2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI core. */
28 #include <linux/export.h>
29 #include <linux/idr.h>
30 #include <linux/rfkill.h>
31 #include <linux/debugfs.h>
32 #include <linux/crypto.h>
33 #include <asm/unaligned.h>
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
37 #include <net/bluetooth/l2cap.h>
38 #include <net/bluetooth/mgmt.h>
40 #include "hci_request.h"
41 #include "hci_debugfs.h"
45 static void hci_rx_work(struct work_struct *work);
46 static void hci_cmd_work(struct work_struct *work);
47 static void hci_tx_work(struct work_struct *work);
50 LIST_HEAD(hci_dev_list);
51 DEFINE_RWLOCK(hci_dev_list_lock);
53 /* HCI callback list */
54 LIST_HEAD(hci_cb_list);
55 DEFINE_MUTEX(hci_cb_list_lock);
57 /* HCI ID Numbering */
58 static DEFINE_IDA(hci_index_ida);
60 /* ---- HCI debugfs entries ---- */
62 static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
63 size_t count, loff_t *ppos)
65 struct hci_dev *hdev = file->private_data;
68 buf[0] = hci_dev_test_flag(hdev, HCI_DUT_MODE) ? 'Y' : 'N';
71 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
74 static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
75 size_t count, loff_t *ppos)
77 struct hci_dev *hdev = file->private_data;
80 size_t buf_size = min(count, (sizeof(buf)-1));
83 if (!test_bit(HCI_UP, &hdev->flags))
86 if (copy_from_user(buf, user_buf, buf_size))
90 if (strtobool(buf, &enable))
93 if (enable == hci_dev_test_flag(hdev, HCI_DUT_MODE))
96 hci_req_sync_lock(hdev);
98 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
101 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
103 hci_req_sync_unlock(hdev);
110 hci_dev_change_flag(hdev, HCI_DUT_MODE);
115 static const struct file_operations dut_mode_fops = {
117 .read = dut_mode_read,
118 .write = dut_mode_write,
119 .llseek = default_llseek,
122 static ssize_t vendor_diag_read(struct file *file, char __user *user_buf,
123 size_t count, loff_t *ppos)
125 struct hci_dev *hdev = file->private_data;
128 buf[0] = hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) ? 'Y' : 'N';
131 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
134 static ssize_t vendor_diag_write(struct file *file, const char __user *user_buf,
135 size_t count, loff_t *ppos)
137 struct hci_dev *hdev = file->private_data;
139 size_t buf_size = min(count, (sizeof(buf)-1));
143 if (copy_from_user(buf, user_buf, buf_size))
146 buf[buf_size] = '\0';
147 if (strtobool(buf, &enable))
150 /* When the diagnostic flags are not persistent and the transport
151 * is not active, then there is no need for the vendor callback.
153 * Instead just store the desired value. If needed the setting
154 * will be programmed when the controller gets powered on.
156 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
157 !test_bit(HCI_RUNNING, &hdev->flags))
160 hci_req_sync_lock(hdev);
161 err = hdev->set_diag(hdev, enable);
162 hci_req_sync_unlock(hdev);
169 hci_dev_set_flag(hdev, HCI_VENDOR_DIAG);
171 hci_dev_clear_flag(hdev, HCI_VENDOR_DIAG);
176 static const struct file_operations vendor_diag_fops = {
178 .read = vendor_diag_read,
179 .write = vendor_diag_write,
180 .llseek = default_llseek,
183 static void hci_debugfs_create_basic(struct hci_dev *hdev)
185 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
189 debugfs_create_file("vendor_diag", 0644, hdev->debugfs, hdev,
193 static int hci_reset_req(struct hci_request *req, unsigned long opt)
195 BT_DBG("%s %ld", req->hdev->name, opt);
198 set_bit(HCI_RESET, &req->hdev->flags);
199 hci_req_add(req, HCI_OP_RESET, 0, NULL);
203 static void bredr_init(struct hci_request *req)
205 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
207 /* Read Local Supported Features */
208 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
210 /* Read Local Version */
211 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
213 /* Read BD Address */
214 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
217 static void amp_init1(struct hci_request *req)
219 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
221 /* Read Local Version */
222 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
224 /* Read Local Supported Commands */
225 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
227 /* Read Local AMP Info */
228 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
230 /* Read Data Blk size */
231 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
233 /* Read Flow Control Mode */
234 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
236 /* Read Location Data */
237 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
240 static int amp_init2(struct hci_request *req)
242 /* Read Local Supported Features. Not all AMP controllers
243 * support this so it's placed conditionally in the second
246 if (req->hdev->commands[14] & 0x20)
247 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
252 static int hci_init1_req(struct hci_request *req, unsigned long opt)
254 struct hci_dev *hdev = req->hdev;
256 BT_DBG("%s %ld", hdev->name, opt);
259 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
260 hci_reset_req(req, 0);
262 switch (hdev->dev_type) {
272 BT_ERR("Unknown device type %d", hdev->dev_type);
279 static void bredr_setup(struct hci_request *req)
284 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
285 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
287 /* Read Class of Device */
288 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
290 /* Read Local Name */
291 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
293 /* Read Voice Setting */
294 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
296 /* Read Number of Supported IAC */
297 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
299 /* Read Current IAC LAP */
300 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
302 /* Clear Event Filters */
303 flt_type = HCI_FLT_CLEAR_ALL;
304 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
306 /* Connection accept timeout ~20 secs */
307 param = cpu_to_le16(0x7d00);
308 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
311 static void le_setup(struct hci_request *req)
313 struct hci_dev *hdev = req->hdev;
315 /* Read LE Buffer Size */
316 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
318 /* Read LE Local Supported Features */
319 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
321 /* Read LE Supported States */
322 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
324 /* LE-only controllers have LE implicitly enabled */
325 if (!lmp_bredr_capable(hdev))
326 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
329 static void hci_setup_event_mask(struct hci_request *req)
331 struct hci_dev *hdev = req->hdev;
333 /* The second byte is 0xff instead of 0x9f (two reserved bits
334 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
337 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
339 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
340 * any event mask for pre 1.2 devices.
342 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
345 if (lmp_bredr_capable(hdev)) {
346 events[4] |= 0x01; /* Flow Specification Complete */
348 /* Use a different default for LE-only devices */
349 memset(events, 0, sizeof(events));
350 events[1] |= 0x20; /* Command Complete */
351 events[1] |= 0x40; /* Command Status */
352 events[1] |= 0x80; /* Hardware Error */
354 /* If the controller supports the Disconnect command, enable
355 * the corresponding event. In addition enable packet flow
356 * control related events.
358 if (hdev->commands[0] & 0x20) {
359 events[0] |= 0x10; /* Disconnection Complete */
360 events[2] |= 0x04; /* Number of Completed Packets */
361 events[3] |= 0x02; /* Data Buffer Overflow */
364 /* If the controller supports the Read Remote Version
365 * Information command, enable the corresponding event.
367 if (hdev->commands[2] & 0x80)
368 events[1] |= 0x08; /* Read Remote Version Information
372 if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
373 events[0] |= 0x80; /* Encryption Change */
374 events[5] |= 0x80; /* Encryption Key Refresh Complete */
378 if (lmp_inq_rssi_capable(hdev) ||
379 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks))
380 events[4] |= 0x02; /* Inquiry Result with RSSI */
382 if (lmp_ext_feat_capable(hdev))
383 events[4] |= 0x04; /* Read Remote Extended Features Complete */
385 if (lmp_esco_capable(hdev)) {
386 events[5] |= 0x08; /* Synchronous Connection Complete */
387 events[5] |= 0x10; /* Synchronous Connection Changed */
390 if (lmp_sniffsubr_capable(hdev))
391 events[5] |= 0x20; /* Sniff Subrating */
393 if (lmp_pause_enc_capable(hdev))
394 events[5] |= 0x80; /* Encryption Key Refresh Complete */
396 if (lmp_ext_inq_capable(hdev))
397 events[5] |= 0x40; /* Extended Inquiry Result */
399 if (lmp_no_flush_capable(hdev))
400 events[7] |= 0x01; /* Enhanced Flush Complete */
402 if (lmp_lsto_capable(hdev))
403 events[6] |= 0x80; /* Link Supervision Timeout Changed */
405 if (lmp_ssp_capable(hdev)) {
406 events[6] |= 0x01; /* IO Capability Request */
407 events[6] |= 0x02; /* IO Capability Response */
408 events[6] |= 0x04; /* User Confirmation Request */
409 events[6] |= 0x08; /* User Passkey Request */
410 events[6] |= 0x10; /* Remote OOB Data Request */
411 events[6] |= 0x20; /* Simple Pairing Complete */
412 events[7] |= 0x04; /* User Passkey Notification */
413 events[7] |= 0x08; /* Keypress Notification */
414 events[7] |= 0x10; /* Remote Host Supported
415 * Features Notification
419 if (lmp_le_capable(hdev))
420 events[7] |= 0x20; /* LE Meta-Event */
422 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
425 static int hci_init2_req(struct hci_request *req, unsigned long opt)
427 struct hci_dev *hdev = req->hdev;
429 if (hdev->dev_type == HCI_AMP)
430 return amp_init2(req);
432 if (lmp_bredr_capable(hdev))
435 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
437 if (lmp_le_capable(hdev))
440 /* All Bluetooth 1.2 and later controllers should support the
441 * HCI command for reading the local supported commands.
443 * Unfortunately some controllers indicate Bluetooth 1.2 support,
444 * but do not have support for this command. If that is the case,
445 * the driver can quirk the behavior and skip reading the local
446 * supported commands.
448 if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
449 !test_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks))
450 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
452 if (lmp_ssp_capable(hdev)) {
453 /* When SSP is available, then the host features page
454 * should also be available as well. However some
455 * controllers list the max_page as 0 as long as SSP
456 * has not been enabled. To achieve proper debugging
457 * output, force the minimum max_page to 1 at least.
459 hdev->max_page = 0x01;
461 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
464 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
465 sizeof(mode), &mode);
467 struct hci_cp_write_eir cp;
469 memset(hdev->eir, 0, sizeof(hdev->eir));
470 memset(&cp, 0, sizeof(cp));
472 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
476 if (lmp_inq_rssi_capable(hdev) ||
477 test_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks)) {
480 /* If Extended Inquiry Result events are supported, then
481 * they are clearly preferred over Inquiry Result with RSSI
484 mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
486 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
489 if (lmp_inq_tx_pwr_capable(hdev))
490 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
492 if (lmp_ext_feat_capable(hdev)) {
493 struct hci_cp_read_local_ext_features cp;
496 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
500 if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
502 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
509 static void hci_setup_link_policy(struct hci_request *req)
511 struct hci_dev *hdev = req->hdev;
512 struct hci_cp_write_def_link_policy cp;
515 if (lmp_rswitch_capable(hdev))
516 link_policy |= HCI_LP_RSWITCH;
517 if (lmp_hold_capable(hdev))
518 link_policy |= HCI_LP_HOLD;
519 if (lmp_sniff_capable(hdev))
520 link_policy |= HCI_LP_SNIFF;
521 if (lmp_park_capable(hdev))
522 link_policy |= HCI_LP_PARK;
524 cp.policy = cpu_to_le16(link_policy);
525 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
528 static void hci_set_le_support(struct hci_request *req)
530 struct hci_dev *hdev = req->hdev;
531 struct hci_cp_write_le_host_supported cp;
533 /* LE-only devices do not support explicit enablement */
534 if (!lmp_bredr_capable(hdev))
537 memset(&cp, 0, sizeof(cp));
539 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
544 if (cp.le != lmp_host_le_capable(hdev))
545 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
549 static void hci_set_event_mask_page_2(struct hci_request *req)
551 struct hci_dev *hdev = req->hdev;
552 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
554 /* If Connectionless Slave Broadcast master role is supported
555 * enable all necessary events for it.
557 if (lmp_csb_master_capable(hdev)) {
558 events[1] |= 0x40; /* Triggered Clock Capture */
559 events[1] |= 0x80; /* Synchronization Train Complete */
560 events[2] |= 0x10; /* Slave Page Response Timeout */
561 events[2] |= 0x20; /* CSB Channel Map Change */
564 /* If Connectionless Slave Broadcast slave role is supported
565 * enable all necessary events for it.
567 if (lmp_csb_slave_capable(hdev)) {
568 events[2] |= 0x01; /* Synchronization Train Received */
569 events[2] |= 0x02; /* CSB Receive */
570 events[2] |= 0x04; /* CSB Timeout */
571 events[2] |= 0x08; /* Truncated Page Complete */
574 /* Enable Authenticated Payload Timeout Expired event if supported */
575 if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
578 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
581 static int hci_init3_req(struct hci_request *req, unsigned long opt)
583 struct hci_dev *hdev = req->hdev;
586 hci_setup_event_mask(req);
588 if (hdev->commands[6] & 0x20 &&
589 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
590 struct hci_cp_read_stored_link_key cp;
592 bacpy(&cp.bdaddr, BDADDR_ANY);
594 hci_req_add(req, HCI_OP_READ_STORED_LINK_KEY, sizeof(cp), &cp);
597 if (hdev->commands[5] & 0x10)
598 hci_setup_link_policy(req);
600 if (hdev->commands[8] & 0x01)
601 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
603 /* Some older Broadcom based Bluetooth 1.2 controllers do not
604 * support the Read Page Scan Type command. Check support for
605 * this command in the bit mask of supported commands.
607 if (hdev->commands[13] & 0x01)
608 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
610 if (lmp_le_capable(hdev)) {
613 memset(events, 0, sizeof(events));
615 if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
616 events[0] |= 0x10; /* LE Long Term Key Request */
618 /* If controller supports the Connection Parameters Request
619 * Link Layer Procedure, enable the corresponding event.
621 if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
622 events[0] |= 0x20; /* LE Remote Connection
626 /* If the controller supports the Data Length Extension
627 * feature, enable the corresponding event.
629 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
630 events[0] |= 0x40; /* LE Data Length Change */
632 /* If the controller supports Extended Scanner Filter
633 * Policies, enable the correspondig event.
635 if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
636 events[1] |= 0x04; /* LE Direct Advertising
640 /* If the controller supports the LE Set Scan Enable command,
641 * enable the corresponding advertising report event.
643 if (hdev->commands[26] & 0x08)
644 events[0] |= 0x02; /* LE Advertising Report */
646 /* If the controller supports the LE Create Connection
647 * command, enable the corresponding event.
649 if (hdev->commands[26] & 0x10)
650 events[0] |= 0x01; /* LE Connection Complete */
652 /* If the controller supports the LE Connection Update
653 * command, enable the corresponding event.
655 if (hdev->commands[27] & 0x04)
656 events[0] |= 0x04; /* LE Connection Update
660 /* If the controller supports the LE Read Remote Used Features
661 * command, enable the corresponding event.
663 if (hdev->commands[27] & 0x20)
664 events[0] |= 0x08; /* LE Read Remote Used
668 /* If the controller supports the LE Read Local P-256
669 * Public Key command, enable the corresponding event.
671 if (hdev->commands[34] & 0x02)
672 events[0] |= 0x80; /* LE Read Local P-256
673 * Public Key Complete
676 /* If the controller supports the LE Generate DHKey
677 * command, enable the corresponding event.
679 if (hdev->commands[34] & 0x04)
680 events[1] |= 0x01; /* LE Generate DHKey Complete */
682 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK, sizeof(events),
685 if (hdev->commands[25] & 0x40) {
686 /* Read LE Advertising Channel TX Power */
687 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
690 if (hdev->commands[26] & 0x40) {
691 /* Read LE White List Size */
692 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE,
696 if (hdev->commands[26] & 0x80) {
697 /* Clear LE White List */
698 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
701 if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT) {
702 /* Read LE Maximum Data Length */
703 hci_req_add(req, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL);
705 /* Read LE Suggested Default Data Length */
706 hci_req_add(req, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL);
709 hci_set_le_support(req);
712 /* Read features beyond page 1 if available */
713 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
714 struct hci_cp_read_local_ext_features cp;
717 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
724 static int hci_init4_req(struct hci_request *req, unsigned long opt)
726 struct hci_dev *hdev = req->hdev;
728 /* Some Broadcom based Bluetooth controllers do not support the
729 * Delete Stored Link Key command. They are clearly indicating its
730 * absence in the bit mask of supported commands.
732 * Check the supported commands and only if the the command is marked
733 * as supported send it. If not supported assume that the controller
734 * does not have actual support for stored link keys which makes this
735 * command redundant anyway.
737 * Some controllers indicate that they support handling deleting
738 * stored link keys, but they don't. The quirk lets a driver
739 * just disable this command.
741 if (hdev->commands[6] & 0x80 &&
742 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
743 struct hci_cp_delete_stored_link_key cp;
745 bacpy(&cp.bdaddr, BDADDR_ANY);
746 cp.delete_all = 0x01;
747 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
751 /* Set event mask page 2 if the HCI command for it is supported */
752 if (hdev->commands[22] & 0x04)
753 hci_set_event_mask_page_2(req);
755 /* Read local codec list if the HCI command is supported */
756 if (hdev->commands[29] & 0x20)
757 hci_req_add(req, HCI_OP_READ_LOCAL_CODECS, 0, NULL);
759 /* Get MWS transport configuration if the HCI command is supported */
760 if (hdev->commands[30] & 0x08)
761 hci_req_add(req, HCI_OP_GET_MWS_TRANSPORT_CONFIG, 0, NULL);
763 /* Check for Synchronization Train support */
764 if (lmp_sync_train_capable(hdev))
765 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
767 /* Enable Secure Connections if supported and configured */
768 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED) &&
769 bredr_sc_enabled(hdev)) {
772 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
773 sizeof(support), &support);
779 static int __hci_init(struct hci_dev *hdev)
783 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT, NULL);
787 if (hci_dev_test_flag(hdev, HCI_SETUP))
788 hci_debugfs_create_basic(hdev);
790 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT, NULL);
794 /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
795 * BR/EDR/LE type controllers. AMP controllers only need the
796 * first two stages of init.
798 if (hdev->dev_type != HCI_BREDR)
801 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT, NULL);
805 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT, NULL);
809 /* This function is only called when the controller is actually in
810 * configured state. When the controller is marked as unconfigured,
811 * this initialization procedure is not run.
813 * It means that it is possible that a controller runs through its
814 * setup phase and then discovers missing settings. If that is the
815 * case, then this function will not be called. It then will only
816 * be called during the config phase.
818 * So only when in setup phase or config phase, create the debugfs
819 * entries and register the SMP channels.
821 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
822 !hci_dev_test_flag(hdev, HCI_CONFIG))
825 hci_debugfs_create_common(hdev);
827 if (lmp_bredr_capable(hdev))
828 hci_debugfs_create_bredr(hdev);
830 if (lmp_le_capable(hdev))
831 hci_debugfs_create_le(hdev);
836 static int hci_init0_req(struct hci_request *req, unsigned long opt)
838 struct hci_dev *hdev = req->hdev;
840 BT_DBG("%s %ld", hdev->name, opt);
843 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
844 hci_reset_req(req, 0);
846 /* Read Local Version */
847 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
849 /* Read BD Address */
850 if (hdev->set_bdaddr)
851 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
856 static int __hci_unconf_init(struct hci_dev *hdev)
860 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
863 err = __hci_req_sync(hdev, hci_init0_req, 0, HCI_INIT_TIMEOUT, NULL);
867 if (hci_dev_test_flag(hdev, HCI_SETUP))
868 hci_debugfs_create_basic(hdev);
873 static int hci_scan_req(struct hci_request *req, unsigned long opt)
877 BT_DBG("%s %x", req->hdev->name, scan);
879 /* Inquiry and Page scans */
880 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
884 static int hci_auth_req(struct hci_request *req, unsigned long opt)
888 BT_DBG("%s %x", req->hdev->name, auth);
891 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
895 static int hci_encrypt_req(struct hci_request *req, unsigned long opt)
899 BT_DBG("%s %x", req->hdev->name, encrypt);
902 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
906 static int hci_linkpol_req(struct hci_request *req, unsigned long opt)
908 __le16 policy = cpu_to_le16(opt);
910 BT_DBG("%s %x", req->hdev->name, policy);
912 /* Default link policy */
913 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
917 /* Get HCI device by index.
918 * Device is held on return. */
919 struct hci_dev *hci_dev_get(int index)
921 struct hci_dev *hdev = NULL, *d;
928 read_lock(&hci_dev_list_lock);
929 list_for_each_entry(d, &hci_dev_list, list) {
930 if (d->id == index) {
931 hdev = hci_dev_hold(d);
935 read_unlock(&hci_dev_list_lock);
939 /* ---- Inquiry support ---- */
941 bool hci_discovery_active(struct hci_dev *hdev)
943 struct discovery_state *discov = &hdev->discovery;
945 switch (discov->state) {
946 case DISCOVERY_FINDING:
947 case DISCOVERY_RESOLVING:
955 void hci_discovery_set_state(struct hci_dev *hdev, int state)
957 int old_state = hdev->discovery.state;
959 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
961 if (old_state == state)
964 hdev->discovery.state = state;
967 case DISCOVERY_STOPPED:
968 hci_update_background_scan(hdev);
970 if (old_state != DISCOVERY_STARTING)
971 mgmt_discovering(hdev, 0);
973 case DISCOVERY_STARTING:
975 case DISCOVERY_FINDING:
976 mgmt_discovering(hdev, 1);
978 case DISCOVERY_RESOLVING:
980 case DISCOVERY_STOPPING:
985 void hci_inquiry_cache_flush(struct hci_dev *hdev)
987 struct discovery_state *cache = &hdev->discovery;
988 struct inquiry_entry *p, *n;
990 list_for_each_entry_safe(p, n, &cache->all, all) {
995 INIT_LIST_HEAD(&cache->unknown);
996 INIT_LIST_HEAD(&cache->resolve);
999 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1002 struct discovery_state *cache = &hdev->discovery;
1003 struct inquiry_entry *e;
1005 BT_DBG("cache %p, %pMR", cache, bdaddr);
1007 list_for_each_entry(e, &cache->all, all) {
1008 if (!bacmp(&e->data.bdaddr, bdaddr))
1015 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1018 struct discovery_state *cache = &hdev->discovery;
1019 struct inquiry_entry *e;
1021 BT_DBG("cache %p, %pMR", cache, bdaddr);
1023 list_for_each_entry(e, &cache->unknown, list) {
1024 if (!bacmp(&e->data.bdaddr, bdaddr))
1031 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1035 struct discovery_state *cache = &hdev->discovery;
1036 struct inquiry_entry *e;
1038 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1040 list_for_each_entry(e, &cache->resolve, list) {
1041 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1043 if (!bacmp(&e->data.bdaddr, bdaddr))
1050 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1051 struct inquiry_entry *ie)
1053 struct discovery_state *cache = &hdev->discovery;
1054 struct list_head *pos = &cache->resolve;
1055 struct inquiry_entry *p;
1057 list_del(&ie->list);
1059 list_for_each_entry(p, &cache->resolve, list) {
1060 if (p->name_state != NAME_PENDING &&
1061 abs(p->data.rssi) >= abs(ie->data.rssi))
1066 list_add(&ie->list, pos);
1069 u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1072 struct discovery_state *cache = &hdev->discovery;
1073 struct inquiry_entry *ie;
1076 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1078 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
1080 if (!data->ssp_mode)
1081 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1083 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1085 if (!ie->data.ssp_mode)
1086 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
1088 if (ie->name_state == NAME_NEEDED &&
1089 data->rssi != ie->data.rssi) {
1090 ie->data.rssi = data->rssi;
1091 hci_inquiry_cache_update_resolve(hdev, ie);
1097 /* Entry not in the cache. Add new one. */
1098 ie = kzalloc(sizeof(*ie), GFP_KERNEL);
1100 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1104 list_add(&ie->all, &cache->all);
1107 ie->name_state = NAME_KNOWN;
1109 ie->name_state = NAME_NOT_KNOWN;
1110 list_add(&ie->list, &cache->unknown);
1114 if (name_known && ie->name_state != NAME_KNOWN &&
1115 ie->name_state != NAME_PENDING) {
1116 ie->name_state = NAME_KNOWN;
1117 list_del(&ie->list);
1120 memcpy(&ie->data, data, sizeof(*data));
1121 ie->timestamp = jiffies;
1122 cache->timestamp = jiffies;
1124 if (ie->name_state == NAME_NOT_KNOWN)
1125 flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
1131 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1133 struct discovery_state *cache = &hdev->discovery;
1134 struct inquiry_info *info = (struct inquiry_info *) buf;
1135 struct inquiry_entry *e;
1138 list_for_each_entry(e, &cache->all, all) {
1139 struct inquiry_data *data = &e->data;
1144 bacpy(&info->bdaddr, &data->bdaddr);
1145 info->pscan_rep_mode = data->pscan_rep_mode;
1146 info->pscan_period_mode = data->pscan_period_mode;
1147 info->pscan_mode = data->pscan_mode;
1148 memcpy(info->dev_class, data->dev_class, 3);
1149 info->clock_offset = data->clock_offset;
1155 BT_DBG("cache %p, copied %d", cache, copied);
1159 static int hci_inq_req(struct hci_request *req, unsigned long opt)
1161 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1162 struct hci_dev *hdev = req->hdev;
1163 struct hci_cp_inquiry cp;
1165 BT_DBG("%s", hdev->name);
1167 if (test_bit(HCI_INQUIRY, &hdev->flags))
1171 memcpy(&cp.lap, &ir->lap, 3);
1172 cp.length = ir->length;
1173 cp.num_rsp = ir->num_rsp;
1174 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1179 int hci_inquiry(void __user *arg)
1181 __u8 __user *ptr = arg;
1182 struct hci_inquiry_req ir;
1183 struct hci_dev *hdev;
1184 int err = 0, do_inquiry = 0, max_rsp;
1188 if (copy_from_user(&ir, ptr, sizeof(ir)))
1191 hdev = hci_dev_get(ir.dev_id);
1195 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1200 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1205 if (hdev->dev_type != HCI_BREDR) {
1210 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1216 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1217 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1218 hci_inquiry_cache_flush(hdev);
1221 hci_dev_unlock(hdev);
1223 timeo = ir.length * msecs_to_jiffies(2000);
1226 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1231 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1232 * cleared). If it is interrupted by a signal, return -EINTR.
1234 if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
1235 TASK_INTERRUPTIBLE))
1239 /* for unlimited number of responses we will use buffer with
1242 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1244 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1245 * copy it to the user space.
1247 buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1254 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1255 hci_dev_unlock(hdev);
1257 BT_DBG("num_rsp %d", ir.num_rsp);
1259 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1261 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1274 static int hci_dev_do_open(struct hci_dev *hdev)
1278 BT_DBG("%s %p", hdev->name, hdev);
1280 hci_req_sync_lock(hdev);
1282 if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
1287 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1288 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
1289 /* Check for rfkill but allow the HCI setup stage to
1290 * proceed (which in itself doesn't cause any RF activity).
1292 if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
1297 /* Check for valid public address or a configured static
1298 * random adddress, but let the HCI setup proceed to
1299 * be able to determine if there is a public address
1302 * In case of user channel usage, it is not important
1303 * if a public address or static random address is
1306 * This check is only valid for BR/EDR controllers
1307 * since AMP controllers do not have an address.
1309 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1310 hdev->dev_type == HCI_BREDR &&
1311 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1312 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1313 ret = -EADDRNOTAVAIL;
1318 if (test_bit(HCI_UP, &hdev->flags)) {
1323 if (hdev->open(hdev)) {
1328 set_bit(HCI_RUNNING, &hdev->flags);
1329 hci_sock_dev_event(hdev, HCI_DEV_OPEN);
1331 atomic_set(&hdev->cmd_cnt, 1);
1332 set_bit(HCI_INIT, &hdev->flags);
1334 if (hci_dev_test_flag(hdev, HCI_SETUP)) {
1335 hci_sock_dev_event(hdev, HCI_DEV_SETUP);
1338 ret = hdev->setup(hdev);
1340 /* The transport driver can set these quirks before
1341 * creating the HCI device or in its setup callback.
1343 * In case any of them is set, the controller has to
1344 * start up as unconfigured.
1346 if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
1347 test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks))
1348 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
1350 /* For an unconfigured controller it is required to
1351 * read at least the version information provided by
1352 * the Read Local Version Information command.
1354 * If the set_bdaddr driver callback is provided, then
1355 * also the original Bluetooth public device address
1356 * will be read using the Read BD Address command.
1358 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1359 ret = __hci_unconf_init(hdev);
1362 if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
1363 /* If public address change is configured, ensure that
1364 * the address gets programmed. If the driver does not
1365 * support changing the public address, fail the power
1368 if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
1370 ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
1372 ret = -EADDRNOTAVAIL;
1376 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1377 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1378 ret = __hci_init(hdev);
1379 if (!ret && hdev->post_init)
1380 ret = hdev->post_init(hdev);
1384 /* If the HCI Reset command is clearing all diagnostic settings,
1385 * then they need to be reprogrammed after the init procedure
1388 if (test_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks) &&
1389 hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
1390 ret = hdev->set_diag(hdev, true);
1392 clear_bit(HCI_INIT, &hdev->flags);
1396 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1397 set_bit(HCI_UP, &hdev->flags);
1398 hci_sock_dev_event(hdev, HCI_DEV_UP);
1399 hci_leds_update_powered(hdev, true);
1400 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
1401 !hci_dev_test_flag(hdev, HCI_CONFIG) &&
1402 !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1403 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1404 hci_dev_test_flag(hdev, HCI_MGMT) &&
1405 hdev->dev_type == HCI_BREDR) {
1406 ret = __hci_req_hci_power_on(hdev);
1407 mgmt_power_on(hdev, ret);
1410 /* Init failed, cleanup */
1411 flush_work(&hdev->tx_work);
1412 flush_work(&hdev->cmd_work);
1413 flush_work(&hdev->rx_work);
1415 skb_queue_purge(&hdev->cmd_q);
1416 skb_queue_purge(&hdev->rx_q);
1421 if (hdev->sent_cmd) {
1422 kfree_skb(hdev->sent_cmd);
1423 hdev->sent_cmd = NULL;
1426 clear_bit(HCI_RUNNING, &hdev->flags);
1427 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1430 hdev->flags &= BIT(HCI_RAW);
1434 hci_req_sync_unlock(hdev);
1438 /* ---- HCI ioctl helpers ---- */
1440 int hci_dev_open(__u16 dev)
1442 struct hci_dev *hdev;
1445 hdev = hci_dev_get(dev);
1449 /* Devices that are marked as unconfigured can only be powered
1450 * up as user channel. Trying to bring them up as normal devices
1451 * will result into a failure. Only user channel operation is
1454 * When this function is called for a user channel, the flag
1455 * HCI_USER_CHANNEL will be set first before attempting to
1458 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
1459 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1464 /* We need to ensure that no other power on/off work is pending
1465 * before proceeding to call hci_dev_do_open. This is
1466 * particularly important if the setup procedure has not yet
1469 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1470 cancel_delayed_work(&hdev->power_off);
1472 /* After this call it is guaranteed that the setup procedure
1473 * has finished. This means that error conditions like RFKILL
1474 * or no valid public or static random address apply.
1476 flush_workqueue(hdev->req_workqueue);
1478 /* For controllers not using the management interface and that
1479 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
1480 * so that pairing works for them. Once the management interface
1481 * is in use this bit will be cleared again and userspace has
1482 * to explicitly enable it.
1484 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1485 !hci_dev_test_flag(hdev, HCI_MGMT))
1486 hci_dev_set_flag(hdev, HCI_BONDABLE);
1488 err = hci_dev_do_open(hdev);
1495 /* This function requires the caller holds hdev->lock */
1496 static void hci_pend_le_actions_clear(struct hci_dev *hdev)
1498 struct hci_conn_params *p;
1500 list_for_each_entry(p, &hdev->le_conn_params, list) {
1502 hci_conn_drop(p->conn);
1503 hci_conn_put(p->conn);
1506 list_del_init(&p->action);
1509 BT_DBG("All LE pending actions cleared");
1512 int hci_dev_do_close(struct hci_dev *hdev)
1516 BT_DBG("%s %p", hdev->name, hdev);
1518 if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
1519 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
1520 test_bit(HCI_UP, &hdev->flags)) {
1521 /* Execute vendor specific shutdown routine */
1523 hdev->shutdown(hdev);
1526 cancel_delayed_work(&hdev->power_off);
1528 hci_request_cancel_all(hdev);
1529 hci_req_sync_lock(hdev);
1531 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1532 cancel_delayed_work_sync(&hdev->cmd_timer);
1533 hci_req_sync_unlock(hdev);
1537 hci_leds_update_powered(hdev, false);
1539 /* Flush RX and TX works */
1540 flush_work(&hdev->tx_work);
1541 flush_work(&hdev->rx_work);
1543 if (hdev->discov_timeout > 0) {
1544 hdev->discov_timeout = 0;
1545 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1546 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1549 if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1550 cancel_delayed_work(&hdev->service_cache);
1552 if (hci_dev_test_flag(hdev, HCI_MGMT))
1553 cancel_delayed_work_sync(&hdev->rpa_expired);
1555 /* Avoid potential lockdep warnings from the *_flush() calls by
1556 * ensuring the workqueue is empty up front.
1558 drain_workqueue(hdev->workqueue);
1562 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1564 auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
1566 if (!auto_off && hdev->dev_type == HCI_BREDR &&
1567 hci_dev_test_flag(hdev, HCI_MGMT))
1568 __mgmt_power_off(hdev);
1570 hci_inquiry_cache_flush(hdev);
1571 hci_pend_le_actions_clear(hdev);
1572 hci_conn_hash_flush(hdev);
1573 hci_dev_unlock(hdev);
1575 smp_unregister(hdev);
1577 hci_sock_dev_event(hdev, HCI_DEV_DOWN);
1583 skb_queue_purge(&hdev->cmd_q);
1584 atomic_set(&hdev->cmd_cnt, 1);
1585 if (test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks) &&
1586 !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1587 set_bit(HCI_INIT, &hdev->flags);
1588 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT, NULL);
1589 clear_bit(HCI_INIT, &hdev->flags);
1592 /* flush cmd work */
1593 flush_work(&hdev->cmd_work);
1596 skb_queue_purge(&hdev->rx_q);
1597 skb_queue_purge(&hdev->cmd_q);
1598 skb_queue_purge(&hdev->raw_q);
1600 /* Drop last sent command */
1601 if (hdev->sent_cmd) {
1602 cancel_delayed_work_sync(&hdev->cmd_timer);
1603 kfree_skb(hdev->sent_cmd);
1604 hdev->sent_cmd = NULL;
1607 clear_bit(HCI_RUNNING, &hdev->flags);
1608 hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
1610 /* After this point our queues are empty
1611 * and no tasks are scheduled. */
1615 hdev->flags &= BIT(HCI_RAW);
1616 hci_dev_clear_volatile_flags(hdev);
1618 /* Controller radio is available but is currently powered down */
1619 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
1621 memset(hdev->eir, 0, sizeof(hdev->eir));
1622 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1623 bacpy(&hdev->random_addr, BDADDR_ANY);
1625 hci_req_sync_unlock(hdev);
1631 int hci_dev_close(__u16 dev)
1633 struct hci_dev *hdev;
1636 hdev = hci_dev_get(dev);
1640 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1645 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
1646 cancel_delayed_work(&hdev->power_off);
1648 err = hci_dev_do_close(hdev);
1655 static int hci_dev_do_reset(struct hci_dev *hdev)
1659 BT_DBG("%s %p", hdev->name, hdev);
1661 hci_req_sync_lock(hdev);
1664 skb_queue_purge(&hdev->rx_q);
1665 skb_queue_purge(&hdev->cmd_q);
1667 /* Avoid potential lockdep warnings from the *_flush() calls by
1668 * ensuring the workqueue is empty up front.
1670 drain_workqueue(hdev->workqueue);
1673 hci_inquiry_cache_flush(hdev);
1674 hci_conn_hash_flush(hdev);
1675 hci_dev_unlock(hdev);
1680 atomic_set(&hdev->cmd_cnt, 1);
1681 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1683 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT, NULL);
1685 hci_req_sync_unlock(hdev);
1689 int hci_dev_reset(__u16 dev)
1691 struct hci_dev *hdev;
1694 hdev = hci_dev_get(dev);
1698 if (!test_bit(HCI_UP, &hdev->flags)) {
1703 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1708 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1713 err = hci_dev_do_reset(hdev);
1720 int hci_dev_reset_stat(__u16 dev)
1722 struct hci_dev *hdev;
1725 hdev = hci_dev_get(dev);
1729 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1734 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1739 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1746 static void hci_update_scan_state(struct hci_dev *hdev, u8 scan)
1748 bool conn_changed, discov_changed;
1750 BT_DBG("%s scan 0x%02x", hdev->name, scan);
1752 if ((scan & SCAN_PAGE))
1753 conn_changed = !hci_dev_test_and_set_flag(hdev,
1756 conn_changed = hci_dev_test_and_clear_flag(hdev,
1759 if ((scan & SCAN_INQUIRY)) {
1760 discov_changed = !hci_dev_test_and_set_flag(hdev,
1763 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1764 discov_changed = hci_dev_test_and_clear_flag(hdev,
1768 if (!hci_dev_test_flag(hdev, HCI_MGMT))
1771 if (conn_changed || discov_changed) {
1772 /* In case this was disabled through mgmt */
1773 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
1775 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1776 hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1778 mgmt_new_settings(hdev);
1782 int hci_dev_cmd(unsigned int cmd, void __user *arg)
1784 struct hci_dev *hdev;
1785 struct hci_dev_req dr;
1788 if (copy_from_user(&dr, arg, sizeof(dr)))
1791 hdev = hci_dev_get(dr.dev_id);
1795 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
1800 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
1805 if (hdev->dev_type != HCI_BREDR) {
1810 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1817 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1818 HCI_INIT_TIMEOUT, NULL);
1822 if (!lmp_encrypt_capable(hdev)) {
1827 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1828 /* Auth must be enabled first */
1829 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1830 HCI_INIT_TIMEOUT, NULL);
1835 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1836 HCI_INIT_TIMEOUT, NULL);
1840 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1841 HCI_INIT_TIMEOUT, NULL);
1843 /* Ensure that the connectable and discoverable states
1844 * get correctly modified as this was a non-mgmt change.
1847 hci_update_scan_state(hdev, dr.dev_opt);
1851 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1852 HCI_INIT_TIMEOUT, NULL);
1855 case HCISETLINKMODE:
1856 hdev->link_mode = ((__u16) dr.dev_opt) &
1857 (HCI_LM_MASTER | HCI_LM_ACCEPT);
1861 hdev->pkt_type = (__u16) dr.dev_opt;
1865 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
1866 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1870 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
1871 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1884 int hci_get_dev_list(void __user *arg)
1886 struct hci_dev *hdev;
1887 struct hci_dev_list_req *dl;
1888 struct hci_dev_req *dr;
1889 int n = 0, size, err;
1892 if (get_user(dev_num, (__u16 __user *) arg))
1895 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1898 size = sizeof(*dl) + dev_num * sizeof(*dr);
1900 dl = kzalloc(size, GFP_KERNEL);
1906 read_lock(&hci_dev_list_lock);
1907 list_for_each_entry(hdev, &hci_dev_list, list) {
1908 unsigned long flags = hdev->flags;
1910 /* When the auto-off is configured it means the transport
1911 * is running, but in that case still indicate that the
1912 * device is actually down.
1914 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1915 flags &= ~BIT(HCI_UP);
1917 (dr + n)->dev_id = hdev->id;
1918 (dr + n)->dev_opt = flags;
1923 read_unlock(&hci_dev_list_lock);
1926 size = sizeof(*dl) + n * sizeof(*dr);
1928 err = copy_to_user(arg, dl, size);
1931 return err ? -EFAULT : 0;
1934 int hci_get_dev_info(void __user *arg)
1936 struct hci_dev *hdev;
1937 struct hci_dev_info di;
1938 unsigned long flags;
1941 if (copy_from_user(&di, arg, sizeof(di)))
1944 hdev = hci_dev_get(di.dev_id);
1948 /* When the auto-off is configured it means the transport
1949 * is running, but in that case still indicate that the
1950 * device is actually down.
1952 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
1953 flags = hdev->flags & ~BIT(HCI_UP);
1955 flags = hdev->flags;
1957 strcpy(di.name, hdev->name);
1958 di.bdaddr = hdev->bdaddr;
1959 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
1961 di.pkt_type = hdev->pkt_type;
1962 if (lmp_bredr_capable(hdev)) {
1963 di.acl_mtu = hdev->acl_mtu;
1964 di.acl_pkts = hdev->acl_pkts;
1965 di.sco_mtu = hdev->sco_mtu;
1966 di.sco_pkts = hdev->sco_pkts;
1968 di.acl_mtu = hdev->le_mtu;
1969 di.acl_pkts = hdev->le_pkts;
1973 di.link_policy = hdev->link_policy;
1974 di.link_mode = hdev->link_mode;
1976 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1977 memcpy(&di.features, &hdev->features, sizeof(di.features));
1979 if (copy_to_user(arg, &di, sizeof(di)))
1987 /* ---- Interface to HCI drivers ---- */
1989 static int hci_rfkill_set_block(void *data, bool blocked)
1991 struct hci_dev *hdev = data;
1993 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1995 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
1999 hci_dev_set_flag(hdev, HCI_RFKILLED);
2000 if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
2001 !hci_dev_test_flag(hdev, HCI_CONFIG))
2002 hci_dev_do_close(hdev);
2004 hci_dev_clear_flag(hdev, HCI_RFKILLED);
2010 static const struct rfkill_ops hci_rfkill_ops = {
2011 .set_block = hci_rfkill_set_block,
2014 static void hci_power_on(struct work_struct *work)
2016 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2019 BT_DBG("%s", hdev->name);
2021 if (test_bit(HCI_UP, &hdev->flags) &&
2022 hci_dev_test_flag(hdev, HCI_MGMT) &&
2023 hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
2024 hci_req_sync_lock(hdev);
2025 err = __hci_req_hci_power_on(hdev);
2026 hci_req_sync_unlock(hdev);
2027 mgmt_power_on(hdev, err);
2031 err = hci_dev_do_open(hdev);
2034 mgmt_set_powered_failed(hdev, err);
2035 hci_dev_unlock(hdev);
2039 /* During the HCI setup phase, a few error conditions are
2040 * ignored and they need to be checked now. If they are still
2041 * valid, it is important to turn the device back off.
2043 if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
2044 hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
2045 (hdev->dev_type == HCI_BREDR &&
2046 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2047 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2048 hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
2049 hci_dev_do_close(hdev);
2050 } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
2051 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2052 HCI_AUTO_OFF_TIMEOUT);
2055 if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
2056 /* For unconfigured devices, set the HCI_RAW flag
2057 * so that userspace can easily identify them.
2059 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2060 set_bit(HCI_RAW, &hdev->flags);
2062 /* For fully configured devices, this will send
2063 * the Index Added event. For unconfigured devices,
2064 * it will send Unconfigued Index Added event.
2066 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
2067 * and no event will be send.
2069 mgmt_index_added(hdev);
2070 } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
2071 /* When the controller is now configured, then it
2072 * is important to clear the HCI_RAW flag.
2074 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
2075 clear_bit(HCI_RAW, &hdev->flags);
2077 /* Powering on the controller with HCI_CONFIG set only
2078 * happens with the transition from unconfigured to
2079 * configured. This will send the Index Added event.
2081 mgmt_index_added(hdev);
2085 static void hci_power_off(struct work_struct *work)
2087 struct hci_dev *hdev = container_of(work, struct hci_dev,
2090 BT_DBG("%s", hdev->name);
2092 hci_dev_do_close(hdev);
2095 static void hci_error_reset(struct work_struct *work)
2097 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
2099 BT_DBG("%s", hdev->name);
2102 hdev->hw_error(hdev, hdev->hw_error_code);
2104 BT_ERR("%s hardware error 0x%2.2x", hdev->name,
2105 hdev->hw_error_code);
2107 if (hci_dev_do_close(hdev))
2110 hci_dev_do_open(hdev);
2113 void hci_uuids_clear(struct hci_dev *hdev)
2115 struct bt_uuid *uuid, *tmp;
2117 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2118 list_del(&uuid->list);
2123 void hci_link_keys_clear(struct hci_dev *hdev)
2125 struct link_key *key;
2127 list_for_each_entry_rcu(key, &hdev->link_keys, list) {
2128 list_del_rcu(&key->list);
2129 kfree_rcu(key, rcu);
2133 void hci_smp_ltks_clear(struct hci_dev *hdev)
2137 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2138 list_del_rcu(&k->list);
2143 void hci_smp_irks_clear(struct hci_dev *hdev)
2147 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2148 list_del_rcu(&k->list);
2153 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2158 list_for_each_entry_rcu(k, &hdev->link_keys, list) {
2159 if (bacmp(bdaddr, &k->bdaddr) == 0) {
2169 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2170 u8 key_type, u8 old_key_type)
2173 if (key_type < 0x03)
2176 /* Debug keys are insecure so don't store them persistently */
2177 if (key_type == HCI_LK_DEBUG_COMBINATION)
2180 /* Changed combination key and there's no previous one */
2181 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2184 /* Security mode 3 case */
2188 /* BR/EDR key derived using SC from an LE link */
2189 if (conn->type == LE_LINK)
2192 /* Neither local nor remote side had no-bonding as requirement */
2193 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2196 /* Local side had dedicated bonding as requirement */
2197 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2200 /* Remote side had dedicated bonding as requirement */
2201 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2204 /* If none of the above criteria match, then don't store the key
2209 static u8 ltk_role(u8 type)
2211 if (type == SMP_LTK)
2212 return HCI_ROLE_MASTER;
2214 return HCI_ROLE_SLAVE;
2217 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2218 u8 addr_type, u8 role)
2223 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2224 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
2227 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
2237 struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2239 struct smp_irk *irk;
2242 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2243 if (!bacmp(&irk->rpa, rpa)) {
2249 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2250 if (smp_irk_matches(hdev, irk->val, rpa)) {
2251 bacpy(&irk->rpa, rpa);
2261 struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2264 struct smp_irk *irk;
2266 /* Identity Address must be public or static random */
2267 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2271 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
2272 if (addr_type == irk->addr_type &&
2273 bacmp(bdaddr, &irk->bdaddr) == 0) {
2283 struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
2284 bdaddr_t *bdaddr, u8 *val, u8 type,
2285 u8 pin_len, bool *persistent)
2287 struct link_key *key, *old_key;
2290 old_key = hci_find_link_key(hdev, bdaddr);
2292 old_key_type = old_key->type;
2295 old_key_type = conn ? conn->key_type : 0xff;
2296 key = kzalloc(sizeof(*key), GFP_KERNEL);
2299 list_add_rcu(&key->list, &hdev->link_keys);
2302 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2304 /* Some buggy controller combinations generate a changed
2305 * combination key for legacy pairing even when there's no
2307 if (type == HCI_LK_CHANGED_COMBINATION &&
2308 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2309 type = HCI_LK_COMBINATION;
2311 conn->key_type = type;
2314 bacpy(&key->bdaddr, bdaddr);
2315 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2316 key->pin_len = pin_len;
2318 if (type == HCI_LK_CHANGED_COMBINATION)
2319 key->type = old_key_type;
2324 *persistent = hci_persistent_key(hdev, conn, type,
2330 struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2331 u8 addr_type, u8 type, u8 authenticated,
2332 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
2334 struct smp_ltk *key, *old_key;
2335 u8 role = ltk_role(type);
2337 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
2341 key = kzalloc(sizeof(*key), GFP_KERNEL);
2344 list_add_rcu(&key->list, &hdev->long_term_keys);
2347 bacpy(&key->bdaddr, bdaddr);
2348 key->bdaddr_type = addr_type;
2349 memcpy(key->val, tk, sizeof(key->val));
2350 key->authenticated = authenticated;
2353 key->enc_size = enc_size;
2359 struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
2360 u8 addr_type, u8 val[16], bdaddr_t *rpa)
2362 struct smp_irk *irk;
2364 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
2366 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
2370 bacpy(&irk->bdaddr, bdaddr);
2371 irk->addr_type = addr_type;
2373 list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
2376 memcpy(irk->val, val, 16);
2377 bacpy(&irk->rpa, rpa);
2382 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2384 struct link_key *key;
2386 key = hci_find_link_key(hdev, bdaddr);
2390 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2392 list_del_rcu(&key->list);
2393 kfree_rcu(key, rcu);
2398 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
2403 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2404 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
2407 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2409 list_del_rcu(&k->list);
2414 return removed ? 0 : -ENOENT;
2417 void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
2421 list_for_each_entry_rcu(k, &hdev->identity_resolving_keys, list) {
2422 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
2425 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2427 list_del_rcu(&k->list);
2432 bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2435 struct smp_irk *irk;
2438 if (type == BDADDR_BREDR) {
2439 if (hci_find_link_key(hdev, bdaddr))
2444 /* Convert to HCI addr type which struct smp_ltk uses */
2445 if (type == BDADDR_LE_PUBLIC)
2446 addr_type = ADDR_LE_DEV_PUBLIC;
2448 addr_type = ADDR_LE_DEV_RANDOM;
2450 irk = hci_get_irk(hdev, bdaddr, addr_type);
2452 bdaddr = &irk->bdaddr;
2453 addr_type = irk->addr_type;
2457 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
2458 if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
2468 /* HCI command timer function */
2469 static void hci_cmd_timeout(struct work_struct *work)
2471 struct hci_dev *hdev = container_of(work, struct hci_dev,
2474 if (hdev->sent_cmd) {
2475 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2476 u16 opcode = __le16_to_cpu(sent->opcode);
2478 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2480 BT_ERR("%s command tx timeout", hdev->name);
2483 atomic_set(&hdev->cmd_cnt, 1);
2484 queue_work(hdev->workqueue, &hdev->cmd_work);
2487 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2488 bdaddr_t *bdaddr, u8 bdaddr_type)
2490 struct oob_data *data;
2492 list_for_each_entry(data, &hdev->remote_oob_data, list) {
2493 if (bacmp(bdaddr, &data->bdaddr) != 0)
2495 if (data->bdaddr_type != bdaddr_type)
2503 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2506 struct oob_data *data;
2508 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2512 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
2514 list_del(&data->list);
2520 void hci_remote_oob_data_clear(struct hci_dev *hdev)
2522 struct oob_data *data, *n;
2524 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2525 list_del(&data->list);
2530 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
2531 u8 bdaddr_type, u8 *hash192, u8 *rand192,
2532 u8 *hash256, u8 *rand256)
2534 struct oob_data *data;
2536 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
2538 data = kmalloc(sizeof(*data), GFP_KERNEL);
2542 bacpy(&data->bdaddr, bdaddr);
2543 data->bdaddr_type = bdaddr_type;
2544 list_add(&data->list, &hdev->remote_oob_data);
2547 if (hash192 && rand192) {
2548 memcpy(data->hash192, hash192, sizeof(data->hash192));
2549 memcpy(data->rand192, rand192, sizeof(data->rand192));
2550 if (hash256 && rand256)
2551 data->present = 0x03;
2553 memset(data->hash192, 0, sizeof(data->hash192));
2554 memset(data->rand192, 0, sizeof(data->rand192));
2555 if (hash256 && rand256)
2556 data->present = 0x02;
2558 data->present = 0x00;
2561 if (hash256 && rand256) {
2562 memcpy(data->hash256, hash256, sizeof(data->hash256));
2563 memcpy(data->rand256, rand256, sizeof(data->rand256));
2565 memset(data->hash256, 0, sizeof(data->hash256));
2566 memset(data->rand256, 0, sizeof(data->rand256));
2567 if (hash192 && rand192)
2568 data->present = 0x01;
2571 BT_DBG("%s for %pMR", hdev->name, bdaddr);
2576 /* This function requires the caller holds hdev->lock */
2577 struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
2579 struct adv_info *adv_instance;
2581 list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
2582 if (adv_instance->instance == instance)
2583 return adv_instance;
2589 /* This function requires the caller holds hdev->lock */
2590 struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
2592 struct adv_info *cur_instance;
2594 cur_instance = hci_find_adv_instance(hdev, instance);
2598 if (cur_instance == list_last_entry(&hdev->adv_instances,
2599 struct adv_info, list))
2600 return list_first_entry(&hdev->adv_instances,
2601 struct adv_info, list);
2603 return list_next_entry(cur_instance, list);
2606 /* This function requires the caller holds hdev->lock */
2607 int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
2609 struct adv_info *adv_instance;
2611 adv_instance = hci_find_adv_instance(hdev, instance);
2615 BT_DBG("%s removing %dMR", hdev->name, instance);
2617 if (hdev->cur_adv_instance == instance) {
2618 if (hdev->adv_instance_timeout) {
2619 cancel_delayed_work(&hdev->adv_instance_expire);
2620 hdev->adv_instance_timeout = 0;
2622 hdev->cur_adv_instance = 0x00;
2625 list_del(&adv_instance->list);
2626 kfree(adv_instance);
2628 hdev->adv_instance_cnt--;
2633 /* This function requires the caller holds hdev->lock */
2634 void hci_adv_instances_clear(struct hci_dev *hdev)
2636 struct adv_info *adv_instance, *n;
2638 if (hdev->adv_instance_timeout) {
2639 cancel_delayed_work(&hdev->adv_instance_expire);
2640 hdev->adv_instance_timeout = 0;
2643 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
2644 list_del(&adv_instance->list);
2645 kfree(adv_instance);
2648 hdev->adv_instance_cnt = 0;
2649 hdev->cur_adv_instance = 0x00;
2652 /* This function requires the caller holds hdev->lock */
2653 int hci_add_adv_instance(struct hci_dev *hdev, u8 instance, u32 flags,
2654 u16 adv_data_len, u8 *adv_data,
2655 u16 scan_rsp_len, u8 *scan_rsp_data,
2656 u16 timeout, u16 duration)
2658 struct adv_info *adv_instance;
2660 adv_instance = hci_find_adv_instance(hdev, instance);
2662 memset(adv_instance->adv_data, 0,
2663 sizeof(adv_instance->adv_data));
2664 memset(adv_instance->scan_rsp_data, 0,
2665 sizeof(adv_instance->scan_rsp_data));
2667 if (hdev->adv_instance_cnt >= HCI_MAX_ADV_INSTANCES ||
2668 instance < 1 || instance > HCI_MAX_ADV_INSTANCES)
2671 adv_instance = kzalloc(sizeof(*adv_instance), GFP_KERNEL);
2675 adv_instance->pending = true;
2676 adv_instance->instance = instance;
2677 list_add(&adv_instance->list, &hdev->adv_instances);
2678 hdev->adv_instance_cnt++;
2681 adv_instance->flags = flags;
2682 adv_instance->adv_data_len = adv_data_len;
2683 adv_instance->scan_rsp_len = scan_rsp_len;
2686 memcpy(adv_instance->adv_data, adv_data, adv_data_len);
2689 memcpy(adv_instance->scan_rsp_data,
2690 scan_rsp_data, scan_rsp_len);
2692 adv_instance->timeout = timeout;
2693 adv_instance->remaining_time = timeout;
2696 adv_instance->duration = HCI_DEFAULT_ADV_DURATION;
2698 adv_instance->duration = duration;
2700 BT_DBG("%s for %dMR", hdev->name, instance);
2705 struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2706 bdaddr_t *bdaddr, u8 type)
2708 struct bdaddr_list *b;
2710 list_for_each_entry(b, bdaddr_list, list) {
2711 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2718 void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2720 struct bdaddr_list *b, *n;
2722 list_for_each_entry_safe(b, n, bdaddr_list, list) {
2728 int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2730 struct bdaddr_list *entry;
2732 if (!bacmp(bdaddr, BDADDR_ANY))
2735 if (hci_bdaddr_list_lookup(list, bdaddr, type))
2738 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2742 bacpy(&entry->bdaddr, bdaddr);
2743 entry->bdaddr_type = type;
2745 list_add(&entry->list, list);
2750 int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2752 struct bdaddr_list *entry;
2754 if (!bacmp(bdaddr, BDADDR_ANY)) {
2755 hci_bdaddr_list_clear(list);
2759 entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2763 list_del(&entry->list);
2769 /* This function requires the caller holds hdev->lock */
2770 struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2771 bdaddr_t *addr, u8 addr_type)
2773 struct hci_conn_params *params;
2775 list_for_each_entry(params, &hdev->le_conn_params, list) {
2776 if (bacmp(¶ms->addr, addr) == 0 &&
2777 params->addr_type == addr_type) {
2785 /* This function requires the caller holds hdev->lock */
2786 struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2787 bdaddr_t *addr, u8 addr_type)
2789 struct hci_conn_params *param;
2791 list_for_each_entry(param, list, action) {
2792 if (bacmp(¶m->addr, addr) == 0 &&
2793 param->addr_type == addr_type)
2800 /* This function requires the caller holds hdev->lock */
2801 struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2802 bdaddr_t *addr, u8 addr_type)
2804 struct hci_conn_params *params;
2806 params = hci_conn_params_lookup(hdev, addr, addr_type);
2810 params = kzalloc(sizeof(*params), GFP_KERNEL);
2812 BT_ERR("Out of memory");
2816 bacpy(¶ms->addr, addr);
2817 params->addr_type = addr_type;
2819 list_add(¶ms->list, &hdev->le_conn_params);
2820 INIT_LIST_HEAD(¶ms->action);
2822 params->conn_min_interval = hdev->le_conn_min_interval;
2823 params->conn_max_interval = hdev->le_conn_max_interval;
2824 params->conn_latency = hdev->le_conn_latency;
2825 params->supervision_timeout = hdev->le_supv_timeout;
2826 params->auto_connect = HCI_AUTO_CONN_DISABLED;
2828 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2833 static void hci_conn_params_free(struct hci_conn_params *params)
2836 hci_conn_drop(params->conn);
2837 hci_conn_put(params->conn);
2840 list_del(¶ms->action);
2841 list_del(¶ms->list);
2845 /* This function requires the caller holds hdev->lock */
2846 void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2848 struct hci_conn_params *params;
2850 params = hci_conn_params_lookup(hdev, addr, addr_type);
2854 hci_conn_params_free(params);
2856 hci_update_background_scan(hdev);
2858 BT_DBG("addr %pMR (type %u)", addr, addr_type);
2861 /* This function requires the caller holds hdev->lock */
2862 void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2864 struct hci_conn_params *params, *tmp;
2866 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2867 if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2870 /* If trying to estabilish one time connection to disabled
2871 * device, leave the params, but mark them as just once.
2873 if (params->explicit_connect) {
2874 params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2878 list_del(¶ms->list);
2882 BT_DBG("All LE disabled connection parameters were removed");
2885 /* This function requires the caller holds hdev->lock */
2886 static void hci_conn_params_clear_all(struct hci_dev *hdev)
2888 struct hci_conn_params *params, *tmp;
2890 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2891 hci_conn_params_free(params);
2893 BT_DBG("All LE connection parameters were removed");
2896 /* Copy the Identity Address of the controller.
2898 * If the controller has a public BD_ADDR, then by default use that one.
2899 * If this is a LE only controller without a public address, default to
2900 * the static random address.
2902 * For debugging purposes it is possible to force controllers with a
2903 * public address to use the static random address instead.
2905 * In case BR/EDR has been disabled on a dual-mode controller and
2906 * userspace has configured a static address, then that address
2907 * becomes the identity address instead of the public BR/EDR address.
2909 void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2912 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2913 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2914 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2915 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2916 bacpy(bdaddr, &hdev->static_addr);
2917 *bdaddr_type = ADDR_LE_DEV_RANDOM;
2919 bacpy(bdaddr, &hdev->bdaddr);
2920 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
2924 /* Alloc HCI device */
2925 struct hci_dev *hci_alloc_dev(void)
2927 struct hci_dev *hdev;
2929 hdev = kzalloc(sizeof(*hdev), GFP_KERNEL);
2933 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2934 hdev->esco_type = (ESCO_HV1);
2935 hdev->link_mode = (HCI_LM_ACCEPT);
2936 hdev->num_iac = 0x01; /* One IAC support is mandatory */
2937 hdev->io_capability = 0x03; /* No Input No Output */
2938 hdev->manufacturer = 0xffff; /* Default to internal use */
2939 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2940 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2941 hdev->adv_instance_cnt = 0;
2942 hdev->cur_adv_instance = 0x00;
2943 hdev->adv_instance_timeout = 0;
2945 hdev->sniff_max_interval = 800;
2946 hdev->sniff_min_interval = 80;
2948 hdev->le_adv_channel_map = 0x07;
2949 hdev->le_adv_min_interval = 0x0800;
2950 hdev->le_adv_max_interval = 0x0800;
2951 hdev->le_scan_interval = 0x0060;
2952 hdev->le_scan_window = 0x0030;
2953 hdev->le_conn_min_interval = 0x0028;
2954 hdev->le_conn_max_interval = 0x0038;
2955 hdev->le_conn_latency = 0x0000;
2956 hdev->le_supv_timeout = 0x002a;
2957 hdev->le_def_tx_len = 0x001b;
2958 hdev->le_def_tx_time = 0x0148;
2959 hdev->le_max_tx_len = 0x001b;
2960 hdev->le_max_tx_time = 0x0148;
2961 hdev->le_max_rx_len = 0x001b;
2962 hdev->le_max_rx_time = 0x0148;
2964 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2965 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2966 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2967 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2969 mutex_init(&hdev->lock);
2970 mutex_init(&hdev->req_lock);
2972 INIT_LIST_HEAD(&hdev->mgmt_pending);
2973 INIT_LIST_HEAD(&hdev->blacklist);
2974 INIT_LIST_HEAD(&hdev->whitelist);
2975 INIT_LIST_HEAD(&hdev->uuids);
2976 INIT_LIST_HEAD(&hdev->link_keys);
2977 INIT_LIST_HEAD(&hdev->long_term_keys);
2978 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2979 INIT_LIST_HEAD(&hdev->remote_oob_data);
2980 INIT_LIST_HEAD(&hdev->le_white_list);
2981 INIT_LIST_HEAD(&hdev->le_conn_params);
2982 INIT_LIST_HEAD(&hdev->pend_le_conns);
2983 INIT_LIST_HEAD(&hdev->pend_le_reports);
2984 INIT_LIST_HEAD(&hdev->conn_hash.list);
2985 INIT_LIST_HEAD(&hdev->adv_instances);
2987 INIT_WORK(&hdev->rx_work, hci_rx_work);
2988 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2989 INIT_WORK(&hdev->tx_work, hci_tx_work);
2990 INIT_WORK(&hdev->power_on, hci_power_on);
2991 INIT_WORK(&hdev->error_reset, hci_error_reset);
2993 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2995 skb_queue_head_init(&hdev->rx_q);
2996 skb_queue_head_init(&hdev->cmd_q);
2997 skb_queue_head_init(&hdev->raw_q);
2999 init_waitqueue_head(&hdev->req_wait_q);
3001 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
3003 hci_request_setup(hdev);
3005 hci_init_sysfs(hdev);
3006 discovery_init(hdev);
3010 EXPORT_SYMBOL(hci_alloc_dev);
3012 /* Free HCI device */
3013 void hci_free_dev(struct hci_dev *hdev)
3015 /* will free via device release */
3016 put_device(&hdev->dev);
3018 EXPORT_SYMBOL(hci_free_dev);
3020 /* Register HCI device */
3021 int hci_register_dev(struct hci_dev *hdev)
3025 if (!hdev->open || !hdev->close || !hdev->send)
3028 /* Do not allow HCI_AMP devices to register at index 0,
3029 * so the index can be used as the AMP controller ID.
3031 switch (hdev->dev_type) {
3033 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3036 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3045 sprintf(hdev->name, "hci%d", id);
3048 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3050 hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3051 WQ_MEM_RECLAIM, 1, hdev->name);
3052 if (!hdev->workqueue) {
3057 hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3058 WQ_MEM_RECLAIM, 1, hdev->name);
3059 if (!hdev->req_workqueue) {
3060 destroy_workqueue(hdev->workqueue);
3065 if (!IS_ERR_OR_NULL(bt_debugfs))
3066 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3068 dev_set_name(&hdev->dev, "%s", hdev->name);
3070 error = device_add(&hdev->dev);
3074 hci_leds_init(hdev);
3076 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3077 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3080 if (rfkill_register(hdev->rfkill) < 0) {
3081 rfkill_destroy(hdev->rfkill);
3082 hdev->rfkill = NULL;
3086 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3087 hci_dev_set_flag(hdev, HCI_RFKILLED);
3089 hci_dev_set_flag(hdev, HCI_SETUP);
3090 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
3092 if (hdev->dev_type == HCI_BREDR) {
3093 /* Assume BR/EDR support until proven otherwise (such as
3094 * through reading supported features during init.
3096 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
3099 write_lock(&hci_dev_list_lock);
3100 list_add(&hdev->list, &hci_dev_list);
3101 write_unlock(&hci_dev_list_lock);
3103 /* Devices that are marked for raw-only usage are unconfigured
3104 * and should not be included in normal operation.
3106 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
3107 hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
3109 hci_sock_dev_event(hdev, HCI_DEV_REG);
3112 queue_work(hdev->req_workqueue, &hdev->power_on);
3117 destroy_workqueue(hdev->workqueue);
3118 destroy_workqueue(hdev->req_workqueue);
3120 ida_simple_remove(&hci_index_ida, hdev->id);
3124 EXPORT_SYMBOL(hci_register_dev);
3126 /* Unregister HCI device */
3127 void hci_unregister_dev(struct hci_dev *hdev)
3131 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3133 hci_dev_set_flag(hdev, HCI_UNREGISTER);
3137 write_lock(&hci_dev_list_lock);
3138 list_del(&hdev->list);
3139 write_unlock(&hci_dev_list_lock);
3141 hci_dev_do_close(hdev);
3143 cancel_work_sync(&hdev->power_on);
3145 if (!test_bit(HCI_INIT, &hdev->flags) &&
3146 !hci_dev_test_flag(hdev, HCI_SETUP) &&
3147 !hci_dev_test_flag(hdev, HCI_CONFIG)) {
3149 mgmt_index_removed(hdev);
3150 hci_dev_unlock(hdev);
3153 /* mgmt_index_removed should take care of emptying the
3155 BUG_ON(!list_empty(&hdev->mgmt_pending));
3157 hci_sock_dev_event(hdev, HCI_DEV_UNREG);
3160 rfkill_unregister(hdev->rfkill);
3161 rfkill_destroy(hdev->rfkill);
3164 device_del(&hdev->dev);
3166 debugfs_remove_recursive(hdev->debugfs);
3168 destroy_workqueue(hdev->workqueue);
3169 destroy_workqueue(hdev->req_workqueue);
3172 hci_bdaddr_list_clear(&hdev->blacklist);
3173 hci_bdaddr_list_clear(&hdev->whitelist);
3174 hci_uuids_clear(hdev);
3175 hci_link_keys_clear(hdev);
3176 hci_smp_ltks_clear(hdev);
3177 hci_smp_irks_clear(hdev);
3178 hci_remote_oob_data_clear(hdev);
3179 hci_adv_instances_clear(hdev);
3180 hci_bdaddr_list_clear(&hdev->le_white_list);
3181 hci_conn_params_clear_all(hdev);
3182 hci_discovery_filter_clear(hdev);
3183 hci_dev_unlock(hdev);
3187 ida_simple_remove(&hci_index_ida, id);
3189 EXPORT_SYMBOL(hci_unregister_dev);
3191 /* Suspend HCI device */
3192 int hci_suspend_dev(struct hci_dev *hdev)
3194 hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
3197 EXPORT_SYMBOL(hci_suspend_dev);
3199 /* Resume HCI device */
3200 int hci_resume_dev(struct hci_dev *hdev)
3202 hci_sock_dev_event(hdev, HCI_DEV_RESUME);
3205 EXPORT_SYMBOL(hci_resume_dev);
3207 /* Reset HCI device */
3208 int hci_reset_dev(struct hci_dev *hdev)
3210 const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
3211 struct sk_buff *skb;
3213 skb = bt_skb_alloc(3, GFP_ATOMIC);
3217 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
3218 memcpy(skb_put(skb, 3), hw_err, 3);
3220 /* Send Hardware Error to upper stack */
3221 return hci_recv_frame(hdev, skb);
3223 EXPORT_SYMBOL(hci_reset_dev);
3225 /* Receive frame from HCI drivers */
3226 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3228 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3229 && !test_bit(HCI_INIT, &hdev->flags))) {
3234 if (hci_skb_pkt_type(skb) != HCI_EVENT_PKT &&
3235 hci_skb_pkt_type(skb) != HCI_ACLDATA_PKT &&
3236 hci_skb_pkt_type(skb) != HCI_SCODATA_PKT) {
3242 bt_cb(skb)->incoming = 1;
3245 __net_timestamp(skb);
3247 skb_queue_tail(&hdev->rx_q, skb);
3248 queue_work(hdev->workqueue, &hdev->rx_work);
3252 EXPORT_SYMBOL(hci_recv_frame);
3254 /* Receive diagnostic message from HCI drivers */
3255 int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
3257 /* Mark as diagnostic packet */
3258 hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
3261 __net_timestamp(skb);
3263 skb_queue_tail(&hdev->rx_q, skb);
3264 queue_work(hdev->workqueue, &hdev->rx_work);
3268 EXPORT_SYMBOL(hci_recv_diag);
3270 /* ---- Interface to upper protocols ---- */
3272 int hci_register_cb(struct hci_cb *cb)
3274 BT_DBG("%p name %s", cb, cb->name);
3276 mutex_lock(&hci_cb_list_lock);
3277 list_add_tail(&cb->list, &hci_cb_list);
3278 mutex_unlock(&hci_cb_list_lock);
3282 EXPORT_SYMBOL(hci_register_cb);
3284 int hci_unregister_cb(struct hci_cb *cb)
3286 BT_DBG("%p name %s", cb, cb->name);
3288 mutex_lock(&hci_cb_list_lock);
3289 list_del(&cb->list);
3290 mutex_unlock(&hci_cb_list_lock);
3294 EXPORT_SYMBOL(hci_unregister_cb);
3296 static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3300 BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3304 __net_timestamp(skb);
3306 /* Send copy to monitor */
3307 hci_send_to_monitor(hdev, skb);
3309 if (atomic_read(&hdev->promisc)) {
3310 /* Send copy to the sockets */
3311 hci_send_to_sock(hdev, skb);
3314 /* Get rid of skb owner, prior to sending to the driver. */
3317 if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3322 err = hdev->send(hdev, skb);
3324 BT_ERR("%s sending frame failed (%d)", hdev->name, err);
3329 /* Send HCI command */
3330 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3333 struct sk_buff *skb;
3335 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3337 skb = hci_prepare_cmd(hdev, opcode, plen, param);
3339 BT_ERR("%s no memory for command", hdev->name);
3343 /* Stand-alone HCI commands must be flagged as
3344 * single-command requests.
3346 bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3348 skb_queue_tail(&hdev->cmd_q, skb);
3349 queue_work(hdev->workqueue, &hdev->cmd_work);
3354 /* Get data from the previously sent command */
3355 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3357 struct hci_command_hdr *hdr;
3359 if (!hdev->sent_cmd)
3362 hdr = (void *) hdev->sent_cmd->data;
3364 if (hdr->opcode != cpu_to_le16(opcode))
3367 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3369 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3372 /* Send HCI command and wait for command commplete event */
3373 struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
3374 const void *param, u32 timeout)
3376 struct sk_buff *skb;
3378 if (!test_bit(HCI_UP, &hdev->flags))
3379 return ERR_PTR(-ENETDOWN);
3381 bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
3383 hci_req_sync_lock(hdev);
3384 skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
3385 hci_req_sync_unlock(hdev);
3389 EXPORT_SYMBOL(hci_cmd_sync);
3392 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3394 struct hci_acl_hdr *hdr;
3397 skb_push(skb, HCI_ACL_HDR_SIZE);
3398 skb_reset_transport_header(skb);
3399 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3400 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3401 hdr->dlen = cpu_to_le16(len);
3404 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3405 struct sk_buff *skb, __u16 flags)
3407 struct hci_conn *conn = chan->conn;
3408 struct hci_dev *hdev = conn->hdev;
3409 struct sk_buff *list;
3411 skb->len = skb_headlen(skb);
3414 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3416 switch (hdev->dev_type) {
3418 hci_add_acl_hdr(skb, conn->handle, flags);
3421 hci_add_acl_hdr(skb, chan->handle, flags);
3424 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3428 list = skb_shinfo(skb)->frag_list;
3430 /* Non fragmented */
3431 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3433 skb_queue_tail(queue, skb);
3436 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3438 skb_shinfo(skb)->frag_list = NULL;
3440 /* Queue all fragments atomically. We need to use spin_lock_bh
3441 * here because of 6LoWPAN links, as there this function is
3442 * called from softirq and using normal spin lock could cause
3445 spin_lock_bh(&queue->lock);
3447 __skb_queue_tail(queue, skb);
3449 flags &= ~ACL_START;
3452 skb = list; list = list->next;
3454 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3455 hci_add_acl_hdr(skb, conn->handle, flags);
3457 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3459 __skb_queue_tail(queue, skb);
3462 spin_unlock_bh(&queue->lock);
3466 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3468 struct hci_dev *hdev = chan->conn->hdev;
3470 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3472 hci_queue_acl(chan, &chan->data_q, skb, flags);
3474 queue_work(hdev->workqueue, &hdev->tx_work);
3478 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3480 struct hci_dev *hdev = conn->hdev;
3481 struct hci_sco_hdr hdr;
3483 BT_DBG("%s len %d", hdev->name, skb->len);
3485 hdr.handle = cpu_to_le16(conn->handle);
3486 hdr.dlen = skb->len;
3488 skb_push(skb, HCI_SCO_HDR_SIZE);
3489 skb_reset_transport_header(skb);
3490 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3492 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3494 skb_queue_tail(&conn->data_q, skb);
3495 queue_work(hdev->workqueue, &hdev->tx_work);
3498 /* ---- HCI TX task (outgoing data) ---- */
3500 /* HCI Connection scheduler */
3501 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3504 struct hci_conn_hash *h = &hdev->conn_hash;
3505 struct hci_conn *conn = NULL, *c;
3506 unsigned int num = 0, min = ~0;
3508 /* We don't have to lock device here. Connections are always
3509 * added and removed with TX task disabled. */
3513 list_for_each_entry_rcu(c, &h->list, list) {
3514 if (c->type != type || skb_queue_empty(&c->data_q))
3517 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3522 if (c->sent < min) {
3527 if (hci_conn_num(hdev, type) == num)
3536 switch (conn->type) {
3538 cnt = hdev->acl_cnt;
3542 cnt = hdev->sco_cnt;
3545 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3549 BT_ERR("Unknown link type");
3557 BT_DBG("conn %p quote %d", conn, *quote);
3561 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3563 struct hci_conn_hash *h = &hdev->conn_hash;
3566 BT_ERR("%s link tx timeout", hdev->name);
3570 /* Kill stalled connections */
3571 list_for_each_entry_rcu(c, &h->list, list) {
3572 if (c->type == type && c->sent) {
3573 BT_ERR("%s killing stalled connection %pMR",
3574 hdev->name, &c->dst);
3575 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3582 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3585 struct hci_conn_hash *h = &hdev->conn_hash;
3586 struct hci_chan *chan = NULL;
3587 unsigned int num = 0, min = ~0, cur_prio = 0;
3588 struct hci_conn *conn;
3589 int cnt, q, conn_num = 0;
3591 BT_DBG("%s", hdev->name);
3595 list_for_each_entry_rcu(conn, &h->list, list) {
3596 struct hci_chan *tmp;
3598 if (conn->type != type)
3601 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3606 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3607 struct sk_buff *skb;
3609 if (skb_queue_empty(&tmp->data_q))
3612 skb = skb_peek(&tmp->data_q);
3613 if (skb->priority < cur_prio)
3616 if (skb->priority > cur_prio) {
3619 cur_prio = skb->priority;
3624 if (conn->sent < min) {
3630 if (hci_conn_num(hdev, type) == conn_num)
3639 switch (chan->conn->type) {
3641 cnt = hdev->acl_cnt;
3644 cnt = hdev->block_cnt;
3648 cnt = hdev->sco_cnt;
3651 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3655 BT_ERR("Unknown link type");
3660 BT_DBG("chan %p quote %d", chan, *quote);
3664 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3666 struct hci_conn_hash *h = &hdev->conn_hash;
3667 struct hci_conn *conn;
3670 BT_DBG("%s", hdev->name);
3674 list_for_each_entry_rcu(conn, &h->list, list) {
3675 struct hci_chan *chan;
3677 if (conn->type != type)
3680 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3685 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3686 struct sk_buff *skb;
3693 if (skb_queue_empty(&chan->data_q))
3696 skb = skb_peek(&chan->data_q);
3697 if (skb->priority >= HCI_PRIO_MAX - 1)
3700 skb->priority = HCI_PRIO_MAX - 1;
3702 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3706 if (hci_conn_num(hdev, type) == num)
3714 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3716 /* Calculate count of blocks used by this packet */
3717 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3720 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3722 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3723 /* ACL tx timeout must be longer than maximum
3724 * link supervision timeout (40.9 seconds) */
3725 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3726 HCI_ACL_TX_TIMEOUT))
3727 hci_link_tx_to(hdev, ACL_LINK);
3731 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3733 unsigned int cnt = hdev->acl_cnt;
3734 struct hci_chan *chan;
3735 struct sk_buff *skb;
3738 __check_timeout(hdev, cnt);
3740 while (hdev->acl_cnt &&
3741 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
3742 u32 priority = (skb_peek(&chan->data_q))->priority;
3743 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3744 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3745 skb->len, skb->priority);
3747 /* Stop if priority has changed */
3748 if (skb->priority < priority)
3751 skb = skb_dequeue(&chan->data_q);
3753 hci_conn_enter_active_mode(chan->conn,
3754 bt_cb(skb)->force_active);
3756 hci_send_frame(hdev, skb);
3757 hdev->acl_last_tx = jiffies;
3765 if (cnt != hdev->acl_cnt)
3766 hci_prio_recalculate(hdev, ACL_LINK);
3769 static void hci_sched_acl_blk(struct hci_dev *hdev)
3771 unsigned int cnt = hdev->block_cnt;
3772 struct hci_chan *chan;
3773 struct sk_buff *skb;
3777 __check_timeout(hdev, cnt);
3779 BT_DBG("%s", hdev->name);
3781 if (hdev->dev_type == HCI_AMP)
3786 while (hdev->block_cnt > 0 &&
3787 (chan = hci_chan_sent(hdev, type, "e))) {
3788 u32 priority = (skb_peek(&chan->data_q))->priority;
3789 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3792 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3793 skb->len, skb->priority);
3795 /* Stop if priority has changed */
3796 if (skb->priority < priority)
3799 skb = skb_dequeue(&chan->data_q);
3801 blocks = __get_blocks(hdev, skb);
3802 if (blocks > hdev->block_cnt)
3805 hci_conn_enter_active_mode(chan->conn,
3806 bt_cb(skb)->force_active);
3808 hci_send_frame(hdev, skb);
3809 hdev->acl_last_tx = jiffies;
3811 hdev->block_cnt -= blocks;
3814 chan->sent += blocks;
3815 chan->conn->sent += blocks;
3819 if (cnt != hdev->block_cnt)
3820 hci_prio_recalculate(hdev, type);
3823 static void hci_sched_acl(struct hci_dev *hdev)
3825 BT_DBG("%s", hdev->name);
3827 /* No ACL link over BR/EDR controller */
3828 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3831 /* No AMP link over AMP controller */
3832 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3835 switch (hdev->flow_ctl_mode) {
3836 case HCI_FLOW_CTL_MODE_PACKET_BASED:
3837 hci_sched_acl_pkt(hdev);
3840 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3841 hci_sched_acl_blk(hdev);
3847 static void hci_sched_sco(struct hci_dev *hdev)
3849 struct hci_conn *conn;
3850 struct sk_buff *skb;
3853 BT_DBG("%s", hdev->name);
3855 if (!hci_conn_num(hdev, SCO_LINK))
3858 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
3859 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3860 BT_DBG("skb %p len %d", skb, skb->len);
3861 hci_send_frame(hdev, skb);
3864 if (conn->sent == ~0)
3870 static void hci_sched_esco(struct hci_dev *hdev)
3872 struct hci_conn *conn;
3873 struct sk_buff *skb;
3876 BT_DBG("%s", hdev->name);
3878 if (!hci_conn_num(hdev, ESCO_LINK))
3881 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3883 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3884 BT_DBG("skb %p len %d", skb, skb->len);
3885 hci_send_frame(hdev, skb);
3888 if (conn->sent == ~0)
3894 static void hci_sched_le(struct hci_dev *hdev)
3896 struct hci_chan *chan;
3897 struct sk_buff *skb;
3898 int quote, cnt, tmp;
3900 BT_DBG("%s", hdev->name);
3902 if (!hci_conn_num(hdev, LE_LINK))
3905 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
3906 /* LE tx timeout must be longer than maximum
3907 * link supervision timeout (40.9 seconds) */
3908 if (!hdev->le_cnt && hdev->le_pkts &&
3909 time_after(jiffies, hdev->le_last_tx + HZ * 45))
3910 hci_link_tx_to(hdev, LE_LINK);
3913 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3915 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
3916 u32 priority = (skb_peek(&chan->data_q))->priority;
3917 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3918 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3919 skb->len, skb->priority);
3921 /* Stop if priority has changed */
3922 if (skb->priority < priority)
3925 skb = skb_dequeue(&chan->data_q);
3927 hci_send_frame(hdev, skb);
3928 hdev->le_last_tx = jiffies;
3939 hdev->acl_cnt = cnt;
3942 hci_prio_recalculate(hdev, LE_LINK);
3945 static void hci_tx_work(struct work_struct *work)
3947 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3948 struct sk_buff *skb;
3950 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3951 hdev->sco_cnt, hdev->le_cnt);
3953 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3954 /* Schedule queues and send stuff to HCI driver */
3955 hci_sched_acl(hdev);
3956 hci_sched_sco(hdev);
3957 hci_sched_esco(hdev);
3961 /* Send next queued raw (unknown type) packet */
3962 while ((skb = skb_dequeue(&hdev->raw_q)))
3963 hci_send_frame(hdev, skb);
3966 /* ----- HCI RX task (incoming data processing) ----- */
3968 /* ACL data packet */
3969 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3971 struct hci_acl_hdr *hdr = (void *) skb->data;
3972 struct hci_conn *conn;
3973 __u16 handle, flags;
3975 skb_pull(skb, HCI_ACL_HDR_SIZE);
3977 handle = __le16_to_cpu(hdr->handle);
3978 flags = hci_flags(handle);
3979 handle = hci_handle(handle);
3981 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3984 hdev->stat.acl_rx++;
3987 conn = hci_conn_hash_lookup_handle(hdev, handle);
3988 hci_dev_unlock(hdev);
3991 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3993 /* Send to upper protocol */
3994 l2cap_recv_acldata(conn, skb, flags);
3997 BT_ERR("%s ACL packet for unknown connection handle %d",
3998 hdev->name, handle);
4004 /* SCO data packet */
4005 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4007 struct hci_sco_hdr *hdr = (void *) skb->data;
4008 struct hci_conn *conn;
4011 skb_pull(skb, HCI_SCO_HDR_SIZE);
4013 handle = __le16_to_cpu(hdr->handle);
4015 BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4017 hdev->stat.sco_rx++;
4020 conn = hci_conn_hash_lookup_handle(hdev, handle);
4021 hci_dev_unlock(hdev);
4024 /* Send to upper protocol */
4025 sco_recv_scodata(conn, skb);
4028 BT_ERR("%s SCO packet for unknown connection handle %d",
4029 hdev->name, handle);
4035 static bool hci_req_is_complete(struct hci_dev *hdev)
4037 struct sk_buff *skb;
4039 skb = skb_peek(&hdev->cmd_q);
4043 return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
4046 static void hci_resend_last(struct hci_dev *hdev)
4048 struct hci_command_hdr *sent;
4049 struct sk_buff *skb;
4052 if (!hdev->sent_cmd)
4055 sent = (void *) hdev->sent_cmd->data;
4056 opcode = __le16_to_cpu(sent->opcode);
4057 if (opcode == HCI_OP_RESET)
4060 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4064 skb_queue_head(&hdev->cmd_q, skb);
4065 queue_work(hdev->workqueue, &hdev->cmd_work);
4068 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
4069 hci_req_complete_t *req_complete,
4070 hci_req_complete_skb_t *req_complete_skb)
4072 struct sk_buff *skb;
4073 unsigned long flags;
4075 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4077 /* If the completed command doesn't match the last one that was
4078 * sent we need to do special handling of it.
4080 if (!hci_sent_cmd_data(hdev, opcode)) {
4081 /* Some CSR based controllers generate a spontaneous
4082 * reset complete event during init and any pending
4083 * command will never be completed. In such a case we
4084 * need to resend whatever was the last sent
4087 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4088 hci_resend_last(hdev);
4093 /* If the command succeeded and there's still more commands in
4094 * this request the request is not yet complete.
4096 if (!status && !hci_req_is_complete(hdev))
4099 /* If this was the last command in a request the complete
4100 * callback would be found in hdev->sent_cmd instead of the
4101 * command queue (hdev->cmd_q).
4103 if (bt_cb(hdev->sent_cmd)->hci.req_flags & HCI_REQ_SKB) {
4104 *req_complete_skb = bt_cb(hdev->sent_cmd)->hci.req_complete_skb;
4108 if (bt_cb(hdev->sent_cmd)->hci.req_complete) {
4109 *req_complete = bt_cb(hdev->sent_cmd)->hci.req_complete;
4113 /* Remove all pending commands belonging to this request */
4114 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4115 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4116 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4117 __skb_queue_head(&hdev->cmd_q, skb);
4121 *req_complete = bt_cb(skb)->hci.req_complete;
4122 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4125 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4128 static void hci_rx_work(struct work_struct *work)
4130 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4131 struct sk_buff *skb;
4133 BT_DBG("%s", hdev->name);
4135 while ((skb = skb_dequeue(&hdev->rx_q))) {
4136 /* Send copy to monitor */
4137 hci_send_to_monitor(hdev, skb);
4139 if (atomic_read(&hdev->promisc)) {
4140 /* Send copy to the sockets */
4141 hci_send_to_sock(hdev, skb);
4144 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
4149 if (test_bit(HCI_INIT, &hdev->flags)) {
4150 /* Don't process data packets in this states. */
4151 switch (hci_skb_pkt_type(skb)) {
4152 case HCI_ACLDATA_PKT:
4153 case HCI_SCODATA_PKT:
4160 switch (hci_skb_pkt_type(skb)) {
4162 BT_DBG("%s Event packet", hdev->name);
4163 hci_event_packet(hdev, skb);
4166 case HCI_ACLDATA_PKT:
4167 BT_DBG("%s ACL data packet", hdev->name);
4168 hci_acldata_packet(hdev, skb);
4171 case HCI_SCODATA_PKT:
4172 BT_DBG("%s SCO data packet", hdev->name);
4173 hci_scodata_packet(hdev, skb);
4183 static void hci_cmd_work(struct work_struct *work)
4185 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4186 struct sk_buff *skb;
4188 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4189 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4191 /* Send queued commands */
4192 if (atomic_read(&hdev->cmd_cnt)) {
4193 skb = skb_dequeue(&hdev->cmd_q);
4197 kfree_skb(hdev->sent_cmd);
4199 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4200 if (hdev->sent_cmd) {
4201 atomic_dec(&hdev->cmd_cnt);
4202 hci_send_frame(hdev, skb);
4203 if (test_bit(HCI_RESET, &hdev->flags))
4204 cancel_delayed_work(&hdev->cmd_timer);
4206 schedule_delayed_work(&hdev->cmd_timer,
4209 skb_queue_head(&hdev->cmd_q, skb);
4210 queue_work(hdev->workqueue, &hdev->cmd_work);
projects / karo-tx-linux.git / blob