]> git.karo-electronics.de Git - karo-tx-linux.git/blob - net/bluetooth/hci_core.c
projects / karo-tx-linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge remote-tracking branch 'slave-dma/next'
[karo-tx-linux.git] / net / bluetooth / hci_core.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2011 ProFUSION Embedded Systems
5
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI core. */
27
28 #include <linux/export.h>
29 #include <linux/idr.h>
30
31 #include <linux/rfkill.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35
36 static void hci_rx_work(struct work_struct *work);
37 static void hci_cmd_work(struct work_struct *work);
38 static void hci_tx_work(struct work_struct *work);
39
40 /* HCI device list */
41 LIST_HEAD(hci_dev_list);
42 DEFINE_RWLOCK(hci_dev_list_lock);
43
44 /* HCI callback list */
45 LIST_HEAD(hci_cb_list);
46 DEFINE_RWLOCK(hci_cb_list_lock);
47
48 /* HCI ID Numbering */
49 static DEFINE_IDA(hci_index_ida);
50
51 /* ---- HCI notifications ---- */
52
53 static void hci_notify(struct hci_dev *hdev, int event)
54 {
55         hci_sock_dev_event(hdev, event);
56 }
57
58 /* ---- HCI requests ---- */
59
60 static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
61 {
62         BT_DBG("%s result 0x%2.2x", hdev->name, result);
63
64         if (hdev->req_status == HCI_REQ_PEND) {
65                 hdev->req_result = result;
66                 hdev->req_status = HCI_REQ_DONE;
67                 wake_up_interruptible(&hdev->req_wait_q);
68         }
69 }
70
71 static void hci_req_cancel(struct hci_dev *hdev, int err)
72 {
73         BT_DBG("%s err 0x%2.2x", hdev->name, err);
74
75         if (hdev->req_status == HCI_REQ_PEND) {
76                 hdev->req_result = err;
77                 hdev->req_status = HCI_REQ_CANCELED;
78                 wake_up_interruptible(&hdev->req_wait_q);
79         }
80 }
81
82 static struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
83                                             u8 event)
84 {
85         struct hci_ev_cmd_complete *ev;
86         struct hci_event_hdr *hdr;
87         struct sk_buff *skb;
88
89         hci_dev_lock(hdev);
90
91         skb = hdev->recv_evt;
92         hdev->recv_evt = NULL;
93
94         hci_dev_unlock(hdev);
95
96         if (!skb)
97                 return ERR_PTR(-ENODATA);
98
99         if (skb->len < sizeof(*hdr)) {
100                 BT_ERR("Too short HCI event");
101                 goto failed;
102         }
103
104         hdr = (void *) skb->data;
105         skb_pull(skb, HCI_EVENT_HDR_SIZE);
106
107         if (event) {
108                 if (hdr->evt != event)
109                         goto failed;
110                 return skb;
111         }
112
113         if (hdr->evt != HCI_EV_CMD_COMPLETE) {
114                 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
115                 goto failed;
116         }
117
118         if (skb->len < sizeof(*ev)) {
119                 BT_ERR("Too short cmd_complete event");
120                 goto failed;
121         }
122
123         ev = (void *) skb->data;
124         skb_pull(skb, sizeof(*ev));
125
126         if (opcode == __le16_to_cpu(ev->opcode))
127                 return skb;
128
129         BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
130                __le16_to_cpu(ev->opcode));
131
132 failed:
133         kfree_skb(skb);
134         return ERR_PTR(-ENODATA);
135 }
136
137 struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
138                                   const void *param, u8 event, u32 timeout)
139 {
140         DECLARE_WAITQUEUE(wait, current);
141         struct hci_request req;
142         int err = 0;
143
144         BT_DBG("%s", hdev->name);
145
146         hci_req_init(&req, hdev);
147
148         hci_req_add_ev(&req, opcode, plen, param, event);
149
150         hdev->req_status = HCI_REQ_PEND;
151
152         err = hci_req_run(&req, hci_req_sync_complete);
153         if (err < 0)
154                 return ERR_PTR(err);
155
156         add_wait_queue(&hdev->req_wait_q, &wait);
157         set_current_state(TASK_INTERRUPTIBLE);
158
159         schedule_timeout(timeout);
160
161         remove_wait_queue(&hdev->req_wait_q, &wait);
162
163         if (signal_pending(current))
164                 return ERR_PTR(-EINTR);
165
166         switch (hdev->req_status) {
167         case HCI_REQ_DONE:
168                 err = -bt_to_errno(hdev->req_result);
169                 break;
170
171         case HCI_REQ_CANCELED:
172                 err = -hdev->req_result;
173                 break;
174
175         default:
176                 err = -ETIMEDOUT;
177                 break;
178         }
179
180         hdev->req_status = hdev->req_result = 0;
181
182         BT_DBG("%s end: err %d", hdev->name, err);
183
184         if (err < 0)
185                 return ERR_PTR(err);
186
187         return hci_get_cmd_complete(hdev, opcode, event);
188 }
189 EXPORT_SYMBOL(__hci_cmd_sync_ev);
190
191 struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
192                                const void *param, u32 timeout)
193 {
194         return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
195 }
196 EXPORT_SYMBOL(__hci_cmd_sync);
197
198 /* Execute request and wait for completion. */
199 static int __hci_req_sync(struct hci_dev *hdev,
200                           void (*func)(struct hci_request *req,
201                                       unsigned long opt),
202                           unsigned long opt, __u32 timeout)
203 {
204         struct hci_request req;
205         DECLARE_WAITQUEUE(wait, current);
206         int err = 0;
207
208         BT_DBG("%s start", hdev->name);
209
210         hci_req_init(&req, hdev);
211
212         hdev->req_status = HCI_REQ_PEND;
213
214         func(&req, opt);
215
216         err = hci_req_run(&req, hci_req_sync_complete);
217         if (err < 0) {
218                 hdev->req_status = 0;
219
220                 /* ENODATA means the HCI request command queue is empty.
221                  * This can happen when a request with conditionals doesn't
222                  * trigger any commands to be sent. This is normal behavior
223                  * and should not trigger an error return.
224                  */
225                 if (err == -ENODATA)
226                         return 0;
227
228                 return err;
229         }
230
231         add_wait_queue(&hdev->req_wait_q, &wait);
232         set_current_state(TASK_INTERRUPTIBLE);
233
234         schedule_timeout(timeout);
235
236         remove_wait_queue(&hdev->req_wait_q, &wait);
237
238         if (signal_pending(current))
239                 return -EINTR;
240
241         switch (hdev->req_status) {
242         case HCI_REQ_DONE:
243                 err = -bt_to_errno(hdev->req_result);
244                 break;
245
246         case HCI_REQ_CANCELED:
247                 err = -hdev->req_result;
248                 break;
249
250         default:
251                 err = -ETIMEDOUT;
252                 break;
253         }
254
255         hdev->req_status = hdev->req_result = 0;
256
257         BT_DBG("%s end: err %d", hdev->name, err);
258
259         return err;
260 }
261
262 static int hci_req_sync(struct hci_dev *hdev,
263                         void (*req)(struct hci_request *req,
264                                     unsigned long opt),
265                         unsigned long opt, __u32 timeout)
266 {
267         int ret;
268
269         if (!test_bit(HCI_UP, &hdev->flags))
270                 return -ENETDOWN;
271
272         /* Serialize all requests */
273         hci_req_lock(hdev);
274         ret = __hci_req_sync(hdev, req, opt, timeout);
275         hci_req_unlock(hdev);
276
277         return ret;
278 }
279
280 static void hci_reset_req(struct hci_request *req, unsigned long opt)
281 {
282         BT_DBG("%s %ld", req->hdev->name, opt);
283
284         /* Reset device */
285         set_bit(HCI_RESET, &req->hdev->flags);
286         hci_req_add(req, HCI_OP_RESET, 0, NULL);
287 }
288
289 static void bredr_init(struct hci_request *req)
290 {
291         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
292
293         /* Read Local Supported Features */
294         hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
295
296         /* Read Local Version */
297         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
298
299         /* Read BD Address */
300         hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
301 }
302
303 static void amp_init(struct hci_request *req)
304 {
305         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
306
307         /* Read Local Version */
308         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
309
310         /* Read Local AMP Info */
311         hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
312
313         /* Read Data Blk size */
314         hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
315 }
316
317 static void hci_init1_req(struct hci_request *req, unsigned long opt)
318 {
319         struct hci_dev *hdev = req->hdev;
320
321         BT_DBG("%s %ld", hdev->name, opt);
322
323         /* Reset */
324         if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
325                 hci_reset_req(req, 0);
326
327         switch (hdev->dev_type) {
328         case HCI_BREDR:
329                 bredr_init(req);
330                 break;
331
332         case HCI_AMP:
333                 amp_init(req);
334                 break;
335
336         default:
337                 BT_ERR("Unknown device type %d", hdev->dev_type);
338                 break;
339         }
340 }
341
342 static void bredr_setup(struct hci_request *req)
343 {
344         __le16 param;
345         __u8 flt_type;
346
347         /* Read Buffer Size (ACL mtu, max pkt, etc.) */
348         hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
349
350         /* Read Class of Device */
351         hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
352
353         /* Read Local Name */
354         hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
355
356         /* Read Voice Setting */
357         hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
358
359         /* Clear Event Filters */
360         flt_type = HCI_FLT_CLEAR_ALL;
361         hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
362
363         /* Connection accept timeout ~20 secs */
364         param = __constant_cpu_to_le16(0x7d00);
365         hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
366
367         /* Read page scan parameters */
368         if (req->hdev->hci_ver > BLUETOOTH_VER_1_1) {
369                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
370                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
371         }
372 }
373
374 static void le_setup(struct hci_request *req)
375 {
376         struct hci_dev *hdev = req->hdev;
377
378         /* Read LE Buffer Size */
379         hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
380
381         /* Read LE Local Supported Features */
382         hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
383
384         /* Read LE Advertising Channel TX Power */
385         hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
386
387         /* Read LE White List Size */
388         hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
389
390         /* Read LE Supported States */
391         hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
392
393         /* LE-only controllers have LE implicitly enabled */
394         if (!lmp_bredr_capable(hdev))
395                 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
396 }
397
398 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
399 {
400         if (lmp_ext_inq_capable(hdev))
401                 return 0x02;
402
403         if (lmp_inq_rssi_capable(hdev))
404                 return 0x01;
405
406         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
407             hdev->lmp_subver == 0x0757)
408                 return 0x01;
409
410         if (hdev->manufacturer == 15) {
411                 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
412                         return 0x01;
413                 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
414                         return 0x01;
415                 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
416                         return 0x01;
417         }
418
419         if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
420             hdev->lmp_subver == 0x1805)
421                 return 0x01;
422
423         return 0x00;
424 }
425
426 static void hci_setup_inquiry_mode(struct hci_request *req)
427 {
428         u8 mode;
429
430         mode = hci_get_inquiry_mode(req->hdev);
431
432         hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
433 }
434
435 static void hci_setup_event_mask(struct hci_request *req)
436 {
437         struct hci_dev *hdev = req->hdev;
438
439         /* The second byte is 0xff instead of 0x9f (two reserved bits
440          * disabled) since a Broadcom 1.2 dongle doesn't respond to the
441          * command otherwise.
442          */
443         u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
444
445         /* CSR 1.1 dongles does not accept any bitfield so don't try to set
446          * any event mask for pre 1.2 devices.
447          */
448         if (hdev->hci_ver < BLUETOOTH_VER_1_2)
449                 return;
450
451         if (lmp_bredr_capable(hdev)) {
452                 events[4] |= 0x01; /* Flow Specification Complete */
453                 events[4] |= 0x02; /* Inquiry Result with RSSI */
454                 events[4] |= 0x04; /* Read Remote Extended Features Complete */
455                 events[5] |= 0x08; /* Synchronous Connection Complete */
456                 events[5] |= 0x10; /* Synchronous Connection Changed */
457         } else {
458                 /* Use a different default for LE-only devices */
459                 memset(events, 0, sizeof(events));
460                 events[0] |= 0x10; /* Disconnection Complete */
461                 events[0] |= 0x80; /* Encryption Change */
462                 events[1] |= 0x08; /* Read Remote Version Information Complete */
463                 events[1] |= 0x20; /* Command Complete */
464                 events[1] |= 0x40; /* Command Status */
465                 events[1] |= 0x80; /* Hardware Error */
466                 events[2] |= 0x04; /* Number of Completed Packets */
467                 events[3] |= 0x02; /* Data Buffer Overflow */
468                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
469         }
470
471         if (lmp_inq_rssi_capable(hdev))
472                 events[4] |= 0x02; /* Inquiry Result with RSSI */
473
474         if (lmp_sniffsubr_capable(hdev))
475                 events[5] |= 0x20; /* Sniff Subrating */
476
477         if (lmp_pause_enc_capable(hdev))
478                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
479
480         if (lmp_ext_inq_capable(hdev))
481                 events[5] |= 0x40; /* Extended Inquiry Result */
482
483         if (lmp_no_flush_capable(hdev))
484                 events[7] |= 0x01; /* Enhanced Flush Complete */
485
486         if (lmp_lsto_capable(hdev))
487                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
488
489         if (lmp_ssp_capable(hdev)) {
490                 events[6] |= 0x01;      /* IO Capability Request */
491                 events[6] |= 0x02;      /* IO Capability Response */
492                 events[6] |= 0x04;      /* User Confirmation Request */
493                 events[6] |= 0x08;      /* User Passkey Request */
494                 events[6] |= 0x10;      /* Remote OOB Data Request */
495                 events[6] |= 0x20;      /* Simple Pairing Complete */
496                 events[7] |= 0x04;      /* User Passkey Notification */
497                 events[7] |= 0x08;      /* Keypress Notification */
498                 events[7] |= 0x10;      /* Remote Host Supported
499                                          * Features Notification
500                                          */
501         }
502
503         if (lmp_le_capable(hdev))
504                 events[7] |= 0x20;      /* LE Meta-Event */
505
506         hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
507
508         if (lmp_le_capable(hdev)) {
509                 memset(events, 0, sizeof(events));
510                 events[0] = 0x1f;
511                 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK,
512                             sizeof(events), events);
513         }
514 }
515
516 static void hci_init2_req(struct hci_request *req, unsigned long opt)
517 {
518         struct hci_dev *hdev = req->hdev;
519
520         if (lmp_bredr_capable(hdev))
521                 bredr_setup(req);
522
523         if (lmp_le_capable(hdev))
524                 le_setup(req);
525
526         hci_setup_event_mask(req);
527
528         /* AVM Berlin (31), aka "BlueFRITZ!", doesn't support the read
529          * local supported commands HCI command.
530          */
531         if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1)
532                 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
533
534         if (lmp_ssp_capable(hdev)) {
535                 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
536                         u8 mode = 0x01;
537                         hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
538                                     sizeof(mode), &mode);
539                 } else {
540                         struct hci_cp_write_eir cp;
541
542                         memset(hdev->eir, 0, sizeof(hdev->eir));
543                         memset(&cp, 0, sizeof(cp));
544
545                         hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
546                 }
547         }
548
549         if (lmp_inq_rssi_capable(hdev))
550                 hci_setup_inquiry_mode(req);
551
552         if (lmp_inq_tx_pwr_capable(hdev))
553                 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
554
555         if (lmp_ext_feat_capable(hdev)) {
556                 struct hci_cp_read_local_ext_features cp;
557
558                 cp.page = 0x01;
559                 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
560                             sizeof(cp), &cp);
561         }
562
563         if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
564                 u8 enable = 1;
565                 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
566                             &enable);
567         }
568 }
569
570 static void hci_setup_link_policy(struct hci_request *req)
571 {
572         struct hci_dev *hdev = req->hdev;
573         struct hci_cp_write_def_link_policy cp;
574         u16 link_policy = 0;
575
576         if (lmp_rswitch_capable(hdev))
577                 link_policy |= HCI_LP_RSWITCH;
578         if (lmp_hold_capable(hdev))
579                 link_policy |= HCI_LP_HOLD;
580         if (lmp_sniff_capable(hdev))
581                 link_policy |= HCI_LP_SNIFF;
582         if (lmp_park_capable(hdev))
583                 link_policy |= HCI_LP_PARK;
584
585         cp.policy = cpu_to_le16(link_policy);
586         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
587 }
588
589 static void hci_set_le_support(struct hci_request *req)
590 {
591         struct hci_dev *hdev = req->hdev;
592         struct hci_cp_write_le_host_supported cp;
593
594         /* LE-only devices do not support explicit enablement */
595         if (!lmp_bredr_capable(hdev))
596                 return;
597
598         memset(&cp, 0, sizeof(cp));
599
600         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
601                 cp.le = 0x01;
602                 cp.simul = lmp_le_br_capable(hdev);
603         }
604
605         if (cp.le != lmp_host_le_capable(hdev))
606                 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
607                             &cp);
608 }
609
610 static void hci_init3_req(struct hci_request *req, unsigned long opt)
611 {
612         struct hci_dev *hdev = req->hdev;
613         u8 p;
614
615         /* Some Broadcom based Bluetooth controllers do not support the
616          * Delete Stored Link Key command. They are clearly indicating its
617          * absence in the bit mask of supported commands.
618          *
619          * Check the supported commands and only if the the command is marked
620          * as supported send it. If not supported assume that the controller
621          * does not have actual support for stored link keys which makes this
622          * command redundant anyway.
623          */
624         if (hdev->commands[6] & 0x80) {
625                 struct hci_cp_delete_stored_link_key cp;
626
627                 bacpy(&cp.bdaddr, BDADDR_ANY);
628                 cp.delete_all = 0x01;
629                 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
630                             sizeof(cp), &cp);
631         }
632
633         if (hdev->commands[5] & 0x10)
634                 hci_setup_link_policy(req);
635
636         if (lmp_le_capable(hdev)) {
637                 hci_set_le_support(req);
638                 hci_update_ad(req);
639         }
640
641         /* Read features beyond page 1 if available */
642         for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
643                 struct hci_cp_read_local_ext_features cp;
644
645                 cp.page = p;
646                 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
647                             sizeof(cp), &cp);
648         }
649 }
650
651 static int __hci_init(struct hci_dev *hdev)
652 {
653         int err;
654
655         err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
656         if (err < 0)
657                 return err;
658
659         /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
660          * BR/EDR/LE type controllers. AMP controllers only need the
661          * first stage init.
662          */
663         if (hdev->dev_type != HCI_BREDR)
664                 return 0;
665
666         err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
667         if (err < 0)
668                 return err;
669
670         return __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
671 }
672
673 static void hci_scan_req(struct hci_request *req, unsigned long opt)
674 {
675         __u8 scan = opt;
676
677         BT_DBG("%s %x", req->hdev->name, scan);
678
679         /* Inquiry and Page scans */
680         hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
681 }
682
683 static void hci_auth_req(struct hci_request *req, unsigned long opt)
684 {
685         __u8 auth = opt;
686
687         BT_DBG("%s %x", req->hdev->name, auth);
688
689         /* Authentication */
690         hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
691 }
692
693 static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
694 {
695         __u8 encrypt = opt;
696
697         BT_DBG("%s %x", req->hdev->name, encrypt);
698
699         /* Encryption */
700         hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
701 }
702
703 static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
704 {
705         __le16 policy = cpu_to_le16(opt);
706
707         BT_DBG("%s %x", req->hdev->name, policy);
708
709         /* Default link policy */
710         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
711 }
712
713 /* Get HCI device by index.
714  * Device is held on return. */
715 struct hci_dev *hci_dev_get(int index)
716 {
717         struct hci_dev *hdev = NULL, *d;
718
719         BT_DBG("%d", index);
720
721         if (index < 0)
722                 return NULL;
723
724         read_lock(&hci_dev_list_lock);
725         list_for_each_entry(d, &hci_dev_list, list) {
726                 if (d->id == index) {
727                         hdev = hci_dev_hold(d);
728                         break;
729                 }
730         }
731         read_unlock(&hci_dev_list_lock);
732         return hdev;
733 }
734
735 /* ---- Inquiry support ---- */
736
737 bool hci_discovery_active(struct hci_dev *hdev)
738 {
739         struct discovery_state *discov = &hdev->discovery;
740
741         switch (discov->state) {
742         case DISCOVERY_FINDING:
743         case DISCOVERY_RESOLVING:
744                 return true;
745
746         default:
747                 return false;
748         }
749 }
750
751 void hci_discovery_set_state(struct hci_dev *hdev, int state)
752 {
753         BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
754
755         if (hdev->discovery.state == state)
756                 return;
757
758         switch (state) {
759         case DISCOVERY_STOPPED:
760                 if (hdev->discovery.state != DISCOVERY_STARTING)
761                         mgmt_discovering(hdev, 0);
762                 break;
763         case DISCOVERY_STARTING:
764                 break;
765         case DISCOVERY_FINDING:
766                 mgmt_discovering(hdev, 1);
767                 break;
768         case DISCOVERY_RESOLVING:
769                 break;
770         case DISCOVERY_STOPPING:
771                 break;
772         }
773
774         hdev->discovery.state = state;
775 }
776
777 void hci_inquiry_cache_flush(struct hci_dev *hdev)
778 {
779         struct discovery_state *cache = &hdev->discovery;
780         struct inquiry_entry *p, *n;
781
782         list_for_each_entry_safe(p, n, &cache->all, all) {
783                 list_del(&p->all);
784                 kfree(p);
785         }
786
787         INIT_LIST_HEAD(&cache->unknown);
788         INIT_LIST_HEAD(&cache->resolve);
789 }
790
791 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
792                                                bdaddr_t *bdaddr)
793 {
794         struct discovery_state *cache = &hdev->discovery;
795         struct inquiry_entry *e;
796
797         BT_DBG("cache %p, %pMR", cache, bdaddr);
798
799         list_for_each_entry(e, &cache->all, all) {
800                 if (!bacmp(&e->data.bdaddr, bdaddr))
801                         return e;
802         }
803
804         return NULL;
805 }
806
807 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
808                                                        bdaddr_t *bdaddr)
809 {
810         struct discovery_state *cache = &hdev->discovery;
811         struct inquiry_entry *e;
812
813         BT_DBG("cache %p, %pMR", cache, bdaddr);
814
815         list_for_each_entry(e, &cache->unknown, list) {
816                 if (!bacmp(&e->data.bdaddr, bdaddr))
817                         return e;
818         }
819
820         return NULL;
821 }
822
823 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
824                                                        bdaddr_t *bdaddr,
825                                                        int state)
826 {
827         struct discovery_state *cache = &hdev->discovery;
828         struct inquiry_entry *e;
829
830         BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
831
832         list_for_each_entry(e, &cache->resolve, list) {
833                 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
834                         return e;
835                 if (!bacmp(&e->data.bdaddr, bdaddr))
836                         return e;
837         }
838
839         return NULL;
840 }
841
842 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
843                                       struct inquiry_entry *ie)
844 {
845         struct discovery_state *cache = &hdev->discovery;
846         struct list_head *pos = &cache->resolve;
847         struct inquiry_entry *p;
848
849         list_del(&ie->list);
850
851         list_for_each_entry(p, &cache->resolve, list) {
852                 if (p->name_state != NAME_PENDING &&
853                     abs(p->data.rssi) >= abs(ie->data.rssi))
854                         break;
855                 pos = &p->list;
856         }
857
858         list_add(&ie->list, pos);
859 }
860
861 bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
862                               bool name_known, bool *ssp)
863 {
864         struct discovery_state *cache = &hdev->discovery;
865         struct inquiry_entry *ie;
866
867         BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
868
869         hci_remove_remote_oob_data(hdev, &data->bdaddr);
870
871         if (ssp)
872                 *ssp = data->ssp_mode;
873
874         ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
875         if (ie) {
876                 if (ie->data.ssp_mode && ssp)
877                         *ssp = true;
878
879                 if (ie->name_state == NAME_NEEDED &&
880                     data->rssi != ie->data.rssi) {
881                         ie->data.rssi = data->rssi;
882                         hci_inquiry_cache_update_resolve(hdev, ie);
883                 }
884
885                 goto update;
886         }
887
888         /* Entry not in the cache. Add new one. */
889         ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
890         if (!ie)
891                 return false;
892
893         list_add(&ie->all, &cache->all);
894
895         if (name_known) {
896                 ie->name_state = NAME_KNOWN;
897         } else {
898                 ie->name_state = NAME_NOT_KNOWN;
899                 list_add(&ie->list, &cache->unknown);
900         }
901
902 update:
903         if (name_known && ie->name_state != NAME_KNOWN &&
904             ie->name_state != NAME_PENDING) {
905                 ie->name_state = NAME_KNOWN;
906                 list_del(&ie->list);
907         }
908
909         memcpy(&ie->data, data, sizeof(*data));
910         ie->timestamp = jiffies;
911         cache->timestamp = jiffies;
912
913         if (ie->name_state == NAME_NOT_KNOWN)
914                 return false;
915
916         return true;
917 }
918
919 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
920 {
921         struct discovery_state *cache = &hdev->discovery;
922         struct inquiry_info *info = (struct inquiry_info *) buf;
923         struct inquiry_entry *e;
924         int copied = 0;
925
926         list_for_each_entry(e, &cache->all, all) {
927                 struct inquiry_data *data = &e->data;
928
929                 if (copied >= num)
930                         break;
931
932                 bacpy(&info->bdaddr, &data->bdaddr);
933                 info->pscan_rep_mode    = data->pscan_rep_mode;
934                 info->pscan_period_mode = data->pscan_period_mode;
935                 info->pscan_mode        = data->pscan_mode;
936                 memcpy(info->dev_class, data->dev_class, 3);
937                 info->clock_offset      = data->clock_offset;
938
939                 info++;
940                 copied++;
941         }
942
943         BT_DBG("cache %p, copied %d", cache, copied);
944         return copied;
945 }
946
947 static void hci_inq_req(struct hci_request *req, unsigned long opt)
948 {
949         struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
950         struct hci_dev *hdev = req->hdev;
951         struct hci_cp_inquiry cp;
952
953         BT_DBG("%s", hdev->name);
954
955         if (test_bit(HCI_INQUIRY, &hdev->flags))
956                 return;
957
958         /* Start Inquiry */
959         memcpy(&cp.lap, &ir->lap, 3);
960         cp.length  = ir->length;
961         cp.num_rsp = ir->num_rsp;
962         hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
963 }
964
965 static int wait_inquiry(void *word)
966 {
967         schedule();
968         return signal_pending(current);
969 }
970
971 int hci_inquiry(void __user *arg)
972 {
973         __u8 __user *ptr = arg;
974         struct hci_inquiry_req ir;
975         struct hci_dev *hdev;
976         int err = 0, do_inquiry = 0, max_rsp;
977         long timeo;
978         __u8 *buf;
979
980         if (copy_from_user(&ir, ptr, sizeof(ir)))
981                 return -EFAULT;
982
983         hdev = hci_dev_get(ir.dev_id);
984         if (!hdev)
985                 return -ENODEV;
986
987         hci_dev_lock(hdev);
988         if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
989             inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
990                 hci_inquiry_cache_flush(hdev);
991                 do_inquiry = 1;
992         }
993         hci_dev_unlock(hdev);
994
995         timeo = ir.length * msecs_to_jiffies(2000);
996
997         if (do_inquiry) {
998                 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
999                                    timeo);
1000                 if (err < 0)
1001                         goto done;
1002
1003                 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1004                  * cleared). If it is interrupted by a signal, return -EINTR.
1005                  */
1006                 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
1007                                 TASK_INTERRUPTIBLE))
1008                         return -EINTR;
1009         }
1010
1011         /* for unlimited number of responses we will use buffer with
1012          * 255 entries
1013          */
1014         max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1015
1016         /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1017          * copy it to the user space.
1018          */
1019         buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1020         if (!buf) {
1021                 err = -ENOMEM;
1022                 goto done;
1023         }
1024
1025         hci_dev_lock(hdev);
1026         ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1027         hci_dev_unlock(hdev);
1028
1029         BT_DBG("num_rsp %d", ir.num_rsp);
1030
1031         if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1032                 ptr += sizeof(ir);
1033                 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1034                                  ir.num_rsp))
1035                         err = -EFAULT;
1036         } else
1037                 err = -EFAULT;
1038
1039         kfree(buf);
1040
1041 done:
1042         hci_dev_put(hdev);
1043         return err;
1044 }
1045
1046 static u8 create_ad(struct hci_dev *hdev, u8 *ptr)
1047 {
1048         u8 ad_len = 0, flags = 0;
1049         size_t name_len;
1050
1051         if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
1052                 flags |= LE_AD_GENERAL;
1053
1054         if (!lmp_bredr_capable(hdev))
1055                 flags |= LE_AD_NO_BREDR;
1056
1057         if (lmp_le_br_capable(hdev))
1058                 flags |= LE_AD_SIM_LE_BREDR_CTRL;
1059
1060         if (lmp_host_le_br_capable(hdev))
1061                 flags |= LE_AD_SIM_LE_BREDR_HOST;
1062
1063         if (flags) {
1064                 BT_DBG("adv flags 0x%02x", flags);
1065
1066                 ptr[0] = 2;
1067                 ptr[1] = EIR_FLAGS;
1068                 ptr[2] = flags;
1069
1070                 ad_len += 3;
1071                 ptr += 3;
1072         }
1073
1074         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
1075                 ptr[0] = 2;
1076                 ptr[1] = EIR_TX_POWER;
1077                 ptr[2] = (u8) hdev->adv_tx_power;
1078
1079                 ad_len += 3;
1080                 ptr += 3;
1081         }
1082
1083         name_len = strlen(hdev->dev_name);
1084         if (name_len > 0) {
1085                 size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
1086
1087                 if (name_len > max_len) {
1088                         name_len = max_len;
1089                         ptr[1] = EIR_NAME_SHORT;
1090                 } else
1091                         ptr[1] = EIR_NAME_COMPLETE;
1092
1093                 ptr[0] = name_len + 1;
1094
1095                 memcpy(ptr + 2, hdev->dev_name, name_len);
1096
1097                 ad_len += (name_len + 2);
1098                 ptr += (name_len + 2);
1099         }
1100
1101         return ad_len;
1102 }
1103
1104 void hci_update_ad(struct hci_request *req)
1105 {
1106         struct hci_dev *hdev = req->hdev;
1107         struct hci_cp_le_set_adv_data cp;
1108         u8 len;
1109
1110         if (!lmp_le_capable(hdev))
1111                 return;
1112
1113         memset(&cp, 0, sizeof(cp));
1114
1115         len = create_ad(hdev, cp.data);
1116
1117         if (hdev->adv_data_len == len &&
1118             memcmp(cp.data, hdev->adv_data, len) == 0)
1119                 return;
1120
1121         memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
1122         hdev->adv_data_len = len;
1123
1124         cp.length = len;
1125
1126         hci_req_add(req, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
1127 }
1128
1129 /* ---- HCI ioctl helpers ---- */
1130
1131 int hci_dev_open(__u16 dev)
1132 {
1133         struct hci_dev *hdev;
1134         int ret = 0;
1135
1136         hdev = hci_dev_get(dev);
1137         if (!hdev)
1138                 return -ENODEV;
1139
1140         BT_DBG("%s %p", hdev->name, hdev);
1141
1142         hci_req_lock(hdev);
1143
1144         if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1145                 ret = -ENODEV;
1146                 goto done;
1147         }
1148
1149         /* Check for rfkill but allow the HCI setup stage to proceed
1150          * (which in itself doesn't cause any RF activity).
1151          */
1152         if (test_bit(HCI_RFKILLED, &hdev->dev_flags) &&
1153             !test_bit(HCI_SETUP, &hdev->dev_flags)) {
1154                 ret = -ERFKILL;
1155                 goto done;
1156         }
1157
1158         if (test_bit(HCI_UP, &hdev->flags)) {
1159                 ret = -EALREADY;
1160                 goto done;
1161         }
1162
1163         if (hdev->open(hdev)) {
1164                 ret = -EIO;
1165                 goto done;
1166         }
1167
1168         atomic_set(&hdev->cmd_cnt, 1);
1169         set_bit(HCI_INIT, &hdev->flags);
1170
1171         if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
1172                 ret = hdev->setup(hdev);
1173
1174         if (!ret) {
1175                 /* Treat all non BR/EDR controllers as raw devices if
1176                  * enable_hs is not set.
1177                  */
1178                 if (hdev->dev_type != HCI_BREDR && !enable_hs)
1179                         set_bit(HCI_RAW, &hdev->flags);
1180
1181                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1182                         set_bit(HCI_RAW, &hdev->flags);
1183
1184                 if (!test_bit(HCI_RAW, &hdev->flags))
1185                         ret = __hci_init(hdev);
1186         }
1187
1188         clear_bit(HCI_INIT, &hdev->flags);
1189
1190         if (!ret) {
1191                 hci_dev_hold(hdev);
1192                 set_bit(HCI_UP, &hdev->flags);
1193                 hci_notify(hdev, HCI_DEV_UP);
1194                 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1195                     mgmt_valid_hdev(hdev)) {
1196                         hci_dev_lock(hdev);
1197                         mgmt_powered(hdev, 1);
1198                         hci_dev_unlock(hdev);
1199                 }
1200         } else {
1201                 /* Init failed, cleanup */
1202                 flush_work(&hdev->tx_work);
1203                 flush_work(&hdev->cmd_work);
1204                 flush_work(&hdev->rx_work);
1205
1206                 skb_queue_purge(&hdev->cmd_q);
1207                 skb_queue_purge(&hdev->rx_q);
1208
1209                 if (hdev->flush)
1210                         hdev->flush(hdev);
1211
1212                 if (hdev->sent_cmd) {
1213                         kfree_skb(hdev->sent_cmd);
1214                         hdev->sent_cmd = NULL;
1215                 }
1216
1217                 hdev->close(hdev);
1218                 hdev->flags = 0;
1219         }
1220
1221 done:
1222         hci_req_unlock(hdev);
1223         hci_dev_put(hdev);
1224         return ret;
1225 }
1226
1227 static int hci_dev_do_close(struct hci_dev *hdev)
1228 {
1229         BT_DBG("%s %p", hdev->name, hdev);
1230
1231         cancel_delayed_work(&hdev->power_off);
1232
1233         hci_req_cancel(hdev, ENODEV);
1234         hci_req_lock(hdev);
1235
1236         if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1237                 del_timer_sync(&hdev->cmd_timer);
1238                 hci_req_unlock(hdev);
1239                 return 0;
1240         }
1241
1242         /* Flush RX and TX works */
1243         flush_work(&hdev->tx_work);
1244         flush_work(&hdev->rx_work);
1245
1246         if (hdev->discov_timeout > 0) {
1247                 cancel_delayed_work(&hdev->discov_off);
1248                 hdev->discov_timeout = 0;
1249                 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1250         }
1251
1252         if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1253                 cancel_delayed_work(&hdev->service_cache);
1254
1255         cancel_delayed_work_sync(&hdev->le_scan_disable);
1256
1257         hci_dev_lock(hdev);
1258         hci_inquiry_cache_flush(hdev);
1259         hci_conn_hash_flush(hdev);
1260         hci_dev_unlock(hdev);
1261
1262         hci_notify(hdev, HCI_DEV_DOWN);
1263
1264         if (hdev->flush)
1265                 hdev->flush(hdev);
1266
1267         /* Reset device */
1268         skb_queue_purge(&hdev->cmd_q);
1269         atomic_set(&hdev->cmd_cnt, 1);
1270         if (!test_bit(HCI_RAW, &hdev->flags) &&
1271             test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
1272                 set_bit(HCI_INIT, &hdev->flags);
1273                 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
1274                 clear_bit(HCI_INIT, &hdev->flags);
1275         }
1276
1277         /* flush cmd  work */
1278         flush_work(&hdev->cmd_work);
1279
1280         /* Drop queues */
1281         skb_queue_purge(&hdev->rx_q);
1282         skb_queue_purge(&hdev->cmd_q);
1283         skb_queue_purge(&hdev->raw_q);
1284
1285         /* Drop last sent command */
1286         if (hdev->sent_cmd) {
1287                 del_timer_sync(&hdev->cmd_timer);
1288                 kfree_skb(hdev->sent_cmd);
1289                 hdev->sent_cmd = NULL;
1290         }
1291
1292         kfree_skb(hdev->recv_evt);
1293         hdev->recv_evt = NULL;
1294
1295         /* After this point our queues are empty
1296          * and no tasks are scheduled. */
1297         hdev->close(hdev);
1298
1299         /* Clear flags */
1300         hdev->flags = 0;
1301         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
1302
1303         if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
1304             mgmt_valid_hdev(hdev)) {
1305                 hci_dev_lock(hdev);
1306                 mgmt_powered(hdev, 0);
1307                 hci_dev_unlock(hdev);
1308         }
1309
1310         /* Controller radio is available but is currently powered down */
1311         hdev->amp_status = 0;
1312
1313         memset(hdev->eir, 0, sizeof(hdev->eir));
1314         memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1315
1316         hci_req_unlock(hdev);
1317
1318         hci_dev_put(hdev);
1319         return 0;
1320 }
1321
1322 int hci_dev_close(__u16 dev)
1323 {
1324         struct hci_dev *hdev;
1325         int err;
1326
1327         hdev = hci_dev_get(dev);
1328         if (!hdev)
1329                 return -ENODEV;
1330
1331         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1332                 cancel_delayed_work(&hdev->power_off);
1333
1334         err = hci_dev_do_close(hdev);
1335
1336         hci_dev_put(hdev);
1337         return err;
1338 }
1339
1340 int hci_dev_reset(__u16 dev)
1341 {
1342         struct hci_dev *hdev;
1343         int ret = 0;
1344
1345         hdev = hci_dev_get(dev);
1346         if (!hdev)
1347                 return -ENODEV;
1348
1349         hci_req_lock(hdev);
1350
1351         if (!test_bit(HCI_UP, &hdev->flags))
1352                 goto done;
1353
1354         /* Drop queues */
1355         skb_queue_purge(&hdev->rx_q);
1356         skb_queue_purge(&hdev->cmd_q);
1357
1358         hci_dev_lock(hdev);
1359         hci_inquiry_cache_flush(hdev);
1360         hci_conn_hash_flush(hdev);
1361         hci_dev_unlock(hdev);
1362
1363         if (hdev->flush)
1364                 hdev->flush(hdev);
1365
1366         atomic_set(&hdev->cmd_cnt, 1);
1367         hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1368
1369         if (!test_bit(HCI_RAW, &hdev->flags))
1370                 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
1371
1372 done:
1373         hci_req_unlock(hdev);
1374         hci_dev_put(hdev);
1375         return ret;
1376 }
1377
1378 int hci_dev_reset_stat(__u16 dev)
1379 {
1380         struct hci_dev *hdev;
1381         int ret = 0;
1382
1383         hdev = hci_dev_get(dev);
1384         if (!hdev)
1385                 return -ENODEV;
1386
1387         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1388
1389         hci_dev_put(hdev);
1390
1391         return ret;
1392 }
1393
1394 int hci_dev_cmd(unsigned int cmd, void __user *arg)
1395 {
1396         struct hci_dev *hdev;
1397         struct hci_dev_req dr;
1398         int err = 0;
1399
1400         if (copy_from_user(&dr, arg, sizeof(dr)))
1401                 return -EFAULT;
1402
1403         hdev = hci_dev_get(dr.dev_id);
1404         if (!hdev)
1405                 return -ENODEV;
1406
1407         switch (cmd) {
1408         case HCISETAUTH:
1409                 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1410                                    HCI_INIT_TIMEOUT);
1411                 break;
1412
1413         case HCISETENCRYPT:
1414                 if (!lmp_encrypt_capable(hdev)) {
1415                         err = -EOPNOTSUPP;
1416                         break;
1417                 }
1418
1419                 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1420                         /* Auth must be enabled first */
1421                         err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1422                                            HCI_INIT_TIMEOUT);
1423                         if (err)
1424                                 break;
1425                 }
1426
1427                 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1428                                    HCI_INIT_TIMEOUT);
1429                 break;
1430
1431         case HCISETSCAN:
1432                 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1433                                    HCI_INIT_TIMEOUT);
1434                 break;
1435
1436         case HCISETLINKPOL:
1437                 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1438                                    HCI_INIT_TIMEOUT);
1439                 break;
1440
1441         case HCISETLINKMODE:
1442                 hdev->link_mode = ((__u16) dr.dev_opt) &
1443                                         (HCI_LM_MASTER | HCI_LM_ACCEPT);
1444                 break;
1445
1446         case HCISETPTYPE:
1447                 hdev->pkt_type = (__u16) dr.dev_opt;
1448                 break;
1449
1450         case HCISETACLMTU:
1451                 hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
1452                 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1453                 break;
1454
1455         case HCISETSCOMTU:
1456                 hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
1457                 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1458                 break;
1459
1460         default:
1461                 err = -EINVAL;
1462                 break;
1463         }
1464
1465         hci_dev_put(hdev);
1466         return err;
1467 }
1468
1469 int hci_get_dev_list(void __user *arg)
1470 {
1471         struct hci_dev *hdev;
1472         struct hci_dev_list_req *dl;
1473         struct hci_dev_req *dr;
1474         int n = 0, size, err;
1475         __u16 dev_num;
1476
1477         if (get_user(dev_num, (__u16 __user *) arg))
1478                 return -EFAULT;
1479
1480         if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1481                 return -EINVAL;
1482
1483         size = sizeof(*dl) + dev_num * sizeof(*dr);
1484
1485         dl = kzalloc(size, GFP_KERNEL);
1486         if (!dl)
1487                 return -ENOMEM;
1488
1489         dr = dl->dev_req;
1490
1491         read_lock(&hci_dev_list_lock);
1492         list_for_each_entry(hdev, &hci_dev_list, list) {
1493                 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1494                         cancel_delayed_work(&hdev->power_off);
1495
1496                 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1497                         set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1498
1499                 (dr + n)->dev_id  = hdev->id;
1500                 (dr + n)->dev_opt = hdev->flags;
1501
1502                 if (++n >= dev_num)
1503                         break;
1504         }
1505         read_unlock(&hci_dev_list_lock);
1506
1507         dl->dev_num = n;
1508         size = sizeof(*dl) + n * sizeof(*dr);
1509
1510         err = copy_to_user(arg, dl, size);
1511         kfree(dl);
1512
1513         return err ? -EFAULT : 0;
1514 }
1515
1516 int hci_get_dev_info(void __user *arg)
1517 {
1518         struct hci_dev *hdev;
1519         struct hci_dev_info di;
1520         int err = 0;
1521
1522         if (copy_from_user(&di, arg, sizeof(di)))
1523                 return -EFAULT;
1524
1525         hdev = hci_dev_get(di.dev_id);
1526         if (!hdev)
1527                 return -ENODEV;
1528
1529         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1530                 cancel_delayed_work_sync(&hdev->power_off);
1531
1532         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1533                 set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1534
1535         strcpy(di.name, hdev->name);
1536         di.bdaddr   = hdev->bdaddr;
1537         di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
1538         di.flags    = hdev->flags;
1539         di.pkt_type = hdev->pkt_type;
1540         if (lmp_bredr_capable(hdev)) {
1541                 di.acl_mtu  = hdev->acl_mtu;
1542                 di.acl_pkts = hdev->acl_pkts;
1543                 di.sco_mtu  = hdev->sco_mtu;
1544                 di.sco_pkts = hdev->sco_pkts;
1545         } else {
1546                 di.acl_mtu  = hdev->le_mtu;
1547                 di.acl_pkts = hdev->le_pkts;
1548                 di.sco_mtu  = 0;
1549                 di.sco_pkts = 0;
1550         }
1551         di.link_policy = hdev->link_policy;
1552         di.link_mode   = hdev->link_mode;
1553
1554         memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1555         memcpy(&di.features, &hdev->features, sizeof(di.features));
1556
1557         if (copy_to_user(arg, &di, sizeof(di)))
1558                 err = -EFAULT;
1559
1560         hci_dev_put(hdev);
1561
1562         return err;
1563 }
1564
1565 /* ---- Interface to HCI drivers ---- */
1566
1567 static int hci_rfkill_set_block(void *data, bool blocked)
1568 {
1569         struct hci_dev *hdev = data;
1570
1571         BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1572
1573         if (blocked) {
1574                 set_bit(HCI_RFKILLED, &hdev->dev_flags);
1575                 if (!test_bit(HCI_SETUP, &hdev->dev_flags))
1576                         hci_dev_do_close(hdev);
1577         } else {
1578                 clear_bit(HCI_RFKILLED, &hdev->dev_flags);
1579         }
1580
1581         return 0;
1582 }
1583
1584 static const struct rfkill_ops hci_rfkill_ops = {
1585         .set_block = hci_rfkill_set_block,
1586 };
1587
1588 static void hci_power_on(struct work_struct *work)
1589 {
1590         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
1591         int err;
1592
1593         BT_DBG("%s", hdev->name);
1594
1595         err = hci_dev_open(hdev->id);
1596         if (err < 0) {
1597                 mgmt_set_powered_failed(hdev, err);
1598                 return;
1599         }
1600
1601         if (test_bit(HCI_RFKILLED, &hdev->dev_flags)) {
1602                 clear_bit(HCI_AUTO_OFF, &hdev->dev_flags);
1603                 hci_dev_do_close(hdev);
1604         } else if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
1605                 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1606                                    HCI_AUTO_OFF_TIMEOUT);
1607         }
1608
1609         if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
1610                 mgmt_index_added(hdev);
1611 }
1612
1613 static void hci_power_off(struct work_struct *work)
1614 {
1615         struct hci_dev *hdev = container_of(work, struct hci_dev,
1616                                             power_off.work);
1617
1618         BT_DBG("%s", hdev->name);
1619
1620         hci_dev_do_close(hdev);
1621 }
1622
1623 static void hci_discov_off(struct work_struct *work)
1624 {
1625         struct hci_dev *hdev;
1626         u8 scan = SCAN_PAGE;
1627
1628         hdev = container_of(work, struct hci_dev, discov_off.work);
1629
1630         BT_DBG("%s", hdev->name);
1631
1632         hci_dev_lock(hdev);
1633
1634         hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
1635
1636         hdev->discov_timeout = 0;
1637
1638         hci_dev_unlock(hdev);
1639 }
1640
1641 int hci_uuids_clear(struct hci_dev *hdev)
1642 {
1643         struct bt_uuid *uuid, *tmp;
1644
1645         list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1646                 list_del(&uuid->list);
1647                 kfree(uuid);
1648         }
1649
1650         return 0;
1651 }
1652
1653 int hci_link_keys_clear(struct hci_dev *hdev)
1654 {
1655         struct list_head *p, *n;
1656
1657         list_for_each_safe(p, n, &hdev->link_keys) {
1658                 struct link_key *key;
1659
1660                 key = list_entry(p, struct link_key, list);
1661
1662                 list_del(p);
1663                 kfree(key);
1664         }
1665
1666         return 0;
1667 }
1668
1669 int hci_smp_ltks_clear(struct hci_dev *hdev)
1670 {
1671         struct smp_ltk *k, *tmp;
1672
1673         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1674                 list_del(&k->list);
1675                 kfree(k);
1676         }
1677
1678         return 0;
1679 }
1680
1681 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1682 {
1683         struct link_key *k;
1684
1685         list_for_each_entry(k, &hdev->link_keys, list)
1686                 if (bacmp(bdaddr, &k->bdaddr) == 0)
1687                         return k;
1688
1689         return NULL;
1690 }
1691
1692 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1693                                u8 key_type, u8 old_key_type)
1694 {
1695         /* Legacy key */
1696         if (key_type < 0x03)
1697                 return true;
1698
1699         /* Debug keys are insecure so don't store them persistently */
1700         if (key_type == HCI_LK_DEBUG_COMBINATION)
1701                 return false;
1702
1703         /* Changed combination key and there's no previous one */
1704         if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1705                 return false;
1706
1707         /* Security mode 3 case */
1708         if (!conn)
1709                 return true;
1710
1711         /* Neither local nor remote side had no-bonding as requirement */
1712         if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1713                 return true;
1714
1715         /* Local side had dedicated bonding as requirement */
1716         if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1717                 return true;
1718
1719         /* Remote side had dedicated bonding as requirement */
1720         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1721                 return true;
1722
1723         /* If none of the above criteria match, then don't store the key
1724          * persistently */
1725         return false;
1726 }
1727
1728 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1729 {
1730         struct smp_ltk *k;
1731
1732         list_for_each_entry(k, &hdev->long_term_keys, list) {
1733                 if (k->ediv != ediv ||
1734                     memcmp(rand, k->rand, sizeof(k->rand)))
1735                         continue;
1736
1737                 return k;
1738         }
1739
1740         return NULL;
1741 }
1742
1743 struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1744                                      u8 addr_type)
1745 {
1746         struct smp_ltk *k;
1747
1748         list_for_each_entry(k, &hdev->long_term_keys, list)
1749                 if (addr_type == k->bdaddr_type &&
1750                     bacmp(bdaddr, &k->bdaddr) == 0)
1751                         return k;
1752
1753         return NULL;
1754 }
1755
1756 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1757                      bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1758 {
1759         struct link_key *key, *old_key;
1760         u8 old_key_type;
1761         bool persistent;
1762
1763         old_key = hci_find_link_key(hdev, bdaddr);
1764         if (old_key) {
1765                 old_key_type = old_key->type;
1766                 key = old_key;
1767         } else {
1768                 old_key_type = conn ? conn->key_type : 0xff;
1769                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1770                 if (!key)
1771                         return -ENOMEM;
1772                 list_add(&key->list, &hdev->link_keys);
1773         }
1774
1775         BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1776
1777         /* Some buggy controller combinations generate a changed
1778          * combination key for legacy pairing even when there's no
1779          * previous key */
1780         if (type == HCI_LK_CHANGED_COMBINATION &&
1781             (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1782                 type = HCI_LK_COMBINATION;
1783                 if (conn)
1784                         conn->key_type = type;
1785         }
1786
1787         bacpy(&key->bdaddr, bdaddr);
1788         memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1789         key->pin_len = pin_len;
1790
1791         if (type == HCI_LK_CHANGED_COMBINATION)
1792                 key->type = old_key_type;
1793         else
1794                 key->type = type;
1795
1796         if (!new_key)
1797                 return 0;
1798
1799         persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1800
1801         mgmt_new_link_key(hdev, key, persistent);
1802
1803         if (conn)
1804                 conn->flush_key = !persistent;
1805
1806         return 0;
1807 }
1808
1809 int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
1810                 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16
1811                 ediv, u8 rand[8])
1812 {
1813         struct smp_ltk *key, *old_key;
1814
1815         if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK))
1816                 return 0;
1817
1818         old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
1819         if (old_key)
1820                 key = old_key;
1821         else {
1822                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1823                 if (!key)
1824                         return -ENOMEM;
1825                 list_add(&key->list, &hdev->long_term_keys);
1826         }
1827
1828         bacpy(&key->bdaddr, bdaddr);
1829         key->bdaddr_type = addr_type;
1830         memcpy(key->val, tk, sizeof(key->val));
1831         key->authenticated = authenticated;
1832         key->ediv = ediv;
1833         key->enc_size = enc_size;
1834         key->type = type;
1835         memcpy(key->rand, rand, sizeof(key->rand));
1836
1837         if (!new_key)
1838                 return 0;
1839
1840         if (type & HCI_SMP_LTK)
1841                 mgmt_new_ltk(hdev, key, 1);
1842
1843         return 0;
1844 }
1845
1846 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1847 {
1848         struct link_key *key;
1849
1850         key = hci_find_link_key(hdev, bdaddr);
1851         if (!key)
1852                 return -ENOENT;
1853
1854         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1855
1856         list_del(&key->list);
1857         kfree(key);
1858
1859         return 0;
1860 }
1861
1862 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
1863 {
1864         struct smp_ltk *k, *tmp;
1865
1866         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1867                 if (bacmp(bdaddr, &k->bdaddr))
1868                         continue;
1869
1870                 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1871
1872                 list_del(&k->list);
1873                 kfree(k);
1874         }
1875
1876         return 0;
1877 }
1878
1879 /* HCI command timer function */
1880 static void hci_cmd_timeout(unsigned long arg)
1881 {
1882         struct hci_dev *hdev = (void *) arg;
1883
1884         if (hdev->sent_cmd) {
1885                 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
1886                 u16 opcode = __le16_to_cpu(sent->opcode);
1887
1888                 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
1889         } else {
1890                 BT_ERR("%s command tx timeout", hdev->name);
1891         }
1892
1893         atomic_set(&hdev->cmd_cnt, 1);
1894         queue_work(hdev->workqueue, &hdev->cmd_work);
1895 }
1896
1897 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1898                                           bdaddr_t *bdaddr)
1899 {
1900         struct oob_data *data;
1901
1902         list_for_each_entry(data, &hdev->remote_oob_data, list)
1903                 if (bacmp(bdaddr, &data->bdaddr) == 0)
1904                         return data;
1905
1906         return NULL;
1907 }
1908
1909 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1910 {
1911         struct oob_data *data;
1912
1913         data = hci_find_remote_oob_data(hdev, bdaddr);
1914         if (!data)
1915                 return -ENOENT;
1916
1917         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1918
1919         list_del(&data->list);
1920         kfree(data);
1921
1922         return 0;
1923 }
1924
1925 int hci_remote_oob_data_clear(struct hci_dev *hdev)
1926 {
1927         struct oob_data *data, *n;
1928
1929         list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1930                 list_del(&data->list);
1931                 kfree(data);
1932         }
1933
1934         return 0;
1935 }
1936
1937 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1938                             u8 *randomizer)
1939 {
1940         struct oob_data *data;
1941
1942         data = hci_find_remote_oob_data(hdev, bdaddr);
1943
1944         if (!data) {
1945                 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1946                 if (!data)
1947                         return -ENOMEM;
1948
1949                 bacpy(&data->bdaddr, bdaddr);
1950                 list_add(&data->list, &hdev->remote_oob_data);
1951         }
1952
1953         memcpy(data->hash, hash, sizeof(data->hash));
1954         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1955
1956         BT_DBG("%s for %pMR", hdev->name, bdaddr);
1957
1958         return 0;
1959 }
1960
1961 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
1962 {
1963         struct bdaddr_list *b;
1964
1965         list_for_each_entry(b, &hdev->blacklist, list)
1966                 if (bacmp(bdaddr, &b->bdaddr) == 0)
1967                         return b;
1968
1969         return NULL;
1970 }
1971
1972 int hci_blacklist_clear(struct hci_dev *hdev)
1973 {
1974         struct list_head *p, *n;
1975
1976         list_for_each_safe(p, n, &hdev->blacklist) {
1977                 struct bdaddr_list *b;
1978
1979                 b = list_entry(p, struct bdaddr_list, list);
1980
1981                 list_del(p);
1982                 kfree(b);
1983         }
1984
1985         return 0;
1986 }
1987
1988 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1989 {
1990         struct bdaddr_list *entry;
1991
1992         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1993                 return -EBADF;
1994
1995         if (hci_blacklist_lookup(hdev, bdaddr))
1996                 return -EEXIST;
1997
1998         entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1999         if (!entry)
2000                 return -ENOMEM;
2001
2002         bacpy(&entry->bdaddr, bdaddr);
2003
2004         list_add(&entry->list, &hdev->blacklist);
2005
2006         return mgmt_device_blocked(hdev, bdaddr, type);
2007 }
2008
2009 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2010 {
2011         struct bdaddr_list *entry;
2012
2013         if (bacmp(bdaddr, BDADDR_ANY) == 0)
2014                 return hci_blacklist_clear(hdev);
2015
2016         entry = hci_blacklist_lookup(hdev, bdaddr);
2017         if (!entry)
2018                 return -ENOENT;
2019
2020         list_del(&entry->list);
2021         kfree(entry);
2022
2023         return mgmt_device_unblocked(hdev, bdaddr, type);
2024 }
2025
2026 static void inquiry_complete(struct hci_dev *hdev, u8 status)
2027 {
2028         if (status) {
2029                 BT_ERR("Failed to start inquiry: status %d", status);
2030
2031                 hci_dev_lock(hdev);
2032                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2033                 hci_dev_unlock(hdev);
2034                 return;
2035         }
2036 }
2037
2038 static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status)
2039 {
2040         /* General inquiry access code (GIAC) */
2041         u8 lap[3] = { 0x33, 0x8b, 0x9e };
2042         struct hci_request req;
2043         struct hci_cp_inquiry cp;
2044         int err;
2045
2046         if (status) {
2047                 BT_ERR("Failed to disable LE scanning: status %d", status);
2048                 return;
2049         }
2050
2051         switch (hdev->discovery.type) {
2052         case DISCOV_TYPE_LE:
2053                 hci_dev_lock(hdev);
2054                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2055                 hci_dev_unlock(hdev);
2056                 break;
2057
2058         case DISCOV_TYPE_INTERLEAVED:
2059                 hci_req_init(&req, hdev);
2060
2061                 memset(&cp, 0, sizeof(cp));
2062                 memcpy(&cp.lap, lap, sizeof(cp.lap));
2063                 cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
2064                 hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
2065
2066                 hci_dev_lock(hdev);
2067
2068                 hci_inquiry_cache_flush(hdev);
2069
2070                 err = hci_req_run(&req, inquiry_complete);
2071                 if (err) {
2072                         BT_ERR("Inquiry request failed: err %d", err);
2073                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2074                 }
2075
2076                 hci_dev_unlock(hdev);
2077                 break;
2078         }
2079 }
2080
2081 static void le_scan_disable_work(struct work_struct *work)
2082 {
2083         struct hci_dev *hdev = container_of(work, struct hci_dev,
2084                                             le_scan_disable.work);
2085         struct hci_cp_le_set_scan_enable cp;
2086         struct hci_request req;
2087         int err;
2088
2089         BT_DBG("%s", hdev->name);
2090
2091         hci_req_init(&req, hdev);
2092
2093         memset(&cp, 0, sizeof(cp));
2094         cp.enable = LE_SCAN_DISABLE;
2095         hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2096
2097         err = hci_req_run(&req, le_scan_disable_work_complete);
2098         if (err)
2099                 BT_ERR("Disable LE scanning request failed: err %d", err);
2100 }
2101
2102 /* Alloc HCI device */
2103 struct hci_dev *hci_alloc_dev(void)
2104 {
2105         struct hci_dev *hdev;
2106
2107         hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
2108         if (!hdev)
2109                 return NULL;
2110
2111         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2112         hdev->esco_type = (ESCO_HV1);
2113         hdev->link_mode = (HCI_LM_ACCEPT);
2114         hdev->io_capability = 0x03; /* No Input No Output */
2115         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2116         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2117
2118         hdev->sniff_max_interval = 800;
2119         hdev->sniff_min_interval = 80;
2120
2121         mutex_init(&hdev->lock);
2122         mutex_init(&hdev->req_lock);
2123
2124         INIT_LIST_HEAD(&hdev->mgmt_pending);
2125         INIT_LIST_HEAD(&hdev->blacklist);
2126         INIT_LIST_HEAD(&hdev->uuids);
2127         INIT_LIST_HEAD(&hdev->link_keys);
2128         INIT_LIST_HEAD(&hdev->long_term_keys);
2129         INIT_LIST_HEAD(&hdev->remote_oob_data);
2130         INIT_LIST_HEAD(&hdev->conn_hash.list);
2131
2132         INIT_WORK(&hdev->rx_work, hci_rx_work);
2133         INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2134         INIT_WORK(&hdev->tx_work, hci_tx_work);
2135         INIT_WORK(&hdev->power_on, hci_power_on);
2136
2137         INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2138         INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2139         INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2140
2141         skb_queue_head_init(&hdev->rx_q);
2142         skb_queue_head_init(&hdev->cmd_q);
2143         skb_queue_head_init(&hdev->raw_q);
2144
2145         init_waitqueue_head(&hdev->req_wait_q);
2146
2147         setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
2148
2149         hci_init_sysfs(hdev);
2150         discovery_init(hdev);
2151
2152         return hdev;
2153 }
2154 EXPORT_SYMBOL(hci_alloc_dev);
2155
2156 /* Free HCI device */
2157 void hci_free_dev(struct hci_dev *hdev)
2158 {
2159         /* will free via device release */
2160         put_device(&hdev->dev);
2161 }
2162 EXPORT_SYMBOL(hci_free_dev);
2163
2164 /* Register HCI device */
2165 int hci_register_dev(struct hci_dev *hdev)
2166 {
2167         int id, error;
2168
2169         if (!hdev->open || !hdev->close)
2170                 return -EINVAL;
2171
2172         /* Do not allow HCI_AMP devices to register at index 0,
2173          * so the index can be used as the AMP controller ID.
2174          */
2175         switch (hdev->dev_type) {
2176         case HCI_BREDR:
2177                 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
2178                 break;
2179         case HCI_AMP:
2180                 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
2181                 break;
2182         default:
2183                 return -EINVAL;
2184         }
2185
2186         if (id < 0)
2187                 return id;
2188
2189         sprintf(hdev->name, "hci%d", id);
2190         hdev->id = id;
2191
2192         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2193
2194         hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
2195                                           WQ_MEM_RECLAIM, 1, hdev->name);
2196         if (!hdev->workqueue) {
2197                 error = -ENOMEM;
2198                 goto err;
2199         }
2200
2201         hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
2202                                               WQ_MEM_RECLAIM, 1, hdev->name);
2203         if (!hdev->req_workqueue) {
2204                 destroy_workqueue(hdev->workqueue);
2205                 error = -ENOMEM;
2206                 goto err;
2207         }
2208
2209         error = hci_add_sysfs(hdev);
2210         if (error < 0)
2211                 goto err_wqueue;
2212
2213         hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2214                                     RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2215                                     hdev);
2216         if (hdev->rfkill) {
2217                 if (rfkill_register(hdev->rfkill) < 0) {
2218                         rfkill_destroy(hdev->rfkill);
2219                         hdev->rfkill = NULL;
2220                 }
2221         }
2222
2223         if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
2224                 set_bit(HCI_RFKILLED, &hdev->dev_flags);
2225
2226         set_bit(HCI_SETUP, &hdev->dev_flags);
2227
2228         if (hdev->dev_type != HCI_AMP)
2229                 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2230
2231         write_lock(&hci_dev_list_lock);
2232         list_add(&hdev->list, &hci_dev_list);
2233         write_unlock(&hci_dev_list_lock);
2234
2235         hci_notify(hdev, HCI_DEV_REG);
2236         hci_dev_hold(hdev);
2237
2238         queue_work(hdev->req_workqueue, &hdev->power_on);
2239
2240         return id;
2241
2242 err_wqueue:
2243         destroy_workqueue(hdev->workqueue);
2244         destroy_workqueue(hdev->req_workqueue);
2245 err:
2246         ida_simple_remove(&hci_index_ida, hdev->id);
2247
2248         return error;
2249 }
2250 EXPORT_SYMBOL(hci_register_dev);
2251
2252 /* Unregister HCI device */
2253 void hci_unregister_dev(struct hci_dev *hdev)
2254 {
2255         int i, id;
2256
2257         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2258
2259         set_bit(HCI_UNREGISTER, &hdev->dev_flags);
2260
2261         id = hdev->id;
2262
2263         write_lock(&hci_dev_list_lock);
2264         list_del(&hdev->list);
2265         write_unlock(&hci_dev_list_lock);
2266
2267         hci_dev_do_close(hdev);
2268
2269         for (i = 0; i < NUM_REASSEMBLY; i++)
2270                 kfree_skb(hdev->reassembly[i]);
2271
2272         cancel_work_sync(&hdev->power_on);
2273
2274         if (!test_bit(HCI_INIT, &hdev->flags) &&
2275             !test_bit(HCI_SETUP, &hdev->dev_flags)) {
2276                 hci_dev_lock(hdev);
2277                 mgmt_index_removed(hdev);
2278                 hci_dev_unlock(hdev);
2279         }
2280
2281         /* mgmt_index_removed should take care of emptying the
2282          * pending list */
2283         BUG_ON(!list_empty(&hdev->mgmt_pending));
2284
2285         hci_notify(hdev, HCI_DEV_UNREG);
2286
2287         if (hdev->rfkill) {
2288                 rfkill_unregister(hdev->rfkill);
2289                 rfkill_destroy(hdev->rfkill);
2290         }
2291
2292         hci_del_sysfs(hdev);
2293
2294         destroy_workqueue(hdev->workqueue);
2295         destroy_workqueue(hdev->req_workqueue);
2296
2297         hci_dev_lock(hdev);
2298         hci_blacklist_clear(hdev);
2299         hci_uuids_clear(hdev);
2300         hci_link_keys_clear(hdev);
2301         hci_smp_ltks_clear(hdev);
2302         hci_remote_oob_data_clear(hdev);
2303         hci_dev_unlock(hdev);
2304
2305         hci_dev_put(hdev);
2306
2307         ida_simple_remove(&hci_index_ida, id);
2308 }
2309 EXPORT_SYMBOL(hci_unregister_dev);
2310
2311 /* Suspend HCI device */
2312 int hci_suspend_dev(struct hci_dev *hdev)
2313 {
2314         hci_notify(hdev, HCI_DEV_SUSPEND);
2315         return 0;
2316 }
2317 EXPORT_SYMBOL(hci_suspend_dev);
2318
2319 /* Resume HCI device */
2320 int hci_resume_dev(struct hci_dev *hdev)
2321 {
2322         hci_notify(hdev, HCI_DEV_RESUME);
2323         return 0;
2324 }
2325 EXPORT_SYMBOL(hci_resume_dev);
2326
2327 /* Receive frame from HCI drivers */
2328 int hci_recv_frame(struct sk_buff *skb)
2329 {
2330         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2331         if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2332                       && !test_bit(HCI_INIT, &hdev->flags))) {
2333                 kfree_skb(skb);
2334                 return -ENXIO;
2335         }
2336
2337         /* Incoming skb */
2338         bt_cb(skb)->incoming = 1;
2339
2340         /* Time stamp */
2341         __net_timestamp(skb);
2342
2343         skb_queue_tail(&hdev->rx_q, skb);
2344         queue_work(hdev->workqueue, &hdev->rx_work);
2345
2346         return 0;
2347 }
2348 EXPORT_SYMBOL(hci_recv_frame);
2349
2350 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
2351                           int count, __u8 index)
2352 {
2353         int len = 0;
2354         int hlen = 0;
2355         int remain = count;
2356         struct sk_buff *skb;
2357         struct bt_skb_cb *scb;
2358
2359         if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
2360             index >= NUM_REASSEMBLY)
2361                 return -EILSEQ;
2362
2363         skb = hdev->reassembly[index];
2364
2365         if (!skb) {
2366                 switch (type) {
2367                 case HCI_ACLDATA_PKT:
2368                         len = HCI_MAX_FRAME_SIZE;
2369                         hlen = HCI_ACL_HDR_SIZE;
2370                         break;
2371                 case HCI_EVENT_PKT:
2372                         len = HCI_MAX_EVENT_SIZE;
2373                         hlen = HCI_EVENT_HDR_SIZE;
2374                         break;
2375                 case HCI_SCODATA_PKT:
2376                         len = HCI_MAX_SCO_SIZE;
2377                         hlen = HCI_SCO_HDR_SIZE;
2378                         break;
2379                 }
2380
2381                 skb = bt_skb_alloc(len, GFP_ATOMIC);
2382                 if (!skb)
2383                         return -ENOMEM;
2384
2385                 scb = (void *) skb->cb;
2386                 scb->expect = hlen;
2387                 scb->pkt_type = type;
2388
2389                 skb->dev = (void *) hdev;
2390                 hdev->reassembly[index] = skb;
2391         }
2392
2393         while (count) {
2394                 scb = (void *) skb->cb;
2395                 len = min_t(uint, scb->expect, count);
2396
2397                 memcpy(skb_put(skb, len), data, len);
2398
2399                 count -= len;
2400                 data += len;
2401                 scb->expect -= len;
2402                 remain = count;
2403
2404                 switch (type) {
2405                 case HCI_EVENT_PKT:
2406                         if (skb->len == HCI_EVENT_HDR_SIZE) {
2407                                 struct hci_event_hdr *h = hci_event_hdr(skb);
2408                                 scb->expect = h->plen;
2409
2410                                 if (skb_tailroom(skb) < scb->expect) {
2411                                         kfree_skb(skb);
2412                                         hdev->reassembly[index] = NULL;
2413                                         return -ENOMEM;
2414                                 }
2415                         }
2416                         break;
2417
2418                 case HCI_ACLDATA_PKT:
2419                         if (skb->len  == HCI_ACL_HDR_SIZE) {
2420                                 struct hci_acl_hdr *h = hci_acl_hdr(skb);
2421                                 scb->expect = __le16_to_cpu(h->dlen);
2422
2423                                 if (skb_tailroom(skb) < scb->expect) {
2424                                         kfree_skb(skb);
2425                                         hdev->reassembly[index] = NULL;
2426                                         return -ENOMEM;
2427                                 }
2428                         }
2429                         break;
2430
2431                 case HCI_SCODATA_PKT:
2432                         if (skb->len == HCI_SCO_HDR_SIZE) {
2433                                 struct hci_sco_hdr *h = hci_sco_hdr(skb);
2434                                 scb->expect = h->dlen;
2435
2436                                 if (skb_tailroom(skb) < scb->expect) {
2437                                         kfree_skb(skb);
2438                                         hdev->reassembly[index] = NULL;
2439                                         return -ENOMEM;
2440                                 }
2441                         }
2442                         break;
2443                 }
2444
2445                 if (scb->expect == 0) {
2446                         /* Complete frame */
2447
2448                         bt_cb(skb)->pkt_type = type;
2449                         hci_recv_frame(skb);
2450
2451                         hdev->reassembly[index] = NULL;
2452                         return remain;
2453                 }
2454         }
2455
2456         return remain;
2457 }
2458
2459 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
2460 {
2461         int rem = 0;
2462
2463         if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
2464                 return -EILSEQ;
2465
2466         while (count) {
2467                 rem = hci_reassembly(hdev, type, data, count, type - 1);
2468                 if (rem < 0)
2469                         return rem;
2470
2471                 data += (count - rem);
2472                 count = rem;
2473         }
2474
2475         return rem;
2476 }
2477 EXPORT_SYMBOL(hci_recv_fragment);
2478
2479 #define STREAM_REASSEMBLY 0
2480
2481 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
2482 {
2483         int type;
2484         int rem = 0;
2485
2486         while (count) {
2487                 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
2488
2489                 if (!skb) {
2490                         struct { char type; } *pkt;
2491
2492                         /* Start of the frame */
2493                         pkt = data;
2494                         type = pkt->type;
2495
2496                         data++;
2497                         count--;
2498                 } else
2499                         type = bt_cb(skb)->pkt_type;
2500
2501                 rem = hci_reassembly(hdev, type, data, count,
2502                                      STREAM_REASSEMBLY);
2503                 if (rem < 0)
2504                         return rem;
2505
2506                 data += (count - rem);
2507                 count = rem;
2508         }
2509
2510         return rem;
2511 }
2512 EXPORT_SYMBOL(hci_recv_stream_fragment);
2513
2514 /* ---- Interface to upper protocols ---- */
2515
2516 int hci_register_cb(struct hci_cb *cb)
2517 {
2518         BT_DBG("%p name %s", cb, cb->name);
2519
2520         write_lock(&hci_cb_list_lock);
2521         list_add(&cb->list, &hci_cb_list);
2522         write_unlock(&hci_cb_list_lock);
2523
2524         return 0;
2525 }
2526 EXPORT_SYMBOL(hci_register_cb);
2527
2528 int hci_unregister_cb(struct hci_cb *cb)
2529 {
2530         BT_DBG("%p name %s", cb, cb->name);
2531
2532         write_lock(&hci_cb_list_lock);
2533         list_del(&cb->list);
2534         write_unlock(&hci_cb_list_lock);
2535
2536         return 0;
2537 }
2538 EXPORT_SYMBOL(hci_unregister_cb);
2539
2540 static int hci_send_frame(struct sk_buff *skb)
2541 {
2542         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2543
2544         if (!hdev) {
2545                 kfree_skb(skb);
2546                 return -ENODEV;
2547         }
2548
2549         BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
2550
2551         /* Time stamp */
2552         __net_timestamp(skb);
2553
2554         /* Send copy to monitor */
2555         hci_send_to_monitor(hdev, skb);
2556
2557         if (atomic_read(&hdev->promisc)) {
2558                 /* Send copy to the sockets */
2559                 hci_send_to_sock(hdev, skb);
2560         }
2561
2562         /* Get rid of skb owner, prior to sending to the driver. */
2563         skb_orphan(skb);
2564
2565         return hdev->send(skb);
2566 }
2567
2568 void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
2569 {
2570         skb_queue_head_init(&req->cmd_q);
2571         req->hdev = hdev;
2572         req->err = 0;
2573 }
2574
2575 int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
2576 {
2577         struct hci_dev *hdev = req->hdev;
2578         struct sk_buff *skb;
2579         unsigned long flags;
2580
2581         BT_DBG("length %u", skb_queue_len(&req->cmd_q));
2582
2583         /* If an error occured during request building, remove all HCI
2584          * commands queued on the HCI request queue.
2585          */
2586         if (req->err) {
2587                 skb_queue_purge(&req->cmd_q);
2588                 return req->err;
2589         }
2590
2591         /* Do not allow empty requests */
2592         if (skb_queue_empty(&req->cmd_q))
2593                 return -ENODATA;
2594
2595         skb = skb_peek_tail(&req->cmd_q);
2596         bt_cb(skb)->req.complete = complete;
2597
2598         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
2599         skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
2600         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
2601
2602         queue_work(hdev->workqueue, &hdev->cmd_work);
2603
2604         return 0;
2605 }
2606
2607 static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
2608                                        u32 plen, const void *param)
2609 {
2610         int len = HCI_COMMAND_HDR_SIZE + plen;
2611         struct hci_command_hdr *hdr;
2612         struct sk_buff *skb;
2613
2614         skb = bt_skb_alloc(len, GFP_ATOMIC);
2615         if (!skb)
2616                 return NULL;
2617
2618         hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
2619         hdr->opcode = cpu_to_le16(opcode);
2620         hdr->plen   = plen;
2621
2622         if (plen)
2623                 memcpy(skb_put(skb, plen), param, plen);
2624
2625         BT_DBG("skb len %d", skb->len);
2626
2627         bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
2628         skb->dev = (void *) hdev;
2629
2630         return skb;
2631 }
2632
2633 /* Send HCI command */
2634 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
2635                  const void *param)
2636 {
2637         struct sk_buff *skb;
2638
2639         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2640
2641         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2642         if (!skb) {
2643                 BT_ERR("%s no memory for command", hdev->name);
2644                 return -ENOMEM;
2645         }
2646
2647         /* Stand-alone HCI commands must be flaged as
2648          * single-command requests.
2649          */
2650         bt_cb(skb)->req.start = true;
2651
2652         skb_queue_tail(&hdev->cmd_q, skb);
2653         queue_work(hdev->workqueue, &hdev->cmd_work);
2654
2655         return 0;
2656 }
2657
2658 /* Queue a command to an asynchronous HCI request */
2659 void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen,
2660                     const void *param, u8 event)
2661 {
2662         struct hci_dev *hdev = req->hdev;
2663         struct sk_buff *skb;
2664
2665         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2666
2667         /* If an error occured during request building, there is no point in
2668          * queueing the HCI command. We can simply return.
2669          */
2670         if (req->err)
2671                 return;
2672
2673         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2674         if (!skb) {
2675                 BT_ERR("%s no memory for command (opcode 0x%4.4x)",
2676                        hdev->name, opcode);
2677                 req->err = -ENOMEM;
2678                 return;
2679         }
2680
2681         if (skb_queue_empty(&req->cmd_q))
2682                 bt_cb(skb)->req.start = true;
2683
2684         bt_cb(skb)->req.event = event;
2685
2686         skb_queue_tail(&req->cmd_q, skb);
2687 }
2688
2689 void hci_req_add(struct hci_request *req, u16 opcode, u32 plen,
2690                  const void *param)
2691 {
2692         hci_req_add_ev(req, opcode, plen, param, 0);
2693 }
2694
2695 /* Get data from the previously sent command */
2696 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
2697 {
2698         struct hci_command_hdr *hdr;
2699
2700         if (!hdev->sent_cmd)
2701                 return NULL;
2702
2703         hdr = (void *) hdev->sent_cmd->data;
2704
2705         if (hdr->opcode != cpu_to_le16(opcode))
2706                 return NULL;
2707
2708         BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2709
2710         return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
2711 }
2712
2713 /* Send ACL data */
2714 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
2715 {
2716         struct hci_acl_hdr *hdr;
2717         int len = skb->len;
2718
2719         skb_push(skb, HCI_ACL_HDR_SIZE);
2720         skb_reset_transport_header(skb);
2721         hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
2722         hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
2723         hdr->dlen   = cpu_to_le16(len);
2724 }
2725
2726 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
2727                           struct sk_buff *skb, __u16 flags)
2728 {
2729         struct hci_conn *conn = chan->conn;
2730         struct hci_dev *hdev = conn->hdev;
2731         struct sk_buff *list;
2732
2733         skb->len = skb_headlen(skb);
2734         skb->data_len = 0;
2735
2736         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2737
2738         switch (hdev->dev_type) {
2739         case HCI_BREDR:
2740                 hci_add_acl_hdr(skb, conn->handle, flags);
2741                 break;
2742         case HCI_AMP:
2743                 hci_add_acl_hdr(skb, chan->handle, flags);
2744                 break;
2745         default:
2746                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2747                 return;
2748         }
2749
2750         list = skb_shinfo(skb)->frag_list;
2751         if (!list) {
2752                 /* Non fragmented */
2753                 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
2754
2755                 skb_queue_tail(queue, skb);
2756         } else {
2757                 /* Fragmented */
2758                 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2759
2760                 skb_shinfo(skb)->frag_list = NULL;
2761
2762                 /* Queue all fragments atomically */
2763                 spin_lock(&queue->lock);
2764
2765                 __skb_queue_tail(queue, skb);
2766
2767                 flags &= ~ACL_START;
2768                 flags |= ACL_CONT;
2769                 do {
2770                         skb = list; list = list->next;
2771
2772                         skb->dev = (void *) hdev;
2773                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2774                         hci_add_acl_hdr(skb, conn->handle, flags);
2775
2776                         BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2777
2778                         __skb_queue_tail(queue, skb);
2779                 } while (list);
2780
2781                 spin_unlock(&queue->lock);
2782         }
2783 }
2784
2785 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
2786 {
2787         struct hci_dev *hdev = chan->conn->hdev;
2788
2789         BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
2790
2791         skb->dev = (void *) hdev;
2792
2793         hci_queue_acl(chan, &chan->data_q, skb, flags);
2794
2795         queue_work(hdev->workqueue, &hdev->tx_work);
2796 }
2797
2798 /* Send SCO data */
2799 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
2800 {
2801         struct hci_dev *hdev = conn->hdev;
2802         struct hci_sco_hdr hdr;
2803
2804         BT_DBG("%s len %d", hdev->name, skb->len);
2805
2806         hdr.handle = cpu_to_le16(conn->handle);
2807         hdr.dlen   = skb->len;
2808
2809         skb_push(skb, HCI_SCO_HDR_SIZE);
2810         skb_reset_transport_header(skb);
2811         memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
2812
2813         skb->dev = (void *) hdev;
2814         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
2815
2816         skb_queue_tail(&conn->data_q, skb);
2817         queue_work(hdev->workqueue, &hdev->tx_work);
2818 }
2819
2820 /* ---- HCI TX task (outgoing data) ---- */
2821
2822 /* HCI Connection scheduler */
2823 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
2824                                      int *quote)
2825 {
2826         struct hci_conn_hash *h = &hdev->conn_hash;
2827         struct hci_conn *conn = NULL, *c;
2828         unsigned int num = 0, min = ~0;
2829
2830         /* We don't have to lock device here. Connections are always
2831          * added and removed with TX task disabled. */
2832
2833         rcu_read_lock();
2834
2835         list_for_each_entry_rcu(c, &h->list, list) {
2836                 if (c->type != type || skb_queue_empty(&c->data_q))
2837                         continue;
2838
2839                 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
2840                         continue;
2841
2842                 num++;
2843
2844                 if (c->sent < min) {
2845                         min  = c->sent;
2846                         conn = c;
2847                 }
2848
2849                 if (hci_conn_num(hdev, type) == num)
2850                         break;
2851         }
2852
2853         rcu_read_unlock();
2854
2855         if (conn) {
2856                 int cnt, q;
2857
2858                 switch (conn->type) {
2859                 case ACL_LINK:
2860                         cnt = hdev->acl_cnt;
2861                         break;
2862                 case SCO_LINK:
2863                 case ESCO_LINK:
2864                         cnt = hdev->sco_cnt;
2865                         break;
2866                 case LE_LINK:
2867                         cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2868                         break;
2869                 default:
2870                         cnt = 0;
2871                         BT_ERR("Unknown link type");
2872                 }
2873
2874                 q = cnt / num;
2875                 *quote = q ? q : 1;
2876         } else
2877                 *quote = 0;
2878
2879         BT_DBG("conn %p quote %d", conn, *quote);
2880         return conn;
2881 }
2882
2883 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
2884 {
2885         struct hci_conn_hash *h = &hdev->conn_hash;
2886         struct hci_conn *c;
2887
2888         BT_ERR("%s link tx timeout", hdev->name);
2889
2890         rcu_read_lock();
2891
2892         /* Kill stalled connections */
2893         list_for_each_entry_rcu(c, &h->list, list) {
2894                 if (c->type == type && c->sent) {
2895                         BT_ERR("%s killing stalled connection %pMR",
2896                                hdev->name, &c->dst);
2897                         hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
2898                 }
2899         }
2900
2901         rcu_read_unlock();
2902 }
2903
2904 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2905                                       int *quote)
2906 {
2907         struct hci_conn_hash *h = &hdev->conn_hash;
2908         struct hci_chan *chan = NULL;
2909         unsigned int num = 0, min = ~0, cur_prio = 0;
2910         struct hci_conn *conn;
2911         int cnt, q, conn_num = 0;
2912
2913         BT_DBG("%s", hdev->name);
2914
2915         rcu_read_lock();
2916
2917         list_for_each_entry_rcu(conn, &h->list, list) {
2918                 struct hci_chan *tmp;
2919
2920                 if (conn->type != type)
2921                         continue;
2922
2923                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2924                         continue;
2925
2926                 conn_num++;
2927
2928                 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
2929                         struct sk_buff *skb;
2930
2931                         if (skb_queue_empty(&tmp->data_q))
2932                                 continue;
2933
2934                         skb = skb_peek(&tmp->data_q);
2935                         if (skb->priority < cur_prio)
2936                                 continue;
2937
2938                         if (skb->priority > cur_prio) {
2939                                 num = 0;
2940                                 min = ~0;
2941                                 cur_prio = skb->priority;
2942                         }
2943
2944                         num++;
2945
2946                         if (conn->sent < min) {
2947                                 min  = conn->sent;
2948                                 chan = tmp;
2949                         }
2950                 }
2951
2952                 if (hci_conn_num(hdev, type) == conn_num)
2953                         break;
2954         }
2955
2956         rcu_read_unlock();
2957
2958         if (!chan)
2959                 return NULL;
2960
2961         switch (chan->conn->type) {
2962         case ACL_LINK:
2963                 cnt = hdev->acl_cnt;
2964                 break;
2965         case AMP_LINK:
2966                 cnt = hdev->block_cnt;
2967                 break;
2968         case SCO_LINK:
2969         case ESCO_LINK:
2970                 cnt = hdev->sco_cnt;
2971                 break;
2972         case LE_LINK:
2973                 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2974                 break;
2975         default:
2976                 cnt = 0;
2977                 BT_ERR("Unknown link type");
2978         }
2979
2980         q = cnt / num;
2981         *quote = q ? q : 1;
2982         BT_DBG("chan %p quote %d", chan, *quote);
2983         return chan;
2984 }
2985
2986 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
2987 {
2988         struct hci_conn_hash *h = &hdev->conn_hash;
2989         struct hci_conn *conn;
2990         int num = 0;
2991
2992         BT_DBG("%s", hdev->name);
2993
2994         rcu_read_lock();
2995
2996         list_for_each_entry_rcu(conn, &h->list, list) {
2997                 struct hci_chan *chan;
2998
2999                 if (conn->type != type)
3000                         continue;
3001
3002                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3003                         continue;
3004
3005                 num++;
3006
3007                 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3008                         struct sk_buff *skb;
3009
3010                         if (chan->sent) {
3011                                 chan->sent = 0;
3012                                 continue;
3013                         }
3014
3015                         if (skb_queue_empty(&chan->data_q))
3016                                 continue;
3017
3018                         skb = skb_peek(&chan->data_q);
3019                         if (skb->priority >= HCI_PRIO_MAX - 1)
3020                                 continue;
3021
3022                         skb->priority = HCI_PRIO_MAX - 1;
3023
3024                         BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3025                                skb->priority);
3026                 }
3027
3028                 if (hci_conn_num(hdev, type) == num)
3029                         break;
3030         }
3031
3032         rcu_read_unlock();
3033
3034 }
3035
3036 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3037 {
3038         /* Calculate count of blocks used by this packet */
3039         return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3040 }
3041
3042 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3043 {
3044         if (!test_bit(HCI_RAW, &hdev->flags)) {
3045                 /* ACL tx timeout must be longer than maximum
3046                  * link supervision timeout (40.9 seconds) */
3047                 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3048                                        HCI_ACL_TX_TIMEOUT))
3049                         hci_link_tx_to(hdev, ACL_LINK);
3050         }
3051 }
3052
3053 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3054 {
3055         unsigned int cnt = hdev->acl_cnt;
3056         struct hci_chan *chan;
3057         struct sk_buff *skb;
3058         int quote;
3059
3060         __check_timeout(hdev, cnt);
3061
3062         while (hdev->acl_cnt &&
3063                (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3064                 u32 priority = (skb_peek(&chan->data_q))->priority;
3065                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3066                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3067                                skb->len, skb->priority);
3068
3069                         /* Stop if priority has changed */
3070                         if (skb->priority < priority)
3071                                 break;
3072
3073                         skb = skb_dequeue(&chan->data_q);
3074
3075                         hci_conn_enter_active_mode(chan->conn,
3076                                                    bt_cb(skb)->force_active);
3077
3078                         hci_send_frame(skb);
3079                         hdev->acl_last_tx = jiffies;
3080
3081                         hdev->acl_cnt--;
3082                         chan->sent++;
3083                         chan->conn->sent++;
3084                 }
3085         }
3086
3087         if (cnt != hdev->acl_cnt)
3088                 hci_prio_recalculate(hdev, ACL_LINK);
3089 }
3090
3091 static void hci_sched_acl_blk(struct hci_dev *hdev)
3092 {
3093         unsigned int cnt = hdev->block_cnt;
3094         struct hci_chan *chan;
3095         struct sk_buff *skb;
3096         int quote;
3097         u8 type;
3098
3099         __check_timeout(hdev, cnt);
3100
3101         BT_DBG("%s", hdev->name);
3102
3103         if (hdev->dev_type == HCI_AMP)
3104                 type = AMP_LINK;
3105         else
3106                 type = ACL_LINK;
3107
3108         while (hdev->block_cnt > 0 &&
3109                (chan = hci_chan_sent(hdev, type, &quote))) {
3110                 u32 priority = (skb_peek(&chan->data_q))->priority;
3111                 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3112                         int blocks;
3113
3114                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3115                                skb->len, skb->priority);
3116
3117                         /* Stop if priority has changed */
3118                         if (skb->priority < priority)
3119                                 break;
3120
3121                         skb = skb_dequeue(&chan->data_q);
3122
3123                         blocks = __get_blocks(hdev, skb);
3124                         if (blocks > hdev->block_cnt)
3125                                 return;
3126
3127                         hci_conn_enter_active_mode(chan->conn,
3128                                                    bt_cb(skb)->force_active);
3129
3130                         hci_send_frame(skb);
3131                         hdev->acl_last_tx = jiffies;
3132
3133                         hdev->block_cnt -= blocks;
3134                         quote -= blocks;
3135
3136                         chan->sent += blocks;
3137                         chan->conn->sent += blocks;
3138                 }
3139         }
3140
3141         if (cnt != hdev->block_cnt)
3142                 hci_prio_recalculate(hdev, type);
3143 }
3144
3145 static void hci_sched_acl(struct hci_dev *hdev)
3146 {
3147         BT_DBG("%s", hdev->name);
3148
3149         /* No ACL link over BR/EDR controller */
3150         if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3151                 return;
3152
3153         /* No AMP link over AMP controller */
3154         if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3155                 return;
3156
3157         switch (hdev->flow_ctl_mode) {
3158         case HCI_FLOW_CTL_MODE_PACKET_BASED:
3159                 hci_sched_acl_pkt(hdev);
3160                 break;
3161
3162         case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3163                 hci_sched_acl_blk(hdev);
3164                 break;
3165         }
3166 }
3167
3168 /* Schedule SCO */
3169 static void hci_sched_sco(struct hci_dev *hdev)
3170 {
3171         struct hci_conn *conn;
3172         struct sk_buff *skb;
3173         int quote;
3174
3175         BT_DBG("%s", hdev->name);
3176
3177         if (!hci_conn_num(hdev, SCO_LINK))
3178                 return;
3179
3180         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3181                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3182                         BT_DBG("skb %p len %d", skb, skb->len);
3183                         hci_send_frame(skb);
3184
3185                         conn->sent++;
3186                         if (conn->sent == ~0)
3187                                 conn->sent = 0;
3188                 }
3189         }
3190 }
3191
3192 static void hci_sched_esco(struct hci_dev *hdev)
3193 {
3194         struct hci_conn *conn;
3195         struct sk_buff *skb;
3196         int quote;
3197
3198         BT_DBG("%s", hdev->name);
3199
3200         if (!hci_conn_num(hdev, ESCO_LINK))
3201                 return;
3202
3203         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3204                                                      &quote))) {
3205                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3206                         BT_DBG("skb %p len %d", skb, skb->len);
3207                         hci_send_frame(skb);
3208
3209                         conn->sent++;
3210                         if (conn->sent == ~0)
3211                                 conn->sent = 0;
3212                 }
3213         }
3214 }
3215
3216 static void hci_sched_le(struct hci_dev *hdev)
3217 {
3218         struct hci_chan *chan;
3219         struct sk_buff *skb;
3220         int quote, cnt, tmp;
3221
3222         BT_DBG("%s", hdev->name);
3223
3224         if (!hci_conn_num(hdev, LE_LINK))
3225                 return;
3226
3227         if (!test_bit(HCI_RAW, &hdev->flags)) {
3228                 /* LE tx timeout must be longer than maximum
3229                  * link supervision timeout (40.9 seconds) */
3230                 if (!hdev->le_cnt && hdev->le_pkts &&
3231                     time_after(jiffies, hdev->le_last_tx + HZ * 45))
3232                         hci_link_tx_to(hdev, LE_LINK);
3233         }
3234
3235         cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3236         tmp = cnt;
3237         while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3238                 u32 priority = (skb_peek(&chan->data_q))->priority;
3239                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3240                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3241                                skb->len, skb->priority);
3242
3243                         /* Stop if priority has changed */
3244                         if (skb->priority < priority)
3245                                 break;
3246
3247                         skb = skb_dequeue(&chan->data_q);
3248
3249                         hci_send_frame(skb);
3250                         hdev->le_last_tx = jiffies;
3251
3252                         cnt--;
3253                         chan->sent++;
3254                         chan->conn->sent++;
3255                 }
3256         }
3257
3258         if (hdev->le_pkts)
3259                 hdev->le_cnt = cnt;
3260         else
3261                 hdev->acl_cnt = cnt;
3262
3263         if (cnt != tmp)
3264                 hci_prio_recalculate(hdev, LE_LINK);
3265 }
3266
3267 static void hci_tx_work(struct work_struct *work)
3268 {
3269         struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3270         struct sk_buff *skb;
3271
3272         BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3273                hdev->sco_cnt, hdev->le_cnt);
3274
3275         /* Schedule queues and send stuff to HCI driver */
3276
3277         hci_sched_acl(hdev);
3278
3279         hci_sched_sco(hdev);
3280
3281         hci_sched_esco(hdev);
3282
3283         hci_sched_le(hdev);
3284
3285         /* Send next queued raw (unknown type) packet */
3286         while ((skb = skb_dequeue(&hdev->raw_q)))
3287                 hci_send_frame(skb);
3288 }
3289
3290 /* ----- HCI RX task (incoming data processing) ----- */
3291
3292 /* ACL data packet */
3293 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3294 {
3295         struct hci_acl_hdr *hdr = (void *) skb->data;
3296         struct hci_conn *conn;
3297         __u16 handle, flags;
3298
3299         skb_pull(skb, HCI_ACL_HDR_SIZE);
3300
3301         handle = __le16_to_cpu(hdr->handle);
3302         flags  = hci_flags(handle);
3303         handle = hci_handle(handle);
3304
3305         BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3306                handle, flags);
3307
3308         hdev->stat.acl_rx++;
3309
3310         hci_dev_lock(hdev);
3311         conn = hci_conn_hash_lookup_handle(hdev, handle);
3312         hci_dev_unlock(hdev);
3313
3314         if (conn) {
3315                 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3316
3317                 /* Send to upper protocol */
3318                 l2cap_recv_acldata(conn, skb, flags);
3319                 return;
3320         } else {
3321                 BT_ERR("%s ACL packet for unknown connection handle %d",
3322                        hdev->name, handle);
3323         }
3324
3325         kfree_skb(skb);
3326 }
3327
3328 /* SCO data packet */
3329 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3330 {
3331         struct hci_sco_hdr *hdr = (void *) skb->data;
3332         struct hci_conn *conn;
3333         __u16 handle;
3334
3335         skb_pull(skb, HCI_SCO_HDR_SIZE);
3336
3337         handle = __le16_to_cpu(hdr->handle);
3338
3339         BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
3340
3341         hdev->stat.sco_rx++;
3342
3343         hci_dev_lock(hdev);
3344         conn = hci_conn_hash_lookup_handle(hdev, handle);
3345         hci_dev_unlock(hdev);
3346
3347         if (conn) {
3348                 /* Send to upper protocol */
3349                 sco_recv_scodata(conn, skb);
3350                 return;
3351         } else {
3352                 BT_ERR("%s SCO packet for unknown connection handle %d",
3353                        hdev->name, handle);
3354         }
3355
3356         kfree_skb(skb);
3357 }
3358
3359 static bool hci_req_is_complete(struct hci_dev *hdev)
3360 {
3361         struct sk_buff *skb;
3362
3363         skb = skb_peek(&hdev->cmd_q);
3364         if (!skb)
3365                 return true;
3366
3367         return bt_cb(skb)->req.start;
3368 }
3369
3370 static void hci_resend_last(struct hci_dev *hdev)
3371 {
3372         struct hci_command_hdr *sent;
3373         struct sk_buff *skb;
3374         u16 opcode;
3375
3376         if (!hdev->sent_cmd)
3377                 return;
3378
3379         sent = (void *) hdev->sent_cmd->data;
3380         opcode = __le16_to_cpu(sent->opcode);
3381         if (opcode == HCI_OP_RESET)
3382                 return;
3383
3384         skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
3385         if (!skb)
3386                 return;
3387
3388         skb_queue_head(&hdev->cmd_q, skb);
3389         queue_work(hdev->workqueue, &hdev->cmd_work);
3390 }
3391
3392 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
3393 {
3394         hci_req_complete_t req_complete = NULL;
3395         struct sk_buff *skb;
3396         unsigned long flags;
3397
3398         BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3399
3400         /* If the completed command doesn't match the last one that was
3401          * sent we need to do special handling of it.
3402          */
3403         if (!hci_sent_cmd_data(hdev, opcode)) {
3404                 /* Some CSR based controllers generate a spontaneous
3405                  * reset complete event during init and any pending
3406                  * command will never be completed. In such a case we
3407                  * need to resend whatever was the last sent
3408                  * command.
3409                  */
3410                 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
3411                         hci_resend_last(hdev);
3412
3413                 return;
3414         }
3415
3416         /* If the command succeeded and there's still more commands in
3417          * this request the request is not yet complete.
3418          */
3419         if (!status && !hci_req_is_complete(hdev))
3420                 return;
3421
3422         /* If this was the last command in a request the complete
3423          * callback would be found in hdev->sent_cmd instead of the
3424          * command queue (hdev->cmd_q).
3425          */
3426         if (hdev->sent_cmd) {
3427                 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
3428
3429                 if (req_complete) {
3430                         /* We must set the complete callback to NULL to
3431                          * avoid calling the callback more than once if
3432                          * this function gets called again.
3433                          */
3434                         bt_cb(hdev->sent_cmd)->req.complete = NULL;
3435
3436                         goto call_complete;
3437                 }
3438         }
3439
3440         /* Remove all pending commands belonging to this request */
3441         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
3442         while ((skb = __skb_dequeue(&hdev->cmd_q))) {
3443                 if (bt_cb(skb)->req.start) {
3444                         __skb_queue_head(&hdev->cmd_q, skb);
3445                         break;
3446                 }
3447
3448                 req_complete = bt_cb(skb)->req.complete;
3449                 kfree_skb(skb);
3450         }
3451         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
3452
3453 call_complete:
3454         if (req_complete)
3455                 req_complete(hdev, status);
3456 }
3457
3458 static void hci_rx_work(struct work_struct *work)
3459 {
3460         struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
3461         struct sk_buff *skb;
3462
3463         BT_DBG("%s", hdev->name);
3464
3465         while ((skb = skb_dequeue(&hdev->rx_q))) {
3466                 /* Send copy to monitor */
3467                 hci_send_to_monitor(hdev, skb);
3468
3469                 if (atomic_read(&hdev->promisc)) {
3470                         /* Send copy to the sockets */
3471                         hci_send_to_sock(hdev, skb);
3472                 }
3473
3474                 if (test_bit(HCI_RAW, &hdev->flags)) {
3475                         kfree_skb(skb);
3476                         continue;
3477                 }
3478
3479                 if (test_bit(HCI_INIT, &hdev->flags)) {
3480                         /* Don't process data packets in this states. */
3481                         switch (bt_cb(skb)->pkt_type) {
3482                         case HCI_ACLDATA_PKT:
3483                         case HCI_SCODATA_PKT:
3484                                 kfree_skb(skb);
3485                                 continue;
3486                         }
3487                 }
3488
3489                 /* Process frame */
3490                 switch (bt_cb(skb)->pkt_type) {
3491                 case HCI_EVENT_PKT:
3492                         BT_DBG("%s Event packet", hdev->name);
3493                         hci_event_packet(hdev, skb);
3494                         break;
3495
3496                 case HCI_ACLDATA_PKT:
3497                         BT_DBG("%s ACL data packet", hdev->name);
3498                         hci_acldata_packet(hdev, skb);
3499                         break;
3500
3501                 case HCI_SCODATA_PKT:
3502                         BT_DBG("%s SCO data packet", hdev->name);
3503                         hci_scodata_packet(hdev, skb);
3504                         break;
3505
3506                 default:
3507                         kfree_skb(skb);
3508                         break;
3509                 }
3510         }
3511 }
3512
3513 static void hci_cmd_work(struct work_struct *work)
3514 {
3515         struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
3516         struct sk_buff *skb;
3517
3518         BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
3519                atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
3520
3521         /* Send queued commands */
3522         if (atomic_read(&hdev->cmd_cnt)) {
3523                 skb = skb_dequeue(&hdev->cmd_q);
3524                 if (!skb)
3525                         return;
3526
3527                 kfree_skb(hdev->sent_cmd);
3528
3529                 hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
3530                 if (hdev->sent_cmd) {
3531                         atomic_dec(&hdev->cmd_cnt);
3532                         hci_send_frame(skb);
3533                         if (test_bit(HCI_RESET, &hdev->flags))
3534                                 del_timer(&hdev->cmd_timer);
3535                         else
3536                                 mod_timer(&hdev->cmd_timer,
3537                                           jiffies + HCI_CMD_TIMEOUT);
3538                 } else {
3539                         skb_queue_head(&hdev->cmd_q, skb);
3540                         queue_work(hdev->workqueue, &hdev->cmd_work);
3541                 }
3542         }
3543 }
3544
3545 u8 bdaddr_to_le(u8 bdaddr_type)
3546 {
3547         switch (bdaddr_type) {
3548         case BDADDR_LE_PUBLIC:
3549                 return ADDR_LE_DEV_PUBLIC;
3550
3551         default:
3552                 /* Fallback to LE Random address type */
3553                 return ADDR_LE_DEV_RANDOM;
3554         }
3555 }
Linux kernel for KaRo TX COM modules