1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2011 ProFUSION Embedded Systems 5 6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License version 2 as 10 published by the Free Software Foundation; 11 12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 23 SOFTWARE IS DISCLAIMED. 24 */ 25 26 /* Bluetooth HCI core. */ 27 28 #include <linux/export.h> 29 #include <linux/rfkill.h> 30 #include <linux/debugfs.h> 31 #include <linux/crypto.h> 32 #include <linux/kcov.h> 33 #include <linux/property.h> 34 #include <linux/suspend.h> 35 #include <linux/wait.h> 36 #include <asm/unaligned.h> 37 38 #include <net/bluetooth/bluetooth.h> 39 #include <net/bluetooth/hci_core.h> 40 #include <net/bluetooth/l2cap.h> 41 #include <net/bluetooth/mgmt.h> 42 43 #include "hci_request.h" 44 #include "hci_debugfs.h" 45 #include "smp.h" 46 #include "leds.h" 47 #include "msft.h" 48 #include "aosp.h" 49 #include "hci_codec.h" 50 51 static void hci_rx_work(struct work_struct *work); 52 static void hci_cmd_work(struct work_struct *work); 53 static void hci_tx_work(struct work_struct *work); 54 55 /* HCI device list */ 56 LIST_HEAD(hci_dev_list); 57 DEFINE_RWLOCK(hci_dev_list_lock); 58 59 /* HCI callback list */ 60 LIST_HEAD(hci_cb_list); 61 DEFINE_MUTEX(hci_cb_list_lock); 62 63 /* HCI ID Numbering */ 64 static DEFINE_IDA(hci_index_ida); 65 66 static int hci_scan_req(struct hci_request *req, unsigned long opt) 67 { 68 __u8 scan = opt; 69 70 BT_DBG("%s %x", req->hdev->name, scan); 71 72 /* Inquiry and Page scans */ 73 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan); 74 return 0; 75 } 76 77 static int hci_auth_req(struct hci_request *req, unsigned long opt) 78 { 79 __u8 auth = opt; 80 81 BT_DBG("%s %x", req->hdev->name, auth); 82 83 /* Authentication */ 84 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth); 85 return 0; 86 } 87 88 static int hci_encrypt_req(struct hci_request *req, unsigned long opt) 89 { 90 __u8 encrypt = opt; 91 92 BT_DBG("%s %x", req->hdev->name, encrypt); 93 94 /* Encryption */ 95 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt); 96 return 0; 97 } 98 99 static int hci_linkpol_req(struct hci_request *req, unsigned long opt) 100 { 101 __le16 policy = cpu_to_le16(opt); 102 103 BT_DBG("%s %x", req->hdev->name, policy); 104 105 /* Default link policy */ 106 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy); 107 return 0; 108 } 109 110 /* Get HCI device by index. 111 * Device is held on return. */ 112 struct hci_dev *hci_dev_get(int index) 113 { 114 struct hci_dev *hdev = NULL, *d; 115 116 BT_DBG("%d", index); 117 118 if (index < 0) 119 return NULL; 120 121 read_lock(&hci_dev_list_lock); 122 list_for_each_entry(d, &hci_dev_list, list) { 123 if (d->id == index) { 124 hdev = hci_dev_hold(d); 125 break; 126 } 127 } 128 read_unlock(&hci_dev_list_lock); 129 return hdev; 130 } 131 132 /* ---- Inquiry support ---- */ 133 134 bool hci_discovery_active(struct hci_dev *hdev) 135 { 136 struct discovery_state *discov = &hdev->discovery; 137 138 switch (discov->state) { 139 case DISCOVERY_FINDING: 140 case DISCOVERY_RESOLVING: 141 return true; 142 143 default: 144 return false; 145 } 146 } 147 148 void hci_discovery_set_state(struct hci_dev *hdev, int state) 149 { 150 int old_state = hdev->discovery.state; 151 152 if (old_state == state) 153 return; 154 155 hdev->discovery.state = state; 156 157 switch (state) { 158 case DISCOVERY_STOPPED: 159 hci_update_passive_scan(hdev); 160 161 if (old_state != DISCOVERY_STARTING) 162 mgmt_discovering(hdev, 0); 163 break; 164 case DISCOVERY_STARTING: 165 break; 166 case DISCOVERY_FINDING: 167 /* If discovery was not started then it was initiated by the 168 * MGMT interface so no MGMT event shall be generated either 169 */ 170 if (old_state != DISCOVERY_STARTING) { 171 hdev->discovery.state = old_state; 172 return; 173 } 174 mgmt_discovering(hdev, 1); 175 break; 176 case DISCOVERY_RESOLVING: 177 break; 178 case DISCOVERY_STOPPING: 179 break; 180 } 181 182 bt_dev_dbg(hdev, "state %u -> %u", old_state, state); 183 } 184 185 void hci_inquiry_cache_flush(struct hci_dev *hdev) 186 { 187 struct discovery_state *cache = &hdev->discovery; 188 struct inquiry_entry *p, *n; 189 190 list_for_each_entry_safe(p, n, &cache->all, all) { 191 list_del(&p->all); 192 kfree(p); 193 } 194 195 INIT_LIST_HEAD(&cache->unknown); 196 INIT_LIST_HEAD(&cache->resolve); 197 } 198 199 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev, 200 bdaddr_t *bdaddr) 201 { 202 struct discovery_state *cache = &hdev->discovery; 203 struct inquiry_entry *e; 204 205 BT_DBG("cache %p, %pMR", cache, bdaddr); 206 207 list_for_each_entry(e, &cache->all, all) { 208 if (!bacmp(&e->data.bdaddr, bdaddr)) 209 return e; 210 } 211 212 return NULL; 213 } 214 215 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev, 216 bdaddr_t *bdaddr) 217 { 218 struct discovery_state *cache = &hdev->discovery; 219 struct inquiry_entry *e; 220 221 BT_DBG("cache %p, %pMR", cache, bdaddr); 222 223 list_for_each_entry(e, &cache->unknown, list) { 224 if (!bacmp(&e->data.bdaddr, bdaddr)) 225 return e; 226 } 227 228 return NULL; 229 } 230 231 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev, 232 bdaddr_t *bdaddr, 233 int state) 234 { 235 struct discovery_state *cache = &hdev->discovery; 236 struct inquiry_entry *e; 237 238 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state); 239 240 list_for_each_entry(e, &cache->resolve, list) { 241 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state) 242 return e; 243 if (!bacmp(&e->data.bdaddr, bdaddr)) 244 return e; 245 } 246 247 return NULL; 248 } 249 250 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev, 251 struct inquiry_entry *ie) 252 { 253 struct discovery_state *cache = &hdev->discovery; 254 struct list_head *pos = &cache->resolve; 255 struct inquiry_entry *p; 256 257 list_del(&ie->list); 258 259 list_for_each_entry(p, &cache->resolve, list) { 260 if (p->name_state != NAME_PENDING && 261 abs(p->data.rssi) >= abs(ie->data.rssi)) 262 break; 263 pos = &p->list; 264 } 265 266 list_add(&ie->list, pos); 267 } 268 269 u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data, 270 bool name_known) 271 { 272 struct discovery_state *cache = &hdev->discovery; 273 struct inquiry_entry *ie; 274 u32 flags = 0; 275 276 BT_DBG("cache %p, %pMR", cache, &data->bdaddr); 277 278 hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR); 279 280 if (!data->ssp_mode) 281 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING; 282 283 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr); 284 if (ie) { 285 if (!ie->data.ssp_mode) 286 flags |= MGMT_DEV_FOUND_LEGACY_PAIRING; 287 288 if (ie->name_state == NAME_NEEDED && 289 data->rssi != ie->data.rssi) { 290 ie->data.rssi = data->rssi; 291 hci_inquiry_cache_update_resolve(hdev, ie); 292 } 293 294 goto update; 295 } 296 297 /* Entry not in the cache. Add new one. */ 298 ie = kzalloc(sizeof(*ie), GFP_KERNEL); 299 if (!ie) { 300 flags |= MGMT_DEV_FOUND_CONFIRM_NAME; 301 goto done; 302 } 303 304 list_add(&ie->all, &cache->all); 305 306 if (name_known) { 307 ie->name_state = NAME_KNOWN; 308 } else { 309 ie->name_state = NAME_NOT_KNOWN; 310 list_add(&ie->list, &cache->unknown); 311 } 312 313 update: 314 if (name_known && ie->name_state != NAME_KNOWN && 315 ie->name_state != NAME_PENDING) { 316 ie->name_state = NAME_KNOWN; 317 list_del(&ie->list); 318 } 319 320 memcpy(&ie->data, data, sizeof(*data)); 321 ie->timestamp = jiffies; 322 cache->timestamp = jiffies; 323 324 if (ie->name_state == NAME_NOT_KNOWN) 325 flags |= MGMT_DEV_FOUND_CONFIRM_NAME; 326 327 done: 328 return flags; 329 } 330 331 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf) 332 { 333 struct discovery_state *cache = &hdev->discovery; 334 struct inquiry_info *info = (struct inquiry_info *) buf; 335 struct inquiry_entry *e; 336 int copied = 0; 337 338 list_for_each_entry(e, &cache->all, all) { 339 struct inquiry_data *data = &e->data; 340 341 if (copied >= num) 342 break; 343 344 bacpy(&info->bdaddr, &data->bdaddr); 345 info->pscan_rep_mode = data->pscan_rep_mode; 346 info->pscan_period_mode = data->pscan_period_mode; 347 info->pscan_mode = data->pscan_mode; 348 memcpy(info->dev_class, data->dev_class, 3); 349 info->clock_offset = data->clock_offset; 350 351 info++; 352 copied++; 353 } 354 355 BT_DBG("cache %p, copied %d", cache, copied); 356 return copied; 357 } 358 359 static int hci_inq_req(struct hci_request *req, unsigned long opt) 360 { 361 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt; 362 struct hci_dev *hdev = req->hdev; 363 struct hci_cp_inquiry cp; 364 365 BT_DBG("%s", hdev->name); 366 367 if (test_bit(HCI_INQUIRY, &hdev->flags)) 368 return 0; 369 370 /* Start Inquiry */ 371 memcpy(&cp.lap, &ir->lap, 3); 372 cp.length = ir->length; 373 cp.num_rsp = ir->num_rsp; 374 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp); 375 376 return 0; 377 } 378 379 int hci_inquiry(void __user *arg) 380 { 381 __u8 __user *ptr = arg; 382 struct hci_inquiry_req ir; 383 struct hci_dev *hdev; 384 int err = 0, do_inquiry = 0, max_rsp; 385 long timeo; 386 __u8 *buf; 387 388 if (copy_from_user(&ir, ptr, sizeof(ir))) 389 return -EFAULT; 390 391 hdev = hci_dev_get(ir.dev_id); 392 if (!hdev) 393 return -ENODEV; 394 395 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 396 err = -EBUSY; 397 goto done; 398 } 399 400 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { 401 err = -EOPNOTSUPP; 402 goto done; 403 } 404 405 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 406 err = -EOPNOTSUPP; 407 goto done; 408 } 409 410 /* Restrict maximum inquiry length to 60 seconds */ 411 if (ir.length > 60) { 412 err = -EINVAL; 413 goto done; 414 } 415 416 hci_dev_lock(hdev); 417 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || 418 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) { 419 hci_inquiry_cache_flush(hdev); 420 do_inquiry = 1; 421 } 422 hci_dev_unlock(hdev); 423 424 timeo = ir.length * msecs_to_jiffies(2000); 425 426 if (do_inquiry) { 427 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir, 428 timeo, NULL); 429 if (err < 0) 430 goto done; 431 432 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is 433 * cleared). If it is interrupted by a signal, return -EINTR. 434 */ 435 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, 436 TASK_INTERRUPTIBLE)) { 437 err = -EINTR; 438 goto done; 439 } 440 } 441 442 /* for unlimited number of responses we will use buffer with 443 * 255 entries 444 */ 445 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp; 446 447 /* cache_dump can't sleep. Therefore we allocate temp buffer and then 448 * copy it to the user space. 449 */ 450 buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL); 451 if (!buf) { 452 err = -ENOMEM; 453 goto done; 454 } 455 456 hci_dev_lock(hdev); 457 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf); 458 hci_dev_unlock(hdev); 459 460 BT_DBG("num_rsp %d", ir.num_rsp); 461 462 if (!copy_to_user(ptr, &ir, sizeof(ir))) { 463 ptr += sizeof(ir); 464 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) * 465 ir.num_rsp)) 466 err = -EFAULT; 467 } else 468 err = -EFAULT; 469 470 kfree(buf); 471 472 done: 473 hci_dev_put(hdev); 474 return err; 475 } 476 477 static int hci_dev_do_open(struct hci_dev *hdev) 478 { 479 int ret = 0; 480 481 BT_DBG("%s %p", hdev->name, hdev); 482 483 hci_req_sync_lock(hdev); 484 485 ret = hci_dev_open_sync(hdev); 486 487 hci_req_sync_unlock(hdev); 488 return ret; 489 } 490 491 /* ---- HCI ioctl helpers ---- */ 492 493 int hci_dev_open(__u16 dev) 494 { 495 struct hci_dev *hdev; 496 int err; 497 498 hdev = hci_dev_get(dev); 499 if (!hdev) 500 return -ENODEV; 501 502 /* Devices that are marked as unconfigured can only be powered 503 * up as user channel. Trying to bring them up as normal devices 504 * will result into a failure. Only user channel operation is 505 * possible. 506 * 507 * When this function is called for a user channel, the flag 508 * HCI_USER_CHANNEL will be set first before attempting to 509 * open the device. 510 */ 511 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) && 512 !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 513 err = -EOPNOTSUPP; 514 goto done; 515 } 516 517 /* We need to ensure that no other power on/off work is pending 518 * before proceeding to call hci_dev_do_open. This is 519 * particularly important if the setup procedure has not yet 520 * completed. 521 */ 522 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) 523 cancel_delayed_work(&hdev->power_off); 524 525 /* After this call it is guaranteed that the setup procedure 526 * has finished. This means that error conditions like RFKILL 527 * or no valid public or static random address apply. 528 */ 529 flush_workqueue(hdev->req_workqueue); 530 531 /* For controllers not using the management interface and that 532 * are brought up using legacy ioctl, set the HCI_BONDABLE bit 533 * so that pairing works for them. Once the management interface 534 * is in use this bit will be cleared again and userspace has 535 * to explicitly enable it. 536 */ 537 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && 538 !hci_dev_test_flag(hdev, HCI_MGMT)) 539 hci_dev_set_flag(hdev, HCI_BONDABLE); 540 541 err = hci_dev_do_open(hdev); 542 543 done: 544 hci_dev_put(hdev); 545 return err; 546 } 547 548 int hci_dev_do_close(struct hci_dev *hdev) 549 { 550 int err; 551 552 BT_DBG("%s %p", hdev->name, hdev); 553 554 hci_req_sync_lock(hdev); 555 556 err = hci_dev_close_sync(hdev); 557 558 hci_req_sync_unlock(hdev); 559 560 return err; 561 } 562 563 int hci_dev_close(__u16 dev) 564 { 565 struct hci_dev *hdev; 566 int err; 567 568 hdev = hci_dev_get(dev); 569 if (!hdev) 570 return -ENODEV; 571 572 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 573 err = -EBUSY; 574 goto done; 575 } 576 577 cancel_work_sync(&hdev->power_on); 578 if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) 579 cancel_delayed_work(&hdev->power_off); 580 581 err = hci_dev_do_close(hdev); 582 583 done: 584 hci_dev_put(hdev); 585 return err; 586 } 587 588 static int hci_dev_do_reset(struct hci_dev *hdev) 589 { 590 int ret; 591 592 BT_DBG("%s %p", hdev->name, hdev); 593 594 hci_req_sync_lock(hdev); 595 596 /* Drop queues */ 597 skb_queue_purge(&hdev->rx_q); 598 skb_queue_purge(&hdev->cmd_q); 599 600 /* Cancel these to avoid queueing non-chained pending work */ 601 hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE); 602 /* Wait for 603 * 604 * if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 605 * queue_delayed_work(&hdev->{cmd,ncmd}_timer) 606 * 607 * inside RCU section to see the flag or complete scheduling. 608 */ 609 synchronize_rcu(); 610 /* Explicitly cancel works in case scheduled after setting the flag. */ 611 cancel_delayed_work(&hdev->cmd_timer); 612 cancel_delayed_work(&hdev->ncmd_timer); 613 614 /* Avoid potential lockdep warnings from the *_flush() calls by 615 * ensuring the workqueue is empty up front. 616 */ 617 drain_workqueue(hdev->workqueue); 618 619 hci_dev_lock(hdev); 620 hci_inquiry_cache_flush(hdev); 621 hci_conn_hash_flush(hdev); 622 hci_dev_unlock(hdev); 623 624 if (hdev->flush) 625 hdev->flush(hdev); 626 627 hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE); 628 629 atomic_set(&hdev->cmd_cnt, 1); 630 hdev->acl_cnt = 0; 631 hdev->sco_cnt = 0; 632 hdev->le_cnt = 0; 633 hdev->iso_cnt = 0; 634 635 ret = hci_reset_sync(hdev); 636 637 hci_req_sync_unlock(hdev); 638 return ret; 639 } 640 641 int hci_dev_reset(__u16 dev) 642 { 643 struct hci_dev *hdev; 644 int err; 645 646 hdev = hci_dev_get(dev); 647 if (!hdev) 648 return -ENODEV; 649 650 if (!test_bit(HCI_UP, &hdev->flags)) { 651 err = -ENETDOWN; 652 goto done; 653 } 654 655 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 656 err = -EBUSY; 657 goto done; 658 } 659 660 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { 661 err = -EOPNOTSUPP; 662 goto done; 663 } 664 665 err = hci_dev_do_reset(hdev); 666 667 done: 668 hci_dev_put(hdev); 669 return err; 670 } 671 672 int hci_dev_reset_stat(__u16 dev) 673 { 674 struct hci_dev *hdev; 675 int ret = 0; 676 677 hdev = hci_dev_get(dev); 678 if (!hdev) 679 return -ENODEV; 680 681 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 682 ret = -EBUSY; 683 goto done; 684 } 685 686 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { 687 ret = -EOPNOTSUPP; 688 goto done; 689 } 690 691 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats)); 692 693 done: 694 hci_dev_put(hdev); 695 return ret; 696 } 697 698 static void hci_update_passive_scan_state(struct hci_dev *hdev, u8 scan) 699 { 700 bool conn_changed, discov_changed; 701 702 BT_DBG("%s scan 0x%02x", hdev->name, scan); 703 704 if ((scan & SCAN_PAGE)) 705 conn_changed = !hci_dev_test_and_set_flag(hdev, 706 HCI_CONNECTABLE); 707 else 708 conn_changed = hci_dev_test_and_clear_flag(hdev, 709 HCI_CONNECTABLE); 710 711 if ((scan & SCAN_INQUIRY)) { 712 discov_changed = !hci_dev_test_and_set_flag(hdev, 713 HCI_DISCOVERABLE); 714 } else { 715 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE); 716 discov_changed = hci_dev_test_and_clear_flag(hdev, 717 HCI_DISCOVERABLE); 718 } 719 720 if (!hci_dev_test_flag(hdev, HCI_MGMT)) 721 return; 722 723 if (conn_changed || discov_changed) { 724 /* In case this was disabled through mgmt */ 725 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED); 726 727 if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 728 hci_update_adv_data(hdev, hdev->cur_adv_instance); 729 730 mgmt_new_settings(hdev); 731 } 732 } 733 734 int hci_dev_cmd(unsigned int cmd, void __user *arg) 735 { 736 struct hci_dev *hdev; 737 struct hci_dev_req dr; 738 int err = 0; 739 740 if (copy_from_user(&dr, arg, sizeof(dr))) 741 return -EFAULT; 742 743 hdev = hci_dev_get(dr.dev_id); 744 if (!hdev) 745 return -ENODEV; 746 747 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 748 err = -EBUSY; 749 goto done; 750 } 751 752 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { 753 err = -EOPNOTSUPP; 754 goto done; 755 } 756 757 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) { 758 err = -EOPNOTSUPP; 759 goto done; 760 } 761 762 switch (cmd) { 763 case HCISETAUTH: 764 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt, 765 HCI_INIT_TIMEOUT, NULL); 766 break; 767 768 case HCISETENCRYPT: 769 if (!lmp_encrypt_capable(hdev)) { 770 err = -EOPNOTSUPP; 771 break; 772 } 773 774 if (!test_bit(HCI_AUTH, &hdev->flags)) { 775 /* Auth must be enabled first */ 776 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt, 777 HCI_INIT_TIMEOUT, NULL); 778 if (err) 779 break; 780 } 781 782 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt, 783 HCI_INIT_TIMEOUT, NULL); 784 break; 785 786 case HCISETSCAN: 787 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt, 788 HCI_INIT_TIMEOUT, NULL); 789 790 /* Ensure that the connectable and discoverable states 791 * get correctly modified as this was a non-mgmt change. 792 */ 793 if (!err) 794 hci_update_passive_scan_state(hdev, dr.dev_opt); 795 break; 796 797 case HCISETLINKPOL: 798 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt, 799 HCI_INIT_TIMEOUT, NULL); 800 break; 801 802 case HCISETLINKMODE: 803 hdev->link_mode = ((__u16) dr.dev_opt) & 804 (HCI_LM_MASTER | HCI_LM_ACCEPT); 805 break; 806 807 case HCISETPTYPE: 808 if (hdev->pkt_type == (__u16) dr.dev_opt) 809 break; 810 811 hdev->pkt_type = (__u16) dr.dev_opt; 812 mgmt_phy_configuration_changed(hdev, NULL); 813 break; 814 815 case HCISETACLMTU: 816 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1); 817 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0); 818 break; 819 820 case HCISETSCOMTU: 821 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1); 822 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0); 823 break; 824 825 default: 826 err = -EINVAL; 827 break; 828 } 829 830 done: 831 hci_dev_put(hdev); 832 return err; 833 } 834 835 int hci_get_dev_list(void __user *arg) 836 { 837 struct hci_dev *hdev; 838 struct hci_dev_list_req *dl; 839 struct hci_dev_req *dr; 840 int n = 0, size, err; 841 __u16 dev_num; 842 843 if (get_user(dev_num, (__u16 __user *) arg)) 844 return -EFAULT; 845 846 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr)) 847 return -EINVAL; 848 849 size = sizeof(*dl) + dev_num * sizeof(*dr); 850 851 dl = kzalloc(size, GFP_KERNEL); 852 if (!dl) 853 return -ENOMEM; 854 855 dr = dl->dev_req; 856 857 read_lock(&hci_dev_list_lock); 858 list_for_each_entry(hdev, &hci_dev_list, list) { 859 unsigned long flags = hdev->flags; 860 861 /* When the auto-off is configured it means the transport 862 * is running, but in that case still indicate that the 863 * device is actually down. 864 */ 865 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) 866 flags &= ~BIT(HCI_UP); 867 868 (dr + n)->dev_id = hdev->id; 869 (dr + n)->dev_opt = flags; 870 871 if (++n >= dev_num) 872 break; 873 } 874 read_unlock(&hci_dev_list_lock); 875 876 dl->dev_num = n; 877 size = sizeof(*dl) + n * sizeof(*dr); 878 879 err = copy_to_user(arg, dl, size); 880 kfree(dl); 881 882 return err ? -EFAULT : 0; 883 } 884 885 int hci_get_dev_info(void __user *arg) 886 { 887 struct hci_dev *hdev; 888 struct hci_dev_info di; 889 unsigned long flags; 890 int err = 0; 891 892 if (copy_from_user(&di, arg, sizeof(di))) 893 return -EFAULT; 894 895 hdev = hci_dev_get(di.dev_id); 896 if (!hdev) 897 return -ENODEV; 898 899 /* When the auto-off is configured it means the transport 900 * is running, but in that case still indicate that the 901 * device is actually down. 902 */ 903 if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) 904 flags = hdev->flags & ~BIT(HCI_UP); 905 else 906 flags = hdev->flags; 907 908 strscpy(di.name, hdev->name, sizeof(di.name)); 909 di.bdaddr = hdev->bdaddr; 910 di.type = (hdev->bus & 0x0f); 911 di.flags = flags; 912 di.pkt_type = hdev->pkt_type; 913 if (lmp_bredr_capable(hdev)) { 914 di.acl_mtu = hdev->acl_mtu; 915 di.acl_pkts = hdev->acl_pkts; 916 di.sco_mtu = hdev->sco_mtu; 917 di.sco_pkts = hdev->sco_pkts; 918 } else { 919 di.acl_mtu = hdev->le_mtu; 920 di.acl_pkts = hdev->le_pkts; 921 di.sco_mtu = 0; 922 di.sco_pkts = 0; 923 } 924 di.link_policy = hdev->link_policy; 925 di.link_mode = hdev->link_mode; 926 927 memcpy(&di.stat, &hdev->stat, sizeof(di.stat)); 928 memcpy(&di.features, &hdev->features, sizeof(di.features)); 929 930 if (copy_to_user(arg, &di, sizeof(di))) 931 err = -EFAULT; 932 933 hci_dev_put(hdev); 934 935 return err; 936 } 937 938 /* ---- Interface to HCI drivers ---- */ 939 940 static int hci_dev_do_poweroff(struct hci_dev *hdev) 941 { 942 int err; 943 944 BT_DBG("%s %p", hdev->name, hdev); 945 946 hci_req_sync_lock(hdev); 947 948 err = hci_set_powered_sync(hdev, false); 949 950 hci_req_sync_unlock(hdev); 951 952 return err; 953 } 954 955 static int hci_rfkill_set_block(void *data, bool blocked) 956 { 957 struct hci_dev *hdev = data; 958 int err; 959 960 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked); 961 962 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) 963 return -EBUSY; 964 965 if (blocked == hci_dev_test_flag(hdev, HCI_RFKILLED)) 966 return 0; 967 968 if (blocked) { 969 hci_dev_set_flag(hdev, HCI_RFKILLED); 970 971 if (!hci_dev_test_flag(hdev, HCI_SETUP) && 972 !hci_dev_test_flag(hdev, HCI_CONFIG)) { 973 err = hci_dev_do_poweroff(hdev); 974 if (err) { 975 bt_dev_err(hdev, "Error when powering off device on rfkill (%d)", 976 err); 977 978 /* Make sure the device is still closed even if 979 * anything during power off sequence (eg. 980 * disconnecting devices) failed. 981 */ 982 hci_dev_do_close(hdev); 983 } 984 } 985 } else { 986 hci_dev_clear_flag(hdev, HCI_RFKILLED); 987 } 988 989 return 0; 990 } 991 992 static const struct rfkill_ops hci_rfkill_ops = { 993 .set_block = hci_rfkill_set_block, 994 }; 995 996 static void hci_power_on(struct work_struct *work) 997 { 998 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on); 999 int err; 1000 1001 BT_DBG("%s", hdev->name); 1002 1003 if (test_bit(HCI_UP, &hdev->flags) && 1004 hci_dev_test_flag(hdev, HCI_MGMT) && 1005 hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) { 1006 cancel_delayed_work(&hdev->power_off); 1007 err = hci_powered_update_sync(hdev); 1008 mgmt_power_on(hdev, err); 1009 return; 1010 } 1011 1012 err = hci_dev_do_open(hdev); 1013 if (err < 0) { 1014 hci_dev_lock(hdev); 1015 mgmt_set_powered_failed(hdev, err); 1016 hci_dev_unlock(hdev); 1017 return; 1018 } 1019 1020 /* During the HCI setup phase, a few error conditions are 1021 * ignored and they need to be checked now. If they are still 1022 * valid, it is important to turn the device back off. 1023 */ 1024 if (hci_dev_test_flag(hdev, HCI_RFKILLED) || 1025 hci_dev_test_flag(hdev, HCI_UNCONFIGURED) || 1026 (!bacmp(&hdev->bdaddr, BDADDR_ANY) && 1027 !bacmp(&hdev->static_addr, BDADDR_ANY))) { 1028 hci_dev_clear_flag(hdev, HCI_AUTO_OFF); 1029 hci_dev_do_close(hdev); 1030 } else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) { 1031 queue_delayed_work(hdev->req_workqueue, &hdev->power_off, 1032 HCI_AUTO_OFF_TIMEOUT); 1033 } 1034 1035 if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) { 1036 /* For unconfigured devices, set the HCI_RAW flag 1037 * so that userspace can easily identify them. 1038 */ 1039 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 1040 set_bit(HCI_RAW, &hdev->flags); 1041 1042 /* For fully configured devices, this will send 1043 * the Index Added event. For unconfigured devices, 1044 * it will send Unconfigued Index Added event. 1045 * 1046 * Devices with HCI_QUIRK_RAW_DEVICE are ignored 1047 * and no event will be send. 1048 */ 1049 mgmt_index_added(hdev); 1050 } else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) { 1051 /* When the controller is now configured, then it 1052 * is important to clear the HCI_RAW flag. 1053 */ 1054 if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 1055 clear_bit(HCI_RAW, &hdev->flags); 1056 1057 /* Powering on the controller with HCI_CONFIG set only 1058 * happens with the transition from unconfigured to 1059 * configured. This will send the Index Added event. 1060 */ 1061 mgmt_index_added(hdev); 1062 } 1063 } 1064 1065 static void hci_power_off(struct work_struct *work) 1066 { 1067 struct hci_dev *hdev = container_of(work, struct hci_dev, 1068 power_off.work); 1069 1070 BT_DBG("%s", hdev->name); 1071 1072 hci_dev_do_close(hdev); 1073 } 1074 1075 static void hci_error_reset(struct work_struct *work) 1076 { 1077 struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset); 1078 1079 hci_dev_hold(hdev); 1080 BT_DBG("%s", hdev->name); 1081 1082 if (hdev->hw_error) 1083 hdev->hw_error(hdev, hdev->hw_error_code); 1084 else 1085 bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code); 1086 1087 if (!hci_dev_do_close(hdev)) 1088 hci_dev_do_open(hdev); 1089 1090 hci_dev_put(hdev); 1091 } 1092 1093 void hci_uuids_clear(struct hci_dev *hdev) 1094 { 1095 struct bt_uuid *uuid, *tmp; 1096 1097 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) { 1098 list_del(&uuid->list); 1099 kfree(uuid); 1100 } 1101 } 1102 1103 void hci_link_keys_clear(struct hci_dev *hdev) 1104 { 1105 struct link_key *key, *tmp; 1106 1107 list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) { 1108 list_del_rcu(&key->list); 1109 kfree_rcu(key, rcu); 1110 } 1111 } 1112 1113 void hci_smp_ltks_clear(struct hci_dev *hdev) 1114 { 1115 struct smp_ltk *k, *tmp; 1116 1117 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { 1118 list_del_rcu(&k->list); 1119 kfree_rcu(k, rcu); 1120 } 1121 } 1122 1123 void hci_smp_irks_clear(struct hci_dev *hdev) 1124 { 1125 struct smp_irk *k, *tmp; 1126 1127 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) { 1128 list_del_rcu(&k->list); 1129 kfree_rcu(k, rcu); 1130 } 1131 } 1132 1133 void hci_blocked_keys_clear(struct hci_dev *hdev) 1134 { 1135 struct blocked_key *b, *tmp; 1136 1137 list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) { 1138 list_del_rcu(&b->list); 1139 kfree_rcu(b, rcu); 1140 } 1141 } 1142 1143 bool hci_is_blocked_key(struct hci_dev *hdev, u8 type, u8 val[16]) 1144 { 1145 bool blocked = false; 1146 struct blocked_key *b; 1147 1148 rcu_read_lock(); 1149 list_for_each_entry_rcu(b, &hdev->blocked_keys, list) { 1150 if (b->type == type && !memcmp(b->val, val, sizeof(b->val))) { 1151 blocked = true; 1152 break; 1153 } 1154 } 1155 1156 rcu_read_unlock(); 1157 return blocked; 1158 } 1159 1160 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 1161 { 1162 struct link_key *k; 1163 1164 rcu_read_lock(); 1165 list_for_each_entry_rcu(k, &hdev->link_keys, list) { 1166 if (bacmp(bdaddr, &k->bdaddr) == 0) { 1167 rcu_read_unlock(); 1168 1169 if (hci_is_blocked_key(hdev, 1170 HCI_BLOCKED_KEY_TYPE_LINKKEY, 1171 k->val)) { 1172 bt_dev_warn_ratelimited(hdev, 1173 "Link key blocked for %pMR", 1174 &k->bdaddr); 1175 return NULL; 1176 } 1177 1178 return k; 1179 } 1180 } 1181 rcu_read_unlock(); 1182 1183 return NULL; 1184 } 1185 1186 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn, 1187 u8 key_type, u8 old_key_type) 1188 { 1189 /* Legacy key */ 1190 if (key_type < 0x03) 1191 return true; 1192 1193 /* Debug keys are insecure so don't store them persistently */ 1194 if (key_type == HCI_LK_DEBUG_COMBINATION) 1195 return false; 1196 1197 /* Changed combination key and there's no previous one */ 1198 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff) 1199 return false; 1200 1201 /* Security mode 3 case */ 1202 if (!conn) 1203 return true; 1204 1205 /* BR/EDR key derived using SC from an LE link */ 1206 if (conn->type == LE_LINK) 1207 return true; 1208 1209 /* Neither local nor remote side had no-bonding as requirement */ 1210 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01) 1211 return true; 1212 1213 /* Local side had dedicated bonding as requirement */ 1214 if (conn->auth_type == 0x02 || conn->auth_type == 0x03) 1215 return true; 1216 1217 /* Remote side had dedicated bonding as requirement */ 1218 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03) 1219 return true; 1220 1221 /* If none of the above criteria match, then don't store the key 1222 * persistently */ 1223 return false; 1224 } 1225 1226 static u8 ltk_role(u8 type) 1227 { 1228 if (type == SMP_LTK) 1229 return HCI_ROLE_MASTER; 1230 1231 return HCI_ROLE_SLAVE; 1232 } 1233 1234 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, 1235 u8 addr_type, u8 role) 1236 { 1237 struct smp_ltk *k; 1238 1239 rcu_read_lock(); 1240 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) { 1241 if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr)) 1242 continue; 1243 1244 if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) { 1245 rcu_read_unlock(); 1246 1247 if (hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_LTK, 1248 k->val)) { 1249 bt_dev_warn_ratelimited(hdev, 1250 "LTK blocked for %pMR", 1251 &k->bdaddr); 1252 return NULL; 1253 } 1254 1255 return k; 1256 } 1257 } 1258 rcu_read_unlock(); 1259 1260 return NULL; 1261 } 1262 1263 struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa) 1264 { 1265 struct smp_irk *irk_to_return = NULL; 1266 struct smp_irk *irk; 1267 1268 rcu_read_lock(); 1269 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) { 1270 if (!bacmp(&irk->rpa, rpa)) { 1271 irk_to_return = irk; 1272 goto done; 1273 } 1274 } 1275 1276 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) { 1277 if (smp_irk_matches(hdev, irk->val, rpa)) { 1278 bacpy(&irk->rpa, rpa); 1279 irk_to_return = irk; 1280 goto done; 1281 } 1282 } 1283 1284 done: 1285 if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK, 1286 irk_to_return->val)) { 1287 bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR", 1288 &irk_to_return->bdaddr); 1289 irk_to_return = NULL; 1290 } 1291 1292 rcu_read_unlock(); 1293 1294 return irk_to_return; 1295 } 1296 1297 struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr, 1298 u8 addr_type) 1299 { 1300 struct smp_irk *irk_to_return = NULL; 1301 struct smp_irk *irk; 1302 1303 /* Identity Address must be public or static random */ 1304 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0) 1305 return NULL; 1306 1307 rcu_read_lock(); 1308 list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) { 1309 if (addr_type == irk->addr_type && 1310 bacmp(bdaddr, &irk->bdaddr) == 0) { 1311 irk_to_return = irk; 1312 goto done; 1313 } 1314 } 1315 1316 done: 1317 1318 if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK, 1319 irk_to_return->val)) { 1320 bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR", 1321 &irk_to_return->bdaddr); 1322 irk_to_return = NULL; 1323 } 1324 1325 rcu_read_unlock(); 1326 1327 return irk_to_return; 1328 } 1329 1330 struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, 1331 bdaddr_t *bdaddr, u8 *val, u8 type, 1332 u8 pin_len, bool *persistent) 1333 { 1334 struct link_key *key, *old_key; 1335 u8 old_key_type; 1336 1337 old_key = hci_find_link_key(hdev, bdaddr); 1338 if (old_key) { 1339 old_key_type = old_key->type; 1340 key = old_key; 1341 } else { 1342 old_key_type = conn ? conn->key_type : 0xff; 1343 key = kzalloc(sizeof(*key), GFP_KERNEL); 1344 if (!key) 1345 return NULL; 1346 list_add_rcu(&key->list, &hdev->link_keys); 1347 } 1348 1349 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type); 1350 1351 /* Some buggy controller combinations generate a changed 1352 * combination key for legacy pairing even when there's no 1353 * previous key */ 1354 if (type == HCI_LK_CHANGED_COMBINATION && 1355 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) { 1356 type = HCI_LK_COMBINATION; 1357 if (conn) 1358 conn->key_type = type; 1359 } 1360 1361 bacpy(&key->bdaddr, bdaddr); 1362 memcpy(key->val, val, HCI_LINK_KEY_SIZE); 1363 key->pin_len = pin_len; 1364 1365 if (type == HCI_LK_CHANGED_COMBINATION) 1366 key->type = old_key_type; 1367 else 1368 key->type = type; 1369 1370 if (persistent) 1371 *persistent = hci_persistent_key(hdev, conn, type, 1372 old_key_type); 1373 1374 return key; 1375 } 1376 1377 struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, 1378 u8 addr_type, u8 type, u8 authenticated, 1379 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand) 1380 { 1381 struct smp_ltk *key, *old_key; 1382 u8 role = ltk_role(type); 1383 1384 old_key = hci_find_ltk(hdev, bdaddr, addr_type, role); 1385 if (old_key) 1386 key = old_key; 1387 else { 1388 key = kzalloc(sizeof(*key), GFP_KERNEL); 1389 if (!key) 1390 return NULL; 1391 list_add_rcu(&key->list, &hdev->long_term_keys); 1392 } 1393 1394 bacpy(&key->bdaddr, bdaddr); 1395 key->bdaddr_type = addr_type; 1396 memcpy(key->val, tk, sizeof(key->val)); 1397 key->authenticated = authenticated; 1398 key->ediv = ediv; 1399 key->rand = rand; 1400 key->enc_size = enc_size; 1401 key->type = type; 1402 1403 return key; 1404 } 1405 1406 struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, 1407 u8 addr_type, u8 val[16], bdaddr_t *rpa) 1408 { 1409 struct smp_irk *irk; 1410 1411 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type); 1412 if (!irk) { 1413 irk = kzalloc(sizeof(*irk), GFP_KERNEL); 1414 if (!irk) 1415 return NULL; 1416 1417 bacpy(&irk->bdaddr, bdaddr); 1418 irk->addr_type = addr_type; 1419 1420 list_add_rcu(&irk->list, &hdev->identity_resolving_keys); 1421 } 1422 1423 memcpy(irk->val, val, 16); 1424 bacpy(&irk->rpa, rpa); 1425 1426 return irk; 1427 } 1428 1429 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr) 1430 { 1431 struct link_key *key; 1432 1433 key = hci_find_link_key(hdev, bdaddr); 1434 if (!key) 1435 return -ENOENT; 1436 1437 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 1438 1439 list_del_rcu(&key->list); 1440 kfree_rcu(key, rcu); 1441 1442 return 0; 1443 } 1444 1445 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type) 1446 { 1447 struct smp_ltk *k, *tmp; 1448 int removed = 0; 1449 1450 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) { 1451 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type) 1452 continue; 1453 1454 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 1455 1456 list_del_rcu(&k->list); 1457 kfree_rcu(k, rcu); 1458 removed++; 1459 } 1460 1461 return removed ? 0 : -ENOENT; 1462 } 1463 1464 void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type) 1465 { 1466 struct smp_irk *k, *tmp; 1467 1468 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) { 1469 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type) 1470 continue; 1471 1472 BT_DBG("%s removing %pMR", hdev->name, bdaddr); 1473 1474 list_del_rcu(&k->list); 1475 kfree_rcu(k, rcu); 1476 } 1477 } 1478 1479 bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type) 1480 { 1481 struct smp_ltk *k; 1482 struct smp_irk *irk; 1483 u8 addr_type; 1484 1485 if (type == BDADDR_BREDR) { 1486 if (hci_find_link_key(hdev, bdaddr)) 1487 return true; 1488 return false; 1489 } 1490 1491 /* Convert to HCI addr type which struct smp_ltk uses */ 1492 if (type == BDADDR_LE_PUBLIC) 1493 addr_type = ADDR_LE_DEV_PUBLIC; 1494 else 1495 addr_type = ADDR_LE_DEV_RANDOM; 1496 1497 irk = hci_get_irk(hdev, bdaddr, addr_type); 1498 if (irk) { 1499 bdaddr = &irk->bdaddr; 1500 addr_type = irk->addr_type; 1501 } 1502 1503 rcu_read_lock(); 1504 list_for_each_entry_rcu(k, &hdev->long_term_keys, list) { 1505 if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) { 1506 rcu_read_unlock(); 1507 return true; 1508 } 1509 } 1510 rcu_read_unlock(); 1511 1512 return false; 1513 } 1514 1515 /* HCI command timer function */ 1516 static void hci_cmd_timeout(struct work_struct *work) 1517 { 1518 struct hci_dev *hdev = container_of(work, struct hci_dev, 1519 cmd_timer.work); 1520 1521 if (hdev->req_skb) { 1522 u16 opcode = hci_skb_opcode(hdev->req_skb); 1523 1524 bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode); 1525 1526 hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT); 1527 } else { 1528 bt_dev_err(hdev, "command tx timeout"); 1529 } 1530 1531 if (hdev->cmd_timeout) 1532 hdev->cmd_timeout(hdev); 1533 1534 atomic_set(&hdev->cmd_cnt, 1); 1535 queue_work(hdev->workqueue, &hdev->cmd_work); 1536 } 1537 1538 /* HCI ncmd timer function */ 1539 static void hci_ncmd_timeout(struct work_struct *work) 1540 { 1541 struct hci_dev *hdev = container_of(work, struct hci_dev, 1542 ncmd_timer.work); 1543 1544 bt_dev_err(hdev, "Controller not accepting commands anymore: ncmd = 0"); 1545 1546 /* During HCI_INIT phase no events can be injected if the ncmd timer 1547 * triggers since the procedure has its own timeout handling. 1548 */ 1549 if (test_bit(HCI_INIT, &hdev->flags)) 1550 return; 1551 1552 /* This is an irrecoverable state, inject hardware error event */ 1553 hci_reset_dev(hdev); 1554 } 1555 1556 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev, 1557 bdaddr_t *bdaddr, u8 bdaddr_type) 1558 { 1559 struct oob_data *data; 1560 1561 list_for_each_entry(data, &hdev->remote_oob_data, list) { 1562 if (bacmp(bdaddr, &data->bdaddr) != 0) 1563 continue; 1564 if (data->bdaddr_type != bdaddr_type) 1565 continue; 1566 return data; 1567 } 1568 1569 return NULL; 1570 } 1571 1572 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, 1573 u8 bdaddr_type) 1574 { 1575 struct oob_data *data; 1576 1577 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type); 1578 if (!data) 1579 return -ENOENT; 1580 1581 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type); 1582 1583 list_del(&data->list); 1584 kfree(data); 1585 1586 return 0; 1587 } 1588 1589 void hci_remote_oob_data_clear(struct hci_dev *hdev) 1590 { 1591 struct oob_data *data, *n; 1592 1593 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) { 1594 list_del(&data->list); 1595 kfree(data); 1596 } 1597 } 1598 1599 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, 1600 u8 bdaddr_type, u8 *hash192, u8 *rand192, 1601 u8 *hash256, u8 *rand256) 1602 { 1603 struct oob_data *data; 1604 1605 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type); 1606 if (!data) { 1607 data = kmalloc(sizeof(*data), GFP_KERNEL); 1608 if (!data) 1609 return -ENOMEM; 1610 1611 bacpy(&data->bdaddr, bdaddr); 1612 data->bdaddr_type = bdaddr_type; 1613 list_add(&data->list, &hdev->remote_oob_data); 1614 } 1615 1616 if (hash192 && rand192) { 1617 memcpy(data->hash192, hash192, sizeof(data->hash192)); 1618 memcpy(data->rand192, rand192, sizeof(data->rand192)); 1619 if (hash256 && rand256) 1620 data->present = 0x03; 1621 } else { 1622 memset(data->hash192, 0, sizeof(data->hash192)); 1623 memset(data->rand192, 0, sizeof(data->rand192)); 1624 if (hash256 && rand256) 1625 data->present = 0x02; 1626 else 1627 data->present = 0x00; 1628 } 1629 1630 if (hash256 && rand256) { 1631 memcpy(data->hash256, hash256, sizeof(data->hash256)); 1632 memcpy(data->rand256, rand256, sizeof(data->rand256)); 1633 } else { 1634 memset(data->hash256, 0, sizeof(data->hash256)); 1635 memset(data->rand256, 0, sizeof(data->rand256)); 1636 if (hash192 && rand192) 1637 data->present = 0x01; 1638 } 1639 1640 BT_DBG("%s for %pMR", hdev->name, bdaddr); 1641 1642 return 0; 1643 } 1644 1645 /* This function requires the caller holds hdev->lock */ 1646 struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance) 1647 { 1648 struct adv_info *adv_instance; 1649 1650 list_for_each_entry(adv_instance, &hdev->adv_instances, list) { 1651 if (adv_instance->instance == instance) 1652 return adv_instance; 1653 } 1654 1655 return NULL; 1656 } 1657 1658 /* This function requires the caller holds hdev->lock */ 1659 struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance) 1660 { 1661 struct adv_info *cur_instance; 1662 1663 cur_instance = hci_find_adv_instance(hdev, instance); 1664 if (!cur_instance) 1665 return NULL; 1666 1667 if (cur_instance == list_last_entry(&hdev->adv_instances, 1668 struct adv_info, list)) 1669 return list_first_entry(&hdev->adv_instances, 1670 struct adv_info, list); 1671 else 1672 return list_next_entry(cur_instance, list); 1673 } 1674 1675 /* This function requires the caller holds hdev->lock */ 1676 int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance) 1677 { 1678 struct adv_info *adv_instance; 1679 1680 adv_instance = hci_find_adv_instance(hdev, instance); 1681 if (!adv_instance) 1682 return -ENOENT; 1683 1684 BT_DBG("%s removing %dMR", hdev->name, instance); 1685 1686 if (hdev->cur_adv_instance == instance) { 1687 if (hdev->adv_instance_timeout) { 1688 cancel_delayed_work(&hdev->adv_instance_expire); 1689 hdev->adv_instance_timeout = 0; 1690 } 1691 hdev->cur_adv_instance = 0x00; 1692 } 1693 1694 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb); 1695 1696 list_del(&adv_instance->list); 1697 kfree(adv_instance); 1698 1699 hdev->adv_instance_cnt--; 1700 1701 return 0; 1702 } 1703 1704 void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired) 1705 { 1706 struct adv_info *adv_instance, *n; 1707 1708 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) 1709 adv_instance->rpa_expired = rpa_expired; 1710 } 1711 1712 /* This function requires the caller holds hdev->lock */ 1713 void hci_adv_instances_clear(struct hci_dev *hdev) 1714 { 1715 struct adv_info *adv_instance, *n; 1716 1717 if (hdev->adv_instance_timeout) { 1718 cancel_delayed_work(&hdev->adv_instance_expire); 1719 hdev->adv_instance_timeout = 0; 1720 } 1721 1722 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) { 1723 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb); 1724 list_del(&adv_instance->list); 1725 kfree(adv_instance); 1726 } 1727 1728 hdev->adv_instance_cnt = 0; 1729 hdev->cur_adv_instance = 0x00; 1730 } 1731 1732 static void adv_instance_rpa_expired(struct work_struct *work) 1733 { 1734 struct adv_info *adv_instance = container_of(work, struct adv_info, 1735 rpa_expired_cb.work); 1736 1737 BT_DBG(""); 1738 1739 adv_instance->rpa_expired = true; 1740 } 1741 1742 /* This function requires the caller holds hdev->lock */ 1743 struct adv_info *hci_add_adv_instance(struct hci_dev *hdev, u8 instance, 1744 u32 flags, u16 adv_data_len, u8 *adv_data, 1745 u16 scan_rsp_len, u8 *scan_rsp_data, 1746 u16 timeout, u16 duration, s8 tx_power, 1747 u32 min_interval, u32 max_interval, 1748 u8 mesh_handle) 1749 { 1750 struct adv_info *adv; 1751 1752 adv = hci_find_adv_instance(hdev, instance); 1753 if (adv) { 1754 memset(adv->adv_data, 0, sizeof(adv->adv_data)); 1755 memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data)); 1756 memset(adv->per_adv_data, 0, sizeof(adv->per_adv_data)); 1757 } else { 1758 if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets || 1759 instance < 1 || instance > hdev->le_num_of_adv_sets + 1) 1760 return ERR_PTR(-EOVERFLOW); 1761 1762 adv = kzalloc(sizeof(*adv), GFP_KERNEL); 1763 if (!adv) 1764 return ERR_PTR(-ENOMEM); 1765 1766 adv->pending = true; 1767 adv->instance = instance; 1768 1769 /* If controller support only one set and the instance is set to 1770 * 1 then there is no option other than using handle 0x00. 1771 */ 1772 if (hdev->le_num_of_adv_sets == 1 && instance == 1) 1773 adv->handle = 0x00; 1774 else 1775 adv->handle = instance; 1776 1777 list_add(&adv->list, &hdev->adv_instances); 1778 hdev->adv_instance_cnt++; 1779 } 1780 1781 adv->flags = flags; 1782 adv->min_interval = min_interval; 1783 adv->max_interval = max_interval; 1784 adv->tx_power = tx_power; 1785 /* Defining a mesh_handle changes the timing units to ms, 1786 * rather than seconds, and ties the instance to the requested 1787 * mesh_tx queue. 1788 */ 1789 adv->mesh = mesh_handle; 1790 1791 hci_set_adv_instance_data(hdev, instance, adv_data_len, adv_data, 1792 scan_rsp_len, scan_rsp_data); 1793 1794 adv->timeout = timeout; 1795 adv->remaining_time = timeout; 1796 1797 if (duration == 0) 1798 adv->duration = hdev->def_multi_adv_rotation_duration; 1799 else 1800 adv->duration = duration; 1801 1802 INIT_DELAYED_WORK(&adv->rpa_expired_cb, adv_instance_rpa_expired); 1803 1804 BT_DBG("%s for %dMR", hdev->name, instance); 1805 1806 return adv; 1807 } 1808 1809 /* This function requires the caller holds hdev->lock */ 1810 struct adv_info *hci_add_per_instance(struct hci_dev *hdev, u8 instance, 1811 u32 flags, u8 data_len, u8 *data, 1812 u32 min_interval, u32 max_interval) 1813 { 1814 struct adv_info *adv; 1815 1816 adv = hci_add_adv_instance(hdev, instance, flags, 0, NULL, 0, NULL, 1817 0, 0, HCI_ADV_TX_POWER_NO_PREFERENCE, 1818 min_interval, max_interval, 0); 1819 if (IS_ERR(adv)) 1820 return adv; 1821 1822 adv->periodic = true; 1823 adv->per_adv_data_len = data_len; 1824 1825 if (data) 1826 memcpy(adv->per_adv_data, data, data_len); 1827 1828 return adv; 1829 } 1830 1831 /* This function requires the caller holds hdev->lock */ 1832 int hci_set_adv_instance_data(struct hci_dev *hdev, u8 instance, 1833 u16 adv_data_len, u8 *adv_data, 1834 u16 scan_rsp_len, u8 *scan_rsp_data) 1835 { 1836 struct adv_info *adv; 1837 1838 adv = hci_find_adv_instance(hdev, instance); 1839 1840 /* If advertisement doesn't exist, we can't modify its data */ 1841 if (!adv) 1842 return -ENOENT; 1843 1844 if (adv_data_len && ADV_DATA_CMP(adv, adv_data, adv_data_len)) { 1845 memset(adv->adv_data, 0, sizeof(adv->adv_data)); 1846 memcpy(adv->adv_data, adv_data, adv_data_len); 1847 adv->adv_data_len = adv_data_len; 1848 adv->adv_data_changed = true; 1849 } 1850 1851 if (scan_rsp_len && SCAN_RSP_CMP(adv, scan_rsp_data, scan_rsp_len)) { 1852 memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data)); 1853 memcpy(adv->scan_rsp_data, scan_rsp_data, scan_rsp_len); 1854 adv->scan_rsp_len = scan_rsp_len; 1855 adv->scan_rsp_changed = true; 1856 } 1857 1858 /* Mark as changed if there are flags which would affect it */ 1859 if (((adv->flags & MGMT_ADV_FLAG_APPEARANCE) && hdev->appearance) || 1860 adv->flags & MGMT_ADV_FLAG_LOCAL_NAME) 1861 adv->scan_rsp_changed = true; 1862 1863 return 0; 1864 } 1865 1866 /* This function requires the caller holds hdev->lock */ 1867 u32 hci_adv_instance_flags(struct hci_dev *hdev, u8 instance) 1868 { 1869 u32 flags; 1870 struct adv_info *adv; 1871 1872 if (instance == 0x00) { 1873 /* Instance 0 always manages the "Tx Power" and "Flags" 1874 * fields 1875 */ 1876 flags = MGMT_ADV_FLAG_TX_POWER | MGMT_ADV_FLAG_MANAGED_FLAGS; 1877 1878 /* For instance 0, the HCI_ADVERTISING_CONNECTABLE setting 1879 * corresponds to the "connectable" instance flag. 1880 */ 1881 if (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) 1882 flags |= MGMT_ADV_FLAG_CONNECTABLE; 1883 1884 if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE)) 1885 flags |= MGMT_ADV_FLAG_LIMITED_DISCOV; 1886 else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) 1887 flags |= MGMT_ADV_FLAG_DISCOV; 1888 1889 return flags; 1890 } 1891 1892 adv = hci_find_adv_instance(hdev, instance); 1893 1894 /* Return 0 when we got an invalid instance identifier. */ 1895 if (!adv) 1896 return 0; 1897 1898 return adv->flags; 1899 } 1900 1901 bool hci_adv_instance_is_scannable(struct hci_dev *hdev, u8 instance) 1902 { 1903 struct adv_info *adv; 1904 1905 /* Instance 0x00 always set local name */ 1906 if (instance == 0x00) 1907 return true; 1908 1909 adv = hci_find_adv_instance(hdev, instance); 1910 if (!adv) 1911 return false; 1912 1913 if (adv->flags & MGMT_ADV_FLAG_APPEARANCE || 1914 adv->flags & MGMT_ADV_FLAG_LOCAL_NAME) 1915 return true; 1916 1917 return adv->scan_rsp_len ? true : false; 1918 } 1919 1920 /* This function requires the caller holds hdev->lock */ 1921 void hci_adv_monitors_clear(struct hci_dev *hdev) 1922 { 1923 struct adv_monitor *monitor; 1924 int handle; 1925 1926 idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle) 1927 hci_free_adv_monitor(hdev, monitor); 1928 1929 idr_destroy(&hdev->adv_monitors_idr); 1930 } 1931 1932 /* Frees the monitor structure and do some bookkeepings. 1933 * This function requires the caller holds hdev->lock. 1934 */ 1935 void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor) 1936 { 1937 struct adv_pattern *pattern; 1938 struct adv_pattern *tmp; 1939 1940 if (!monitor) 1941 return; 1942 1943 list_for_each_entry_safe(pattern, tmp, &monitor->patterns, list) { 1944 list_del(&pattern->list); 1945 kfree(pattern); 1946 } 1947 1948 if (monitor->handle) 1949 idr_remove(&hdev->adv_monitors_idr, monitor->handle); 1950 1951 if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED) { 1952 hdev->adv_monitors_cnt--; 1953 mgmt_adv_monitor_removed(hdev, monitor->handle); 1954 } 1955 1956 kfree(monitor); 1957 } 1958 1959 /* Assigns handle to a monitor, and if offloading is supported and power is on, 1960 * also attempts to forward the request to the controller. 1961 * This function requires the caller holds hci_req_sync_lock. 1962 */ 1963 int hci_add_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor) 1964 { 1965 int min, max, handle; 1966 int status = 0; 1967 1968 if (!monitor) 1969 return -EINVAL; 1970 1971 hci_dev_lock(hdev); 1972 1973 min = HCI_MIN_ADV_MONITOR_HANDLE; 1974 max = HCI_MIN_ADV_MONITOR_HANDLE + HCI_MAX_ADV_MONITOR_NUM_HANDLES; 1975 handle = idr_alloc(&hdev->adv_monitors_idr, monitor, min, max, 1976 GFP_KERNEL); 1977 1978 hci_dev_unlock(hdev); 1979 1980 if (handle < 0) 1981 return handle; 1982 1983 monitor->handle = handle; 1984 1985 if (!hdev_is_powered(hdev)) 1986 return status; 1987 1988 switch (hci_get_adv_monitor_offload_ext(hdev)) { 1989 case HCI_ADV_MONITOR_EXT_NONE: 1990 bt_dev_dbg(hdev, "add monitor %d status %d", 1991 monitor->handle, status); 1992 /* Message was not forwarded to controller - not an error */ 1993 break; 1994 1995 case HCI_ADV_MONITOR_EXT_MSFT: 1996 status = msft_add_monitor_pattern(hdev, monitor); 1997 bt_dev_dbg(hdev, "add monitor %d msft status %d", 1998 handle, status); 1999 break; 2000 } 2001 2002 return status; 2003 } 2004 2005 /* Attempts to tell the controller and free the monitor. If somehow the 2006 * controller doesn't have a corresponding handle, remove anyway. 2007 * This function requires the caller holds hci_req_sync_lock. 2008 */ 2009 static int hci_remove_adv_monitor(struct hci_dev *hdev, 2010 struct adv_monitor *monitor) 2011 { 2012 int status = 0; 2013 int handle; 2014 2015 switch (hci_get_adv_monitor_offload_ext(hdev)) { 2016 case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */ 2017 bt_dev_dbg(hdev, "remove monitor %d status %d", 2018 monitor->handle, status); 2019 goto free_monitor; 2020 2021 case HCI_ADV_MONITOR_EXT_MSFT: 2022 handle = monitor->handle; 2023 status = msft_remove_monitor(hdev, monitor); 2024 bt_dev_dbg(hdev, "remove monitor %d msft status %d", 2025 handle, status); 2026 break; 2027 } 2028 2029 /* In case no matching handle registered, just free the monitor */ 2030 if (status == -ENOENT) 2031 goto free_monitor; 2032 2033 return status; 2034 2035 free_monitor: 2036 if (status == -ENOENT) 2037 bt_dev_warn(hdev, "Removing monitor with no matching handle %d", 2038 monitor->handle); 2039 hci_free_adv_monitor(hdev, monitor); 2040 2041 return status; 2042 } 2043 2044 /* This function requires the caller holds hci_req_sync_lock */ 2045 int hci_remove_single_adv_monitor(struct hci_dev *hdev, u16 handle) 2046 { 2047 struct adv_monitor *monitor = idr_find(&hdev->adv_monitors_idr, handle); 2048 2049 if (!monitor) 2050 return -EINVAL; 2051 2052 return hci_remove_adv_monitor(hdev, monitor); 2053 } 2054 2055 /* This function requires the caller holds hci_req_sync_lock */ 2056 int hci_remove_all_adv_monitor(struct hci_dev *hdev) 2057 { 2058 struct adv_monitor *monitor; 2059 int idr_next_id = 0; 2060 int status = 0; 2061 2062 while (1) { 2063 monitor = idr_get_next(&hdev->adv_monitors_idr, &idr_next_id); 2064 if (!monitor) 2065 break; 2066 2067 status = hci_remove_adv_monitor(hdev, monitor); 2068 if (status) 2069 return status; 2070 2071 idr_next_id++; 2072 } 2073 2074 return status; 2075 } 2076 2077 /* This function requires the caller holds hdev->lock */ 2078 bool hci_is_adv_monitoring(struct hci_dev *hdev) 2079 { 2080 return !idr_is_empty(&hdev->adv_monitors_idr); 2081 } 2082 2083 int hci_get_adv_monitor_offload_ext(struct hci_dev *hdev) 2084 { 2085 if (msft_monitor_supported(hdev)) 2086 return HCI_ADV_MONITOR_EXT_MSFT; 2087 2088 return HCI_ADV_MONITOR_EXT_NONE; 2089 } 2090 2091 struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list, 2092 bdaddr_t *bdaddr, u8 type) 2093 { 2094 struct bdaddr_list *b; 2095 2096 list_for_each_entry(b, bdaddr_list, list) { 2097 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type) 2098 return b; 2099 } 2100 2101 return NULL; 2102 } 2103 2104 struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk( 2105 struct list_head *bdaddr_list, bdaddr_t *bdaddr, 2106 u8 type) 2107 { 2108 struct bdaddr_list_with_irk *b; 2109 2110 list_for_each_entry(b, bdaddr_list, list) { 2111 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type) 2112 return b; 2113 } 2114 2115 return NULL; 2116 } 2117 2118 struct bdaddr_list_with_flags * 2119 hci_bdaddr_list_lookup_with_flags(struct list_head *bdaddr_list, 2120 bdaddr_t *bdaddr, u8 type) 2121 { 2122 struct bdaddr_list_with_flags *b; 2123 2124 list_for_each_entry(b, bdaddr_list, list) { 2125 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type) 2126 return b; 2127 } 2128 2129 return NULL; 2130 } 2131 2132 void hci_bdaddr_list_clear(struct list_head *bdaddr_list) 2133 { 2134 struct bdaddr_list *b, *n; 2135 2136 list_for_each_entry_safe(b, n, bdaddr_list, list) { 2137 list_del(&b->list); 2138 kfree(b); 2139 } 2140 } 2141 2142 int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type) 2143 { 2144 struct bdaddr_list *entry; 2145 2146 if (!bacmp(bdaddr, BDADDR_ANY)) 2147 return -EBADF; 2148 2149 if (hci_bdaddr_list_lookup(list, bdaddr, type)) 2150 return -EEXIST; 2151 2152 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 2153 if (!entry) 2154 return -ENOMEM; 2155 2156 bacpy(&entry->bdaddr, bdaddr); 2157 entry->bdaddr_type = type; 2158 2159 list_add(&entry->list, list); 2160 2161 return 0; 2162 } 2163 2164 int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr, 2165 u8 type, u8 *peer_irk, u8 *local_irk) 2166 { 2167 struct bdaddr_list_with_irk *entry; 2168 2169 if (!bacmp(bdaddr, BDADDR_ANY)) 2170 return -EBADF; 2171 2172 if (hci_bdaddr_list_lookup(list, bdaddr, type)) 2173 return -EEXIST; 2174 2175 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 2176 if (!entry) 2177 return -ENOMEM; 2178 2179 bacpy(&entry->bdaddr, bdaddr); 2180 entry->bdaddr_type = type; 2181 2182 if (peer_irk) 2183 memcpy(entry->peer_irk, peer_irk, 16); 2184 2185 if (local_irk) 2186 memcpy(entry->local_irk, local_irk, 16); 2187 2188 list_add(&entry->list, list); 2189 2190 return 0; 2191 } 2192 2193 int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr, 2194 u8 type, u32 flags) 2195 { 2196 struct bdaddr_list_with_flags *entry; 2197 2198 if (!bacmp(bdaddr, BDADDR_ANY)) 2199 return -EBADF; 2200 2201 if (hci_bdaddr_list_lookup(list, bdaddr, type)) 2202 return -EEXIST; 2203 2204 entry = kzalloc(sizeof(*entry), GFP_KERNEL); 2205 if (!entry) 2206 return -ENOMEM; 2207 2208 bacpy(&entry->bdaddr, bdaddr); 2209 entry->bdaddr_type = type; 2210 entry->flags = flags; 2211 2212 list_add(&entry->list, list); 2213 2214 return 0; 2215 } 2216 2217 int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type) 2218 { 2219 struct bdaddr_list *entry; 2220 2221 if (!bacmp(bdaddr, BDADDR_ANY)) { 2222 hci_bdaddr_list_clear(list); 2223 return 0; 2224 } 2225 2226 entry = hci_bdaddr_list_lookup(list, bdaddr, type); 2227 if (!entry) 2228 return -ENOENT; 2229 2230 list_del(&entry->list); 2231 kfree(entry); 2232 2233 return 0; 2234 } 2235 2236 int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr, 2237 u8 type) 2238 { 2239 struct bdaddr_list_with_irk *entry; 2240 2241 if (!bacmp(bdaddr, BDADDR_ANY)) { 2242 hci_bdaddr_list_clear(list); 2243 return 0; 2244 } 2245 2246 entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type); 2247 if (!entry) 2248 return -ENOENT; 2249 2250 list_del(&entry->list); 2251 kfree(entry); 2252 2253 return 0; 2254 } 2255 2256 int hci_bdaddr_list_del_with_flags(struct list_head *list, bdaddr_t *bdaddr, 2257 u8 type) 2258 { 2259 struct bdaddr_list_with_flags *entry; 2260 2261 if (!bacmp(bdaddr, BDADDR_ANY)) { 2262 hci_bdaddr_list_clear(list); 2263 return 0; 2264 } 2265 2266 entry = hci_bdaddr_list_lookup_with_flags(list, bdaddr, type); 2267 if (!entry) 2268 return -ENOENT; 2269 2270 list_del(&entry->list); 2271 kfree(entry); 2272 2273 return 0; 2274 } 2275 2276 /* This function requires the caller holds hdev->lock */ 2277 struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, 2278 bdaddr_t *addr, u8 addr_type) 2279 { 2280 struct hci_conn_params *params; 2281 2282 list_for_each_entry(params, &hdev->le_conn_params, list) { 2283 if (bacmp(¶ms->addr, addr) == 0 && 2284 params->addr_type == addr_type) { 2285 return params; 2286 } 2287 } 2288 2289 return NULL; 2290 } 2291 2292 /* This function requires the caller holds hdev->lock or rcu_read_lock */ 2293 struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, 2294 bdaddr_t *addr, u8 addr_type) 2295 { 2296 struct hci_conn_params *param; 2297 2298 rcu_read_lock(); 2299 2300 list_for_each_entry_rcu(param, list, action) { 2301 if (bacmp(¶m->addr, addr) == 0 && 2302 param->addr_type == addr_type) { 2303 rcu_read_unlock(); 2304 return param; 2305 } 2306 } 2307 2308 rcu_read_unlock(); 2309 2310 return NULL; 2311 } 2312 2313 /* This function requires the caller holds hdev->lock */ 2314 void hci_pend_le_list_del_init(struct hci_conn_params *param) 2315 { 2316 if (list_empty(¶m->action)) 2317 return; 2318 2319 list_del_rcu(¶m->action); 2320 synchronize_rcu(); 2321 INIT_LIST_HEAD(¶m->action); 2322 } 2323 2324 /* This function requires the caller holds hdev->lock */ 2325 void hci_pend_le_list_add(struct hci_conn_params *param, 2326 struct list_head *list) 2327 { 2328 list_add_rcu(¶m->action, list); 2329 } 2330 2331 /* This function requires the caller holds hdev->lock */ 2332 struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, 2333 bdaddr_t *addr, u8 addr_type) 2334 { 2335 struct hci_conn_params *params; 2336 2337 params = hci_conn_params_lookup(hdev, addr, addr_type); 2338 if (params) 2339 return params; 2340 2341 params = kzalloc(sizeof(*params), GFP_KERNEL); 2342 if (!params) { 2343 bt_dev_err(hdev, "out of memory"); 2344 return NULL; 2345 } 2346 2347 bacpy(¶ms->addr, addr); 2348 params->addr_type = addr_type; 2349 2350 list_add(¶ms->list, &hdev->le_conn_params); 2351 INIT_LIST_HEAD(¶ms->action); 2352 2353 params->conn_min_interval = hdev->le_conn_min_interval; 2354 params->conn_max_interval = hdev->le_conn_max_interval; 2355 params->conn_latency = hdev->le_conn_latency; 2356 params->supervision_timeout = hdev->le_supv_timeout; 2357 params->auto_connect = HCI_AUTO_CONN_DISABLED; 2358 2359 BT_DBG("addr %pMR (type %u)", addr, addr_type); 2360 2361 return params; 2362 } 2363 2364 void hci_conn_params_free(struct hci_conn_params *params) 2365 { 2366 hci_pend_le_list_del_init(params); 2367 2368 if (params->conn) { 2369 hci_conn_drop(params->conn); 2370 hci_conn_put(params->conn); 2371 } 2372 2373 list_del(¶ms->list); 2374 kfree(params); 2375 } 2376 2377 /* This function requires the caller holds hdev->lock */ 2378 void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type) 2379 { 2380 struct hci_conn_params *params; 2381 2382 params = hci_conn_params_lookup(hdev, addr, addr_type); 2383 if (!params) 2384 return; 2385 2386 hci_conn_params_free(params); 2387 2388 hci_update_passive_scan(hdev); 2389 2390 BT_DBG("addr %pMR (type %u)", addr, addr_type); 2391 } 2392 2393 /* This function requires the caller holds hdev->lock */ 2394 void hci_conn_params_clear_disabled(struct hci_dev *hdev) 2395 { 2396 struct hci_conn_params *params, *tmp; 2397 2398 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) { 2399 if (params->auto_connect != HCI_AUTO_CONN_DISABLED) 2400 continue; 2401 2402 /* If trying to establish one time connection to disabled 2403 * device, leave the params, but mark them as just once. 2404 */ 2405 if (params->explicit_connect) { 2406 params->auto_connect = HCI_AUTO_CONN_EXPLICIT; 2407 continue; 2408 } 2409 2410 hci_conn_params_free(params); 2411 } 2412 2413 BT_DBG("All LE disabled connection parameters were removed"); 2414 } 2415 2416 /* This function requires the caller holds hdev->lock */ 2417 static void hci_conn_params_clear_all(struct hci_dev *hdev) 2418 { 2419 struct hci_conn_params *params, *tmp; 2420 2421 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) 2422 hci_conn_params_free(params); 2423 2424 BT_DBG("All LE connection parameters were removed"); 2425 } 2426 2427 /* Copy the Identity Address of the controller. 2428 * 2429 * If the controller has a public BD_ADDR, then by default use that one. 2430 * If this is a LE only controller without a public address, default to 2431 * the static random address. 2432 * 2433 * For debugging purposes it is possible to force controllers with a 2434 * public address to use the static random address instead. 2435 * 2436 * In case BR/EDR has been disabled on a dual-mode controller and 2437 * userspace has configured a static address, then that address 2438 * becomes the identity address instead of the public BR/EDR address. 2439 */ 2440 void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr, 2441 u8 *bdaddr_type) 2442 { 2443 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) || 2444 !bacmp(&hdev->bdaddr, BDADDR_ANY) || 2445 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) && 2446 bacmp(&hdev->static_addr, BDADDR_ANY))) { 2447 bacpy(bdaddr, &hdev->static_addr); 2448 *bdaddr_type = ADDR_LE_DEV_RANDOM; 2449 } else { 2450 bacpy(bdaddr, &hdev->bdaddr); 2451 *bdaddr_type = ADDR_LE_DEV_PUBLIC; 2452 } 2453 } 2454 2455 static void hci_clear_wake_reason(struct hci_dev *hdev) 2456 { 2457 hci_dev_lock(hdev); 2458 2459 hdev->wake_reason = 0; 2460 bacpy(&hdev->wake_addr, BDADDR_ANY); 2461 hdev->wake_addr_type = 0; 2462 2463 hci_dev_unlock(hdev); 2464 } 2465 2466 static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action, 2467 void *data) 2468 { 2469 struct hci_dev *hdev = 2470 container_of(nb, struct hci_dev, suspend_notifier); 2471 int ret = 0; 2472 2473 /* Userspace has full control of this device. Do nothing. */ 2474 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) 2475 return NOTIFY_DONE; 2476 2477 /* To avoid a potential race with hci_unregister_dev. */ 2478 hci_dev_hold(hdev); 2479 2480 if (action == PM_SUSPEND_PREPARE) 2481 ret = hci_suspend_dev(hdev); 2482 else if (action == PM_POST_SUSPEND) 2483 ret = hci_resume_dev(hdev); 2484 2485 if (ret) 2486 bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d", 2487 action, ret); 2488 2489 hci_dev_put(hdev); 2490 return NOTIFY_DONE; 2491 } 2492 2493 /* Alloc HCI device */ 2494 struct hci_dev *hci_alloc_dev_priv(int sizeof_priv) 2495 { 2496 struct hci_dev *hdev; 2497 unsigned int alloc_size; 2498 2499 alloc_size = sizeof(*hdev); 2500 if (sizeof_priv) { 2501 /* Fixme: May need ALIGN-ment? */ 2502 alloc_size += sizeof_priv; 2503 } 2504 2505 hdev = kzalloc(alloc_size, GFP_KERNEL); 2506 if (!hdev) 2507 return NULL; 2508 2509 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1); 2510 hdev->esco_type = (ESCO_HV1); 2511 hdev->link_mode = (HCI_LM_ACCEPT); 2512 hdev->num_iac = 0x01; /* One IAC support is mandatory */ 2513 hdev->io_capability = 0x03; /* No Input No Output */ 2514 hdev->manufacturer = 0xffff; /* Default to internal use */ 2515 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 2516 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 2517 hdev->adv_instance_cnt = 0; 2518 hdev->cur_adv_instance = 0x00; 2519 hdev->adv_instance_timeout = 0; 2520 2521 hdev->advmon_allowlist_duration = 300; 2522 hdev->advmon_no_filter_duration = 500; 2523 hdev->enable_advmon_interleave_scan = 0x00; /* Default to disable */ 2524 2525 hdev->sniff_max_interval = 800; 2526 hdev->sniff_min_interval = 80; 2527 2528 hdev->le_adv_channel_map = 0x07; 2529 hdev->le_adv_min_interval = 0x0800; 2530 hdev->le_adv_max_interval = 0x0800; 2531 hdev->le_scan_interval = DISCOV_LE_SCAN_INT_FAST; 2532 hdev->le_scan_window = DISCOV_LE_SCAN_WIN_FAST; 2533 hdev->le_scan_int_suspend = DISCOV_LE_SCAN_INT_SLOW1; 2534 hdev->le_scan_window_suspend = DISCOV_LE_SCAN_WIN_SLOW1; 2535 hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT; 2536 hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN; 2537 hdev->le_scan_int_adv_monitor = DISCOV_LE_SCAN_INT_FAST; 2538 hdev->le_scan_window_adv_monitor = DISCOV_LE_SCAN_WIN_FAST; 2539 hdev->le_scan_int_connect = DISCOV_LE_SCAN_INT_CONN; 2540 hdev->le_scan_window_connect = DISCOV_LE_SCAN_WIN_CONN; 2541 hdev->le_conn_min_interval = 0x0018; 2542 hdev->le_conn_max_interval = 0x0028; 2543 hdev->le_conn_latency = 0x0000; 2544 hdev->le_supv_timeout = 0x002a; 2545 hdev->le_def_tx_len = 0x001b; 2546 hdev->le_def_tx_time = 0x0148; 2547 hdev->le_max_tx_len = 0x001b; 2548 hdev->le_max_tx_time = 0x0148; 2549 hdev->le_max_rx_len = 0x001b; 2550 hdev->le_max_rx_time = 0x0148; 2551 hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE; 2552 hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE; 2553 hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M; 2554 hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M; 2555 hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES; 2556 hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION; 2557 hdev->def_le_autoconnect_timeout = HCI_LE_CONN_TIMEOUT; 2558 hdev->min_le_tx_power = HCI_TX_POWER_INVALID; 2559 hdev->max_le_tx_power = HCI_TX_POWER_INVALID; 2560 2561 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT; 2562 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT; 2563 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE; 2564 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE; 2565 hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 2566 hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE; 2567 2568 /* default 1.28 sec page scan */ 2569 hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD; 2570 hdev->def_page_scan_int = 0x0800; 2571 hdev->def_page_scan_window = 0x0012; 2572 2573 mutex_init(&hdev->lock); 2574 mutex_init(&hdev->req_lock); 2575 2576 ida_init(&hdev->unset_handle_ida); 2577 2578 INIT_LIST_HEAD(&hdev->mesh_pending); 2579 INIT_LIST_HEAD(&hdev->mgmt_pending); 2580 INIT_LIST_HEAD(&hdev->reject_list); 2581 INIT_LIST_HEAD(&hdev->accept_list); 2582 INIT_LIST_HEAD(&hdev->uuids); 2583 INIT_LIST_HEAD(&hdev->link_keys); 2584 INIT_LIST_HEAD(&hdev->long_term_keys); 2585 INIT_LIST_HEAD(&hdev->identity_resolving_keys); 2586 INIT_LIST_HEAD(&hdev->remote_oob_data); 2587 INIT_LIST_HEAD(&hdev->le_accept_list); 2588 INIT_LIST_HEAD(&hdev->le_resolv_list); 2589 INIT_LIST_HEAD(&hdev->le_conn_params); 2590 INIT_LIST_HEAD(&hdev->pend_le_conns); 2591 INIT_LIST_HEAD(&hdev->pend_le_reports); 2592 INIT_LIST_HEAD(&hdev->conn_hash.list); 2593 INIT_LIST_HEAD(&hdev->adv_instances); 2594 INIT_LIST_HEAD(&hdev->blocked_keys); 2595 INIT_LIST_HEAD(&hdev->monitored_devices); 2596 2597 INIT_LIST_HEAD(&hdev->local_codecs); 2598 INIT_WORK(&hdev->rx_work, hci_rx_work); 2599 INIT_WORK(&hdev->cmd_work, hci_cmd_work); 2600 INIT_WORK(&hdev->tx_work, hci_tx_work); 2601 INIT_WORK(&hdev->power_on, hci_power_on); 2602 INIT_WORK(&hdev->error_reset, hci_error_reset); 2603 2604 hci_cmd_sync_init(hdev); 2605 2606 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off); 2607 2608 skb_queue_head_init(&hdev->rx_q); 2609 skb_queue_head_init(&hdev->cmd_q); 2610 skb_queue_head_init(&hdev->raw_q); 2611 2612 init_waitqueue_head(&hdev->req_wait_q); 2613 2614 INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout); 2615 INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout); 2616 2617 hci_devcd_setup(hdev); 2618 hci_request_setup(hdev); 2619 2620 hci_init_sysfs(hdev); 2621 discovery_init(hdev); 2622 2623 return hdev; 2624 } 2625 EXPORT_SYMBOL(hci_alloc_dev_priv); 2626 2627 /* Free HCI device */ 2628 void hci_free_dev(struct hci_dev *hdev) 2629 { 2630 /* will free via device release */ 2631 put_device(&hdev->dev); 2632 } 2633 EXPORT_SYMBOL(hci_free_dev); 2634 2635 /* Register HCI device */ 2636 int hci_register_dev(struct hci_dev *hdev) 2637 { 2638 int id, error; 2639 2640 if (!hdev->open || !hdev->close || !hdev->send) 2641 return -EINVAL; 2642 2643 id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL); 2644 if (id < 0) 2645 return id; 2646 2647 error = dev_set_name(&hdev->dev, "hci%u", id); 2648 if (error) 2649 return error; 2650 2651 hdev->name = dev_name(&hdev->dev); 2652 hdev->id = id; 2653 2654 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus); 2655 2656 hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name); 2657 if (!hdev->workqueue) { 2658 error = -ENOMEM; 2659 goto err; 2660 } 2661 2662 hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, 2663 hdev->name); 2664 if (!hdev->req_workqueue) { 2665 destroy_workqueue(hdev->workqueue); 2666 error = -ENOMEM; 2667 goto err; 2668 } 2669 2670 if (!IS_ERR_OR_NULL(bt_debugfs)) 2671 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs); 2672 2673 error = device_add(&hdev->dev); 2674 if (error < 0) 2675 goto err_wqueue; 2676 2677 hci_leds_init(hdev); 2678 2679 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev, 2680 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops, 2681 hdev); 2682 if (hdev->rfkill) { 2683 if (rfkill_register(hdev->rfkill) < 0) { 2684 rfkill_destroy(hdev->rfkill); 2685 hdev->rfkill = NULL; 2686 } 2687 } 2688 2689 if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) 2690 hci_dev_set_flag(hdev, HCI_RFKILLED); 2691 2692 hci_dev_set_flag(hdev, HCI_SETUP); 2693 hci_dev_set_flag(hdev, HCI_AUTO_OFF); 2694 2695 /* Assume BR/EDR support until proven otherwise (such as 2696 * through reading supported features during init. 2697 */ 2698 hci_dev_set_flag(hdev, HCI_BREDR_ENABLED); 2699 2700 write_lock(&hci_dev_list_lock); 2701 list_add(&hdev->list, &hci_dev_list); 2702 write_unlock(&hci_dev_list_lock); 2703 2704 /* Devices that are marked for raw-only usage are unconfigured 2705 * and should not be included in normal operation. 2706 */ 2707 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks)) 2708 hci_dev_set_flag(hdev, HCI_UNCONFIGURED); 2709 2710 /* Mark Remote Wakeup connection flag as supported if driver has wakeup 2711 * callback. 2712 */ 2713 if (hdev->wakeup) 2714 hdev->conn_flags |= HCI_CONN_FLAG_REMOTE_WAKEUP; 2715 2716 hci_sock_dev_event(hdev, HCI_DEV_REG); 2717 hci_dev_hold(hdev); 2718 2719 error = hci_register_suspend_notifier(hdev); 2720 if (error) 2721 BT_WARN("register suspend notifier failed error:%d\n", error); 2722 2723 queue_work(hdev->req_workqueue, &hdev->power_on); 2724 2725 idr_init(&hdev->adv_monitors_idr); 2726 msft_register(hdev); 2727 2728 return id; 2729 2730 err_wqueue: 2731 debugfs_remove_recursive(hdev->debugfs); 2732 destroy_workqueue(hdev->workqueue); 2733 destroy_workqueue(hdev->req_workqueue); 2734 err: 2735 ida_free(&hci_index_ida, hdev->id); 2736 2737 return error; 2738 } 2739 EXPORT_SYMBOL(hci_register_dev); 2740 2741 /* Unregister HCI device */ 2742 void hci_unregister_dev(struct hci_dev *hdev) 2743 { 2744 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus); 2745 2746 mutex_lock(&hdev->unregister_lock); 2747 hci_dev_set_flag(hdev, HCI_UNREGISTER); 2748 mutex_unlock(&hdev->unregister_lock); 2749 2750 write_lock(&hci_dev_list_lock); 2751 list_del(&hdev->list); 2752 write_unlock(&hci_dev_list_lock); 2753 2754 cancel_work_sync(&hdev->power_on); 2755 2756 hci_cmd_sync_clear(hdev); 2757 2758 hci_unregister_suspend_notifier(hdev); 2759 2760 hci_dev_do_close(hdev); 2761 2762 if (!test_bit(HCI_INIT, &hdev->flags) && 2763 !hci_dev_test_flag(hdev, HCI_SETUP) && 2764 !hci_dev_test_flag(hdev, HCI_CONFIG)) { 2765 hci_dev_lock(hdev); 2766 mgmt_index_removed(hdev); 2767 hci_dev_unlock(hdev); 2768 } 2769 2770 /* mgmt_index_removed should take care of emptying the 2771 * pending list */ 2772 BUG_ON(!list_empty(&hdev->mgmt_pending)); 2773 2774 hci_sock_dev_event(hdev, HCI_DEV_UNREG); 2775 2776 if (hdev->rfkill) { 2777 rfkill_unregister(hdev->rfkill); 2778 rfkill_destroy(hdev->rfkill); 2779 } 2780 2781 device_del(&hdev->dev); 2782 /* Actual cleanup is deferred until hci_release_dev(). */ 2783 hci_dev_put(hdev); 2784 } 2785 EXPORT_SYMBOL(hci_unregister_dev); 2786 2787 /* Release HCI device */ 2788 void hci_release_dev(struct hci_dev *hdev) 2789 { 2790 debugfs_remove_recursive(hdev->debugfs); 2791 kfree_const(hdev->hw_info); 2792 kfree_const(hdev->fw_info); 2793 2794 destroy_workqueue(hdev->workqueue); 2795 destroy_workqueue(hdev->req_workqueue); 2796 2797 hci_dev_lock(hdev); 2798 hci_bdaddr_list_clear(&hdev->reject_list); 2799 hci_bdaddr_list_clear(&hdev->accept_list); 2800 hci_uuids_clear(hdev); 2801 hci_link_keys_clear(hdev); 2802 hci_smp_ltks_clear(hdev); 2803 hci_smp_irks_clear(hdev); 2804 hci_remote_oob_data_clear(hdev); 2805 hci_adv_instances_clear(hdev); 2806 hci_adv_monitors_clear(hdev); 2807 hci_bdaddr_list_clear(&hdev->le_accept_list); 2808 hci_bdaddr_list_clear(&hdev->le_resolv_list); 2809 hci_conn_params_clear_all(hdev); 2810 hci_discovery_filter_clear(hdev); 2811 hci_blocked_keys_clear(hdev); 2812 hci_codec_list_clear(&hdev->local_codecs); 2813 msft_release(hdev); 2814 hci_dev_unlock(hdev); 2815 2816 ida_destroy(&hdev->unset_handle_ida); 2817 ida_free(&hci_index_ida, hdev->id); 2818 kfree_skb(hdev->sent_cmd); 2819 kfree_skb(hdev->req_skb); 2820 kfree_skb(hdev->recv_event); 2821 kfree(hdev); 2822 } 2823 EXPORT_SYMBOL(hci_release_dev); 2824 2825 int hci_register_suspend_notifier(struct hci_dev *hdev) 2826 { 2827 int ret = 0; 2828 2829 if (!hdev->suspend_notifier.notifier_call && 2830 !test_bit(HCI_QUIRK_NO_SUSPEND_NOTIFIER, &hdev->quirks)) { 2831 hdev->suspend_notifier.notifier_call = hci_suspend_notifier; 2832 ret = register_pm_notifier(&hdev->suspend_notifier); 2833 } 2834 2835 return ret; 2836 } 2837 2838 int hci_unregister_suspend_notifier(struct hci_dev *hdev) 2839 { 2840 int ret = 0; 2841 2842 if (hdev->suspend_notifier.notifier_call) { 2843 ret = unregister_pm_notifier(&hdev->suspend_notifier); 2844 if (!ret) 2845 hdev->suspend_notifier.notifier_call = NULL; 2846 } 2847 2848 return ret; 2849 } 2850 2851 /* Cancel ongoing command synchronously: 2852 * 2853 * - Cancel command timer 2854 * - Reset command counter 2855 * - Cancel command request 2856 */ 2857 static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err) 2858 { 2859 bt_dev_dbg(hdev, "err 0x%2.2x", err); 2860 2861 cancel_delayed_work_sync(&hdev->cmd_timer); 2862 cancel_delayed_work_sync(&hdev->ncmd_timer); 2863 atomic_set(&hdev->cmd_cnt, 1); 2864 2865 hci_cmd_sync_cancel_sync(hdev, err); 2866 } 2867 2868 /* Suspend HCI device */ 2869 int hci_suspend_dev(struct hci_dev *hdev) 2870 { 2871 int ret; 2872 2873 bt_dev_dbg(hdev, ""); 2874 2875 /* Suspend should only act on when powered. */ 2876 if (!hdev_is_powered(hdev) || 2877 hci_dev_test_flag(hdev, HCI_UNREGISTER)) 2878 return 0; 2879 2880 /* If powering down don't attempt to suspend */ 2881 if (mgmt_powering_down(hdev)) 2882 return 0; 2883 2884 /* Cancel potentially blocking sync operation before suspend */ 2885 hci_cancel_cmd_sync(hdev, EHOSTDOWN); 2886 2887 hci_req_sync_lock(hdev); 2888 ret = hci_suspend_sync(hdev); 2889 hci_req_sync_unlock(hdev); 2890 2891 hci_clear_wake_reason(hdev); 2892 mgmt_suspending(hdev, hdev->suspend_state); 2893 2894 hci_sock_dev_event(hdev, HCI_DEV_SUSPEND); 2895 return ret; 2896 } 2897 EXPORT_SYMBOL(hci_suspend_dev); 2898 2899 /* Resume HCI device */ 2900 int hci_resume_dev(struct hci_dev *hdev) 2901 { 2902 int ret; 2903 2904 bt_dev_dbg(hdev, ""); 2905 2906 /* Resume should only act on when powered. */ 2907 if (!hdev_is_powered(hdev) || 2908 hci_dev_test_flag(hdev, HCI_UNREGISTER)) 2909 return 0; 2910 2911 /* If powering down don't attempt to resume */ 2912 if (mgmt_powering_down(hdev)) 2913 return 0; 2914 2915 hci_req_sync_lock(hdev); 2916 ret = hci_resume_sync(hdev); 2917 hci_req_sync_unlock(hdev); 2918 2919 mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr, 2920 hdev->wake_addr_type); 2921 2922 hci_sock_dev_event(hdev, HCI_DEV_RESUME); 2923 return ret; 2924 } 2925 EXPORT_SYMBOL(hci_resume_dev); 2926 2927 /* Reset HCI device */ 2928 int hci_reset_dev(struct hci_dev *hdev) 2929 { 2930 static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 }; 2931 struct sk_buff *skb; 2932 2933 skb = bt_skb_alloc(3, GFP_ATOMIC); 2934 if (!skb) 2935 return -ENOMEM; 2936 2937 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 2938 skb_put_data(skb, hw_err, 3); 2939 2940 bt_dev_err(hdev, "Injecting HCI hardware error event"); 2941 2942 /* Send Hardware Error to upper stack */ 2943 return hci_recv_frame(hdev, skb); 2944 } 2945 EXPORT_SYMBOL(hci_reset_dev); 2946 2947 /* Receive frame from HCI drivers */ 2948 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb) 2949 { 2950 if (!hdev || (!test_bit(HCI_UP, &hdev->flags) 2951 && !test_bit(HCI_INIT, &hdev->flags))) { 2952 kfree_skb(skb); 2953 return -ENXIO; 2954 } 2955 2956 switch (hci_skb_pkt_type(skb)) { 2957 case HCI_EVENT_PKT: 2958 break; 2959 case HCI_ACLDATA_PKT: 2960 /* Detect if ISO packet has been sent as ACL */ 2961 if (hci_conn_num(hdev, ISO_LINK)) { 2962 __u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle); 2963 __u8 type; 2964 2965 type = hci_conn_lookup_type(hdev, hci_handle(handle)); 2966 if (type == ISO_LINK) 2967 hci_skb_pkt_type(skb) = HCI_ISODATA_PKT; 2968 } 2969 break; 2970 case HCI_SCODATA_PKT: 2971 break; 2972 case HCI_ISODATA_PKT: 2973 break; 2974 default: 2975 kfree_skb(skb); 2976 return -EINVAL; 2977 } 2978 2979 /* Incoming skb */ 2980 bt_cb(skb)->incoming = 1; 2981 2982 /* Time stamp */ 2983 __net_timestamp(skb); 2984 2985 skb_queue_tail(&hdev->rx_q, skb); 2986 queue_work(hdev->workqueue, &hdev->rx_work); 2987 2988 return 0; 2989 } 2990 EXPORT_SYMBOL(hci_recv_frame); 2991 2992 /* Receive diagnostic message from HCI drivers */ 2993 int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb) 2994 { 2995 /* Mark as diagnostic packet */ 2996 hci_skb_pkt_type(skb) = HCI_DIAG_PKT; 2997 2998 /* Time stamp */ 2999 __net_timestamp(skb); 3000 3001 skb_queue_tail(&hdev->rx_q, skb); 3002 queue_work(hdev->workqueue, &hdev->rx_work); 3003 3004 return 0; 3005 } 3006 EXPORT_SYMBOL(hci_recv_diag); 3007 3008 void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...) 3009 { 3010 va_list vargs; 3011 3012 va_start(vargs, fmt); 3013 kfree_const(hdev->hw_info); 3014 hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs); 3015 va_end(vargs); 3016 } 3017 EXPORT_SYMBOL(hci_set_hw_info); 3018 3019 void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...) 3020 { 3021 va_list vargs; 3022 3023 va_start(vargs, fmt); 3024 kfree_const(hdev->fw_info); 3025 hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs); 3026 va_end(vargs); 3027 } 3028 EXPORT_SYMBOL(hci_set_fw_info); 3029 3030 /* ---- Interface to upper protocols ---- */ 3031 3032 int hci_register_cb(struct hci_cb *cb) 3033 { 3034 BT_DBG("%p name %s", cb, cb->name); 3035 3036 mutex_lock(&hci_cb_list_lock); 3037 list_add_tail(&cb->list, &hci_cb_list); 3038 mutex_unlock(&hci_cb_list_lock); 3039 3040 return 0; 3041 } 3042 EXPORT_SYMBOL(hci_register_cb); 3043 3044 int hci_unregister_cb(struct hci_cb *cb) 3045 { 3046 BT_DBG("%p name %s", cb, cb->name); 3047 3048 mutex_lock(&hci_cb_list_lock); 3049 list_del(&cb->list); 3050 mutex_unlock(&hci_cb_list_lock); 3051 3052 return 0; 3053 } 3054 EXPORT_SYMBOL(hci_unregister_cb); 3055 3056 static int hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 3057 { 3058 int err; 3059 3060 BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb), 3061 skb->len); 3062 3063 /* Time stamp */ 3064 __net_timestamp(skb); 3065 3066 /* Send copy to monitor */ 3067 hci_send_to_monitor(hdev, skb); 3068 3069 if (atomic_read(&hdev->promisc)) { 3070 /* Send copy to the sockets */ 3071 hci_send_to_sock(hdev, skb); 3072 } 3073 3074 /* Get rid of skb owner, prior to sending to the driver. */ 3075 skb_orphan(skb); 3076 3077 if (!test_bit(HCI_RUNNING, &hdev->flags)) { 3078 kfree_skb(skb); 3079 return -EINVAL; 3080 } 3081 3082 err = hdev->send(hdev, skb); 3083 if (err < 0) { 3084 bt_dev_err(hdev, "sending frame failed (%d)", err); 3085 kfree_skb(skb); 3086 return err; 3087 } 3088 3089 return 0; 3090 } 3091 3092 /* Send HCI command */ 3093 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, 3094 const void *param) 3095 { 3096 struct sk_buff *skb; 3097 3098 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen); 3099 3100 skb = hci_prepare_cmd(hdev, opcode, plen, param); 3101 if (!skb) { 3102 bt_dev_err(hdev, "no memory for command"); 3103 return -ENOMEM; 3104 } 3105 3106 /* Stand-alone HCI commands must be flagged as 3107 * single-command requests. 3108 */ 3109 bt_cb(skb)->hci.req_flags |= HCI_REQ_START; 3110 3111 skb_queue_tail(&hdev->cmd_q, skb); 3112 queue_work(hdev->workqueue, &hdev->cmd_work); 3113 3114 return 0; 3115 } 3116 3117 int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen, 3118 const void *param) 3119 { 3120 struct sk_buff *skb; 3121 3122 if (hci_opcode_ogf(opcode) != 0x3f) { 3123 /* A controller receiving a command shall respond with either 3124 * a Command Status Event or a Command Complete Event. 3125 * Therefore, all standard HCI commands must be sent via the 3126 * standard API, using hci_send_cmd or hci_cmd_sync helpers. 3127 * Some vendors do not comply with this rule for vendor-specific 3128 * commands and do not return any event. We want to support 3129 * unresponded commands for such cases only. 3130 */ 3131 bt_dev_err(hdev, "unresponded command not supported"); 3132 return -EINVAL; 3133 } 3134 3135 skb = hci_prepare_cmd(hdev, opcode, plen, param); 3136 if (!skb) { 3137 bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)", 3138 opcode); 3139 return -ENOMEM; 3140 } 3141 3142 hci_send_frame(hdev, skb); 3143 3144 return 0; 3145 } 3146 EXPORT_SYMBOL(__hci_cmd_send); 3147 3148 /* Get data from the previously sent command */ 3149 static void *hci_cmd_data(struct sk_buff *skb, __u16 opcode) 3150 { 3151 struct hci_command_hdr *hdr; 3152 3153 if (!skb || skb->len < HCI_COMMAND_HDR_SIZE) 3154 return NULL; 3155 3156 hdr = (void *)skb->data; 3157 3158 if (hdr->opcode != cpu_to_le16(opcode)) 3159 return NULL; 3160 3161 return skb->data + HCI_COMMAND_HDR_SIZE; 3162 } 3163 3164 /* Get data from the previously sent command */ 3165 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode) 3166 { 3167 void *data; 3168 3169 /* Check if opcode matches last sent command */ 3170 data = hci_cmd_data(hdev->sent_cmd, opcode); 3171 if (!data) 3172 /* Check if opcode matches last request */ 3173 data = hci_cmd_data(hdev->req_skb, opcode); 3174 3175 return data; 3176 } 3177 3178 /* Get data from last received event */ 3179 void *hci_recv_event_data(struct hci_dev *hdev, __u8 event) 3180 { 3181 struct hci_event_hdr *hdr; 3182 int offset; 3183 3184 if (!hdev->recv_event) 3185 return NULL; 3186 3187 hdr = (void *)hdev->recv_event->data; 3188 offset = sizeof(*hdr); 3189 3190 if (hdr->evt != event) { 3191 /* In case of LE metaevent check the subevent match */ 3192 if (hdr->evt == HCI_EV_LE_META) { 3193 struct hci_ev_le_meta *ev; 3194 3195 ev = (void *)hdev->recv_event->data + offset; 3196 offset += sizeof(*ev); 3197 if (ev->subevent == event) 3198 goto found; 3199 } 3200 return NULL; 3201 } 3202 3203 found: 3204 bt_dev_dbg(hdev, "event 0x%2.2x", event); 3205 3206 return hdev->recv_event->data + offset; 3207 } 3208 3209 /* Send ACL data */ 3210 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags) 3211 { 3212 struct hci_acl_hdr *hdr; 3213 int len = skb->len; 3214 3215 skb_push(skb, HCI_ACL_HDR_SIZE); 3216 skb_reset_transport_header(skb); 3217 hdr = (struct hci_acl_hdr *)skb_transport_header(skb); 3218 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags)); 3219 hdr->dlen = cpu_to_le16(len); 3220 } 3221 3222 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue, 3223 struct sk_buff *skb, __u16 flags) 3224 { 3225 struct hci_conn *conn = chan->conn; 3226 struct hci_dev *hdev = conn->hdev; 3227 struct sk_buff *list; 3228 3229 skb->len = skb_headlen(skb); 3230 skb->data_len = 0; 3231 3232 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT; 3233 3234 hci_add_acl_hdr(skb, conn->handle, flags); 3235 3236 list = skb_shinfo(skb)->frag_list; 3237 if (!list) { 3238 /* Non fragmented */ 3239 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len); 3240 3241 skb_queue_tail(queue, skb); 3242 } else { 3243 /* Fragmented */ 3244 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len); 3245 3246 skb_shinfo(skb)->frag_list = NULL; 3247 3248 /* Queue all fragments atomically. We need to use spin_lock_bh 3249 * here because of 6LoWPAN links, as there this function is 3250 * called from softirq and using normal spin lock could cause 3251 * deadlocks. 3252 */ 3253 spin_lock_bh(&queue->lock); 3254 3255 __skb_queue_tail(queue, skb); 3256 3257 flags &= ~ACL_START; 3258 flags |= ACL_CONT; 3259 do { 3260 skb = list; list = list->next; 3261 3262 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT; 3263 hci_add_acl_hdr(skb, conn->handle, flags); 3264 3265 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len); 3266 3267 __skb_queue_tail(queue, skb); 3268 } while (list); 3269 3270 spin_unlock_bh(&queue->lock); 3271 } 3272 } 3273 3274 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags) 3275 { 3276 struct hci_dev *hdev = chan->conn->hdev; 3277 3278 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags); 3279 3280 hci_queue_acl(chan, &chan->data_q, skb, flags); 3281 3282 queue_work(hdev->workqueue, &hdev->tx_work); 3283 } 3284 3285 /* Send SCO data */ 3286 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb) 3287 { 3288 struct hci_dev *hdev = conn->hdev; 3289 struct hci_sco_hdr hdr; 3290 3291 BT_DBG("%s len %d", hdev->name, skb->len); 3292 3293 hdr.handle = cpu_to_le16(conn->handle); 3294 hdr.dlen = skb->len; 3295 3296 skb_push(skb, HCI_SCO_HDR_SIZE); 3297 skb_reset_transport_header(skb); 3298 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE); 3299 3300 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT; 3301 3302 skb_queue_tail(&conn->data_q, skb); 3303 queue_work(hdev->workqueue, &hdev->tx_work); 3304 } 3305 3306 /* Send ISO data */ 3307 static void hci_add_iso_hdr(struct sk_buff *skb, __u16 handle, __u8 flags) 3308 { 3309 struct hci_iso_hdr *hdr; 3310 int len = skb->len; 3311 3312 skb_push(skb, HCI_ISO_HDR_SIZE); 3313 skb_reset_transport_header(skb); 3314 hdr = (struct hci_iso_hdr *)skb_transport_header(skb); 3315 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags)); 3316 hdr->dlen = cpu_to_le16(len); 3317 } 3318 3319 static void hci_queue_iso(struct hci_conn *conn, struct sk_buff_head *queue, 3320 struct sk_buff *skb) 3321 { 3322 struct hci_dev *hdev = conn->hdev; 3323 struct sk_buff *list; 3324 __u16 flags; 3325 3326 skb->len = skb_headlen(skb); 3327 skb->data_len = 0; 3328 3329 hci_skb_pkt_type(skb) = HCI_ISODATA_PKT; 3330 3331 list = skb_shinfo(skb)->frag_list; 3332 3333 flags = hci_iso_flags_pack(list ? ISO_START : ISO_SINGLE, 0x00); 3334 hci_add_iso_hdr(skb, conn->handle, flags); 3335 3336 if (!list) { 3337 /* Non fragmented */ 3338 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len); 3339 3340 skb_queue_tail(queue, skb); 3341 } else { 3342 /* Fragmented */ 3343 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len); 3344 3345 skb_shinfo(skb)->frag_list = NULL; 3346 3347 __skb_queue_tail(queue, skb); 3348 3349 do { 3350 skb = list; list = list->next; 3351 3352 hci_skb_pkt_type(skb) = HCI_ISODATA_PKT; 3353 flags = hci_iso_flags_pack(list ? ISO_CONT : ISO_END, 3354 0x00); 3355 hci_add_iso_hdr(skb, conn->handle, flags); 3356 3357 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len); 3358 3359 __skb_queue_tail(queue, skb); 3360 } while (list); 3361 } 3362 } 3363 3364 void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb) 3365 { 3366 struct hci_dev *hdev = conn->hdev; 3367 3368 BT_DBG("%s len %d", hdev->name, skb->len); 3369 3370 hci_queue_iso(conn, &conn->data_q, skb); 3371 3372 queue_work(hdev->workqueue, &hdev->tx_work); 3373 } 3374 3375 /* ---- HCI TX task (outgoing data) ---- */ 3376 3377 /* HCI Connection scheduler */ 3378 static inline void hci_quote_sent(struct hci_conn *conn, int num, int *quote) 3379 { 3380 struct hci_dev *hdev; 3381 int cnt, q; 3382 3383 if (!conn) { 3384 *quote = 0; 3385 return; 3386 } 3387 3388 hdev = conn->hdev; 3389 3390 switch (conn->type) { 3391 case ACL_LINK: 3392 cnt = hdev->acl_cnt; 3393 break; 3394 case SCO_LINK: 3395 case ESCO_LINK: 3396 cnt = hdev->sco_cnt; 3397 break; 3398 case LE_LINK: 3399 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt; 3400 break; 3401 case ISO_LINK: 3402 cnt = hdev->iso_mtu ? hdev->iso_cnt : 3403 hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt; 3404 break; 3405 default: 3406 cnt = 0; 3407 bt_dev_err(hdev, "unknown link type %d", conn->type); 3408 } 3409 3410 q = cnt / num; 3411 *quote = q ? q : 1; 3412 } 3413 3414 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, 3415 int *quote) 3416 { 3417 struct hci_conn_hash *h = &hdev->conn_hash; 3418 struct hci_conn *conn = NULL, *c; 3419 unsigned int num = 0, min = ~0; 3420 3421 /* We don't have to lock device here. Connections are always 3422 * added and removed with TX task disabled. */ 3423 3424 rcu_read_lock(); 3425 3426 list_for_each_entry_rcu(c, &h->list, list) { 3427 if (c->type != type || skb_queue_empty(&c->data_q)) 3428 continue; 3429 3430 if (c->state != BT_CONNECTED && c->state != BT_CONFIG) 3431 continue; 3432 3433 num++; 3434 3435 if (c->sent < min) { 3436 min = c->sent; 3437 conn = c; 3438 } 3439 3440 if (hci_conn_num(hdev, type) == num) 3441 break; 3442 } 3443 3444 rcu_read_unlock(); 3445 3446 hci_quote_sent(conn, num, quote); 3447 3448 BT_DBG("conn %p quote %d", conn, *quote); 3449 return conn; 3450 } 3451 3452 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type) 3453 { 3454 struct hci_conn_hash *h = &hdev->conn_hash; 3455 struct hci_conn *c; 3456 3457 bt_dev_err(hdev, "link tx timeout"); 3458 3459 rcu_read_lock(); 3460 3461 /* Kill stalled connections */ 3462 list_for_each_entry_rcu(c, &h->list, list) { 3463 if (c->type == type && c->sent) { 3464 bt_dev_err(hdev, "killing stalled connection %pMR", 3465 &c->dst); 3466 /* hci_disconnect might sleep, so, we have to release 3467 * the RCU read lock before calling it. 3468 */ 3469 rcu_read_unlock(); 3470 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM); 3471 rcu_read_lock(); 3472 } 3473 } 3474 3475 rcu_read_unlock(); 3476 } 3477 3478 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type, 3479 int *quote) 3480 { 3481 struct hci_conn_hash *h = &hdev->conn_hash; 3482 struct hci_chan *chan = NULL; 3483 unsigned int num = 0, min = ~0, cur_prio = 0; 3484 struct hci_conn *conn; 3485 int conn_num = 0; 3486 3487 BT_DBG("%s", hdev->name); 3488 3489 rcu_read_lock(); 3490 3491 list_for_each_entry_rcu(conn, &h->list, list) { 3492 struct hci_chan *tmp; 3493 3494 if (conn->type != type) 3495 continue; 3496 3497 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG) 3498 continue; 3499 3500 conn_num++; 3501 3502 list_for_each_entry_rcu(tmp, &conn->chan_list, list) { 3503 struct sk_buff *skb; 3504 3505 if (skb_queue_empty(&tmp->data_q)) 3506 continue; 3507 3508 skb = skb_peek(&tmp->data_q); 3509 if (skb->priority < cur_prio) 3510 continue; 3511 3512 if (skb->priority > cur_prio) { 3513 num = 0; 3514 min = ~0; 3515 cur_prio = skb->priority; 3516 } 3517 3518 num++; 3519 3520 if (conn->sent < min) { 3521 min = conn->sent; 3522 chan = tmp; 3523 } 3524 } 3525 3526 if (hci_conn_num(hdev, type) == conn_num) 3527 break; 3528 } 3529 3530 rcu_read_unlock(); 3531 3532 if (!chan) 3533 return NULL; 3534 3535 hci_quote_sent(chan->conn, num, quote); 3536 3537 BT_DBG("chan %p quote %d", chan, *quote); 3538 return chan; 3539 } 3540 3541 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type) 3542 { 3543 struct hci_conn_hash *h = &hdev->conn_hash; 3544 struct hci_conn *conn; 3545 int num = 0; 3546 3547 BT_DBG("%s", hdev->name); 3548 3549 rcu_read_lock(); 3550 3551 list_for_each_entry_rcu(conn, &h->list, list) { 3552 struct hci_chan *chan; 3553 3554 if (conn->type != type) 3555 continue; 3556 3557 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG) 3558 continue; 3559 3560 num++; 3561 3562 list_for_each_entry_rcu(chan, &conn->chan_list, list) { 3563 struct sk_buff *skb; 3564 3565 if (chan->sent) { 3566 chan->sent = 0; 3567 continue; 3568 } 3569 3570 if (skb_queue_empty(&chan->data_q)) 3571 continue; 3572 3573 skb = skb_peek(&chan->data_q); 3574 if (skb->priority >= HCI_PRIO_MAX - 1) 3575 continue; 3576 3577 skb->priority = HCI_PRIO_MAX - 1; 3578 3579 BT_DBG("chan %p skb %p promoted to %d", chan, skb, 3580 skb->priority); 3581 } 3582 3583 if (hci_conn_num(hdev, type) == num) 3584 break; 3585 } 3586 3587 rcu_read_unlock(); 3588 3589 } 3590 3591 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type) 3592 { 3593 unsigned long last_tx; 3594 3595 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) 3596 return; 3597 3598 switch (type) { 3599 case LE_LINK: 3600 last_tx = hdev->le_last_tx; 3601 break; 3602 default: 3603 last_tx = hdev->acl_last_tx; 3604 break; 3605 } 3606 3607 /* tx timeout must be longer than maximum link supervision timeout 3608 * (40.9 seconds) 3609 */ 3610 if (!cnt && time_after(jiffies, last_tx + HCI_ACL_TX_TIMEOUT)) 3611 hci_link_tx_to(hdev, type); 3612 } 3613 3614 /* Schedule SCO */ 3615 static void hci_sched_sco(struct hci_dev *hdev) 3616 { 3617 struct hci_conn *conn; 3618 struct sk_buff *skb; 3619 int quote; 3620 3621 BT_DBG("%s", hdev->name); 3622 3623 if (!hci_conn_num(hdev, SCO_LINK)) 3624 return; 3625 3626 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) { 3627 while (quote-- && (skb = skb_dequeue(&conn->data_q))) { 3628 BT_DBG("skb %p len %d", skb, skb->len); 3629 hci_send_frame(hdev, skb); 3630 3631 conn->sent++; 3632 if (conn->sent == ~0) 3633 conn->sent = 0; 3634 } 3635 } 3636 } 3637 3638 static void hci_sched_esco(struct hci_dev *hdev) 3639 { 3640 struct hci_conn *conn; 3641 struct sk_buff *skb; 3642 int quote; 3643 3644 BT_DBG("%s", hdev->name); 3645 3646 if (!hci_conn_num(hdev, ESCO_LINK)) 3647 return; 3648 3649 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK, 3650 "e))) { 3651 while (quote-- && (skb = skb_dequeue(&conn->data_q))) { 3652 BT_DBG("skb %p len %d", skb, skb->len); 3653 hci_send_frame(hdev, skb); 3654 3655 conn->sent++; 3656 if (conn->sent == ~0) 3657 conn->sent = 0; 3658 } 3659 } 3660 } 3661 3662 static void hci_sched_acl_pkt(struct hci_dev *hdev) 3663 { 3664 unsigned int cnt = hdev->acl_cnt; 3665 struct hci_chan *chan; 3666 struct sk_buff *skb; 3667 int quote; 3668 3669 __check_timeout(hdev, cnt, ACL_LINK); 3670 3671 while (hdev->acl_cnt && 3672 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) { 3673 u32 priority = (skb_peek(&chan->data_q))->priority; 3674 while (quote-- && (skb = skb_peek(&chan->data_q))) { 3675 BT_DBG("chan %p skb %p len %d priority %u", chan, skb, 3676 skb->len, skb->priority); 3677 3678 /* Stop if priority has changed */ 3679 if (skb->priority < priority) 3680 break; 3681 3682 skb = skb_dequeue(&chan->data_q); 3683 3684 hci_conn_enter_active_mode(chan->conn, 3685 bt_cb(skb)->force_active); 3686 3687 hci_send_frame(hdev, skb); 3688 hdev->acl_last_tx = jiffies; 3689 3690 hdev->acl_cnt--; 3691 chan->sent++; 3692 chan->conn->sent++; 3693 3694 /* Send pending SCO packets right away */ 3695 hci_sched_sco(hdev); 3696 hci_sched_esco(hdev); 3697 } 3698 } 3699 3700 if (cnt != hdev->acl_cnt) 3701 hci_prio_recalculate(hdev, ACL_LINK); 3702 } 3703 3704 static void hci_sched_acl(struct hci_dev *hdev) 3705 { 3706 BT_DBG("%s", hdev->name); 3707 3708 /* No ACL link over BR/EDR controller */ 3709 if (!hci_conn_num(hdev, ACL_LINK)) 3710 return; 3711 3712 hci_sched_acl_pkt(hdev); 3713 } 3714 3715 static void hci_sched_le(struct hci_dev *hdev) 3716 { 3717 struct hci_chan *chan; 3718 struct sk_buff *skb; 3719 int quote, cnt, tmp; 3720 3721 BT_DBG("%s", hdev->name); 3722 3723 if (!hci_conn_num(hdev, LE_LINK)) 3724 return; 3725 3726 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt; 3727 3728 __check_timeout(hdev, cnt, LE_LINK); 3729 3730 tmp = cnt; 3731 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) { 3732 u32 priority = (skb_peek(&chan->data_q))->priority; 3733 while (quote-- && (skb = skb_peek(&chan->data_q))) { 3734 BT_DBG("chan %p skb %p len %d priority %u", chan, skb, 3735 skb->len, skb->priority); 3736 3737 /* Stop if priority has changed */ 3738 if (skb->priority < priority) 3739 break; 3740 3741 skb = skb_dequeue(&chan->data_q); 3742 3743 hci_send_frame(hdev, skb); 3744 hdev->le_last_tx = jiffies; 3745 3746 cnt--; 3747 chan->sent++; 3748 chan->conn->sent++; 3749 3750 /* Send pending SCO packets right away */ 3751 hci_sched_sco(hdev); 3752 hci_sched_esco(hdev); 3753 } 3754 } 3755 3756 if (hdev->le_pkts) 3757 hdev->le_cnt = cnt; 3758 else 3759 hdev->acl_cnt = cnt; 3760 3761 if (cnt != tmp) 3762 hci_prio_recalculate(hdev, LE_LINK); 3763 } 3764 3765 /* Schedule CIS */ 3766 static void hci_sched_iso(struct hci_dev *hdev) 3767 { 3768 struct hci_conn *conn; 3769 struct sk_buff *skb; 3770 int quote, *cnt; 3771 3772 BT_DBG("%s", hdev->name); 3773 3774 if (!hci_conn_num(hdev, ISO_LINK)) 3775 return; 3776 3777 cnt = hdev->iso_pkts ? &hdev->iso_cnt : 3778 hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt; 3779 while (*cnt && (conn = hci_low_sent(hdev, ISO_LINK, "e))) { 3780 while (quote-- && (skb = skb_dequeue(&conn->data_q))) { 3781 BT_DBG("skb %p len %d", skb, skb->len); 3782 hci_send_frame(hdev, skb); 3783 3784 conn->sent++; 3785 if (conn->sent == ~0) 3786 conn->sent = 0; 3787 (*cnt)--; 3788 } 3789 } 3790 } 3791 3792 static void hci_tx_work(struct work_struct *work) 3793 { 3794 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work); 3795 struct sk_buff *skb; 3796 3797 BT_DBG("%s acl %d sco %d le %d iso %d", hdev->name, hdev->acl_cnt, 3798 hdev->sco_cnt, hdev->le_cnt, hdev->iso_cnt); 3799 3800 if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) { 3801 /* Schedule queues and send stuff to HCI driver */ 3802 hci_sched_sco(hdev); 3803 hci_sched_esco(hdev); 3804 hci_sched_iso(hdev); 3805 hci_sched_acl(hdev); 3806 hci_sched_le(hdev); 3807 } 3808 3809 /* Send next queued raw (unknown type) packet */ 3810 while ((skb = skb_dequeue(&hdev->raw_q))) 3811 hci_send_frame(hdev, skb); 3812 } 3813 3814 /* ----- HCI RX task (incoming data processing) ----- */ 3815 3816 /* ACL data packet */ 3817 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3818 { 3819 struct hci_acl_hdr *hdr = (void *) skb->data; 3820 struct hci_conn *conn; 3821 __u16 handle, flags; 3822 3823 skb_pull(skb, HCI_ACL_HDR_SIZE); 3824 3825 handle = __le16_to_cpu(hdr->handle); 3826 flags = hci_flags(handle); 3827 handle = hci_handle(handle); 3828 3829 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len, 3830 handle, flags); 3831 3832 hdev->stat.acl_rx++; 3833 3834 hci_dev_lock(hdev); 3835 conn = hci_conn_hash_lookup_handle(hdev, handle); 3836 hci_dev_unlock(hdev); 3837 3838 if (conn) { 3839 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF); 3840 3841 /* Send to upper protocol */ 3842 l2cap_recv_acldata(conn, skb, flags); 3843 return; 3844 } else { 3845 bt_dev_err(hdev, "ACL packet for unknown connection handle %d", 3846 handle); 3847 } 3848 3849 kfree_skb(skb); 3850 } 3851 3852 /* SCO data packet */ 3853 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3854 { 3855 struct hci_sco_hdr *hdr = (void *) skb->data; 3856 struct hci_conn *conn; 3857 __u16 handle, flags; 3858 3859 skb_pull(skb, HCI_SCO_HDR_SIZE); 3860 3861 handle = __le16_to_cpu(hdr->handle); 3862 flags = hci_flags(handle); 3863 handle = hci_handle(handle); 3864 3865 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len, 3866 handle, flags); 3867 3868 hdev->stat.sco_rx++; 3869 3870 hci_dev_lock(hdev); 3871 conn = hci_conn_hash_lookup_handle(hdev, handle); 3872 hci_dev_unlock(hdev); 3873 3874 if (conn) { 3875 /* Send to upper protocol */ 3876 hci_skb_pkt_status(skb) = flags & 0x03; 3877 sco_recv_scodata(conn, skb); 3878 return; 3879 } else { 3880 bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d", 3881 handle); 3882 } 3883 3884 kfree_skb(skb); 3885 } 3886 3887 static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb) 3888 { 3889 struct hci_iso_hdr *hdr; 3890 struct hci_conn *conn; 3891 __u16 handle, flags; 3892 3893 hdr = skb_pull_data(skb, sizeof(*hdr)); 3894 if (!hdr) { 3895 bt_dev_err(hdev, "ISO packet too small"); 3896 goto drop; 3897 } 3898 3899 handle = __le16_to_cpu(hdr->handle); 3900 flags = hci_flags(handle); 3901 handle = hci_handle(handle); 3902 3903 bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len, 3904 handle, flags); 3905 3906 hci_dev_lock(hdev); 3907 conn = hci_conn_hash_lookup_handle(hdev, handle); 3908 hci_dev_unlock(hdev); 3909 3910 if (!conn) { 3911 bt_dev_err(hdev, "ISO packet for unknown connection handle %d", 3912 handle); 3913 goto drop; 3914 } 3915 3916 /* Send to upper protocol */ 3917 iso_recv(conn, skb, flags); 3918 return; 3919 3920 drop: 3921 kfree_skb(skb); 3922 } 3923 3924 static bool hci_req_is_complete(struct hci_dev *hdev) 3925 { 3926 struct sk_buff *skb; 3927 3928 skb = skb_peek(&hdev->cmd_q); 3929 if (!skb) 3930 return true; 3931 3932 return (bt_cb(skb)->hci.req_flags & HCI_REQ_START); 3933 } 3934 3935 static void hci_resend_last(struct hci_dev *hdev) 3936 { 3937 struct hci_command_hdr *sent; 3938 struct sk_buff *skb; 3939 u16 opcode; 3940 3941 if (!hdev->sent_cmd) 3942 return; 3943 3944 sent = (void *) hdev->sent_cmd->data; 3945 opcode = __le16_to_cpu(sent->opcode); 3946 if (opcode == HCI_OP_RESET) 3947 return; 3948 3949 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); 3950 if (!skb) 3951 return; 3952 3953 skb_queue_head(&hdev->cmd_q, skb); 3954 queue_work(hdev->workqueue, &hdev->cmd_work); 3955 } 3956 3957 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status, 3958 hci_req_complete_t *req_complete, 3959 hci_req_complete_skb_t *req_complete_skb) 3960 { 3961 struct sk_buff *skb; 3962 unsigned long flags; 3963 3964 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status); 3965 3966 /* If the completed command doesn't match the last one that was 3967 * sent we need to do special handling of it. 3968 */ 3969 if (!hci_sent_cmd_data(hdev, opcode)) { 3970 /* Some CSR based controllers generate a spontaneous 3971 * reset complete event during init and any pending 3972 * command will never be completed. In such a case we 3973 * need to resend whatever was the last sent 3974 * command. 3975 */ 3976 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET) 3977 hci_resend_last(hdev); 3978 3979 return; 3980 } 3981 3982 /* If we reach this point this event matches the last command sent */ 3983 hci_dev_clear_flag(hdev, HCI_CMD_PENDING); 3984 3985 /* If the command succeeded and there's still more commands in 3986 * this request the request is not yet complete. 3987 */ 3988 if (!status && !hci_req_is_complete(hdev)) 3989 return; 3990 3991 skb = hdev->req_skb; 3992 3993 /* If this was the last command in a request the complete 3994 * callback would be found in hdev->req_skb instead of the 3995 * command queue (hdev->cmd_q). 3996 */ 3997 if (skb && bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) { 3998 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; 3999 return; 4000 } 4001 4002 if (skb && bt_cb(skb)->hci.req_complete) { 4003 *req_complete = bt_cb(skb)->hci.req_complete; 4004 return; 4005 } 4006 4007 /* Remove all pending commands belonging to this request */ 4008 spin_lock_irqsave(&hdev->cmd_q.lock, flags); 4009 while ((skb = __skb_dequeue(&hdev->cmd_q))) { 4010 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) { 4011 __skb_queue_head(&hdev->cmd_q, skb); 4012 break; 4013 } 4014 4015 if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) 4016 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; 4017 else 4018 *req_complete = bt_cb(skb)->hci.req_complete; 4019 dev_kfree_skb_irq(skb); 4020 } 4021 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags); 4022 } 4023 4024 static void hci_rx_work(struct work_struct *work) 4025 { 4026 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work); 4027 struct sk_buff *skb; 4028 4029 BT_DBG("%s", hdev->name); 4030 4031 /* The kcov_remote functions used for collecting packet parsing 4032 * coverage information from this background thread and associate 4033 * the coverage with the syscall's thread which originally injected 4034 * the packet. This helps fuzzing the kernel. 4035 */ 4036 for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) { 4037 kcov_remote_start_common(skb_get_kcov_handle(skb)); 4038 4039 /* Send copy to monitor */ 4040 hci_send_to_monitor(hdev, skb); 4041 4042 if (atomic_read(&hdev->promisc)) { 4043 /* Send copy to the sockets */ 4044 hci_send_to_sock(hdev, skb); 4045 } 4046 4047 /* If the device has been opened in HCI_USER_CHANNEL, 4048 * the userspace has exclusive access to device. 4049 * When device is HCI_INIT, we still need to process 4050 * the data packets to the driver in order 4051 * to complete its setup(). 4052 */ 4053 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && 4054 !test_bit(HCI_INIT, &hdev->flags)) { 4055 kfree_skb(skb); 4056 continue; 4057 } 4058 4059 if (test_bit(HCI_INIT, &hdev->flags)) { 4060 /* Don't process data packets in this states. */ 4061 switch (hci_skb_pkt_type(skb)) { 4062 case HCI_ACLDATA_PKT: 4063 case HCI_SCODATA_PKT: 4064 case HCI_ISODATA_PKT: 4065 kfree_skb(skb); 4066 continue; 4067 } 4068 } 4069 4070 /* Process frame */ 4071 switch (hci_skb_pkt_type(skb)) { 4072 case HCI_EVENT_PKT: 4073 BT_DBG("%s Event packet", hdev->name); 4074 hci_event_packet(hdev, skb); 4075 break; 4076 4077 case HCI_ACLDATA_PKT: 4078 BT_DBG("%s ACL data packet", hdev->name); 4079 hci_acldata_packet(hdev, skb); 4080 break; 4081 4082 case HCI_SCODATA_PKT: 4083 BT_DBG("%s SCO data packet", hdev->name); 4084 hci_scodata_packet(hdev, skb); 4085 break; 4086 4087 case HCI_ISODATA_PKT: 4088 BT_DBG("%s ISO data packet", hdev->name); 4089 hci_isodata_packet(hdev, skb); 4090 break; 4091 4092 default: 4093 kfree_skb(skb); 4094 break; 4095 } 4096 } 4097 } 4098 4099 static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) 4100 { 4101 int err; 4102 4103 bt_dev_dbg(hdev, "skb %p", skb); 4104 4105 kfree_skb(hdev->sent_cmd); 4106 4107 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL); 4108 if (!hdev->sent_cmd) { 4109 skb_queue_head(&hdev->cmd_q, skb); 4110 queue_work(hdev->workqueue, &hdev->cmd_work); 4111 return; 4112 } 4113 4114 err = hci_send_frame(hdev, skb); 4115 if (err < 0) { 4116 hci_cmd_sync_cancel_sync(hdev, -err); 4117 return; 4118 } 4119 4120 if (hci_req_status_pend(hdev) && 4121 !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) { 4122 kfree_skb(hdev->req_skb); 4123 hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); 4124 } 4125 4126 atomic_dec(&hdev->cmd_cnt); 4127 } 4128 4129 static void hci_cmd_work(struct work_struct *work) 4130 { 4131 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work); 4132 struct sk_buff *skb; 4133 4134 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name, 4135 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q)); 4136 4137 /* Send queued commands */ 4138 if (atomic_read(&hdev->cmd_cnt)) { 4139 skb = skb_dequeue(&hdev->cmd_q); 4140 if (!skb) 4141 return; 4142 4143 hci_send_cmd_sync(hdev, skb); 4144 4145 rcu_read_lock(); 4146 if (test_bit(HCI_RESET, &hdev->flags) || 4147 hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 4148 cancel_delayed_work(&hdev->cmd_timer); 4149 else 4150 queue_delayed_work(hdev->workqueue, &hdev->cmd_timer, 4151 HCI_CMD_TIMEOUT); 4152 rcu_read_unlock(); 4153 } 4154 } 4155