1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
5
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
11
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI core. */
27
28 #include <linux/export.h>
29 #include <linux/rfkill.h>
30 #include <linux/debugfs.h>
31 #include <linux/crypto.h>
32 #include <linux/kcov.h>
33 #include <linux/property.h>
34 #include <linux/suspend.h>
35 #include <linux/wait.h>
36 #include <linux/unaligned.h>
37
38 #include <net/bluetooth/bluetooth.h>
39 #include <net/bluetooth/hci_core.h>
40 #include <net/bluetooth/l2cap.h>
41 #include <net/bluetooth/mgmt.h>
42
43 #include "hci_debugfs.h"
44 #include "smp.h"
45 #include "leds.h"
46 #include "msft.h"
47 #include "aosp.h"
48 #include "hci_codec.h"
49
/* Forward declarations of the work handlers referenced before their
 * definitions below. */
static void hci_rx_work(struct work_struct *work);
static void hci_cmd_work(struct work_struct *work);
static void hci_tx_work(struct work_struct *work);

/* HCI device list, protected by hci_dev_list_lock (readers such as
 * __hci_dev_get() and hci_get_dev_list() take it for read). */
LIST_HEAD(hci_dev_list);
DEFINE_RWLOCK(hci_dev_list_lock);

/* HCI callback list, protected by hci_cb_list_lock */
LIST_HEAD(hci_cb_list);
DEFINE_MUTEX(hci_cb_list_lock);

/* HCI ID Numbering: IDA from which device indices are allocated */
static DEFINE_IDA(hci_index_ida);
64
/* Get HCI device by index.
 *
 * Returns the registered device whose ->id equals @index with its
 * reference count raised, or NULL if @index is negative or no such
 * device exists. When @srcu_index is non-NULL the device's SRCU read
 * lock is taken as well and the cookie is stored there; the caller
 * must then release both with hci_dev_put_srcu().
 */
static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
{
	struct hci_dev *cur;
	struct hci_dev *found = NULL;

	BT_DBG("%d", index);

	if (index < 0)
		return NULL;

	read_lock(&hci_dev_list_lock);
	list_for_each_entry(cur, &hci_dev_list, list) {
		if (cur->id != index)
			continue;

		/* Hold (and optionally SRCU-lock) while still under the
		 * list lock so the device cannot go away in between. */
		found = hci_dev_hold(cur);
		if (srcu_index)
			*srcu_index = srcu_read_lock(&cur->srcu);
		break;
	}
	read_unlock(&hci_dev_list_lock);

	return found;
}
88
/* Look up an HCI device by index and take a reference on it.
 * No SRCU read lock is taken; release with hci_dev_put(). */
struct hci_dev *hci_dev_get(int index)
{
	int *no_srcu = NULL;

	return __hci_dev_get(index, no_srcu);
}
93
/* Like hci_dev_get() but also enters the device's SRCU read side; the
 * cookie written to @srcu_index must be handed back to hci_dev_put_srcu(). */
static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)
{
	struct hci_dev *hdev = __hci_dev_get(index, srcu_index);

	return hdev;
}
98
/* Undo hci_dev_get_srcu(): leave the SRCU read side first, then drop
 * the device reference (the reverse of the acquisition order). */
static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)
{
	struct srcu_struct *ssp = &hdev->srcu;

	srcu_read_unlock(ssp, srcu_index);
	hci_dev_put(hdev);
}
104
105 /* ---- Inquiry support ---- */
106
/* Return true while a discovery procedure is in progress, i.e. in the
 * FINDING or RESOLVING phase. Every other state counts as inactive. */
bool hci_discovery_active(struct hci_dev *hdev)
{
	int state = hdev->discovery.state;

	return state == DISCOVERY_FINDING || state == DISCOVERY_RESOLVING;
}
EXPORT_SYMBOL(hci_discovery_active);
121
/* Move the discovery state machine to @state and notify mgmt of the
 * transitions that userspace observes:
 *   - entering STOPPED refreshes passive scanning and reports
 *     "not discovering" (unless we never got past STARTING);
 *   - entering FINDING reports "discovering".
 * STARTING, RESOLVING and STOPPING only record the new state.
 * A no-op transition (same state) does nothing.
 */
void hci_discovery_set_state(struct hci_dev *hdev, int state)
{
	int prev = hdev->discovery.state;

	if (prev == state)
		return;

	hdev->discovery.state = state;

	if (state == DISCOVERY_STOPPED) {
		hci_update_passive_scan(hdev);

		/* Nothing was announced for STARTING, so there is nothing
		 * to retract when stopping straight from it. */
		if (prev != DISCOVERY_STARTING)
			mgmt_discovering(hdev, 0);
	} else if (state == DISCOVERY_FINDING) {
		mgmt_discovering(hdev, 1);
	}

	bt_dev_dbg(hdev, "state %u -> %u", prev, state);
}
151
/* Drop every entry from the inquiry cache.
 *
 * All entries are reachable from cache->all, so freeing along that list
 * releases everything; the unknown and resolve lists link the same
 * entries via ->list and are simply reset afterwards.
 */
void hci_inquiry_cache_flush(struct hci_dev *hdev)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *entry, *next;

	list_for_each_entry_safe(entry, next, &cache->all, all) {
		list_del(&entry->all);
		kfree(entry);
	}

	INIT_LIST_HEAD(&cache->unknown);
	INIT_LIST_HEAD(&cache->resolve);
}
165
/* Find the cache entry for @bdaddr on the "all" list.
 * Returns the entry or NULL; the caller is expected to hold hdev->lock
 * as the cache is not otherwise protected here. */
struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
					       bdaddr_t *bdaddr)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *entry, *match = NULL;

	BT_DBG("cache %p, %pMR", cache, bdaddr);

	list_for_each_entry(entry, &cache->all, all) {
		if (bacmp(&entry->data.bdaddr, bdaddr) != 0)
			continue;

		match = entry;
		break;
	}

	return match;
}
181
/* Find the entry for @bdaddr among devices whose name is not yet known
 * (the "unknown" list, linked via ->list). Returns the entry or NULL. */
struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
						       bdaddr_t *bdaddr)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *entry, *match = NULL;

	BT_DBG("cache %p, %pMR", cache, bdaddr);

	list_for_each_entry(entry, &cache->unknown, list) {
		if (bacmp(&entry->data.bdaddr, bdaddr) != 0)
			continue;

		match = entry;
		break;
	}

	return match;
}
197
/* Find an entry on the "resolve" list.
 *
 * With @bdaddr == BDADDR_ANY the first entry whose name_state equals
 * @state is returned (a wildcard lookup); otherwise the entry with that
 * exact address. Returns NULL when nothing matches.
 */
struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
						       bdaddr_t *bdaddr,
						       int state)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *entry;
	bool wildcard = !bacmp(bdaddr, BDADDR_ANY);

	BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);

	list_for_each_entry(entry, &cache->resolve, list) {
		if (wildcard && entry->name_state == state)
			return entry;
		if (bacmp(&entry->data.bdaddr, bdaddr) == 0)
			return entry;
	}

	return NULL;
}
216
/* Re-insert @ie into the "resolve" list at its sorted position.
 *
 * The list is kept ordered by increasing |rssi|, with NAME_PENDING
 * entries never displaced: @ie goes in front of the first non-pending
 * entry whose |rssi| is at least as large as its own, or at the tail.
 */
void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
				      struct inquiry_entry *ie)
{
	struct discovery_state *cache = &hdev->discovery;
	struct list_head *insert_after = &cache->resolve;
	struct inquiry_entry *cur;

	/* Unlink first; the entry is added back below at its new rank. */
	list_del(&ie->list);

	list_for_each_entry(cur, &cache->resolve, list) {
		bool stop_here = cur->name_state != NAME_PENDING &&
				 abs(cur->data.rssi) >= abs(ie->data.rssi);

		if (stop_here)
			break;
		insert_after = &cur->list;
	}

	list_add(&ie->list, insert_after);
}
235
/* Record one inquiry result in the discovery cache.
 *
 * @data: decoded inquiry response for a remote device.
 * @name_known: true if the remote name is already known, so no name
 *              resolution is required for this entry.
 *
 * Returns MGMT_DEV_FOUND_* flags describing how the device should be
 * reported: LEGACY_PAIRING if either the new or the previously cached
 * data has SSP disabled, CONFIRM_NAME if the name is still unknown or
 * if no cache entry could be allocated (in which case nothing is
 * cached at all).
 */
u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
			     bool name_known)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *ie;
	u32 flags = 0;

	BT_DBG("cache %p, %pMR", cache, &data->bdaddr);

	/* Remote OOB data for this BR/EDR address is removed before the
	 * cache is updated. */
	hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);

	if (!data->ssp_mode)
		flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;

	ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
	if (ie) {
		if (!ie->data.ssp_mode)
			flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;

		/* A changed RSSI re-ranks the entry in the resolve list,
		 * which is kept sorted by signal strength. */
		if (ie->name_state == NAME_NEEDED &&
		    data->rssi != ie->data.rssi) {
			ie->data.rssi = data->rssi;
			hci_inquiry_cache_update_resolve(hdev, ie);
		}

		goto update;
	}

	/* Entry not in the cache. Add new one. */
	ie = kzalloc_obj(*ie);
	if (!ie) {
		/* Nothing could be cached; ask for name confirmation so
		 * the device is not silently dropped. */
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
		goto done;
	}

	list_add(&ie->all, &cache->all);

	if (name_known) {
		ie->name_state = NAME_KNOWN;
	} else {
		ie->name_state = NAME_NOT_KNOWN;
		list_add(&ie->list, &cache->unknown);
	}

update:
	/* The name became known since the entry was cached: mark it and
	 * unlink ->list from whichever list it sits on, unless a name
	 * request is already in flight (NAME_PENDING). */
	if (name_known && ie->name_state != NAME_KNOWN &&
	    ie->name_state != NAME_PENDING) {
		ie->name_state = NAME_KNOWN;
		list_del(&ie->list);
	}

	/* Refresh the cached data and both timestamps. */
	memcpy(&ie->data, data, sizeof(*data));
	ie->timestamp = jiffies;
	cache->timestamp = jiffies;

	if (ie->name_state == NAME_NOT_KNOWN)
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;

done:
	return flags;
}
297
/* Serialise up to @num cache entries into @buf as consecutive
 * struct inquiry_info records.
 *
 * @buf must have room for @num records; the count written never
 * exceeds @num. Returns the number of records written. Must not
 * sleep (it is called under hdev->lock).
 */
static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_info *out = (struct inquiry_info *) buf;
	struct inquiry_entry *entry;
	int count = 0;

	list_for_each_entry(entry, &cache->all, all) {
		struct inquiry_data *src = &entry->data;
		struct inquiry_info *dst;

		/* Stop as soon as the caller's buffer is full. */
		if (count >= num)
			break;

		dst = &out[count];
		bacpy(&dst->bdaddr, &src->bdaddr);
		dst->pscan_rep_mode = src->pscan_rep_mode;
		dst->pscan_period_mode = src->pscan_period_mode;
		dst->pscan_mode = src->pscan_mode;
		memcpy(dst->dev_class, src->dev_class, 3);
		dst->clock_offset = src->clock_offset;

		count++;
	}

	BT_DBG("cache %p, copied %d", cache, count);
	return count;
}
325
/* Serve a userspace inquiry request: run a BR/EDR inquiry if the cache
 * is stale, empty or a flush was requested, then copy the cached
 * results back to the caller.
 *
 * @arg: userspace pointer to a struct hci_inquiry_req immediately
 *       followed by room for the returned inquiry_info records.
 *
 * Returns 0 on success, or -EFAULT (bad user pointer), -ENODEV (no such
 * device), -EBUSY (device owned by a user channel), -EOPNOTSUPP
 * (unconfigured or BR/EDR disabled), -EINVAL (length above 60 s),
 * -EINTR (interrupted while waiting for the inquiry), -ENOMEM, or the
 * error returned by hci_inquiry_sync().
 */
int hci_inquiry(void __user *arg)
{
	__u8 __user *ptr = arg;
	struct hci_inquiry_req ir;
	struct hci_dev *hdev;
	int err = 0, do_inquiry = 0, max_rsp;
	__u8 *buf;

	if (copy_from_user(&ir, ptr, sizeof(ir)))
		return -EFAULT;

	hdev = hci_dev_get(ir.dev_id);
	if (!hdev)
		return -ENODEV;

	/* A device owned by a user channel socket is off limits here. */
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EBUSY;
		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	/* Restrict maximum inquiry length to 60 seconds */
	if (ir.length > 60) {
		err = -EINVAL;
		goto done;
	}

	/* Decide under hdev->lock whether a fresh inquiry is needed. */
	hci_dev_lock(hdev);
	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
		hci_inquiry_cache_flush(hdev);
		do_inquiry = 1;
	}
	hci_dev_unlock(hdev);

	if (do_inquiry) {
		hci_req_sync_lock(hdev);
		err = hci_inquiry_sync(hdev, ir.length, ir.num_rsp);
		hci_req_sync_unlock(hdev);

		if (err < 0)
			goto done;

		/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
		 * cleared). If it is interrupted by a signal, return -EINTR.
		 */
		if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
				TASK_INTERRUPTIBLE)) {
			err = -EINTR;
			goto done;
		}
	}

	/* for unlimited number of responses we will use buffer with
	 * 255 entries
	 */
	max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;

	/* cache_dump can't sleep. Therefore we allocate temp buffer and then
	 * copy it to the user space.
	 *
	 * max_rsp bounds the allocation, the number of records
	 * inquiry_cache_dump() writes, and therefore the size of the
	 * copy_to_user() below.
	 */
	buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
	if (!buf) {
		err = -ENOMEM;
		goto done;
	}

	hci_dev_lock(hdev);
	ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
	hci_dev_unlock(hdev);

	BT_DBG("num_rsp %d", ir.num_rsp);

	/* Write back the request header (now carrying the real num_rsp)
	 * followed by exactly num_rsp inquiry_info records. */
	if (!copy_to_user(ptr, &ir, sizeof(ir))) {
		ptr += sizeof(ir);
		if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
				 ir.num_rsp))
			err = -EFAULT;
	} else
		err = -EFAULT;

	kfree(buf);

done:
	hci_dev_put(hdev);
	return err;
}
422
/* Open @hdev synchronously under the request lock.
 * Returns the result of hci_dev_open_sync(). */
static int hci_dev_do_open(struct hci_dev *hdev)
{
	int rc;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);
	rc = hci_dev_open_sync(hdev);
	hci_req_sync_unlock(hdev);

	return rc;
}
436
437 /* ---- HCI ioctl helpers ---- */
438
/* Bring up device index @dev on behalf of userspace.
 *
 * Returns 0 on success, -ENODEV if there is no such device,
 * -EOPNOTSUPP if the device is unconfigured and not being opened as a
 * user channel, or the result of hci_dev_do_open(). A reference on the
 * device is held for the duration of the call only.
 */
int hci_dev_open(__u16 dev)
{
	struct hci_dev *hdev;
	int err;

	hdev = hci_dev_get(dev);
	if (!hdev)
		return -ENODEV;

	/* Devices that are marked as unconfigured can only be powered
	 * up as user channel. Trying to bring them up as normal devices
	 * will result into a failure. Only user channel operation is
	 * possible.
	 *
	 * When this function is called for a user channel, the flag
	 * HCI_USER_CHANNEL will be set first before attempting to
	 * open the device.
	 */
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	/* We need to ensure that no other power on/off work is pending
	 * before proceeding to call hci_dev_do_open. This is
	 * particularly important if the setup procedure has not yet
	 * completed.
	 */
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
		cancel_delayed_work(&hdev->power_off);

	/* After this call it is guaranteed that the setup procedure
	 * has finished. This means that error conditions like RFKILL
	 * or no valid public or static random address apply.
	 */
	flush_workqueue(hdev->req_workqueue);

	/* For controllers not using the management interface and that
	 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
	 * so that pairing works for them. Once the management interface
	 * is in use this bit will be cleared again and userspace has
	 * to explicitly enable it.
	 */
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
	    !hci_dev_test_flag(hdev, HCI_MGMT))
		hci_dev_set_flag(hdev, HCI_BONDABLE);

	err = hci_dev_do_open(hdev);

done:
	hci_dev_put(hdev);
	return err;
}
493
/* Close @hdev synchronously under the request lock.
 * Returns the result of hci_dev_close_sync(). */
int hci_dev_do_close(struct hci_dev *hdev)
{
	int rc;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);
	rc = hci_dev_close_sync(hdev);
	hci_req_sync_unlock(hdev);

	return rc;
}
508
/* Shut down device index @dev on behalf of userspace.
 *
 * Returns 0 on success, -ENODEV if there is no such device, -EBUSY if a
 * user channel owns the device, or the result of hci_dev_do_close().
 */
int hci_dev_close(__u16 dev)
{
	struct hci_dev *hdev = hci_dev_get(dev);
	int rc = -EBUSY;

	if (!hdev)
		return -ENODEV;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
		goto out;

	/* Make sure no power-on work runs after we start closing, and
	 * drop a pending auto power-off since we are closing anyway. */
	cancel_work_sync(&hdev->power_on);
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
		cancel_delayed_work(&hdev->power_off);

	rc = hci_dev_do_close(hdev);

out:
	hci_dev_put(hdev);
	return rc;
}
533
/* Reset @hdev by closing and, if that succeeded, reopening it, all
 * under a single hold of the request lock. Returns the first error. */
static int hci_dev_do_reset(struct hci_dev *hdev)
{
	int rc;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);
	rc = hci_dev_close_sync(hdev);
	if (rc == 0)
		rc = hci_dev_open_sync(hdev);
	hci_req_sync_unlock(hdev);

	return rc;
}
549
/* Reset device index @dev on behalf of userspace.
 *
 * The device is looked up with its SRCU read side held for the whole
 * operation. Returns -ENODEV if absent, -ENETDOWN if the device is not
 * up, -EBUSY if a user channel owns it, -EOPNOTSUPP if unconfigured,
 * otherwise the result of hci_dev_do_reset().
 */
int hci_dev_reset(__u16 dev)
{
	struct hci_dev *hdev;
	int srcu_idx;
	int rc;

	hdev = hci_dev_get_srcu(dev, &srcu_idx);
	if (!hdev)
		return -ENODEV;

	if (!test_bit(HCI_UP, &hdev->flags))
		rc = -ENETDOWN;
	else if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
		rc = -EBUSY;
	else if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
		rc = -EOPNOTSUPP;
	else
		rc = hci_dev_do_reset(hdev);

	hci_dev_put_srcu(hdev, srcu_idx);
	return rc;
}
580
/* Zero the traffic statistics of device index @dev.
 *
 * Returns 0 on success, -ENODEV if absent, -EBUSY if a user channel
 * owns the device, -EOPNOTSUPP if it is unconfigured.
 */
int hci_dev_reset_stat(__u16 dev)
{
	struct hci_dev *hdev = hci_dev_get(dev);
	int rc;

	if (!hdev)
		return -ENODEV;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		rc = -EBUSY;
	} else if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
		rc = -EOPNOTSUPP;
	} else {
		memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
		rc = 0;
	}

	hci_dev_put(hdev);
	return rc;
}
606
/* Mirror a Write Scan Enable value issued outside of mgmt into the
 * HCI_CONNECTABLE / HCI_DISCOVERABLE flags, and tell mgmt when either
 * actually changed.
 *
 * @scan: the scan-enable bitmask that was written (SCAN_PAGE,
 *        SCAN_INQUIRY).
 */
static void hci_update_passive_scan_state(struct hci_dev *hdev, u8 scan)
{
	bool page_scan = scan & SCAN_PAGE;
	bool inq_scan = scan & SCAN_INQUIRY;
	bool conn_changed, discov_changed;

	BT_DBG("%s scan 0x%02x", hdev->name, scan);

	if (page_scan)
		conn_changed = !hci_dev_test_and_set_flag(hdev,
							  HCI_CONNECTABLE);
	else
		conn_changed = hci_dev_test_and_clear_flag(hdev,
							   HCI_CONNECTABLE);

	if (inq_scan) {
		discov_changed = !hci_dev_test_and_set_flag(hdev,
							    HCI_DISCOVERABLE);
	} else {
		/* Disabling inquiry scan also ends limited discoverability. */
		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
		discov_changed = hci_dev_test_and_clear_flag(hdev,
							     HCI_DISCOVERABLE);
	}

	/* Only mgmt users get settings notifications, and only when
	 * something actually changed. */
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
		return;
	if (!(conn_changed || discov_changed))
		return;

	/* In case this was disabled through mgmt */
	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);

	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
		hci_update_adv_data(hdev, hdev->cur_adv_instance);

	mgmt_new_settings(hdev);
}
642
/* Handle the legacy HCISET* device ioctls.
 *
 * @cmd: one of HCISETAUTH, HCISETENCRYPT, HCISETSCAN, HCISETLINKPOL,
 *       HCISETLINKMODE, HCISETPTYPE, HCISETACLMTU, HCISETSCOMTU.
 * @arg: userspace pointer to a struct hci_dev_req giving the device
 *       index and the new value in dev_opt.
 *
 * Returns 0 on success, -EFAULT/-ENODEV/-EBUSY/-EOPNOTSUPP as for the
 * other ioctl helpers, -EINVAL for an unknown @cmd, or the status of
 * the synchronous HCI command that was issued.
 */
int hci_dev_cmd(unsigned int cmd, void __user *arg)
{
	struct hci_dev *hdev;
	struct hci_dev_req dr;
	__le16 policy;
	int err = 0;

	if (copy_from_user(&dr, arg, sizeof(dr)))
		return -EFAULT;

	hdev = hci_dev_get(dr.dev_id);
	if (!hdev)
		return -ENODEV;

	/* Same gates as the other ioctl helpers: refuse while a user
	 * channel owns the device, when unconfigured, or without BR/EDR. */
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EBUSY;
		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	switch (cmd) {
	case HCISETAUTH:
		/* Parameter length 1: only the first byte of dev_opt is
		 * sent to the controller. */
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
		break;

	case HCISETENCRYPT:
		if (!lmp_encrypt_capable(hdev)) {
			err = -EOPNOTSUPP;
			break;
		}

		if (!test_bit(HCI_AUTH, &hdev->flags)) {
			/* Auth must be enabled first */
			err = hci_cmd_sync_status(hdev,
						  HCI_OP_WRITE_AUTH_ENABLE,
						  1, &dr.dev_opt,
						  HCI_CMD_TIMEOUT);
			if (err)
				break;
		}

		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
		break;

	case HCISETSCAN:
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);

		/* Ensure that the connectable and discoverable states
		 * get correctly modified as this was a non-mgmt change.
		 */
		if (!err)
			hci_update_passive_scan_state(hdev, dr.dev_opt);
		break;

	case HCISETLINKPOL:
		/* Goes on the wire as a 2-byte little-endian value. */
		policy = cpu_to_le16(dr.dev_opt);

		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
					  2, &policy, HCI_CMD_TIMEOUT);
		break;

	case HCISETLINKMODE:
		/* Only the master/accept bits are kept; the rest of
		 * dev_opt is masked off. */
		hdev->link_mode = ((__u16) dr.dev_opt) &
					(HCI_LM_MASTER | HCI_LM_ACCEPT);
		break;

	case HCISETPTYPE:
		/* Unchanged packet type: skip the mgmt notification. */
		if (hdev->pkt_type == (__u16) dr.dev_opt)
			break;

		hdev->pkt_type = (__u16) dr.dev_opt;
		mgmt_phy_configuration_changed(hdev, NULL);
		break;

	case HCISETACLMTU:
		/* dev_opt is type-punned as two host-order 16-bit halves:
		 * half 1 is the MTU, half 0 the packet count. Neither
		 * value is range-checked here. */
		hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
		hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
		break;

	case HCISETSCOMTU:
		/* Same layout as HCISETACLMTU. */
		hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
		hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
		break;

	default:
		err = -EINVAL;
		break;
	}

done:
	hci_dev_put(hdev);
	return err;
}
748
/* Copy the list of registered HCI devices to userspace.
 *
 * @arg: userspace pointer to a struct hci_dev_list_req whose leading
 *       __u16 (dev_num) says how many entries the caller has room for;
 *       it is overwritten with the number actually filled in.
 *
 * Returns 0 on success, -EFAULT on a bad user pointer, -EINVAL if
 * dev_num is zero or would need more than two pages of entries,
 * -ENOMEM if the temporary buffer cannot be allocated.
 */
int hci_get_dev_list(void __user *arg)
{
	struct hci_dev *hdev;
	struct hci_dev_list_req *dl;
	struct hci_dev_req *dr;
	int n = 0, err;
	__u16 dev_num;

	if (get_user(dev_num, (__u16 __user *) arg))
		return -EFAULT;

	/* dev_num is user-controlled: cap it so the allocation below
	 * stays bounded. */
	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
		return -EINVAL;

	dl = kzalloc_flex(*dl, dev_req, dev_num);
	if (!dl)
		return -ENOMEM;

	dl->dev_num = dev_num;
	dr = dl->dev_req;

	read_lock(&hci_dev_list_lock);
	list_for_each_entry(hdev, &hci_dev_list, list) {
		unsigned long flags = hdev->flags;

		/* When the auto-off is configured it means the transport
		 * is running, but in that case still indicate that the
		 * device is actually down.
		 */
		if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
			flags &= ~BIT(HCI_UP);

		dr[n].dev_id = hdev->id;
		dr[n].dev_opt = flags;

		/* Never write beyond the dev_num entries allocated above. */
		if (++n >= dev_num)
			break;
	}
	read_unlock(&hci_dev_list_lock);

	/* Report the filled count (replacing the value stored earlier)
	 * and copy only the header plus the n populated entries. */
	dl->dev_num = n;
	err = copy_to_user(arg, dl, struct_size(dl, dev_req, n));
	kfree(dl);

	return err ? -EFAULT : 0;
}
795
/* Fill a struct hci_dev_info for the device named by di.dev_id and
 * copy it back to userspace.
 *
 * @arg: userspace pointer to a struct hci_dev_info; only dev_id is read
 *       from it, the rest is overwritten.
 *
 * Returns 0 on success, -EFAULT on a bad user pointer, -ENODEV if there
 * is no such device.
 */
int hci_get_dev_info(void __user *arg)
{
	struct hci_dev *hdev;
	struct hci_dev_info di;
	bool bredr;
	int rc = 0;

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	hdev = hci_dev_get(di.dev_id);
	if (!hdev)
		return -ENODEV;

	/* When the auto-off is configured it means the transport
	 * is running, but in that case still indicate that the
	 * device is actually down.
	 */
	di.flags = hdev->flags;
	if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
		di.flags &= ~BIT(HCI_UP);

	strscpy(di.name, hdev->name, sizeof(di.name));
	di.bdaddr = hdev->bdaddr;
	di.type = hdev->bus & 0x0f;
	di.pkt_type = hdev->pkt_type;

	/* Controllers without BR/EDR report their LE buffers in the ACL
	 * fields and no SCO buffers at all. */
	bredr = lmp_bredr_capable(hdev);
	di.acl_mtu = bredr ? hdev->acl_mtu : hdev->le_mtu;
	di.acl_pkts = bredr ? hdev->acl_pkts : hdev->le_pkts;
	di.sco_mtu = bredr ? hdev->sco_mtu : 0;
	di.sco_pkts = bredr ? hdev->sco_pkts : 0;

	di.link_policy = hdev->link_policy;
	di.link_mode = hdev->link_mode;

	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
	memcpy(&di.features, &hdev->features, sizeof(di.features));

	if (copy_to_user(arg, &di, sizeof(di)))
		rc = -EFAULT;

	hci_dev_put(hdev);
	return rc;
}
848
849 /* ---- Interface to HCI drivers ---- */
850
/* Power @hdev off synchronously under the request lock.
 * Returns the result of hci_set_powered_sync(hdev, false). */
static int hci_dev_do_poweroff(struct hci_dev *hdev)
{
	int rc;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);
	rc = hci_set_powered_sync(hdev, false);
	hci_req_sync_unlock(hdev);

	return rc;
}
865
/* rfkill callback: track the soft-block state in HCI_RFKILLED and power
 * the controller off when it becomes blocked.
 *
 * @data: the struct hci_dev registered with rfkill.
 * @blocked: new rfkill state.
 *
 * Returns -EBUSY while a user channel owns the device (the state is not
 * touched then), otherwise 0 — even if the power-off failed, in which
 * case a plain close is forced as a fallback.
 */
static int hci_rfkill_set_block(void *data, bool blocked)
{
	struct hci_dev *hdev = data;
	bool was_blocked;
	int rc;

	BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
		return -EBUSY;

	was_blocked = hci_dev_test_flag(hdev, HCI_RFKILLED);
	if (blocked == was_blocked)
		return 0;

	if (!blocked) {
		hci_dev_clear_flag(hdev, HCI_RFKILLED);
		return 0;
	}

	hci_dev_set_flag(hdev, HCI_RFKILLED);

	/* While setup or config is still running, hci_power_on() checks
	 * HCI_RFKILLED itself and closes the device; nothing to do here. */
	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
	    hci_dev_test_flag(hdev, HCI_CONFIG))
		return 0;

	rc = hci_dev_do_poweroff(hdev);
	if (rc) {
		bt_dev_err(hdev, "Error when powering off device on rfkill (%d)",
			   rc);

		/* Make sure the device is still closed even if
		 * anything during power off sequence (eg.
		 * disconnecting devices) failed.
		 */
		hci_dev_do_close(hdev);
	}

	return 0;
}

static const struct rfkill_ops hci_rfkill_ops = {
	.set_block = hci_rfkill_set_block,
};
906
/* Work item behind hdev->power_on: open the controller, re-check the
 * conditions that the setup phase ignores, and report the resulting
 * index / power state to mgmt.
 *
 * An already-up, mgmt-managed device that only had auto-off armed is
 * handled without reopening: the auto-off timer is cancelled and the
 * powered-on settings are re-applied.
 */
static void hci_power_on(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
	int err;

	BT_DBG("%s", hdev->name);

	if (test_bit(HCI_UP, &hdev->flags) &&
	    hci_dev_test_flag(hdev, HCI_MGMT) &&
	    hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
		cancel_delayed_work(&hdev->power_off);
		err = hci_powered_update_sync(hdev);
		mgmt_power_on(hdev, err);
		return;
	}

	err = hci_dev_do_open(hdev);
	if (err < 0) {
		hci_dev_lock(hdev);
		mgmt_set_powered_failed(hdev, err);
		hci_dev_unlock(hdev);
		return;
	}

	/* During the HCI setup phase, a few error conditions are
	 * ignored and they need to be checked now. If they are still
	 * valid, it is important to turn the device back off.
	 *
	 * The conditions are: rfkill blocked, still unconfigured, or no
	 * usable address at all (neither public nor static random).
	 */
	if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
	    hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
	    (!bacmp(&hdev->bdaddr, BDADDR_ANY) &&
	     !bacmp(&hdev->static_addr, BDADDR_ANY))) {
		hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
		hci_dev_do_close(hdev);
	} else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
		/* Nobody claimed the device yet: schedule the auto-off. */
		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
				   HCI_AUTO_OFF_TIMEOUT);
	}

	if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
		/* For unconfigured devices, set the HCI_RAW flag
		 * so that userspace can easily identify them.
		 */
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
			set_bit(HCI_RAW, &hdev->flags);

		/* For fully configured devices, this will send
		 * the Index Added event. For unconfigured devices,
		 * it will send Unconfigured Index Added event.
		 *
		 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
		 * and no event will be sent.
		 */
		mgmt_index_added(hdev);
	} else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
		/* When the controller is now configured, then it
		 * is important to clear the HCI_RAW flag.
		 */
		if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
			clear_bit(HCI_RAW, &hdev->flags);

		/* Powering on the controller with HCI_CONFIG set only
		 * happens with the transition from unconfigured to
		 * configured. This will send the Index Added event.
		 */
		mgmt_index_added(hdev);
	}
}
975
/* Delayed work item behind hdev->power_off (the auto-off timer):
 * simply closes the device. */
static void hci_power_off(struct work_struct *work)
{
	struct hci_dev *hdev;

	hdev = container_of(work, struct hci_dev, power_off.work);
	BT_DBG("%s", hdev->name);

	hci_dev_do_close(hdev);
}
985
/* Work item behind hdev->error_reset: report a controller hardware
 * error (via the driver's hw_error hook if it has one) and recover by
 * closing and reopening the device. The reopen is skipped if the close
 * failed. */
static void hci_error_reset(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
	bool closed;

	/* Pin the device for the duration of the reset. */
	hci_dev_hold(hdev);
	BT_DBG("%s", hdev->name);

	if (hdev->hw_error)
		hdev->hw_error(hdev, hdev->hw_error_code);
	else
		bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code);

	closed = hci_dev_do_close(hdev) == 0;
	if (closed)
		hci_dev_do_open(hdev);

	hci_dev_put(hdev);
}
1003
/* Free every registered service UUID on hdev->uuids. The list is not
 * RCU-protected, so entries are freed immediately. */
void hci_uuids_clear(struct hci_dev *hdev)
{
	struct bt_uuid *cur, *next;

	list_for_each_entry_safe(cur, next, &hdev->uuids, list) {
		list_del(&cur->list);
		kfree(cur);
	}
}
1013
/* Discard all stored BR/EDR link keys.
 *
 * Entries are unlinked under RCU and freed only after a grace period,
 * so concurrent RCU readers (hci_find_link_key()) never touch freed
 * memory. */
void hci_link_keys_clear(struct hci_dev *hdev)
{
	struct link_key *cur, *next;

	list_for_each_entry_safe(cur, next, &hdev->link_keys, list) {
		list_del_rcu(&cur->list);
		kfree_rcu(cur, rcu);
	}
}
1023
/* Discard all stored LE long term keys; RCU-deferred free as for
 * hci_link_keys_clear() so hci_find_ltk() readers stay safe. */
void hci_smp_ltks_clear(struct hci_dev *hdev)
{
	struct smp_ltk *cur, *next;

	list_for_each_entry_safe(cur, next, &hdev->long_term_keys, list) {
		list_del_rcu(&cur->list);
		kfree_rcu(cur, rcu);
	}
}
1033
/* Discard all stored identity resolving keys; RCU-deferred free so the
 * hci_find_irk_by_*() readers stay safe. */
void hci_smp_irks_clear(struct hci_dev *hdev)
{
	struct smp_irk *cur, *next;

	list_for_each_entry_safe(cur, next, &hdev->identity_resolving_keys,
				 list) {
		list_del_rcu(&cur->list);
		kfree_rcu(cur, rcu);
	}
}
1043
/* Empty the blocked-key list; RCU-deferred free so hci_is_blocked_key()
 * readers stay safe. */
void hci_blocked_keys_clear(struct hci_dev *hdev)
{
	struct blocked_key *cur, *next;

	list_for_each_entry_safe(cur, next, &hdev->blocked_keys, list) {
		list_del_rcu(&cur->list);
		kfree_rcu(cur, rcu);
	}
}
1053
/* Return true if the 16-byte key @val of kind @type (an
 * HCI_BLOCKED_KEY_TYPE_* value) is on the device's blocked-key list.
 * Takes the RCU read lock itself, so it is safe to call from any
 * context that may nest RCU. */
bool hci_is_blocked_key(struct hci_dev *hdev, u8 type, u8 val[16])
{
	struct blocked_key *entry;
	bool found = false;

	rcu_read_lock();
	list_for_each_entry_rcu(entry, &hdev->blocked_keys, list) {
		if (entry->type != type)
			continue;

		if (memcmp(entry->val, val, sizeof(entry->val)) == 0) {
			found = true;
			break;
		}
	}
	rcu_read_unlock();

	return found;
}
1070
/* Look up the stored BR/EDR link key for @bdaddr.
 *
 * Returns the matching key, or NULL if there is none or if its value is
 * on the blocked-key list (a rate-limited warning is logged then).
 *
 * NOTE(review): the RCU read lock is released before k->val is read and
 * the pointer returned, so the entry is only safe to use if the caller
 * is serialised against hci_link_keys_clear() by other means —
 * presumably hdev->lock; confirm at the call sites.
 */
struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
{
	struct link_key *k;

	rcu_read_lock();
	list_for_each_entry_rcu(k, &hdev->link_keys, list) {
		if (bacmp(bdaddr, &k->bdaddr) == 0) {
			rcu_read_unlock();

			/* Blocked keys are never handed out. */
			if (hci_is_blocked_key(hdev,
					       HCI_BLOCKED_KEY_TYPE_LINKKEY,
					       k->val)) {
				bt_dev_warn_ratelimited(hdev,
							"Link key blocked for %pMR",
							&k->bdaddr);
				return NULL;
			}

			return k;
		}
	}
	rcu_read_unlock();

	return NULL;
}
1096
/* Decide whether a newly received BR/EDR link key should be stored
 * persistently (i.e. reported to userspace as a bonding key).
 *
 * @conn: the connection the key was generated on, or NULL (security
 *        mode 3, where no connection is involved).
 * @key_type: HCI link key type of the new key.
 * @old_key_type: type of the key previously stored for the peer, or
 *                0xff when there was none.
 *
 * Legacy keys (type < 0x03) are always kept; debug keys never are; a
 * "changed combination" key with no predecessor is not either. For the
 * remaining types the answer depends on the bonding requirements both
 * sides asked for on @conn.
 */
static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
			       u8 key_type, u8 old_key_type)
{
	bool local_dedicated, remote_dedicated;

	/* Legacy key */
	if (key_type < 0x03)
		return true;

	switch (key_type) {
	case HCI_LK_DEBUG_COMBINATION:
		/* Debug keys are insecure so don't store them persistently */
		return false;
	case HCI_LK_CHANGED_COMBINATION:
		/* Changed combination key and there's no previous one */
		if (old_key_type == 0xff)
			return false;
		break;
	default:
		break;
	}

	/* Security mode 3 case */
	if (!conn)
		return true;

	/* BR/EDR key derived using SC from an LE link */
	if (conn->type == LE_LINK)
		return true;

	/* Neither local nor remote side had no-bonding as requirement */
	if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
		return true;

	/* Either side had dedicated bonding as requirement; otherwise
	 * the key is not worth keeping. */
	local_dedicated = conn->auth_type == 0x02 || conn->auth_type == 0x03;
	remote_dedicated = conn->remote_auth == 0x02 ||
			   conn->remote_auth == 0x03;

	return local_dedicated || remote_dedicated;
}
1136
/* Map an LTK type to the connection role it is valid for: SMP_LTK keys
 * belong to the master (central) role, everything else to the slave. */
static u8 ltk_role(u8 type)
{
	return type == SMP_LTK ? HCI_ROLE_MASTER : HCI_ROLE_SLAVE;
}
1144
/* Look up the LE long term key for (@bdaddr, @addr_type) usable in
 * connection role @role.
 *
 * Secure Connections LTKs are valid in either role; legacy LTKs only in
 * the role they were generated for (see ltk_role()). Returns the key,
 * or NULL if none matches or the key value is on the blocked-key list
 * (a rate-limited warning is logged then).
 *
 * NOTE(review): as in hci_find_link_key(), the RCU read lock is
 * released before k->val is read and k is returned, so the caller is
 * presumably relying on hdev->lock to keep the entry alive — confirm.
 */
struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
			     u8 addr_type, u8 role)
{
	struct smp_ltk *k;

	rcu_read_lock();
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
		if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
			continue;

		if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
			rcu_read_unlock();

			if (hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_LTK,
					       k->val)) {
				bt_dev_warn_ratelimited(hdev,
							"LTK blocked for %pMR",
							&k->bdaddr);
				return NULL;
			}

			return k;
		}
	}
	rcu_read_unlock();

	return NULL;
}
1173
/* Resolve a resolvable private address to the IRK that generated it.
 *
 * First checks whether @rpa is already cached on an IRK (cheap compare),
 * then falls back to running the resolution (smp_irk_matches()) against
 * every IRK, caching the RPA on the first hit. Returns the IRK, or NULL
 * if no key matches or the matching key is on the blocked-key list (a
 * rate-limited warning is logged then). The whole lookup runs under the
 * RCU read lock.
 */
struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
{
	struct smp_irk *match = NULL;
	struct smp_irk *irk;

	rcu_read_lock();

	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
		if (bacmp(&irk->rpa, rpa) == 0) {
			match = irk;
			break;
		}
	}

	if (!match) {
		list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys,
					list) {
			if (smp_irk_matches(hdev, irk->val, rpa)) {
				bacpy(&irk->rpa, rpa);
				match = irk;
				break;
			}
		}
	}

	if (match && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
					match->val)) {
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
					&match->bdaddr);
		match = NULL;
	}

	rcu_read_unlock();

	return match;
}
1207
/**
 * hci_find_irk_by_addr - look up an IRK by the peer's identity address
 * @hdev: device whose identity_resolving_keys list is searched
 * @bdaddr: identity address (public or static random)
 * @addr_type: ADDR_LE_DEV_PUBLIC or ADDR_LE_DEV_RANDOM
 *
 * A random address is only an identity address when it is static random,
 * i.e. the two most significant bits of its top byte (bdaddr->b[5]) are set;
 * other random addresses are rejected before touching the list so that
 * private addresses can never match a stored identity.
 *
 * Return: the matching IRK, or NULL when none exists, the address is not a
 * valid identity address, or the key is blocked (logged, rate-limited).
 */
struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
				     u8 addr_type)
{
	struct smp_irk *irk_to_return = NULL;
	struct smp_irk *irk;

	/* Identity Address must be public or static random */
	if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
		return NULL;

	rcu_read_lock();
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
		if (addr_type == irk->addr_type &&
		    bacmp(bdaddr, &irk->bdaddr) == 0) {
			irk_to_return = irk;
			break;
		}
	}

	/* Blocked-key check happens inside the RCU section, unlike
	 * hci_find_ltk(), so the entry cannot disappear underneath it.
	 */
	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
						irk_to_return->val)) {
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
					&irk_to_return->bdaddr);
		irk_to_return = NULL;
	}

	rcu_read_unlock();

	return irk_to_return;
}
1238
/**
 * hci_add_link_key - store or update a BR/EDR link key
 * @hdev: device owning the link_keys list
 * @conn: connection the key was generated on, or NULL if unknown
 * @bdaddr: peer address
 * @val: key bytes; HCI_LINK_KEY_SIZE bytes are copied from here
 * @type: HCI link key type reported by the controller
 * @pin_len: PIN length used for legacy pairing
 * @persistent: if non-NULL, set to hci_persistent_key()'s verdict on whether
 *              the key should be written to persistent storage
 *
 * An existing key for @bdaddr is updated in place; otherwise a new entry is
 * allocated and published on hdev->link_keys with list_add_rcu().
 *
 * Return: the stored key, or NULL on allocation failure.
 *
 * NOTE(review): a new entry is published on the RCU list before its bdaddr
 * and value are filled in; this presumably relies on hdev->lock keeping
 * lookups out until the function returns — confirm at the callers.
 */
struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
				  bdaddr_t *bdaddr, u8 *val, u8 type,
				  u8 pin_len, bool *persistent)
{
	struct link_key *key, *old_key;
	u8 old_key_type;

	old_key = hci_find_link_key(hdev, bdaddr);
	if (old_key) {
		old_key_type = old_key->type;
		key = old_key;
	} else {
		/* 0xff marks "no previous key" for the checks below */
		old_key_type = conn ? conn->key_type : 0xff;
		key = kzalloc_obj(*key);
		if (!key)
			return NULL;
		list_add_rcu(&key->list, &hdev->link_keys);
	}

	BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);

	/* Some buggy controller combinations generate a changed
	 * combination key for legacy pairing even when there's no
	 * previous key */
	if (type == HCI_LK_CHANGED_COMBINATION &&
	    (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
		type = HCI_LK_COMBINATION;
		if (conn)
			conn->key_type = type;
	}

	bacpy(&key->bdaddr, bdaddr);
	memcpy(key->val, val, HCI_LINK_KEY_SIZE);
	key->pin_len = pin_len;

	/* A "changed combination" key keeps the security level of the key
	 * it replaces, so record the old type rather than the new one.
	 */
	if (type == HCI_LK_CHANGED_COMBINATION)
		key->type = old_key_type;
	else
		key->type = type;

	if (persistent)
		*persistent = hci_persistent_key(hdev, conn, type,
						 old_key_type);

	return key;
}
1285
/**
 * hci_add_ltk - store or update an LE Long Term Key
 * @hdev: device owning the long_term_keys list
 * @bdaddr: peer address the key belongs to
 * @addr_type: address type of @bdaddr
 * @type: SMP key type; also selects the role via ltk_role()
 * @authenticated: SMP authentication level of the key
 * @tk: key bytes; sizeof(key->val) bytes are copied
 * @enc_size: negotiated encryption key size
 * @ediv: encrypted diversifier (little-endian, stored as-is)
 * @rand: random number (little-endian, stored as-is)
 *
 * Looks for an existing key with the same address, type and role (via
 * hci_find_ltk()) and overwrites it; otherwise allocates a new entry and
 * publishes it on hdev->long_term_keys with list_add_rcu().
 *
 * Return: the stored key, or NULL on allocation failure.
 *
 * NOTE(review): as in hci_add_link_key(), the new entry is visible to RCU
 * readers before any field is set; callers presumably hold hdev->lock so
 * no lookup can race — confirm.
 */
struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
			    u8 addr_type, u8 type, u8 authenticated,
			    u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
{
	struct smp_ltk *key, *old_key;
	u8 role = ltk_role(type);

	old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
	if (old_key)
		key = old_key;
	else {
		key = kzalloc_obj(*key);
		if (!key)
			return NULL;
		list_add_rcu(&key->list, &hdev->long_term_keys);
	}

	bacpy(&key->bdaddr, bdaddr);
	key->bdaddr_type = addr_type;
	memcpy(key->val, tk, sizeof(key->val));
	key->authenticated = authenticated;
	key->ediv = ediv;
	key->rand = rand;
	key->enc_size = enc_size;
	key->type = type;

	return key;
}
1314
/**
 * hci_add_irk - store or update an Identity Resolving Key
 * @hdev: device owning the identity_resolving_keys list
 * @bdaddr: peer identity address
 * @addr_type: address type of @bdaddr
 * @val: 16-byte IRK, copied into irk->val
 * @rpa: last RPA known for this identity, cached into irk->rpa
 *
 * An existing entry for the identity address (hci_find_irk_by_addr()) is
 * updated in place; a new one is allocated with its address filled in
 * before it is published with list_add_rcu().
 *
 * Return: the stored IRK, or NULL on allocation failure.
 *
 * NOTE(review): irk->val and irk->rpa are written after publication, so an
 * RCU reader could in principle observe a zeroed key; this presumably relies
 * on hdev->lock at the callers — confirm.
 */
struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
			    u8 addr_type, u8 val[16], bdaddr_t *rpa)
{
	struct smp_irk *irk;

	irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
	if (!irk) {
		irk = kzalloc_obj(*irk);
		if (!irk)
			return NULL;

		/* Address fields are set before the entry becomes visible */
		bacpy(&irk->bdaddr, bdaddr);
		irk->addr_type = addr_type;

		list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
	}

	memcpy(irk->val, val, 16);
	bacpy(&irk->rpa, rpa);

	return irk;
}
1337
/**
 * hci_remove_link_key - delete the BR/EDR link key stored for a peer
 * @hdev: device owning the link_keys list
 * @bdaddr: peer address
 *
 * The entry is unlinked with list_del_rcu() and freed after a grace period
 * with kfree_rcu(), so concurrent RCU readers finish safely.
 *
 * Return: 0 on success, -ENOENT when no key is stored for @bdaddr.
 *
 * NOTE(review): the key bytes are not scrubbed before the deferred free;
 * the plain kfree_rcu() leaves them in memory until the allocator reuses
 * the object.
 */
int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
{
	struct link_key *key;

	key = hci_find_link_key(hdev, bdaddr);
	if (!key)
		return -ENOENT;

	BT_DBG("%s removing %pMR", hdev->name, bdaddr);

	list_del_rcu(&key->list);
	kfree_rcu(key, rcu);

	return 0;
}
1353
/**
 * hci_remove_ltk - delete every LTK stored for an address
 * @hdev: device owning the long_term_keys list
 * @bdaddr: peer address
 * @bdaddr_type: address type that must match k->bdaddr_type
 *
 * Unlike hci_find_ltk() this removes all matching keys regardless of role,
 * so both the central and peripheral key of a bond go away together.
 * Entries are unlinked with list_del_rcu() and freed via kfree_rcu().
 *
 * Return: 0 when at least one key was removed, -ENOENT otherwise.
 *
 * NOTE(review): the list is walked with the non-RCU list_for_each_entry_safe(),
 * i.e. this relies on the caller holding hdev->lock — confirm.
 */
int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
{
	struct smp_ltk *k, *tmp;
	int removed = 0;

	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
		if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
			continue;

		BT_DBG("%s removing %pMR", hdev->name, bdaddr);

		list_del_rcu(&k->list);
		kfree_rcu(k, rcu);
		removed++;
	}

	return removed ? 0 : -ENOENT;
}
1372
/**
 * hci_remove_irk - delete every IRK stored for an identity address
 * @hdev: device owning the identity_resolving_keys list
 * @bdaddr: identity address
 * @addr_type: address type that must match k->addr_type
 *
 * Entries are unlinked with list_del_rcu() and freed via kfree_rcu(). No
 * status is reported; removing an unknown address is a silent no-op.
 *
 * NOTE(review): walked with the non-RCU safe iterator, so the caller is
 * expected to hold hdev->lock — confirm.
 */
void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
{
	struct smp_irk *k, *tmp;

	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
		if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
			continue;

		BT_DBG("%s removing %pMR", hdev->name, bdaddr);

		list_del_rcu(&k->list);
		kfree_rcu(k, rcu);
	}
}
1387
/**
 * hci_bdaddr_is_paired - check whether any bonding key exists for an address
 * @hdev: device whose key lists are consulted
 * @bdaddr: peer address
 * @type: BDADDR_BREDR, BDADDR_LE_PUBLIC or an LE random address type
 *
 * BR/EDR pairing is decided by the presence of a link key. For LE the
 * address is first resolved to its identity (hci_get_irk()) so that a peer
 * using private addresses is still recognised, then the long_term_keys
 * list is scanned under rcu_read_lock() for a key with the same address
 * and address type.
 *
 * Return: true when a link key or LTK is stored, false otherwise.
 */
bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
{
	struct smp_ltk *k;
	struct smp_irk *irk;
	u8 addr_type;

	if (type == BDADDR_BREDR) {
		if (hci_find_link_key(hdev, bdaddr))
			return true;
		return false;
	}

	/* Convert to HCI addr type which struct smp_ltk uses */
	if (type == BDADDR_LE_PUBLIC)
		addr_type = ADDR_LE_DEV_PUBLIC;
	else
		addr_type = ADDR_LE_DEV_RANDOM;

	/* Keys are stored under the identity address, not the RPA */
	irk = hci_get_irk(hdev, bdaddr, addr_type);
	if (irk) {
		bdaddr = &irk->bdaddr;
		addr_type = irk->addr_type;
	}

	rcu_read_lock();
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
		if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
			rcu_read_unlock();
			return true;
		}
	}
	rcu_read_unlock();

	return false;
}
1423
/* HCI command timer function.
 *
 * Runs from hdev->cmd_timer when the controller has not answered the command
 * currently in flight (hdev->req_skb). The pending synchronous request is
 * failed with ETIMEDOUT, the driver's optional reset hook is invoked, and the
 * command credit is reset to 1 so that hci_cmd_work() can resume sending.
 */
static void hci_cmd_timeout(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev,
					    cmd_timer.work);

	if (hdev->req_skb) {
		u16 opcode = hci_skb_opcode(hdev->req_skb);

		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);

		/* Wake up whoever is waiting on this command with a timeout
		 * error so it does not block forever.
		 */
		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
	} else {
		bt_dev_err(hdev, "command tx timeout");
	}

	/* Driver-specific recovery, if the transport provides one */
	if (hdev->reset)
		hdev->reset(hdev);

	/* Allow exactly one new command to be sent towards the controller */
	atomic_set(&hdev->cmd_cnt, 1);
	queue_work(hdev->workqueue, &hdev->cmd_work);
}
1446
/* HCI ncmd timer function.
 *
 * Runs from hdev->ncmd_timer when the controller has reported zero available
 * command slots (ncmd = 0) for too long. Outside the HCI_INIT phase this is
 * treated as unrecoverable and the device is reset via hci_reset_dev().
 */
static void hci_ncmd_timeout(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev,
					    ncmd_timer.work);

	bt_dev_err(hdev, "Controller not accepting commands anymore: ncmd = 0");

	/* During HCI_INIT phase no events can be injected if the ncmd timer
	 * triggers since the procedure has its own timeout handling.
	 */
	if (test_bit(HCI_INIT, &hdev->flags))
		return;

	/* This is an irrecoverable state, inject hardware error event */
	hci_reset_dev(hdev);
}
1464
/* Find the cached remote Out-Of-Band pairing data for an address/type pair
 * on hdev->remote_oob_data. Returns NULL when nothing is stored.
 */
struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
					  bdaddr_t *bdaddr, u8 bdaddr_type)
{
	struct oob_data *entry;

	list_for_each_entry(entry, &hdev->remote_oob_data, list) {
		if (!bacmp(bdaddr, &entry->bdaddr) &&
		    entry->bdaddr_type == bdaddr_type)
			return entry;
	}

	return NULL;
}
1480
/* Remove and free the cached remote OOB data for an address/type pair.
 * Returns 0 on success or -ENOENT when no entry exists.
 */
int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
			       u8 bdaddr_type)
{
	struct oob_data *entry = hci_find_remote_oob_data(hdev, bdaddr,
							  bdaddr_type);

	if (!entry)
		return -ENOENT;

	BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);

	list_del(&entry->list);
	kfree(entry);

	return 0;
}
1497
/* Drop every cached remote OOB data entry of the device, head first. */
void hci_remote_oob_data_clear(struct hci_dev *hdev)
{
	while (!list_empty(&hdev->remote_oob_data)) {
		struct oob_data *entry = list_first_entry(&hdev->remote_oob_data,
							  struct oob_data, list);

		list_del(&entry->list);
		kfree(entry);
	}
}
1507
/* Store (or refresh) the remote OOB pairing data for an address/type pair.
 *
 * A P-192 or P-256 value pair is only kept when both its hash and its
 * randomizer are supplied; a half-supplied pair is zeroed instead. The
 * @present bitmask records which pairs are valid: bit 0 for P-192 and
 * bit 1 for P-256.
 *
 * Returns 0 on success or -ENOMEM when a new entry cannot be allocated.
 */
int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
			    u8 bdaddr_type, u8 *hash192, u8 *rand192,
			    u8 *hash256, u8 *rand256)
{
	struct oob_data *entry;
	bool have_p192 = hash192 && rand192;
	bool have_p256 = hash256 && rand256;

	entry = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
	if (!entry) {
		entry = kmalloc_obj(*entry);
		if (!entry)
			return -ENOMEM;

		bacpy(&entry->bdaddr, bdaddr);
		entry->bdaddr_type = bdaddr_type;
		list_add(&entry->list, &hdev->remote_oob_data);
	}

	if (have_p192) {
		memcpy(entry->hash192, hash192, sizeof(entry->hash192));
		memcpy(entry->rand192, rand192, sizeof(entry->rand192));
	} else {
		memset(entry->hash192, 0, sizeof(entry->hash192));
		memset(entry->rand192, 0, sizeof(entry->rand192));
	}

	if (have_p256) {
		memcpy(entry->hash256, hash256, sizeof(entry->hash256));
		memcpy(entry->rand256, rand256, sizeof(entry->rand256));
	} else {
		memset(entry->hash256, 0, sizeof(entry->hash256));
		memset(entry->rand256, 0, sizeof(entry->rand256));
	}

	entry->present = (have_p192 ? 0x01 : 0x00) | (have_p256 ? 0x02 : 0x00);

	BT_DBG("%s for %pMR", hdev->name, bdaddr);

	return 0;
}
1553
/* Look up an advertising instance by its instance number.
 * Returns NULL when @instance is not registered.
 * This function requires the caller holds hdev->lock.
 */
struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
{
	struct adv_info *adv;

	list_for_each_entry(adv, &hdev->adv_instances, list)
		if (adv->instance == instance)
			return adv;

	return NULL;
}
1566
/* Look up an advertising instance by its Advertising SID.
 * Returns NULL when no instance carries @sid.
 * This function requires the caller holds hdev->lock.
 */
struct adv_info *hci_find_adv_sid(struct hci_dev *hdev, u8 sid)
{
	struct adv_info *candidate;

	list_for_each_entry(candidate, &hdev->adv_instances, list)
		if (candidate->sid == sid)
			return candidate;

	return NULL;
}
1579
/* Return the instance that follows @instance in round-robin order: the
 * next list entry, wrapping to the first entry after the last one.
 * Returns NULL when @instance is not registered.
 * This function requires the caller holds hdev->lock.
 */
struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
{
	struct adv_info *cur = hci_find_adv_instance(hdev, instance);

	if (!cur)
		return NULL;

	if (list_is_last(&cur->list, &hdev->adv_instances))
		return list_first_entry(&hdev->adv_instances,
					struct adv_info, list);

	return list_next_entry(cur, list);
}
1596
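/**
 * hci_remove_adv_instance - unregister and free one advertising instance
 * @hdev: device owning the adv_instances list
 * @instance: instance number to remove
 *
 * If the instance being removed is the one currently advertised, its
 * rotation timer is cancelled and cur_adv_instance is reset to 0x00 first.
 * The instance's RPA-expiry work is cancelled synchronously before the
 * memory is released.
 *
 * Context: requires the caller to hold hdev->lock.
 * Return: 0 on success, -ENOENT when @instance is not registered.
 */
int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
{
	struct adv_info *adv_instance;

	adv_instance = hci_find_adv_instance(hdev, instance);
	if (!adv_instance)
		return -ENOENT;

	/* The argument is a plain instance number, not an address, so the
	 * %pMR-derived "%dMR" spelling is dropped from the message.
	 */
	BT_DBG("%s removing instance %u", hdev->name, instance);

	if (hdev->cur_adv_instance == instance) {
		if (hdev->adv_instance_timeout) {
			cancel_delayed_work(&hdev->adv_instance_expire);
			hdev->adv_instance_timeout = 0;
		}
		hdev->cur_adv_instance = 0x00;
	}

	/* Must complete before kfree(): the work dereferences adv_instance */
	cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);

	list_del(&adv_instance->list);
	kfree(adv_instance);

	hdev->adv_instance_cnt--;

	return 0;
}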
1625
/* Set the rpa_expired flag on every advertising instance of the device. */
void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired)
{
	struct adv_info *adv;

	/* Nothing is removed while walking, so the plain iterator suffices */
	list_for_each_entry(adv, &hdev->adv_instances, list)
		adv->rpa_expired = rpa_expired;
}
1633
/* Tear down every advertising instance of the device.
 *
 * The rotation timer (adv_instance_expire) and each instance's RPA-expiry
 * work are disabled — disable_delayed_work*() rather than cancel, so they
 * cannot be re-armed afterwards — before the instances are freed and the
 * bookkeeping counters reset.
 * This function requires the caller holds hdev->lock.
 */
void hci_adv_instances_clear(struct hci_dev *hdev)
{
	struct adv_info *adv_instance, *n;

	if (hdev->adv_instance_timeout) {
		disable_delayed_work(&hdev->adv_instance_expire);
		hdev->adv_instance_timeout = 0;
	}

	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
		/* The work dereferences the instance; wait for it before kfree */
		disable_delayed_work_sync(&adv_instance->rpa_expired_cb);
		list_del(&adv_instance->list);
		kfree(adv_instance);
	}

	hdev->adv_instance_cnt = 0;
	hdev->cur_adv_instance = 0x00;
}
1653
/* Delayed-work callback armed per advertising instance (rpa_expired_cb):
 * marks the instance's RPA as expired so it gets regenerated.
 */
static void adv_instance_rpa_expired(struct work_struct *work)
{
	struct adv_info *adv;

	adv = container_of(work, struct adv_info, rpa_expired_cb.work);

	BT_DBG("");

	adv->rpa_expired = true;
}
1663
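/**
 * hci_add_adv_instance - create or reconfigure an advertising instance
 * @hdev: device owning the adv_instances list
 * @instance: instance number (1-based; 0 is reserved for the legacy set)
 * @flags: MGMT_ADV_FLAG_* bits controlling the instance
 * @adv_data_len: length of @adv_data
 * @adv_data: advertising data, passed to hci_set_adv_instance_data()
 * @scan_rsp_len: length of @scan_rsp_data
 * @scan_rsp_data: scan response data, passed to hci_set_adv_instance_data()
 * @timeout: lifetime of the instance; also seeds remaining_time
 * @duration: rotation slot length, or 0 for hdev->def_multi_adv_rotation_duration
 * @tx_power: requested TX power
 * @min_interval: minimum advertising interval
 * @max_interval: maximum advertising interval
 * @mesh_handle: non-zero ties the instance to a mesh TX queue and switches
 *               the timing units to milliseconds
 *
 * An existing instance has its data buffers cleared and is reconfigured in
 * place. A new one is only created while the controller has free
 * advertising sets (adv_instance_cnt < le_num_of_adv_sets) and @instance is
 * within range; it starts in the pending state.
 *
 * Context: requires the caller to hold hdev->lock.
 * Return: the instance, ERR_PTR(-EOVERFLOW) when no set is available or
 * @instance is out of range, ERR_PTR(-ENOMEM) on allocation failure.
 */
struct adv_info *hci_add_adv_instance(struct hci_dev *hdev, u8 instance,
				      u32 flags, u16 adv_data_len, u8 *adv_data,
				      u16 scan_rsp_len, u8 *scan_rsp_data,
				      u16 timeout, u16 duration, s8 tx_power,
				      u32 min_interval, u32 max_interval,
				      u8 mesh_handle)
{
	struct adv_info *adv;

	adv = hci_find_adv_instance(hdev, instance);
	if (adv) {
		/* Reconfiguration starts from empty payload buffers so stale
		 * bytes from the previous configuration cannot leak out.
		 */
		memset(adv->adv_data, 0, sizeof(adv->adv_data));
		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
		memset(adv->per_adv_data, 0, sizeof(adv->per_adv_data));
	} else {
		if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets ||
		    instance < 1 || instance > hdev->le_num_of_adv_sets + 1)
			return ERR_PTR(-EOVERFLOW);

		adv = kzalloc_obj(*adv);
		if (!adv)
			return ERR_PTR(-ENOMEM);

		adv->pending = true;
		adv->instance = instance;

		/* If controller support only one set and the instance is set to
		 * 1 then there is no option other than using handle 0x00.
		 */
		if (hdev->le_num_of_adv_sets == 1 && instance == 1)
			adv->handle = 0x00;
		else
			adv->handle = instance;

		list_add(&adv->list, &hdev->adv_instances);
		hdev->adv_instance_cnt++;
	}

	adv->flags = flags;
	adv->min_interval = min_interval;
	adv->max_interval = max_interval;
	adv->tx_power = tx_power;
	/* Defining a mesh_handle changes the timing units to ms,
	 * rather than seconds, and ties the instance to the requested
	 * mesh_tx queue.
	 */
	adv->mesh = mesh_handle;

	hci_set_adv_instance_data(hdev, instance, adv_data_len, adv_data,
				  scan_rsp_len, scan_rsp_data);

	adv->timeout = timeout;
	adv->remaining_time = timeout;

	if (duration == 0)
		adv->duration = hdev->def_multi_adv_rotation_duration;
	else
		adv->duration = duration;

	INIT_DELAYED_WORK(&adv->rpa_expired_cb, adv_instance_rpa_expired);

	/* @instance is a number, not an address: the "%dMR" spelling that
	 * mirrored %pMR is replaced by a plain unsigned conversion.
	 */
	BT_DBG("%s for instance %u", hdev->name, instance);

	return adv;
}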
1730
/* Create a periodic advertising instance on top of hci_add_adv_instance().
 *
 * The base instance is created with empty AD/scan-response payloads, zero
 * timeout/duration, HCI_ADV_TX_POWER_NO_PREFERENCE and no mesh handle; the
 * periodic payload is then copied into per_adv_data. Returns the instance
 * or the ERR_PTR() from hci_add_adv_instance().
 * This function requires the caller holds hdev->lock.
 *
 * NOTE(review): @data_len is copied into adv->per_adv_data without being
 * compared to the buffer size here; presumably the caller validates it
 * against the buffer's capacity — confirm at the call sites.
 */
struct adv_info *hci_add_per_instance(struct hci_dev *hdev, u8 instance, u8 sid,
				      u32 flags, u8 data_len, u8 *data,
				      u32 min_interval, u32 max_interval)
{
	struct adv_info *adv;

	adv = hci_add_adv_instance(hdev, instance, flags, 0, NULL, 0, NULL,
				   0, 0, HCI_ADV_TX_POWER_NO_PREFERENCE,
				   min_interval, max_interval, 0);
	if (IS_ERR(adv))
		return adv;

	adv->sid = sid;
	adv->periodic = true;
	adv->per_adv_data_len = data_len;

	if (data)
		memcpy(adv->per_adv_data, data, data_len);

	return adv;
}
1753
/* Replace the advertising and/or scan response payload of an instance.
 *
 * A payload is only rewritten when it is non-empty and differs from what
 * is stored (ADV_DATA_CMP / SCAN_RSP_CMP); the corresponding *_changed flag
 * is then set so the controller gets updated. Instances that include the
 * appearance (when hdev->appearance is set) or the local name have their
 * scan response marked changed unconditionally, as those fields are
 * generated rather than taken from @scan_rsp_data.
 * Returns 0 or -ENOENT when @instance does not exist.
 * This function requires the caller holds hdev->lock.
 *
 * NOTE(review): @adv_data_len / @scan_rsp_len are not bounded against the
 * adv_data / scan_rsp_data buffers here; the memcpy() relies on the caller
 * having validated the lengths — confirm at the call sites.
 */
int hci_set_adv_instance_data(struct hci_dev *hdev, u8 instance,
			      u16 adv_data_len, u8 *adv_data,
			      u16 scan_rsp_len, u8 *scan_rsp_data)
{
	struct adv_info *adv;

	adv = hci_find_adv_instance(hdev, instance);

	/* If advertisement doesn't exist, we can't modify its data */
	if (!adv)
		return -ENOENT;

	if (adv_data_len && ADV_DATA_CMP(adv, adv_data, adv_data_len)) {
		/* Clear first so a shorter payload leaves no stale tail */
		memset(adv->adv_data, 0, sizeof(adv->adv_data));
		memcpy(adv->adv_data, adv_data, adv_data_len);
		adv->adv_data_len = adv_data_len;
		adv->adv_data_changed = true;
	}

	if (scan_rsp_len && SCAN_RSP_CMP(adv, scan_rsp_data, scan_rsp_len)) {
		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
		memcpy(adv->scan_rsp_data, scan_rsp_data, scan_rsp_len);
		adv->scan_rsp_len = scan_rsp_len;
		adv->scan_rsp_changed = true;
	}

	/* Mark as changed if there are flags which would affect it */
	if (((adv->flags & MGMT_ADV_FLAG_APPEARANCE) && hdev->appearance) ||
	    adv->flags & MGMT_ADV_FLAG_LOCAL_NAME)
		adv->scan_rsp_changed = true;

	return 0;
}
1788
/* Return the MGMT_ADV_FLAG_* set of an advertising instance.
 *
 * Instance 0 has no struct adv_info; its flags are synthesised from the
 * device state (always TX_POWER and MANAGED_FLAGS, plus CONNECTABLE and
 * the discoverable mode derived from the HCI_* dev flags). Any other
 * instance returns its stored flags, or 0 when it does not exist.
 * This function requires the caller holds hdev->lock.
 */
u32 hci_adv_instance_flags(struct hci_dev *hdev, u8 instance)
{
	u32 flags;
	struct adv_info *adv;

	if (instance == 0x00) {
		/* Instance 0 always manages the "Tx Power" and "Flags"
		 * fields
		 */
		flags = MGMT_ADV_FLAG_TX_POWER | MGMT_ADV_FLAG_MANAGED_FLAGS;

		/* For instance 0, the HCI_ADVERTISING_CONNECTABLE setting
		 * corresponds to the "connectable" instance flag.
		 */
		if (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE))
			flags |= MGMT_ADV_FLAG_CONNECTABLE;

		/* Limited discoverable takes precedence over general */
		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
			flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
			flags |= MGMT_ADV_FLAG_DISCOV;

		return flags;
	}

	adv = hci_find_adv_instance(hdev, instance);

	/* Return 0 when we got an invalid instance identifier. */
	if (!adv)
		return 0;

	return adv->flags;
}
1823
/* Tell whether an advertising instance needs a scan response: instance 0
 * always does (it carries the local name), other instances do when they
 * include the appearance or local name, or have explicit scan response data.
 * Unknown instances are reported as not scannable.
 */
bool hci_adv_instance_is_scannable(struct hci_dev *hdev, u8 instance)
{
	const u32 scannable_flags = MGMT_ADV_FLAG_APPEARANCE |
				    MGMT_ADV_FLAG_LOCAL_NAME;
	struct adv_info *adv;

	/* Instance 0x00 always set local name */
	if (instance == 0x00)
		return true;

	adv = hci_find_adv_instance(hdev, instance);
	if (!adv)
		return false;

	if (adv->flags & scannable_flags)
		return true;

	return adv->scan_rsp_len != 0;
}
1842
/* Free every registered advertising monitor and destroy the IDR.
 *
 * hci_free_adv_monitor() removes each monitor's handle from the IDR while
 * idr_for_each_entry() is walking it; the iterator looks up the next id
 * afresh on every step, which is what makes that safe.
 * This function requires the caller holds hdev->lock.
 */
void hci_adv_monitors_clear(struct hci_dev *hdev)
{
	struct adv_monitor *monitor;
	int handle;

	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
		hci_free_adv_monitor(hdev, monitor);

	idr_destroy(&hdev->adv_monitors_idr);
}
1854
/* Frees the monitor structure and do some bookkeepings.
 *
 * Releases the monitor's pattern list, drops its IDR handle (only when one
 * was assigned, handle 0 meaning "never allocated"), and decrements
 * hdev->adv_monitors_cnt for monitors that had progressed past the
 * NOT_REGISTERED state. A NULL @monitor is ignored.
 * This function requires the caller holds hdev->lock.
 */
void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
{
	struct adv_pattern *pattern;
	struct adv_pattern *tmp;

	if (!monitor)
		return;

	list_for_each_entry_safe(pattern, tmp, &monitor->patterns, list) {
		list_del(&pattern->list);
		kfree(pattern);
	}

	if (monitor->handle)
		idr_remove(&hdev->adv_monitors_idr, monitor->handle);

	/* Only counted once it was registered with the controller/core */
	if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED)
		hdev->adv_monitors_cnt--;

	kfree(monitor);
}
1879
/* Assigns handle to a monitor, and if offloading is supported and power is on,
 * also attempts to forward the request to the controller.
 * This function requires the caller holds hci_req_sync_lock.
 *
 * The handle is taken from hdev->adv_monitors_idr within the range
 * [HCI_MIN_ADV_MONITOR_HANDLE, HCI_MIN_ADV_MONITOR_HANDLE +
 * HCI_MAX_ADV_MONITOR_NUM_HANDLES) under hdev->lock. Returns -EINVAL for a
 * NULL monitor, the negative idr_alloc() error when no handle is free, 0
 * when the device is powered off or offloading is not supported, otherwise
 * the status of msft_add_monitor_pattern().
 *
 * NOTE(review): the switch has no default arm; any value other than the
 * two HCI_ADV_MONITOR_EXT_* constants falls through with status 0.
 */
int hci_add_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
{
	int min, max, handle;
	int status = 0;

	if (!monitor)
		return -EINVAL;

	hci_dev_lock(hdev);

	min = HCI_MIN_ADV_MONITOR_HANDLE;
	max = HCI_MIN_ADV_MONITOR_HANDLE + HCI_MAX_ADV_MONITOR_NUM_HANDLES;
	handle = idr_alloc(&hdev->adv_monitors_idr, monitor, min, max,
			   GFP_KERNEL);

	hci_dev_unlock(hdev);

	if (handle < 0)
		return handle;

	monitor->handle = handle;

	/* The controller is told about the monitor once it powers on */
	if (!hdev_is_powered(hdev))
		return status;

	switch (hci_get_adv_monitor_offload_ext(hdev)) {
	case HCI_ADV_MONITOR_EXT_NONE:
		bt_dev_dbg(hdev, "add monitor %d status %d",
			   monitor->handle, status);
		/* Message was not forwarded to controller - not an error */
		break;

	case HCI_ADV_MONITOR_EXT_MSFT:
		status = msft_add_monitor_pattern(hdev, monitor);
		bt_dev_dbg(hdev, "add monitor %d msft status %d",
			   handle, status);
		break;
	}

	return status;
}
1925
/* Attempts to tell the controller and free the monitor. If somehow the
 * controller doesn't have a corresponding handle, remove anyway.
 * This function requires the caller holds hci_req_sync_lock.
 *
 * Without offloading (or when powered off) the monitor is freed straight
 * away with status 0. With MSFT offloading the controller is asked first;
 * -ENOENT from it means the controller never knew the handle, so the
 * monitor is freed locally after a warning. Any other error is returned
 * and the monitor is kept.
 *
 * NOTE(review): as in hci_add_adv_monitor() the switch has no default arm,
 * so an unexpected offload type would return 0 without freeing @monitor.
 */
static int hci_remove_adv_monitor(struct hci_dev *hdev,
				  struct adv_monitor *monitor)
{
	int status = 0;
	int handle;

	switch (hci_get_adv_monitor_offload_ext(hdev)) {
	case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
		bt_dev_dbg(hdev, "remove monitor %d status %d",
			   monitor->handle, status);
		goto free_monitor;

	case HCI_ADV_MONITOR_EXT_MSFT:
		handle = monitor->handle;
		status = msft_remove_monitor(hdev, monitor);
		bt_dev_dbg(hdev, "remove monitor %d msft status %d",
			   handle, status);
		break;
	}

	/* In case no matching handle registered, just free the monitor */
	if (status == -ENOENT)
		goto free_monitor;

	return status;

free_monitor:
	if (status == -ENOENT)
		bt_dev_warn(hdev, "Removing monitor with no matching handle %d",
			    monitor->handle);
	hci_free_adv_monitor(hdev, monitor);

	return status;
}
1964
/* Remove the advertising monitor registered under @handle.
 * Returns -EINVAL for an unknown handle, otherwise the result of
 * hci_remove_adv_monitor().
 * This function requires the caller holds hci_req_sync_lock.
 */
int hci_remove_single_adv_monitor(struct hci_dev *hdev, u16 handle)
{
	struct adv_monitor *monitor;

	monitor = idr_find(&hdev->adv_monitors_idr, handle);
	if (monitor == NULL)
		return -EINVAL;

	return hci_remove_adv_monitor(hdev, monitor);
}
1975
/* Remove every advertising monitor, lowest handle first. Stops at and
 * returns the first error from hci_remove_adv_monitor(); returns 0 once
 * the IDR is empty.
 * This function requires the caller holds hci_req_sync_lock.
 */
int hci_remove_all_adv_monitor(struct hci_dev *hdev)
{
	struct adv_monitor *monitor;
	int next_id = 0;
	int err = 0;

	while ((monitor = idr_get_next(&hdev->adv_monitors_idr, &next_id))) {
		err = hci_remove_adv_monitor(hdev, monitor);
		if (err)
			return err;

		/* The entry just removed is gone from the IDR; move past it */
		next_id++;
	}

	return err;
}
1997
/* True when at least one advertising monitor is registered.
 * This function requires the caller holds hdev->lock.
 */
bool hci_is_adv_monitoring(struct hci_dev *hdev)
{
	return idr_is_empty(&hdev->adv_monitors_idr) ? false : true;
}
2003
/* Report which controller-side monitor offload is available: MSFT when the
 * vendor extension is supported, otherwise none.
 */
int hci_get_adv_monitor_offload_ext(struct hci_dev *hdev)
{
	return msft_monitor_supported(hdev) ? HCI_ADV_MONITOR_EXT_MSFT
					    : HCI_ADV_MONITOR_EXT_NONE;
}
2011
/* Find the struct bdaddr_list entry matching @bdaddr and @type, or NULL. */
struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
					   bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list *entry;

	list_for_each_entry(entry, bdaddr_list, list) {
		if (entry->bdaddr_type != type)
			continue;
		if (bacmp(&entry->bdaddr, bdaddr) == 0)
			return entry;
	}

	return NULL;
}
2024
/* Find the struct bdaddr_list_with_irk entry matching @bdaddr and @type,
 * or NULL.
 */
struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk(
				struct list_head *bdaddr_list, bdaddr_t *bdaddr,
				u8 type)
{
	struct bdaddr_list_with_irk *entry;

	list_for_each_entry(entry, bdaddr_list, list) {
		if (entry->bdaddr_type != type)
			continue;
		if (bacmp(&entry->bdaddr, bdaddr) == 0)
			return entry;
	}

	return NULL;
}
2038
/* Find the struct bdaddr_list_with_flags entry matching @bdaddr and @type,
 * or NULL.
 */
struct bdaddr_list_with_flags *
hci_bdaddr_list_lookup_with_flags(struct list_head *bdaddr_list,
				  bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list_with_flags *entry;

	list_for_each_entry(entry, bdaddr_list, list) {
		if (entry->bdaddr_type != type)
			continue;
		if (bacmp(&entry->bdaddr, bdaddr) == 0)
			return entry;
	}

	return NULL;
}
2052
/* Free every entry of a struct bdaddr_list list, head first. */
void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
{
	while (!list_empty(bdaddr_list)) {
		struct bdaddr_list *entry = list_first_entry(bdaddr_list,
							     struct bdaddr_list,
							     list);

		list_del(&entry->list);
		kfree(entry);
	}
}
2062
/* Append a new struct bdaddr_list entry for @bdaddr/@type to @list.
 * Returns -EBADF for the BDADDR_ANY wildcard, -EEXIST when the address is
 * already listed, -ENOMEM on allocation failure, 0 on success.
 */
int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list *new_entry;

	if (bacmp(bdaddr, BDADDR_ANY) == 0)
		return -EBADF;

	if (hci_bdaddr_list_lookup(list, bdaddr, type) != NULL)
		return -EEXIST;

	new_entry = kzalloc_obj(*new_entry);
	if (new_entry == NULL)
		return -ENOMEM;

	new_entry->bdaddr_type = type;
	bacpy(&new_entry->bdaddr, bdaddr);
	list_add(&new_entry->list, list);

	return 0;
}
2084
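/**
 * hci_bdaddr_list_add_with_irk - add an address plus its IRKs to a list
 * @list: list of struct bdaddr_list_with_irk entries
 * @bdaddr: address to add
 * @type: address type
 * @peer_irk: 16-byte peer IRK, or NULL to leave the field zeroed
 * @local_irk: 16-byte local IRK, or NULL to leave the field zeroed
 *
 * Return: 0 on success, -EBADF for the BDADDR_ANY wildcard, -EEXIST when
 * the address is already listed, -ENOMEM on allocation failure.
 */
int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr,
				 u8 type, u8 *peer_irk, u8 *local_irk)
{
	struct bdaddr_list_with_irk *entry;

	if (!bacmp(bdaddr, BDADDR_ANY))
		return -EBADF;

	/* Use the lookup that matches the entry type stored on @list
	 * (hci_bdaddr_list_del_with_irk() already does), instead of
	 * hci_bdaddr_list_lookup(), which walks the list as struct
	 * bdaddr_list and only works because the two structs share a
	 * leading layout.
	 */
	if (hci_bdaddr_list_lookup_with_irk(list, bdaddr, type))
		return -EEXIST;

	entry = kzalloc_obj(*entry);
	if (!entry)
		return -ENOMEM;

	bacpy(&entry->bdaddr, bdaddr);
	entry->bdaddr_type = type;

	if (peer_irk)
		memcpy(entry->peer_irk, peer_irk, 16);

	if (local_irk)
		memcpy(entry->local_irk, local_irk, 16);

	list_add(&entry->list, list);

	return 0;
}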
2113
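/**
 * hci_bdaddr_list_add_with_flags - add an address plus flags to a list
 * @list: list of struct bdaddr_list_with_flags entries
 * @bdaddr: address to add
 * @type: address type
 * @flags: per-entry flag bits stored verbatim
 *
 * Return: 0 on success, -EBADF for the BDADDR_ANY wildcard, -EEXIST when
 * the address is already listed, -ENOMEM on allocation failure.
 */
int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr,
				   u8 type, u32 flags)
{
	struct bdaddr_list_with_flags *entry;

	if (!bacmp(bdaddr, BDADDR_ANY))
		return -EBADF;

	/* Walk @list with the helper for its actual entry type rather than
	 * hci_bdaddr_list_lookup(), which relies on struct bdaddr_list and
	 * struct bdaddr_list_with_flags sharing a leading layout.
	 */
	if (hci_bdaddr_list_lookup_with_flags(list, bdaddr, type))
		return -EEXIST;

	entry = kzalloc_obj(*entry);
	if (!entry)
		return -ENOMEM;

	bacpy(&entry->bdaddr, bdaddr);
	entry->bdaddr_type = type;
	entry->flags = flags;

	list_add(&entry->list, list);

	return 0;
}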
2137
/* Remove the entry for @bdaddr/@type from a struct bdaddr_list list.
 * BDADDR_ANY acts as a wildcard and empties the whole list.
 * Returns 0 on success or -ENOENT when the address is not listed.
 */
int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list *victim;

	if (bacmp(bdaddr, BDADDR_ANY) == 0) {
		hci_bdaddr_list_clear(list);
		return 0;
	}

	victim = hci_bdaddr_list_lookup(list, bdaddr, type);
	if (victim == NULL)
		return -ENOENT;

	list_del(&victim->list);
	kfree(victim);

	return 0;
}
2156
/* Remove the entry for @bdaddr/@type from a struct bdaddr_list_with_irk
 * list. BDADDR_ANY acts as a wildcard and empties the whole list.
 * Returns 0 on success or -ENOENT when the address is not listed.
 *
 * NOTE(review): the wildcard path calls hci_bdaddr_list_clear(), which
 * frees the entries as struct bdaddr_list; that is only correct if the
 * list head is the first member of both structs — confirm against the
 * definitions.
 */
int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr,
				 u8 type)
{
	struct bdaddr_list_with_irk *entry;

	if (!bacmp(bdaddr, BDADDR_ANY)) {
		hci_bdaddr_list_clear(list);
		return 0;
	}

	entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type);
	if (!entry)
		return -ENOENT;

	list_del(&entry->list);
	kfree(entry);

	return 0;
}
2176
/* Find the LE connection parameters stored for @addr/@addr_type, or NULL.
 * This function requires the caller holds hdev->lock.
 */
struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
					       bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *p;

	list_for_each_entry(p, &hdev->le_conn_params, list) {
		if (p->addr_type != addr_type)
			continue;
		if (!bacmp(&p->addr, addr))
			return p;
	}

	return NULL;
}
2192
/* Find the pending LE action entry for @addr/@addr_type on an action list
 * (the entries are linked through hci_conn_params::action, not ::list).
 * Returns NULL when none matches.
 * This function requires the caller holds hdev->lock or rcu_read_lock.
 *
 * The pointer is returned after rcu_read_unlock(); it stays valid only
 * because hci_pend_le_list_del_init() waits for a grace period
 * (synchronize_rcu()) under hdev->lock before the entry is reused.
 */
struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
						  bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *param;

	rcu_read_lock();

	list_for_each_entry_rcu(param, list, action) {
		if (bacmp(&param->addr, addr) == 0 &&
		    param->addr_type == addr_type) {
			rcu_read_unlock();
			return param;
		}
	}

	rcu_read_unlock();

	return NULL;
}
2213
/* Unlink @param from whichever pending-action list it is on and reset the
 * link so list_empty() reports it as unlinked. A no-op when it is not on
 * any list.
 * This function requires the caller holds hdev->lock.
 */
void hci_pend_le_list_del_init(struct hci_conn_params *param)
{
	if (list_empty(&param->action))
		return;

	list_del_rcu(&param->action);
	/* Let hci_pend_le_action_lookup() readers finish before the link
	 * is reinitialised (and before the caller may free @param).
	 */
	synchronize_rcu();
	INIT_LIST_HEAD(&param->action);
}
2224
/* Publish @param on a pending-action list for RCU readers
 * (hci_pend_le_action_lookup()).
 * This function requires the caller holds hdev->lock.
 *
 * NOTE(review): @param->action is not checked for already being linked;
 * callers are presumably expected to call hci_pend_le_list_del_init()
 * first — confirm.
 */
void hci_pend_le_list_add(struct hci_conn_params *param,
			  struct list_head *list)
{
	list_add_rcu(&param->action, list);
}
2231
/* Return the LE connection parameters for @addr/@addr_type, creating them
 * with the device defaults (le_conn_*_interval, le_conn_latency,
 * le_supv_timeout) and auto_connect disabled when none exist yet.
 * Returns NULL on allocation failure.
 * This function requires the caller holds hdev->lock.
 */
struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
					    bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *params;

	params = hci_conn_params_lookup(hdev, addr, addr_type);
	if (params)
		return params;

	params = kzalloc_obj(*params);
	if (!params) {
		bt_dev_err(hdev, "out of memory");
		return NULL;
	}

	bacpy(&params->addr, addr);
	params->addr_type = addr_type;

	list_add(&params->list, &hdev->le_conn_params);
	/* Not on any pending-action list yet; list_empty() must hold for
	 * hci_pend_le_list_del_init().
	 */
	INIT_LIST_HEAD(&params->action);

	params->conn_min_interval = hdev->le_conn_min_interval;
	params->conn_max_interval = hdev->le_conn_max_interval;
	params->conn_latency = hdev->le_conn_latency;
	params->supervision_timeout = hdev->le_supv_timeout;
	params->auto_connect = HCI_AUTO_CONN_DISABLED;

	BT_DBG("addr %pMR (type %u)", addr, addr_type);

	return params;
}
2264
/* Release one connection-parameters entry: take it off its pending-action
 * list, drop the reference it may hold on an hci_conn, unlink it from
 * hdev->le_conn_params and free it.
 *
 * Callers (hci_conn_params_del and the clear helpers) hold hdev->lock.
 */
void hci_conn_params_free(struct hci_conn_params *params)
{
	struct hci_conn *conn;

	hci_pend_le_list_del_init(params);

	conn = params->conn;
	if (conn) {
		hci_conn_drop(conn);
		hci_conn_put(conn);
	}

	list_del(&params->list);
	kfree(params);
}
2277
/* Remove the connection parameters for @addr/@addr_type, if any, and
 * re-evaluate passive scanning since the set of tracked devices changed.
 *
 * This function requires the caller holds hdev->lock.
 */
void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *found;

	found = hci_conn_params_lookup(hdev, addr, addr_type);
	if (!found)
		return;

	hci_conn_params_free(found);
	hci_update_passive_scan(hdev);

	BT_DBG("addr %pMR (type %u)", addr, addr_type);
}
2293
/* Drop every entry on hdev->le_conn_params whose auto_connect is disabled.
 * An entry with explicit_connect set is kept but downgraded to
 * HCI_AUTO_CONN_EXPLICIT, so a one-off connection attempt to a disabled
 * device still completes.
 *
 * This function requires the caller holds hdev->lock.
 */
void hci_conn_params_clear_disabled(struct hci_dev *hdev)
{
	struct hci_conn_params *p, *next;

	list_for_each_entry_safe(p, next, &hdev->le_conn_params, list) {
		if (p->auto_connect != HCI_AUTO_CONN_DISABLED)
			continue;

		if (p->explicit_connect)
			p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
		else
			hci_conn_params_free(p);
	}

	BT_DBG("All LE disabled connection parameters were removed");
}
2316
/* Free every entry on hdev->le_conn_params (used on device release).
 *
 * This function requires the caller holds hdev->lock.
 */
static void hci_conn_params_clear_all(struct hci_dev *hdev)
{
	struct hci_conn_params *p, *next;

	list_for_each_entry_safe(p, next, &hdev->le_conn_params, list)
		hci_conn_params_free(p);

	BT_DBG("All LE connection parameters were removed");
}
2327
/* Copy the Identity Address of the controller into @bdaddr/@bdaddr_type.
 *
 * The static random address is used when any of these hold, checked in
 * this order:
 *  - HCI_FORCE_STATIC_ADDR is set (debugging aid to force the static
 *    random address even on controllers with a public address);
 *  - the controller has no public BD_ADDR (LE-only controller);
 *  - BR/EDR is disabled on a dual-mode controller and userspace has
 *    configured a static address.
 * Otherwise the public BD_ADDR is the identity address.
 */
void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
			       u8 *bdaddr_type)
{
	bool use_static;

	use_static = hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR);
	if (!use_static)
		use_static = !bacmp(&hdev->bdaddr, BDADDR_ANY);
	if (!use_static)
		use_static = !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
			     bacmp(&hdev->static_addr, BDADDR_ANY);

	if (use_static) {
		bacpy(bdaddr, &hdev->static_addr);
		*bdaddr_type = ADDR_LE_DEV_RANDOM;
		return;
	}

	bacpy(bdaddr, &hdev->bdaddr);
	*bdaddr_type = ADDR_LE_DEV_PUBLIC;
}
2355
/* Reset the recorded wake-up reason/address under hdev->lock; called from
 * hci_suspend_dev() so the next resume reports only what woke this cycle.
 */
static void hci_clear_wake_reason(struct hci_dev *hdev)
{
	hci_dev_lock(hdev);
	hdev->wake_addr_type = 0;
	bacpy(&hdev->wake_addr, BDADDR_ANY);
	hdev->wake_reason = 0;
	hci_dev_unlock(hdev);
}
2366
/* PM notifier callback: suspend the device before the system sleeps and
 * resume it afterwards.  Devices under userspace control (HCI_USER_CHANNEL)
 * are left alone.  A reference is held across the call to guard against a
 * concurrent hci_unregister_dev().  Always returns NOTIFY_DONE; a failing
 * suspend/resume is only logged.
 */
static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action,
				void *data)
{
	struct hci_dev *hdev = container_of(nb, struct hci_dev,
					    suspend_notifier);
	int err = 0;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
		return NOTIFY_DONE;

	hci_dev_hold(hdev);

	if (action == PM_HIBERNATION_PREPARE || action == PM_SUSPEND_PREPARE)
		err = hci_suspend_dev(hdev);
	else if (action == PM_POST_HIBERNATION || action == PM_POST_SUSPEND)
		err = hci_resume_dev(hdev);

	if (err)
		bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d",
			   action, err);

	hci_dev_put(hdev);

	return NOTIFY_DONE;
}
2399
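/* Alloc HCI device
 *
 * @sizeof_priv: size of the driver-private area reserved directly behind
 *               struct hci_dev, or 0 for none.  Negative values are
 *               rejected rather than folded into the allocation size.
 *
 * Zero-allocates the device, initialises its SRCU state, locks, lists,
 * work items and queues, and fills in the controller-wide defaults for
 * BR/EDR, advertising-monitor, sniff, LE and page-scan parameters.
 *
 * Returns the device, or NULL on allocation or SRCU init failure.  The
 * device is released through hci_free_dev() (device release callback).
 */
struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
{
	struct hci_dev *hdev;
	size_t alloc_size = sizeof(*hdev);

	/* A negative private size would otherwise be added to an unsigned
	 * total and yield an undersized allocation.
	 */
	if (sizeof_priv < 0)
		return NULL;

	if (sizeof_priv) {
		/* Fixme: May need ALIGN-ment? */
		alloc_size += sizeof_priv;
	}

	hdev = kzalloc(alloc_size, GFP_KERNEL);
	if (!hdev)
		return NULL;

	/* Torn down again by hci_unregister_dev(). */
	if (init_srcu_struct(&hdev->srcu)) {
		kfree(hdev);
		return NULL;
	}

	hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
	hdev->esco_type = (ESCO_HV1);
	hdev->link_mode = (HCI_LM_ACCEPT);
	hdev->num_iac = 0x01; /* One IAC support is mandatory */
	hdev->io_capability = 0x03; /* No Input No Output */
	hdev->manufacturer = 0xffff; /* Default to internal use */
	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
	hdev->adv_instance_cnt = 0;
	hdev->cur_adv_instance = 0x00;
	hdev->adv_instance_timeout = 0;

	hdev->advmon_allowlist_duration = 300;
	hdev->advmon_no_filter_duration = 500;
	hdev->enable_advmon_interleave_scan = 0x00; /* Default to disable */

	hdev->sniff_max_interval = 800;
	hdev->sniff_min_interval = 80;

	hdev->le_adv_channel_map = 0x07;
	hdev->le_adv_min_interval = 0x0800;
	hdev->le_adv_max_interval = 0x0800;
	hdev->le_scan_interval = DISCOV_LE_SCAN_INT_FAST;
	hdev->le_scan_window = DISCOV_LE_SCAN_WIN_FAST;
	hdev->le_scan_int_suspend = DISCOV_LE_SCAN_INT_SLOW1;
	hdev->le_scan_window_suspend = DISCOV_LE_SCAN_WIN_SLOW1;
	hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT;
	hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN;
	hdev->le_scan_int_adv_monitor = DISCOV_LE_SCAN_INT_FAST;
	hdev->le_scan_window_adv_monitor = DISCOV_LE_SCAN_WIN_FAST;
	hdev->le_scan_int_connect = DISCOV_LE_SCAN_INT_CONN;
	hdev->le_scan_window_connect = DISCOV_LE_SCAN_WIN_CONN;
	hdev->le_conn_min_interval = 0x0018;
	hdev->le_conn_max_interval = 0x0028;
	hdev->le_conn_latency = 0x0000;
	hdev->le_supv_timeout = 0x002a;
	hdev->le_def_tx_len = 0x001b;
	hdev->le_def_tx_time = 0x0148;
	hdev->le_max_tx_len = 0x001b;
	hdev->le_max_tx_time = 0x0148;
	hdev->le_max_rx_len = 0x001b;
	hdev->le_max_rx_time = 0x0148;
	hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
	hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
	hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
	hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
	hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES;
	hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION;
	hdev->def_le_autoconnect_timeout = HCI_LE_CONN_TIMEOUT;
	hdev->min_le_tx_power = HCI_TX_POWER_INVALID;
	hdev->max_le_tx_power = HCI_TX_POWER_INVALID;

	hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
	hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
	hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
	hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
	hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
	/* Lower bound enforced on link encryption key size. */
	hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE;

	/* default 1.28 sec page scan */
	hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD;
	hdev->def_page_scan_int = 0x0800;
	hdev->def_page_scan_window = 0x0012;

	mutex_init(&hdev->lock);
	mutex_init(&hdev->req_lock);
	mutex_init(&hdev->mgmt_pending_lock);

	ida_init(&hdev->unset_handle_ida);

	INIT_LIST_HEAD(&hdev->mesh_pending);
	INIT_LIST_HEAD(&hdev->mgmt_pending);
	INIT_LIST_HEAD(&hdev->reject_list);
	INIT_LIST_HEAD(&hdev->accept_list);
	INIT_LIST_HEAD(&hdev->uuids);
	INIT_LIST_HEAD(&hdev->link_keys);
	INIT_LIST_HEAD(&hdev->long_term_keys);
	INIT_LIST_HEAD(&hdev->identity_resolving_keys);
	INIT_LIST_HEAD(&hdev->remote_oob_data);
	INIT_LIST_HEAD(&hdev->le_accept_list);
	INIT_LIST_HEAD(&hdev->le_resolv_list);
	INIT_LIST_HEAD(&hdev->le_conn_params);
	INIT_LIST_HEAD(&hdev->pend_le_conns);
	INIT_LIST_HEAD(&hdev->pend_le_reports);
	INIT_LIST_HEAD(&hdev->conn_hash.list);
	INIT_LIST_HEAD(&hdev->adv_instances);
	INIT_LIST_HEAD(&hdev->blocked_keys);
	INIT_LIST_HEAD(&hdev->monitored_devices);

	INIT_LIST_HEAD(&hdev->local_codecs);
	INIT_WORK(&hdev->rx_work, hci_rx_work);
	INIT_WORK(&hdev->cmd_work, hci_cmd_work);
	INIT_WORK(&hdev->tx_work, hci_tx_work);
	INIT_WORK(&hdev->power_on, hci_power_on);
	INIT_WORK(&hdev->error_reset, hci_error_reset);

	hci_cmd_sync_init(hdev);

	INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);

	skb_queue_head_init(&hdev->rx_q);
	skb_queue_head_init(&hdev->cmd_q);
	skb_queue_head_init(&hdev->raw_q);

	init_waitqueue_head(&hdev->req_wait_q);

	INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
	INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout);

	hci_devcd_setup(hdev);

	hci_init_sysfs(hdev);
	discovery_init(hdev);

	return hdev;
}
EXPORT_SYMBOL(hci_alloc_dev_priv);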
2538
/* Free HCI device
 *
 * Drops the embedded struct device reference; the actual teardown runs from
 * the device release callback (see hci_release_dev()), not here.
 */
void hci_free_dev(struct hci_dev *hdev)
{
	struct device *dev = &hdev->dev;

	put_device(dev);
}
EXPORT_SYMBOL(hci_free_dev);
2546
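/* Register HCI device
 *
 * Allocates an index, names the device "hci<id>", creates its workqueues
 * and debugfs dir, adds it to sysfs/rfkill and to hci_dev_list, and kicks
 * off power-on via req_workqueue.  The driver must have set the open, close
 * and send callbacks.
 *
 * Returns the device index on success or a negative errno.  On failure the
 * index is released and the workqueues/debugfs created here are torn down
 * again; the device itself remains owned by the caller.
 */
int hci_register_dev(struct hci_dev *hdev)
{
	int id, error;

	if (!hdev->open || !hdev->close || !hdev->send)
		return -EINVAL;

	id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL);
	if (id < 0)
		return id;

	/* Record the index before the first failure path so that the
	 * "err" label can always release it.
	 */
	hdev->id = id;

	error = dev_set_name(&hdev->dev, "hci%u", id);
	if (error)
		goto err;

	hdev->name = dev_name(&hdev->dev);

	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);

	hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name);
	if (!hdev->workqueue) {
		error = -ENOMEM;
		goto err;
	}

	hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI,
						      hdev->name);
	if (!hdev->req_workqueue) {
		destroy_workqueue(hdev->workqueue);
		error = -ENOMEM;
		goto err;
	}

	if (!IS_ERR_OR_NULL(bt_debugfs))
		hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);

	error = device_add(&hdev->dev);
	if (error < 0)
		goto err_wqueue;

	hci_leds_init(hdev);

	/* rfkill is optional: a failed alloc or register leaves the device
	 * usable, just without a kill switch.
	 */
	hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
				    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
				    hdev);
	if (hdev->rfkill) {
		if (rfkill_register(hdev->rfkill) < 0) {
			rfkill_destroy(hdev->rfkill);
			hdev->rfkill = NULL;
		}
	}

	if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
		hci_dev_set_flag(hdev, HCI_RFKILLED);

	hci_dev_set_flag(hdev, HCI_SETUP);
	hci_dev_set_flag(hdev, HCI_AUTO_OFF);

	/* Assume BR/EDR support until proven otherwise (such as
	 * through reading supported features during init.
	 */
	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);

	write_lock(&hci_dev_list_lock);
	list_add(&hdev->list, &hci_dev_list);
	write_unlock(&hci_dev_list_lock);

	/* Devices that are marked for raw-only usage are unconfigured
	 * and should not be included in normal operation.
	 */
	if (hci_test_quirk(hdev, HCI_QUIRK_RAW_DEVICE))
		hci_dev_set_flag(hdev, HCI_UNCONFIGURED);

	/* Mark Remote Wakeup connection flag as supported if driver has wakeup
	 * callback.
	 */
	if (hdev->wakeup)
		hdev->conn_flags |= HCI_CONN_FLAG_REMOTE_WAKEUP;

	hci_sock_dev_event(hdev, HCI_DEV_REG);
	hci_dev_hold(hdev);

	/* Best effort: a device without a PM notifier still works, it just
	 * will not be suspended/resumed with the system.
	 */
	error = hci_register_suspend_notifier(hdev);
	if (error)
		BT_WARN("register suspend notifier failed error:%d\n", error);

	queue_work(hdev->req_workqueue, &hdev->power_on);

	idr_init(&hdev->adv_monitors_idr);
	msft_register(hdev);

	return id;

err_wqueue:
	debugfs_remove_recursive(hdev->debugfs);
	destroy_workqueue(hdev->workqueue);
	destroy_workqueue(hdev->req_workqueue);
err:
	ida_free(&hci_index_ida, hdev->id);

	return error;
}
EXPORT_SYMBOL(hci_register_dev);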
2652
/* Unregister HCI device
 *
 * Reverses hci_register_dev(): marks the device HCI_UNREGISTER, unlinks it
 * from hci_dev_list, quiesces its work items and command-sync state, closes
 * it, tells mgmt/sockets it is gone and removes it from sysfs and rfkill.
 * Per-device lists and memory are NOT freed here; the final hci_dev_put()
 * defers that to hci_release_dev() once the last reference drops.
 */
void hci_unregister_dev(struct hci_dev *hdev)
{
	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);

	/* Set under unregister_lock so readers that take the same lock see
	 * the flag consistently with whatever they are about to do.
	 */
	mutex_lock(&hdev->unregister_lock);
	hci_dev_set_flag(hdev, HCI_UNREGISTER);
	mutex_unlock(&hdev->unregister_lock);

	write_lock(&hci_dev_list_lock);
	list_del(&hdev->list);
	write_unlock(&hci_dev_list_lock);

	/* Wait for SRCU readers still referencing the device, then release
	 * the SRCU state set up in hci_alloc_dev_priv().
	 */
	synchronize_srcu(&hdev->srcu);
	cleanup_srcu_struct(&hdev->srcu);

	/* disable_work_sync() waits for running instances and also stops the
	 * items from being queued again, which a plain cancel would not.
	 */
	disable_work_sync(&hdev->rx_work);
	disable_work_sync(&hdev->cmd_work);
	disable_work_sync(&hdev->tx_work);
	disable_work_sync(&hdev->power_on);
	disable_work_sync(&hdev->error_reset);

	hci_cmd_sync_clear(hdev);

	hci_unregister_suspend_notifier(hdev);

	hci_dev_do_close(hdev);

	/* Only a device that reached normal operation was ever announced to
	 * mgmt, so only then report its removal.
	 */
	if (!test_bit(HCI_INIT, &hdev->flags) &&
	    !hci_dev_test_flag(hdev, HCI_SETUP) &&
	    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
		hci_dev_lock(hdev);
		mgmt_index_removed(hdev);
		hci_dev_unlock(hdev);
	}

	/* mgmt_index_removed should take care of emptying the
	 * pending list */
	BUG_ON(!list_empty(&hdev->mgmt_pending));

	hci_sock_dev_event(hdev, HCI_DEV_UNREG);

	if (hdev->rfkill) {
		rfkill_unregister(hdev->rfkill);
		rfkill_destroy(hdev->rfkill);
	}

	device_del(&hdev->dev);
	/* Actual cleanup is deferred until hci_release_dev(). */
	hci_dev_put(hdev);
}
EXPORT_SYMBOL(hci_unregister_dev);
2705
/* Release HCI device
 *
 * Final teardown, reached through the device release callback once the last
 * reference is dropped (see hci_free_dev() / hci_unregister_dev()).  Frees
 * debugfs, workqueues, every per-device list (including the stored link
 * keys, LTKs and IRKs), the index and the device memory itself.
 *
 * NOTE(review): hci_register_dev()'s error path already destroys the
 * workqueues and debugfs dir on failure; confirm that callers never reach
 * this release path with those pointers still set after a failed register.
 */
void hci_release_dev(struct hci_dev *hdev)
{
	debugfs_remove_recursive(hdev->debugfs);
	kfree_const(hdev->hw_info);
	kfree_const(hdev->fw_info);

	destroy_workqueue(hdev->workqueue);
	destroy_workqueue(hdev->req_workqueue);

	/* The list clears below all expect hdev->lock to be held. */
	hci_dev_lock(hdev);
	hci_bdaddr_list_clear(&hdev->reject_list);
	hci_bdaddr_list_clear(&hdev->accept_list);
	hci_uuids_clear(hdev);
	hci_link_keys_clear(hdev);
	hci_smp_ltks_clear(hdev);
	hci_smp_irks_clear(hdev);
	hci_remote_oob_data_clear(hdev);
	hci_adv_instances_clear(hdev);
	hci_adv_monitors_clear(hdev);
	hci_bdaddr_list_clear(&hdev->le_accept_list);
	hci_bdaddr_list_clear(&hdev->le_resolv_list);
	hci_conn_params_clear_all(hdev);
	hci_discovery_filter_clear(hdev);
	hci_blocked_keys_clear(hdev);
	hci_codec_list_clear(&hdev->local_codecs);
	msft_release(hdev);
	hci_dev_unlock(hdev);

	ida_destroy(&hdev->unset_handle_ida);
	ida_free(&hci_index_ida, hdev->id);
	/* kfree_skb() tolerates NULL, so unset command/event skbs are fine. */
	kfree_skb(hdev->sent_cmd);
	kfree_skb(hdev->req_skb);
	kfree_skb(hdev->recv_event);
	kfree(hdev);
}
EXPORT_SYMBOL(hci_release_dev);
2743
/* Hook the device into the PM notifier chain so hci_suspend_notifier() runs
 * around system suspend.  Idempotent: an already-installed callback is kept,
 * and devices with HCI_QUIRK_NO_SUSPEND_NOTIFIER opt out entirely.
 *
 * Returns 0, or the error from register_pm_notifier().
 */
int hci_register_suspend_notifier(struct hci_dev *hdev)
{
	struct notifier_block *nb = &hdev->suspend_notifier;

	if (nb->notifier_call)
		return 0;
	if (hci_test_quirk(hdev, HCI_QUIRK_NO_SUSPEND_NOTIFIER))
		return 0;

	nb->notifier_call = hci_suspend_notifier;

	return register_pm_notifier(nb);
}
2756
/* Remove the PM notifier installed by hci_register_suspend_notifier().
 * The callback pointer is cleared only when unregistration succeeded, so a
 * failed attempt can be retried.  Returns 0 if nothing was registered.
 */
int hci_unregister_suspend_notifier(struct hci_dev *hdev)
{
	struct notifier_block *nb = &hdev->suspend_notifier;
	int err;

	if (!nb->notifier_call)
		return 0;

	err = unregister_pm_notifier(nb);
	if (!err)
		nb->notifier_call = NULL;

	return err;
}
2769
/* Cancel ongoing command synchronously:
 *
 * - Cancel command timer
 * - Reset command counter
 * - Cancel command request
 *
 * @err is the (positive) errno the pending request is failed with.  While
 * the device is being unregistered the timers are disabled rather than just
 * cancelled, so they cannot be re-armed afterwards.
 */
static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err)
{
	bool unregistering = hci_dev_test_flag(hdev, HCI_UNREGISTER);

	bt_dev_dbg(hdev, "err 0x%2.2x", err);

	if (unregistering) {
		disable_delayed_work_sync(&hdev->cmd_timer);
		disable_delayed_work_sync(&hdev->ncmd_timer);
	} else {
		cancel_delayed_work_sync(&hdev->cmd_timer);
		cancel_delayed_work_sync(&hdev->ncmd_timer);
	}

	/* Allow one command to be sent again once the cancel is done. */
	atomic_set(&hdev->cmd_cnt, 1);

	hci_cmd_sync_cancel_sync(hdev, err);
}
2792
/* Suspend HCI device
 *
 * Runs the suspend sequence under the request lock for a powered device
 * that is neither unregistering nor powering down.  Any blocking sync
 * command is failed first (with EHOSTDOWN) so it cannot hold up suspend.
 * The wake reason is cleared before mgmt and sockets are told about the
 * suspend.
 *
 * Returns 0 when skipped, otherwise the result of hci_suspend_sync().
 */
int hci_suspend_dev(struct hci_dev *hdev)
{
	int err;

	bt_dev_dbg(hdev, "");

	if (!hdev_is_powered(hdev) ||
	    hci_dev_test_flag(hdev, HCI_UNREGISTER) ||
	    mgmt_powering_down(hdev))
		return 0;

	hci_cancel_cmd_sync(hdev, EHOSTDOWN);

	hci_req_sync_lock(hdev);
	err = hci_suspend_sync(hdev);
	hci_req_sync_unlock(hdev);

	hci_clear_wake_reason(hdev);
	mgmt_suspending(hdev, hdev->suspend_state);
	hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);

	return err;
}
EXPORT_SYMBOL(hci_suspend_dev);
2823
/* Resume HCI device
 *
 * Counterpart of hci_suspend_dev(): for a powered device that is neither
 * unregistering nor powering down, run the resume sequence under the
 * request lock, then report the recorded wake reason/address to mgmt and
 * notify sockets.
 *
 * Returns 0 when skipped, otherwise the result of hci_resume_sync().
 */
int hci_resume_dev(struct hci_dev *hdev)
{
	int err;

	bt_dev_dbg(hdev, "");

	if (!hdev_is_powered(hdev) ||
	    hci_dev_test_flag(hdev, HCI_UNREGISTER) ||
	    mgmt_powering_down(hdev))
		return 0;

	hci_req_sync_lock(hdev);
	err = hci_resume_sync(hdev);
	hci_req_sync_unlock(hdev);

	mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr,
		      hdev->wake_addr_type);
	hci_sock_dev_event(hdev, HCI_DEV_RESUME);

	return err;
}
EXPORT_SYMBOL(hci_resume_dev);
2851
/* Reset HCI device
 *
 * Drivers call this to trigger a stack-level reset: a synthetic
 * HCI Hardware Error event (event code, parameter length 1, hardware
 * code 0x00) is injected into the normal receive path as if the controller
 * had sent it.  GFP_ATOMIC because drivers may call this from interrupt
 * context.
 *
 * Returns -ENOMEM if the skb cannot be allocated, else the result of
 * hci_recv_frame().
 */
int hci_reset_dev(struct hci_dev *hdev)
{
	static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
	struct sk_buff *skb;

	skb = bt_skb_alloc(sizeof(hw_err), GFP_ATOMIC);
	if (!skb)
		return -ENOMEM;

	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
	skb_put_data(skb, hw_err, sizeof(hw_err));

	bt_dev_err(hdev, "Injecting HCI hardware error event");

	return hci_recv_frame(hdev, skb);
}
EXPORT_SYMBOL(hci_reset_dev);
2871
/* Packet type to use for an incoming @skb: the driver's classify_pkt_type
 * callback if it provides one, else the type already stored in the skb.
 */
static u8 hci_dev_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb)
{
	return hdev->classify_pkt_type ? hdev->classify_pkt_type(hdev, skb)
				       : hci_skb_pkt_type(skb);
}
2879
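/* Receive frame from HCI drivers
 *
 * Entry point for every packet a transport driver pulls off the controller.
 * @skb is consumed on all paths: it is either queued on hdev->rx_q for the
 * RX work item or freed here.
 *
 * Packet type and payload originate from the controller/transport and are
 * treated as untrusted: the type is re-derived (optionally through the
 * driver's classify_pkt_type callback) and checked against the known set,
 * and the only payload field parsed here, the ACL handle used to detect ISO
 * data mislabelled as ACL, is read only when the frame is long enough to
 * hold an ACL header.
 *
 * Returns 0 when queued, -ENXIO when the device is neither up nor
 * initialising, -EINVAL for an unknown packet type.
 */
int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
	u8 dev_pkt_type;

	if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
		      && !test_bit(HCI_INIT, &hdev->flags))) {
		kfree_skb(skb);
		return -ENXIO;
	}

	/* Check if the driver agree with packet type classification */
	dev_pkt_type = hci_dev_classify_pkt_type(hdev, skb);
	if (hci_skb_pkt_type(skb) != dev_pkt_type)
		hci_skb_pkt_type(skb) = dev_pkt_type;

	switch (hci_skb_pkt_type(skb)) {
	case HCI_EVENT_PKT:
	case HCI_SCODATA_PKT:
	case HCI_ISODATA_PKT:
	case HCI_DRV_PKT:
		break;
	case HCI_ACLDATA_PKT:
		/* Detect if ISO packet has been sent as ACL.  Only peek at
		 * the header when the frame actually carries one; a short
		 * frame stays ACL and is validated by the normal RX path.
		 */
		if (skb->len >= HCI_ACL_HDR_SIZE &&
		    (hci_conn_num(hdev, CIS_LINK) ||
		     hci_conn_num(hdev, BIS_LINK) ||
		     hci_conn_num(hdev, PA_LINK))) {
			__u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle);
			__u8 type;

			type = hci_conn_lookup_type(hdev, hci_handle(handle));
			if (type == CIS_LINK || type == BIS_LINK ||
			    type == PA_LINK)
				hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
		}
		break;
	default:
		kfree_skb(skb);
		return -EINVAL;
	}

	/* Incoming skb */
	bt_cb(skb)->incoming = 1;

	/* Time stamp */
	__net_timestamp(skb);

	skb_queue_tail(&hdev->rx_q, skb);
	queue_work(hdev->workqueue, &hdev->rx_work);

	return 0;
}
EXPORT_SYMBOL(hci_recv_frame);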
2937
/* Receive diagnostic message from HCI drivers
 *
 * Tags @skb as HCI_DIAG_PKT, timestamps it and hands it to the RX work item.
 * Unlike hci_recv_frame() there is no device-state check and the incoming
 * flag is not set; the caller is expected to pass a valid, up device.
 * Always returns 0.
 */
int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
{
	__net_timestamp(skb);
	hci_skb_pkt_type(skb) = HCI_DIAG_PKT;

	skb_queue_tail(&hdev->rx_q, skb);
	queue_work(hdev->workqueue, &hdev->rx_work);

	return 0;
}
EXPORT_SYMBOL(hci_recv_diag);
2953
/* Replace the device's hardware-info string with a formatted value.
 * @fmt must be a trusted (literal) format string; the previous string is
 * released first, so calling this repeatedly does not leak.
 */
void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...)
{
	va_list args;

	kfree_const(hdev->hw_info);

	va_start(args, fmt);
	hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, args);
	va_end(args);
}
EXPORT_SYMBOL(hci_set_hw_info);
2964
/* Replace the device's firmware-info string with a formatted value.
 * @fmt must be a trusted (literal) format string; the previous string is
 * released first, so calling this repeatedly does not leak.
 */
void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...)
{
	va_list args;

	kfree_const(hdev->fw_info);

	va_start(args, fmt);
	hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, args);
	va_end(args);
}
EXPORT_SYMBOL(hci_set_fw_info);
2975
2976 /* ---- Interface to upper protocols ---- */
2977
/* Append an upper-protocol callback set to hci_cb_list under
 * hci_cb_list_lock.  Always returns 0.
 */
int hci_register_cb(struct hci_cb *cb)
{
	struct list_head *node = &cb->list;

	BT_DBG("%p name %s", cb, cb->name);

	mutex_lock(&hci_cb_list_lock);
	list_add_tail(node, &hci_cb_list);
	mutex_unlock(&hci_cb_list_lock);

	return 0;
}
EXPORT_SYMBOL(hci_register_cb);
2989
/* Remove an upper-protocol callback set from hci_cb_list under
 * hci_cb_list_lock.  Always returns 0.
 */
int hci_unregister_cb(struct hci_cb *cb)
{
	struct list_head *node = &cb->list;

	BT_DBG("%p name %s", cb, cb->name);

	mutex_lock(&hci_cb_list_lock);
	list_del(node);
	mutex_unlock(&hci_cb_list_lock);

	return 0;
}
EXPORT_SYMBOL(hci_unregister_cb);
3001
/* Hand one outgoing frame to the transport driver.
 *
 * The frame is timestamped and copied to the monitor (and to raw sockets
 * when promiscuous) before the HCI_RUNNING check, so dropped frames still
 * appear in traces.  HCI_DRV_PKT frames never reach hdev->send; they are
 * handled in-kernel by hci_drv_process_cmd().
 *
 * @skb is consumed on every path: passed to the driver on success, freed
 * on every failure.  Returns 0, -EINVAL if the device is not running, or
 * the error from hci_drv_process_cmd()/hdev->send.
 */
static int hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
	int err;

	BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
	       skb->len);

	__net_timestamp(skb);

	hci_send_to_monitor(hdev, skb);
	if (atomic_read(&hdev->promisc))
		hci_send_to_sock(hdev, skb);

	/* Drop the socket owner before the driver takes the skb. */
	skb_orphan(skb);

	if (!test_bit(HCI_RUNNING, &hdev->flags)) {
		err = -EINVAL;
		goto drop;
	}

	if (hci_skb_pkt_type(skb) == HCI_DRV_PKT) {
		err = hci_drv_process_cmd(hdev, skb);
		goto drop;
	}

	err = hdev->send(hdev, skb);
	if (err < 0) {
		bt_dev_err(hdev, "sending frame failed (%d)", err);
		goto drop;
	}

	return 0;

drop:
	kfree_skb(skb);
	return err;
}
3046
/* Send a frame that belongs to @conn: the connection's TX bookkeeping
 * (hci_conn_tx_queue()) runs before the frame is handed to the driver.
 * Returns the result of hci_send_frame(), which consumes @skb.
 */
static int hci_send_conn_frame(struct hci_dev *hdev, struct hci_conn *conn,
			       struct sk_buff *skb)
{
	hci_conn_tx_queue(conn, skb);

	return hci_send_frame(hdev, skb);
}
3053
/* Send HCI command
 *
 * Builds a command packet for @opcode with @plen bytes of @param and queues
 * it on hdev->cmd_q for the command work item, which serialises commands
 * against the controller's completion events.  The packet is flagged as a
 * single-command request.
 *
 * Returns 0, or -ENOMEM if the packet cannot be allocated.
 */
int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
		 const void *param)
{
	struct sk_buff *cmd;

	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);

	cmd = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
	if (!cmd) {
		bt_dev_err(hdev, "no memory for command");
		return -ENOMEM;
	}

	bt_cb(cmd)->hci.req_flags |= HCI_REQ_START;

	skb_queue_tail(&hdev->cmd_q, cmd);
	queue_work(hdev->workqueue, &hdev->cmd_work);

	return 0;
}
3078
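/* Send a vendor-specific command directly, without waiting for a response.
 *
 * Only OGF 0x3f (vendor-specific) commands are accepted: standard commands
 * must produce a Command Status/Complete event and therefore have to go
 * through hci_send_cmd() or the hci_cmd_sync helpers.  The frame bypasses
 * hdev->cmd_q and is passed straight to hci_send_frame().
 *
 * Returns 0 on success, -EINVAL for a non-vendor opcode, -ENOMEM if the
 * packet cannot be allocated, or the error reported by hci_send_frame().
 */
int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen,
		   const void *param)
{
	struct sk_buff *skb;

	if (hci_opcode_ogf(opcode) != 0x3f) {
		/* A controller receiving a command shall respond with either
		 * a Command Status Event or a Command Complete Event.
		 * Therefore, all standard HCI commands must be sent via the
		 * standard API, using hci_send_cmd or hci_cmd_sync helpers.
		 * Some vendors do not comply with this rule for vendor-specific
		 * commands and do not return any event. We want to support
		 * unresponded commands for such cases only.
		 */
		bt_dev_err(hdev, "unresponded command not supported");
		return -EINVAL;
	}

	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
	if (!skb) {
		bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
			   opcode);
		return -ENOMEM;
	}

	/* hci_send_frame() consumes the skb on every path, so a failure here
	 * needs no cleanup; propagate it instead of reporting success.
	 */
	return hci_send_frame(hdev, skb);
}
EXPORT_SYMBOL(__hci_cmd_send);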
3109
/* Get data from the previously sent command
 *
 * Returns a pointer to the parameter bytes of @skb if it holds a complete
 * command header whose opcode equals @opcode, else NULL.  Tolerates a NULL
 * @skb.  The length check only covers the header; callers reading
 * parameters must bound their own accesses.
 */
static void *hci_cmd_data(struct sk_buff *skb, __u16 opcode)
{
	const struct hci_command_hdr *hdr;

	if (!skb)
		return NULL;
	if (skb->len < HCI_COMMAND_HDR_SIZE)
		return NULL;

	hdr = (const void *)skb->data;
	if (hdr->opcode != cpu_to_le16(opcode))
		return NULL;

	return skb->data + HCI_COMMAND_HDR_SIZE;
}
3125
/* Get data from the previously sent command
 *
 * Looks for @opcode first in the last command actually sent
 * (hdev->sent_cmd), then in the last request (hdev->req_skb).  Returns the
 * parameter pointer from hci_cmd_data(), or NULL if neither matches.
 */
void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
{
	void *data = hci_cmd_data(hdev->sent_cmd, opcode);

	if (data)
		return data;

	return hci_cmd_data(hdev->req_skb, opcode);
}
3139
/* Get data from last received event
 *
 * Returns a pointer past the event header of hdev->recv_event when its
 * event code is @event.  For LE Meta events @event is also matched against
 * the subevent code, in which case the pointer is advanced past the meta
 * header too.  Returns NULL when no event is stored or nothing matches.
 *
 * No length check is done on recv_event here; it relies on the event
 * parser having validated the header before storing the skb.
 */
void *hci_recv_event_data(struct hci_dev *hdev, __u8 event)
{
	struct sk_buff *skb = hdev->recv_event;
	struct hci_event_hdr *hdr;
	int offset;

	if (!skb)
		return NULL;

	hdr = (void *)skb->data;
	offset = sizeof(*hdr);

	if (hdr->evt != event) {
		struct hci_ev_le_meta *meta;

		if (hdr->evt != HCI_EV_LE_META)
			return NULL;

		meta = (void *)skb->data + offset;
		offset += sizeof(*meta);
		if (meta->subevent != event)
			return NULL;
	}

	bt_dev_dbg(hdev, "event 0x%2.2x", event);

	return skb->data + offset;
}
3170
/* Send ACL data */
/* Prepend an ACL header to @skb: handle and packet-boundary/broadcast
 * @flags packed into the handle field, and the payload length as it was
 * before the push.  The transport header is reset to point at it.
 */
static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
{
	unsigned int payload_len = skb->len;
	struct hci_acl_hdr *hdr;

	skb_push(skb, HCI_ACL_HDR_SIZE);
	skb_reset_transport_header(skb);

	hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
	hdr->dlen = cpu_to_le16(payload_len);
}
3183
/* Queue an ACL PDU (possibly pre-fragmented via frag_list) on @queue.
 *
 * The head skb is reduced to its linear part and gets an ACL header with
 * the caller's @flags; each fragment is detached from frag_list, given its
 * own header with ACL_START cleared and ACL_CONT set, and appended behind
 * it.  Fragments are added under the queue lock so they stay contiguous.
 */
static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
			  struct sk_buff *skb, __u16 flags)
{
	struct hci_conn *conn = chan->conn;
	struct hci_dev *hdev = conn->hdev;
	struct sk_buff *frag = skb_shinfo(skb)->frag_list;

	skb->len = skb_headlen(skb);
	skb->data_len = 0;

	hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
	hci_add_acl_hdr(skb, conn->handle, flags);

	if (!frag) {
		/* Non fragmented */
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
		skb_queue_tail(queue, skb);
		goto out;
	}

	/* Fragmented */
	BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);

	skb_shinfo(skb)->frag_list = NULL;

	flags = (flags & ~ACL_START) | ACL_CONT;

	/* Queue all fragments atomically. We need to use spin_lock_bh
	 * here because of 6LoWPAN links, as there this function is
	 * called from softirq and using normal spin lock could cause
	 * deadlocks.
	 */
	spin_lock_bh(&queue->lock);

	__skb_queue_tail(queue, skb);

	while (frag) {
		/* Grab the successor before queueing overwrites ->next. */
		struct sk_buff *next = frag->next;

		hci_skb_pkt_type(frag) = HCI_ACLDATA_PKT;
		hci_add_acl_hdr(frag, conn->handle, flags);

		BT_DBG("%s frag %p len %d", hdev->name, frag, frag->len);

		__skb_queue_tail(queue, frag);
		frag = next;
	}

	spin_unlock_bh(&queue->lock);

out:
	bt_dev_dbg(hdev, "chan %p queued %d", chan, skb_queue_len(queue));
}
3237
/* Queue ACL data on the channel's data queue and wake the TX work item. */
void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
{
	struct hci_conn *conn = chan->conn;
	struct hci_dev *hdev = conn->hdev;

	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);

	hci_queue_acl(chan, &chan->data_q, skb, flags);
	queue_work(hdev->workqueue, &hdev->tx_work);
}
3248
/* Send SCO data
 *
 * Prepends a SCO header (handle + length) to @skb, tags it as SCO data,
 * queues it on the connection's data queue and wakes the TX work item.
 *
 * NOTE(review): hdr.dlen is narrower than skb->len and is assigned without
 * a range check, so this relies on callers bounding SCO payloads to what
 * the header can express — confirm at the call sites.
 */
void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
{
	struct hci_dev *hdev = conn->hdev;
	struct hci_sco_hdr hdr = {
		.handle = cpu_to_le16(conn->handle),
		.dlen = skb->len,
	};

	BT_DBG("%s len %d", hdev->name, skb->len);

	skb_push(skb, HCI_SCO_HDR_SIZE);
	skb_reset_transport_header(skb);
	memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);

	hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;

	skb_queue_tail(&conn->data_q, skb);
	bt_dev_dbg(hdev, "hcon %p queued %d", conn,
		   skb_queue_len(&conn->data_q));

	queue_work(hdev->workqueue, &hdev->tx_work);
}
3273
/* Send ISO data */
/* Prepend an ISO header to @skb: handle and packet-boundary @flags packed
 * into the handle field, and the payload length as it was before the push.
 * The transport header is reset to point at it.
 */
static void hci_add_iso_hdr(struct sk_buff *skb, __u16 handle, __u8 flags)
{
	unsigned int payload_len = skb->len;
	struct hci_iso_hdr *hdr;

	skb_push(skb, HCI_ISO_HDR_SIZE);
	skb_reset_transport_header(skb);

	hdr = (struct hci_iso_hdr *)skb_transport_header(skb);
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
	hdr->dlen = cpu_to_le16(payload_len);
}
3286
/* Split @skb into HCI ISO data packets and append them to @queue.
 *
 * A linear skb is queued as one ISO_SINGLE packet. When the skb carries a
 * frag_list, the head becomes ISO_START and each fragment ISO_CONT, the
 * last one ISO_END; every packet receives its own ISO header carrying
 * @conn->handle (hci_add_iso_hdr). The frag_list is detached from the head
 * so each fragment is queued as an independent skb.
 *
 * NOTE(review): the fragmented path appends with the unlocked
 * __skb_queue_tail() and never takes queue->lock, whereas the ACL path
 * above holds queue->lock around its fragment loop and the TX work drains
 * this queue with skb_dequeue() (hci_sched_iso). Confirm the caller is
 * serialised against the TX work, or lock as the ACL path does.
 */
static void hci_queue_iso(struct hci_conn *conn, struct sk_buff_head *queue,
			  struct sk_buff *skb)
{
	struct hci_dev *hdev = conn->hdev;
	struct sk_buff *list;
	__u16 flags;

	/* Account only the linear head here; the fragments are queued as
	 * separate skbs below. */
	skb->len = skb_headlen(skb);
	skb->data_len = 0;

	hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;

	list = skb_shinfo(skb)->frag_list;

	flags = hci_iso_flags_pack(list ? ISO_START : ISO_SINGLE, 0x00);
	hci_add_iso_hdr(skb, conn->handle, flags);

	if (!list) {
		/* Non fragmented */
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);

		skb_queue_tail(queue, skb);
	} else {
		/* Fragmented */
		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);

		/* The head no longer owns its fragments; they are queued
		 * individually and freed individually. */
		skb_shinfo(skb)->frag_list = NULL;

		__skb_queue_tail(queue, skb);

		do {
			skb = list; list = list->next;

			hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
			/* Last fragment closes the SDU with ISO_END */
			flags = hci_iso_flags_pack(list ? ISO_CONT : ISO_END,
						   0x00);
			hci_add_iso_hdr(skb, conn->handle, flags);

			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);

			__skb_queue_tail(queue, skb);
		} while (list);
	}

	bt_dev_dbg(hdev, "hcon %p queued %d", conn, skb_queue_len(queue));
}
3333
/* Queue an outgoing ISO frame on @conn and kick the TX work.
 *
 * @conn: CIS/BIS connection the frame belongs to.
 * @skb:  frame to send (may carry a frag_list, which hci_queue_iso()
 *        turns into START/CONT/END packets); ownership passes to the core.
 */
void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb)
{
	BT_DBG("%s len %d", conn->hdev->name, skb->len);

	hci_queue_iso(conn, &conn->data_q, skb);

	queue_work(conn->hdev->workqueue, &conn->hdev->tx_work);
}
3344
3345 /* ---- HCI TX task (outgoing data) ---- */
3346
3347 /* HCI Connection scheduler */
/* Number of controller TX buffers currently free in the pool that @conn's
 * link type draws from. Unknown link types are logged and yield 0. */
static inline int hci_conn_pool_cnt(struct hci_dev *hdev, struct hci_conn *conn)
{
	switch (conn->type) {
	case ACL_LINK:
		return hdev->acl_cnt;
	case SCO_LINK:
	case ESCO_LINK:
		return hdev->sco_cnt;
	case LE_LINK:
		/* Without a dedicated LE buffer pool (le_mtu == 0) LE traffic
		 * shares the ACL buffers. */
		return hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
	case CIS_LINK:
	case BIS_LINK:
	case PA_LINK:
		return hdev->iso_cnt;
	default:
		bt_dev_err(hdev, "unknown link type %d", conn->type);
		return 0;
	}
}

/* Compute the per-turn transmit quota for @conn.
 *
 * @conn:  connection chosen by the scheduler, or NULL when nothing is
 *         eligible (then *quote becomes 0).
 * @num:   number of competitors sharing the pool; callers count the chosen
 *         connection itself, so this is at least 1 whenever @conn is set.
 * @quote: out — the free buffers divided evenly among @num, but never less
 *         than 1 so a connection is not starved when buffers run low.
 */
static inline void hci_quote_sent(struct hci_conn *conn, int num, int *quote)
{
	int share;

	if (!conn) {
		*quote = 0;
		return;
	}

	share = hci_conn_pool_cnt(conn->hdev, conn) / num;
	*quote = share == 0 ? 1 : share;
}
3384
/* Pick the connection of link @type that should transmit next.
 *
 * Candidates are connections with queued data (data_q not empty) in state
 * BT_CONNECTED or BT_CONFIG; among them the one with the fewest packets
 * outstanding (c->sent) wins, which shares the controller's buffers fairly.
 * @quote receives that connection's share of the free buffers via
 * hci_quote_sent(), or 0 when nothing is eligible.
 *
 * Returns the chosen connection or NULL.
 */
static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
				     int *quote)
{
	struct hci_conn_hash *h = &hdev->conn_hash;
	struct hci_conn *conn = NULL, *c;
	/* num: eligible connections seen; min: lowest c->sent so far */
	unsigned int num = 0, min = ~0;

	/* We don't have to lock device here. Connections are always
	 * added and removed with TX task disabled. */

	rcu_read_lock();

	list_for_each_entry_rcu(c, &h->list, list) {
		if (c->type != type ||
		    skb_queue_empty(&c->data_q))
			continue;

		bt_dev_dbg(hdev, "hcon %p state %s queued %d", c,
			   state_to_string(c->state),
			   skb_queue_len(&c->data_q));

		if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
			continue;

		num++;

		if (c->sent < min) {
			min = c->sent;
			conn = c;
		}

		/* Shortcut once every connection of this type has been seen.
		 * Connections skipped above are not counted, so this only
		 * fires when all of them were eligible. */
		if (hci_conn_num(hdev, type) == num)
			break;
	}

	rcu_read_unlock();

	hci_quote_sent(conn, num, quote);

	BT_DBG("conn %p quote %d", conn, *quote);
	return conn;
}
3427
/* Handle a transmit timeout on link @type.
 *
 * Called by __check_timeout() when the buffer pool for @type has been empty
 * for longer than the TX timeout, i.e. the controller stopped returning
 * completions. Every connection of that type with packets outstanding
 * (conn->sent) is treated as stalled and a disconnect is issued for it.
 *
 * Runs under hci_dev_lock().
 */
static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn *conn;

	bt_dev_err(hdev, "link tx timeout");

	hci_dev_lock(hdev);

	/* Kill stalled connections */
	list_for_each_entry(conn, &hdev->conn_hash.list, list) {
		if (conn->type != type || !conn->sent)
			continue;

		bt_dev_err(hdev, "killing stalled connection %pMR",
			   &conn->dst);
		hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
	}

	hci_dev_unlock(hdev);
}
3448
/* Pick the L2CAP channel of link @type that should transmit next.
 *
 * Scheduling is priority-first: the priority of each channel's head skb is
 * compared and only channels at the highest priority seen so far compete;
 * whenever a higher priority shows up the candidate count and minimum are
 * reset. Among those, the channel whose connection has the fewest packets
 * outstanding (conn->sent) wins. @quote then gets that connection's share
 * of the free buffers divided among the channels at the winning priority.
 *
 * Only connections in BT_CONNECTED/BT_CONFIG are considered. Returns the
 * channel, or NULL when nothing is eligible (*quote is left untouched).
 */
static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
				      int *quote)
{
	struct hci_conn_hash *h = &hdev->conn_hash;
	struct hci_chan *chan = NULL;
	/* num/min: candidates and lowest conn->sent at cur_prio */
	unsigned int num = 0, min = ~0, cur_prio = 0;
	struct hci_conn *conn;
	int conn_num = 0;

	BT_DBG("%s", hdev->name);

	rcu_read_lock();

	list_for_each_entry_rcu(conn, &h->list, list) {
		struct hci_chan *tmp;

		if (conn->type != type)
			continue;

		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
			continue;

		conn_num++;

		list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
			struct sk_buff *skb;

			if (skb_queue_empty(&tmp->data_q))
				continue;

			/* Peek without the queue lock: assumes only the TX
			 * work dequeues data_q, so the head just seen stays
			 * valid — TODO confirm no other consumer. */
			skb = skb_peek(&tmp->data_q);
			if (skb->priority < cur_prio)
				continue;

			/* A higher priority restarts the competition */
			if (skb->priority > cur_prio) {
				num = 0;
				min = ~0;
				cur_prio = skb->priority;
			}

			num++;

			if (conn->sent < min) {
				min = conn->sent;
				chan = tmp;
			}
		}

		/* Shortcut once every connection of this type was visited */
		if (hci_conn_num(hdev, type) == conn_num)
			break;
	}

	rcu_read_unlock();

	if (!chan)
		return NULL;

	hci_quote_sent(chan->conn, num, quote);

	BT_DBG("chan %p quote %d", chan, *quote);
	return chan;
}
3511
/* Rebalance channel priorities after a scheduling round on link @type.
 *
 * Channels that got to send (chan->sent != 0) merely have their counter
 * cleared. Channels that have data waiting but were not served get the head
 * skb of their queue promoted to HCI_PRIO_MAX - 1, so they win the priority
 * comparison in the next hci_chan_sent() pass instead of being starved by
 * busier channels. Only BT_CONNECTED/BT_CONFIG connections are visited.
 */
static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn_hash *h = &hdev->conn_hash;
	struct hci_conn *conn;
	int num = 0;

	BT_DBG("%s", hdev->name);

	rcu_read_lock();

	list_for_each_entry_rcu(conn, &h->list, list) {
		struct hci_chan *chan;

		if (conn->type != type)
			continue;

		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
			continue;

		num++;

		list_for_each_entry_rcu(chan, &conn->chan_list, list) {
			struct sk_buff *skb;

			/* Served this round: reset and leave its priority */
			if (chan->sent) {
				chan->sent = 0;
				continue;
			}

			if (skb_queue_empty(&chan->data_q))
				continue;

			/* Starved channel: bump its head frame unless it is
			 * already at the promotion level or above */
			skb = skb_peek(&chan->data_q);
			if (skb->priority >= HCI_PRIO_MAX - 1)
				continue;

			skb->priority = HCI_PRIO_MAX - 1;

			BT_DBG("chan %p skb %p promoted to %d", chan, skb,
			       skb->priority);
		}

		/* Shortcut once every connection of this type was visited */
		if (hci_conn_num(hdev, type) == num)
			break;
	}

	rcu_read_unlock();

}
3561
/* Detect a stalled link of @type before scheduling more traffic.
 *
 * @cnt is the number of free controller buffers for the link's pool. When
 * it is 0 and the last transmission on that link is older than the link's
 * TX timeout, no completion has come back in time and hci_link_tx_to() is
 * invoked to tear down the stalled connections. Link types without a
 * per-type timeout (SCO/eSCO), and unconfigured controllers, are ignored.
 */
static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type)
{
	unsigned long last_tx, budget;

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
		return;

	switch (type) {
	case ACL_LINK:
		/* tx timeout must be longer than maximum link supervision
		 * timeout (40.9 seconds)
		 */
		last_tx = hdev->acl_last_tx;
		budget = HCI_ACL_TX_TIMEOUT;
		break;
	case LE_LINK:
		/* tx timeout must be longer than maximum link supervision
		 * timeout (40.9 seconds)
		 */
		last_tx = hdev->le_last_tx;
		budget = HCI_ACL_TX_TIMEOUT;
		break;
	case CIS_LINK:
	case BIS_LINK:
	case PA_LINK:
		/* tx timeout must be longer than the maximum transport latency
		 * (8.388607 seconds)
		 */
		last_tx = hdev->iso_last_tx;
		budget = HCI_ISO_TX_TIMEOUT;
		break;
	default:
		return;
	}

	/* Buffers still available means the controller is keeping up */
	if (cnt)
		return;

	if (time_after(jiffies, last_tx + budget))
		hci_link_tx_to(hdev, type);
}
3597
3598 /* Schedule SCO */
/* Transmit queued SCO/eSCO frames for link @type.
 *
 * Connections are served in turn via hci_low_sent(); each gets up to
 * @quote frames. The budget is hdev->sco_cnt when the controller does SCO
 * flow control (HCI_SCO_FLOWCTL); otherwise a local copy of hdev->sco_pkts
 * is used, which only caps how many frames go out in one run, and the work
 * is re-queued when that cap was exhausted.
 */
static void hci_sched_sco(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn *conn;
	struct sk_buff *skb;
	int quote, *cnt;
	unsigned int pkts = hdev->sco_pkts;

	bt_dev_dbg(hdev, "type %u", type);

	if (!hci_conn_num(hdev, type) || !pkts)
		return;

	/* Use sco_pkts if flow control has not been enabled which will limit
	 * the amount of buffer sent in a row.
	 */
	if (!hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
		cnt = &pkts;
	else
		cnt = &hdev->sco_cnt;

	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
			BT_DBG("skb %p len %d", skb, skb->len);
			hci_send_conn_frame(hdev, conn, skb);

			/* Keep sent below ~0: hci_low_sent() starts its
			 * minimum at ~0 and selects with '<', so a counter
			 * parked at ~0 would never be picked (presumably the
			 * reason for the reset). */
			conn->sent++;
			if (conn->sent == ~0)
				conn->sent = 0;
			(*cnt)--;
		}
	}

	/* Rescheduled if all packets were sent and flow control is not enabled
	 * as there could be more packets queued that could not be sent and
	 * since no HCI_EV_NUM_COMP_PKTS event will be generated the reschedule
	 * needs to be forced.
	 */
	if (!pkts && !hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
		queue_work(hdev->workqueue, &hdev->tx_work);
}
3639
/* Transmit queued ACL frames while controller ACL buffers are available.
 *
 * Channels are picked by hci_chan_sent(); each gets up to @quote frames,
 * but a channel's burst stops early as soon as a lower-priority frame
 * reaches the head of its queue. After every frame, pending SCO/eSCO
 * traffic is flushed so it is not held behind ACL bursts. If anything was
 * sent, hci_prio_recalculate() rebalances the channel priorities.
 */
static void hci_sched_acl_pkt(struct hci_dev *hdev)
{
	/* Snapshot so we can tell below whether anything went out */
	unsigned int cnt = hdev->acl_cnt;
	struct hci_chan *chan;
	struct sk_buff *skb;
	int quote;

	__check_timeout(hdev, cnt, ACL_LINK);

	while (hdev->acl_cnt &&
	       (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
		/* hci_chan_sent() only returns channels with queued data, so
		 * the head peek here is non-NULL */
		u32 priority = (skb_peek(&chan->data_q))->priority;
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
			       skb->len, skb->priority);

			/* Stop if priority has changed */
			if (skb->priority < priority)
				break;

			skb = skb_dequeue(&chan->data_q);

			/* NOTE(review): presumably brings the link out of a
			 * low-power mode when the frame requests it — see
			 * hci_conn_enter_active_mode() */
			hci_conn_enter_active_mode(chan->conn,
						   bt_cb(skb)->force_active);

			hci_send_conn_frame(hdev, chan->conn, skb);
			hdev->acl_last_tx = jiffies;

			/* One buffer credit consumed; both the channel and
			 * its connection track the frame as outstanding */
			hdev->acl_cnt--;
			chan->sent++;
			chan->conn->sent++;

			/* Send pending SCO packets right away */
			hci_sched_sco(hdev, SCO_LINK);
			hci_sched_sco(hdev, ESCO_LINK);
		}
	}

	if (cnt != hdev->acl_cnt)
		hci_prio_recalculate(hdev, ACL_LINK);
}
3681
/* ACL scheduling entry point: only runs the packet scheduler when at least
 * one ACL link exists on this controller. */
static void hci_sched_acl(struct hci_dev *hdev)
{
	BT_DBG("%s", hdev->name);

	/* Nothing to schedule without an ACL link */
	if (hci_conn_num(hdev, ACL_LINK))
		hci_sched_acl_pkt(hdev);
}
3692
/* Transmit queued LE ACL frames while buffers are available.
 *
 * Mirrors hci_sched_acl_pkt(): channels come from hci_chan_sent(), a burst
 * ends when a lower-priority frame reaches the head of the queue, SCO is
 * flushed after every frame, and priorities are rebalanced if anything was
 * sent. The buffer pool is hdev->le_cnt when the controller reports LE
 * buffers (le_pkts), otherwise the shared ACL pool.
 *
 * NOTE(review): hci_quote_sent() keys the same pool choice on le_mtu rather
 * than le_pkts; both are expected to be set together — confirm.
 */
static void hci_sched_le(struct hci_dev *hdev)
{
	struct hci_chan *chan;
	struct sk_buff *skb;
	int quote, *cnt, tmp;

	BT_DBG("%s", hdev->name);

	if (!hci_conn_num(hdev, LE_LINK))
		return;

	cnt = hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt;

	__check_timeout(hdev, *cnt, LE_LINK);

	/* Snapshot so we can tell below whether anything went out */
	tmp = *cnt;
	while (*cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
		/* hci_chan_sent() only returns channels with queued data */
		u32 priority = (skb_peek(&chan->data_q))->priority;
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
			       skb->len, skb->priority);

			/* Stop if priority has changed */
			if (skb->priority < priority)
				break;

			skb = skb_dequeue(&chan->data_q);

			hci_send_conn_frame(hdev, chan->conn, skb);
			hdev->le_last_tx = jiffies;

			/* One buffer credit consumed; channel and connection
			 * both track the frame as outstanding */
			(*cnt)--;
			chan->sent++;
			chan->conn->sent++;

			/* Send pending SCO packets right away */
			hci_sched_sco(hdev, SCO_LINK);
			hci_sched_sco(hdev, ESCO_LINK);
		}
	}

	if (*cnt != tmp)
		hci_prio_recalculate(hdev, LE_LINK);
}
3737
3738 /* Schedule iso */
/* Transmit queued ISO frames for link @type (CIS, BIS or PA) while ISO
 * buffers are available.
 *
 * Connections are served in turn via hci_low_sent(), each getting up to
 * @quote frames from the shared hdev->iso_cnt pool. Unlike the ACL/LE
 * schedulers there are no per-channel priorities here.
 */
static void hci_sched_iso(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn *conn;
	struct sk_buff *skb;
	int quote, *cnt;

	BT_DBG("%s", hdev->name);

	if (!hci_conn_num(hdev, type))
		return;

	cnt = &hdev->iso_cnt;

	__check_timeout(hdev, *cnt, type);

	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
			BT_DBG("skb %p len %d", skb, skb->len);

			hci_send_conn_frame(hdev, conn, skb);
			hdev->iso_last_tx = jiffies;

			/* Keep sent below ~0, the sentinel hci_low_sent()
			 * starts its minimum at (see hci_sched_sco) */
			conn->sent++;
			if (conn->sent == ~0)
				conn->sent = 0;
			(*cnt)--;
		}
	}
}
3768
/* TX work: run the per-link-type schedulers and flush raw packets.
 *
 * Scheduling order is SCO/eSCO first, then ISO, then ACL and LE, so
 * latency-sensitive traffic gets buffers first. With HCI_USER_CHANNEL set
 * userspace drives the controller directly, so none of the schedulers run
 * and only hdev->raw_q (frames of unknown/raw type) is handed to the driver.
 */
static void hci_tx_work(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
	struct sk_buff *skb;

	BT_DBG("%s acl %d sco %d le %d iso %d", hdev->name, hdev->acl_cnt,
	       hdev->sco_cnt, hdev->le_cnt, hdev->iso_cnt);

	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		/* Schedule queues and send stuff to HCI driver */
		hci_sched_sco(hdev, SCO_LINK);
		hci_sched_sco(hdev, ESCO_LINK);
		hci_sched_iso(hdev, CIS_LINK);
		hci_sched_iso(hdev, BIS_LINK);
		hci_sched_iso(hdev, PA_LINK);
		hci_sched_acl(hdev);
		hci_sched_le(hdev);
	}

	/* Send next queued raw (unknown type) packet */
	while ((skb = skb_dequeue(&hdev->raw_q)))
		hci_send_frame(hdev, skb);
}
3792
3793 /* ----- HCI RX task (incoming data processing) ----- */
3794
3795 /* ACL data packet */
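/* Handle one inbound ACL data packet from the controller.
 *
 * The ACL header is pulled with skb_pull_data(), which returns NULL when
 * the frame is shorter than the header, so a truncated frame from a buggy
 * or hostile controller is dropped before any field is read. The handle
 * word is split into the 12-bit connection handle and the PB/BC flags and
 * the payload is passed to L2CAP, which takes ownership of @skb.
 *
 * Fix: the "unknown connection handle" error is now rate-limited, matching
 * the SCO and ISO receive paths; data for stale handles can arrive in bulk
 * (e.g. right after a disconnect) and must not be able to flood the log.
 */
static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_acl_hdr *hdr;
	__u16 handle, flags;
	int err;

	hdr = skb_pull_data(skb, sizeof(*hdr));
	if (!hdr) {
		bt_dev_err(hdev, "ACL packet too small");
		kfree_skb(skb);
		return;
	}

	/* Handle word = 12-bit handle + flags in the upper bits */
	handle = __le16_to_cpu(hdr->handle);
	flags = hci_flags(handle);
	handle = hci_handle(handle);

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
		   handle, flags);

	hdev->stat.acl_rx++;

	err = l2cap_recv_acldata(hdev, handle, skb, flags);
	if (err == -ENOENT)
		bt_dev_err_ratelimited(hdev, "ACL packet for unknown connection handle %d",
				       handle);
	else if (err)
		bt_dev_dbg(hdev, "ACL packet recv for handle %d failed: %d",
			   handle, err);
}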
3826
3827 /* SCO data packet */
/* Handle one inbound SCO data packet from the controller.
 *
 * skb_pull_data() yields NULL when fewer than sizeof(*hdr) bytes are
 * present, so a truncated frame is dropped before the header is decoded.
 * The handle word is split into connection handle and flags; the low two
 * flag bits are stored as the packet status in the skb control block for
 * the SCO layer, which takes ownership of @skb.
 */
static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_sco_hdr *hdr = skb_pull_data(skb, sizeof(*hdr));
	__u16 raw, handle, flags;
	int err;

	if (!hdr) {
		bt_dev_err(hdev, "SCO packet too small");
		kfree_skb(skb);
		return;
	}

	raw = __le16_to_cpu(hdr->handle);
	handle = hci_handle(raw);
	flags = hci_flags(raw);

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
		   handle, flags);

	hdev->stat.sco_rx++;

	/* Low two flag bits carry the packet status; pass them along */
	hci_skb_pkt_status(skb) = flags & 0x03;

	err = sco_recv_scodata(hdev, handle, skb);
	switch (err) {
	case 0:
		break;
	case -ENOENT:
		/* Rate-limited: a stream for a stale handle would otherwise
		 * flood the log */
		bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d",
				       handle);
		break;
	default:
		bt_dev_dbg(hdev, "SCO packet recv for handle %d failed: %d",
			   handle, err);
	}
}
3860
/* Handle one inbound ISO data packet from the controller.
 *
 * skb_pull_data() yields NULL when fewer than sizeof(*hdr) bytes are
 * present, so a truncated frame is dropped before the header is decoded.
 * The handle word is split into connection handle and PB/TS flags and the
 * payload is passed to the ISO layer, which takes ownership of @skb.
 */
static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_iso_hdr *hdr = skb_pull_data(skb, sizeof(*hdr));
	__u16 raw, handle, flags;
	int err;

	if (!hdr) {
		bt_dev_err(hdev, "ISO packet too small");
		kfree_skb(skb);
		return;
	}

	raw = __le16_to_cpu(hdr->handle);
	handle = hci_handle(raw);
	flags = hci_flags(raw);

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
		   handle, flags);

	err = iso_recv(hdev, handle, skb, flags);
	switch (err) {
	case 0:
		break;
	case -ENOENT:
		/* Rate-limited: a stream for a stale handle would otherwise
		 * flood the log */
		bt_dev_err_ratelimited(hdev, "ISO packet for unknown connection handle %d",
				       handle);
		break;
	default:
		bt_dev_dbg(hdev, "ISO packet recv for handle %d failed: %d",
			   handle, err);
	}
}
3889
/* Tell whether the request currently being sent has no further commands.
 *
 * Commands of one request sit back to back in hdev->cmd_q; the first
 * command of each request is tagged HCI_REQ_START. So the current request
 * is complete when the queue is empty or when the next queued command
 * starts a new request.
 */
static bool hci_req_is_complete(struct hci_dev *hdev)
{
	struct sk_buff *next = skb_peek(&hdev->cmd_q);

	return !next || (bt_cb(next)->hci.req_flags & HCI_REQ_START);
}
3900
/* Re-queue the last command that was sent (hdev->sent_cmd) at the head of
 * the command queue and kick the command work.
 *
 * Used by hci_req_cmd_complete() when a controller answered with a
 * spontaneous reset-complete during init, leaving the real in-flight command
 * unanswered. A reset itself is never replayed. Allocation failure of the
 * clone is silently ignored (best effort); nothing is done when no command
 * has been sent yet.
 */
static void hci_resend_last(struct hci_dev *hdev)
{
	struct sk_buff *last = hdev->sent_cmd, *copy;
	struct hci_command_hdr *hdr;

	if (!last)
		return;

	hdr = (void *)last->data;
	if (__le16_to_cpu(hdr->opcode) == HCI_OP_RESET)
		return;

	copy = skb_clone(last, GFP_KERNEL);
	if (!copy)
		return;

	skb_queue_head(&hdev->cmd_q, copy);
	queue_work(hdev->workqueue, &hdev->cmd_work);
}
3922
/* Match a command-complete/command-status event against the request in
 * flight and find the completion callback to run, if any.
 *
 * @opcode/@status: the command the controller just reported on.
 * @req_complete, @req_complete_skb: out-parameters for the request's
 *   completion callback (plain or skb-taking variant). They are filled in
 *   only when the request that owned the command is now finished and
 *   registered a callback; otherwise they are left untouched.
 *
 * Events that do not match hdev->sent_cmd are ignored, except for the
 * spontaneous reset-complete some controllers emit during init, which
 * causes the last command to be resent.
 */
void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
			  hci_req_complete_t *req_complete,
			  hci_req_complete_skb_t *req_complete_skb)
{
	struct sk_buff *skb;
	unsigned long flags;

	BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);

	/* If the completed command doesn't match the last one that was
	 * sent we need to do special handling of it.
	 */
	if (!hci_sent_cmd_data(hdev, opcode)) {
		/* Some CSR based controllers generate a spontaneous
		 * reset complete event during init and any pending
		 * command will never be completed. In such a case we
		 * need to resend whatever was the last sent
		 * command.
		 */
		if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
			hci_resend_last(hdev);

		return;
	}

	/* If we reach this point this event matches the last command sent */
	hci_dev_clear_flag(hdev, HCI_CMD_PENDING);

	/* If the command succeeded and there's still more commands in
	 * this request the request is not yet complete.
	 */
	if (!status && !hci_req_is_complete(hdev))
		return;

	skb = hdev->req_skb;

	/* If this was the last command in a request the complete
	 * callback would be found in hdev->req_skb instead of the
	 * command queue (hdev->cmd_q).
	 */
	if (skb && bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) {
		*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
		return;
	}

	if (skb && bt_cb(skb)->hci.req_complete) {
		*req_complete = bt_cb(skb)->hci.req_complete;
		return;
	}

	/* Remove all pending commands belonging to this request */
	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
	while ((skb = __skb_dequeue(&hdev->cmd_q))) {
		/* The next request's first command stays queued: put it back
		 * and stop */
		if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
			__skb_queue_head(&hdev->cmd_q, skb);
			break;
		}

		/* A failed request is abandoned: its remaining commands are
		 * discarded but their callback is still reported (the last
		 * one seen wins) */
		if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
			*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
		else
			*req_complete = bt_cb(skb)->hci.req_complete;
		dev_kfree_skb_irq(skb);
	}
	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
}
3989
/* RX work: drain hdev->rx_q and dispatch each frame by HCI packet type.
 *
 * Every frame is first copied to the monitor (hci_send_to_monitor) and, in
 * promiscuous mode, to the HCI sockets (hci_send_to_sock). With
 * HCI_USER_CHANNEL set userspace owns the device, so frames are dropped
 * here unless the device is still in HCI_INIT, whose setup needs to see its
 * events. During HCI_INIT data packets are discarded and only events are
 * processed. Frames of unknown type are freed.
 */
static void hci_rx_work(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
	struct sk_buff *skb;

	BT_DBG("%s", hdev->name);

	/* The kcov_remote functions are used for collecting packet parsing
	 * coverage information from this background thread and associating
	 * the coverage with the syscall's thread which originally injected
	 * the packet. This helps fuzzing the kernel.
	 */
	for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
		kcov_remote_start_common(skb_get_kcov_handle(skb));

		/* Send copy to monitor */
		hci_send_to_monitor(hdev, skb);

		if (atomic_read(&hdev->promisc)) {
			/* Send copy to the sockets */
			hci_send_to_sock(hdev, skb);
		}

		/* If the device has been opened in HCI_USER_CHANNEL,
		 * the userspace has exclusive access to device.
		 * When device is HCI_INIT, we still need to process
		 * the data packets to the driver in order
		 * to complete its setup().
		 */
		if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
		    !test_bit(HCI_INIT, &hdev->flags)) {
			kfree_skb(skb);
			continue;
		}

		if (test_bit(HCI_INIT, &hdev->flags)) {
			/* Don't process data packets in this state; events
			 * fall through to the dispatch below. */
			switch (hci_skb_pkt_type(skb)) {
			case HCI_ACLDATA_PKT:
			case HCI_SCODATA_PKT:
			case HCI_ISODATA_PKT:
				kfree_skb(skb);
				continue;
			}
		}

		/* Process frame; each handler takes ownership of skb */
		switch (hci_skb_pkt_type(skb)) {
		case HCI_EVENT_PKT:
			BT_DBG("%s Event packet", hdev->name);
			hci_event_packet(hdev, skb);
			break;

		case HCI_ACLDATA_PKT:
			BT_DBG("%s ACL data packet", hdev->name);
			hci_acldata_packet(hdev, skb);
			break;

		case HCI_SCODATA_PKT:
			BT_DBG("%s SCO data packet", hdev->name);
			hci_scodata_packet(hdev, skb);
			break;

		case HCI_ISODATA_PKT:
			BT_DBG("%s ISO data packet", hdev->name);
			hci_isodata_packet(hdev, skb);
			break;

		default:
			kfree_skb(skb);
			break;
		}
	}
}
4064
/* Hand one dequeued HCI command to the driver and record it as the command
 * in flight.
 *
 * hdev->sent_cmd is replaced by a clone of @skb so completion events can be
 * matched against it later (hci_req_cmd_complete). If the clone cannot be
 * allocated, @skb is put back at the head of cmd_q, the command work is
 * re-queued and -EINVAL is returned.
 *
 * HCI_OP_NOP is never sent to the controller: @skb is freed and -ENODATA
 * returned. For any other opcode a driver send failure cancels the pending
 * synchronous command with that error; a successful send consumes one
 * command credit (cmd_cnt).
 *
 * Returns 0 on success or a negative error code.
 */
static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
{
	int err;

	bt_dev_dbg(hdev, "skb %p", skb);

	/* Drop the previous in-flight command before recording this one */
	kfree_skb(hdev->sent_cmd);

	hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
	if (!hdev->sent_cmd) {
		skb_queue_head(&hdev->cmd_q, skb);
		queue_work(hdev->workqueue, &hdev->cmd_work);
		return -EINVAL;
	}

	if (hci_skb_opcode(skb) != HCI_OP_NOP) {
		/* NOTE(review): hci_send_frame() is assumed to consume skb
		 * on both success and failure — confirm against its contract */
		err = hci_send_frame(hdev, skb);
		if (err < 0) {
			hci_cmd_sync_cancel_sync(hdev, -err);
			return err;
		}
		atomic_dec(&hdev->cmd_cnt);
	} else {
		err = -ENODATA;
		kfree_skb(skb);
	}

	/* The first command sent while a synchronous request is pending
	 * becomes hdev->req_skb, so hci_req_cmd_complete() can find the
	 * request's completion callback; HCI_CMD_PENDING is cleared there. */
	if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND &&
	    !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
		kfree_skb(hdev->req_skb);
		hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
	}

	return err;
}
4100
/* Command work: send at most one queued HCI command per invocation.
 *
 * A command is only dequeued when the controller has a command credit
 * (cmd_cnt != 0). After a successful send the command timer is armed with
 * HCI_CMD_TIMEOUT, unless a reset is in progress or the command workqueue
 * is being drained, in which case a pending timer is cancelled instead.
 * On any send error from hci_send_cmd_sync() (including the NOP case) the
 * timer is left alone.
 */
static void hci_cmd_work(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
	struct sk_buff *skb;
	int err;

	BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
	       atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));

	/* Send queued commands */
	if (atomic_read(&hdev->cmd_cnt)) {
		skb = skb_dequeue(&hdev->cmd_q);
		if (!skb)
			return;

		err = hci_send_cmd_sync(hdev, skb);
		if (err)
			return;

		/* NOTE(review): the RCU read section presumably pairs with
		 * an RCU-protected update on the reset/drain side; its exact
		 * purpose is not visible here — confirm before changing. */
		rcu_read_lock();
		if (test_bit(HCI_RESET, &hdev->flags) ||
		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
			cancel_delayed_work(&hdev->cmd_timer);
		else
			queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
					   HCI_CMD_TIMEOUT);
		rcu_read_unlock();
	}
}
4130