1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (C) 2000-2001 Qualcomm Incorporated
4
   Copyright (C) 2011 ProFUSION Embedded Systems
5

6
   Written 2000,2001 by Maxim Krasnyansky <[email protected]>
7

8
   This program is free software; you can redistribute it and/or modify
9
   it under the terms of the GNU General Public License version 2 as
10
   published by the Free Software Foundation;
11

12
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20

21
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23
   SOFTWARE IS DISCLAIMED.
24
*/
25

26
/* Bluetooth HCI core. */
27

28
#include <linux/export.h>
29
#include <linux/rfkill.h>
30
#include <linux/debugfs.h>
31
#include <linux/crypto.h>
32
#include <linux/kcov.h>
33
#include <linux/property.h>
34
#include <linux/suspend.h>
35
#include <linux/wait.h>
36
#include <linux/unaligned.h>
37

38
#include <net/bluetooth/bluetooth.h>
39
#include <net/bluetooth/hci_core.h>
40
#include <net/bluetooth/l2cap.h>
41
#include <net/bluetooth/mgmt.h>
42

43
#include "hci_debugfs.h"
44
#include "smp.h"
45
#include "leds.h"
46
#include "msft.h"
47
#include "aosp.h"
48
#include "hci_codec.h"
49

50
static void hci_rx_work(struct work_struct *work);
51
static void hci_cmd_work(struct work_struct *work);
52
static void hci_tx_work(struct work_struct *work);
53

54
/* HCI device list */
55
LIST_HEAD(hci_dev_list);
56
DEFINE_RWLOCK(hci_dev_list_lock);
57

58
/* HCI callback list */
59
LIST_HEAD(hci_cb_list);
60
DEFINE_MUTEX(hci_cb_list_lock);
61

62
/* HCI ID Numbering */
63
static DEFINE_IDA(hci_index_ida);
64

65
/* Get HCI device by index.
66
 * Device is held on return. */
67
static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
68
{
69
	struct hci_dev *hdev = NULL, *d;
70

71
	BT_DBG("%d", index);
72

73
	if (index < 0)
74
		return NULL;
75

76
	read_lock(&hci_dev_list_lock);
77
	list_for_each_entry(d, &hci_dev_list, list) {
78
		if (d->id == index) {
79
			hdev = hci_dev_hold(d);
80
			if (srcu_index)
81
				*srcu_index = srcu_read_lock(&d->srcu);
82
			break;
83
		}
84
	}
85
	read_unlock(&hci_dev_list_lock);
86
	return hdev;
87
}
88

89
struct hci_dev *hci_dev_get(int index)
90
{
91
	return __hci_dev_get(index, NULL);
92
}
93

94
static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)
95
{
96
	return __hci_dev_get(index, srcu_index);
97
}
98

99
static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)
100
{
101
	srcu_read_unlock(&hdev->srcu, srcu_index);
102
	hci_dev_put(hdev);
103
}
104

105
/* ---- Inquiry support ---- */
106

107
bool hci_discovery_active(struct hci_dev *hdev)
108
{
109
	struct discovery_state *discov = &hdev->discovery;
110

111
	switch (discov->state) {
112
	case DISCOVERY_FINDING:
113
	case DISCOVERY_RESOLVING:
114
		return true;
115

116
	default:
117
		return false;
118
	}
119
}
120

121
void hci_discovery_set_state(struct hci_dev *hdev, int state)
122
{
123
	int old_state = hdev->discovery.state;
124

125
	if (old_state == state)
126
		return;
127

128
	hdev->discovery.state = state;
129

130
	switch (state) {
131
	case DISCOVERY_STOPPED:
132
		hci_update_passive_scan(hdev);
133

134
		if (old_state != DISCOVERY_STARTING)
135
			mgmt_discovering(hdev, 0);
136
		break;
137
	case DISCOVERY_STARTING:
138
		break;
139
	case DISCOVERY_FINDING:
140
		mgmt_discovering(hdev, 1);
141
		break;
142
	case DISCOVERY_RESOLVING:
143
		break;
144
	case DISCOVERY_STOPPING:
145
		break;
146
	}
147

148
	bt_dev_dbg(hdev, "state %u -> %u", old_state, state);
149
}
150

151
void hci_inquiry_cache_flush(struct hci_dev *hdev)
152
{
153
	struct discovery_state *cache = &hdev->discovery;
154
	struct inquiry_entry *p, *n;
155

156
	list_for_each_entry_safe(p, n, &cache->all, all) {
157
		list_del(&p->all);
158
		kfree(p);
159
	}
160

161
	INIT_LIST_HEAD(&cache->unknown);
162
	INIT_LIST_HEAD(&cache->resolve);
163
}
164

165
struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
166
					       bdaddr_t *bdaddr)
167
{
168
	struct discovery_state *cache = &hdev->discovery;
169
	struct inquiry_entry *e;
170

171
	BT_DBG("cache %p, %pMR", cache, bdaddr);
172

173
	list_for_each_entry(e, &cache->all, all) {
174
		if (!bacmp(&e->data.bdaddr, bdaddr))
175
			return e;
176
	}
177

178
	return NULL;
179
}
180

181
struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
182
						       bdaddr_t *bdaddr)
183
{
184
	struct discovery_state *cache = &hdev->discovery;
185
	struct inquiry_entry *e;
186

187
	BT_DBG("cache %p, %pMR", cache, bdaddr);
188

189
	list_for_each_entry(e, &cache->unknown, list) {
190
		if (!bacmp(&e->data.bdaddr, bdaddr))
191
			return e;
192
	}
193

194
	return NULL;
195
}
196

197
struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
198
						       bdaddr_t *bdaddr,
199
						       int state)
200
{
201
	struct discovery_state *cache = &hdev->discovery;
202
	struct inquiry_entry *e;
203

204
	BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
205

206
	list_for_each_entry(e, &cache->resolve, list) {
207
		if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
208
			return e;
209
		if (!bacmp(&e->data.bdaddr, bdaddr))
210
			return e;
211
	}
212

213
	return NULL;
214
}
215

216
void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
217
				      struct inquiry_entry *ie)
218
{
219
	struct discovery_state *cache = &hdev->discovery;
220
	struct list_head *pos = &cache->resolve;
221
	struct inquiry_entry *p;
222

223
	list_del(&ie->list);
224

225
	list_for_each_entry(p, &cache->resolve, list) {
226
		if (p->name_state != NAME_PENDING &&
227
		    abs(p->data.rssi) >= abs(ie->data.rssi))
228
			break;
229
		pos = &p->list;
230
	}
231

232
	list_add(&ie->list, pos);
233
}
234

235
u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
236
			     bool name_known)
237
{
238
	struct discovery_state *cache = &hdev->discovery;
239
	struct inquiry_entry *ie;
240
	u32 flags = 0;
241

242
	BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
243

244
	hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
245

246
	if (!data->ssp_mode)
247
		flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
248

249
	ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
250
	if (ie) {
251
		if (!ie->data.ssp_mode)
252
			flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
253

254
		if (ie->name_state == NAME_NEEDED &&
255
		    data->rssi != ie->data.rssi) {
256
			ie->data.rssi = data->rssi;
257
			hci_inquiry_cache_update_resolve(hdev, ie);
258
		}
259

260
		goto update;
261
	}
262

263
	/* Entry not in the cache. Add new one. */
264
	ie = kzalloc(sizeof(*ie), GFP_KERNEL);
265
	if (!ie) {
266
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
267
		goto done;
268
	}
269

270
	list_add(&ie->all, &cache->all);
271

272
	if (name_known) {
273
		ie->name_state = NAME_KNOWN;
274
	} else {
275
		ie->name_state = NAME_NOT_KNOWN;
276
		list_add(&ie->list, &cache->unknown);
277
	}
278

279
update:
280
	if (name_known && ie->name_state != NAME_KNOWN &&
281
	    ie->name_state != NAME_PENDING) {
282
		ie->name_state = NAME_KNOWN;
283
		list_del(&ie->list);
284
	}
285

286
	memcpy(&ie->data, data, sizeof(*data));
287
	ie->timestamp = jiffies;
288
	cache->timestamp = jiffies;
289

290
	if (ie->name_state == NAME_NOT_KNOWN)
291
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
292

293
done:
294
	return flags;
295
}
296

297
static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
298
{
299
	struct discovery_state *cache = &hdev->discovery;
300
	struct inquiry_info *info = (struct inquiry_info *) buf;
301
	struct inquiry_entry *e;
302
	int copied = 0;
303

304
	list_for_each_entry(e, &cache->all, all) {
305
		struct inquiry_data *data = &e->data;
306

307
		if (copied >= num)
308
			break;
309

310
		bacpy(&info->bdaddr, &data->bdaddr);
311
		info->pscan_rep_mode	= data->pscan_rep_mode;
312
		info->pscan_period_mode	= data->pscan_period_mode;
313
		info->pscan_mode	= data->pscan_mode;
314
		memcpy(info->dev_class, data->dev_class, 3);
315
		info->clock_offset	= data->clock_offset;
316

317
		info++;
318
		copied++;
319
	}
320

321
	BT_DBG("cache %p, copied %d", cache, copied);
322
	return copied;
323
}
324

325
int hci_inquiry(void __user *arg)
326
{
327
	__u8 __user *ptr = arg;
328
	struct hci_inquiry_req ir;
329
	struct hci_dev *hdev;
330
	int err = 0, do_inquiry = 0, max_rsp;
331
	__u8 *buf;
332

333
	if (copy_from_user(&ir, ptr, sizeof(ir)))
334
		return -EFAULT;
335

336
	hdev = hci_dev_get(ir.dev_id);
337
	if (!hdev)
338
		return -ENODEV;
339

340
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
341
		err = -EBUSY;
342
		goto done;
343
	}
344

345
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
346
		err = -EOPNOTSUPP;
347
		goto done;
348
	}
349

350
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
351
		err = -EOPNOTSUPP;
352
		goto done;
353
	}
354

355
	/* Restrict maximum inquiry length to 60 seconds */
356
	if (ir.length > 60) {
357
		err = -EINVAL;
358
		goto done;
359
	}
360

361
	hci_dev_lock(hdev);
362
	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
363
	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
364
		hci_inquiry_cache_flush(hdev);
365
		do_inquiry = 1;
366
	}
367
	hci_dev_unlock(hdev);
368

369
	if (do_inquiry) {
370
		hci_req_sync_lock(hdev);
371
		err = hci_inquiry_sync(hdev, ir.length, ir.num_rsp);
372
		hci_req_sync_unlock(hdev);
373

374
		if (err < 0)
375
			goto done;
376

377
		/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
378
		 * cleared). If it is interrupted by a signal, return -EINTR.
379
		 */
380
		if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
381
				TASK_INTERRUPTIBLE)) {
382
			err = -EINTR;
383
			goto done;
384
		}
385
	}
386

387
	/* for unlimited number of responses we will use buffer with
388
	 * 255 entries
389
	 */
390
	max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
391

392
	/* cache_dump can't sleep. Therefore we allocate temp buffer and then
393
	 * copy it to the user space.
394
	 */
395
	buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
396
	if (!buf) {
397
		err = -ENOMEM;
398
		goto done;
399
	}
400

401
	hci_dev_lock(hdev);
402
	ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
403
	hci_dev_unlock(hdev);
404

405
	BT_DBG("num_rsp %d", ir.num_rsp);
406

407
	if (!copy_to_user(ptr, &ir, sizeof(ir))) {
408
		ptr += sizeof(ir);
409
		if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
410
				 ir.num_rsp))
411
			err = -EFAULT;
412
	} else
413
		err = -EFAULT;
414

415
	kfree(buf);
416

417
done:
418
	hci_dev_put(hdev);
419
	return err;
420
}
421

422
static int hci_dev_do_open(struct hci_dev *hdev)
423
{
424
	int ret = 0;
425

426
	BT_DBG("%s %p", hdev->name, hdev);
427

428
	hci_req_sync_lock(hdev);
429

430
	ret = hci_dev_open_sync(hdev);
431

432
	hci_req_sync_unlock(hdev);
433
	return ret;
434
}
435

436
/* ---- HCI ioctl helpers ---- */
437

438
int hci_dev_open(__u16 dev)
439
{
440
	struct hci_dev *hdev;
441
	int err;
442

443
	hdev = hci_dev_get(dev);
444
	if (!hdev)
445
		return -ENODEV;
446

447
	/* Devices that are marked as unconfigured can only be powered
448
	 * up as user channel. Trying to bring them up as normal devices
449
	 * will result into a failure. Only user channel operation is
450
	 * possible.
451
	 *
452
	 * When this function is called for a user channel, the flag
453
	 * HCI_USER_CHANNEL will be set first before attempting to
454
	 * open the device.
455
	 */
456
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
457
	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
458
		err = -EOPNOTSUPP;
459
		goto done;
460
	}
461

462
	/* We need to ensure that no other power on/off work is pending
463
	 * before proceeding to call hci_dev_do_open. This is
464
	 * particularly important if the setup procedure has not yet
465
	 * completed.
466
	 */
467
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
468
		cancel_delayed_work(&hdev->power_off);
469

470
	/* After this call it is guaranteed that the setup procedure
471
	 * has finished. This means that error conditions like RFKILL
472
	 * or no valid public or static random address apply.
473
	 */
474
	flush_workqueue(hdev->req_workqueue);
475

476
	/* For controllers not using the management interface and that
477
	 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
478
	 * so that pairing works for them. Once the management interface
479
	 * is in use this bit will be cleared again and userspace has
480
	 * to explicitly enable it.
481
	 */
482
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
483
	    !hci_dev_test_flag(hdev, HCI_MGMT))
484
		hci_dev_set_flag(hdev, HCI_BONDABLE);
485

486
	err = hci_dev_do_open(hdev);
487

488
done:
489
	hci_dev_put(hdev);
490
	return err;
491
}
492

493
int hci_dev_do_close(struct hci_dev *hdev)
494
{
495
	int err;
496

497
	BT_DBG("%s %p", hdev->name, hdev);
498

499
	hci_req_sync_lock(hdev);
500

501
	err = hci_dev_close_sync(hdev);
502

503
	hci_req_sync_unlock(hdev);
504

505
	return err;
506
}
507

508
int hci_dev_close(__u16 dev)
509
{
510
	struct hci_dev *hdev;
511
	int err;
512

513
	hdev = hci_dev_get(dev);
514
	if (!hdev)
515
		return -ENODEV;
516

517
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
518
		err = -EBUSY;
519
		goto done;
520
	}
521

522
	cancel_work_sync(&hdev->power_on);
523
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
524
		cancel_delayed_work(&hdev->power_off);
525

526
	err = hci_dev_do_close(hdev);
527

528
done:
529
	hci_dev_put(hdev);
530
	return err;
531
}
532

533
static int hci_dev_do_reset(struct hci_dev *hdev)
534
{
535
	int ret;
536

537
	BT_DBG("%s %p", hdev->name, hdev);
538

539
	hci_req_sync_lock(hdev);
540

541
	/* Drop queues */
542
	skb_queue_purge(&hdev->rx_q);
543
	skb_queue_purge(&hdev->cmd_q);
544

545
	/* Cancel these to avoid queueing non-chained pending work */
546
	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
547
	/* Wait for
548
	 *
549
	 *    if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
550
	 *        queue_delayed_work(&hdev->{cmd,ncmd}_timer)
551
	 *
552
	 * inside RCU section to see the flag or complete scheduling.
553
	 */
554
	synchronize_rcu();
555
	/* Explicitly cancel works in case scheduled after setting the flag. */
556
	cancel_delayed_work(&hdev->cmd_timer);
557
	cancel_delayed_work(&hdev->ncmd_timer);
558

559
	/* Avoid potential lockdep warnings from the *_flush() calls by
560
	 * ensuring the workqueue is empty up front.
561
	 */
562
	drain_workqueue(hdev->workqueue);
563

564
	hci_dev_lock(hdev);
565
	hci_inquiry_cache_flush(hdev);
566
	hci_conn_hash_flush(hdev);
567
	hci_dev_unlock(hdev);
568

569
	if (hdev->flush)
570
		hdev->flush(hdev);
571

572
	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
573

574
	atomic_set(&hdev->cmd_cnt, 1);
575
	hdev->acl_cnt = 0;
576
	hdev->sco_cnt = 0;
577
	hdev->le_cnt = 0;
578
	hdev->iso_cnt = 0;
579

580
	ret = hci_reset_sync(hdev);
581

582
	hci_req_sync_unlock(hdev);
583
	return ret;
584
}
585

586
int hci_dev_reset(__u16 dev)
587
{
588
	struct hci_dev *hdev;
589
	int err, srcu_index;
590

591
	hdev = hci_dev_get_srcu(dev, &srcu_index);
592
	if (!hdev)
593
		return -ENODEV;
594

595
	if (!test_bit(HCI_UP, &hdev->flags)) {
596
		err = -ENETDOWN;
597
		goto done;
598
	}
599

600
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
601
		err = -EBUSY;
602
		goto done;
603
	}
604

605
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
606
		err = -EOPNOTSUPP;
607
		goto done;
608
	}
609

610
	err = hci_dev_do_reset(hdev);
611

612
done:
613
	hci_dev_put_srcu(hdev, srcu_index);
614
	return err;
615
}
616

617
int hci_dev_reset_stat(__u16 dev)
618
{
619
	struct hci_dev *hdev;
620
	int ret = 0;
621

622
	hdev = hci_dev_get(dev);
623
	if (!hdev)
624
		return -ENODEV;
625

626
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
627
		ret = -EBUSY;
628
		goto done;
629
	}
630

631
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
632
		ret = -EOPNOTSUPP;
633
		goto done;
634
	}
635

636
	memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
637

638
done:
639
	hci_dev_put(hdev);
640
	return ret;
641
}
642

643
static void hci_update_passive_scan_state(struct hci_dev *hdev, u8 scan)
644
{
645
	bool conn_changed, discov_changed;
646

647
	BT_DBG("%s scan 0x%02x", hdev->name, scan);
648

649
	if ((scan & SCAN_PAGE))
650
		conn_changed = !hci_dev_test_and_set_flag(hdev,
651
							  HCI_CONNECTABLE);
652
	else
653
		conn_changed = hci_dev_test_and_clear_flag(hdev,
654
							   HCI_CONNECTABLE);
655

656
	if ((scan & SCAN_INQUIRY)) {
657
		discov_changed = !hci_dev_test_and_set_flag(hdev,
658
							    HCI_DISCOVERABLE);
659
	} else {
660
		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
661
		discov_changed = hci_dev_test_and_clear_flag(hdev,
662
							     HCI_DISCOVERABLE);
663
	}
664

665
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
666
		return;
667

668
	if (conn_changed || discov_changed) {
669
		/* In case this was disabled through mgmt */
670
		hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
671

672
		if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
673
			hci_update_adv_data(hdev, hdev->cur_adv_instance);
674

675
		mgmt_new_settings(hdev);
676
	}
677
}
678

679
int hci_dev_cmd(unsigned int cmd, void __user *arg)
680
{
681
	struct hci_dev *hdev;
682
	struct hci_dev_req dr;
683
	__le16 policy;
684
	int err = 0;
685

686
	if (copy_from_user(&dr, arg, sizeof(dr)))
687
		return -EFAULT;
688

689
	hdev = hci_dev_get(dr.dev_id);
690
	if (!hdev)
691
		return -ENODEV;
692

693
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
694
		err = -EBUSY;
695
		goto done;
696
	}
697

698
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
699
		err = -EOPNOTSUPP;
700
		goto done;
701
	}
702

703
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
704
		err = -EOPNOTSUPP;
705
		goto done;
706
	}
707

708
	switch (cmd) {
709
	case HCISETAUTH:
710
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
711
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
712
		break;
713

714
	case HCISETENCRYPT:
715
		if (!lmp_encrypt_capable(hdev)) {
716
			err = -EOPNOTSUPP;
717
			break;
718
		}
719

720
		if (!test_bit(HCI_AUTH, &hdev->flags)) {
721
			/* Auth must be enabled first */
722
			err = hci_cmd_sync_status(hdev,
723
						  HCI_OP_WRITE_AUTH_ENABLE,
724
						  1, &dr.dev_opt,
725
						  HCI_CMD_TIMEOUT);
726
			if (err)
727
				break;
728
		}
729

730
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
731
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
732
		break;
733

734
	case HCISETSCAN:
735
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
736
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
737

738
		/* Ensure that the connectable and discoverable states
739
		 * get correctly modified as this was a non-mgmt change.
740
		 */
741
		if (!err)
742
			hci_update_passive_scan_state(hdev, dr.dev_opt);
743
		break;
744

745
	case HCISETLINKPOL:
746
		policy = cpu_to_le16(dr.dev_opt);
747

748
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
749
					  2, &policy, HCI_CMD_TIMEOUT);
750
		break;
751

752
	case HCISETLINKMODE:
753
		hdev->link_mode = ((__u16) dr.dev_opt) &
754
					(HCI_LM_MASTER | HCI_LM_ACCEPT);
755
		break;
756

757
	case HCISETPTYPE:
758
		if (hdev->pkt_type == (__u16) dr.dev_opt)
759
			break;
760

761
		hdev->pkt_type = (__u16) dr.dev_opt;
762
		mgmt_phy_configuration_changed(hdev, NULL);
763
		break;
764

765
	case HCISETACLMTU:
766
		hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
767
		hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
768
		break;
769

770
	case HCISETSCOMTU:
771
		hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
772
		hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
773
		break;
774

775
	default:
776
		err = -EINVAL;
777
		break;
778
	}
779

780
done:
781
	hci_dev_put(hdev);
782
	return err;
783
}
784

785
int hci_get_dev_list(void __user *arg)
786
{
787
	struct hci_dev *hdev;
788
	struct hci_dev_list_req *dl;
789
	struct hci_dev_req *dr;
790
	int n = 0, err;
791
	__u16 dev_num;
792

793
	if (get_user(dev_num, (__u16 __user *) arg))
794
		return -EFAULT;
795

796
	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
797
		return -EINVAL;
798

799
	dl = kzalloc(struct_size(dl, dev_req, dev_num), GFP_KERNEL);
800
	if (!dl)
801
		return -ENOMEM;
802

803
	dl->dev_num = dev_num;
804
	dr = dl->dev_req;
805

806
	read_lock(&hci_dev_list_lock);
807
	list_for_each_entry(hdev, &hci_dev_list, list) {
808
		unsigned long flags = hdev->flags;
809

810
		/* When the auto-off is configured it means the transport
811
		 * is running, but in that case still indicate that the
812
		 * device is actually down.
813
		 */
814
		if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
815
			flags &= ~BIT(HCI_UP);
816

817
		dr[n].dev_id  = hdev->id;
818
		dr[n].dev_opt = flags;
819

820
		if (++n >= dev_num)
821
			break;
822
	}
823
	read_unlock(&hci_dev_list_lock);
824

825
	dl->dev_num = n;
826
	err = copy_to_user(arg, dl, struct_size(dl, dev_req, n));
827
	kfree(dl);
828

829
	return err ? -EFAULT : 0;
830
}
831

832
int hci_get_dev_info(void __user *arg)
833
{
834
	struct hci_dev *hdev;
835
	struct hci_dev_info di;
836
	unsigned long flags;
837
	int err = 0;
838

839
	if (copy_from_user(&di, arg, sizeof(di)))
840
		return -EFAULT;
841

842
	hdev = hci_dev_get(di.dev_id);
843
	if (!hdev)
844
		return -ENODEV;
845

846
	/* When the auto-off is configured it means the transport
847
	 * is running, but in that case still indicate that the
848
	 * device is actually down.
849
	 */
850
	if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
851
		flags = hdev->flags & ~BIT(HCI_UP);
852
	else
853
		flags = hdev->flags;
854

855
	strscpy(di.name, hdev->name, sizeof(di.name));
856
	di.bdaddr   = hdev->bdaddr;
857
	di.type     = (hdev->bus & 0x0f);
858
	di.flags    = flags;
859
	di.pkt_type = hdev->pkt_type;
860
	if (lmp_bredr_capable(hdev)) {
861
		di.acl_mtu  = hdev->acl_mtu;
862
		di.acl_pkts = hdev->acl_pkts;
863
		di.sco_mtu  = hdev->sco_mtu;
864
		di.sco_pkts = hdev->sco_pkts;
865
	} else {
866
		di.acl_mtu  = hdev->le_mtu;
867
		di.acl_pkts = hdev->le_pkts;
868
		di.sco_mtu  = 0;
869
		di.sco_pkts = 0;
870
	}
871
	di.link_policy = hdev->link_policy;
872
	di.link_mode   = hdev->link_mode;
873

874
	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
875
	memcpy(&di.features, &hdev->features, sizeof(di.features));
876

877
	if (copy_to_user(arg, &di, sizeof(di)))
878
		err = -EFAULT;
879

880
	hci_dev_put(hdev);
881

882
	return err;
883
}
884

885
/* ---- Interface to HCI drivers ---- */
886

887
static int hci_dev_do_poweroff(struct hci_dev *hdev)
888
{
889
	int err;
890

891
	BT_DBG("%s %p", hdev->name, hdev);
892

893
	hci_req_sync_lock(hdev);
894

895
	err = hci_set_powered_sync(hdev, false);
896

897
	hci_req_sync_unlock(hdev);
898

899
	return err;
900
}
901

902
static int hci_rfkill_set_block(void *data, bool blocked)
903
{
904
	struct hci_dev *hdev = data;
905
	int err;
906

907
	BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
908

909
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
910
		return -EBUSY;
911

912
	if (blocked == hci_dev_test_flag(hdev, HCI_RFKILLED))
913
		return 0;
914

915
	if (blocked) {
916
		hci_dev_set_flag(hdev, HCI_RFKILLED);
917

918
		if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
919
		    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
920
			err = hci_dev_do_poweroff(hdev);
921
			if (err) {
922
				bt_dev_err(hdev, "Error when powering off device on rfkill (%d)",
923
					   err);
924

925
				/* Make sure the device is still closed even if
926
				 * anything during power off sequence (eg.
927
				 * disconnecting devices) failed.
928
				 */
929
				hci_dev_do_close(hdev);
930
			}
931
		}
932
	} else {
933
		hci_dev_clear_flag(hdev, HCI_RFKILLED);
934
	}
935

936
	return 0;
937
}
938

939
static const struct rfkill_ops hci_rfkill_ops = {
940
	.set_block = hci_rfkill_set_block,
941
};
942

943
static void hci_power_on(struct work_struct *work)
944
{
945
	struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
946
	int err;
947

948
	BT_DBG("%s", hdev->name);
949

950
	if (test_bit(HCI_UP, &hdev->flags) &&
951
	    hci_dev_test_flag(hdev, HCI_MGMT) &&
952
	    hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
953
		cancel_delayed_work(&hdev->power_off);
954
		err = hci_powered_update_sync(hdev);
955
		mgmt_power_on(hdev, err);
956
		return;
957
	}
958

959
	err = hci_dev_do_open(hdev);
960
	if (err < 0) {
961
		hci_dev_lock(hdev);
962
		mgmt_set_powered_failed(hdev, err);
963
		hci_dev_unlock(hdev);
964
		return;
965
	}
966

967
	/* During the HCI setup phase, a few error conditions are
968
	 * ignored and they need to be checked now. If they are still
969
	 * valid, it is important to turn the device back off.
970
	 */
971
	if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
972
	    hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
973
	    (!bacmp(&hdev->bdaddr, BDADDR_ANY) &&
974
	     !bacmp(&hdev->static_addr, BDADDR_ANY))) {
975
		hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
976
		hci_dev_do_close(hdev);
977
	} else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
978
		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
979
				   HCI_AUTO_OFF_TIMEOUT);
980
	}
981

982
	if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
983
		/* For unconfigured devices, set the HCI_RAW flag
984
		 * so that userspace can easily identify them.
985
		 */
986
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
987
			set_bit(HCI_RAW, &hdev->flags);
988

989
		/* For fully configured devices, this will send
990
		 * the Index Added event. For unconfigured devices,
991
		 * it will send Unconfigued Index Added event.
992
		 *
993
		 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
994
		 * and no event will be send.
995
		 */
996
		mgmt_index_added(hdev);
997
	} else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
998
		/* When the controller is now configured, then it
999
		 * is important to clear the HCI_RAW flag.
1000
		 */
1001
		if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1002
			clear_bit(HCI_RAW, &hdev->flags);
1003

1004
		/* Powering on the controller with HCI_CONFIG set only
1005
		 * happens with the transition from unconfigured to
1006
		 * configured. This will send the Index Added event.
1007
		 */
1008
		mgmt_index_added(hdev);
1009
	}
1010
}
1011

1012
static void hci_power_off(struct work_struct *work)
1013
{
1014
	struct hci_dev *hdev = container_of(work, struct hci_dev,
1015
					    power_off.work);
1016

1017
	BT_DBG("%s", hdev->name);
1018

1019
	hci_dev_do_close(hdev);
1020
}
1021

1022
static void hci_error_reset(struct work_struct *work)
1023
{
1024
	struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
1025

1026
	hci_dev_hold(hdev);
1027
	BT_DBG("%s", hdev->name);
1028

1029
	if (hdev->hw_error)
1030
		hdev->hw_error(hdev, hdev->hw_error_code);
1031
	else
1032
		bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code);
1033

1034
	if (!hci_dev_do_close(hdev))
1035
		hci_dev_do_open(hdev);
1036

1037
	hci_dev_put(hdev);
1038
}
1039

1040
void hci_uuids_clear(struct hci_dev *hdev)
1041
{
1042
	struct bt_uuid *uuid, *tmp;
1043

1044
	list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1045
		list_del(&uuid->list);
1046
		kfree(uuid);
1047
	}
1048
}
1049

1050
void hci_link_keys_clear(struct hci_dev *hdev)
1051
{
1052
	struct link_key *key, *tmp;
1053

1054
	list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
1055
		list_del_rcu(&key->list);
1056
		kfree_rcu(key, rcu);
1057
	}
1058
}
1059

1060
void hci_smp_ltks_clear(struct hci_dev *hdev)
1061
{
1062
	struct smp_ltk *k, *tmp;
1063

1064
	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1065
		list_del_rcu(&k->list);
1066
		kfree_rcu(k, rcu);
1067
	}
1068
}
1069

1070
void hci_smp_irks_clear(struct hci_dev *hdev)
1071
{
1072
	struct smp_irk *k, *tmp;
1073

1074
	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
1075
		list_del_rcu(&k->list);
1076
		kfree_rcu(k, rcu);
1077
	}
1078
}
1079

1080
void hci_blocked_keys_clear(struct hci_dev *hdev)
1081
{
1082
	struct blocked_key *b, *tmp;
1083

1084
	list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
1085
		list_del_rcu(&b->list);
1086
		kfree_rcu(b, rcu);
1087
	}
1088
}
1089

1090
bool hci_is_blocked_key(struct hci_dev *hdev, u8 type, u8 val[16])
1091
{
1092
	bool blocked = false;
1093
	struct blocked_key *b;
1094

1095
	rcu_read_lock();
1096
	list_for_each_entry_rcu(b, &hdev->blocked_keys, list) {
1097
		if (b->type == type && !memcmp(b->val, val, sizeof(b->val))) {
1098
			blocked = true;
1099
			break;
1100
		}
1101
	}
1102

1103
	rcu_read_unlock();
1104
	return blocked;
1105
}
1106

1107
struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1108
{
1109
	struct link_key *k;
1110

1111
	rcu_read_lock();
1112
	list_for_each_entry_rcu(k, &hdev->link_keys, list) {
1113
		if (bacmp(bdaddr, &k->bdaddr) == 0) {
1114
			rcu_read_unlock();
1115

1116
			if (hci_is_blocked_key(hdev,
1117
					       HCI_BLOCKED_KEY_TYPE_LINKKEY,
1118
					       k->val)) {
1119
				bt_dev_warn_ratelimited(hdev,
1120
							"Link key blocked for %pMR",
1121
							&k->bdaddr);
1122
				return NULL;
1123
			}
1124

1125
			return k;
1126
		}
1127
	}
1128
	rcu_read_unlock();
1129

1130
	return NULL;
1131
}
1132

1133
static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1134
			       u8 key_type, u8 old_key_type)
1135
{
1136
	/* Legacy key */
1137
	if (key_type < 0x03)
1138
		return true;
1139

1140
	/* Debug keys are insecure so don't store them persistently */
1141
	if (key_type == HCI_LK_DEBUG_COMBINATION)
1142
		return false;
1143

1144
	/* Changed combination key and there's no previous one */
1145
	if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1146
		return false;
1147

1148
	/* Security mode 3 case */
1149
	if (!conn)
1150
		return true;
1151

1152
	/* BR/EDR key derived using SC from an LE link */
1153
	if (conn->type == LE_LINK)
1154
		return true;
1155

1156
	/* Neither local nor remote side had no-bonding as requirement */
1157
	if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1158
		return true;
1159

1160
	/* Local side had dedicated bonding as requirement */
1161
	if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1162
		return true;
1163

1164
	/* Remote side had dedicated bonding as requirement */
1165
	if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1166
		return true;
1167

1168
	/* If none of the above criteria match, then don't store the key
1169
	 * persistently */
1170
	return false;
1171
}
1172

1173
static u8 ltk_role(u8 type)
1174
{
1175
	if (type == SMP_LTK)
1176
		return HCI_ROLE_MASTER;
1177

1178
	return HCI_ROLE_SLAVE;
1179
}
1180

1181
struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1182
			     u8 addr_type, u8 role)
1183
{
1184
	struct smp_ltk *k;
1185

1186
	rcu_read_lock();
1187
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
1188
		if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
1189
			continue;
1190

1191
		if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
1192
			rcu_read_unlock();
1193

1194
			if (hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_LTK,
1195
					       k->val)) {
1196
				bt_dev_warn_ratelimited(hdev,
1197
							"LTK blocked for %pMR",
1198
							&k->bdaddr);
1199
				return NULL;
1200
			}
1201

1202
			return k;
1203
		}
1204
	}
1205
	rcu_read_unlock();
1206

1207
	return NULL;
1208
}
1209

1210
struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
1211
{
1212
	struct smp_irk *irk_to_return = NULL;
1213
	struct smp_irk *irk;
1214

1215
	rcu_read_lock();
1216
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1217
		if (!bacmp(&irk->rpa, rpa)) {
1218
			irk_to_return = irk;
1219
			goto done;
1220
		}
1221
	}
1222

1223
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1224
		if (smp_irk_matches(hdev, irk->val, rpa)) {
1225
			bacpy(&irk->rpa, rpa);
1226
			irk_to_return = irk;
1227
			goto done;
1228
		}
1229
	}
1230

1231
done:
1232
	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
1233
						irk_to_return->val)) {
1234
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
1235
					&irk_to_return->bdaddr);
1236
		irk_to_return = NULL;
1237
	}
1238

1239
	rcu_read_unlock();
1240

1241
	return irk_to_return;
1242
}
1243

1244
struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1245
				     u8 addr_type)
1246
{
1247
	struct smp_irk *irk_to_return = NULL;
1248
	struct smp_irk *irk;
1249

1250
	/* Identity Address must be public or static random */
1251
	if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
1252
		return NULL;
1253

1254
	rcu_read_lock();
1255
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1256
		if (addr_type == irk->addr_type &&
1257
		    bacmp(bdaddr, &irk->bdaddr) == 0) {
1258
			irk_to_return = irk;
1259
			break;
1260
		}
1261
	}
1262

1263
	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
1264
						irk_to_return->val)) {
1265
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
1266
					&irk_to_return->bdaddr);
1267
		irk_to_return = NULL;
1268
	}
1269

1270
	rcu_read_unlock();
1271

1272
	return irk_to_return;
1273
}
1274

1275
struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
1276
				  bdaddr_t *bdaddr, u8 *val, u8 type,
1277
				  u8 pin_len, bool *persistent)
1278
{
1279
	struct link_key *key, *old_key;
1280
	u8 old_key_type;
1281

1282
	old_key = hci_find_link_key(hdev, bdaddr);
1283
	if (old_key) {
1284
		old_key_type = old_key->type;
1285
		key = old_key;
1286
	} else {
1287
		old_key_type = conn ? conn->key_type : 0xff;
1288
		key = kzalloc(sizeof(*key), GFP_KERNEL);
1289
		if (!key)
1290
			return NULL;
1291
		list_add_rcu(&key->list, &hdev->link_keys);
1292
	}
1293

1294
	BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1295

1296
	/* Some buggy controller combinations generate a changed
1297
	 * combination key for legacy pairing even when there's no
1298
	 * previous key */
1299
	if (type == HCI_LK_CHANGED_COMBINATION &&
1300
	    (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1301
		type = HCI_LK_COMBINATION;
1302
		if (conn)
1303
			conn->key_type = type;
1304
	}
1305

1306
	bacpy(&key->bdaddr, bdaddr);
1307
	memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1308
	key->pin_len = pin_len;
1309

1310
	if (type == HCI_LK_CHANGED_COMBINATION)
1311
		key->type = old_key_type;
1312
	else
1313
		key->type = type;
1314

1315
	if (persistent)
1316
		*persistent = hci_persistent_key(hdev, conn, type,
1317
						 old_key_type);
1318

1319
	return key;
1320
}
1321

1322
struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1323
			    u8 addr_type, u8 type, u8 authenticated,
1324
			    u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
1325
{
1326
	struct smp_ltk *key, *old_key;
1327
	u8 role = ltk_role(type);
1328

1329
	old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
1330
	if (old_key)
1331
		key = old_key;
1332
	else {
1333
		key = kzalloc(sizeof(*key), GFP_KERNEL);
1334
		if (!key)
1335
			return NULL;
1336
		list_add_rcu(&key->list, &hdev->long_term_keys);
1337
	}
1338

1339
	bacpy(&key->bdaddr, bdaddr);
1340
	key->bdaddr_type = addr_type;
1341
	memcpy(key->val, tk, sizeof(key->val));
1342
	key->authenticated = authenticated;
1343
	key->ediv = ediv;
1344
	key->rand = rand;
1345
	key->enc_size = enc_size;
1346
	key->type = type;
1347

1348
	return key;
1349
}
1350

1351
struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1352
			    u8 addr_type, u8 val[16], bdaddr_t *rpa)
1353
{
1354
	struct smp_irk *irk;
1355

1356
	irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
1357
	if (!irk) {
1358
		irk = kzalloc(sizeof(*irk), GFP_KERNEL);
1359
		if (!irk)
1360
			return NULL;
1361

1362
		bacpy(&irk->bdaddr, bdaddr);
1363
		irk->addr_type = addr_type;
1364

1365
		list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
1366
	}
1367

1368
	memcpy(irk->val, val, 16);
1369
	bacpy(&irk->rpa, rpa);
1370

1371
	return irk;
1372
}
1373

1374
int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1375
{
1376
	struct link_key *key;
1377

1378
	key = hci_find_link_key(hdev, bdaddr);
1379
	if (!key)
1380
		return -ENOENT;
1381

1382
	BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1383

1384
	list_del_rcu(&key->list);
1385
	kfree_rcu(key, rcu);
1386

1387
	return 0;
1388
}
1389

1390
int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
1391
{
1392
	struct smp_ltk *k, *tmp;
1393
	int removed = 0;
1394

1395
	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1396
		if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
1397
			continue;
1398

1399
		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1400

1401
		list_del_rcu(&k->list);
1402
		kfree_rcu(k, rcu);
1403
		removed++;
1404
	}
1405

1406
	return removed ? 0 : -ENOENT;
1407
}
1408

1409
void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
1410
{
1411
	struct smp_irk *k, *tmp;
1412

1413
	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
1414
		if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
1415
			continue;
1416

1417
		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1418

1419
		list_del_rcu(&k->list);
1420
		kfree_rcu(k, rcu);
1421
	}
1422
}
1423

1424
bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1425
{
1426
	struct smp_ltk *k;
1427
	struct smp_irk *irk;
1428
	u8 addr_type;
1429

1430
	if (type == BDADDR_BREDR) {
1431
		if (hci_find_link_key(hdev, bdaddr))
1432
			return true;
1433
		return false;
1434
	}
1435

1436
	/* Convert to HCI addr type which struct smp_ltk uses */
1437
	if (type == BDADDR_LE_PUBLIC)
1438
		addr_type = ADDR_LE_DEV_PUBLIC;
1439
	else
1440
		addr_type = ADDR_LE_DEV_RANDOM;
1441

1442
	irk = hci_get_irk(hdev, bdaddr, addr_type);
1443
	if (irk) {
1444
		bdaddr = &irk->bdaddr;
1445
		addr_type = irk->addr_type;
1446
	}
1447

1448
	rcu_read_lock();
1449
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
1450
		if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
1451
			rcu_read_unlock();
1452
			return true;
1453
		}
1454
	}
1455
	rcu_read_unlock();
1456

1457
	return false;
1458
}
1459

1460
/* HCI command timer function */
1461
static void hci_cmd_timeout(struct work_struct *work)
1462
{
1463
	struct hci_dev *hdev = container_of(work, struct hci_dev,
1464
					    cmd_timer.work);
1465

1466
	if (hdev->req_skb) {
1467
		u16 opcode = hci_skb_opcode(hdev->req_skb);
1468

1469
		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
1470

1471
		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
1472
	} else {
1473
		bt_dev_err(hdev, "command tx timeout");
1474
	}
1475

1476
	if (hdev->reset)
1477
		hdev->reset(hdev);
1478

1479
	atomic_set(&hdev->cmd_cnt, 1);
1480
	queue_work(hdev->workqueue, &hdev->cmd_work);
1481
}
1482

1483
/* HCI ncmd timer function */
1484
static void hci_ncmd_timeout(struct work_struct *work)
1485
{
1486
	struct hci_dev *hdev = container_of(work, struct hci_dev,
1487
					    ncmd_timer.work);
1488

1489
	bt_dev_err(hdev, "Controller not accepting commands anymore: ncmd = 0");
1490

1491
	/* During HCI_INIT phase no events can be injected if the ncmd timer
1492
	 * triggers since the procedure has its own timeout handling.
1493
	 */
1494
	if (test_bit(HCI_INIT, &hdev->flags))
1495
		return;
1496

1497
	/* This is an irrecoverable state, inject hardware error event */
1498
	hci_reset_dev(hdev);
1499
}
1500

1501
struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1502
					  bdaddr_t *bdaddr, u8 bdaddr_type)
1503
{
1504
	struct oob_data *data;
1505

1506
	list_for_each_entry(data, &hdev->remote_oob_data, list) {
1507
		if (bacmp(bdaddr, &data->bdaddr) != 0)
1508
			continue;
1509
		if (data->bdaddr_type != bdaddr_type)
1510
			continue;
1511
		return data;
1512
	}
1513

1514
	return NULL;
1515
}
1516

1517
int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
1518
			       u8 bdaddr_type)
1519
{
1520
	struct oob_data *data;
1521

1522
	data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
1523
	if (!data)
1524
		return -ENOENT;
1525

1526
	BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
1527

1528
	list_del(&data->list);
1529
	kfree(data);
1530

1531
	return 0;
1532
}
1533

1534
void hci_remote_oob_data_clear(struct hci_dev *hdev)
1535
{
1536
	struct oob_data *data, *n;
1537

1538
	list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1539
		list_del(&data->list);
1540
		kfree(data);
1541
	}
1542
}
1543

1544
int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
1545
			    u8 bdaddr_type, u8 *hash192, u8 *rand192,
1546
			    u8 *hash256, u8 *rand256)
1547
{
1548
	struct oob_data *data;
1549

1550
	data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
1551
	if (!data) {
1552
		data = kmalloc(sizeof(*data), GFP_KERNEL);
1553
		if (!data)
1554
			return -ENOMEM;
1555

1556
		bacpy(&data->bdaddr, bdaddr);
1557
		data->bdaddr_type = bdaddr_type;
1558
		list_add(&data->list, &hdev->remote_oob_data);
1559
	}
1560

1561
	if (hash192 && rand192) {
1562
		memcpy(data->hash192, hash192, sizeof(data->hash192));
1563
		memcpy(data->rand192, rand192, sizeof(data->rand192));
1564
		if (hash256 && rand256)
1565
			data->present = 0x03;
1566
	} else {
1567
		memset(data->hash192, 0, sizeof(data->hash192));
1568
		memset(data->rand192, 0, sizeof(data->rand192));
1569
		if (hash256 && rand256)
1570
			data->present = 0x02;
1571
		else
1572
			data->present = 0x00;
1573
	}
1574

1575
	if (hash256 && rand256) {
1576
		memcpy(data->hash256, hash256, sizeof(data->hash256));
1577
		memcpy(data->rand256, rand256, sizeof(data->rand256));
1578
	} else {
1579
		memset(data->hash256, 0, sizeof(data->hash256));
1580
		memset(data->rand256, 0, sizeof(data->rand256));
1581
		if (hash192 && rand192)
1582
			data->present = 0x01;
1583
	}
1584

1585
	BT_DBG("%s for %pMR", hdev->name, bdaddr);
1586

1587
	return 0;
1588
}
1589

1590
/* This function requires the caller holds hdev->lock */
1591
struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
1592
{
1593
	struct adv_info *adv_instance;
1594

1595
	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
1596
		if (adv_instance->instance == instance)
1597
			return adv_instance;
1598
	}
1599

1600
	return NULL;
1601
}
1602

1603
/* This function requires the caller holds hdev->lock */
1604
struct adv_info *hci_find_adv_sid(struct hci_dev *hdev, u8 sid)
1605
{
1606
	struct adv_info *adv;
1607

1608
	list_for_each_entry(adv, &hdev->adv_instances, list) {
1609
		if (adv->sid == sid)
1610
			return adv;
1611
	}
1612

1613
	return NULL;
1614
}
1615

1616
/* This function requires the caller holds hdev->lock */
1617
struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
1618
{
1619
	struct adv_info *cur_instance;
1620

1621
	cur_instance = hci_find_adv_instance(hdev, instance);
1622
	if (!cur_instance)
1623
		return NULL;
1624

1625
	if (cur_instance == list_last_entry(&hdev->adv_instances,
1626
					    struct adv_info, list))
1627
		return list_first_entry(&hdev->adv_instances,
1628
						 struct adv_info, list);
1629
	else
1630
		return list_next_entry(cur_instance, list);
1631
}
1632

1633
/* This function requires the caller holds hdev->lock */
1634
int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
1635
{
1636
	struct adv_info *adv_instance;
1637

1638
	adv_instance = hci_find_adv_instance(hdev, instance);
1639
	if (!adv_instance)
1640
		return -ENOENT;
1641

1642
	BT_DBG("%s removing %dMR", hdev->name, instance);
1643

1644
	if (hdev->cur_adv_instance == instance) {
1645
		if (hdev->adv_instance_timeout) {
1646
			cancel_delayed_work(&hdev->adv_instance_expire);
1647
			hdev->adv_instance_timeout = 0;
1648
		}
1649
		hdev->cur_adv_instance = 0x00;
1650
	}
1651

1652
	cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
1653

1654
	list_del(&adv_instance->list);
1655
	kfree(adv_instance);
1656

1657
	hdev->adv_instance_cnt--;
1658

1659
	return 0;
1660
}
1661

1662
void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired)
1663
{
1664
	struct adv_info *adv_instance, *n;
1665

1666
	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list)
1667
		adv_instance->rpa_expired = rpa_expired;
1668
}
1669

1670
/* This function requires the caller holds hdev->lock */
1671
void hci_adv_instances_clear(struct hci_dev *hdev)
1672
{
1673
	struct adv_info *adv_instance, *n;
1674

1675
	if (hdev->adv_instance_timeout) {
1676
		disable_delayed_work(&hdev->adv_instance_expire);
1677
		hdev->adv_instance_timeout = 0;
1678
	}
1679

1680
	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
1681
		disable_delayed_work_sync(&adv_instance->rpa_expired_cb);
1682
		list_del(&adv_instance->list);
1683
		kfree(adv_instance);
1684
	}
1685

1686
	hdev->adv_instance_cnt = 0;
1687
	hdev->cur_adv_instance = 0x00;
1688
}
1689

1690
static void adv_instance_rpa_expired(struct work_struct *work)
1691
{
1692
	struct adv_info *adv_instance = container_of(work, struct adv_info,
1693
						     rpa_expired_cb.work);
1694

1695
	BT_DBG("");
1696

1697
	adv_instance->rpa_expired = true;
1698
}
1699

1700
/* This function requires the caller holds hdev->lock */
1701
struct adv_info *hci_add_adv_instance(struct hci_dev *hdev, u8 instance,
1702
				      u32 flags, u16 adv_data_len, u8 *adv_data,
1703
				      u16 scan_rsp_len, u8 *scan_rsp_data,
1704
				      u16 timeout, u16 duration, s8 tx_power,
1705
				      u32 min_interval, u32 max_interval,
1706
				      u8 mesh_handle)
1707
{
1708
	struct adv_info *adv;
1709

1710
	adv = hci_find_adv_instance(hdev, instance);
1711
	if (adv) {
1712
		memset(adv->adv_data, 0, sizeof(adv->adv_data));
1713
		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
1714
		memset(adv->per_adv_data, 0, sizeof(adv->per_adv_data));
1715
	} else {
1716
		if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets ||
1717
		    instance < 1 || instance > hdev->le_num_of_adv_sets + 1)
1718
			return ERR_PTR(-EOVERFLOW);
1719

1720
		adv = kzalloc(sizeof(*adv), GFP_KERNEL);
1721
		if (!adv)
1722
			return ERR_PTR(-ENOMEM);
1723

1724
		adv->pending = true;
1725
		adv->instance = instance;
1726

1727
		/* If controller support only one set and the instance is set to
1728
		 * 1 then there is no option other than using handle 0x00.
1729
		 */
1730
		if (hdev->le_num_of_adv_sets == 1 && instance == 1)
1731
			adv->handle = 0x00;
1732
		else
1733
			adv->handle = instance;
1734

1735
		list_add(&adv->list, &hdev->adv_instances);
1736
		hdev->adv_instance_cnt++;
1737
	}
1738

1739
	adv->flags = flags;
1740
	adv->min_interval = min_interval;
1741
	adv->max_interval = max_interval;
1742
	adv->tx_power = tx_power;
1743
	/* Defining a mesh_handle changes the timing units to ms,
1744
	 * rather than seconds, and ties the instance to the requested
1745
	 * mesh_tx queue.
1746
	 */
1747
	adv->mesh = mesh_handle;
1748

1749
	hci_set_adv_instance_data(hdev, instance, adv_data_len, adv_data,
1750
				  scan_rsp_len, scan_rsp_data);
1751

1752
	adv->timeout = timeout;
1753
	adv->remaining_time = timeout;
1754

1755
	if (duration == 0)
1756
		adv->duration = hdev->def_multi_adv_rotation_duration;
1757
	else
1758
		adv->duration = duration;
1759

1760
	INIT_DELAYED_WORK(&adv->rpa_expired_cb, adv_instance_rpa_expired);
1761

1762
	BT_DBG("%s for %dMR", hdev->name, instance);
1763

1764
	return adv;
1765
}
1766

1767
/* This function requires the caller holds hdev->lock */
1768
struct adv_info *hci_add_per_instance(struct hci_dev *hdev, u8 instance, u8 sid,
1769
				      u32 flags, u8 data_len, u8 *data,
1770
				      u32 min_interval, u32 max_interval)
1771
{
1772
	struct adv_info *adv;
1773

1774
	adv = hci_add_adv_instance(hdev, instance, flags, 0, NULL, 0, NULL,
1775
				   0, 0, HCI_ADV_TX_POWER_NO_PREFERENCE,
1776
				   min_interval, max_interval, 0);
1777
	if (IS_ERR(adv))
1778
		return adv;
1779

1780
	adv->sid = sid;
1781
	adv->periodic = true;
1782
	adv->per_adv_data_len = data_len;
1783

1784
	if (data)
1785
		memcpy(adv->per_adv_data, data, data_len);
1786

1787
	return adv;
1788
}
1789

1790
/* This function requires the caller holds hdev->lock */
1791
int hci_set_adv_instance_data(struct hci_dev *hdev, u8 instance,
1792
			      u16 adv_data_len, u8 *adv_data,
1793
			      u16 scan_rsp_len, u8 *scan_rsp_data)
1794
{
1795
	struct adv_info *adv;
1796

1797
	adv = hci_find_adv_instance(hdev, instance);
1798

1799
	/* If advertisement doesn't exist, we can't modify its data */
1800
	if (!adv)
1801
		return -ENOENT;
1802

1803
	if (adv_data_len && ADV_DATA_CMP(adv, adv_data, adv_data_len)) {
1804
		memset(adv->adv_data, 0, sizeof(adv->adv_data));
1805
		memcpy(adv->adv_data, adv_data, adv_data_len);
1806
		adv->adv_data_len = adv_data_len;
1807
		adv->adv_data_changed = true;
1808
	}
1809

1810
	if (scan_rsp_len && SCAN_RSP_CMP(adv, scan_rsp_data, scan_rsp_len)) {
1811
		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
1812
		memcpy(adv->scan_rsp_data, scan_rsp_data, scan_rsp_len);
1813
		adv->scan_rsp_len = scan_rsp_len;
1814
		adv->scan_rsp_changed = true;
1815
	}
1816

1817
	/* Mark as changed if there are flags which would affect it */
1818
	if (((adv->flags & MGMT_ADV_FLAG_APPEARANCE) && hdev->appearance) ||
1819
	    adv->flags & MGMT_ADV_FLAG_LOCAL_NAME)
1820
		adv->scan_rsp_changed = true;
1821

1822
	return 0;
1823
}
1824

1825
/* This function requires the caller holds hdev->lock */
1826
u32 hci_adv_instance_flags(struct hci_dev *hdev, u8 instance)
1827
{
1828
	u32 flags;
1829
	struct adv_info *adv;
1830

1831
	if (instance == 0x00) {
1832
		/* Instance 0 always manages the "Tx Power" and "Flags"
1833
		 * fields
1834
		 */
1835
		flags = MGMT_ADV_FLAG_TX_POWER | MGMT_ADV_FLAG_MANAGED_FLAGS;
1836

1837
		/* For instance 0, the HCI_ADVERTISING_CONNECTABLE setting
1838
		 * corresponds to the "connectable" instance flag.
1839
		 */
1840
		if (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE))
1841
			flags |= MGMT_ADV_FLAG_CONNECTABLE;
1842

1843
		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
1844
			flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
1845
		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
1846
			flags |= MGMT_ADV_FLAG_DISCOV;
1847

1848
		return flags;
1849
	}
1850

1851
	adv = hci_find_adv_instance(hdev, instance);
1852

1853
	/* Return 0 when we got an invalid instance identifier. */
1854
	if (!adv)
1855
		return 0;
1856

1857
	return adv->flags;
1858
}
1859

1860
bool hci_adv_instance_is_scannable(struct hci_dev *hdev, u8 instance)
1861
{
1862
	struct adv_info *adv;
1863

1864
	/* Instance 0x00 always set local name */
1865
	if (instance == 0x00)
1866
		return true;
1867

1868
	adv = hci_find_adv_instance(hdev, instance);
1869
	if (!adv)
1870
		return false;
1871

1872
	if (adv->flags & MGMT_ADV_FLAG_APPEARANCE ||
1873
	    adv->flags & MGMT_ADV_FLAG_LOCAL_NAME)
1874
		return true;
1875

1876
	return adv->scan_rsp_len ? true : false;
1877
}
1878

1879
/* This function requires the caller holds hdev->lock */
1880
void hci_adv_monitors_clear(struct hci_dev *hdev)
1881
{
1882
	struct adv_monitor *monitor;
1883
	int handle;
1884

1885
	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
1886
		hci_free_adv_monitor(hdev, monitor);
1887

1888
	idr_destroy(&hdev->adv_monitors_idr);
1889
}
1890

1891
/* Frees the monitor structure and do some bookkeepings.
1892
 * This function requires the caller holds hdev->lock.
1893
 */
1894
void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
1895
{
1896
	struct adv_pattern *pattern;
1897
	struct adv_pattern *tmp;
1898

1899
	if (!monitor)
1900
		return;
1901

1902
	list_for_each_entry_safe(pattern, tmp, &monitor->patterns, list) {
1903
		list_del(&pattern->list);
1904
		kfree(pattern);
1905
	}
1906

1907
	if (monitor->handle)
1908
		idr_remove(&hdev->adv_monitors_idr, monitor->handle);
1909

1910
	if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED)
1911
		hdev->adv_monitors_cnt--;
1912

1913
	kfree(monitor);
1914
}
1915

1916
/* Assigns handle to a monitor, and if offloading is supported and power is on,
1917
 * also attempts to forward the request to the controller.
1918
 * This function requires the caller holds hci_req_sync_lock.
1919
 */
1920
int hci_add_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
1921
{
1922
	int min, max, handle;
1923
	int status = 0;
1924

1925
	if (!monitor)
1926
		return -EINVAL;
1927

1928
	hci_dev_lock(hdev);
1929

1930
	min = HCI_MIN_ADV_MONITOR_HANDLE;
1931
	max = HCI_MIN_ADV_MONITOR_HANDLE + HCI_MAX_ADV_MONITOR_NUM_HANDLES;
1932
	handle = idr_alloc(&hdev->adv_monitors_idr, monitor, min, max,
1933
			   GFP_KERNEL);
1934

1935
	hci_dev_unlock(hdev);
1936

1937
	if (handle < 0)
1938
		return handle;
1939

1940
	monitor->handle = handle;
1941

1942
	if (!hdev_is_powered(hdev))
1943
		return status;
1944

1945
	switch (hci_get_adv_monitor_offload_ext(hdev)) {
1946
	case HCI_ADV_MONITOR_EXT_NONE:
1947
		bt_dev_dbg(hdev, "add monitor %d status %d",
1948
			   monitor->handle, status);
1949
		/* Message was not forwarded to controller - not an error */
1950
		break;
1951

1952
	case HCI_ADV_MONITOR_EXT_MSFT:
1953
		status = msft_add_monitor_pattern(hdev, monitor);
1954
		bt_dev_dbg(hdev, "add monitor %d msft status %d",
1955
			   handle, status);
1956
		break;
1957
	}
1958

1959
	return status;
1960
}
1961

1962
/* Attempts to tell the controller and free the monitor. If somehow the
1963
 * controller doesn't have a corresponding handle, remove anyway.
1964
 * This function requires the caller holds hci_req_sync_lock.
1965
 */
1966
static int hci_remove_adv_monitor(struct hci_dev *hdev,
1967
				  struct adv_monitor *monitor)
1968
{
1969
	int status = 0;
1970
	int handle;
1971

1972
	switch (hci_get_adv_monitor_offload_ext(hdev)) {
1973
	case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
1974
		bt_dev_dbg(hdev, "remove monitor %d status %d",
1975
			   monitor->handle, status);
1976
		goto free_monitor;
1977

1978
	case HCI_ADV_MONITOR_EXT_MSFT:
1979
		handle = monitor->handle;
1980
		status = msft_remove_monitor(hdev, monitor);
1981
		bt_dev_dbg(hdev, "remove monitor %d msft status %d",
1982
			   handle, status);
1983
		break;
1984
	}
1985

1986
	/* In case no matching handle registered, just free the monitor */
1987
	if (status == -ENOENT)
1988
		goto free_monitor;
1989

1990
	return status;
1991

1992
free_monitor:
1993
	if (status == -ENOENT)
1994
		bt_dev_warn(hdev, "Removing monitor with no matching handle %d",
1995
			    monitor->handle);
1996
	hci_free_adv_monitor(hdev, monitor);
1997

1998
	return status;
1999
}
2000

2001
/* This function requires the caller holds hci_req_sync_lock */
2002
int hci_remove_single_adv_monitor(struct hci_dev *hdev, u16 handle)
2003
{
2004
	struct adv_monitor *monitor = idr_find(&hdev->adv_monitors_idr, handle);
2005

2006
	if (!monitor)
2007
		return -EINVAL;
2008

2009
	return hci_remove_adv_monitor(hdev, monitor);
2010
}
2011

2012
/* This function requires the caller holds hci_req_sync_lock */
2013
int hci_remove_all_adv_monitor(struct hci_dev *hdev)
2014
{
2015
	struct adv_monitor *monitor;
2016
	int idr_next_id = 0;
2017
	int status = 0;
2018

2019
	while (1) {
2020
		monitor = idr_get_next(&hdev->adv_monitors_idr, &idr_next_id);
2021
		if (!monitor)
2022
			break;
2023

2024
		status = hci_remove_adv_monitor(hdev, monitor);
2025
		if (status)
2026
			return status;
2027

2028
		idr_next_id++;
2029
	}
2030

2031
	return status;
2032
}
2033

2034
/* This function requires the caller holds hdev->lock */
2035
bool hci_is_adv_monitoring(struct hci_dev *hdev)
2036
{
2037
	return !idr_is_empty(&hdev->adv_monitors_idr);
2038
}
2039

2040
int hci_get_adv_monitor_offload_ext(struct hci_dev *hdev)
2041
{
2042
	if (msft_monitor_supported(hdev))
2043
		return HCI_ADV_MONITOR_EXT_MSFT;
2044

2045
	return HCI_ADV_MONITOR_EXT_NONE;
2046
}
2047

2048
struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2049
					 bdaddr_t *bdaddr, u8 type)
2050
{
2051
	struct bdaddr_list *b;
2052

2053
	list_for_each_entry(b, bdaddr_list, list) {
2054
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2055
			return b;
2056
	}
2057

2058
	return NULL;
2059
}
2060

2061
struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk(
2062
				struct list_head *bdaddr_list, bdaddr_t *bdaddr,
2063
				u8 type)
2064
{
2065
	struct bdaddr_list_with_irk *b;
2066

2067
	list_for_each_entry(b, bdaddr_list, list) {
2068
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2069
			return b;
2070
	}
2071

2072
	return NULL;
2073
}
2074

2075
struct bdaddr_list_with_flags *
2076
hci_bdaddr_list_lookup_with_flags(struct list_head *bdaddr_list,
2077
				  bdaddr_t *bdaddr, u8 type)
2078
{
2079
	struct bdaddr_list_with_flags *b;
2080

2081
	list_for_each_entry(b, bdaddr_list, list) {
2082
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2083
			return b;
2084
	}
2085

2086
	return NULL;
2087
}
2088

2089
void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2090
{
2091
	struct bdaddr_list *b, *n;
2092

2093
	list_for_each_entry_safe(b, n, bdaddr_list, list) {
2094
		list_del(&b->list);
2095
		kfree(b);
2096
	}
2097
}
2098

2099
int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2100
{
2101
	struct bdaddr_list *entry;
2102

2103
	if (!bacmp(bdaddr, BDADDR_ANY))
2104
		return -EBADF;
2105

2106
	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2107
		return -EEXIST;
2108

2109
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2110
	if (!entry)
2111
		return -ENOMEM;
2112

2113
	bacpy(&entry->bdaddr, bdaddr);
2114
	entry->bdaddr_type = type;
2115

2116
	list_add(&entry->list, list);
2117

2118
	return 0;
2119
}
2120

2121
int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2122
					u8 type, u8 *peer_irk, u8 *local_irk)
2123
{
2124
	struct bdaddr_list_with_irk *entry;
2125

2126
	if (!bacmp(bdaddr, BDADDR_ANY))
2127
		return -EBADF;
2128

2129
	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2130
		return -EEXIST;
2131

2132
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2133
	if (!entry)
2134
		return -ENOMEM;
2135

2136
	bacpy(&entry->bdaddr, bdaddr);
2137
	entry->bdaddr_type = type;
2138

2139
	if (peer_irk)
2140
		memcpy(entry->peer_irk, peer_irk, 16);
2141

2142
	if (local_irk)
2143
		memcpy(entry->local_irk, local_irk, 16);
2144

2145
	list_add(&entry->list, list);
2146

2147
	return 0;
2148
}
2149

2150
int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr,
2151
				   u8 type, u32 flags)
2152
{
2153
	struct bdaddr_list_with_flags *entry;
2154

2155
	if (!bacmp(bdaddr, BDADDR_ANY))
2156
		return -EBADF;
2157

2158
	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2159
		return -EEXIST;
2160

2161
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2162
	if (!entry)
2163
		return -ENOMEM;
2164

2165
	bacpy(&entry->bdaddr, bdaddr);
2166
	entry->bdaddr_type = type;
2167
	entry->flags = flags;
2168

2169
	list_add(&entry->list, list);
2170

2171
	return 0;
2172
}
2173

2174
int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2175
{
2176
	struct bdaddr_list *entry;
2177

2178
	if (!bacmp(bdaddr, BDADDR_ANY)) {
2179
		hci_bdaddr_list_clear(list);
2180
		return 0;
2181
	}
2182

2183
	entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2184
	if (!entry)
2185
		return -ENOENT;
2186

2187
	list_del(&entry->list);
2188
	kfree(entry);
2189

2190
	return 0;
2191
}
2192

2193
int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2194
							u8 type)
2195
{
2196
	struct bdaddr_list_with_irk *entry;
2197

2198
	if (!bacmp(bdaddr, BDADDR_ANY)) {
2199
		hci_bdaddr_list_clear(list);
2200
		return 0;
2201
	}
2202

2203
	entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type);
2204
	if (!entry)
2205
		return -ENOENT;
2206

2207
	list_del(&entry->list);
2208
	kfree(entry);
2209

2210
	return 0;
2211
}
2212

2213
/* This function requires the caller holds hdev->lock */
2214
struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2215
					       bdaddr_t *addr, u8 addr_type)
2216
{
2217
	struct hci_conn_params *params;
2218

2219
	list_for_each_entry(params, &hdev->le_conn_params, list) {
2220
		if (bacmp(&params->addr, addr) == 0 &&
2221
		    params->addr_type == addr_type) {
2222
			return params;
2223
		}
2224
	}
2225

2226
	return NULL;
2227
}
2228

2229
/* This function requires the caller holds hdev->lock or rcu_read_lock */
2230
struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2231
						  bdaddr_t *addr, u8 addr_type)
2232
{
2233
	struct hci_conn_params *param;
2234

2235
	rcu_read_lock();
2236

2237
	list_for_each_entry_rcu(param, list, action) {
2238
		if (bacmp(&param->addr, addr) == 0 &&
2239
		    param->addr_type == addr_type) {
2240
			rcu_read_unlock();
2241
			return param;
2242
		}
2243
	}
2244

2245
	rcu_read_unlock();
2246

2247
	return NULL;
2248
}
2249

2250
/* This function requires the caller holds hdev->lock */
2251
void hci_pend_le_list_del_init(struct hci_conn_params *param)
2252
{
2253
	if (list_empty(&param->action))
2254
		return;
2255

2256
	list_del_rcu(&param->action);
2257
	synchronize_rcu();
2258
	INIT_LIST_HEAD(&param->action);
2259
}
2260

2261
/* This function requires the caller holds hdev->lock */
2262
void hci_pend_le_list_add(struct hci_conn_params *param,
2263
			  struct list_head *list)
2264
{
2265
	list_add_rcu(&param->action, list);
2266
}
2267

2268
/* This function requires the caller holds hdev->lock */
2269
struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2270
					    bdaddr_t *addr, u8 addr_type)
2271
{
2272
	struct hci_conn_params *params;
2273

2274
	params = hci_conn_params_lookup(hdev, addr, addr_type);
2275
	if (params)
2276
		return params;
2277

2278
	params = kzalloc(sizeof(*params), GFP_KERNEL);
2279
	if (!params) {
2280
		bt_dev_err(hdev, "out of memory");
2281
		return NULL;
2282
	}
2283

2284
	bacpy(&params->addr, addr);
2285
	params->addr_type = addr_type;
2286

2287
	list_add(&params->list, &hdev->le_conn_params);
2288
	INIT_LIST_HEAD(&params->action);
2289

2290
	params->conn_min_interval = hdev->le_conn_min_interval;
2291
	params->conn_max_interval = hdev->le_conn_max_interval;
2292
	params->conn_latency = hdev->le_conn_latency;
2293
	params->supervision_timeout = hdev->le_supv_timeout;
2294
	params->auto_connect = HCI_AUTO_CONN_DISABLED;
2295

2296
	BT_DBG("addr %pMR (type %u)", addr, addr_type);
2297

2298
	return params;
2299
}
2300

2301
void hci_conn_params_free(struct hci_conn_params *params)
2302
{
2303
	hci_pend_le_list_del_init(params);
2304

2305
	if (params->conn) {
2306
		hci_conn_drop(params->conn);
2307
		hci_conn_put(params->conn);
2308
	}
2309

2310
	list_del(&params->list);
2311
	kfree(params);
2312
}
2313

2314
/* This function requires the caller holds hdev->lock */
2315
void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2316
{
2317
	struct hci_conn_params *params;
2318

2319
	params = hci_conn_params_lookup(hdev, addr, addr_type);
2320
	if (!params)
2321
		return;
2322

2323
	hci_conn_params_free(params);
2324

2325
	hci_update_passive_scan(hdev);
2326

2327
	BT_DBG("addr %pMR (type %u)", addr, addr_type);
2328
}
2329

2330
/* This function requires the caller holds hdev->lock */
2331
void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2332
{
2333
	struct hci_conn_params *params, *tmp;
2334

2335
	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2336
		if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2337
			continue;
2338

2339
		/* If trying to establish one time connection to disabled
2340
		 * device, leave the params, but mark them as just once.
2341
		 */
2342
		if (params->explicit_connect) {
2343
			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2344
			continue;
2345
		}
2346

2347
		hci_conn_params_free(params);
2348
	}
2349

2350
	BT_DBG("All LE disabled connection parameters were removed");
2351
}
2352

2353
/* This function requires the caller holds hdev->lock */
2354
static void hci_conn_params_clear_all(struct hci_dev *hdev)
2355
{
2356
	struct hci_conn_params *params, *tmp;
2357

2358
	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2359
		hci_conn_params_free(params);
2360

2361
	BT_DBG("All LE connection parameters were removed");
2362
}
2363

2364
/* Copy the Identity Address of the controller.
2365
 *
2366
 * If the controller has a public BD_ADDR, then by default use that one.
2367
 * If this is a LE only controller without a public address, default to
2368
 * the static random address.
2369
 *
2370
 * For debugging purposes it is possible to force controllers with a
2371
 * public address to use the static random address instead.
2372
 *
2373
 * In case BR/EDR has been disabled on a dual-mode controller and
2374
 * userspace has configured a static address, then that address
2375
 * becomes the identity address instead of the public BR/EDR address.
2376
 */
2377
void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2378
			       u8 *bdaddr_type)
2379
{
2380
	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2381
	    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2382
	    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2383
	     bacmp(&hdev->static_addr, BDADDR_ANY))) {
2384
		bacpy(bdaddr, &hdev->static_addr);
2385
		*bdaddr_type = ADDR_LE_DEV_RANDOM;
2386
	} else {
2387
		bacpy(bdaddr, &hdev->bdaddr);
2388
		*bdaddr_type = ADDR_LE_DEV_PUBLIC;
2389
	}
2390
}
2391

2392
static void hci_clear_wake_reason(struct hci_dev *hdev)
2393
{
2394
	hci_dev_lock(hdev);
2395

2396
	hdev->wake_reason = 0;
2397
	bacpy(&hdev->wake_addr, BDADDR_ANY);
2398
	hdev->wake_addr_type = 0;
2399

2400
	hci_dev_unlock(hdev);
2401
}
2402

2403
static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action,
2404
				void *data)
2405
{
2406
	struct hci_dev *hdev =
2407
		container_of(nb, struct hci_dev, suspend_notifier);
2408
	int ret = 0;
2409

2410
	/* Userspace has full control of this device. Do nothing. */
2411
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
2412
		return NOTIFY_DONE;
2413

2414
	/* To avoid a potential race with hci_unregister_dev. */
2415
	hci_dev_hold(hdev);
2416

2417
	switch (action) {
2418
	case PM_HIBERNATION_PREPARE:
2419
	case PM_SUSPEND_PREPARE:
2420
		ret = hci_suspend_dev(hdev);
2421
		break;
2422
	case PM_POST_HIBERNATION:
2423
	case PM_POST_SUSPEND:
2424
		ret = hci_resume_dev(hdev);
2425
		break;
2426
	}
2427

2428
	if (ret)
2429
		bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d",
2430
			   action, ret);
2431

2432
	hci_dev_put(hdev);
2433
	return NOTIFY_DONE;
2434
}
2435

2436
/* Alloc HCI device */
2437
struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
2438
{
2439
	struct hci_dev *hdev;
2440
	unsigned int alloc_size;
2441

2442
	alloc_size = sizeof(*hdev);
2443
	if (sizeof_priv) {
2444
		/* Fixme: May need ALIGN-ment? */
2445
		alloc_size += sizeof_priv;
2446
	}
2447

2448
	hdev = kzalloc(alloc_size, GFP_KERNEL);
2449
	if (!hdev)
2450
		return NULL;
2451

2452
	if (init_srcu_struct(&hdev->srcu)) {
2453
		kfree(hdev);
2454
		return NULL;
2455
	}
2456

2457
	hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2458
	hdev->esco_type = (ESCO_HV1);
2459
	hdev->link_mode = (HCI_LM_ACCEPT);
2460
	hdev->num_iac = 0x01;		/* One IAC support is mandatory */
2461
	hdev->io_capability = 0x03;	/* No Input No Output */
2462
	hdev->manufacturer = 0xffff;	/* Default to internal use */
2463
	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2464
	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2465
	hdev->adv_instance_cnt = 0;
2466
	hdev->cur_adv_instance = 0x00;
2467
	hdev->adv_instance_timeout = 0;
2468

2469
	hdev->advmon_allowlist_duration = 300;
2470
	hdev->advmon_no_filter_duration = 500;
2471
	hdev->enable_advmon_interleave_scan = 0x00;	/* Default to disable */
2472

2473
	hdev->sniff_max_interval = 800;
2474
	hdev->sniff_min_interval = 80;
2475

2476
	hdev->le_adv_channel_map = 0x07;
2477
	hdev->le_adv_min_interval = 0x0800;
2478
	hdev->le_adv_max_interval = 0x0800;
2479
	hdev->le_scan_interval = DISCOV_LE_SCAN_INT_FAST;
2480
	hdev->le_scan_window = DISCOV_LE_SCAN_WIN_FAST;
2481
	hdev->le_scan_int_suspend = DISCOV_LE_SCAN_INT_SLOW1;
2482
	hdev->le_scan_window_suspend = DISCOV_LE_SCAN_WIN_SLOW1;
2483
	hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT;
2484
	hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN;
2485
	hdev->le_scan_int_adv_monitor = DISCOV_LE_SCAN_INT_FAST;
2486
	hdev->le_scan_window_adv_monitor = DISCOV_LE_SCAN_WIN_FAST;
2487
	hdev->le_scan_int_connect = DISCOV_LE_SCAN_INT_CONN;
2488
	hdev->le_scan_window_connect = DISCOV_LE_SCAN_WIN_CONN;
2489
	hdev->le_conn_min_interval = 0x0018;
2490
	hdev->le_conn_max_interval = 0x0028;
2491
	hdev->le_conn_latency = 0x0000;
2492
	hdev->le_supv_timeout = 0x002a;
2493
	hdev->le_def_tx_len = 0x001b;
2494
	hdev->le_def_tx_time = 0x0148;
2495
	hdev->le_max_tx_len = 0x001b;
2496
	hdev->le_max_tx_time = 0x0148;
2497
	hdev->le_max_rx_len = 0x001b;
2498
	hdev->le_max_rx_time = 0x0148;
2499
	hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
2500
	hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
2501
	hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
2502
	hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
2503
	hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES;
2504
	hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION;
2505
	hdev->def_le_autoconnect_timeout = HCI_LE_CONN_TIMEOUT;
2506
	hdev->min_le_tx_power = HCI_TX_POWER_INVALID;
2507
	hdev->max_le_tx_power = HCI_TX_POWER_INVALID;
2508

2509
	hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2510
	hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2511
	hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2512
	hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2513
	hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
2514
	hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE;
2515

2516
	/* default 1.28 sec page scan */
2517
	hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD;
2518
	hdev->def_page_scan_int = 0x0800;
2519
	hdev->def_page_scan_window = 0x0012;
2520

2521
	mutex_init(&hdev->lock);
2522
	mutex_init(&hdev->req_lock);
2523
	mutex_init(&hdev->mgmt_pending_lock);
2524

2525
	ida_init(&hdev->unset_handle_ida);
2526

2527
	INIT_LIST_HEAD(&hdev->mesh_pending);
2528
	INIT_LIST_HEAD(&hdev->mgmt_pending);
2529
	INIT_LIST_HEAD(&hdev->reject_list);
2530
	INIT_LIST_HEAD(&hdev->accept_list);
2531
	INIT_LIST_HEAD(&hdev->uuids);
2532
	INIT_LIST_HEAD(&hdev->link_keys);
2533
	INIT_LIST_HEAD(&hdev->long_term_keys);
2534
	INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2535
	INIT_LIST_HEAD(&hdev->remote_oob_data);
2536
	INIT_LIST_HEAD(&hdev->le_accept_list);
2537
	INIT_LIST_HEAD(&hdev->le_resolv_list);
2538
	INIT_LIST_HEAD(&hdev->le_conn_params);
2539
	INIT_LIST_HEAD(&hdev->pend_le_conns);
2540
	INIT_LIST_HEAD(&hdev->pend_le_reports);
2541
	INIT_LIST_HEAD(&hdev->conn_hash.list);
2542
	INIT_LIST_HEAD(&hdev->adv_instances);
2543
	INIT_LIST_HEAD(&hdev->blocked_keys);
2544
	INIT_LIST_HEAD(&hdev->monitored_devices);
2545

2546
	INIT_LIST_HEAD(&hdev->local_codecs);
2547
	INIT_WORK(&hdev->rx_work, hci_rx_work);
2548
	INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2549
	INIT_WORK(&hdev->tx_work, hci_tx_work);
2550
	INIT_WORK(&hdev->power_on, hci_power_on);
2551
	INIT_WORK(&hdev->error_reset, hci_error_reset);
2552

2553
	hci_cmd_sync_init(hdev);
2554

2555
	INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2556

2557
	skb_queue_head_init(&hdev->rx_q);
2558
	skb_queue_head_init(&hdev->cmd_q);
2559
	skb_queue_head_init(&hdev->raw_q);
2560

2561
	init_waitqueue_head(&hdev->req_wait_q);
2562

2563
	INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
2564
	INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout);
2565

2566
	hci_devcd_setup(hdev);
2567

2568
	hci_init_sysfs(hdev);
2569
	discovery_init(hdev);
2570

2571
	return hdev;
2572
}
2573
EXPORT_SYMBOL(hci_alloc_dev_priv);
2574

2575
/* Free HCI device */
2576
void hci_free_dev(struct hci_dev *hdev)
2577
{
2578
	/* will free via device release */
2579
	put_device(&hdev->dev);
2580
}
2581
EXPORT_SYMBOL(hci_free_dev);
2582

2583
/* Register HCI device */
2584
int hci_register_dev(struct hci_dev *hdev)
2585
{
2586
	int id, error;
2587

2588
	if (!hdev->open || !hdev->close || !hdev->send)
2589
		return -EINVAL;
2590

2591
	id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL);
2592
	if (id < 0)
2593
		return id;
2594

2595
	error = dev_set_name(&hdev->dev, "hci%u", id);
2596
	if (error)
2597
		return error;
2598

2599
	hdev->name = dev_name(&hdev->dev);
2600
	hdev->id = id;
2601

2602
	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2603

2604
	hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name);
2605
	if (!hdev->workqueue) {
2606
		error = -ENOMEM;
2607
		goto err;
2608
	}
2609

2610
	hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI,
2611
						      hdev->name);
2612
	if (!hdev->req_workqueue) {
2613
		destroy_workqueue(hdev->workqueue);
2614
		error = -ENOMEM;
2615
		goto err;
2616
	}
2617

2618
	if (!IS_ERR_OR_NULL(bt_debugfs))
2619
		hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
2620

2621
	error = device_add(&hdev->dev);
2622
	if (error < 0)
2623
		goto err_wqueue;
2624

2625
	hci_leds_init(hdev);
2626

2627
	hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2628
				    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2629
				    hdev);
2630
	if (hdev->rfkill) {
2631
		if (rfkill_register(hdev->rfkill) < 0) {
2632
			rfkill_destroy(hdev->rfkill);
2633
			hdev->rfkill = NULL;
2634
		}
2635
	}
2636

2637
	if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
2638
		hci_dev_set_flag(hdev, HCI_RFKILLED);
2639

2640
	hci_dev_set_flag(hdev, HCI_SETUP);
2641
	hci_dev_set_flag(hdev, HCI_AUTO_OFF);
2642

2643
	/* Assume BR/EDR support until proven otherwise (such as
2644
	 * through reading supported features during init.
2645
	 */
2646
	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
2647

2648
	write_lock(&hci_dev_list_lock);
2649
	list_add(&hdev->list, &hci_dev_list);
2650
	write_unlock(&hci_dev_list_lock);
2651

2652
	/* Devices that are marked for raw-only usage are unconfigured
2653
	 * and should not be included in normal operation.
2654
	 */
2655
	if (hci_test_quirk(hdev, HCI_QUIRK_RAW_DEVICE))
2656
		hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
2657

2658
	/* Mark Remote Wakeup connection flag as supported if driver has wakeup
2659
	 * callback.
2660
	 */
2661
	if (hdev->wakeup)
2662
		hdev->conn_flags |= HCI_CONN_FLAG_REMOTE_WAKEUP;
2663

2664
	hci_sock_dev_event(hdev, HCI_DEV_REG);
2665
	hci_dev_hold(hdev);
2666

2667
	error = hci_register_suspend_notifier(hdev);
2668
	if (error)
2669
		BT_WARN("register suspend notifier failed error:%d\n", error);
2670

2671
	queue_work(hdev->req_workqueue, &hdev->power_on);
2672

2673
	idr_init(&hdev->adv_monitors_idr);
2674
	msft_register(hdev);
2675

2676
	return id;
2677

2678
err_wqueue:
2679
	debugfs_remove_recursive(hdev->debugfs);
2680
	destroy_workqueue(hdev->workqueue);
2681
	destroy_workqueue(hdev->req_workqueue);
2682
err:
2683
	ida_free(&hci_index_ida, hdev->id);
2684

2685
	return error;
2686
}
2687
EXPORT_SYMBOL(hci_register_dev);
2688

2689
/* Unregister HCI device */
2690
void hci_unregister_dev(struct hci_dev *hdev)
2691
{
2692
	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2693

2694
	mutex_lock(&hdev->unregister_lock);
2695
	hci_dev_set_flag(hdev, HCI_UNREGISTER);
2696
	mutex_unlock(&hdev->unregister_lock);
2697

2698
	write_lock(&hci_dev_list_lock);
2699
	list_del(&hdev->list);
2700
	write_unlock(&hci_dev_list_lock);
2701

2702
	synchronize_srcu(&hdev->srcu);
2703
	cleanup_srcu_struct(&hdev->srcu);
2704

2705
	disable_work_sync(&hdev->rx_work);
2706
	disable_work_sync(&hdev->cmd_work);
2707
	disable_work_sync(&hdev->tx_work);
2708
	disable_work_sync(&hdev->power_on);
2709
	disable_work_sync(&hdev->error_reset);
2710

2711
	hci_cmd_sync_clear(hdev);
2712

2713
	hci_unregister_suspend_notifier(hdev);
2714

2715
	hci_dev_do_close(hdev);
2716

2717
	if (!test_bit(HCI_INIT, &hdev->flags) &&
2718
	    !hci_dev_test_flag(hdev, HCI_SETUP) &&
2719
	    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
2720
		hci_dev_lock(hdev);
2721
		mgmt_index_removed(hdev);
2722
		hci_dev_unlock(hdev);
2723
	}
2724

2725
	/* mgmt_index_removed should take care of emptying the
2726
	 * pending list */
2727
	BUG_ON(!list_empty(&hdev->mgmt_pending));
2728

2729
	hci_sock_dev_event(hdev, HCI_DEV_UNREG);
2730

2731
	if (hdev->rfkill) {
2732
		rfkill_unregister(hdev->rfkill);
2733
		rfkill_destroy(hdev->rfkill);
2734
	}
2735

2736
	device_del(&hdev->dev);
2737
	/* Actual cleanup is deferred until hci_release_dev(). */
2738
	hci_dev_put(hdev);
2739
}
2740
EXPORT_SYMBOL(hci_unregister_dev);
2741

2742
/* Release HCI device */
2743
void hci_release_dev(struct hci_dev *hdev)
2744
{
2745
	debugfs_remove_recursive(hdev->debugfs);
2746
	kfree_const(hdev->hw_info);
2747
	kfree_const(hdev->fw_info);
2748

2749
	destroy_workqueue(hdev->workqueue);
2750
	destroy_workqueue(hdev->req_workqueue);
2751

2752
	hci_dev_lock(hdev);
2753
	hci_bdaddr_list_clear(&hdev->reject_list);
2754
	hci_bdaddr_list_clear(&hdev->accept_list);
2755
	hci_uuids_clear(hdev);
2756
	hci_link_keys_clear(hdev);
2757
	hci_smp_ltks_clear(hdev);
2758
	hci_smp_irks_clear(hdev);
2759
	hci_remote_oob_data_clear(hdev);
2760
	hci_adv_instances_clear(hdev);
2761
	hci_adv_monitors_clear(hdev);
2762
	hci_bdaddr_list_clear(&hdev->le_accept_list);
2763
	hci_bdaddr_list_clear(&hdev->le_resolv_list);
2764
	hci_conn_params_clear_all(hdev);
2765
	hci_discovery_filter_clear(hdev);
2766
	hci_blocked_keys_clear(hdev);
2767
	hci_codec_list_clear(&hdev->local_codecs);
2768
	msft_release(hdev);
2769
	hci_dev_unlock(hdev);
2770

2771
	ida_destroy(&hdev->unset_handle_ida);
2772
	ida_free(&hci_index_ida, hdev->id);
2773
	kfree_skb(hdev->sent_cmd);
2774
	kfree_skb(hdev->req_skb);
2775
	kfree_skb(hdev->recv_event);
2776
	kfree(hdev);
2777
}
2778
EXPORT_SYMBOL(hci_release_dev);
2779

2780
int hci_register_suspend_notifier(struct hci_dev *hdev)
2781
{
2782
	int ret = 0;
2783

2784
	if (!hdev->suspend_notifier.notifier_call &&
2785
	    !hci_test_quirk(hdev, HCI_QUIRK_NO_SUSPEND_NOTIFIER)) {
2786
		hdev->suspend_notifier.notifier_call = hci_suspend_notifier;
2787
		ret = register_pm_notifier(&hdev->suspend_notifier);
2788
	}
2789

2790
	return ret;
2791
}
2792

2793
int hci_unregister_suspend_notifier(struct hci_dev *hdev)
2794
{
2795
	int ret = 0;
2796

2797
	if (hdev->suspend_notifier.notifier_call) {
2798
		ret = unregister_pm_notifier(&hdev->suspend_notifier);
2799
		if (!ret)
2800
			hdev->suspend_notifier.notifier_call = NULL;
2801
	}
2802

2803
	return ret;
2804
}
2805

2806
/* Cancel ongoing command synchronously:
2807
 *
2808
 * - Cancel command timer
2809
 * - Reset command counter
2810
 * - Cancel command request
2811
 */
2812
static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err)
2813
{
2814
	bt_dev_dbg(hdev, "err 0x%2.2x", err);
2815

2816
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
2817
		disable_delayed_work_sync(&hdev->cmd_timer);
2818
		disable_delayed_work_sync(&hdev->ncmd_timer);
2819
	} else  {
2820
		cancel_delayed_work_sync(&hdev->cmd_timer);
2821
		cancel_delayed_work_sync(&hdev->ncmd_timer);
2822
	}
2823

2824
	atomic_set(&hdev->cmd_cnt, 1);
2825

2826
	hci_cmd_sync_cancel_sync(hdev, err);
2827
}
2828

2829
/* Suspend HCI device */
2830
int hci_suspend_dev(struct hci_dev *hdev)
2831
{
2832
	int ret;
2833

2834
	bt_dev_dbg(hdev, "");
2835

2836
	/* Suspend should only act on when powered. */
2837
	if (!hdev_is_powered(hdev) ||
2838
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
2839
		return 0;
2840

2841
	/* If powering down don't attempt to suspend */
2842
	if (mgmt_powering_down(hdev))
2843
		return 0;
2844

2845
	/* Cancel potentially blocking sync operation before suspend */
2846
	hci_cancel_cmd_sync(hdev, EHOSTDOWN);
2847

2848
	hci_req_sync_lock(hdev);
2849
	ret = hci_suspend_sync(hdev);
2850
	hci_req_sync_unlock(hdev);
2851

2852
	hci_clear_wake_reason(hdev);
2853
	mgmt_suspending(hdev, hdev->suspend_state);
2854

2855
	hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
2856
	return ret;
2857
}
2858
EXPORT_SYMBOL(hci_suspend_dev);
2859

2860
/* Resume HCI device */
2861
int hci_resume_dev(struct hci_dev *hdev)
2862
{
2863
	int ret;
2864

2865
	bt_dev_dbg(hdev, "");
2866

2867
	/* Resume should only act on when powered. */
2868
	if (!hdev_is_powered(hdev) ||
2869
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
2870
		return 0;
2871

2872
	/* If powering down don't attempt to resume */
2873
	if (mgmt_powering_down(hdev))
2874
		return 0;
2875

2876
	hci_req_sync_lock(hdev);
2877
	ret = hci_resume_sync(hdev);
2878
	hci_req_sync_unlock(hdev);
2879

2880
	mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr,
2881
		      hdev->wake_addr_type);
2882

2883
	hci_sock_dev_event(hdev, HCI_DEV_RESUME);
2884
	return ret;
2885
}
2886
EXPORT_SYMBOL(hci_resume_dev);
2887

2888
/* Reset HCI device */
2889
int hci_reset_dev(struct hci_dev *hdev)
2890
{
2891
	static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
2892
	struct sk_buff *skb;
2893

2894
	skb = bt_skb_alloc(3, GFP_ATOMIC);
2895
	if (!skb)
2896
		return -ENOMEM;
2897

2898
	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
2899
	skb_put_data(skb, hw_err, 3);
2900

2901
	bt_dev_err(hdev, "Injecting HCI hardware error event");
2902

2903
	/* Send Hardware Error to upper stack */
2904
	return hci_recv_frame(hdev, skb);
2905
}
2906
EXPORT_SYMBOL(hci_reset_dev);
2907

2908
static u8 hci_dev_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb)
2909
{
2910
	if (hdev->classify_pkt_type)
2911
		return hdev->classify_pkt_type(hdev, skb);
2912

2913
	return hci_skb_pkt_type(skb);
2914
}
2915

2916
/* Receive frame from HCI drivers */
2917
int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
2918
{
2919
	u8 dev_pkt_type;
2920

2921
	if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2922
		      && !test_bit(HCI_INIT, &hdev->flags))) {
2923
		kfree_skb(skb);
2924
		return -ENXIO;
2925
	}
2926

2927
	/* Check if the driver agree with packet type classification */
2928
	dev_pkt_type = hci_dev_classify_pkt_type(hdev, skb);
2929
	if (hci_skb_pkt_type(skb) != dev_pkt_type) {
2930
		hci_skb_pkt_type(skb) = dev_pkt_type;
2931
	}
2932

2933
	switch (hci_skb_pkt_type(skb)) {
2934
	case HCI_EVENT_PKT:
2935
		break;
2936
	case HCI_ACLDATA_PKT:
2937
		/* Detect if ISO packet has been sent as ACL */
2938
		if (hci_conn_num(hdev, CIS_LINK) ||
2939
		    hci_conn_num(hdev, BIS_LINK) ||
2940
			hci_conn_num(hdev, PA_LINK)) {
2941
			__u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle);
2942
			__u8 type;
2943

2944
			type = hci_conn_lookup_type(hdev, hci_handle(handle));
2945
			if (type == CIS_LINK || type == BIS_LINK ||
2946
			    type == PA_LINK)
2947
				hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
2948
		}
2949
		break;
2950
	case HCI_SCODATA_PKT:
2951
		break;
2952
	case HCI_ISODATA_PKT:
2953
		break;
2954
	case HCI_DRV_PKT:
2955
		break;
2956
	default:
2957
		kfree_skb(skb);
2958
		return -EINVAL;
2959
	}
2960

2961
	/* Incoming skb */
2962
	bt_cb(skb)->incoming = 1;
2963

2964
	/* Time stamp */
2965
	__net_timestamp(skb);
2966

2967
	skb_queue_tail(&hdev->rx_q, skb);
2968
	queue_work(hdev->workqueue, &hdev->rx_work);
2969

2970
	return 0;
2971
}
2972
EXPORT_SYMBOL(hci_recv_frame);
2973

2974
/* Receive diagnostic message from HCI drivers */
2975
int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
2976
{
2977
	/* Mark as diagnostic packet */
2978
	hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
2979

2980
	/* Time stamp */
2981
	__net_timestamp(skb);
2982

2983
	skb_queue_tail(&hdev->rx_q, skb);
2984
	queue_work(hdev->workqueue, &hdev->rx_work);
2985

2986
	return 0;
2987
}
2988
EXPORT_SYMBOL(hci_recv_diag);
2989

2990
void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...)
2991
{
2992
	va_list vargs;
2993

2994
	va_start(vargs, fmt);
2995
	kfree_const(hdev->hw_info);
2996
	hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
2997
	va_end(vargs);
2998
}
2999
EXPORT_SYMBOL(hci_set_hw_info);
3000

3001
void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...)
3002
{
3003
	va_list vargs;
3004

3005
	va_start(vargs, fmt);
3006
	kfree_const(hdev->fw_info);
3007
	hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
3008
	va_end(vargs);
3009
}
3010
EXPORT_SYMBOL(hci_set_fw_info);
3011

3012
/* ---- Interface to upper protocols ---- */
3013

3014
int hci_register_cb(struct hci_cb *cb)
3015
{
3016
	BT_DBG("%p name %s", cb, cb->name);
3017

3018
	mutex_lock(&hci_cb_list_lock);
3019
	list_add_tail(&cb->list, &hci_cb_list);
3020
	mutex_unlock(&hci_cb_list_lock);
3021

3022
	return 0;
3023
}
3024
EXPORT_SYMBOL(hci_register_cb);
3025

3026
int hci_unregister_cb(struct hci_cb *cb)
3027
{
3028
	BT_DBG("%p name %s", cb, cb->name);
3029

3030
	mutex_lock(&hci_cb_list_lock);
3031
	list_del(&cb->list);
3032
	mutex_unlock(&hci_cb_list_lock);
3033

3034
	return 0;
3035
}
3036
EXPORT_SYMBOL(hci_unregister_cb);
3037

3038
static int hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3039
{
3040
	int err;
3041

3042
	BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3043
	       skb->len);
3044

3045
	/* Time stamp */
3046
	__net_timestamp(skb);
3047

3048
	/* Send copy to monitor */
3049
	hci_send_to_monitor(hdev, skb);
3050

3051
	if (atomic_read(&hdev->promisc)) {
3052
		/* Send copy to the sockets */
3053
		hci_send_to_sock(hdev, skb);
3054
	}
3055

3056
	/* Get rid of skb owner, prior to sending to the driver. */
3057
	skb_orphan(skb);
3058

3059
	if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3060
		kfree_skb(skb);
3061
		return -EINVAL;
3062
	}
3063

3064
	if (hci_skb_pkt_type(skb) == HCI_DRV_PKT) {
3065
		/* Intercept HCI Drv packet here and don't go with hdev->send
3066
		 * callback.
3067
		 */
3068
		err = hci_drv_process_cmd(hdev, skb);
3069
		kfree_skb(skb);
3070
		return err;
3071
	}
3072

3073
	err = hdev->send(hdev, skb);
3074
	if (err < 0) {
3075
		bt_dev_err(hdev, "sending frame failed (%d)", err);
3076
		kfree_skb(skb);
3077
		return err;
3078
	}
3079

3080
	return 0;
3081
}
3082

3083
static int hci_send_conn_frame(struct hci_dev *hdev, struct hci_conn *conn,
3084
			       struct sk_buff *skb)
3085
{
3086
	hci_conn_tx_queue(conn, skb);
3087
	return hci_send_frame(hdev, skb);
3088
}
3089

3090
/* Send HCI command */
3091
int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3092
		 const void *param)
3093
{
3094
	struct sk_buff *skb;
3095

3096
	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3097

3098
	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
3099
	if (!skb) {
3100
		bt_dev_err(hdev, "no memory for command");
3101
		return -ENOMEM;
3102
	}
3103

3104
	/* Stand-alone HCI commands must be flagged as
3105
	 * single-command requests.
3106
	 */
3107
	bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3108

3109
	skb_queue_tail(&hdev->cmd_q, skb);
3110
	queue_work(hdev->workqueue, &hdev->cmd_work);
3111

3112
	return 0;
3113
}
3114

3115
int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen,
3116
		   const void *param)
3117
{
3118
	struct sk_buff *skb;
3119

3120
	if (hci_opcode_ogf(opcode) != 0x3f) {
3121
		/* A controller receiving a command shall respond with either
3122
		 * a Command Status Event or a Command Complete Event.
3123
		 * Therefore, all standard HCI commands must be sent via the
3124
		 * standard API, using hci_send_cmd or hci_cmd_sync helpers.
3125
		 * Some vendors do not comply with this rule for vendor-specific
3126
		 * commands and do not return any event. We want to support
3127
		 * unresponded commands for such cases only.
3128
		 */
3129
		bt_dev_err(hdev, "unresponded command not supported");
3130
		return -EINVAL;
3131
	}
3132

3133
	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
3134
	if (!skb) {
3135
		bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
3136
			   opcode);
3137
		return -ENOMEM;
3138
	}
3139

3140
	hci_send_frame(hdev, skb);
3141

3142
	return 0;
3143
}
3144
EXPORT_SYMBOL(__hci_cmd_send);
3145

3146
/* Get data from the previously sent command */
3147
static void *hci_cmd_data(struct sk_buff *skb, __u16 opcode)
3148
{
3149
	struct hci_command_hdr *hdr;
3150

3151
	if (!skb || skb->len < HCI_COMMAND_HDR_SIZE)
3152
		return NULL;
3153

3154
	hdr = (void *)skb->data;
3155

3156
	if (hdr->opcode != cpu_to_le16(opcode))
3157
		return NULL;
3158

3159
	return skb->data + HCI_COMMAND_HDR_SIZE;
3160
}
3161

3162
/* Get data from the previously sent command */
3163
void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3164
{
3165
	void *data;
3166

3167
	/* Check if opcode matches last sent command */
3168
	data = hci_cmd_data(hdev->sent_cmd, opcode);
3169
	if (!data)
3170
		/* Check if opcode matches last request */
3171
		data = hci_cmd_data(hdev->req_skb, opcode);
3172

3173
	return data;
3174
}
3175

3176
/* Get data from last received event */
3177
void *hci_recv_event_data(struct hci_dev *hdev, __u8 event)
3178
{
3179
	struct hci_event_hdr *hdr;
3180
	int offset;
3181

3182
	if (!hdev->recv_event)
3183
		return NULL;
3184

3185
	hdr = (void *)hdev->recv_event->data;
3186
	offset = sizeof(*hdr);
3187

3188
	if (hdr->evt != event) {
3189
		/* In case of LE metaevent check the subevent match */
3190
		if (hdr->evt == HCI_EV_LE_META) {
3191
			struct hci_ev_le_meta *ev;
3192

3193
			ev = (void *)hdev->recv_event->data + offset;
3194
			offset += sizeof(*ev);
3195
			if (ev->subevent == event)
3196
				goto found;
3197
		}
3198
		return NULL;
3199
	}
3200

3201
found:
3202
	bt_dev_dbg(hdev, "event 0x%2.2x", event);
3203

3204
	return hdev->recv_event->data + offset;
3205
}
3206

3207
/* Send ACL data */
3208
static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3209
{
3210
	struct hci_acl_hdr *hdr;
3211
	int len = skb->len;
3212

3213
	skb_push(skb, HCI_ACL_HDR_SIZE);
3214
	skb_reset_transport_header(skb);
3215
	hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3216
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3217
	hdr->dlen   = cpu_to_le16(len);
3218
}
3219

3220
static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3221
			  struct sk_buff *skb, __u16 flags)
3222
{
3223
	struct hci_conn *conn = chan->conn;
3224
	struct hci_dev *hdev = conn->hdev;
3225
	struct sk_buff *list;
3226

3227
	skb->len = skb_headlen(skb);
3228
	skb->data_len = 0;
3229

3230
	hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3231

3232
	hci_add_acl_hdr(skb, conn->handle, flags);
3233

3234
	list = skb_shinfo(skb)->frag_list;
3235
	if (!list) {
3236
		/* Non fragmented */
3237
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3238

3239
		skb_queue_tail(queue, skb);
3240
	} else {
3241
		/* Fragmented */
3242
		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3243

3244
		skb_shinfo(skb)->frag_list = NULL;
3245

3246
		/* Queue all fragments atomically. We need to use spin_lock_bh
3247
		 * here because of 6LoWPAN links, as there this function is
3248
		 * called from softirq and using normal spin lock could cause
3249
		 * deadlocks.
3250
		 */
3251
		spin_lock_bh(&queue->lock);
3252

3253
		__skb_queue_tail(queue, skb);
3254

3255
		flags &= ~ACL_START;
3256
		flags |= ACL_CONT;
3257
		do {
3258
			skb = list; list = list->next;
3259

3260
			hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3261
			hci_add_acl_hdr(skb, conn->handle, flags);
3262

3263
			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3264

3265
			__skb_queue_tail(queue, skb);
3266
		} while (list);
3267

3268
		spin_unlock_bh(&queue->lock);
3269
	}
3270
}
3271

3272
void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3273
{
3274
	struct hci_dev *hdev = chan->conn->hdev;
3275

3276
	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3277

3278
	hci_queue_acl(chan, &chan->data_q, skb, flags);
3279

3280
	queue_work(hdev->workqueue, &hdev->tx_work);
3281
}
3282

3283
/* Send SCO data */
3284
void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3285
{
3286
	struct hci_dev *hdev = conn->hdev;
3287
	struct hci_sco_hdr hdr;
3288

3289
	BT_DBG("%s len %d", hdev->name, skb->len);
3290

3291
	hdr.handle = cpu_to_le16(conn->handle);
3292
	hdr.dlen   = skb->len;
3293

3294
	skb_push(skb, HCI_SCO_HDR_SIZE);
3295
	skb_reset_transport_header(skb);
3296
	memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3297

3298
	hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3299

3300
	skb_queue_tail(&conn->data_q, skb);
3301
	queue_work(hdev->workqueue, &hdev->tx_work);
3302
}
3303

3304
/* Send ISO data */
3305
static void hci_add_iso_hdr(struct sk_buff *skb, __u16 handle, __u8 flags)
3306
{
3307
	struct hci_iso_hdr *hdr;
3308
	int len = skb->len;
3309

3310
	skb_push(skb, HCI_ISO_HDR_SIZE);
3311
	skb_reset_transport_header(skb);
3312
	hdr = (struct hci_iso_hdr *)skb_transport_header(skb);
3313
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3314
	hdr->dlen   = cpu_to_le16(len);
3315
}
3316

3317
static void hci_queue_iso(struct hci_conn *conn, struct sk_buff_head *queue,
3318
			  struct sk_buff *skb)
3319
{
3320
	struct hci_dev *hdev = conn->hdev;
3321
	struct sk_buff *list;
3322
	__u16 flags;
3323

3324
	skb->len = skb_headlen(skb);
3325
	skb->data_len = 0;
3326

3327
	hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
3328

3329
	list = skb_shinfo(skb)->frag_list;
3330

3331
	flags = hci_iso_flags_pack(list ? ISO_START : ISO_SINGLE, 0x00);
3332
	hci_add_iso_hdr(skb, conn->handle, flags);
3333

3334
	if (!list) {
3335
		/* Non fragmented */
3336
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3337

3338
		skb_queue_tail(queue, skb);
3339
	} else {
3340
		/* Fragmented */
3341
		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3342

3343
		skb_shinfo(skb)->frag_list = NULL;
3344

3345
		__skb_queue_tail(queue, skb);
3346

3347
		do {
3348
			skb = list; list = list->next;
3349

3350
			hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
3351
			flags = hci_iso_flags_pack(list ? ISO_CONT : ISO_END,
3352
						   0x00);
3353
			hci_add_iso_hdr(skb, conn->handle, flags);
3354

3355
			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3356

3357
			__skb_queue_tail(queue, skb);
3358
		} while (list);
3359
	}
3360
}
3361

3362
void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb)
3363
{
3364
	struct hci_dev *hdev = conn->hdev;
3365

3366
	BT_DBG("%s len %d", hdev->name, skb->len);
3367

3368
	hci_queue_iso(conn, &conn->data_q, skb);
3369

3370
	queue_work(hdev->workqueue, &hdev->tx_work);
3371
}
3372

3373
/* ---- HCI TX task (outgoing data) ---- */
3374

3375
/* HCI Connection scheduler */
3376
static inline void hci_quote_sent(struct hci_conn *conn, int num, int *quote)
3377
{
3378
	struct hci_dev *hdev;
3379
	int cnt, q;
3380

3381
	if (!conn) {
3382
		*quote = 0;
3383
		return;
3384
	}
3385

3386
	hdev = conn->hdev;
3387

3388
	switch (conn->type) {
3389
	case ACL_LINK:
3390
		cnt = hdev->acl_cnt;
3391
		break;
3392
	case SCO_LINK:
3393
	case ESCO_LINK:
3394
		cnt = hdev->sco_cnt;
3395
		break;
3396
	case LE_LINK:
3397
		cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3398
		break;
3399
	case CIS_LINK:
3400
	case BIS_LINK:
3401
	case PA_LINK:
3402
		cnt = hdev->iso_mtu ? hdev->iso_cnt :
3403
			hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3404
		break;
3405
	default:
3406
		cnt = 0;
3407
		bt_dev_err(hdev, "unknown link type %d", conn->type);
3408
	}
3409

3410
	q = cnt / num;
3411
	*quote = q ? q : 1;
3412
}
3413

3414
static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3415
				     int *quote)
3416
{
3417
	struct hci_conn_hash *h = &hdev->conn_hash;
3418
	struct hci_conn *conn = NULL, *c;
3419
	unsigned int num = 0, min = ~0;
3420

3421
	/* We don't have to lock device here. Connections are always
3422
	 * added and removed with TX task disabled. */
3423

3424
	rcu_read_lock();
3425

3426
	list_for_each_entry_rcu(c, &h->list, list) {
3427
		if (c->type != type ||
3428
		    skb_queue_empty(&c->data_q))
3429
			continue;
3430

3431
		if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3432
			continue;
3433

3434
		num++;
3435

3436
		if (c->sent < min) {
3437
			min  = c->sent;
3438
			conn = c;
3439
		}
3440

3441
		if (hci_conn_num(hdev, type) == num)
3442
			break;
3443
	}
3444

3445
	rcu_read_unlock();
3446

3447
	hci_quote_sent(conn, num, quote);
3448

3449
	BT_DBG("conn %p quote %d", conn, *quote);
3450
	return conn;
3451
}
3452

3453
static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3454
{
3455
	struct hci_conn_hash *h = &hdev->conn_hash;
3456
	struct hci_conn *c;
3457

3458
	bt_dev_err(hdev, "link tx timeout");
3459

3460
	hci_dev_lock(hdev);
3461

3462
	/* Kill stalled connections */
3463
	list_for_each_entry(c, &h->list, list) {
3464
		if (c->type == type && c->sent) {
3465
			bt_dev_err(hdev, "killing stalled connection %pMR",
3466
				   &c->dst);
3467
			hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3468
		}
3469
	}
3470

3471
	hci_dev_unlock(hdev);
3472
}
3473

3474
static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3475
				      int *quote)
3476
{
3477
	struct hci_conn_hash *h = &hdev->conn_hash;
3478
	struct hci_chan *chan = NULL;
3479
	unsigned int num = 0, min = ~0, cur_prio = 0;
3480
	struct hci_conn *conn;
3481
	int conn_num = 0;
3482

3483
	BT_DBG("%s", hdev->name);
3484

3485
	rcu_read_lock();
3486

3487
	list_for_each_entry_rcu(conn, &h->list, list) {
3488
		struct hci_chan *tmp;
3489

3490
		if (conn->type != type)
3491
			continue;
3492

3493
		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3494
			continue;
3495

3496
		conn_num++;
3497

3498
		list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3499
			struct sk_buff *skb;
3500

3501
			if (skb_queue_empty(&tmp->data_q))
3502
				continue;
3503

3504
			skb = skb_peek(&tmp->data_q);
3505
			if (skb->priority < cur_prio)
3506
				continue;
3507

3508
			if (skb->priority > cur_prio) {
3509
				num = 0;
3510
				min = ~0;
3511
				cur_prio = skb->priority;
3512
			}
3513

3514
			num++;
3515

3516
			if (conn->sent < min) {
3517
				min  = conn->sent;
3518
				chan = tmp;
3519
			}
3520
		}
3521

3522
		if (hci_conn_num(hdev, type) == conn_num)
3523
			break;
3524
	}
3525

3526
	rcu_read_unlock();
3527

3528
	if (!chan)
3529
		return NULL;
3530

3531
	hci_quote_sent(chan->conn, num, quote);
3532

3533
	BT_DBG("chan %p quote %d", chan, *quote);
3534
	return chan;
3535
}
3536

3537
static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3538
{
3539
	struct hci_conn_hash *h = &hdev->conn_hash;
3540
	struct hci_conn *conn;
3541
	int num = 0;
3542

3543
	BT_DBG("%s", hdev->name);
3544

3545
	rcu_read_lock();
3546

3547
	list_for_each_entry_rcu(conn, &h->list, list) {
3548
		struct hci_chan *chan;
3549

3550
		if (conn->type != type)
3551
			continue;
3552

3553
		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3554
			continue;
3555

3556
		num++;
3557

3558
		list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3559
			struct sk_buff *skb;
3560

3561
			if (chan->sent) {
3562
				chan->sent = 0;
3563
				continue;
3564
			}
3565

3566
			if (skb_queue_empty(&chan->data_q))
3567
				continue;
3568

3569
			skb = skb_peek(&chan->data_q);
3570
			if (skb->priority >= HCI_PRIO_MAX - 1)
3571
				continue;
3572

3573
			skb->priority = HCI_PRIO_MAX - 1;
3574

3575
			BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3576
			       skb->priority);
3577
		}
3578

3579
		if (hci_conn_num(hdev, type) == num)
3580
			break;
3581
	}
3582

3583
	rcu_read_unlock();
3584

3585
}
3586

3587
static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type)
3588
{
3589
	unsigned long last_tx;
3590

3591
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
3592
		return;
3593

3594
	switch (type) {
3595
	case LE_LINK:
3596
		last_tx = hdev->le_last_tx;
3597
		break;
3598
	default:
3599
		last_tx = hdev->acl_last_tx;
3600
		break;
3601
	}
3602

3603
	/* tx timeout must be longer than maximum link supervision timeout
3604
	 * (40.9 seconds)
3605
	 */
3606
	if (!cnt && time_after(jiffies, last_tx + HCI_ACL_TX_TIMEOUT))
3607
		hci_link_tx_to(hdev, type);
3608
}
3609

3610
/* Schedule SCO */
3611
static void hci_sched_sco(struct hci_dev *hdev, __u8 type)
3612
{
3613
	struct hci_conn *conn;
3614
	struct sk_buff *skb;
3615
	int quote, *cnt;
3616
	unsigned int pkts = hdev->sco_pkts;
3617

3618
	bt_dev_dbg(hdev, "type %u", type);
3619

3620
	if (!hci_conn_num(hdev, type) || !pkts)
3621
		return;
3622

3623
	/* Use sco_pkts if flow control has not been enabled which will limit
3624
	 * the amount of buffer sent in a row.
3625
	 */
3626
	if (!hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
3627
		cnt = &pkts;
3628
	else
3629
		cnt = &hdev->sco_cnt;
3630

3631
	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
3632
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3633
			BT_DBG("skb %p len %d", skb, skb->len);
3634
			hci_send_conn_frame(hdev, conn, skb);
3635

3636
			conn->sent++;
3637
			if (conn->sent == ~0)
3638
				conn->sent = 0;
3639
			(*cnt)--;
3640
		}
3641
	}
3642

3643
	/* Rescheduled if all packets were sent and flow control is not enabled
3644
	 * as there could be more packets queued that could not be sent and
3645
	 * since no HCI_EV_NUM_COMP_PKTS event will be generated the reschedule
3646
	 * needs to be forced.
3647
	 */
3648
	if (!pkts && !hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
3649
		queue_work(hdev->workqueue, &hdev->tx_work);
3650
}
3651

3652
static void hci_sched_acl_pkt(struct hci_dev *hdev)
3653
{
3654
	unsigned int cnt = hdev->acl_cnt;
3655
	struct hci_chan *chan;
3656
	struct sk_buff *skb;
3657
	int quote;
3658

3659
	__check_timeout(hdev, cnt, ACL_LINK);
3660

3661
	while (hdev->acl_cnt &&
3662
	       (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3663
		u32 priority = (skb_peek(&chan->data_q))->priority;
3664
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3665
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3666
			       skb->len, skb->priority);
3667

3668
			/* Stop if priority has changed */
3669
			if (skb->priority < priority)
3670
				break;
3671

3672
			skb = skb_dequeue(&chan->data_q);
3673

3674
			hci_conn_enter_active_mode(chan->conn,
3675
						   bt_cb(skb)->force_active);
3676

3677
			hci_send_conn_frame(hdev, chan->conn, skb);
3678
			hdev->acl_last_tx = jiffies;
3679

3680
			hdev->acl_cnt--;
3681
			chan->sent++;
3682
			chan->conn->sent++;
3683

3684
			/* Send pending SCO packets right away */
3685
			hci_sched_sco(hdev, SCO_LINK);
3686
			hci_sched_sco(hdev, ESCO_LINK);
3687
		}
3688
	}
3689

3690
	if (cnt != hdev->acl_cnt)
3691
		hci_prio_recalculate(hdev, ACL_LINK);
3692
}
3693

3694
static void hci_sched_acl(struct hci_dev *hdev)
3695
{
3696
	BT_DBG("%s", hdev->name);
3697

3698
	/* No ACL link over BR/EDR controller */
3699
	if (!hci_conn_num(hdev, ACL_LINK))
3700
		return;
3701

3702
	hci_sched_acl_pkt(hdev);
3703
}
3704

3705
static void hci_sched_le(struct hci_dev *hdev)
3706
{
3707
	struct hci_chan *chan;
3708
	struct sk_buff *skb;
3709
	int quote, *cnt, tmp;
3710

3711
	BT_DBG("%s", hdev->name);
3712

3713
	if (!hci_conn_num(hdev, LE_LINK))
3714
		return;
3715

3716
	cnt = hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt;
3717

3718
	__check_timeout(hdev, *cnt, LE_LINK);
3719

3720
	tmp = *cnt;
3721
	while (*cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3722
		u32 priority = (skb_peek(&chan->data_q))->priority;
3723
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3724
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3725
			       skb->len, skb->priority);
3726

3727
			/* Stop if priority has changed */
3728
			if (skb->priority < priority)
3729
				break;
3730

3731
			skb = skb_dequeue(&chan->data_q);
3732

3733
			hci_send_conn_frame(hdev, chan->conn, skb);
3734
			hdev->le_last_tx = jiffies;
3735

3736
			(*cnt)--;
3737
			chan->sent++;
3738
			chan->conn->sent++;
3739

3740
			/* Send pending SCO packets right away */
3741
			hci_sched_sco(hdev, SCO_LINK);
3742
			hci_sched_sco(hdev, ESCO_LINK);
3743
		}
3744
	}
3745

3746
	if (*cnt != tmp)
3747
		hci_prio_recalculate(hdev, LE_LINK);
3748
}
3749

3750
/* Schedule iso */
3751
static void hci_sched_iso(struct hci_dev *hdev, __u8 type)
3752
{
3753
	struct hci_conn *conn;
3754
	struct sk_buff *skb;
3755
	int quote, *cnt;
3756

3757
	BT_DBG("%s", hdev->name);
3758

3759
	if (!hci_conn_num(hdev, type))
3760
		return;
3761

3762
	cnt = hdev->iso_pkts ? &hdev->iso_cnt :
3763
		hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt;
3764
	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
3765
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3766
			BT_DBG("skb %p len %d", skb, skb->len);
3767
			hci_send_conn_frame(hdev, conn, skb);
3768

3769
			conn->sent++;
3770
			if (conn->sent == ~0)
3771
				conn->sent = 0;
3772
			(*cnt)--;
3773
		}
3774
	}
3775
}
3776

3777
static void hci_tx_work(struct work_struct *work)
3778
{
3779
	struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3780
	struct sk_buff *skb;
3781

3782
	BT_DBG("%s acl %d sco %d le %d iso %d", hdev->name, hdev->acl_cnt,
3783
	       hdev->sco_cnt, hdev->le_cnt, hdev->iso_cnt);
3784

3785
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3786
		/* Schedule queues and send stuff to HCI driver */
3787
		hci_sched_sco(hdev, SCO_LINK);
3788
		hci_sched_sco(hdev, ESCO_LINK);
3789
		hci_sched_iso(hdev, CIS_LINK);
3790
		hci_sched_iso(hdev, BIS_LINK);
3791
		hci_sched_iso(hdev, PA_LINK);
3792
		hci_sched_acl(hdev);
3793
		hci_sched_le(hdev);
3794
	}
3795

3796
	/* Send next queued raw (unknown type) packet */
3797
	while ((skb = skb_dequeue(&hdev->raw_q)))
3798
		hci_send_frame(hdev, skb);
3799
}
3800

3801
/* ----- HCI RX task (incoming data processing) ----- */
3802

3803
/* ACL data packet */
3804
static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3805
{
3806
	struct hci_acl_hdr *hdr;
3807
	struct hci_conn *conn;
3808
	__u16 handle, flags;
3809

3810
	hdr = skb_pull_data(skb, sizeof(*hdr));
3811
	if (!hdr) {
3812
		bt_dev_err(hdev, "ACL packet too small");
3813
		goto drop;
3814
	}
3815

3816
	handle = __le16_to_cpu(hdr->handle);
3817
	flags  = hci_flags(handle);
3818
	handle = hci_handle(handle);
3819

3820
	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
3821
		   handle, flags);
3822

3823
	hdev->stat.acl_rx++;
3824

3825
	hci_dev_lock(hdev);
3826
	conn = hci_conn_hash_lookup_handle(hdev, handle);
3827
	hci_dev_unlock(hdev);
3828

3829
	if (conn) {
3830
		hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3831

3832
		/* Send to upper protocol */
3833
		l2cap_recv_acldata(conn, skb, flags);
3834
		return;
3835
	} else {
3836
		bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
3837
			   handle);
3838
	}
3839

3840
drop:
3841
	kfree_skb(skb);
3842
}
3843

3844
/* SCO data packet */
3845
static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3846
{
3847
	struct hci_sco_hdr *hdr;
3848
	struct hci_conn *conn;
3849
	__u16 handle, flags;
3850

3851
	hdr = skb_pull_data(skb, sizeof(*hdr));
3852
	if (!hdr) {
3853
		bt_dev_err(hdev, "SCO packet too small");
3854
		goto drop;
3855
	}
3856

3857
	handle = __le16_to_cpu(hdr->handle);
3858
	flags  = hci_flags(handle);
3859
	handle = hci_handle(handle);
3860

3861
	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
3862
		   handle, flags);
3863

3864
	hdev->stat.sco_rx++;
3865

3866
	hci_dev_lock(hdev);
3867
	conn = hci_conn_hash_lookup_handle(hdev, handle);
3868
	hci_dev_unlock(hdev);
3869

3870
	if (conn) {
3871
		/* Send to upper protocol */
3872
		hci_skb_pkt_status(skb) = flags & 0x03;
3873
		sco_recv_scodata(conn, skb);
3874
		return;
3875
	} else {
3876
		bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d",
3877
				       handle);
3878
	}
3879

3880
drop:
3881
	kfree_skb(skb);
3882
}
3883

3884
static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3885
{
3886
	struct hci_iso_hdr *hdr;
3887
	struct hci_conn *conn;
3888
	__u16 handle, flags;
3889

3890
	hdr = skb_pull_data(skb, sizeof(*hdr));
3891
	if (!hdr) {
3892
		bt_dev_err(hdev, "ISO packet too small");
3893
		goto drop;
3894
	}
3895

3896
	handle = __le16_to_cpu(hdr->handle);
3897
	flags  = hci_flags(handle);
3898
	handle = hci_handle(handle);
3899

3900
	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
3901
		   handle, flags);
3902

3903
	hci_dev_lock(hdev);
3904
	conn = hci_conn_hash_lookup_handle(hdev, handle);
3905
	hci_dev_unlock(hdev);
3906

3907
	if (!conn) {
3908
		bt_dev_err(hdev, "ISO packet for unknown connection handle %d",
3909
			   handle);
3910
		goto drop;
3911
	}
3912

3913
	/* Send to upper protocol */
3914
	iso_recv(conn, skb, flags);
3915
	return;
3916

3917
drop:
3918
	kfree_skb(skb);
3919
}
3920

3921
static bool hci_req_is_complete(struct hci_dev *hdev)
3922
{
3923
	struct sk_buff *skb;
3924

3925
	skb = skb_peek(&hdev->cmd_q);
3926
	if (!skb)
3927
		return true;
3928

3929
	return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
3930
}
3931

3932
static void hci_resend_last(struct hci_dev *hdev)
3933
{
3934
	struct hci_command_hdr *sent;
3935
	struct sk_buff *skb;
3936
	u16 opcode;
3937

3938
	if (!hdev->sent_cmd)
3939
		return;
3940

3941
	sent = (void *) hdev->sent_cmd->data;
3942
	opcode = __le16_to_cpu(sent->opcode);
3943
	if (opcode == HCI_OP_RESET)
3944
		return;
3945

3946
	skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
3947
	if (!skb)
3948
		return;
3949

3950
	skb_queue_head(&hdev->cmd_q, skb);
3951
	queue_work(hdev->workqueue, &hdev->cmd_work);
3952
}
3953

3954
void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
3955
			  hci_req_complete_t *req_complete,
3956
			  hci_req_complete_skb_t *req_complete_skb)
3957
{
3958
	struct sk_buff *skb;
3959
	unsigned long flags;
3960

3961
	BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3962

3963
	/* If the completed command doesn't match the last one that was
3964
	 * sent we need to do special handling of it.
3965
	 */
3966
	if (!hci_sent_cmd_data(hdev, opcode)) {
3967
		/* Some CSR based controllers generate a spontaneous
3968
		 * reset complete event during init and any pending
3969
		 * command will never be completed. In such a case we
3970
		 * need to resend whatever was the last sent
3971
		 * command.
3972
		 */
3973
		if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
3974
			hci_resend_last(hdev);
3975

3976
		return;
3977
	}
3978

3979
	/* If we reach this point this event matches the last command sent */
3980
	hci_dev_clear_flag(hdev, HCI_CMD_PENDING);
3981

3982
	/* If the command succeeded and there's still more commands in
3983
	 * this request the request is not yet complete.
3984
	 */
3985
	if (!status && !hci_req_is_complete(hdev))
3986
		return;
3987

3988
	skb = hdev->req_skb;
3989

3990
	/* If this was the last command in a request the complete
3991
	 * callback would be found in hdev->req_skb instead of the
3992
	 * command queue (hdev->cmd_q).
3993
	 */
3994
	if (skb && bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) {
3995
		*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
3996
		return;
3997
	}
3998

3999
	if (skb && bt_cb(skb)->hci.req_complete) {
4000
		*req_complete = bt_cb(skb)->hci.req_complete;
4001
		return;
4002
	}
4003

4004
	/* Remove all pending commands belonging to this request */
4005
	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4006
	while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4007
		if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4008
			__skb_queue_head(&hdev->cmd_q, skb);
4009
			break;
4010
		}
4011

4012
		if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
4013
			*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4014
		else
4015
			*req_complete = bt_cb(skb)->hci.req_complete;
4016
		dev_kfree_skb_irq(skb);
4017
	}
4018
	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4019
}
4020

4021
static void hci_rx_work(struct work_struct *work)
4022
{
4023
	struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4024
	struct sk_buff *skb;
4025

4026
	BT_DBG("%s", hdev->name);
4027

4028
	/* The kcov_remote functions used for collecting packet parsing
4029
	 * coverage information from this background thread and associate
4030
	 * the coverage with the syscall's thread which originally injected
4031
	 * the packet. This helps fuzzing the kernel.
4032
	 */
4033
	for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
4034
		kcov_remote_start_common(skb_get_kcov_handle(skb));
4035

4036
		/* Send copy to monitor */
4037
		hci_send_to_monitor(hdev, skb);
4038

4039
		if (atomic_read(&hdev->promisc)) {
4040
			/* Send copy to the sockets */
4041
			hci_send_to_sock(hdev, skb);
4042
		}
4043

4044
		/* If the device has been opened in HCI_USER_CHANNEL,
4045
		 * the userspace has exclusive access to device.
4046
		 * When device is HCI_INIT, we still need to process
4047
		 * the data packets to the driver in order
4048
		 * to complete its setup().
4049
		 */
4050
		if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
4051
		    !test_bit(HCI_INIT, &hdev->flags)) {
4052
			kfree_skb(skb);
4053
			continue;
4054
		}
4055

4056
		if (test_bit(HCI_INIT, &hdev->flags)) {
4057
			/* Don't process data packets in this states. */
4058
			switch (hci_skb_pkt_type(skb)) {
4059
			case HCI_ACLDATA_PKT:
4060
			case HCI_SCODATA_PKT:
4061
			case HCI_ISODATA_PKT:
4062
				kfree_skb(skb);
4063
				continue;
4064
			}
4065
		}
4066

4067
		/* Process frame */
4068
		switch (hci_skb_pkt_type(skb)) {
4069
		case HCI_EVENT_PKT:
4070
			BT_DBG("%s Event packet", hdev->name);
4071
			hci_event_packet(hdev, skb);
4072
			break;
4073

4074
		case HCI_ACLDATA_PKT:
4075
			BT_DBG("%s ACL data packet", hdev->name);
4076
			hci_acldata_packet(hdev, skb);
4077
			break;
4078

4079
		case HCI_SCODATA_PKT:
4080
			BT_DBG("%s SCO data packet", hdev->name);
4081
			hci_scodata_packet(hdev, skb);
4082
			break;
4083

4084
		case HCI_ISODATA_PKT:
4085
			BT_DBG("%s ISO data packet", hdev->name);
4086
			hci_isodata_packet(hdev, skb);
4087
			break;
4088

4089
		default:
4090
			kfree_skb(skb);
4091
			break;
4092
		}
4093
	}
4094
}
4095

4096
static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
4097
{
4098
	int err;
4099

4100
	bt_dev_dbg(hdev, "skb %p", skb);
4101

4102
	kfree_skb(hdev->sent_cmd);
4103

4104
	hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4105
	if (!hdev->sent_cmd) {
4106
		skb_queue_head(&hdev->cmd_q, skb);
4107
		queue_work(hdev->workqueue, &hdev->cmd_work);
4108
		return;
4109
	}
4110

4111
	if (hci_skb_opcode(skb) != HCI_OP_NOP) {
4112
		err = hci_send_frame(hdev, skb);
4113
		if (err < 0) {
4114
			hci_cmd_sync_cancel_sync(hdev, -err);
4115
			return;
4116
		}
4117
		atomic_dec(&hdev->cmd_cnt);
4118
	}
4119

4120
	if (hdev->req_status == HCI_REQ_PEND &&
4121
	    !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
4122
		kfree_skb(hdev->req_skb);
4123
		hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4124
	}
4125
}
4126

4127
static void hci_cmd_work(struct work_struct *work)
4128
{
4129
	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4130
	struct sk_buff *skb;
4131

4132
	BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4133
	       atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4134

4135
	/* Send queued commands */
4136
	if (atomic_read(&hdev->cmd_cnt)) {
4137
		skb = skb_dequeue(&hdev->cmd_q);
4138
		if (!skb)
4139
			return;
4140

4141
		hci_send_cmd_sync(hdev, skb);
4142

4143
		rcu_read_lock();
4144
		if (test_bit(HCI_RESET, &hdev->flags) ||
4145
		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
4146
			cancel_delayed_work(&hdev->cmd_timer);
4147
		else
4148
			queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
4149
					   HCI_CMD_TIMEOUT);
4150
		rcu_read_unlock();
4151
	}
4152
}
4153

4154