp(&e->data.bdaddr, bdaddr))
1608                         return e;
1609         }
1610 
1611         return NULL;
1612 }
1613 
1614 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1615                                                        bdaddr_t *bdaddr,
1616                                                        int state)
1617 {
1618         struct discovery_state *cache = &hdev->discovery;
1619         struct inquiry_entry *e;
1620 
1621         BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1622 
1623         list_for_each_entry(e, &cache->resolve, list) {
1624                 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1625                         return e;
1626                 if (!bacmp(&e->data.bdaddr, bdaddr))
1627                         return e;
1628         }
1629 
1630         return NULL;
1631 }
1632 
1633 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1634                                       struct inquiry_entry *ie)
1635 {
1636         struct discovery_state *cache = &hdev->discovery;
1637         struct list_head *pos = &cache->resolve;
1638         struct inquiry_entry *p;
1639 
1640         list_del(&ie->list);
1641 
1642         list_for_each_entry(p, &cache->resolve, list) {
1643                 if (p->name_state != NAME_PENDING &&
1644                     abs(p->data.rssi) >= abs(ie->data.rssi))
1645                         break;
1646                 pos = &p->list;
1647         }
1648 
1649         list_add(&ie->list, pos);
1650 }
1651 
1652 bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1653                               bool name_known, bool *ssp)
1654 {
1655         struct discovery_state *cache = &hdev->discovery;
1656         struct inquiry_entry *ie;
1657 
1658         BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1659 
1660         hci_remove_remote_oob_data(hdev, &data->bdaddr);
1661 
1662         if (ssp)
1663                 *ssp = data->ssp_mode;
1664 
1665         ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1666         if (ie) {
1667                 if (ie->data.ssp_mode && ssp)
1668                         *ssp = true;
1669 
1670                 if (ie->name_state == NAME_NEEDED &&
1671                     data->rssi != ie->data.rssi) {
1672                         ie->data.rssi = data->rssi;
1673                         hci_inquiry_cache_update_resolve(hdev, ie);
1674                 }
1675 
1676                 goto update;
1677         }
1678 
1679         /* Entry not in the cache. Add new one. */
1680         ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
1681         if (!ie)
1682                 return false;
1683 
1684         list_add(&ie->all, &cache->all);
1685 
1686         if (name_known) {
1687                 ie->name_state = NAME_KNOWN;
1688         } else {
1689                 ie->name_state = NAME_NOT_KNOWN;
1690                 list_add(&ie->list, &cache->unknown);
1691         }
1692 
1693 update:
1694         if (name_known && ie->name_state != NAME_KNOWN &&
1695             ie->name_state != NAME_PENDING) {
1696                 ie->name_state = NAME_KNOWN;
1697                 list_del(&ie->list);
1698         }
1699 
1700         memcpy(&ie->data, data, sizeof(*data));
1701         ie->timestamp = jiffies;
1702         cache->timestamp = jiffies;
1703 
1704         if (ie->name_state == NAME_NOT_KNOWN)
1705                 return false;
1706 
1707         return true;
1708 }
1709 
1710 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1711 {
1712         struct discovery_state *cache = &hdev->discovery;
1713         struct inquiry_info *info = (struct inquiry_info *) buf;
1714         struct inquiry_entry *e;
1715         int copied = 0;
1716 
1717         list_for_each_entry(e, &cache->all, all) {
1718                 struct inquiry_data *data = &e->data;
1719 
1720                 if (copied >= num)
1721                         break;
1722 
1723                 bacpy(&info->bdaddr, &data->bdaddr);
1724                 info->pscan_rep_mode    = data->pscan_rep_mode;
1725                 info->pscan_period_mode = data->pscan_period_mode;
1726                 info->pscan_mode        = data->pscan_mode;
1727                 memcpy(info->dev_class, data->dev_class, 3);
1728                 info->clock_offset      = data->clock_offset;
1729 
1730                 info++;
1731                 copied++;
1732         }
1733 
1734         BT_DBG("cache %p, copied %d", cache, copied);
1735         return copied;
1736 }
1737 
1738 static void hci_inq_req(struct hci_request *req, unsigned long opt)
1739 {
1740         struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1741         struct hci_dev *hdev = req->hdev;
1742         struct hci_cp_inquiry cp;
1743 
1744         BT_DBG("%s", hdev->name);
1745 
1746         if (test_bit(HCI_INQUIRY, &hdev->flags))
1747                 return;
1748 
1749         /* Start Inquiry */
1750         memcpy(&cp.lap, &ir->lap, 3);
1751         cp.length  = ir->length;
1752         cp.num_rsp = ir->num_rsp;
1753         hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1754 }
1755 
1756 static int wait_inquiry(void *word)
1757 {
1758         schedule();
1759         return signal_pending(current);
1760 }
1761 
1762 int hci_inquiry(void __user *arg)
1763 {
1764         __u8 __user *ptr = arg;
1765         struct hci_inquiry_req ir;
1766         struct hci_dev *hdev;
1767         int err = 0, do_inquiry = 0, max_rsp;
1768         long timeo;
1769         __u8 *buf;
1770 
1771         if (copy_from_user(&ir, ptr, sizeof(ir)))
1772                 return -EFAULT;
1773 
1774         hdev = hci_dev_get(ir.dev_id);
1775         if (!hdev)
1776                 return -ENODEV;
1777 
1778         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1779                 err = -EBUSY;
1780                 goto done;
1781         }
1782 
1783         if (hdev->dev_type != HCI_BREDR) {
1784                 err = -EOPNOTSUPP;
1785                 goto done;
1786         }
1787 
1788         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
1789                 err = -EOPNOTSUPP;
1790                 goto done;
1791         }
1792 
1793         hci_dev_lock(hdev);
1794         if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1795             inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1796                 hci_inquiry_cache_flush(hdev);
1797                 do_inquiry = 1;
1798         }
1799         hci_dev_unlock(hdev);
1800 
1801         timeo = ir.length * msecs_to_jiffies(2000);
1802 
1803         if (do_inquiry) {
1804                 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1805                                    timeo);
1806                 if (err < 0)
1807                         goto done;
1808 
1809                 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1810                  * cleared). If it is interrupted by a signal, return -EINTR.
1811                  */
1812                 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
1813                                 TASK_INTERRUPTIBLE))
1814                         return -EINTR;
1815         }
1816 
1817         /* for unlimited number of responses we will use buffer with
1818          * 255 entries
1819          */
1820         max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1821 
1822         /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1823          * copy it to the user space.
1824          */
1825         buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1826         if (!buf) {
1827                 err = -ENOMEM;
1828                 goto done;
1829         }
1830 
1831         hci_dev_lock(hdev);
1832         ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1833         hci_dev_unlock(hdev);
1834 
1835         BT_DBG("num_rsp %d", ir.num_rsp);
1836 
1837         if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1838                 ptr += sizeof(ir);
1839                 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1840                                  ir.num_rsp))
1841                         err = -EFAULT;
1842         } else
1843                 err = -EFAULT;
1844 
1845         kfree(buf);
1846 
1847 done:
1848         hci_dev_put(hdev);
1849         return err;
1850 }
1851 
1852 static int hci_dev_do_open(struct hci_dev *hdev)
1853 {
1854         int ret = 0;
1855 
1856         BT_DBG("%s %p", hdev->name, hdev);
1857 
1858         hci_req_lock(hdev);
1859 
1860         if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1861                 ret = -ENODEV;
1862                 goto done;
1863         }
1864 
1865         if (!test_bit(HCI_SETUP, &hdev->dev_flags)) {
1866                 /* Check for rfkill but allow the HCI setup stage to
1867                  * proceed (which in itself doesn't cause any RF activity).
1868                  */
1869                 if (test_bit(HCI_RFKILLED, &hdev->dev_flags)) {
1870                         ret = -ERFKILL;
1871                         goto done;
1872                 }
1873 
1874                 /* Check for valid public address or a configured static
1875                  * random adddress, but let the HCI setup proceed to
1876                  * be able to determine if there is a public address
1877                  * or not.
1878                  *
1879                  * This check is only valid for BR/EDR controllers
1880                  * since AMP controllers do not have an address.
1881                  */
1882                 if (hdev->dev_type == HCI_BREDR &&
1883                     !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1884                     !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1885                         ret = -EADDRNOTAVAIL;
1886                         goto done;
1887                 }
1888         }
1889 
1890         if (test_bit(HCI_UP, &hdev->flags)) {
1891                 ret = -EALREADY;
1892                 goto done;
1893         }
1894 
1895         if (hdev->open(hdev)) {
1896                 ret = -EIO;
1897                 goto done;
1898         }
1899 
1900         atomic_set(&hdev->cmd_cnt, 1);
1901         set_bit(HCI_INIT, &hdev->flags);
1902 
1903         if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
1904                 ret = hdev->setup(hdev);
1905 
1906         if (!ret) {
1907                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1908                         set_bit(HCI_RAW, &hdev->flags);
1909 
1910                 if (!test_bit(HCI_RAW, &hdev->flags) &&
1911                     !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
1912                         ret = __hci_init(hdev);
1913         }
1914 
1915         clear_bit(HCI_INIT, &hdev->flags);
1916 
1917         if (!ret) {
1918                 hci_dev_hold(hdev);
1919                 set_bit(HCI_UP, &hdev->flags);
1920                 hci_notify(hdev, HCI_DEV_UP);
1921                 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1922                     !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
1923                     hdev->dev_type == HCI_BREDR) {
1924                         hci_dev_lock(hdev);
1925                         mgmt_powered(hdev, 1);
1926                         hci_dev_unlock(hdev);
1927                 }
1928         } else {
1929                 /* Init failed, cleanup */
1930                 flush_work(&hdev->tx_work);
1931                 flush_work(&hdev->cmd_work);
1932                 flush_work(&hdev->rx_work);
1933 
1934                 skb_queue_purge(&hdev->cmd_q);
1935                 skb_queue_purge(&hdev->rx_q);
1936 
1937                 if (hdev->flush)
1938                         hdev->flush(hdev);
1939 
1940                 if (hdev->sent_cmd) {
1941                         kfree_skb(hdev->sent_cmd);
1942                         hdev->sent_cmd = NULL;
1943                 }
1944 
1945                 hdev->close(hdev);
1946                 hdev->flags = 0;
1947         }
1948 
1949 done:
1950         hci_req_unlock(hdev);
1951         return ret;
1952 }
1953 
1954 /* ---- HCI ioctl helpers ---- */
1955 
1956 int hci_dev_open(__u16 dev)
1957 {
1958         struct hci_dev *hdev;
1959         int err;
1960 
1961         hdev = hci_dev_get(dev);
1962         if (!hdev)
1963                 return -ENODEV;
1964 
1965         /* We need to ensure that no other power on/off work is pending
1966          * before proceeding to call hci_dev_do_open. This is
1967          * particularly important if the setup procedure has not yet
1968          * completed.
1969          */
1970         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1971                 cancel_delayed_work(&hdev->power_off);
1972 
1973         /* After this call it is guaranteed that the setup procedure
1974          * has finished. This means that error conditions like RFKILL
1975          * or no valid public or static random address apply.
1976          */
1977         flush_workqueue(hdev->req_workqueue);
1978 
1979         err = hci_dev_do_open(hdev);
1980 
1981         hci_dev_put(hdev);
1982 
1983         return err;
1984 }
1985 
1986 static int hci_dev_do_close(struct hci_dev *hdev)
1987 {
1988         BT_DBG("%s %p", hdev->name, hdev);
1989 
1990         cancel_delayed_work(&hdev->power_off);
1991 
1992         hci_req_cancel(hdev, ENODEV);
1993         hci_req_lock(hdev);
1994 
1995         if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1996                 del_timer_sync(&hdev->cmd_timer);
1997                 hci_req_unlock(hdev);
1998                 return 0;
1999         }
2000 
2001         /* Flush RX and TX works */
2002         flush_work(&hdev->tx_work);
2003         flush_work(&hdev->rx_work);
2004 
2005         if (hdev->discov_timeout > 0) {
2006                 cancel_delayed_work(&hdev->discov_off);
2007                 hdev->discov_timeout = 0;
2008                 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
2009                 clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
2010         }
2011 
2012         if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
2013                 cancel_delayed_work(&hdev->service_cache);
2014 
2015         cancel_delayed_work_sync(&hdev->le_scan_disable);
2016 
2017         hci_dev_lock(hdev);
2018         hci_inquiry_cache_flush(hdev);
2019         hci_conn_hash_flush(hdev);
2020         hci_dev_unlock(hdev);
2021 
2022         hci_notify(hdev, HCI_DEV_DOWN);
2023 
2024         if (hdev->flush)
2025                 hdev->flush(hdev);
2026 
2027         /* Reset device */
2028         skb_queue_purge(&hdev->cmd_q);
2029         atomic_set(&hdev->cmd_cnt, 1);
2030         if (!test_bit(HCI_RAW, &hdev->flags) &&
2031             !test_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
2032             test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
2033                 set_bit(HCI_INIT, &hdev->flags);
2034                 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
2035                 clear_bit(HCI_INIT, &hdev->flags);
2036         }
2037 
2038         /* flush cmd  work */
2039         flush_work(&hdev->cmd_work);
2040 
2041         /* Drop queues */
2042         skb_queue_purge(&hdev->rx_q);
2043         skb_queue_purge(&hdev->cmd_q);
2044         skb_queue_purge(&hdev->raw_q);
2045 
2046         /* Drop last sent command */
2047         if (hdev->sent_cmd) {
2048                 del_timer_sync(&hdev->cmd_timer);
2049                 kfree_skb(hdev->sent_cmd);
2050                 hdev->sent_cmd = NULL;
2051         }
2052 
2053         kfree_skb(hdev->recv_evt);
2054         hdev->recv_evt = NULL;
2055 
2056         /* After this point our queues are empty
2057          * and no tasks are scheduled. */
2058         hdev->close(hdev);
2059 
2060         /* Clear flags */
2061         hdev->flags = 0;
2062         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
2063 
2064         if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
2065                 if (hdev->dev_type == HCI_BREDR) {
2066                         hci_dev_lock(hdev);
2067                         mgmt_powered(hdev, 0);
2068                         hci_dev_unlock(hdev);
2069                 }
2070         }
2071 
2072         /* Controller radio is available but is currently powered down */
2073         hdev->amp_status = AMP_STATUS_POWERED_DOWN;
2074 
2075         memset(hdev->eir, 0, sizeof(hdev->eir));
2076         memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
2077 
2078         hci_req_unlock(hdev);
2079 
2080         hci_dev_put(hdev);
2081         return 0;
2082 }
2083 
2084 int hci_dev_close(__u16 dev)
2085 {
2086         struct hci_dev *hdev;
2087         int err;
2088 
2089         hdev = hci_dev_get(dev);
2090         if (!hdev)
2091                 return -ENODEV;
2092 
2093         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2094                 err = -EBUSY;
2095                 goto done;
2096         }
2097 
2098         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2099                 cancel_delayed_work(&hdev->power_off);
2100 
2101         err = hci_dev_do_close(hdev);
2102 
2103 done:
2104         hci_dev_put(hdev);
2105         return err;
2106 }
2107 
2108 int hci_dev_reset(__u16 dev)
2109 {
2110         struct hci_dev *hdev;
2111         int ret = 0;
2112 
2113         hdev = hci_dev_get(dev);
2114         if (!hdev)
2115                 return -ENODEV;
2116 
2117         hci_req_lock(hdev);
2118 
2119         if (!test_bit(HCI_UP, &hdev->flags)) {
2120                 ret = -ENETDOWN;
2121                 goto done;
2122         }
2123 
2124         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2125                 ret = -EBUSY;
2126                 goto done;
2127         }
2128 
2129         /* Drop queues */
2130         skb_queue_purge(&hdev->rx_q);
2131         skb_queue_purge(&hdev->cmd_q);
2132 
2133         hci_dev_lock(hdev);
2134         hci_inquiry_cache_flush(hdev);
2135         hci_conn_hash_flush(hdev);
2136         hci_dev_unlock(hdev);
2137 
2138         if (hdev->flush)
2139                 hdev->flush(hdev);
2140 
2141         atomic_set(&hdev->cmd_cnt, 1);
2142         hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
2143 
2144         if (!test_bit(HCI_RAW, &hdev->flags))
2145                 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
2146 
2147 done:
2148         hci_req_unlock(hdev);
2149         hci_dev_put(hdev);
2150         return ret;
2151 }
2152 
2153 int hci_dev_reset_stat(__u16 dev)
2154 {
2155         struct hci_dev *hdev;
2156         int ret = 0;
2157 
2158         hdev = hci_dev_get(dev);
2159         if (!hdev)
2160                 return -ENODEV;
2161 
2162         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2163                 ret = -EBUSY;
2164                 goto done;
2165         }
2166 
2167         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
2168 
2169 done:
2170         hci_dev_put(hdev);
2171         return ret;
2172 }
2173 
2174 int hci_dev_cmd(unsigned int cmd, void __user *arg)
2175 {
2176         struct hci_dev *hdev;
2177         struct hci_dev_req dr;
2178         int err = 0;
2179 
2180         if (copy_from_user(&dr, arg, sizeof(dr)))
2181                 return -EFAULT;
2182 
2183         hdev = hci_dev_get(dr.dev_id);
2184         if (!hdev)
2185                 return -ENODEV;
2186 
2187         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2188                 err = -EBUSY;
2189                 goto done;
2190         }
2191 
2192         if (hdev->dev_type != HCI_BREDR) {
2193                 err = -EOPNOTSUPP;
2194                 goto done;
2195         }
2196 
2197         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
2198                 err = -EOPNOTSUPP;
2199                 goto done;
2200         }
2201 
2202         switch (cmd) {
2203         case HCISETAUTH:
2204                 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2205                                    HCI_INIT_TIMEOUT);
2206                 break;
2207 
2208         case HCISETENCRYPT:
2209                 if (!lmp_encrypt_capable(hdev)) {
2210                         err = -EOPNOTSUPP;
2211                         break;
2212                 }
2213 
2214                 if (!test_bit(HCI_AUTH, &hdev->flags)) {
2215                         /* Auth must be enabled first */
2216                         err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2217                                            HCI_INIT_TIMEOUT);
2218                         if (err)
2219                                 break;
2220                 }
2221 
2222                 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
2223                                    HCI_INIT_TIMEOUT);
2224                 break;
2225 
2226         case HCISETSCAN:
2227                 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
2228                                    HCI_INIT_TIMEOUT);
2229                 break;
2230 
2231         case HCISETLINKPOL:
2232                 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
2233                                    HCI_INIT_TIMEOUT);
2234                 break;
2235 
2236         case HCISETLINKMODE:
2237                 hdev->link_mode = ((__u16) dr.dev_opt) &
2238                                         (HCI_LM_MASTER | HCI_LM_ACCEPT);
2239                 break;
2240 
2241         case HCISETPTYPE:
2242                 hdev->pkt_type = (__u16) dr.dev_opt;
2243                 break;
2244 
2245         case HCISETACLMTU:
2246                 hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
2247                 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
2248                 break;
2249 
2250         case HCISETSCOMTU:
2251                 hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
2252                 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
2253                 break;
2254 
2255         default:
2256                 err = -EINVAL;
2257                 break;
2258         }
2259 
2260 done:
2261         hci_dev_put(hdev);
2262         return err;
2263 }
2264 
2265 int hci_get_dev_list(void __user *arg)
2266 {
2267         struct hci_dev *hdev;
2268         struct hci_dev_list_req *dl;
2269         struct hci_dev_req *dr;
2270         int n = 0, size, err;
2271         __u16 dev_num;
2272 
2273         if (get_user(dev_num, (__u16 __user *) arg))
2274                 return -EFAULT;
2275 
2276         if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
2277                 return -EINVAL;
2278 
2279         size = sizeof(*dl) + dev_num * sizeof(*dr);
2280 
2281         dl = kzalloc(size, GFP_KERNEL);
2282         if (!dl)
2283                 return -ENOMEM;
2284 
2285         dr = dl->dev_req;
2286 
2287         read_lock(&hci_dev_list_lock);
2288         list_for_each_entry(hdev, &hci_dev_list, list) {
2289                 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2290                         cancel_delayed_work(&hdev->power_off);
2291 
2292                 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2293                         set_bit(HCI_PAIRABLE, &hdev->dev_flags);
2294 
2295                 (dr + n)->dev_id  = hdev->id;
2296                 (dr + n)->dev_opt = hdev->flags;
2297 
2298                 if (++n >= dev_num)
2299                         break;
2300         }
2301         read_unlock(&hci_dev_list_lock);
2302 
2303         dl->dev_num = n;
2304         size = sizeof(*dl) + n * sizeof(*dr);
2305 
2306         err = copy_to_user(arg, dl, size);
2307         kfree(dl);
2308 
2309         return err ? -EFAULT : 0;
2310 }
2311 
2312 int hci_get_dev_info(void __user *arg)
2313 {
2314         struct hci_dev *hdev;
2315         struct hci_dev_info di;
2316         int err = 0;
2317 
2318         if (copy_from_user(&di, arg, sizeof(di)))
2319                 return -EFAULT;
2320 
2321         hdev = hci_dev_get(di.dev_id);
2322         if (!hdev)
2323                 return -ENODEV;
2324 
2325         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2326                 cancel_delayed_work_sync(&hdev->power_off);
2327 
2328         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2329                 set_bit(HCI_PAIRABLE, &hdev->dev_flags);
2330 
2331         strcpy(di.name, hdev->name);
2332         di.bdaddr   = hdev->bdaddr;
2333         di.type     = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
2334         di.flags    = hdev->flags;
2335         di.pkt_type = hdev->pkt_type;
2336         if (lmp_bredr_capable(hdev)) {
2337                 di.acl_mtu  = hdev->acl_mtu;
2338                 di.acl_pkts = hdev->acl_pkts;
2339                 di.sco_mtu  = hdev->sco_mtu;
2340                 di.sco_pkts = hdev->sco_pkts;
2341         } else {
2342                 di.acl_mtu  = hdev->le_mtu;
2343                 di.acl_pkts = hdev->le_pkts;
2344                 di.sco_mtu  = 0;
2345                 di.sco_pkts = 0;
2346         }
2347         di.link_policy = hdev->link_policy;
2348         di.link_mode   = hdev->link_mode;
2349 
2350         memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
2351         memcpy(&di.features, &hdev->features, sizeof(di.features));
2352 
2353         if (copy_to_user(arg, &di, sizeof(di)))
2354                 err = -EFAULT;
2355 
2356         hci_dev_put(hdev);
2357 
2358         return err;
2359 }
2360 
2361 /* ---- Interface to HCI drivers ---- */
2362 
2363 static int hci_rfkill_set_block(void *data, bool blocked)
2364 {
2365         struct hci_dev *hdev = data;
2366 
2367         BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
2368 
2369         if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
2370                 return -EBUSY;
2371 
2372         if (blocked) {
2373                 set_bit(HCI_RFKILLED, &hdev->dev_flags);
2374                 if (!test_bit(HCI_SETUP, &hdev->dev_flags))
2375                         hci_dev_do_close(hdev);
2376         } else {
2377                 clear_bit(HCI_RFKILLED, &hdev->dev_flags);
2378         }
2379 
2380         return 0;
2381 }
2382 
2383 static const struct rfkill_ops hci_rfkill_ops = {
2384         .set_block = hci_rfkill_set_block,
2385 };
2386 
2387 static void hci_power_on(struct work_struct *work)
2388 {
2389         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2390         int err;
2391 
2392         BT_DBG("%s", hdev->name);
2393 
2394         err = hci_dev_do_open(hdev);
2395         if (err < 0) {
2396                 mgmt_set_powered_failed(hdev, err);
2397                 return;
2398         }
2399 
2400         /* During the HCI setup phase, a few error conditions are
2401          * ignored and they need to be checked now. If they are still
2402          * valid, it is important to turn the device back off.
2403          */
2404         if (test_bit(HCI_RFKILLED, &hdev->dev_flags) ||
2405             (hdev->dev_type == HCI_BREDR &&
2406              !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2407              !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2408                 clear_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2409                 hci_dev_do_close(hdev);
2410         } else if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
2411                 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2412                                    HCI_AUTO_OFF_TIMEOUT);
2413         }
2414 
2415         if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
2416                 mgmt_index_added(hdev);
2417 }
2418 
2419 static void hci_power_off(struct work_struct *work)
2420 {
2421         struct hci_dev *hdev = container_of(work, struct hci_dev,
2422                                             power_off.work);
2423 
2424         BT_DBG("%s", hdev->name);
2425 
2426         hci_dev_do_close(hdev);
2427 }
2428 
2429 static void hci_discov_off(struct work_struct *work)
2430 {
2431         struct hci_dev *hdev;
2432 
2433         hdev = container_of(work, struct hci_dev, discov_off.work);
2434 
2435         BT_DBG("%s", hdev->name);
2436 
2437         mgmt_discoverable_timeout(hdev);
2438 }
2439 
2440 int hci_uuids_clear(struct hci_dev *hdev)
2441 {
2442         struct bt_uuid *uuid, *tmp;
2443 
2444         list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2445                 list_del(&uuid->list);
2446                 kfree(uuid);
2447         }
2448 
2449         return 0;
2450 }
2451 
2452 int hci_link_keys_clear(struct hci_dev *hdev)
2453 {
2454         struct list_head *p, *n;
2455 
2456         list_for_each_safe(p, n, &hdev->link_keys) {
2457                 struct link_key *key;
2458 
2459                 key = list_entry(p, struct link_key, list);
2460 
2461                 list_del(p);
2462                 kfree(key);
2463         }
2464 
2465         return 0;
2466 }
2467 
2468 int hci_smp_ltks_clear(struct hci_dev *hdev)
2469 {
2470         struct smp_ltk *k, *tmp;
2471 
2472         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
2473                 list_del(&k->list);
2474                 kfree(k);
2475         }
2476 
2477         return 0;
2478 }
2479 
2480 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2481 {
2482         struct link_key *k;
2483 
2484         list_for_each_entry(k, &hdev->link_keys, list)
2485                 if (bacmp(bdaddr, &k->bdaddr) == 0)
2486                         return k;
2487 
2488         return NULL;
2489 }
2490 
2491 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2492                                u8 key_type, u8 old_key_type)
2493 {
2494         /* Legacy key */
2495         if (key_type < 0x03)
2496                 return true;
2497 
2498         /* Debug keys are insecure so don't store them persistently */
2499         if (key_type == HCI_LK_DEBUG_COMBINATION)
2500                 return false;
2501 
2502         /* Changed combination key and there's no previous one */
2503         if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2504                 return false;
2505 
2506         /* Security mode 3 case */
2507         if (!conn)
2508                 return true;
2509 
2510         /* Neither local nor remote side had no-bonding as requirement */
2511         if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2512                 return true;
2513 
2514         /* Local side had dedicated bonding as requirement */
2515         if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2516                 return true;
2517 
2518         /* Remote side had dedicated bonding as requirement */
2519         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2520                 return true;
2521 
2522         /* If none of the above criteria match, then don't store the key
2523          * persistently */
2524         return false;
2525 }
2526 
2527 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
2528 {
2529         struct smp_ltk *k;
2530 
2531         list_for_each_entry(k, &hdev->long_term_keys, list) {
2532                 if (k->ediv != ediv ||
2533                     memcmp(rand, k->rand, sizeof(k->rand)))
2534                         continue;
2535 
2536                 return k;
2537         }
2538 
2539         return NULL;
2540 }
2541 
2542 struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2543                                      u8 addr_type)
2544 {
2545         struct smp_ltk *k;
2546 
2547         list_for_each_entry(k, &hdev->long_term_keys, list)
2548                 if (addr_type == k->bdaddr_type &&
2549                     bacmp(bdaddr, &k->bdaddr) == 0)
2550                         return k;
2551 
2552         return NULL;
2553 }
2554 
2555 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2556                      bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
2557 {
2558         struct link_key *key, *old_key;
2559         u8 old_key_type;
2560         bool persistent;
2561 
2562         old_key = hci_find_link_key(hdev, bdaddr);
2563         if (old_key) {
2564                 old_key_type = old_key->type;
2565                 key = old_key;
2566         } else {
2567                 old_key_type = conn ? conn->key_type : 0xff;
2568                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
2569                 if (!key)
2570                         return -ENOMEM;
2571                 list_add(&key->list, &hdev->link_keys);
2572         }
2573 
2574         BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2575 
2576         /* Some buggy controller combinations generate a changed
2577          * combination key for legacy pairing even when there's no
2578          * previous key */
2579         if (type == HCI_LK_CHANGED_COMBINATION &&
2580             (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2581                 type = HCI_LK_COMBINATION;
2582                 if (conn)
2583                         conn->key_type = type;
2584         }
2585 
2586         bacpy(&key->bdaddr, bdaddr);
2587         memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2588         key->pin_len = pin_len;
2589 
2590         if (type == HCI_LK_CHANGED_COMBINATION)
2591                 key->type = old_key_type;
2592         else
2593                 key->type = type;
2594 
2595         if (!new_key)
2596                 return 0;
2597 
2598         persistent = hci_persistent_key(hdev, conn, type, old_key_type);
2599 
2600         mgmt_new_link_key(hdev, key, persistent);
2601 
2602         if (conn)
2603                 conn->flush_key = !persistent;
2604 
2605         return 0;
2606 }
2607 
2608 int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
2609                 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16
2610                 ediv, u8 rand[8])
2611 {
2612         struct smp_ltk *key, *old_key;
2613 
2614         if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK))
2615                 return 0;
2616 
2617         old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
2618         if (old_key)
2619                 key = old_key;
2620         else {
2621                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
2622                 if (!key)
2623                         return -ENOMEM;
2624                 list_add(&key->list, &hdev->long_term_keys);
2625         }
2626 
2627         bacpy(&key->bdaddr, bdaddr);
2628         key->bdaddr_type = addr_type;
2629         memcpy(key->val, tk, sizeof(key->val));
2630         key->authenticated = authenticated;
2631         key->ediv = ediv;
2632         key->enc_size = enc_size;
2633         key->type = type;
2634         memcpy(key->rand, rand, sizeof(key->rand));
2635 
2636         if (!new_key)
2637                 return 0;
2638 
2639         if (type & HCI_SMP_LTK)
2640                 mgmt_new_ltk(hdev, key, 1);
2641 
2642         return 0;
2643 }
2644 
2645 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2646 {
2647         struct link_key *key;
2648 
2649         key = hci_find_link_key(hdev, bdaddr);
2650         if (!key)
2651                 return -ENOENT;
2652 
2653         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2654 
2655         list_del(&key->list);
2656         kfree(key);
2657 
2658         return 0;
2659 }
2660 
2661 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
2662 {
2663         struct smp_ltk *k, *tmp;
2664 
2665         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
2666                 if (bacmp(bdaddr, &k->bdaddr))
2667                         continue;
2668 
2669                 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2670 
2671                 list_del(&k->list);
2672                 kfree(k);
2673         }
2674 
2675         return 0;
2676 }
2677 
2678 /* HCI command timer function */
2679 static void hci_cmd_timeout(unsigned long arg)
2680 {
2681         struct hci_dev *hdev = (void *) arg;
2682 
2683         if (hdev->sent_cmd) {
2684                 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2685                 u16 opcode = __le16_to_cpu(sent->opcode);
2686 
2687                 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2688         } else {
2689                 BT_ERR("%s command tx timeout", hdev->name);
2690         }
2691 
2692         atomic_set(&hdev->cmd_cnt, 1);
2693         queue_work(hdev->workqueue, &hdev->cmd_work);
2694 }
2695 
2696 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2697                                           bdaddr_t *bdaddr)
2698 {
2699         struct oob_data *data;
2700 
2701         list_for_each_entry(data, &hdev->remote_oob_data, list)
2702                 if (bacmp(bdaddr, &data->bdaddr) == 0)
2703                         return data;
2704 
2705         return NULL;
2706 }
2707 
2708 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
2709 {
2710         struct oob_data *data;
2711 
2712         data = hci_find_remote_oob_data(hdev, bdaddr);
2713         if (!data)
2714                 return -ENOENT;
2715 
2716         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2717 
2718         list_del(&data->list);
2719         kfree(data);
2720 
2721         return 0;
2722 }
2723 
2724 int hci_remote_oob_data_clear(struct hci_dev *hdev)
2725 {
2726         struct oob_data *data, *n;
2727 
2728         list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2729                 list_del(&data->list);
2730                 kfree(data);
2731         }
2732 
2733         return 0;
2734 }
2735 
2736 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
2737                             u8 *randomizer)
2738 {
2739         struct oob_data *data;
2740 
2741         data = hci_find_remote_oob_data(hdev, bdaddr);
2742 
2743         if (!data) {
2744                 data = kmalloc(sizeof(*data), GFP_ATOMIC);
2745                 if (!data)
2746                         return -ENOMEM;
2747 
2748                 bacpy(&data->bdaddr, bdaddr);
2749                 list_add(&data->list, &hdev->remote_oob_data);
2750         }
2751 
2752         memcpy(data->hash, hash, sizeof(data->hash));
2753         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
2754 
2755         BT_DBG("%s for %pMR", hdev->name, bdaddr);
2756 
2757         return 0;
2758 }
2759 
2760 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
2761                                          bdaddr_t *bdaddr, u8 type)
2762 {
2763         struct bdaddr_list *b;
2764 
2765         list_for_each_entry(b, &hdev->blacklist, list) {
2766                 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2767                         return b;
2768         }
2769 
2770         return NULL;
2771 }
2772 
2773 int hci_blacklist_clear(struct hci_dev *hdev)
2774 {
2775         struct list_head *p, *n;
2776 
2777         list_for_each_safe(p, n, &hdev->blacklist) {
2778                 struct bdaddr_list *b = list_entry(p, struct bdaddr_list, list);
2779 
2780                 list_del(p);
2781                 kfree(b);
2782         }
2783 
2784         return 0;
2785 }
2786 
2787 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2788 {
2789         struct bdaddr_list *entry;
2790 
2791         if (!bacmp(bdaddr, BDADDR_ANY))
2792                 return -EBADF;
2793 
2794         if (hci_blacklist_lookup(hdev, bdaddr, type))
2795                 return -EEXIST;
2796 
2797         entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
2798         if (!entry)
2799                 return -ENOMEM;
2800 
2801         bacpy(&entry->bdaddr, bdaddr);
2802         entry->bdaddr_type = type;
2803 
2804         list_add(&entry->list, &hdev->blacklist);
2805 
2806         return mgmt_device_blocked(hdev, bdaddr, type);
2807 }
2808 
2809 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2810 {
2811         struct bdaddr_list *entry;
2812 
2813         if (!bacmp(bdaddr, BDADDR_ANY))
2814                 return hci_blacklist_clear(hdev);
2815 
2816         entry = hci_blacklist_lookup(hdev, bdaddr, type);
2817         if (!entry)
2818                 return -ENOENT;
2819 
2820         list_del(&entry->list);
2821         kfree(entry);
2822 
2823         return mgmt_device_unblocked(hdev, bdaddr, type);
2824 }
2825 
2826 static void inquiry_complete(struct hci_dev *hdev, u8 status)
2827 {
2828         if (status) {
2829                 BT_ERR("Failed to start inquiry: status %d", status);
2830 
2831                 hci_dev_lock(hdev);
2832                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2833                 hci_dev_unlock(hdev);
2834                 return;
2835         }
2836 }
2837 
2838 static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status)
2839 {
2840         /* General inquiry access code (GIAC) */
2841         u8 lap[3] = { 0x33, 0x8b, 0x9e };
2842         struct hci_request req;
2843         struct hci_cp_inquiry cp;
2844         int err;
2845 
2846         if (status) {
2847                 BT_ERR("Failed to disable LE scanning: status %d", status);
2848                 return;
2849         }
2850 
2851         switch (hdev->discovery.type) {
2852         case DISCOV_TYPE_LE:
2853                 hci_dev_lock(hdev);
2854                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2855                 hci_dev_unlock(hdev);
2856                 break;
2857 
2858         case DISCOV_TYPE_INTERLEAVED:
2859                 hci_req_init(&req, hdev);
2860 
2861                 memset(&cp, 0, sizeof(cp));
2862                 memcpy(&cp.lap, lap, sizeof(cp.lap));
2863                 cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
2864                 hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
2865 
2866                 hci_dev_lock(hdev);
2867 
2868                 hci_inquiry_cache_flush(hdev);
2869 
2870                 err = hci_req_run(&req, inquiry_complete);
2871                 if (err) {
2872                         BT_ERR("Inquiry request failed: err %d", err);
2873                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2874                 }
2875 
2876                 hci_dev_unlock(hdev);
2877                 break;
2878         }
2879 }
2880 
2881 static void le_scan_disable_work(struct work_struct *work)
2882 {
2883         struct hci_dev *hdev = container_of(work, struct hci_dev,
2884                                             le_scan_disable.work);
2885         struct hci_cp_le_set_scan_enable cp;
2886         struct hci_request req;
2887         int err;
2888 
2889         BT_DBG("%s", hdev->name);
2890 
2891         hci_req_init(&req, hdev);
2892 
2893         memset(&cp, 0, sizeof(cp));
2894         cp.enable = LE_SCAN_DISABLE;
2895         hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2896 
2897         err = hci_req_run(&req, le_scan_disable_work_complete);
2898         if (err)
2899                 BT_ERR("Disable LE scanning request failed: err %d", err);
2900 }
2901 
2902 /* Alloc HCI device */
2903 struct hci_dev *hci_alloc_dev(void)
2904 {
2905         struct hci_dev *hdev;
2906 
2907         hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
2908         if (!hdev)
2909                 return NULL;
2910 
2911         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2912         hdev->esco_type = (ESCO_HV1);
2913         hdev->link_mode = (HCI_LM_ACCEPT);
2914         hdev->num_iac = 0x01;           /* One IAC support is mandatory */
2915         hdev->io_capability = 0x03;     /* No Input No Output */
2916         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2917         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2918 
2919         hdev->sniff_max_interval = 800;
2920         hdev->sniff_min_interval = 80;
2921 
2922         hdev->le_scan_interval = 0x0060;
2923         hdev->le_scan_window = 0x0030;
2924         hdev->le_conn_min_interval = 0x0028;
2925         hdev->le_conn_max_interval = 0x0038;
2926 
2927         mutex_init(&hdev->lock);
2928         mutex_init(&hdev->req_lock);
2929 
2930         INIT_LIST_HEAD(&hdev->mgmt_pending);
2931         INIT_LIST_HEAD(&hdev->blacklist);
2932         INIT_LIST_HEAD(&hdev->uuids);
2933         INIT_LIST_HEAD(&hdev->link_keys);
2934         INIT_LIST_HEAD(&hdev->long_term_keys);
2935         INIT_LIST_HEAD(&hdev->remote_oob_data);
2936         INIT_LIST_HEAD(&hdev->conn_hash.list);
2937 
2938         INIT_WORK(&hdev->rx_work, hci_rx_work);
2939         INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2940         INIT_WORK(&hdev->tx_work, hci_tx_work);
2941         INIT_WORK(&hdev->power_on, hci_power_on);
2942 
2943         INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2944         INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2945         INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2946 
2947         skb_queue_head_init(&hdev->rx_q);
2948         skb_queue_head_init(&hdev->cmd_q);
2949         skb_queue_head_init(&hdev->raw_q);
2950 
2951         init_waitqueue_head(&hdev->req_wait_q);
2952 
2953         setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
2954 
2955         hci_init_sysfs(hdev);
2956         discovery_init(hdev);
2957 
2958         return hdev;
2959 }
2960 EXPORT_SYMBOL(hci_alloc_dev);
2961 
2962 /* Free HCI device */
2963 void hci_free_dev(struct hci_dev *hdev)
2964 {
2965         /* will free via device release */
2966         put_device(&hdev->dev);
2967 }
2968 EXPORT_SYMBOL(hci_free_dev);
2969 
2970 /* Register HCI device */
2971 int hci_register_dev(struct hci_dev *hdev)
2972 {
2973         int id, error;
2974 
2975         if (!hdev->open || !hdev->close)
2976                 return -EINVAL;
2977 
2978         /* Do not allow HCI_AMP devices to register at index 0,
2979          * so the index can be used as the AMP controller ID.
2980          */
2981         switch (hdev->dev_type) {
2982         case HCI_BREDR:
2983                 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
2984                 break;
2985         case HCI_AMP:
2986                 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
2987                 break;
2988         default:
2989                 return -EINVAL;
2990         }
2991 
2992         if (id < 0)
2993                 return id;
2994 
2995         sprintf(hdev->name, "hci%d", id);
2996         hdev->id = id;
2997 
2998         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2999 
3000         hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3001                                           WQ_MEM_RECLAIM, 1, hdev->name);
3002         if (!hdev->workqueue) {
3003                 error = -ENOMEM;
3004                 goto err;
3005         }
3006 
3007         hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3008                                               WQ_MEM_RECLAIM, 1, hdev->name);
3009         if (!hdev->req_workqueue) {
3010                 destroy_workqueue(hdev->workqueue);
3011                 error = -ENOMEM;
3012                 goto err;
3013         }
3014 
3015         if (!IS_ERR_OR_NULL(bt_debugfs))
3016                 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3017 
3018         dev_set_name(&hdev->dev, "%s", hdev->name);
3019 
3020         error = device_add(&hdev->dev);
3021         if (error < 0)
3022                 goto err_wqueue;
3023 
3024         hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3025                                     RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3026                                     hdev);
3027         if (hdev->rfkill) {
3028                 if (rfkill_register(hdev->rfkill) < 0) {
3029                         rfkill_destroy(hdev->rfkill);
3030                         hdev->rfkill = NULL;
3031                 }
3032         }
3033 
3034         if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3035                 set_bit(HCI_RFKILLED, &hdev->dev_flags);
3036 
3037         set_bit(HCI_SETUP, &hdev->dev_flags);
3038         set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
3039 
3040         if (hdev->dev_type == HCI_BREDR) {
3041                 /* Assume BR/EDR support until proven otherwise (such as
3042                  * through reading supported features during init.
3043                  */
3044                 set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
3045         }
3046 
3047         write_lock(&hci_dev_list_lock);
3048         list_add(&hdev->list, &hci_dev_list);
3049         write_unlock(&hci_dev_list_lock);
3050 
3051         hci_notify(hdev, HCI_DEV_REG);
3052         hci_dev_hold(hdev);
3053 
3054         queue_work(hdev->req_workqueue, &hdev->power_on);
3055 
3056         return id;
3057 
3058 err_wqueue:
3059         destroy_workqueue(hdev->workqueue);
3060         destroy_workqueue(hdev->req_workqueue);
3061 err:
3062         ida_simple_remove(&hci_index_ida, hdev->id);
3063 
3064         return error;
3065 }
3066 EXPORT_SYMBOL(hci_register_dev);
3067 
3068 /* Unregister HCI device */
3069 void hci_unregister_dev(struct hci_dev *hdev)
3070 {
3071         int i, id;
3072 
3073         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3074 
3075         set_bit(HCI_UNREGISTER, &hdev->dev_flags);
3076 
3077         id = hdev->id;
3078 
3079         write_lock(&hci_dev_list_lock);
3080         list_del(&hdev->list);
3081         write_unlock(&hci_dev_list_lock);
3082 
3083         hci_dev_do_close(hdev);
3084 
3085         for (i = 0; i < NUM_REASSEMBLY; i++)
3086                 kfree_skb(hdev->reassembly[i]);
3087 
3088         cancel_work_sync(&hdev->power_on);
3089 
3090         if (!test_bit(HCI_INIT, &hdev->flags) &&
3091             !test_bit(HCI_SETUP, &hdev->dev_flags)) {
3092                 hci_dev_lock(hdev);
3093                 mgmt_index_removed(hdev);
3094                 hci_dev_unlock(hdev);
3095         }
3096 
3097         /* mgmt_index_removed should take care of emptying the
3098          * pending list */
3099         BUG_ON(!list_empty(&hdev->mgmt_pending));
3100 
3101         hci_notify(hdev, HCI_DEV_UNREG);
3102 
3103         if (hdev->rfkill) {
3104                 rfkill_unregister(hdev->rfkill);
3105                 rfkill_destroy(hdev->rfkill);
3106         }
3107 
3108         device_del(&hdev->dev);
3109 
3110         debugfs_remove_recursive(hdev->debugfs);
3111 
3112         destroy_workqueue(hdev->workqueue);
3113         destroy_workqueue(hdev->req_workqueue);
3114 
3115         hci_dev_lock(hdev);
3116         hci_blacklist_clear(hdev);
3117         hci_uuids_clear(hdev);
3118         hci_link_keys_clear(hdev);
3119         hci_smp_ltks_clear(hdev);
3120         hci_remote_oob_data_clear(hdev);
3121         hci_dev_unlock(hdev);
3122 
3123         hci_dev_put(hdev);
3124 
3125         ida_simple_remove(&hci_index_ida, id);
3126 }
3127 EXPORT_SYMBOL(hci_unregister_dev);
3128 
3129 /* Suspend HCI device */
3130 int hci_suspend_dev(struct hci_dev *hdev)
3131 {
3132         hci_notify(hdev, HCI_DEV_SUSPEND);
3133         return 0;
3134 }
3135 EXPORT_SYMBOL(hci_suspend_dev);
3136 
3137 /* Resume HCI device */
3138 int hci_resume_dev(struct hci_dev *hdev)
3139 {
3140         hci_notify(hdev, HCI_DEV_RESUME);
3141         return 0;
3142 }
3143 EXPORT_SYMBOL(hci_resume_dev);
3144 
3145 /* Receive frame from HCI drivers */
3146 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3147 {
3148         if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3149                       && !test_bit(HCI_INIT, &hdev->flags))) {
3150                 kfree_skb(skb);
3151                 return -ENXIO;
3152         }
3153 
3154         /* Incoming skb */
3155         bt_cb(skb)->incoming = 1;
3156 
3157         /* Time stamp */
3158         __net_timestamp(skb);
3159 
3160         skb_queue_tail(&hdev->rx_q, skb);
3161         queue_work(hdev->workqueue, &hdev->rx_work);
3162 
3163         return 0;
3164 }
3165 EXPORT_SYMBOL(hci_recv_frame);
3166 
3167 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
3168                           int count, __u8 index)
3169 {
3170         int len = 0;
3171         int hlen = 0;
3172         int remain = count;
3173         struct sk_buff *skb;
3174         struct bt_skb_cb *scb;
3175 
3176         if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
3177             index >= NUM_REASSEMBLY)
3178                 return -EILSEQ;
3179 
3180         skb = hdev->reassembly[index];
3181 
3182         if (!skb) {
3183                 switch (type) {
3184                 case HCI_ACLDATA_PKT:
3185                         len = HCI_MAX_FRAME_SIZE;
3186                         hlen = HCI_ACL_HDR_SIZE;
3187                         break;
3188                 case HCI_EVENT_PKT:
3189                         len = HCI_MAX_EVENT_SIZE;
3190                         hlen = HCI_EVENT_HDR_SIZE;
3191                         break;
3192                 case HCI_SCODATA_PKT:
3193                         len = HCI_MAX_SCO_SIZE;
3194                         hlen = HCI_SCO_HDR_SIZE;
3195                         break;
3196                 }
3197 
3198                 skb = bt_skb_alloc(len, GFP_ATOMIC);
3199                 if (!skb)
3200                         return -ENOMEM;
3201 
3202                 scb = (void *) skb->cb;
3203                 scb->expect = hlen;
3204                 scb->pkt_type = type;
3205 
3206                 hdev->reassembly[index] = skb;
3207         }
3208 
3209         while (count) {
3210                 scb = (void *) skb->cb;
3211                 len = min_t(uint, scb->expect, count);
3212 
3213                 memcpy(skb_put(skb, len), data, len);
3214 
3215                 count -= len;
3216                 data += len;
3217                 scb->expect -= len;
3218                 remain = count;
3219 
3220                 switch (type) {
3221                 case HCI_EVENT_PKT:
3222                         if (skb->len == HCI_EVENT_HDR_SIZE) {
3223                                 struct hci_event_hdr *h = hci_event_hdr(skb);
3224                                 scb->expect = h->plen;
3225 
3226                                 if (skb_tailroom(skb) < scb->expect) {
3227                                         kfree_skb(skb);
3228                                         hdev->reassembly[index] = NULL;
3229                                         return -ENOMEM;
3230                                 }
3231                         }
3232                         break;
3233 
3234                 case HCI_ACLDATA_PKT:
3235                         if (skb->len  == HCI_ACL_HDR_SIZE) {
3236                                 struct hci_acl_hdr *h = hci_acl_hdr(skb);
3237                                 scb->expect = __le16_to_cpu(h->dlen);
3238 
3239                                 if (skb_tailroom(skb) < scb->expect) {
3240                                         kfree_skb(skb);
3241                                         hdev->reassembly[index] = NULL;
3242                                         return -ENOMEM;
3243                                 }
3244                         }
3245                         break;
3246 
3247                 case HCI_SCODATA_PKT:
3248                         if (skb->len == HCI_SCO_HDR_SIZE) {
3249                                 struct hci_sco_hdr *h = hci_sco_hdr(skb);
3250                                 scb->expect = h->dlen;
3251 
3252                                 if (skb_tailroom(skb) < scb->expect) {
3253                                         kfree_skb(skb);
3254                                         hdev->reassembly[index] = NULL;
3255                                         return -ENOMEM;
3256                                 }
3257                         }
3258                         break;
3259                 }
3260 
3261                 if (scb->expect == 0) {
3262                         /* Complete frame */
3263 
3264                         bt_cb(skb)->pkt_type = type;
3265                         hci_recv_frame(hdev, skb);
3266 
3267                         hdev->reassembly[index] = NULL;
3268                         return remain;
3269                 }
3270         }
3271 
3272         return remain;
3273 }
3274 
3275 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
3276 {
3277         int rem = 0;
3278 
3279         if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
3280                 return -EILSEQ;
3281 
3282         while (count) {
3283                 rem = hci_reassembly(hdev, type, data, count, type - 1);
3284                 if (rem < 0)
3285                         return rem;
3286 
3287                 data += (count - rem);
3288                 count = rem;
3289         }
3290 
3291         return rem;
3292 }
3293 EXPORT_SYMBOL(hci_recv_fragment);
3294 
3295 #define STREAM_REASSEMBLY 0
3296 
3297 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
3298 {
3299         int type;
3300         int rem = 0;
3301 
3302         while (count) {
3303                 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
3304 
3305                 if (!skb) {
3306                         struct { char type; } *pkt;
3307 
3308                         /* Start of the frame */
3309                         pkt = data;
3310                         type = pkt->type;
3311 
3312                         data++;
3313                         count--;
3314                 } else
3315                         type = bt_cb(skb)->pkt_type;
3316 
3317                 rem = hci_reassembly(hdev, type, data, count,
3318                                      STREAM_REASSEMBLY);
3319                 if (rem < 0)
3320                         return rem;
3321 
3322                 data += (count - rem);
3323                 count = rem;
3324         }
3325 
3326         return rem;
3327 }
3328 EXPORT_SYMBOL(hci_recv_stream_fragment);
3329 
3330 /* ---- Interface to upper protocols ---- */
3331 
3332 int hci_register_cb(struct hci_cb *cb)
3333 {
3334         BT_DBG("%p name %s", cb, cb->name);
3335 
3336         write_lock(&hci_cb_list_lock);
3337         list_add(&cb->list, &hci_cb_list);
3338         write_unlock(&hci_cb_list_lock);
3339 
3340         return 0;
3341 }
3342 EXPORT_SYMBOL(hci_register_cb);
3343 
3344 int hci_unregister_cb(struct hci_cb *cb)
3345 {
3346         BT_DBG("%p name %s", cb, cb->name);
3347 
3348         write_lock(&hci_cb_list_lock);
3349         list_del(&cb->list);
3350         write_unlock(&hci_cb_list_lock);
3351 
3352         return 0;
3353 }
3354 EXPORT_SYMBOL(hci_unregister_cb);
3355 
3356 static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3357 {
3358         BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
3359 
3360         /* Time stamp */
3361         __net_timestamp(skb);
3362 
3363         /* Send copy to monitor */
3364         hci_send_to_monitor(hdev, skb);
3365 
3366         if (atomic_read(&hdev->promisc)) {
3367                 /* Send copy to the sockets */
3368                 hci_send_to_sock(hdev, skb);
3369         }
3370 
3371         /* Get rid of skb owner, prior to sending to the driver. */
3372         skb_orphan(skb);
3373 
3374         if (hdev->send(hdev, skb) < 0)
3375                 BT_ERR("%s sending frame failed", hdev->name);
3376 }
3377 
3378 void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
3379 {
3380         skb_queue_head_init(&req->cmd_q);
3381         req->hdev = hdev;
3382         req->err = 0;
3383 }
3384 
3385 int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
3386 {
3387         struct hci_dev *hdev = req->hdev;
3388         struct sk_buff *skb;
3389         unsigned long flags;
3390 
3391         BT_DBG("length %u", skb_queue_len(&req->cmd_q));
3392 
3393         /* If an error occured during request building, remove all HCI
3394          * commands queued on the HCI request queue.
3395          */
3396         if (req->err) {
3397                 skb_queue_purge(&req->cmd_q);
3398                 return req->err;
3399         }
3400 
3401         /* Do not allow empty requests */
3402         if (skb_queue_empty(&req->cmd_q))
3403                 return -ENODATA;
3404 
3405         skb = skb_peek_tail(&req->cmd_q);
3406         bt_cb(skb)->req.complete = complete;
3407 
3408         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
3409         skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
3410         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
3411 
3412         queue_work(hdev->workqueue, &hdev->cmd_work);
3413 
3414         return 0;
3415 }
3416 
3417 static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
3418                                        u32 plen, const void *param)
3419 {
3420         int len = HCI_COMMAND_HDR_SIZE + plen;
3421         struct hci_command_hdr *hdr;
3422         struct sk_buff *skb;
3423 
3424         skb = bt_skb_alloc(len, GFP_ATOMIC);
3425         if (!skb)
3426                 return NULL;
3427 
3428         hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
3429         hdr->opcode = cpu_to_le16(opcode);
3430         hdr->plen   = plen;
3431 
3432         if (plen)
3433                 memcpy(skb_put(skb, plen), param, plen);
3434 
3435         BT_DBG("skb len %d", skb->len);
3436 
3437         bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
3438 
3439         return skb;
3440 }
3441 
3442 /* Send HCI command */
3443 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3444                  const void *param)
3445 {
3446         struct sk_buff *skb;
3447 
3448         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3449 
3450         skb = hci_prepare_cmd(hdev, opcode, plen, param);
3451         if (!skb) {
3452                 BT_ERR("%s no memory for command", hdev->name);
3453                 return -ENOMEM;
3454         }
3455 
3456         /* Stand-alone HCI commands must be flaged as
3457          * single-command requests.
3458          */
3459         bt_cb(skb)->req.start = true;
3460 
3461         skb_queue_tail(&hdev->cmd_q, skb);
3462         queue_work(hdev->workqueue, &hdev->cmd_work);
3463 
3464         return 0;
3465 }
3466 
3467 /* Queue a command to an asynchronous HCI request */
3468 void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen,
3469                     const void *param, u8 event)
3470 {
3471         struct hci_dev *hdev = req->hdev;
3472         struct sk_buff *skb;
3473 
3474         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3475 
3476         /* If an error occured during request building, there is no point in
3477          * queueing the HCI command. We can simply return.
3478          */
3479         if (req->err)
3480                 return;
3481 
3482         skb = hci_prepare_cmd(hdev, opcode, plen, param);
3483         if (!skb) {
3484                 BT_ERR("%s no memory for command (opcode 0x%4.4x)",
3485                        hdev->name, opcode);
3486                 req->err = -ENOMEM;
3487                 return;
3488         }
3489 
3490         if (skb_queue_empty(&req->cmd_q))
3491                 bt_cb(skb)->req.start = true;
3492 
3493         bt_cb(skb)->req.event = event;
3494 
3495         skb_queue_tail(&req->cmd_q, skb);
3496 }
3497 
3498 void hci_req_add(struct hci_request *req, u16 opcode, u32 plen,
3499                  const void *param)
3500 {
3501         hci_req_add_ev(req, opcode, plen, param, 0);
3502 }
3503 
3504 /* Get data from the previously sent command */
3505 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3506 {
3507         struct hci_command_hdr *hdr;
3508 
3509         if (!hdev->sent_cmd)
3510                 return NULL;
3511 
3512         hdr = (void *) hdev->sent_cmd->data;
3513 
3514         if (hdr->opcode != cpu_to_le16(opcode))
3515                 return NULL;
3516 
3517         BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3518 
3519         return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3520 }
3521 
3522 /* Send ACL data */
3523 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3524 {
3525         struct hci_acl_hdr *hdr;
3526         int len = skb->len;
3527 
3528         skb_push(skb, HCI_ACL_HDR_SIZE);
3529         skb_reset_transport_header(skb);
3530         hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3531         hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3532         hdr->dlen   = cpu_to_le16(len);
3533 }
3534 
3535 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3536                           struct sk_buff *skb, __u16 flags)
3537 {
3538         struct hci_conn *conn = chan->conn;
3539         struct hci_dev *hdev = conn->hdev;
3540         struct sk_buff *list;
3541 
3542         skb->len = skb_headlen(skb);
3543         skb->data_len = 0;
3544 
3545         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
3546 
3547         switch (hdev->dev_type) {
3548         case HCI_BREDR:
3549                 hci_add_acl_hdr(skb, conn->handle, flags);
3550                 break;
3551         case HCI_AMP:
3552                 hci_add_acl_hdr(skb, chan->handle, flags);
3553                 break;
3554         default:
3555                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3556                 return;
3557         }
3558 
3559         list = skb_shinfo(skb)->frag_list;
3560         if (!list) {
3561                 /* Non fragmented */
3562                 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3563 
3564                 skb_queue_tail(queue, skb);
3565         } else {
3566                 /* Fragmented */
3567                 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3568 
3569                 skb_shinfo(skb)->frag_list = NULL;
3570 
3571                 /* Queue all fragments atomically */
3572                 spin_lock(&queue->lock);
3573 
3574                 __skb_queue_tail(queue, skb);
3575 
3576                 flags &= ~ACL_START;
3577                 flags |= ACL_CONT;
3578                 do {
3579                         skb = list; list = list->next;
3580 
3581                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
3582                         hci_add_acl_hdr(skb, conn->handle, flags);
3583 
3584                         BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3585 
3586                         __skb_queue_tail(queue, skb);
3587                 } while (list);
3588 
3589                 spin_unlock(&queue->lock);
3590         }
3591 }
3592 
3593 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3594 {
3595         struct hci_dev *hdev = chan->conn->hdev;
3596 
3597         BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3598 
3599         hci_queue_acl(chan, &chan->data_q, skb, flags);
3600 
3601         queue_work(hdev->workqueue, &hdev->tx_work);
3602 }
3603 
3604 /* Send SCO data */
3605 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3606 {
3607         struct hci_dev *hdev = conn->hdev;
3608         struct hci_sco_hdr hdr;
3609 
3610         BT_DBG("%s len %d", hdev->name, skb->len);
3611 
3612         hdr.handle = cpu_to_le16(conn->handle);
3613         hdr.dlen   = skb->len;
3614 
3615         skb_push(skb, HCI_SCO_HDR_SIZE);
3616         skb_reset_transport_header(skb);
3617         memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3618 
3619         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
3620 
3621         skb_queue_tail(&conn->data_q, skb);
3622         queue_work(hdev->workqueue, &hdev->tx_work);
3623 }
3624 
3625 /* ---- HCI TX task (outgoing data) ---- */
3626 
3627 /* HCI Connection scheduler */
3628 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3629                                      int *quote)
3630 {
3631         struct hci_conn_hash *h = &hdev->conn_hash;
3632         struct hci_conn *conn = NULL, *c;
3633         unsigned int num = 0, min = ~0;
3634 
3635         /* We don't have to lock device here. Connections are always
3636          * added and removed with TX task disabled. */
3637 
3638         rcu_read_lock();
3639 
3640         list_for_each_entry_rcu(c, &h->list, list) {
3641                 if (c->type != type || skb_queue_empty(&c->data_q))
3642                         continue;
3643 
3644                 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3645                         continue;
3646 
3647                 num++;
3648 
3649                 if (c->sent < min) {
3650                         min  = c->sent;
3651                         conn = c;
3652                 }
3653 
3654                 if (hci_conn_num(hdev, type) == num)
3655                         break;
3656         }
3657 
3658         rcu_read_unlock();
3659 
3660         if (conn) {
3661                 int cnt, q;
3662 
3663                 switch (conn->type) {
3664                 case ACL_LINK:
3665                         cnt = hdev->acl_cnt;
3666                         break;
3667                 case SCO_LINK:
3668                 case ESCO_LINK:
3669                         cnt = hdev->sco_cnt;
3670                         break;
3671                 case LE_LINK:
3672                         cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3673                         break;
3674                 default:
3675                         cnt = 0;
3676                         BT_ERR("Unknown link type");
3677                 }
3678 
3679                 q = cnt / num;
3680                 *quote = q ? q : 1;
3681         } else
3682                 *quote = 0;
3683 
3684         BT_DBG("conn %p quote %d", conn, *quote);
3685         return conn;
3686 }
3687 
3688 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3689 {
3690         struct hci_conn_hash *h = &hdev->conn_hash;
3691         struct hci_conn *c;
3692 
3693         BT_ERR("%s link tx timeout", hdev->name);
3694 
3695         rcu_read_lock();
3696 
3697         /* Kill stalled connections */
3698         list_for_each_entry_rcu(c, &h->list, list) {
3699                 if (c->type == type && c->sent) {
3700                         BT_ERR("%s killing stalled connection %pMR",
3701                                hdev->name, &c->dst);
3702                         hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3703                 }
3704         }
3705 
3706         rcu_read_unlock();
3707 }
3708 
3709 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3710                                       int *quote)
3711 {
3712         struct hci_conn_hash *h = &hdev->conn_hash;
3713         struct hci_chan *chan = NULL;
3714         unsigned int num = 0, min = ~0, cur_prio = 0;
3715         struct hci_conn *conn;
3716         int cnt, q, conn_num = 0;
3717 
3718         BT_DBG("%s", hdev->name);
3719 
3720         rcu_read_lock();
3721 
3722         list_for_each_entry_rcu(conn, &h->list, list) {
3723                 struct hci_chan *tmp;
3724 
3725                 if (conn->type != type)
3726                         continue;
3727 
3728                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3729                         continue;
3730 
3731                 conn_num++;
3732 
3733                 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3734                         struct sk_buff *skb;
3735 
3736                         if (skb_queue_empty(&tmp->data_q))
3737                                 continue;
3738 
3739                         skb = skb_peek(&tmp->data_q);
3740                         if (skb->priority < cur_prio)
3741                                 continue;
3742 
3743                         if (skb->priority > cur_prio) {
3744                                 num = 0;
3745                                 min = ~0;
3746                                 cur_prio = skb->priority;
3747                         }
3748 
3749                         num++;
3750 
3751                         if (conn->sent < min) {
3752                                 min  = conn->sent;
3753                                 chan = tmp;
3754                         }
3755                 }
3756 
3757                 if (hci_conn_num(hdev, type) == conn_num)
3758                         break;
3759         }
3760 
3761         rcu_read_unlock();
3762 
3763         if (!chan)
3764                 return NULL;
3765 
3766         switch (chan->conn->type) {
3767         case ACL_LINK:
3768                 cnt = hdev->acl_cnt;
3769                 break;
3770         case AMP_LINK:
3771                 cnt = hdev->block_cnt;
3772                 break;
3773         case SCO_LINK:
3774         case ESCO_LINK:
3775                 cnt = hdev->sco_cnt;
3776                 break;
3777         case LE_LINK:
3778                 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3779                 break;
3780         default:
3781                 cnt = 0;
3782                 BT_ERR("Unknown link type");
3783         }
3784 
3785         q = cnt / num;
3786         *quote = q ? q : 1;
3787         BT_DBG("chan %p quote %d", chan, *quote);
3788         return chan;
3789 }
3790 
3791 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3792 {
3793         struct hci_conn_hash *h = &hdev->conn_hash;
3794         struct hci_conn *conn;
3795         int num = 0;
3796 
3797         BT_DBG("%s", hdev->name);
3798 
3799         rcu_read_lock();
3800 
3801         list_for_each_entry_rcu(conn, &h->list, list) {
3802                 struct hci_chan *chan;
3803 
3804                 if (conn->type != type)
3805                         continue;
3806 
3807                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3808                         continue;
3809 
3810                 num++;
3811 
3812                 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3813                         struct sk_buff *skb;
3814 
3815                         if (chan->sent) {
3816                                 chan->sent = 0;
3817                                 continue;
3818                         }
3819 
3820                         if (skb_queue_empty(&chan->data_q))
3821                                 continue;
3822 
3823                         skb = skb_peek(&chan->data_q);
3824                         if (skb->priority >= HCI_PRIO_MAX - 1)
3825                                 continue;
3826 
3827                         skb->priority = HCI_PRIO_MAX - 1;
3828 
3829                         BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3830                                skb->priority);
3831                 }
3832 
3833                 if (hci_conn_num(hdev, type) == num)
3834                         break;
3835         }
3836 
3837         rcu_read_unlock();
3838 
3839 }
3840 
3841 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3842 {
3843         /* Calculate count of blocks used by this packet */
3844         return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3845 }
3846 
3847 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3848 {
3849         if (!test_bit(HCI_RAW, &hdev->flags)) {
3850                 /* ACL tx timeout must be longer than maximum
3851                  * link supervision timeout (40.9 seconds) */
3852                 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3853                                        HCI_ACL_TX_TIMEOUT))
3854                         hci_link_tx_to(hdev, ACL_LINK);
3855         }
3856 }
3857 
3858 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3859 {
3860         unsigned int cnt = hdev->acl_cnt;
3861         struct hci_chan *chan;
3862         struct sk_buff *skb;
3863         int quote;
3864 
3865         __check_timeout(hdev, cnt);
3866 
3867         while (hdev->acl_cnt &&
3868                (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3869                 u32 priority = (skb_peek(&chan->data_q))->priority;
3870                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3871                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3872                                skb->len, skb->priority);
3873 
3874                         /* Stop if priority has changed */
3875                         if (skb->priority < priority)
3876                                 break;
3877 
3878                         skb = skb_dequeue(&chan->data_q);
3879 
3880                         hci_conn_enter_active_mode(chan->conn,
3881                                                    bt_cb(skb)->force_active);
3882 
3883                         hci_send_frame(hdev, skb);
3884                         hdev->acl_last_tx = jiffies;
3885 
3886                         hdev->acl_cnt--;
3887                         chan->sent++;
3888                         chan->conn->sent++;
3889                 }
3890         }
3891 
3892         if (cnt != hdev->acl_cnt)
3893                 hci_prio_recalculate(hdev, ACL_LINK);
3894 }
3895 
3896 static void hci_sched_acl_blk(struct hci_dev *hdev)
3897 {
3898         unsigned int cnt = hdev->block_cnt;
3899         struct hci_chan *chan;
3900         struct sk_buff *skb;
3901         int quote;
3902         u8 type;
3903 
3904         __check_timeout(hdev, cnt);
3905 
3906         BT_DBG("%s", hdev->name);
3907 
3908         if (hdev->dev_type == HCI_AMP)
3909                 type = AMP_LINK;
3910         else
3911                 type = ACL_LINK;
3912 
3913         while (hdev->block_cnt > 0 &&
3914                (chan = hci_chan_sent(hdev, type, &quote))) {
3915                 u32 priority = (skb_peek(&chan->data_q))->priority;
3916                 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3917                         int blocks;
3918 
3919                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3920                                skb->len, skb->priority);
3921 
3922                         /* Stop if priority has changed */
3923                         if (skb->priority < priority)
3924                                 break;
3925 
3926                         skb = skb_dequeue(&chan->data_q);
3927 
3928                         blocks = __get_blocks(hdev, skb);
3929                         if (blocks > hdev->block_cnt)
3930                                 return;
3931 
3932                         hci_conn_enter_active_mode(chan->conn,
3933                                                    bt_cb(skb)->force_active);
3934 
3935                         hci_send_frame(hdev, skb);
3936                         hdev->acl_last_tx = jiffies;
3937 
3938                         hdev->block_cnt -= blocks;
3939                         quote -= blocks;
3940 
3941                         chan->sent += blocks;
3942                         chan->conn->sent += blocks;
3943                 }
3944         }
3945 
3946         if (cnt != hdev->block_cnt)
3947                 hci_prio_recalculate(hdev, type);
3948 }
3949 
3950 static void hci_sched_acl(struct hci_dev *hdev)
3951 {
3952         BT_DBG("%s", hdev->name);
3953 
3954         /* No ACL link over BR/EDR controller */
3955         if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3956                 return;
3957 
3958         /* No AMP link over AMP controller */
3959         if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3960                 return;
3961 
3962         switch (hdev->flow_ctl_mode) {
3963         case HCI_FLOW_CTL_MODE_PACKET_BASED:
3964                 hci_sched_acl_pkt(hdev);
3965                 break;
3966 
3967         case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3968                 hci_sched_acl_blk(hdev);
3969                 break;
3970         }
3971 }
3972 
3973 /* Schedule SCO */
3974 static void hci_sched_sco(struct hci_dev *hdev)
3975 {
3976         struct hci_conn *conn;
3977         struct sk_buff *skb;
3978         int quote;
3979 
3980         BT_DBG("%s", hdev->name);
3981 
3982         if (!hci_conn_num(hdev, SCO_LINK))
3983                 return;
3984 
3985         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3986                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3987                         BT_DBG("skb %p len %d", skb, skb->len);
3988                         hci_send_frame(hdev, skb);
3989 
3990                         conn->sent++;
3991                         if (conn->sent == ~0)
3992                                 conn->sent = 0;
3993                 }
3994         }
3995 }
3996 
3997 static void hci_sched_esco(struct hci_dev *hdev)
3998 {
3999         struct hci_conn *conn;
4000         struct sk_buff *skb;
4001         int quote;
4002 
4003         BT_DBG("%s", hdev->name);
4004 
4005         if (!hci_conn_num(hdev, ESCO_LINK))
4006                 return;
4007 
4008         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
4009                                                      &quote))) {
4010                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4011                         BT_DBG("skb %p len %d", skb, skb->len);
4012                         hci_send_frame(hdev, skb);
4013 
4014                         conn->sent++;
4015                         if (conn->sent == ~0)
4016                                 conn->sent = 0;
4017                 }
4018         }
4019 }
4020 
4021 static void hci_sched_le(struct hci_dev *hdev)
4022 {
4023         struct hci_chan *chan;
4024         struct sk_buff *skb;
4025         int quote, cnt, tmp;
4026 
4027         BT_DBG("%s", hdev->name);
4028 
4029         if (!hci_conn_num(hdev, LE_LINK))
4030                 return;
4031 
4032         if (!test_bit(HCI_RAW, &hdev->flags)) {
4033                 /* LE tx timeout must be longer than maximum
4034                  * link supervision timeout (40.9 seconds) */
4035                 if (!hdev->le_cnt && hdev->le_pkts &&
4036                     time_after(jiffies, hdev->le_last_tx + HZ * 45))
4037                         hci_link_tx_to(hdev, LE_LINK);
4038         }
4039 
4040         cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
4041         tmp = cnt;
4042         while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
4043                 u32 priority = (skb_peek(&chan->data_q))->priority;
4044                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4045                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4046                                skb->len, skb->priority);
4047 
4048                         /* Stop if priority has changed */
4049                         if (skb->priority < priority)
4050                                 break;
4051 
4052                         skb = skb_dequeue(&chan->data_q);
4053 
4054                         hci_send_frame(hdev, skb);
4055                         hdev->le_last_tx = jiffies;
4056 
4057                         cnt--;
4058                         chan->sent++;
4059                         chan->conn->sent++;
4060                 }
4061         }
4062 
4063         if (hdev->le_pkts)
4064                 hdev->le_cnt = cnt;
4065         else
4066                 hdev->acl_cnt = cnt;
4067 
4068         if (cnt != tmp)
4069                 hci_prio_recalculate(hdev, LE_LINK);
4070 }
4071 
4072 static void hci_tx_work(struct work_struct *work)
4073 {
4074         struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
4075         struct sk_buff *skb;
4076 
4077         BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
4078                hdev->sco_cnt, hdev->le_cnt);
4079 
4080         if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
4081                 /* Schedule queues and send stuff to HCI driver */
4082                 hci_sched_acl(hdev);
4083                 hci_sched_sco(hdev);
4084                 hci_sched_esco(hdev);
4085                 hci_sched_le(hdev);
4086         }
4087 
4088         /* Send next queued raw (unknown type) packet */
4089         while ((skb = skb_dequeue(&hdev->raw_q)))
4090                 hci_send_frame(hdev, skb);
4091 }
4092 
4093 /* ----- HCI RX task (incoming data processing) ----- */
4094 
4095 /* ACL data packet */
4096 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4097 {
4098         struct hci_acl_hdr *hdr = (void *) skb->data;
4099         struct hci_conn *conn;
4100         __u16 handle, flags;
4101 
4102         skb_pull(skb, HCI_ACL_HDR_SIZE);
4103 
4104         handle = __le16_to_cpu(hdr->handle);
4105         flags  = hci_flags(handle);
4106         handle = hci_handle(handle);
4107 
4108         BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
4109                handle, flags);
4110 
4111         hdev->stat.acl_rx++;
4112 
4113         hci_dev_lock(hdev);
4114         conn = hci_conn_hash_lookup_handle(hdev, handle);
4115         hci_dev_unlock(hdev);
4116 
4117         if (conn) {
4118                 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
4119 
4120                 /* Send to upper protocol */
4121                 l2cap_recv_acldata(conn, skb, flags);
4122                 return;
4123         } else {
4124                 BT_ERR("%s ACL packet for unknown connection handle %d",
4125                        hdev->name, handle);
4126         }
4127 
4128         kfree_skb(skb);
4129 }
4130 
4131 /* SCO data packet */
4132 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4133 {
4134         struct hci_sco_hdr *hdr = (void *) skb->data;
4135         struct hci_conn *conn;
4136         __u16 handle;
4137 
4138         skb_pull(skb, HCI_SCO_HDR_SIZE);
4139 
4140         handle = __le16_to_cpu(hdr->handle);
4141 
4142         BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4143 
4144         hdev->stat.sco_rx++;
4145 
4146         hci_dev_lock(hdev);
4147         conn = hci_conn_hash_lookup_handle(hdev, handle);
4148         hci_dev_unlock(hdev);
4149 
4150         if (conn) {
4151                 /* Send to upper protocol */
4152                 sco_recv_scodata(conn, skb);
4153                 return;
4154         } else {
4155                 BT_ERR("%s SCO packet for unknown connection handle %d",
4156                        hdev->name, handle);
4157         }
4158 
4159         kfree_skb(skb);
4160 }
4161 
4162 static bool hci_req_is_complete(struct hci_dev *hdev)
4163 {
4164         struct sk_buff *skb;
4165 
4166         skb = skb_peek(&hdev->cmd_q);
4167         if (!skb)
4168                 return true;
4169 
4170         return bt_cb(skb)->req.start;
4171 }
4172 
4173 static void hci_resend_last(struct hci_dev *hdev)
4174 {
4175         struct hci_command_hdr *sent;
4176         struct sk_buff *skb;
4177         u16 opcode;
4178 
4179         if (!hdev->sent_cmd)
4180                 return;
4181 
4182         sent = (void *) hdev->sent_cmd->data;
4183         opcode = __le16_to_cpu(sent->opcode);
4184         if (opcode == HCI_OP_RESET)
4185                 return;
4186 
4187         skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4188         if (!skb)
4189                 return;
4190 
4191         skb_queue_head(&hdev->cmd_q, skb);
4192         queue_work(hdev->workqueue, &hdev->cmd_work);
4193 }
4194 
4195 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
4196 {
4197         hci_req_complete_t req_complete = NULL;
4198         struct sk_buff *skb;
4199         unsigned long flags;
4200 
4201         BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4202 
4203         /* If the completed command doesn't match the last one that was
4204          * sent we need to do special handling of it.
4205          */
4206         if (!hci_sent_cmd_data(hdev, opcode)) {
4207                 /* Some CSR based controllers generate a spontaneous
4208                  * reset complete event during init and any pending
4209                  * command will never be completed. In such a case we
4210                  * need to resend whatever was the last sent
4211                  * command.
4212                  */
4213                 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4214                         hci_resend_last(hdev);
4215 
4216                 return;
4217         }
4218 
4219         /* If the command succeeded and there's still more commands in
4220          * this request the request is not yet complete.
4221          */
4222         if (!status && !hci_req_is_complete(hdev))
4223                 return;
4224 
4225         /* If this was the last command in a request the complete
4226          * callback would be found in hdev->sent_cmd instead of the
4227          * command queue (hdev->cmd_q).
4228          */
4229         if (hdev->sent_cmd) {
4230                 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
4231 
4232                 if (req_complete) {
4233                         /* We must set the complete callback to NULL to
4234                          * avoid calling the callback more than once if
4235                          * this function gets called again.
4236                          */
4237                         bt_cb(hdev->sent_cmd)->req.complete = NULL;
4238 
4239                         goto call_complete;
4240                 }
4241         }
4242 
4243         /* Remove all pending commands belonging to this request */
4244         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4245         while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4246                 if (bt_cb(skb)->req.start) {
4247                         __skb_queue_head(&hdev->cmd_q, skb);
4248                         break;
4249                 }
4250 
4251                 req_complete = bt_cb(skb)->req.complete;
4252                 kfree_skb(skb);
4253         }
4254         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4255 
4256 call_complete:
4257         if (req_complete)
4258                 req_complete(hdev, status);
4259 }
4260 
4261 static void hci_rx_work(struct work_struct *work)
4262 {
4263         struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4264         struct sk_buff *skb;
4265 
4266         BT_DBG("%s", hdev->name);
4267 
4268         while ((skb = skb_dequeue(&hdev->rx_q))) {
4269                 /* Send copy to monitor */
4270                 hci_send_to_monitor(hdev, skb);
4271 
4272                 if (atomic_read(&hdev->promisc)) {
4273                         /* Send copy to the sockets */
4274                         hci_send_to_sock(hdev, skb);
4275                 }
4276 
4277                 if (test_bit(HCI_RAW, &hdev->flags) ||
4278                     test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
4279                         kfree_skb(skb);
4280                         continue;
4281                 }
4282 
4283                 if (test_bit(HCI_INIT, &hdev->flags)) {
4284                         /* Don't process data packets in this states. */
4285                         switch (bt_cb(skb)->pkt_type) {
4286                         case HCI_ACLDATA_PKT:
4287                         case HCI_SCODATA_PKT:
4288                                 kfree_skb(skb);
4289                                 continue;
4290                         }
4291                 }
4292 
4293                 /* Process frame */
4294                 switch (bt_cb(skb)->pkt_type) {
4295                 case HCI_EVENT_PKT:
4296                         BT_DBG("%s Event packet", hdev->name);
4297                         hci_event_packet(hdev, skb);
4298                         break;
4299 
4300                 case HCI_ACLDATA_PKT:
4301                         BT_DBG("%s ACL data packet", hdev->name);
4302                         hci_acldata_packet(hdev, skb);
4303                         break;
4304 
4305                 case HCI_SCODATA_PKT:
4306                         BT_DBG("%s SCO data packet", hdev->name);
4307                         hci_scodata_packet(hdev, skb);
4308                         break;
4309 
4310                 default:
4311                         kfree_skb(skb);
4312                         break;
4313                 }
4314         }
4315 }
4316 
4317 static void hci_cmd_work(struct work_struct *work)
4318 {
4319         struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4320         struct sk_buff *skb;
4321 
4322         BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4323                atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4324 
4325         /* Send queued commands */
4326         if (atomic_read(&hdev->cmd_cnt)) {
4327                 skb = skb_dequeue(&hdev->cmd_q);
4328                 if (!skb)
4329                         return;
4330 
4331                 kfree_skb(hdev->sent_cmd);
4332 
4333                 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4334                 if (hdev->sent_cmd) {
4335                         atomic_dec(&hdev->cmd_cnt);
4336                         hci_send_frame(hdev, skb);
4337                         if (test_bit(HCI_RESET, &hdev->flags))
4338                                 del_timer(&hdev->cmd_timer);
4339                         else
4340                                 mod_timer(&hdev->cmd_timer,
4341                                           jiffies + HCI_CMD_TIMEOUT);
4342                 } else {
4343                         skb_queue_head(&hdev->cmd_q, skb);
4344                         queue_work(hdev->workqueue, &hdev->cmd_work);
4345                 }
4346         }
4347 }
4348 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp