1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 BlueZ - Bluetooth protocol stack for Linux 4 Copyright (C) 2000-2001 Qualcomm Incorporated 5 Copyright (C) 2011 ProFUSION Embedded Systems 6 7 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 /* Bluetooth HCI core. 
 */

#include <linux/export.h>
#include <linux/rfkill.h>
#include <linux/debugfs.h>
#include <linux/crypto.h>
#include <linux/kcov.h>
#include <linux/property.h>
#include <linux/suspend.h>
#include <linux/wait.h>
#include <linux/unaligned.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include <net/bluetooth/mgmt.h>

#include "hci_debugfs.h"
#include "smp.h"
#include "leds.h"
#include "msft.h"
#include "aosp.h"
#include "hci_codec.h"

/* Work handlers defined later in this file; declared here because they
 * are referenced before their definitions.
 */
static void hci_rx_work(struct work_struct *work);
static void hci_cmd_work(struct work_struct *work);
static void hci_tx_work(struct work_struct *work);

/* HCI device list, protected by hci_dev_list_lock for traversal */
LIST_HEAD(hci_dev_list);
DEFINE_RWLOCK(hci_dev_list_lock);

/* HCI callback list */
LIST_HEAD(hci_cb_list);
DEFINE_MUTEX(hci_cb_list_lock);

/* HCI ID Numbering */
static DEFINE_IDA(hci_index_ida);

/* Get HCI device by index.
 * Device is held on return.
 *
 * Walks hci_dev_list under the read lock and takes a reference with
 * hci_dev_hold() on the first device whose id matches. When @srcu_index
 * is non-NULL the device's SRCU read side is entered as well and the
 * cookie is stored through it; the caller must then release with
 * hci_dev_put_srcu() instead of hci_dev_put().
 *
 * Returns NULL for a negative index or when no device has that id.
 */
static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
{
	struct hci_dev *hdev = NULL, *d;

	BT_DBG("%d", index);

	if (index < 0)
		return NULL;

	read_lock(&hci_dev_list_lock);
	list_for_each_entry(d, &hci_dev_list, list) {
		if (d->id == index) {
			hdev = hci_dev_hold(d);
			if (srcu_index)
				*srcu_index = srcu_read_lock(&d->srcu);
			break;
		}
	}
	read_unlock(&hci_dev_list_lock);
	return hdev;
}

/* Look up a device by index and take a reference on it. The caller
 * releases it with hci_dev_put(). No SRCU read-side section is entered.
 */
struct hci_dev *hci_dev_get(int index)
{
	return __hci_dev_get(index, NULL);
}

/* As hci_dev_get() but also enters hdev->srcu; the returned device must be
 * released with hci_dev_put_srcu() using the cookie stored in *srcu_index.
 */
static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)
{
	return __hci_dev_get(index, srcu_index);
}

/* Counterpart of hci_dev_get_srcu(): leave the SRCU read side, then drop
 * the reference.
 */
static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)
{
	srcu_read_unlock(&hdev->srcu, srcu_index);
	hci_dev_put(hdev);
}

/* ---- Inquiry support ---- */

/* True while a discovery procedure is in progress, i.e. the discovery
 * state is FINDING or RESOLVING. STARTING and STOPPING are not counted
 * as active.
 */
bool hci_discovery_active(struct hci_dev *hdev)
{
	struct discovery_state *discov = &hdev->discovery;

	switch (discov->state) {
	case DISCOVERY_FINDING:
	case DISCOVERY_RESOLVING:
		return true;

	default:
		return false;
	}
}
EXPORT_SYMBOL(hci_discovery_active);

/* Transition the discovery state machine and notify mgmt of the
 * user-visible edges: entering FINDING reports "discovering", reaching
 * STOPPED reports "not discovering" unless the previous state was
 * STARTING (in which case discovery was never reported as started).
 * A transition to the current state is a no-op.
 */
void hci_discovery_set_state(struct hci_dev *hdev, int state)
{
	int old_state = hdev->discovery.state;

	if (old_state == state)
		return;

	hdev->discovery.state = state;

	switch (state) {
	case DISCOVERY_STOPPED:
		hci_update_passive_scan(hdev);

		if (old_state != DISCOVERY_STARTING)
			mgmt_discovering(hdev, 0);
		break;
	case DISCOVERY_STARTING:
		break;
	case DISCOVERY_FINDING:
		mgmt_discovering(hdev, 1);
		break;
	case DISCOVERY_RESOLVING:
		break;
	case DISCOVERY_STOPPING:
		break;
	}

	bt_dev_dbg(hdev, "state %u -> %u", old_state, state);
}

/* Free every inquiry cache entry. Entries are owned by the "all" list;
 * the "unknown" and "resolve" lists only reference a subset of them, so
 * they are simply re-initialised rather than walked.
 */
void hci_inquiry_cache_flush(struct hci_dev *hdev)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *p, *n;

	list_for_each_entry_safe(p, n, &cache->all, all) {
		list_del(&p->all);
		kfree(p);
	}

	INIT_LIST_HEAD(&cache->unknown);
	INIT_LIST_HEAD(&cache->resolve);
}

/* Find the cache entry for @bdaddr in the "all" list, or NULL. */
struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
					       bdaddr_t *bdaddr)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *e;

	BT_DBG("cache %p, %pMR", cache, bdaddr);

	list_for_each_entry(e, &cache->all, all) {
		if (!bacmp(&e->data.bdaddr, bdaddr))
			return e;
	}

	return NULL;
}

/* Find the cache entry for @bdaddr among entries whose name is not yet
 * known (the "unknown" list), or NULL.
 */
struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
						       bdaddr_t *bdaddr)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *e;

	BT_DBG("cache %p, %pMR", cache, bdaddr);

	list_for_each_entry(e, &cache->unknown, list) {
		if (!bacmp(&e->data.bdaddr, bdaddr))
			return e;
	}

	return NULL;
}

/* Find an entry on the "resolve" list. Passing BDADDR_ANY acts as a
 * wildcard and returns the first entry whose name_state equals @state;
 * otherwise the entry is matched by address regardless of @state.
 */
struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
						       bdaddr_t *bdaddr,
						       int state)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *e;

	BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);

	list_for_each_entry(e, &cache->resolve, list) {
		if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
			return e;
		if (!bacmp(&e->data.bdaddr, bdaddr))
			return e;
	}

	return NULL;
}

/* Re-insert @ie into the "resolve" list at its sorted position. The list
 * is kept in ascending abs(rssi) order (so, with the usual negative dBm
 * values, strongest signal first); entries already in NAME_PENDING state
 * are skipped over rather than displaced.
 */
void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
				      struct inquiry_entry *ie)
{
	struct discovery_state *cache = &hdev->discovery;
	struct list_head *pos = &cache->resolve;
	struct inquiry_entry *p;

	list_del(&ie->list);

	list_for_each_entry(p, &cache->resolve, list) {
		if (p->name_state != NAME_PENDING &&
		    abs(p->data.rssi) >= abs(ie->data.rssi))
			break;
		pos = &p->list;
	}

	list_add(&ie->list, pos);
}

/* Insert or refresh the cache entry for an inquiry result.
 *
 * Returns MGMT_DEV_FOUND_* flags for the mgmt Device Found event:
 * LEGACY_PAIRING when either the new or the cached data lacks SSP,
 * CONFIRM_NAME when the name is still unknown or when allocating a new
 * entry failed (the caller then has no cached entry to rely on).
 * Any stale OOB data for the address is dropped first.
 */
u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
			     bool name_known)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_entry *ie;
	u32 flags = 0;

	BT_DBG("cache %p, %pMR", cache, &data->bdaddr);

	hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);

	if (!data->ssp_mode)
		flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;

	ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
	if (ie) {
		if (!ie->data.ssp_mode)
			flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;

		/* A changed RSSI moves the entry in the resolve ordering */
		if (ie->name_state == NAME_NEEDED &&
		    data->rssi != ie->data.rssi) {
			ie->data.rssi = data->rssi;
			hci_inquiry_cache_update_resolve(hdev, ie);
		}

		goto update;
	}

	/* Entry not in the cache. Add new one. */
	ie = kzalloc_obj(*ie);
	if (!ie) {
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
		goto done;
	}

	list_add(&ie->all, &cache->all);

	if (name_known) {
		ie->name_state = NAME_KNOWN;
	} else {
		ie->name_state = NAME_NOT_KNOWN;
		list_add(&ie->list, &cache->unknown);
	}

update:
	/* A name learned now promotes the entry off the unknown/resolve
	 * list, unless a name request is already in flight.
	 */
	if (name_known && ie->name_state != NAME_KNOWN &&
	    ie->name_state != NAME_PENDING) {
		ie->name_state = NAME_KNOWN;
		list_del(&ie->list);
	}

	memcpy(&ie->data, data, sizeof(*data));
	ie->timestamp = jiffies;
	cache->timestamp = jiffies;

	if (ie->name_state == NAME_NOT_KNOWN)
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;

done:
	return flags;
}

/* Serialise up to @num cache entries into @buf as struct inquiry_info
 * records. @buf must hold at least @num such records; the caller
 * (hci_inquiry) sizes it with kmalloc_array(). Returns the number of
 * records written. Must not sleep: called under hci_dev_lock().
 */
static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
{
	struct discovery_state *cache = &hdev->discovery;
	struct inquiry_info *info = (struct inquiry_info *) buf;
	struct inquiry_entry *e;
	int copied = 0;

	list_for_each_entry(e, &cache->all, all) {
		struct inquiry_data *data = &e->data;

		if (copied >= num)
			break;

		bacpy(&info->bdaddr, &data->bdaddr);
		info->pscan_rep_mode = data->pscan_rep_mode;
		info->pscan_period_mode = data->pscan_period_mode;
		info->pscan_mode = data->pscan_mode;
		memcpy(info->dev_class, data->dev_class, 3);
		info->clock_offset = data->clock_offset;

		info++;
		copied++;
	}

	BT_DBG("cache %p, copied %d", cache, copied);
	return copied;
}

/* HCIINQUIRY ioctl backend. @arg points to a user-space struct
 * hci_inquiry_req immediately followed by the result buffer.
 *
 * All request fields are untrusted: dev_id is resolved through
 * hci_dev_get(), length is capped at 60, and num_rsp == 0 is mapped to
 * 255 entries. The kernel buffer is sized for max_rsp entries and only
 * the number actually filled by inquiry_cache_dump() is copied back, so
 * the user copy never exceeds the allocation.
 *
 * Returns 0, or a negative errno (-EFAULT, -ENODEV, -EBUSY, -EOPNOTSUPP,
 * -EINVAL, -EINTR, -ENOMEM, or the error from hci_inquiry_sync()).
 */
int hci_inquiry(void __user *arg)
{
	__u8 __user *ptr = arg;
	struct hci_inquiry_req ir;
	struct hci_dev *hdev;
	int err = 0, do_inquiry = 0, max_rsp;
	__u8 *buf;

	if (copy_from_user(&ir, ptr, sizeof(ir)))
		return -EFAULT;

	hdev = hci_dev_get(ir.dev_id);
	if (!hdev)
		return -ENODEV;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EBUSY;
		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	/* Restrict maximum inquiry length to 60 seconds */
	if (ir.length > 60) {
		err = -EINVAL;
		goto done;
	}

	/* Serve from the cache unless it is stale, empty, or the caller
	 * explicitly asked for a flush.
	 */
	hci_dev_lock(hdev);
	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
		hci_inquiry_cache_flush(hdev);
		do_inquiry = 1;
	}
	hci_dev_unlock(hdev);

	if (do_inquiry) {
		hci_req_sync_lock(hdev);
		err = hci_inquiry_sync(hdev, ir.length, ir.num_rsp);
		hci_req_sync_unlock(hdev);

		if (err < 0)
			goto done;

		/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
		 * cleared). If it is interrupted by a signal, return -EINTR.
		 */
		if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
				TASK_INTERRUPTIBLE)) {
			err = -EINTR;
			goto done;
		}
	}

	/* for unlimited number of responses we will use buffer with
	 * 255 entries
	 */
	max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;

	/* cache_dump can't sleep. Therefore we allocate temp buffer and then
	 * copy it to the user space.
	 */
	buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
	if (!buf) {
		err = -ENOMEM;
		goto done;
	}

	hci_dev_lock(hdev);
	ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
	hci_dev_unlock(hdev);

	BT_DBG("num_rsp %d", ir.num_rsp);

	/* Write back the header (with the real num_rsp) followed by the
	 * entries; only the filled portion of buf is exposed to userspace.
	 */
	if (!copy_to_user(ptr, &ir, sizeof(ir))) {
		ptr += sizeof(ir);
		if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
				 ir.num_rsp))
			err = -EFAULT;
	} else
		err = -EFAULT;

	kfree(buf);

done:
	hci_dev_put(hdev);
	return err;
}

/* Bring the controller up under the request-sync lock. Returns the
 * result of hci_dev_open_sync().
 */
static int hci_dev_do_open(struct hci_dev *hdev)
{
	int ret = 0;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);

	ret = hci_dev_open_sync(hdev);

	hci_req_sync_unlock(hdev);
	return ret;
}

/* ---- HCI ioctl helpers ---- */

/* HCIDEVUP ioctl backend: open device @dev. Returns 0 or a negative
 * errno (-ENODEV, -EOPNOTSUPP, or the error from hci_dev_do_open()).
 */
int hci_dev_open(__u16 dev)
{
	struct hci_dev *hdev;
	int err;

	hdev = hci_dev_get(dev);
	if (!hdev)
		return -ENODEV;

	/* Devices that are marked as unconfigured can only be powered
	 * up as user channel. Trying to bring them up as normal devices
	 * will result into a failure. Only user channel operation is
	 * possible.
	 *
	 * When this function is called for a user channel, the flag
	 * HCI_USER_CHANNEL will be set first before attempting to
	 * open the device.
	 */
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	/* We need to ensure that no other power on/off work is pending
	 * before proceeding to call hci_dev_do_open. This is
	 * particularly important if the setup procedure has not yet
	 * completed.
	 */
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
		cancel_delayed_work(&hdev->power_off);

	/* After this call it is guaranteed that the setup procedure
	 * has finished. This means that error conditions like RFKILL
	 * or no valid public or static random address apply.
	 */
	flush_workqueue(hdev->req_workqueue);

	/* For controllers not using the management interface and that
	 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
	 * so that pairing works for them. Once the management interface
	 * is in use this bit will be cleared again and userspace has
	 * to explicitly enable it.
	 */
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
	    !hci_dev_test_flag(hdev, HCI_MGMT))
		hci_dev_set_flag(hdev, HCI_BONDABLE);

	err = hci_dev_do_open(hdev);

done:
	hci_dev_put(hdev);
	return err;
}

/* Close the controller under the request-sync lock. Returns the result
 * of hci_dev_close_sync().
 */
int hci_dev_do_close(struct hci_dev *hdev)
{
	int err;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);

	err = hci_dev_close_sync(hdev);

	hci_req_sync_unlock(hdev);

	return err;
}

/* HCIDEVDOWN ioctl backend: close device @dev. Refused with -EBUSY while
 * the device is owned by a user channel. Any pending power-on work is
 * cancelled synchronously first so it cannot race the close.
 */
int hci_dev_close(__u16 dev)
{
	struct hci_dev *hdev;
	int err;

	hdev = hci_dev_get(dev);
	if (!hdev)
		return -ENODEV;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EBUSY;
		goto done;
	}

	cancel_work_sync(&hdev->power_on);
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
		cancel_delayed_work(&hdev->power_off);

	err = hci_dev_do_close(hdev);

done:
	hci_dev_put(hdev);
	return err;
}

/* Close and re-open the controller under one request-sync lock hold.
 * The re-open is skipped if the close fails.
 */
static int hci_dev_do_reset(struct hci_dev *hdev)
{
	int ret;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);

	ret = hci_dev_close_sync(hdev);
	if (!ret)
		ret = hci_dev_open_sync(hdev);

	hci_req_sync_unlock(hdev);
	return ret;
}

/* HCIDEVRESET ioctl backend. The device is looked up with the SRCU
 * variant so it stays valid across the close/open cycle. Requires the
 * device to be up, not a user channel, and configured.
 */
int hci_dev_reset(__u16 dev)
{
	struct hci_dev *hdev;
	int err, srcu_index;

	hdev = hci_dev_get_srcu(dev, &srcu_index);
	if (!hdev)
		return -ENODEV;

	if (!test_bit(HCI_UP, &hdev->flags)) {
		err = -ENETDOWN;
		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EBUSY;
		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	err = hci_dev_do_reset(hdev);

done:
	hci_dev_put_srcu(hdev, srcu_index);
	return err;
}

/* HCIDEVRESTAT ioctl backend: zero the device's traffic counters. */
int hci_dev_reset_stat(__u16 dev)
{
	struct hci_dev *hdev;
	int ret = 0;

	hdev = hci_dev_get(dev);
	if (!hdev)
		return -ENODEV;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		ret = -EBUSY;
		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
		ret = -EOPNOTSUPP;
		goto done;
	}

	memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));

done:
	hci_dev_put(hdev);
	return ret;
}

/* Mirror a raw Write Scan Enable value (@scan, SCAN_PAGE/SCAN_INQUIRY
 * bits) into the HCI_CONNECTABLE / HCI_DISCOVERABLE flags. Clearing
 * discoverable also clears HCI_LIMITED_DISCOVERABLE. If mgmt is in use
 * and anything changed, BR/EDR is marked enabled, advertising data is
 * refreshed when LE is enabled, and a New Settings event is sent.
 */
static void hci_update_passive_scan_state(struct hci_dev *hdev, u8 scan)
{
	bool conn_changed, discov_changed;

	BT_DBG("%s scan 0x%02x", hdev->name, scan);

	if ((scan & SCAN_PAGE))
		conn_changed = !hci_dev_test_and_set_flag(hdev,
							  HCI_CONNECTABLE);
	else
		conn_changed = hci_dev_test_and_clear_flag(hdev,
							   HCI_CONNECTABLE);

	if ((scan & SCAN_INQUIRY)) {
		discov_changed = !hci_dev_test_and_set_flag(hdev,
							    HCI_DISCOVERABLE);
	} else {
		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
		discov_changed = hci_dev_test_and_clear_flag(hdev,
							     HCI_DISCOVERABLE);
	}

	if (!hci_dev_test_flag(hdev, HCI_MGMT))
		return;

	if (conn_changed || discov_changed) {
		/* In case this was disabled through mgmt */
		hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);

		if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
			hci_update_adv_data(hdev, hdev->cur_adv_instance);

		mgmt_new_settings(hdev);
	}
}

/* Legacy HCISET* ioctl backend. @arg points to a user-space struct
 * hci_dev_req; dr.dev_opt is an untrusted value whose meaning depends on
 * @cmd. Refused for user-channel, unconfigured, or BR/EDR-disabled
 * devices. Unknown commands return -EINVAL.
 */
int hci_dev_cmd(unsigned int cmd, void __user *arg)
{
	struct hci_dev *hdev;
	struct hci_dev_req dr;
	__le16 policy;
	int err = 0;

	if (copy_from_user(&dr, arg, sizeof(dr)))
		return -EFAULT;

	hdev = hci_dev_get(dr.dev_id);
	if (!hdev)
		return -ENODEV;

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		err = -EBUSY;
		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
		err = -EOPNOTSUPP;
		goto done;
	}

	switch (cmd) {
	case HCISETAUTH:
		/* Only the first byte of dev_opt is sent as the parameter */
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
		break;

	case HCISETENCRYPT:
		if (!lmp_encrypt_capable(hdev)) {
			err = -EOPNOTSUPP;
			break;
		}

		if (!test_bit(HCI_AUTH, &hdev->flags)) {
			/* Auth must be enabled first */
			err = hci_cmd_sync_status(hdev,
						  HCI_OP_WRITE_AUTH_ENABLE,
						  1, &dr.dev_opt,
						  HCI_CMD_TIMEOUT);
			if (err)
				break;
		}

		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
		break;

	case HCISETSCAN:
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);

		/* Ensure that the connectable and discoverable states
		 * get correctly modified as this was a non-mgmt change.
		 */
		if (!err)
			hci_update_passive_scan_state(hdev, dr.dev_opt);
		break;

	case HCISETLINKPOL:
		policy = cpu_to_le16(dr.dev_opt);

		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
					  2, &policy, HCI_CMD_TIMEOUT);
		break;

	case HCISETLINKMODE:
		/* Only the MASTER and ACCEPT bits may be set from userspace */
		hdev->link_mode = ((__u16) dr.dev_opt) &
					(HCI_LM_MASTER | HCI_LM_ACCEPT);
		break;

	case HCISETPTYPE:
		if (hdev->pkt_type == (__u16) dr.dev_opt)
			break;

		hdev->pkt_type = (__u16) dr.dev_opt;
		mgmt_phy_configuration_changed(hdev, NULL);
		break;

	case HCISETACLMTU:
		/* dev_opt is read as two consecutive 16-bit words in memory
		 * order: word 0 is the packet count, word 1 the MTU. Neither
		 * value is range-checked here.
		 */
		hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
		hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
		break;

	case HCISETSCOMTU:
		/* Same two-word layout as HCISETACLMTU */
		hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
		hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
		break;

	default:
		err = -EINVAL;
		break;
	}

done:
	hci_dev_put(hdev);
	return err;
}

/* HCIGETDEVLIST ioctl backend. The user-supplied dev_num is untrusted and
 * is bounded to what fits in two pages before the flexible array is
 * allocated; only the entries actually filled (n) are copied back, via
 * struct_size(), so the copy never exceeds the allocation.
 */
int hci_get_dev_list(void __user *arg)
{
	struct hci_dev *hdev;
	struct hci_dev_list_req *dl;
	struct hci_dev_req *dr;
	int n = 0, err;
	__u16 dev_num;

	if (get_user(dev_num, (__u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
		return -EINVAL;

	dl = kzalloc_flex(*dl, dev_req, dev_num);
	if (!dl)
		return -ENOMEM;

	dl->dev_num = dev_num;
	dr = dl->dev_req;

	read_lock(&hci_dev_list_lock);
	list_for_each_entry(hdev, &hci_dev_list, list) {
		unsigned long flags = hdev->flags;

		/* When the auto-off is configured it means the transport
		 * is running, but in that case still indicate that the
		 * device is actually down.
		 */
		if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
			flags &= ~BIT(HCI_UP);

		dr[n].dev_id  = hdev->id;
		dr[n].dev_opt = flags;

		if (++n >= dev_num)
			break;
	}
	read_unlock(&hci_dev_list_lock);

	dl->dev_num = n;
	err = copy_to_user(arg, dl, struct_size(dl, dev_req, n));
	kfree(dl);

	return err ? -EFAULT : 0;
}

/* HCIGETDEVINFO ioctl backend: fill a struct hci_dev_info for the device
 * named by di.dev_id. For LE-only controllers the LE MTU/packet counts are
 * reported in the ACL fields and the SCO fields are zero.
 */
int hci_get_dev_info(void __user *arg)
{
	struct hci_dev *hdev;
	struct hci_dev_info di;
	unsigned long flags;
	int err = 0;

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	hdev = hci_dev_get(di.dev_id);
	if (!hdev)
		return -ENODEV;

	/* When the auto-off is configured it means the transport
	 * is running, but in that case still indicate that the
	 * device is actually down.
	 */
	if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
		flags = hdev->flags & ~BIT(HCI_UP);
	else
		flags = hdev->flags;

	strscpy(di.name, hdev->name, sizeof(di.name));
	di.bdaddr   = hdev->bdaddr;
	di.type     = (hdev->bus & 0x0f);
	di.flags    = flags;
	di.pkt_type = hdev->pkt_type;
	if (lmp_bredr_capable(hdev)) {
		di.acl_mtu  = hdev->acl_mtu;
		di.acl_pkts = hdev->acl_pkts;
		di.sco_mtu  = hdev->sco_mtu;
		di.sco_pkts = hdev->sco_pkts;
	} else {
		di.acl_mtu  = hdev->le_mtu;
		di.acl_pkts = hdev->le_pkts;
		di.sco_mtu  = 0;
		di.sco_pkts = 0;
	}
	di.link_policy = hdev->link_policy;
	di.link_mode   = hdev->link_mode;

	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
	memcpy(&di.features, &hdev->features, sizeof(di.features));

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	hci_dev_put(hdev);

	return err;
}

/* ---- Interface to HCI drivers ---- */

/* Power the controller off under the request-sync lock. Returns the
 * result of hci_set_powered_sync().
 */
static int hci_dev_do_poweroff(struct hci_dev *hdev)
{
	int err;

	BT_DBG("%s %p", hdev->name, hdev);

	hci_req_sync_lock(hdev);

	err = hci_set_powered_sync(hdev, false);

	hci_req_sync_unlock(hdev);

	return err;
}

/* rfkill set_block callback. Refused with -EBUSY for user-channel
 * devices; a no-op when the requested state already matches
 * HCI_RFKILLED. Blocking a device that is past setup/config powers it
 * off, falling back to a plain close if the power-off fails. Unblocking
 * only clears the flag; powering back on is left to other paths.
 */
static int hci_rfkill_set_block(void *data, bool blocked)
{
	struct hci_dev *hdev = data;
	int err;

	BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);

	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
		return -EBUSY;

	if (blocked == hci_dev_test_flag(hdev, HCI_RFKILLED))
		return 0;

	if (blocked) {
		hci_dev_set_flag(hdev, HCI_RFKILLED);

		if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
		    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
			err = hci_dev_do_poweroff(hdev);
			if (err) {
				bt_dev_err(hdev, "Error when powering off device on rfkill (%d)",
					   err);

				/* Make sure the device is still closed even if
				 * anything during power off sequence (eg.
				 * disconnecting devices) failed.
				 */
				hci_dev_do_close(hdev);
			}
		}
	} else {
		hci_dev_clear_flag(hdev, HCI_RFKILLED);
	}

	return 0;
}

static const struct rfkill_ops hci_rfkill_ops = {
	.set_block = hci_rfkill_set_block,
};

/* power_on work handler.
 *
 * If the device is already up under mgmt with auto-off armed, the
 * pending auto-off is cancelled and the controller is re-synchronised
 * instead of re-opened. Otherwise the device is opened; a failure is
 * reported to mgmt. After a successful open, conditions that were
 * tolerated during setup (rfkill, unconfigured, no usable address) are
 * re-checked and force the device back down; with auto-off armed a
 * delayed power-off is scheduled. Finally the end of the SETUP or CONFIG
 * phase is announced to mgmt via Index Added.
 */
static void hci_power_on(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
	int err;

	BT_DBG("%s", hdev->name);

	if (test_bit(HCI_UP, &hdev->flags) &&
	    hci_dev_test_flag(hdev, HCI_MGMT) &&
	    hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
		cancel_delayed_work(&hdev->power_off);
		err = hci_powered_update_sync(hdev);
		mgmt_power_on(hdev, err);
		return;
	}

	err = hci_dev_do_open(hdev);
	if (err < 0) {
		hci_dev_lock(hdev);
		mgmt_set_powered_failed(hdev, err);
		hci_dev_unlock(hdev);
		return;
	}

	/* During the HCI setup phase, a few error conditions are
	 * ignored and they need to be checked now. If they are still
	 * valid, it is important to turn the device back off.
	 */
	if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
	    hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
	    (!bacmp(&hdev->bdaddr, BDADDR_ANY) &&
	     !bacmp(&hdev->static_addr, BDADDR_ANY))) {
		hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
		hci_dev_do_close(hdev);
	} else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
				   HCI_AUTO_OFF_TIMEOUT);
	}

	if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
		/* For unconfigured devices, set the HCI_RAW flag
		 * so that userspace can easily identify them.
		 */
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
			set_bit(HCI_RAW, &hdev->flags);

		/* For fully configured devices, this will send
		 * the Index Added event. For unconfigured devices,
		 * it will send Unconfigured Index Added event.
		 *
		 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
		 * and no event will be sent.
		 */
		mgmt_index_added(hdev);
	} else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
		/* When the controller is now configured, then it
		 * is important to clear the HCI_RAW flag.
		 */
		if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
			clear_bit(HCI_RAW, &hdev->flags);

		/* Powering on the controller with HCI_CONFIG set only
		 * happens with the transition from unconfigured to
		 * configured. This will send the Index Added event.
		 */
		mgmt_index_added(hdev);
	}
}

/* power_off delayed-work handler: simply closes the device. */
static void hci_power_off(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev,
					    power_off.work);

	BT_DBG("%s", hdev->name);

	hci_dev_do_close(hdev);
}

/* error_reset work handler: report the hardware error (via the driver's
 * hw_error hook when it provides one), then bounce the device with a
 * close followed by an open. The open is skipped if the close fails.
 * A reference is held for the duration since the work runs detached.
 */
static void hci_error_reset(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);

	hci_dev_hold(hdev);
	BT_DBG("%s", hdev->name);

	if (hdev->hw_error)
		hdev->hw_error(hdev, hdev->hw_error_code);
	else
		bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code);

	if (!hci_dev_do_close(hdev))
		hci_dev_do_open(hdev);

	hci_dev_put(hdev);
}

/* Free all registered service UUIDs. */
void hci_uuids_clear(struct hci_dev *hdev)
{
	struct bt_uuid *uuid, *tmp;

	list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
		list_del(&uuid->list);
		kfree(uuid);
	}
}

/* Remove all BR/EDR link keys. Entries are unlinked RCU-safely and freed
 * after a grace period so concurrent RCU readers stay valid.
 */
void hci_link_keys_clear(struct hci_dev *hdev)
{
	struct link_key *key, *tmp;

	list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
		list_del_rcu(&key->list);
		kfree_rcu(key, rcu);
	}
}

/* Remove all LE long-term keys (RCU-deferred free, as above). */
void hci_smp_ltks_clear(struct hci_dev *hdev)
{
	struct smp_ltk *k, *tmp;

	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
		list_del_rcu(&k->list);
		kfree_rcu(k, rcu);
	}
}

/* Remove all identity resolving keys (RCU-deferred free, as above). */
void hci_smp_irks_clear(struct hci_dev *hdev)
{
	struct smp_irk *k, *tmp;

	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
		list_del_rcu(&k->list);
		kfree_rcu(k, rcu);
	}
}

/* Remove all entries from the blocked-key list (RCU-deferred free). */
void hci_blocked_keys_clear(struct hci_dev *hdev)
{
	struct blocked_key *b, *tmp;

	list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
		list_del_rcu(&b->list);
		kfree_rcu(b, rcu);
	}
}

/* Check whether key material @val of kind @type (HCI_BLOCKED_KEY_TYPE_*)
 * is on the blocked list. A match requires both the type and a full
 * byte-wise comparison against the stored value. Walks the list under
 * rcu_read_lock().
 */
bool hci_is_blocked_key(struct hci_dev *hdev, u8 type, u8 val[16])
{
	bool blocked = false;
	struct blocked_key *b;

	rcu_read_lock();
	list_for_each_entry_rcu(b, &hdev->blocked_keys, list) {
		if (b->type == type && !memcmp(b->val, val, sizeof(b->val))) {
			blocked = true;
			break;
		}
	}

	rcu_read_unlock();
	return blocked;
}

/* Find the link key stored for @bdaddr. A key that appears on the
 * blocked-key list is treated as absent (NULL) and logged, rate-limited.
 *
 * NOTE(review): the entry is returned after rcu_read_unlock(); its
 * lifetime therefore relies on the caller's serialisation against
 * removal — presumably hci_dev_lock, confirm at call sites.
 */
struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
{
	struct link_key *k;

	rcu_read_lock();
	list_for_each_entry_rcu(k, &hdev->link_keys, list) {
		if (bacmp(bdaddr, &k->bdaddr) == 0) {
			rcu_read_unlock();

			if (hci_is_blocked_key(hdev,
					       HCI_BLOCKED_KEY_TYPE_LINKKEY,
					       k->val)) {
				bt_dev_warn_ratelimited(hdev,
							"Link key blocked for %pMR",
							&k->bdaddr);
				return NULL;
			}

			return k;
		}
	}
	rcu_read_unlock();

	return NULL;
}

/* Decide whether a newly generated link key of @key_type should be kept
 * across reboots, given the connection it was created on and the type of
 * any key it replaces (@old_key_type, 0xff when there was none).
 * Debug combination keys are never persisted because they are derived
 * from a publicly known private key.
 */
static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
			       u8 key_type, u8 old_key_type)
{
	/* Legacy key */
	if (key_type < 0x03)
		return true;

	/* Debug keys are insecure so don't store them persistently */
	if (key_type == HCI_LK_DEBUG_COMBINATION)
		return false;

	/* Changed combination key and there's no previous one */
	if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
		return false;

	/* Security mode 3 case */
	if (!conn)
		return true;

	/* BR/EDR key derived using SC from an LE link */
	if (conn->type == LE_LINK)
		return true;

	/* Neither local nor remote side had no-bonding as requirement */
	if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
		return true;

	/* Local side had dedicated bonding as requirement */
	if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
		return true;

	/* Remote side had dedicated bonding as requirement */
	if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
		return true;

	/* If none of the above criteria match, then don't store the key
	 * persistently */
	return false;
}

/* Map an LTK type to the local role it is valid for: SMP_LTK keys are
 * used when we are central (master), every other type when peripheral.
 */
static u8 ltk_role(u8 type)
{
	if (type == SMP_LTK)
		return HCI_ROLE_MASTER;

	return HCI_ROLE_SLAVE;
}

/* Find the LTK for @bdaddr/@addr_type usable in @role. Secure Connections
 * LTKs match either role; legacy LTKs must match the role derived from
 * their type. A blocked key is returned as NULL and logged.
 *
 * NOTE(review): as in hci_find_link_key(), the pointer is returned after
 * rcu_read_unlock(), so callers must serialise against removal.
 */
struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
			     u8 addr_type, u8 role)
{
	struct smp_ltk *k;

	rcu_read_lock();
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
		if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
			continue;

		if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
			rcu_read_unlock();

			if (hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_LTK,
					       k->val)) {
				bt_dev_warn_ratelimited(hdev,
							"LTK blocked for %pMR",
							&k->bdaddr);
				return NULL;
			}

			return k;
		}
	}
	rcu_read_unlock();

	return NULL;
}

/* Resolve a resolvable private address to its IRK. The cached rpa field
 * is checked first; failing that every IRK is tried cryptographically via
 * smp_irk_matches() and, on success, the RPA is cached on that entry.
 * Blocked IRKs are reported as NULL. The whole lookup, including the
 * blocked-key check, runs inside one RCU read-side section.
 */
struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
{
	struct smp_irk *irk_to_return = NULL;
	struct smp_irk *irk;

	rcu_read_lock();
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
		if (!bacmp(&irk->rpa, rpa)) {
			irk_to_return = irk;
			goto done;
		}
	}

	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
		if (smp_irk_matches(hdev, irk->val, rpa)) {
			bacpy(&irk->rpa, rpa);
			irk_to_return = irk;
			goto done;
		}
	}

done:
	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
						irk_to_return->val)) {
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
					&irk_to_return->bdaddr);
		irk_to_return = NULL;
	}

	rcu_read_unlock();

	return irk_to_return;
}

/* Find the IRK stored for an identity address. Random addresses are only
 * accepted when the top two bits mark them as static (0b11); other random
 * sub-types are rejected up front. Blocked IRKs are reported as NULL.
 */
struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
				     u8 addr_type)
{
	struct smp_irk *irk_to_return = NULL;
	struct smp_irk *irk;

	/* Identity Address must be public or static random */
	if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
		return NULL;

	rcu_read_lock();
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
		if (addr_type == irk->addr_type &&
		    bacmp(bdaddr, &irk->bdaddr) == 0) {
			irk_to_return = irk;
			break;
		}
	}

	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
						irk_to_return->val)) {
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
					&irk_to_return->bdaddr);
		irk_to_return = NULL;
	}

	rcu_read_unlock();

	return irk_to_return;
}

/* Store (or replace) the BR/EDR link key for @bdaddr.
 *
 * An existing entry is updated in place; otherwise a new one is allocated
 * and linked RCU-safely. @val must hold HCI_LINK_KEY_SIZE bytes. If
 * @persistent is non-NULL it receives hci_persistent_key()'s verdict so
 * the caller can decide whether to hand the key to userspace for storage.
 * Returns the entry, or NULL on allocation failure.
 */
struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
				  bdaddr_t *bdaddr, u8 *val, u8 type,
				  u8 pin_len, bool *persistent)
{
	struct link_key *key, *old_key;
	u8 old_key_type;

	old_key = hci_find_link_key(hdev, bdaddr);
	if (old_key) {
		old_key_type = old_key->type;
		key = old_key;
	} else {
		old_key_type = conn ? conn->key_type : 0xff;
		key = kzalloc_obj(*key);
		if (!key)
			return NULL;
		list_add_rcu(&key->list, &hdev->link_keys);
	}

	BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);

	/* Some buggy controller combinations generate a changed
	 * combination key for legacy pairing even when there's no
	 * previous key */
	if (type == HCI_LK_CHANGED_COMBINATION &&
	    (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
		type = HCI_LK_COMBINATION;
		if (conn)
			conn->key_type = type;
	}

	bacpy(&key->bdaddr, bdaddr);
	memcpy(key->val, val, HCI_LINK_KEY_SIZE);
	key->pin_len = pin_len;

	/* A changed combination key keeps the type of the key it replaces */
	if (type == HCI_LK_CHANGED_COMBINATION)
		key->type = old_key_type;
	else
		key->type = type;

	if (persistent)
		*persistent = hci_persistent_key(hdev, conn, type,
						 old_key_type);

	return key;
}

/* Store (or replace) an LE long-term key. The existing entry to replace
 * is located by address, address type and the role implied by @type.
 * Returns the entry, or NULL on allocation failure.
 */
struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
			    u8 addr_type, u8 type, u8 authenticated,
			    u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
{
	struct smp_ltk *key, *old_key;
	u8 role = ltk_role(type);

	old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
	if (old_key)
		key = old_key;
	else {
		key = kzalloc_obj(*key);
		if (!key)
			return NULL;
		list_add_rcu(&key->list, &hdev->long_term_keys);
	}

	bacpy(&key->bdaddr, bdaddr);
	key->bdaddr_type = addr_type;
	memcpy(key->val, tk, sizeof(key->val));
	key->authenticated = authenticated;
	key->ediv = ediv;
	key->rand = rand;
	key->enc_size = enc_size;
	key->type = type;

	return key;
}

/* Store (or replace) the IRK for an identity address, recording @rpa as
 * the RPA most recently seen for it. Returns the entry, or NULL on
 * allocation failure.
 */
struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
			    u8 addr_type, u8 val[16], bdaddr_t *rpa)
{
	struct smp_irk *irk;

	irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
	if (!irk) {
		irk = kzalloc_obj(*irk);
		if (!irk)
			return NULL;

		bacpy(&irk->bdaddr, bdaddr);
		irk->addr_type = addr_type;

		list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
	}

	memcpy(irk->val, val, 16);
	bacpy(&irk->rpa, rpa);

	return irk;
}

/* Remove the link key for @bdaddr. Returns -ENOENT when there is none
 * (a blocked key counts as absent, see hci_find_link_key()).
 */
int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
{
	struct link_key *key;

	key = hci_find_link_key(hdev, bdaddr);
	if (!key)
		return -ENOENT;

	BT_DBG("%s removing %pMR", hdev->name, bdaddr);

	list_del_rcu(&key->list);
	kfree_rcu(key, rcu);

	return 0;
}

/* Remove every LTK for @bdaddr/@bdaddr_type regardless of role or type.
 * Returns 0 if at least one was removed, -ENOENT otherwise.
 */
int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
{
	struct smp_ltk *k, *tmp;
	int removed = 0;

	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
		if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
			continue;

		BT_DBG("%s removing %pMR", hdev->name, bdaddr);

		list_del_rcu(&k->list);
		kfree_rcu(k, rcu);
		removed++;
	}

	return removed ? 0 : -ENOENT;
}

/* Remove every IRK for @bdaddr/@addr_type. Silently does nothing when
 * there is none.
 */
void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
{
	struct smp_irk *k, *tmp;

	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
		if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
			continue;

		BT_DBG("%s removing %pMR", hdev->name, bdaddr);

		list_del_rcu(&k->list);
		kfree_rcu(k, rcu);
	}
}

/* True when a bond exists with @bdaddr of mgmt address type @type: a
 * link key for BR/EDR, or any LTK for LE. For LE the address is first
 * mapped through the IRK table so that a bond stored under the identity
 * address is found for a matching RPA.
 */
bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
{
	struct smp_ltk *k;
	struct smp_irk *irk;
	u8 addr_type;

	if (type == BDADDR_BREDR) {
		if (hci_find_link_key(hdev, bdaddr))
			return true;
		return false;
	}

	/* Convert to HCI addr type which struct smp_ltk uses */
	if (type == BDADDR_LE_PUBLIC)
		addr_type = ADDR_LE_DEV_PUBLIC;
	else
		addr_type = ADDR_LE_DEV_RANDOM;

	irk = hci_get_irk(hdev, bdaddr, addr_type);
	if (irk) {
		bdaddr = &irk->bdaddr;
		addr_type = irk->addr_type;
	}

	rcu_read_lock();
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
		if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
			rcu_read_unlock();
			return true;
		}
	}
	rcu_read_unlock();

	return false;
}

/* HCI command timer function.
 *
 * Runs when the controller has not answered the outstanding command in
 * time. The pending request (if any) is cancelled with ETIMEDOUT, the
 * driver's reset hook is invoked when present, and the command credit is
 * restored to 1 so the command work can make progress again.
 */
static void hci_cmd_timeout(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev,
					    cmd_timer.work);

	if (hdev->req_skb) {
		u16 opcode = hci_skb_opcode(hdev->req_skb);

		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);

		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
	} else {
		bt_dev_err(hdev, "command tx timeout");
	}

	if (hdev->reset)
		hdev->reset(hdev);

	atomic_set(&hdev->cmd_cnt, 1);
	queue_work(hdev->workqueue, &hdev->cmd_work);
}

/* HCI ncmd timer function */
static void
hci_ncmd_timeout(struct work_struct *work) 1446 { 1447 struct hci_dev *hdev = container_of(work, struct hci_dev, 1448 ncmd_timer.work); 1449 1450 bt_dev_err(hdev, "Controller not accepting commands anymore: ncmd = 0"); 1451 1452 /* During HCI_INIT phase no events can be injected if the ncmd timer 1453 * triggers since the procedure has its own timeout handling. 1454 */ 1455 if (test_bit(HCI_INIT, &hdev->flags)) 1456 return; 1457 1458 /* This is an irrecoverable state, inject hardware error event */ 1459 hci_reset_dev(hdev); 1460 } 1461 1462 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev, 1463 bdaddr_t *bdaddr, u8 bdaddr_type) 1464 { 1465 struct oob_data *data; 1466 1467 list_for_each_entry(data, &hdev->remote_oob_data, list) { 1468 if (bacmp(bdaddr, &data->bdaddr) != 0) 1469 continue; 1470 if (data->bdaddr_type != bdaddr_type) 1471 continue; 1472 return data; 1473 } 1474 1475 return NULL; 1476 } 1477 1478 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, 1479 u8 bdaddr_type) 1480 { 1481 struct oob_data *data; 1482 1483 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type); 1484 if (!data) 1485 return -ENOENT; 1486 1487 BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type); 1488 1489 list_del(&data->list); 1490 kfree(data); 1491 1492 return 0; 1493 } 1494 1495 void hci_remote_oob_data_clear(struct hci_dev *hdev) 1496 { 1497 struct oob_data *data, *n; 1498 1499 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) { 1500 list_del(&data->list); 1501 kfree(data); 1502 } 1503 } 1504 1505 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, 1506 u8 bdaddr_type, u8 *hash192, u8 *rand192, 1507 u8 *hash256, u8 *rand256) 1508 { 1509 struct oob_data *data; 1510 1511 data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type); 1512 if (!data) { 1513 data = kmalloc_obj(*data); 1514 if (!data) 1515 return -ENOMEM; 1516 1517 bacpy(&data->bdaddr, bdaddr); 1518 data->bdaddr_type = bdaddr_type; 1519 
list_add(&data->list, &hdev->remote_oob_data); 1520 } 1521 1522 if (hash192 && rand192) { 1523 memcpy(data->hash192, hash192, sizeof(data->hash192)); 1524 memcpy(data->rand192, rand192, sizeof(data->rand192)); 1525 if (hash256 && rand256) 1526 data->present = 0x03; 1527 } else { 1528 memset(data->hash192, 0, sizeof(data->hash192)); 1529 memset(data->rand192, 0, sizeof(data->rand192)); 1530 if (hash256 && rand256) 1531 data->present = 0x02; 1532 else 1533 data->present = 0x00; 1534 } 1535 1536 if (hash256 && rand256) { 1537 memcpy(data->hash256, hash256, sizeof(data->hash256)); 1538 memcpy(data->rand256, rand256, sizeof(data->rand256)); 1539 } else { 1540 memset(data->hash256, 0, sizeof(data->hash256)); 1541 memset(data->rand256, 0, sizeof(data->rand256)); 1542 if (hash192 && rand192) 1543 data->present = 0x01; 1544 } 1545 1546 BT_DBG("%s for %pMR", hdev->name, bdaddr); 1547 1548 return 0; 1549 } 1550 1551 /* This function requires the caller holds hdev->lock */ 1552 struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance) 1553 { 1554 struct adv_info *adv_instance; 1555 1556 list_for_each_entry(adv_instance, &hdev->adv_instances, list) { 1557 if (adv_instance->instance == instance) 1558 return adv_instance; 1559 } 1560 1561 return NULL; 1562 } 1563 1564 /* This function requires the caller holds hdev->lock */ 1565 struct adv_info *hci_find_adv_sid(struct hci_dev *hdev, u8 sid) 1566 { 1567 struct adv_info *adv; 1568 1569 list_for_each_entry(adv, &hdev->adv_instances, list) { 1570 if (adv->sid == sid) 1571 return adv; 1572 } 1573 1574 return NULL; 1575 } 1576 1577 /* This function requires the caller holds hdev->lock */ 1578 struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance) 1579 { 1580 struct adv_info *cur_instance; 1581 1582 cur_instance = hci_find_adv_instance(hdev, instance); 1583 if (!cur_instance) 1584 return NULL; 1585 1586 if (cur_instance == list_last_entry(&hdev->adv_instances, 1587 struct adv_info, list)) 1588 return 
list_first_entry(&hdev->adv_instances, 1589 struct adv_info, list); 1590 else 1591 return list_next_entry(cur_instance, list); 1592 } 1593 1594 /* This function requires the caller holds hdev->lock */ 1595 int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance) 1596 { 1597 struct adv_info *adv_instance; 1598 1599 adv_instance = hci_find_adv_instance(hdev, instance); 1600 if (!adv_instance) 1601 return -ENOENT; 1602 1603 BT_DBG("%s removing %dMR", hdev->name, instance); 1604 1605 if (hdev->cur_adv_instance == instance) { 1606 if (hdev->adv_instance_timeout) { 1607 cancel_delayed_work(&hdev->adv_instance_expire); 1608 hdev->adv_instance_timeout = 0; 1609 } 1610 hdev->cur_adv_instance = 0x00; 1611 } 1612 1613 cancel_delayed_work_sync(&adv_instance->rpa_expired_cb); 1614 1615 list_del(&adv_instance->list); 1616 kfree(adv_instance); 1617 1618 hdev->adv_instance_cnt--; 1619 1620 return 0; 1621 } 1622 1623 void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired) 1624 { 1625 struct adv_info *adv_instance, *n; 1626 1627 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) 1628 adv_instance->rpa_expired = rpa_expired; 1629 } 1630 1631 /* This function requires the caller holds hdev->lock */ 1632 void hci_adv_instances_clear(struct hci_dev *hdev) 1633 { 1634 struct adv_info *adv_instance, *n; 1635 1636 if (hdev->adv_instance_timeout) { 1637 disable_delayed_work(&hdev->adv_instance_expire); 1638 hdev->adv_instance_timeout = 0; 1639 } 1640 1641 list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) { 1642 disable_delayed_work_sync(&adv_instance->rpa_expired_cb); 1643 list_del(&adv_instance->list); 1644 kfree(adv_instance); 1645 } 1646 1647 hdev->adv_instance_cnt = 0; 1648 hdev->cur_adv_instance = 0x00; 1649 } 1650 1651 static void adv_instance_rpa_expired(struct work_struct *work) 1652 { 1653 struct adv_info *adv_instance = container_of(work, struct adv_info, 1654 rpa_expired_cb.work); 1655 1656 BT_DBG(""); 1657 1658 
adv_instance->rpa_expired = true; 1659 } 1660 1661 /* This function requires the caller holds hdev->lock */ 1662 struct adv_info *hci_add_adv_instance(struct hci_dev *hdev, u8 instance, 1663 u32 flags, u16 adv_data_len, u8 *adv_data, 1664 u16 scan_rsp_len, u8 *scan_rsp_data, 1665 u16 timeout, u16 duration, s8 tx_power, 1666 u32 min_interval, u32 max_interval, 1667 u8 mesh_handle) 1668 { 1669 struct adv_info *adv; 1670 1671 adv = hci_find_adv_instance(hdev, instance); 1672 if (adv) { 1673 memset(adv->adv_data, 0, sizeof(adv->adv_data)); 1674 memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data)); 1675 memset(adv->per_adv_data, 0, sizeof(adv->per_adv_data)); 1676 } else { 1677 if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets || 1678 instance < 1 || instance > hdev->le_num_of_adv_sets + 1) 1679 return ERR_PTR(-EOVERFLOW); 1680 1681 adv = kzalloc_obj(*adv); 1682 if (!adv) 1683 return ERR_PTR(-ENOMEM); 1684 1685 adv->pending = true; 1686 adv->instance = instance; 1687 1688 /* If controller support only one set and the instance is set to 1689 * 1 then there is no option other than using handle 0x00. 1690 */ 1691 if (hdev->le_num_of_adv_sets == 1 && instance == 1) 1692 adv->handle = 0x00; 1693 else 1694 adv->handle = instance; 1695 1696 list_add(&adv->list, &hdev->adv_instances); 1697 hdev->adv_instance_cnt++; 1698 } 1699 1700 adv->flags = flags; 1701 adv->min_interval = min_interval; 1702 adv->max_interval = max_interval; 1703 adv->tx_power = tx_power; 1704 /* Defining a mesh_handle changes the timing units to ms, 1705 * rather than seconds, and ties the instance to the requested 1706 * mesh_tx queue. 
1707 */ 1708 adv->mesh = mesh_handle; 1709 1710 hci_set_adv_instance_data(hdev, instance, adv_data_len, adv_data, 1711 scan_rsp_len, scan_rsp_data); 1712 1713 adv->timeout = timeout; 1714 adv->remaining_time = timeout; 1715 1716 if (duration == 0) 1717 adv->duration = hdev->def_multi_adv_rotation_duration; 1718 else 1719 adv->duration = duration; 1720 1721 INIT_DELAYED_WORK(&adv->rpa_expired_cb, adv_instance_rpa_expired); 1722 1723 BT_DBG("%s for %dMR", hdev->name, instance); 1724 1725 return adv; 1726 } 1727 1728 /* This function requires the caller holds hdev->lock */ 1729 struct adv_info *hci_add_per_instance(struct hci_dev *hdev, u8 instance, u8 sid, 1730 u32 flags, u8 data_len, u8 *data, 1731 u32 min_interval, u32 max_interval) 1732 { 1733 struct adv_info *adv; 1734 1735 adv = hci_add_adv_instance(hdev, instance, flags, 0, NULL, 0, NULL, 1736 0, 0, HCI_ADV_TX_POWER_NO_PREFERENCE, 1737 min_interval, max_interval, 0); 1738 if (IS_ERR(adv)) 1739 return adv; 1740 1741 adv->sid = sid; 1742 adv->periodic = true; 1743 adv->per_adv_data_len = data_len; 1744 1745 if (data) 1746 memcpy(adv->per_adv_data, data, data_len); 1747 1748 return adv; 1749 } 1750 1751 /* This function requires the caller holds hdev->lock */ 1752 int hci_set_adv_instance_data(struct hci_dev *hdev, u8 instance, 1753 u16 adv_data_len, u8 *adv_data, 1754 u16 scan_rsp_len, u8 *scan_rsp_data) 1755 { 1756 struct adv_info *adv; 1757 1758 adv = hci_find_adv_instance(hdev, instance); 1759 1760 /* If advertisement doesn't exist, we can't modify its data */ 1761 if (!adv) 1762 return -ENOENT; 1763 1764 if (adv_data_len && ADV_DATA_CMP(adv, adv_data, adv_data_len)) { 1765 memset(adv->adv_data, 0, sizeof(adv->adv_data)); 1766 memcpy(adv->adv_data, adv_data, adv_data_len); 1767 adv->adv_data_len = adv_data_len; 1768 adv->adv_data_changed = true; 1769 } 1770 1771 if (scan_rsp_len && SCAN_RSP_CMP(adv, scan_rsp_data, scan_rsp_len)) { 1772 memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data)); 1773 
memcpy(adv->scan_rsp_data, scan_rsp_data, scan_rsp_len); 1774 adv->scan_rsp_len = scan_rsp_len; 1775 adv->scan_rsp_changed = true; 1776 } 1777 1778 /* Mark as changed if there are flags which would affect it */ 1779 if (((adv->flags & MGMT_ADV_FLAG_APPEARANCE) && hdev->appearance) || 1780 adv->flags & MGMT_ADV_FLAG_LOCAL_NAME) 1781 adv->scan_rsp_changed = true; 1782 1783 return 0; 1784 } 1785 1786 /* This function requires the caller holds hdev->lock */ 1787 u32 hci_adv_instance_flags(struct hci_dev *hdev, u8 instance) 1788 { 1789 u32 flags; 1790 struct adv_info *adv; 1791 1792 if (instance == 0x00) { 1793 /* Instance 0 always manages the "Tx Power" and "Flags" 1794 * fields 1795 */ 1796 flags = MGMT_ADV_FLAG_TX_POWER | MGMT_ADV_FLAG_MANAGED_FLAGS; 1797 1798 /* For instance 0, the HCI_ADVERTISING_CONNECTABLE setting 1799 * corresponds to the "connectable" instance flag. 1800 */ 1801 if (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) 1802 flags |= MGMT_ADV_FLAG_CONNECTABLE; 1803 1804 if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE)) 1805 flags |= MGMT_ADV_FLAG_LIMITED_DISCOV; 1806 else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) 1807 flags |= MGMT_ADV_FLAG_DISCOV; 1808 1809 return flags; 1810 } 1811 1812 adv = hci_find_adv_instance(hdev, instance); 1813 1814 /* Return 0 when we got an invalid instance identifier. */ 1815 if (!adv) 1816 return 0; 1817 1818 return adv->flags; 1819 } 1820 1821 bool hci_adv_instance_is_scannable(struct hci_dev *hdev, u8 instance) 1822 { 1823 struct adv_info *adv; 1824 1825 /* Instance 0x00 always set local name */ 1826 if (instance == 0x00) 1827 return true; 1828 1829 adv = hci_find_adv_instance(hdev, instance); 1830 if (!adv) 1831 return false; 1832 1833 if (adv->flags & MGMT_ADV_FLAG_APPEARANCE || 1834 adv->flags & MGMT_ADV_FLAG_LOCAL_NAME) 1835 return true; 1836 1837 return adv->scan_rsp_len ? 
true : false; 1838 } 1839 1840 /* This function requires the caller holds hdev->lock */ 1841 void hci_adv_monitors_clear(struct hci_dev *hdev) 1842 { 1843 struct adv_monitor *monitor; 1844 int handle; 1845 1846 idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle) 1847 hci_free_adv_monitor(hdev, monitor); 1848 1849 idr_destroy(&hdev->adv_monitors_idr); 1850 } 1851 1852 /* Frees the monitor structure and do some bookkeepings. 1853 * This function requires the caller holds hdev->lock. 1854 */ 1855 void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor) 1856 { 1857 struct adv_pattern *pattern; 1858 struct adv_pattern *tmp; 1859 1860 if (!monitor) 1861 return; 1862 1863 list_for_each_entry_safe(pattern, tmp, &monitor->patterns, list) { 1864 list_del(&pattern->list); 1865 kfree(pattern); 1866 } 1867 1868 if (monitor->handle) 1869 idr_remove(&hdev->adv_monitors_idr, monitor->handle); 1870 1871 if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED) 1872 hdev->adv_monitors_cnt--; 1873 1874 kfree(monitor); 1875 } 1876 1877 /* Assigns handle to a monitor, and if offloading is supported and power is on, 1878 * also attempts to forward the request to the controller. 1879 * This function requires the caller holds hci_req_sync_lock. 
1880 */ 1881 int hci_add_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor) 1882 { 1883 int min, max, handle; 1884 int status = 0; 1885 1886 if (!monitor) 1887 return -EINVAL; 1888 1889 hci_dev_lock(hdev); 1890 1891 min = HCI_MIN_ADV_MONITOR_HANDLE; 1892 max = HCI_MIN_ADV_MONITOR_HANDLE + HCI_MAX_ADV_MONITOR_NUM_HANDLES; 1893 handle = idr_alloc(&hdev->adv_monitors_idr, monitor, min, max, 1894 GFP_KERNEL); 1895 1896 hci_dev_unlock(hdev); 1897 1898 if (handle < 0) 1899 return handle; 1900 1901 monitor->handle = handle; 1902 1903 if (!hdev_is_powered(hdev)) 1904 return status; 1905 1906 switch (hci_get_adv_monitor_offload_ext(hdev)) { 1907 case HCI_ADV_MONITOR_EXT_NONE: 1908 bt_dev_dbg(hdev, "add monitor %d status %d", 1909 monitor->handle, status); 1910 /* Message was not forwarded to controller - not an error */ 1911 break; 1912 1913 case HCI_ADV_MONITOR_EXT_MSFT: 1914 status = msft_add_monitor_pattern(hdev, monitor); 1915 bt_dev_dbg(hdev, "add monitor %d msft status %d", 1916 handle, status); 1917 break; 1918 } 1919 1920 return status; 1921 } 1922 1923 /* Attempts to tell the controller and free the monitor. If somehow the 1924 * controller doesn't have a corresponding handle, remove anyway. 1925 * This function requires the caller holds hci_req_sync_lock. 
*/
/* Remove @monitor, asking the controller to drop it first when the MSFT
 * offload extension is available.  The monitor is freed when no offload
 * is present (which is also the powered-off case) or when the controller
 * reports -ENOENT for it; any other non-zero offload status leaves the
 * monitor allocated and is returned to the caller.
 *
 * Returns 0 on success or the offload status (including -ENOENT, which is
 * still returned after the monitor has been freed).
 */
static int hci_remove_adv_monitor(struct hci_dev *hdev,
				  struct adv_monitor *monitor)
{
	int status = 0;
	int handle;

	switch (hci_get_adv_monitor_offload_ext(hdev)) {
	case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
		bt_dev_dbg(hdev, "remove monitor %d status %d",
			   monitor->handle, status);
		goto free_monitor;

	case HCI_ADV_MONITOR_EXT_MSFT:
		/* Keep a copy: msft_remove_monitor() may free the monitor. */
		handle = monitor->handle;
		status = msft_remove_monitor(hdev, monitor);
		bt_dev_dbg(hdev, "remove monitor %d msft status %d",
			   handle, status);
		break;
	}

	/* In case no matching handle registered, just free the monitor */
	if (status == -ENOENT)
		goto free_monitor;

	return status;

free_monitor:
	if (status == -ENOENT)
		bt_dev_warn(hdev, "Removing monitor with no matching handle %d",
			    monitor->handle);
	hci_free_adv_monitor(hdev, monitor);

	return status;
}

/* This function requires the caller holds hci_req_sync_lock
 *
 * Remove the monitor registered under @handle.
 * Returns -EINVAL for an unknown handle, else hci_remove_adv_monitor()'s
 * result.
 */
int hci_remove_single_adv_monitor(struct hci_dev *hdev, u16 handle)
{
	struct adv_monitor *monitor = idr_find(&hdev->adv_monitors_idr, handle);

	if (!monitor)
		return -EINVAL;

	return hci_remove_adv_monitor(hdev, monitor);
}

/* This function requires the caller holds hci_req_sync_lock
 *
 * Remove every registered monitor in ascending handle order.  The first
 * non-zero status aborts the walk and is returned, leaving the remaining
 * monitors in place.
 */
int hci_remove_all_adv_monitor(struct hci_dev *hdev)
{
	struct adv_monitor *monitor;
	int idr_next_id = 0;
	int status = 0;

	while (1) {
		monitor = idr_get_next(&hdev->adv_monitors_idr, &idr_next_id);
		if (!monitor)
			break;

		status = hci_remove_adv_monitor(hdev, monitor);
		if (status)
			return status;

		idr_next_id++;
	}

	return status;
}

/* This function requires the caller holds hdev->lock
 *
 * True when at least one advertisement monitor is registered.
 */
bool hci_is_adv_monitoring(struct hci_dev *hdev)
{
	return !idr_is_empty(&hdev->adv_monitors_idr);
}

/* Report which monitor offload extension the controller provides:
 * HCI_ADV_MONITOR_EXT_MSFT when the MSFT extension supports monitors,
 * HCI_ADV_MONITOR_EXT_NONE otherwise.
 */
int hci_get_adv_monitor_offload_ext(struct hci_dev *hdev)
{
	if (msft_monitor_supported(hdev))
		return HCI_ADV_MONITOR_EXT_MSFT;

	return HCI_ADV_MONITOR_EXT_NONE;
}

/* Find the struct bdaddr_list entry for @bdaddr/@type in @bdaddr_list,
 * or NULL.
 */
struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
					   bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list *b;

	list_for_each_entry(b, bdaddr_list, list) {
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
			return b;
	}

	return NULL;
}

/* Same as hci_bdaddr_list_lookup() for lists of
 * struct bdaddr_list_with_irk entries.
 */
struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk(
				struct list_head *bdaddr_list, bdaddr_t *bdaddr,
				u8 type)
{
	struct bdaddr_list_with_irk *b;

	list_for_each_entry(b, bdaddr_list, list) {
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
			return b;
	}

	return NULL;
}

/* Same as hci_bdaddr_list_lookup() for lists of
 * struct bdaddr_list_with_flags entries.
 */
struct bdaddr_list_with_flags *
hci_bdaddr_list_lookup_with_flags(struct list_head *bdaddr_list,
				  bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list_with_flags *b;

	list_for_each_entry(b, bdaddr_list, list) {
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
			return b;
	}

	return NULL;
}

/* Unlink and kfree() every entry of @bdaddr_list.
 * NOTE(review): entries are walked as struct bdaddr_list even when the
 * *_with_irk/*_with_flags helpers below call this on their lists; that
 * presumably relies on the embedded list_head sharing its offset across
 * the three entry types — confirm against the struct definitions.
 */
void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
{
	struct bdaddr_list *b, *n;

	list_for_each_entry_safe(b, n, bdaddr_list, list) {
		list_del(&b->list);
		kfree(b);
	}
}

/* Add @bdaddr/@type to @list.
 *
 * Returns 0, -EBADF for BDADDR_ANY (never a valid entry), -EEXIST when
 * the address is already listed, or -ENOMEM.
 */
int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list *entry;

	if (!bacmp(bdaddr, BDADDR_ANY))
		return -EBADF;

	if (hci_bdaddr_list_lookup(list, bdaddr, type))
		return -EEXIST;

	entry = kzalloc_obj(*entry);
	if (!entry)
		return -ENOMEM;

	bacpy(&entry->bdaddr, bdaddr);
	entry->bdaddr_type = type;

	list_add(&entry->list, list);

	return 0;
}

/* Add @bdaddr/@type with optional 16-byte peer and local IRKs to @list.
 * A NULL IRK leaves the corresponding field zeroed (kzalloc_obj()).
 * Same return values as hci_bdaddr_list_add().
 * NOTE(review): the duplicate check uses hci_bdaddr_list_lookup() (struct
 * bdaddr_list) on a list of struct bdaddr_list_with_irk entries; this
 * presumably relies on bdaddr/bdaddr_type/list sharing offsets — confirm.
 */
int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr,
				 u8 type, u8 *peer_irk, u8 *local_irk)
{
	struct bdaddr_list_with_irk *entry;

	if (!bacmp(bdaddr, BDADDR_ANY))
		return -EBADF;

	if (hci_bdaddr_list_lookup(list, bdaddr, type))
		return -EEXIST;

	entry = kzalloc_obj(*entry);
	if (!entry)
		return -ENOMEM;

	bacpy(&entry->bdaddr, bdaddr);
	entry->bdaddr_type = type;

	if (peer_irk)
		memcpy(entry->peer_irk, peer_irk, 16);

	if (local_irk)
		memcpy(entry->local_irk, local_irk, 16);

	list_add(&entry->list, list);

	return 0;
}

/* Add @bdaddr/@type with @flags to @list.
 * Same return values and the same lookup-type caveat as
 * hci_bdaddr_list_add_with_irk().
 */
int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr,
				   u8 type, u32 flags)
{
	struct bdaddr_list_with_flags *entry;

	if (!bacmp(bdaddr, BDADDR_ANY))
		return -EBADF;

	if (hci_bdaddr_list_lookup(list, bdaddr, type))
		return -EEXIST;

	entry = kzalloc_obj(*entry);
	if (!entry)
		return -ENOMEM;

	bacpy(&entry->bdaddr, bdaddr);
	entry->bdaddr_type = type;
	entry->flags = flags;

	list_add(&entry->list, list);

	return 0;
}

/* Remove @bdaddr/@type from @list.  Passing BDADDR_ANY clears the whole
 * list and succeeds regardless of @type.
 *
 * Returns 0, or -ENOENT when the address is not listed.
 */
int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
{
	struct bdaddr_list *entry;

	if (!bacmp(bdaddr, BDADDR_ANY)) {
		hci_bdaddr_list_clear(list);
		return 0;
	}

	entry = hci_bdaddr_list_lookup(list, bdaddr, type);
	if (!entry)
		return -ENOENT;

	list_del(&entry->list);
	kfree(entry);

	return 0;
}

/* hci_bdaddr_list_del() for lists of struct bdaddr_list_with_irk. */
int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr,
				 u8 type)
{
	struct bdaddr_list_with_irk *entry;

	if (!bacmp(bdaddr, BDADDR_ANY)) {
		hci_bdaddr_list_clear(list);
		return 0;
	}

	entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type);
	if (!entry)
		return -ENOENT;

	list_del(&entry->list);
	kfree(entry);

	return 0;
}

/* This function requires the caller holds hdev->lock
 *
 * Find the LE connection parameters for @addr/@addr_type, or NULL.
 */
struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
					       bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *params;

	list_for_each_entry(params, &hdev->le_conn_params, list) {
		if (bacmp(&params->addr, addr) == 0 &&
		    params->addr_type == addr_type) {
			return params;
		}
	}

	return NULL;
}

/* This function requires the caller holds hdev->lock or rcu_read_lock
 *
 * Find @addr/@addr_type in a pending-action list (entries are linked via
 * hci_conn_params::action).  Takes its own RCU read lock for the walk;
 * the returned pointer is only safe to use under the caller's lock.
 */
struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
						  bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *param;

	rcu_read_lock();

	list_for_each_entry_rcu(param, list, action) {
		if (bacmp(&param->addr, addr) == 0 &&
		    param->addr_type == addr_type) {
			rcu_read_unlock();
			return param;
		}
	}

	rcu_read_unlock();

	return NULL;
}

/* This function requires the caller holds hdev->lock
 *
 * Unlink @param from whichever pending-action list it is on and leave
 * ->action re-initialised (empty).  synchronize_rcu() ensures no RCU
 * reader still references the node before it is re-initialised.
 * No-op when the node is not on any list.
 */
void hci_pend_le_list_del_init(struct hci_conn_params *param)
{
	if (list_empty(&param->action))
		return;

	list_del_rcu(&param->action);
	synchronize_rcu();
	INIT_LIST_HEAD(&param->action);
}

/* This function requires the caller holds hdev->lock
 *
 * Link @param's action node onto @list under RCU.
 */
void hci_pend_le_list_add(struct hci_conn_params *param,
			  struct list_head *list)
{
	list_add_rcu(&param->action, list);
}

/* This function requires the caller holds hdev->lock
 *
 * Return the connection parameters for @addr/@addr_type, creating them
 * with the device defaults (interval, latency, supervision timeout) and
 * auto_connect disabled when none exist yet.  Returns NULL on allocation
 * failure.
 */
struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
					    bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *params;

	params = hci_conn_params_lookup(hdev, addr, addr_type);
	if (params)
		return params;

	params = kzalloc_obj(*params);
	if (!params) {
		bt_dev_err(hdev, "out of memory");
		return NULL;
	}

	bacpy(&params->addr, addr);
	params->addr_type = addr_type;

	list_add(&params->list, &hdev->le_conn_params);
	INIT_LIST_HEAD(&params->action);

	params->conn_min_interval = hdev->le_conn_min_interval;
	params->conn_max_interval = hdev->le_conn_max_interval;
	params->conn_latency = hdev->le_conn_latency;
	params->supervision_timeout = hdev->le_supv_timeout;
	params->auto_connect = HCI_AUTO_CONN_DISABLED;

	BT_DBG("addr %pMR (type %u)", addr, addr_type);

	return params;
}

/* Tear down @params: drop it from any pending-action list, release the
 * connection reference it may hold, unlink it from le_conn_params and
 * free it.
 */
void hci_conn_params_free(struct hci_conn_params *params)
{
	hci_pend_le_list_del_init(params);

	if (params->conn) {
		hci_conn_drop(params->conn);
		hci_conn_put(params->conn);
	}

	list_del(&params->list);
	kfree(params);
}

/* This function requires the caller holds hdev->lock
 *
 * Remove the parameters for @addr/@addr_type (if any) and refresh the
 * passive scan state, since the accept list may have changed.
 */
void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
{
	struct hci_conn_params *params;

	params = hci_conn_params_lookup(hdev, addr, addr_type);
	if (!params)
		return;

	hci_conn_params_free(params);

	hci_update_passive_scan(hdev);

	BT_DBG("addr %pMR (type %u)", addr, addr_type);
}

/* This function requires the caller holds hdev->lock
 *
 * Drop every parameter set whose auto_connect is DISABLED, except those
 * with a pending explicit connect, which are kept and downgraded to
 * HCI_AUTO_CONN_EXPLICIT.
 */
void hci_conn_params_clear_disabled(struct hci_dev *hdev)
{
	struct hci_conn_params *params, *tmp;

	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
		if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
			continue;

		/* If trying to establish one time connection to disabled
		 * device, leave the params, but mark them as just once.
		 */
		if (params->explicit_connect) {
			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
			continue;
		}

		hci_conn_params_free(params);
	}

	BT_DBG("All LE disabled connection parameters were removed");
}

/* This function requires the caller holds hdev->lock
 *
 * Free every LE connection parameter set of @hdev.
 */
static void hci_conn_params_clear_all(struct hci_dev *hdev)
{
	struct hci_conn_params *params, *tmp;

	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
		hci_conn_params_free(params);

	BT_DBG("All LE connection parameters were removed");
}

/* Copy the Identity Address of the controller.
 *
 * If the controller has a public BD_ADDR, then by default use that one.
 * If this is a LE only controller without a public address, default to
 * the static random address.
 *
 * For debugging purposes it is possible to force controllers with a
 * public address to use the static random address instead.
 *
 * In case BR/EDR has been disabled on a dual-mode controller and
 * userspace has configured a static address, then that address
 * becomes the identity address instead of the public BR/EDR address.
2337 */ 2338 void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr, 2339 u8 *bdaddr_type) 2340 { 2341 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) || 2342 !bacmp(&hdev->bdaddr, BDADDR_ANY) || 2343 (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) && 2344 bacmp(&hdev->static_addr, BDADDR_ANY))) { 2345 bacpy(bdaddr, &hdev->static_addr); 2346 *bdaddr_type = ADDR_LE_DEV_RANDOM; 2347 } else { 2348 bacpy(bdaddr, &hdev->bdaddr); 2349 *bdaddr_type = ADDR_LE_DEV_PUBLIC; 2350 } 2351 } 2352 2353 static void hci_clear_wake_reason(struct hci_dev *hdev) 2354 { 2355 hci_dev_lock(hdev); 2356 2357 hdev->wake_reason = 0; 2358 bacpy(&hdev->wake_addr, BDADDR_ANY); 2359 hdev->wake_addr_type = 0; 2360 2361 hci_dev_unlock(hdev); 2362 } 2363 2364 static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action, 2365 void *data) 2366 { 2367 struct hci_dev *hdev = 2368 container_of(nb, struct hci_dev, suspend_notifier); 2369 int ret = 0; 2370 2371 /* Userspace has full control of this device. Do nothing. */ 2372 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) 2373 return NOTIFY_DONE; 2374 2375 /* To avoid a potential race with hci_unregister_dev. */ 2376 hci_dev_hold(hdev); 2377 2378 switch (action) { 2379 case PM_HIBERNATION_PREPARE: 2380 case PM_SUSPEND_PREPARE: 2381 ret = hci_suspend_dev(hdev); 2382 break; 2383 case PM_POST_HIBERNATION: 2384 case PM_POST_SUSPEND: 2385 ret = hci_resume_dev(hdev); 2386 break; 2387 } 2388 2389 if (ret) 2390 bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d", 2391 action, ret); 2392 2393 hci_dev_put(hdev); 2394 return NOTIFY_DONE; 2395 } 2396 2397 /* Alloc HCI device */ 2398 struct hci_dev *hci_alloc_dev_priv(int sizeof_priv) 2399 { 2400 struct hci_dev *hdev; 2401 unsigned int alloc_size; 2402 2403 alloc_size = sizeof(*hdev); 2404 if (sizeof_priv) { 2405 /* Fixme: May need ALIGN-ment? 
*/ 2406 alloc_size += sizeof_priv; 2407 } 2408 2409 hdev = kzalloc(alloc_size, GFP_KERNEL); 2410 if (!hdev) 2411 return NULL; 2412 2413 if (init_srcu_struct(&hdev->srcu)) { 2414 kfree(hdev); 2415 return NULL; 2416 } 2417 2418 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1); 2419 hdev->esco_type = (ESCO_HV1); 2420 hdev->link_mode = (HCI_LM_ACCEPT); 2421 hdev->num_iac = 0x01; /* One IAC support is mandatory */ 2422 hdev->io_capability = 0x03; /* No Input No Output */ 2423 hdev->manufacturer = 0xffff; /* Default to internal use */ 2424 hdev->inq_tx_power = HCI_TX_POWER_INVALID; 2425 hdev->adv_tx_power = HCI_TX_POWER_INVALID; 2426 hdev->adv_instance_cnt = 0; 2427 hdev->cur_adv_instance = 0x00; 2428 hdev->adv_instance_timeout = 0; 2429 2430 hdev->advmon_allowlist_duration = 300; 2431 hdev->advmon_no_filter_duration = 500; 2432 hdev->enable_advmon_interleave_scan = 0x00; /* Default to disable */ 2433 2434 hdev->sniff_max_interval = 800; 2435 hdev->sniff_min_interval = 80; 2436 2437 hdev->le_adv_channel_map = 0x07; 2438 hdev->le_adv_min_interval = 0x0800; 2439 hdev->le_adv_max_interval = 0x0800; 2440 hdev->le_scan_interval = DISCOV_LE_SCAN_INT_FAST; 2441 hdev->le_scan_window = DISCOV_LE_SCAN_WIN_FAST; 2442 hdev->le_scan_int_suspend = DISCOV_LE_SCAN_INT_SLOW1; 2443 hdev->le_scan_window_suspend = DISCOV_LE_SCAN_WIN_SLOW1; 2444 hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT; 2445 hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN; 2446 hdev->le_scan_int_adv_monitor = DISCOV_LE_SCAN_INT_FAST; 2447 hdev->le_scan_window_adv_monitor = DISCOV_LE_SCAN_WIN_FAST; 2448 hdev->le_scan_int_connect = DISCOV_LE_SCAN_INT_CONN; 2449 hdev->le_scan_window_connect = DISCOV_LE_SCAN_WIN_CONN; 2450 hdev->le_conn_min_interval = 0x0018; 2451 hdev->le_conn_max_interval = 0x0028; 2452 hdev->le_conn_latency = 0x0000; 2453 hdev->le_supv_timeout = 0x002a; 2454 hdev->le_def_tx_len = 0x001b; 2455 hdev->le_def_tx_time = 0x0148; 2456 hdev->le_max_tx_len = 0x001b; 2457 hdev->le_max_tx_time = 0x0148; 2458 
hdev->le_max_rx_len = 0x001b; 2459 hdev->le_max_rx_time = 0x0148; 2460 hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE; 2461 hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE; 2462 hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M; 2463 hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M; 2464 hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES; 2465 hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION; 2466 hdev->def_le_autoconnect_timeout = HCI_LE_CONN_TIMEOUT; 2467 hdev->min_le_tx_power = HCI_TX_POWER_INVALID; 2468 hdev->max_le_tx_power = HCI_TX_POWER_INVALID; 2469 2470 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT; 2471 hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT; 2472 hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE; 2473 hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE; 2474 hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT; 2475 hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE; 2476 2477 /* default 1.28 sec page scan */ 2478 hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD; 2479 hdev->def_page_scan_int = 0x0800; 2480 hdev->def_page_scan_window = 0x0012; 2481 2482 mutex_init(&hdev->lock); 2483 mutex_init(&hdev->req_lock); 2484 mutex_init(&hdev->mgmt_pending_lock); 2485 2486 ida_init(&hdev->unset_handle_ida); 2487 2488 INIT_LIST_HEAD(&hdev->mesh_pending); 2489 INIT_LIST_HEAD(&hdev->mgmt_pending); 2490 INIT_LIST_HEAD(&hdev->reject_list); 2491 INIT_LIST_HEAD(&hdev->accept_list); 2492 INIT_LIST_HEAD(&hdev->uuids); 2493 INIT_LIST_HEAD(&hdev->link_keys); 2494 INIT_LIST_HEAD(&hdev->long_term_keys); 2495 INIT_LIST_HEAD(&hdev->identity_resolving_keys); 2496 INIT_LIST_HEAD(&hdev->remote_oob_data); 2497 INIT_LIST_HEAD(&hdev->le_accept_list); 2498 INIT_LIST_HEAD(&hdev->le_resolv_list); 2499 INIT_LIST_HEAD(&hdev->le_conn_params); 2500 INIT_LIST_HEAD(&hdev->pend_le_conns); 2501 INIT_LIST_HEAD(&hdev->pend_le_reports); 2502 INIT_LIST_HEAD(&hdev->conn_hash.list); 2503 INIT_LIST_HEAD(&hdev->adv_instances); 2504 INIT_LIST_HEAD(&hdev->blocked_keys); 2505 
INIT_LIST_HEAD(&hdev->monitored_devices);

	INIT_LIST_HEAD(&hdev->local_codecs);

	/* Deferred work: RX/TX/command processing, power on and error reset.
	 * Handlers are bound here; hci_register_dev() creates the workqueues
	 * they run on.
	 */
	INIT_WORK(&hdev->rx_work, hci_rx_work);
	INIT_WORK(&hdev->cmd_work, hci_cmd_work);
	INIT_WORK(&hdev->tx_work, hci_tx_work);
	INIT_WORK(&hdev->power_on, hci_power_on);
	INIT_WORK(&hdev->error_reset, hci_error_reset);

	hci_cmd_sync_init(hdev);

	INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);

	/* Packet queues: incoming frames, pending commands, raw frames */
	skb_queue_head_init(&hdev->rx_q);
	skb_queue_head_init(&hdev->cmd_q);
	skb_queue_head_init(&hdev->raw_q);

	init_waitqueue_head(&hdev->req_wait_q);

	/* Command response and Number-of-Completed-Packets watchdogs */
	INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
	INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout);

	hci_devcd_setup(hdev);

	hci_init_sysfs(hdev);
	discovery_init(hdev);

	return hdev;
}
EXPORT_SYMBOL(hci_alloc_dev_priv);

/* Free HCI device
 *
 * Drops the device reference; the memory is released by the device
 * release path (hci_release_dev()), not here.
 */
void hci_free_dev(struct hci_dev *hdev)
{
	/* will free via device release */
	put_device(&hdev->dev);
}
EXPORT_SYMBOL(hci_free_dev);

/* Register HCI device
 *
 * Allocates an index, names the device "hci<id>", creates the per-device
 * ordered workqueues, adds the device to the driver core and to
 * hci_dev_list, and queues the initial power on.
 *
 * Returns the allocated index (>= 0) on success, a negative errno otherwise.
 */
int hci_register_dev(struct hci_dev *hdev)
{
	int id, error;

	/* The driver must supply the mandatory transport callbacks */
	if (!hdev->open || !hdev->close || !hdev->send)
		return -EINVAL;

	id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL);
	if (id < 0)
		return id;

	error = dev_set_name(&hdev->dev, "hci%u", id);
	if (error)
		/* NOTE(review): this path returns without ida_free(), so the
		 * index allocated above is not released. hdev->id is not set
		 * yet, so jumping to the err label would free the wrong index.
		 */
		return error;

	hdev->name = dev_name(&hdev->dev);
	hdev->id = id;

	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);

	/* Two ordered workqueues: rx/tx/cmd work and request work */
	hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name);
	if (!hdev->workqueue) {
		error = -ENOMEM;
		goto err;
	}

	hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI,
						      hdev->name);
	if (!hdev->req_workqueue) {
		destroy_workqueue(hdev->workqueue);
		error = -ENOMEM;
		goto err;
	}

	/* Per-device debugfs directory only if the bluetooth root exists */
	if (!IS_ERR_OR_NULL(bt_debugfs))
		hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);

	error = device_add(&hdev->dev);
	if (error < 0)
		goto err_wqueue;

	hci_leds_init(hdev);

	/* rfkill is optional: if allocation or registration fails,
	 * hdev->rfkill is left NULL and registration continues.
	 */
	hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
				    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
				    hdev);
	if (hdev->rfkill) {
		if (rfkill_register(hdev->rfkill) < 0) {
			rfkill_destroy(hdev->rfkill);
			hdev->rfkill = NULL;
		}
	}

	/* Start in the blocked state if the radio is already soft/hard blocked */
	if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
		hci_dev_set_flag(hdev, HCI_RFKILLED);

	hci_dev_set_flag(hdev, HCI_SETUP);
	hci_dev_set_flag(hdev, HCI_AUTO_OFF);

	/* Assume BR/EDR support until proven otherwise (such as
	 * through reading supported features during init.
	 */
	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);

	write_lock(&hci_dev_list_lock);
	list_add(&hdev->list, &hci_dev_list);
	write_unlock(&hci_dev_list_lock);

	/* Devices that are marked for raw-only usage are unconfigured
	 * and should not be included in normal operation.
	 */
	if (hci_test_quirk(hdev, HCI_QUIRK_RAW_DEVICE))
		hci_dev_set_flag(hdev, HCI_UNCONFIGURED);

	/* Mark Remote Wakeup connection flag as supported if driver has wakeup
	 * callback.
	 */
	if (hdev->wakeup)
		hdev->conn_flags |= HCI_CONN_FLAG_REMOTE_WAKEUP;

	hci_sock_dev_event(hdev, HCI_DEV_REG);
	hci_dev_hold(hdev);

	/* A failed PM notifier registration is logged but not fatal */
	error = hci_register_suspend_notifier(hdev);
	if (error)
		BT_WARN("register suspend notifier failed error:%d\n", error);

	queue_work(hdev->req_workqueue, &hdev->power_on);

	idr_init(&hdev->adv_monitors_idr);
	msft_register(hdev);

	return id;

err_wqueue:
	debugfs_remove_recursive(hdev->debugfs);
	destroy_workqueue(hdev->workqueue);
	destroy_workqueue(hdev->req_workqueue);
err:
	ida_free(&hci_index_ida, hdev->id);

	return error;
}
EXPORT_SYMBOL(hci_register_dev);

/* Unregister HCI device
 *
 * Marks the device as unregistering, removes it from hci_dev_list, stops
 * every work item and timer, closes the device and removes it from the
 * driver core. Memory is freed later in hci_release_dev() when the last
 * reference is dropped.
 */
void hci_unregister_dev(struct hci_dev *hdev)
{
	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);

	mutex_lock(&hdev->unregister_lock);
	hci_dev_set_flag(hdev, HCI_UNREGISTER);
	mutex_unlock(&hdev->unregister_lock);

	write_lock(&hci_dev_list_lock);
	list_del(&hdev->list);
	write_unlock(&hci_dev_list_lock);

	/* Let in-flight SRCU readers finish before tearing the SRCU down */
	synchronize_srcu(&hdev->srcu);
	cleanup_srcu_struct(&hdev->srcu);

	/* Disable (not merely cancel) so nothing re-queues this work later */
	disable_work_sync(&hdev->rx_work);
	disable_work_sync(&hdev->cmd_work);
	disable_work_sync(&hdev->tx_work);
	disable_work_sync(&hdev->power_on);
	disable_work_sync(&hdev->error_reset);
	disable_delayed_work_sync(&hdev->cmd_timer);
	disable_delayed_work_sync(&hdev->ncmd_timer);

	hci_cmd_sync_clear(hdev);

	hci_unregister_suspend_notifier(hdev);

	hci_dev_do_close(hdev);

	/* Skip mgmt_index_removed() while still in INIT, SETUP or CONFIG */
	if (!test_bit(HCI_INIT, &hdev->flags) &&
	    !hci_dev_test_flag(hdev, HCI_SETUP) &&
	    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
		hci_dev_lock(hdev);
		mgmt_index_removed(hdev);
		hci_dev_unlock(hdev);
	}

	/* mgmt_index_removed should take care of emptying the
	 * pending list */
BUG_ON(!list_empty(&hdev->mgmt_pending));

	hci_sock_dev_event(hdev, HCI_DEV_UNREG);

	if (hdev->rfkill) {
		rfkill_unregister(hdev->rfkill);
		rfkill_destroy(hdev->rfkill);
	}

	device_del(&hdev->dev);
	/* Actual cleanup is deferred until hci_release_dev(). */
	hci_dev_put(hdev);
}
EXPORT_SYMBOL(hci_unregister_dev);

/* Release HCI device
 *
 * Final teardown, reached once the last device reference is dropped
 * (see hci_free_dev()). Frees debugfs, the workqueues, all stored
 * security material (link keys, LTKs, IRKs, OOB data, blocked keys),
 * the address/parameter lists, the index, the cached command/event
 * skbs and finally the hci_dev itself.
 */
void hci_release_dev(struct hci_dev *hdev)
{
	debugfs_remove_recursive(hdev->debugfs);
	kfree_const(hdev->hw_info);
	kfree_const(hdev->fw_info);

	destroy_workqueue(hdev->workqueue);
	destroy_workqueue(hdev->req_workqueue);

	/* Key material and pairing state are cleared under the device lock */
	hci_dev_lock(hdev);
	hci_bdaddr_list_clear(&hdev->reject_list);
	hci_bdaddr_list_clear(&hdev->accept_list);
	hci_uuids_clear(hdev);
	hci_link_keys_clear(hdev);
	hci_smp_ltks_clear(hdev);
	hci_smp_irks_clear(hdev);
	hci_remote_oob_data_clear(hdev);
	hci_adv_instances_clear(hdev);
	hci_adv_monitors_clear(hdev);
	hci_bdaddr_list_clear(&hdev->le_accept_list);
	hci_bdaddr_list_clear(&hdev->le_resolv_list);
	hci_conn_params_clear_all(hdev);
	hci_discovery_filter_clear(hdev);
	hci_blocked_keys_clear(hdev);
	hci_codec_list_clear(&hdev->local_codecs);
	msft_release(hdev);
	hci_dev_unlock(hdev);

	ida_destroy(&hdev->unset_handle_ida);
	ida_free(&hci_index_ida, hdev->id);
	kfree_skb(hdev->sent_cmd);
	kfree_skb(hdev->req_skb);
	kfree_skb(hdev->recv_event);
	kfree(hdev);
}
EXPORT_SYMBOL(hci_release_dev);

/* Register for PM suspend/resume notifications.
 *
 * Skipped when a notifier is already installed or the driver set
 * HCI_QUIRK_NO_SUSPEND_NOTIFIER. Returns 0 or the register_pm_notifier()
 * error.
 */
int hci_register_suspend_notifier(struct hci_dev *hdev)
{
	int ret = 0;

	if (!hdev->suspend_notifier.notifier_call &&
	    !hci_test_quirk(hdev, HCI_QUIRK_NO_SUSPEND_NOTIFIER)) {
		hdev->suspend_notifier.notifier_call = hci_suspend_notifier;
		ret = register_pm_notifier(&hdev->suspend_notifier);
	}

	return ret;
}

int
hci_unregister_suspend_notifier(struct hci_dev *hdev)
{
	int ret = 0;

	/* notifier_call is cleared only after a successful unregister */
	if (hdev->suspend_notifier.notifier_call) {
		ret = unregister_pm_notifier(&hdev->suspend_notifier);
		if (!ret)
			hdev->suspend_notifier.notifier_call = NULL;
	}

	return ret;
}

/* Cancel ongoing command synchronously:
 *
 * - Cancel command timer
 * - Reset command counter
 * - Cancel command request
 *
 * @err is passed on to hci_cmd_sync_cancel_sync() as the cancellation
 * reason. Timers are disabled (not just cancelled) when the device is
 * being unregistered so they cannot be re-armed afterwards.
 */
static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err)
{
	bt_dev_dbg(hdev, "err 0x%2.2x", err);

	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
		disable_delayed_work_sync(&hdev->cmd_timer);
		disable_delayed_work_sync(&hdev->ncmd_timer);
	} else {
		cancel_delayed_work_sync(&hdev->cmd_timer);
		cancel_delayed_work_sync(&hdev->ncmd_timer);
	}

	/* Allow one command to be sent again */
	atomic_set(&hdev->cmd_cnt, 1);

	hci_cmd_sync_cancel_sync(hdev, err);
}

/* Suspend HCI device
 *
 * Returns 0 when there is nothing to do (not powered, unregistering or
 * already powering down), otherwise the result of hci_suspend_sync().
 */
int hci_suspend_dev(struct hci_dev *hdev)
{
	int ret;

	bt_dev_dbg(hdev, "");

	/* Suspend should only act on when powered. */
	if (!hdev_is_powered(hdev) ||
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
		return 0;

	/* If powering down don't attempt to suspend */
	if (mgmt_powering_down(hdev))
		return 0;

	/* Cancel potentially blocking sync operation before suspend */
	hci_cancel_cmd_sync(hdev, EHOSTDOWN);

	hci_req_sync_lock(hdev);
	ret = hci_suspend_sync(hdev);
	hci_req_sync_unlock(hdev);

	hci_clear_wake_reason(hdev);
	mgmt_suspending(hdev, hdev->suspend_state);

	hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
	return ret;
}
EXPORT_SYMBOL(hci_suspend_dev);

/* Resume HCI device
 *
 * Mirror of hci_suspend_dev(): returns 0 when nothing is to be done,
 * otherwise the result of hci_resume_sync(). Reports the stored wake
 * reason and address to mgmt.
 */
int hci_resume_dev(struct hci_dev *hdev)
{
	int ret;

	bt_dev_dbg(hdev, "");

	/* Resume should only act on when powered.
	 */
	if (!hdev_is_powered(hdev) ||
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
		return 0;

	/* If powering down don't attempt to resume */
	if (mgmt_powering_down(hdev))
		return 0;

	hci_req_sync_lock(hdev);
	ret = hci_resume_sync(hdev);
	hci_req_sync_unlock(hdev);

	mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr,
		      hdev->wake_addr_type);

	hci_sock_dev_event(hdev, HCI_DEV_RESUME);
	return ret;
}
EXPORT_SYMBOL(hci_resume_dev);

/* Reset HCI device
 *
 * Injects a synthetic HCI Hardware Error event (event code, one
 * parameter byte of length, hardware code 0x00) into the normal RX
 * path so the stack performs its usual error recovery. Returns -ENOMEM
 * if the skb cannot be allocated, otherwise the hci_recv_frame() result.
 */
int hci_reset_dev(struct hci_dev *hdev)
{
	static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
	struct sk_buff *skb;

	skb = bt_skb_alloc(3, GFP_ATOMIC);
	if (!skb)
		return -ENOMEM;

	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
	skb_put_data(skb, hw_err, 3);

	bt_dev_err(hdev, "Injecting HCI hardware error event");

	/* Send Hardware Error to upper stack */
	return hci_recv_frame(hdev, skb);
}
EXPORT_SYMBOL(hci_reset_dev);

/* Let the driver override the packet type carried in the skb, if it
 * provides a classify_pkt_type callback; otherwise keep the skb's type.
 */
static u8 hci_dev_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb)
{
	if (hdev->classify_pkt_type)
		return hdev->classify_pkt_type(hdev, skb);

	return hci_skb_pkt_type(skb);
}

/* Receive frame from HCI drivers
 *
 * Entry point for every frame coming from the controller. Validates the
 * device state and the packet type, then queues the skb on rx_q for
 * hci_rx_work(). The skb is consumed on every path.
 *
 * Returns 0 on success, -ENXIO when the device is neither up nor
 * initialising, -EINVAL for an unknown packet type.
 */
int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
	u8 dev_pkt_type;

	if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
		      && !test_bit(HCI_INIT, &hdev->flags))) {
		kfree_skb(skb);
		return -ENXIO;
	}

	/* Check if the driver agree with packet type classification */
	dev_pkt_type = hci_dev_classify_pkt_type(hdev, skb);
	if (hci_skb_pkt_type(skb) != dev_pkt_type) {
		hci_skb_pkt_type(skb) = dev_pkt_type;
	}

	switch (hci_skb_pkt_type(skb)) {
	case HCI_EVENT_PKT:
		break;
	case HCI_ACLDATA_PKT:
		/* Detect if ISO packet has been sent as ACL */
		if (hci_conn_num(hdev, CIS_LINK) ||
		    hci_conn_num(hdev, BIS_LINK) ||
		    hci_conn_num(hdev, PA_LINK)) {
			/* NOTE(review): the ACL header is read here before
			 * any length check; hci_acldata_packet() only
			 * validates the header size later via skb_pull_data().
			 * Confirm a runt ACL frame from the driver cannot
			 * reach this read.
			 */
			__u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle);
			__u8 type;

			type = hci_conn_lookup_type(hdev, hci_handle(handle));
			if (type == CIS_LINK || type == BIS_LINK ||
			    type == PA_LINK)
				hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
		}
		break;
	case HCI_SCODATA_PKT:
		break;
	case HCI_ISODATA_PKT:
		break;
	case HCI_DRV_PKT:
		break;
	default:
		/* Unknown type: drop rather than hand to the RX worker */
		kfree_skb(skb);
		return -EINVAL;
	}

	/* Incoming skb */
	bt_cb(skb)->incoming = 1;

	/* Time stamp */
	__net_timestamp(skb);

	skb_queue_tail(&hdev->rx_q, skb);
	queue_work(hdev->workqueue, &hdev->rx_work);

	return 0;
}
EXPORT_SYMBOL(hci_recv_frame);

/* Receive diagnostic message from HCI drivers
 *
 * Tags the skb as HCI_DIAG_PKT and queues it on rx_q. Unlike
 * hci_recv_frame() there is no HCI_UP/HCI_INIT check here. Always
 * returns 0.
 */
int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
{
	/* Mark as diagnostic packet */
	hci_skb_pkt_type(skb) = HCI_DIAG_PKT;

	/* Time stamp */
	__net_timestamp(skb);

	skb_queue_tail(&hdev->rx_q, skb);
	queue_work(hdev->workqueue, &hdev->rx_work);

	return 0;
}
EXPORT_SYMBOL(hci_recv_diag);

/* Set the hardware info string (printf-style). Any previous string is
 * freed; the new one is allocated with GFP_KERNEL and released in
 * hci_release_dev().
 */
void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...)
{
	va_list vargs;

	va_start(vargs, fmt);
	kfree_const(hdev->hw_info);
	hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
	va_end(vargs);
}
EXPORT_SYMBOL(hci_set_hw_info);

/* Set the firmware info string; same contract as hci_set_hw_info() */
void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...)
{
	va_list vargs;

	va_start(vargs, fmt);
	kfree_const(hdev->fw_info);
	hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
	va_end(vargs);
}
EXPORT_SYMBOL(hci_set_fw_info);

/* ---- Interface to upper protocols ---- */

/* Add an upper-protocol callback set to hci_cb_list. Always returns 0. */
int hci_register_cb(struct hci_cb *cb)
{
	BT_DBG("%p name %s", cb, cb->name);

	mutex_lock(&hci_cb_list_lock);
	list_add_tail(&cb->list, &hci_cb_list);
	mutex_unlock(&hci_cb_list_lock);

	return 0;
}
EXPORT_SYMBOL(hci_register_cb);

/* Remove a callback set registered with hci_register_cb(). Always returns 0. */
int hci_unregister_cb(struct hci_cb *cb)
{
	BT_DBG("%p name %s", cb, cb->name);

	mutex_lock(&hci_cb_list_lock);
	list_del(&cb->list);
	mutex_unlock(&hci_cb_list_lock);

	return 0;
}
EXPORT_SYMBOL(hci_unregister_cb);

/* Hand one frame to the driver.
 *
 * Copies go to the monitor socket (always) and to promiscuous raw sockets
 * before the frame reaches the driver. HCI_DRV_PKT frames are handled in
 * the core and never passed to hdev->send. The skb is consumed on every
 * error path; on success ownership passes to the driver.
 *
 * Returns 0, -EINVAL if the device is not running, or the driver/drv
 * error code.
 */
static int hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
	int err;

	BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
	       skb->len);

	/* Time stamp */
	__net_timestamp(skb);

	/* Send copy to monitor */
	hci_send_to_monitor(hdev, skb);

	if (atomic_read(&hdev->promisc)) {
		/* Send copy to the sockets */
		hci_send_to_sock(hdev, skb);
	}

	/* Get rid of skb owner, prior to sending to the driver. */
	skb_orphan(skb);

	if (!test_bit(HCI_RUNNING, &hdev->flags)) {
		kfree_skb(skb);
		return -EINVAL;
	}

	if (hci_skb_pkt_type(skb) == HCI_DRV_PKT) {
		/* Intercept HCI Drv packet here and don't go with hdev->send
		 * callback.
		 */
		err = hci_drv_process_cmd(hdev, skb);
		kfree_skb(skb);
		return err;
	}

	err = hdev->send(hdev, skb);
	if (err < 0) {
		bt_dev_err(hdev, "sending frame failed (%d)", err);
		kfree_skb(skb);
		return err;
	}

	return 0;
}

/* Account the frame on the connection's TX queue, then send it */
static int hci_send_conn_frame(struct hci_dev *hdev, struct hci_conn *conn,
			       struct sk_buff *skb)
{
	hci_conn_tx_queue(conn, skb);
	return hci_send_frame(hdev, skb);
}

/* Send HCI command
 *
 * Builds a command skb for @opcode with @plen bytes of @param and queues
 * it on cmd_q for hci_cmd_work(); it is not sent synchronously here.
 * Returns 0 or -ENOMEM.
 */
int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
		 const void *param)
{
	struct sk_buff *skb;

	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);

	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
	if (!skb) {
		bt_dev_err(hdev, "no memory for command");
		return -ENOMEM;
	}

	/* Stand-alone HCI commands must be flagged as
	 * single-command requests.
	 */
	bt_cb(skb)->hci.req_flags |= HCI_REQ_START;

	skb_queue_tail(&hdev->cmd_q, skb);
	queue_work(hdev->workqueue, &hdev->cmd_work);

	return 0;
}

/* Send a vendor-specific (OGF 0x3f) command without waiting for any
 * response and bypassing cmd_q. Standard commands are rejected with
 * -EINVAL. Returns 0 or -ENOMEM.
 */
int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen,
		   const void *param)
{
	struct sk_buff *skb;

	if (hci_opcode_ogf(opcode) != 0x3f) {
		/* A controller receiving a command shall respond with either
		 * a Command Status Event or a Command Complete Event.
		 * Therefore, all standard HCI commands must be sent via the
		 * standard API, using hci_send_cmd or hci_cmd_sync helpers.
		 * Some vendors do not comply with this rule for vendor-specific
		 * commands and do not return any event. We want to support
		 * unresponded commands for such cases only.
		 */
		bt_dev_err(hdev, "unresponded command not supported");
		return -EINVAL;
	}

	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
	if (!skb) {
		bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
			   opcode);
		return -ENOMEM;
	}

	/* NOTE(review): the hci_send_frame() result is discarded; a send
	 * failure is logged there but reported to the caller as success.
	 */
	hci_send_frame(hdev, skb);

	return 0;
}
EXPORT_SYMBOL(__hci_cmd_send);

/* Get data from the previously sent command
 *
 * Returns a pointer to the parameter bytes following the command header
 * if @skb holds a full header whose opcode matches @opcode, else NULL.
 */
static void *hci_cmd_data(struct sk_buff *skb, __u16 opcode)
{
	struct hci_command_hdr *hdr;

	/* Reject NULL and runt buffers before touching the header */
	if (!skb || skb->len < HCI_COMMAND_HDR_SIZE)
		return NULL;

	hdr = (void *)skb->data;

	if (hdr->opcode != cpu_to_le16(opcode))
		return NULL;

	return skb->data + HCI_COMMAND_HDR_SIZE;
}

/* Get data from the previously sent command
 *
 * Looks at the last sent command first, then at the last request skb.
 * Returns NULL when neither matches @opcode.
 */
void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
{
	void *data;

	/* Check if opcode matches last sent command */
	data = hci_cmd_data(hdev->sent_cmd, opcode);
	if (!data)
		/* Check if opcode matches last request */
		data = hci_cmd_data(hdev->req_skb, opcode);

	return data;
}

/* Get data from last received event
 *
 * Returns a pointer past the event header (and past the LE meta header
 * when @event is matched as an LE subevent), or NULL if recv_event is
 * absent or does not match.
 *
 * NOTE(review): unlike hci_cmd_data(), the header fields are read without
 * comparing recv_event->len against @offset; this presumably relies on the
 * event having been length-checked when it was received - confirm.
 */
void *hci_recv_event_data(struct hci_dev *hdev, __u8 event)
{
	struct hci_event_hdr *hdr;
	int offset;

	if (!hdev->recv_event)
		return NULL;

	hdr = (void *)hdev->recv_event->data;
	offset = sizeof(*hdr);

	if (hdr->evt != event) {
		/* In case of LE metaevent check the subevent match */
		if (hdr->evt == HCI_EV_LE_META) {
			struct hci_ev_le_meta *ev;

			ev = (void *)hdev->recv_event->data + offset;
			offset += sizeof(*ev);
			if (ev->subevent == event)
				goto found;
		}
		return NULL;
	}

found:
	bt_dev_dbg(hdev, "event 0x%2.2x", event);

	return hdev->recv_event->data + offset;
}

/* Send ACL data */
static void
hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
{
	struct hci_acl_hdr *hdr;
	/* Captured before skb_push() so dlen covers the payload only */
	int len = skb->len;

	skb_push(skb, HCI_ACL_HDR_SIZE);
	skb_reset_transport_header(skb);
	hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
	/* Handle and packet-boundary/broadcast flags share one 16-bit field */
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
	/* assumes len fits in 16 bits - caller bounds fragments - confirm */
	hdr->dlen = cpu_to_le16(len);
}

/* Prepend ACL headers to @skb and all of its frag_list fragments and
 * append them to @queue. The first fragment keeps @flags as given; the
 * rest are re-marked ACL_CONT. Fragments are queued under queue->lock so
 * they stay contiguous.
 */
static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
			  struct sk_buff *skb, __u16 flags)
{
	struct hci_conn *conn = chan->conn;
	struct hci_dev *hdev = conn->hdev;
	struct sk_buff *list;

	/* Treat the head skb as linear; frag_list members become own frames */
	skb->len = skb_headlen(skb);
	skb->data_len = 0;

	hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;

	hci_add_acl_hdr(skb, conn->handle, flags);

	list = skb_shinfo(skb)->frag_list;
	if (!list) {
		/* Non fragmented */
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);

		skb_queue_tail(queue, skb);
	} else {
		/* Fragmented */
		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);

		skb_shinfo(skb)->frag_list = NULL;

		/* Queue all fragments atomically. We need to use spin_lock_bh
		 * here because of 6LoWPAN links, as there this function is
		 * called from softirq and using normal spin lock could cause
		 * deadlocks.
		 */
		spin_lock_bh(&queue->lock);

		__skb_queue_tail(queue, skb);

		flags &= ~ACL_START;
		flags |= ACL_CONT;
		do {
			skb = list; list = list->next;

			hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
			hci_add_acl_hdr(skb, conn->handle, flags);

			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);

			__skb_queue_tail(queue, skb);
		} while (list);

		spin_unlock_bh(&queue->lock);
	}

	bt_dev_dbg(hdev, "chan %p queued %d", chan, skb_queue_len(queue));
}

/* Queue ACL data on the channel and kick the TX worker */
void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
{
	struct hci_dev *hdev = chan->conn->hdev;

	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);

	hci_queue_acl(chan, &chan->data_q, skb, flags);

	queue_work(hdev->workqueue, &hdev->tx_work);
}

/* Send SCO data
 *
 * Prepends a SCO header and queues the frame on conn->data_q. SCO frames
 * are never fragmented here.
 */
void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
{
	struct hci_dev *hdev = conn->hdev;
	struct hci_sco_hdr hdr;

	BT_DBG("%s len %d", hdev->name, skb->len);

	hdr.handle = cpu_to_le16(conn->handle);
	/* assumes skb->len fits the SCO dlen field - caller bounds it - confirm */
	hdr.dlen = skb->len;

	skb_push(skb, HCI_SCO_HDR_SIZE);
	skb_reset_transport_header(skb);
	memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);

	hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;

	skb_queue_tail(&conn->data_q, skb);

	bt_dev_dbg(hdev, "hcon %p queued %d", conn,
		   skb_queue_len(&conn->data_q));

	queue_work(hdev->workqueue, &hdev->tx_work);
}

/* Send ISO data */
static void hci_add_iso_hdr(struct sk_buff *skb, __u16 handle, __u8 flags)
{
	struct hci_iso_hdr *hdr;
	/* Captured before skb_push() so dlen covers the payload only */
	int len = skb->len;

	skb_push(skb, HCI_ISO_HDR_SIZE);
	skb_reset_transport_header(skb);
	hdr = (struct hci_iso_hdr *)skb_transport_header(skb);
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
	hdr->dlen = cpu_to_le16(len);
}

static
void hci_queue_iso(struct hci_conn *conn, struct sk_buff_head *queue,
		   struct sk_buff *skb)
{
	struct hci_dev *hdev = conn->hdev;
	struct sk_buff *list;
	__u16 flags;

	/* Treat the head skb as linear; frag_list members become own frames */
	skb->len = skb_headlen(skb);
	skb->data_len = 0;

	hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;

	list = skb_shinfo(skb)->frag_list;

	/* PB flag: SINGLE for an unfragmented SDU, START when more follow */
	flags = hci_iso_flags_pack(list ? ISO_START : ISO_SINGLE, 0x00);
	hci_add_iso_hdr(skb, conn->handle, flags);

	if (!list) {
		/* Non fragmented */
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);

		skb_queue_tail(queue, skb);
	} else {
		/* Fragmented */
		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);

		skb_shinfo(skb)->frag_list = NULL;

		/* NOTE(review): unlike hci_queue_acl(), the fragments are
		 * appended with the lockless __skb_queue_tail() without
		 * taking queue->lock; presumably the calling context is
		 * exclusive - confirm.
		 */
		__skb_queue_tail(queue, skb);

		do {
			skb = list; list = list->next;

			hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
			/* CONT for middle fragments, END for the last one */
			flags = hci_iso_flags_pack(list ? ISO_CONT : ISO_END,
						   0x00);
			hci_add_iso_hdr(skb, conn->handle, flags);

			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);

			__skb_queue_tail(queue, skb);
		} while (list);
	}

	bt_dev_dbg(hdev, "hcon %p queued %d", conn, skb_queue_len(queue));
}

/* Queue ISO data on the connection and kick the TX worker */
void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb)
{
	struct hci_dev *hdev = conn->hdev;

	BT_DBG("%s len %d", hdev->name, skb->len);

	hci_queue_iso(conn, &conn->data_q, skb);

	queue_work(hdev->workqueue, &hdev->tx_work);
}

/* ---- HCI TX task (outgoing data) ---- */

/* HCI Connection scheduler
 *
 * Computes how many frames @conn may send in this round: the controller's
 * free buffer count for the link type divided by @num, the number of
 * eligible connections (or channels), but never less than 1. A NULL
 * @conn yields a quota of 0.
 *
 * Callers only pass a non-NULL @conn after incrementing @num, so the
 * division below cannot be by zero.
 */
static inline void hci_quote_sent(struct hci_conn *conn, int num, int *quote)
{
	struct hci_dev *hdev;
	int cnt, q;

	if (!conn) {
		*quote = 0;
		return;
	}

	hdev = conn->hdev;

	switch (conn->type) {
	case ACL_LINK:
		cnt = hdev->acl_cnt;
		break;
	case SCO_LINK:
	case ESCO_LINK:
		cnt = hdev->sco_cnt;
		break;
	case LE_LINK:
		/* NOTE(review): this selects le_cnt on le_mtu, whereas
		 * hci_sched_le() selects it on le_pkts - confirm both are
		 * always set together.
		 */
		cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
		break;
	case CIS_LINK:
	case BIS_LINK:
	case PA_LINK:
		cnt = hdev->iso_cnt;
		break;
	default:
		cnt = 0;
		bt_dev_err(hdev, "unknown link type %d", conn->type);
	}

	q = cnt / num;
	*quote = q ? q : 1;
}

/* Pick the connection of @type with queued data that has sent the least
 * so far, and compute its quota. Returns NULL (quota 0) when none is
 * eligible (no data queued, or not in BT_CONNECTED/BT_CONFIG).
 */
static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
				     int *quote)
{
	struct hci_conn_hash *h = &hdev->conn_hash;
	struct hci_conn *conn = NULL, *c;
	unsigned int num = 0, min = ~0;

	/* We don't have to lock device here. Connections are always
	 * added and removed with TX task disabled. */

	rcu_read_lock();

	list_for_each_entry_rcu(c, &h->list, list) {
		if (c->type != type ||
		    skb_queue_empty(&c->data_q))
			continue;

		bt_dev_dbg(hdev, "hcon %p state %s queued %d", c,
			   state_to_string(c->state),
			   skb_queue_len(&c->data_q));

		if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
			continue;

		num++;

		if (c->sent < min) {
			min = c->sent;
			conn = c;
		}

		/* All connections of this type seen; stop scanning */
		if (hci_conn_num(hdev, type) == num)
			break;
	}

	rcu_read_unlock();

	hci_quote_sent(conn, num, quote);

	BT_DBG("conn %p quote %d", conn, *quote);
	return conn;
}

/* TX watchdog action: disconnect every connection of @type that still
 * has unacknowledged frames (c->sent != 0).
 */
static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn_hash *h = &hdev->conn_hash;
	struct hci_conn *c;

	bt_dev_err(hdev, "link tx timeout");

	hci_dev_lock(hdev);

	/* Kill stalled connections */
	list_for_each_entry(c, &h->list, list) {
		if (c->type == type && c->sent) {
			bt_dev_err(hdev, "killing stalled connection %pMR",
				   &c->dst);
			hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
		}
	}

	hci_dev_unlock(hdev);
}

/* Channel scheduler: like hci_low_sent() but at hci_chan granularity,
 * considering only channels whose head skb carries the highest priority
 * seen so far.
 */
static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
				      int *quote)
{
	struct hci_conn_hash *h = &hdev->conn_hash;
	struct hci_chan *chan = NULL;
	unsigned int num = 0, min = ~0, cur_prio = 0;
	struct hci_conn *conn;
	int conn_num = 0;

	BT_DBG("%s", hdev->name);

	rcu_read_lock();

	list_for_each_entry_rcu(conn, &h->list, list) {
		struct hci_chan *tmp;

		if (conn->type != type)
			continue;

		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
			continue;

		conn_num++;

		list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
			struct sk_buff *skb;

			if (skb_queue_empty(&tmp->data_q))
				continue;

			skb = skb_peek(&tmp->data_q);
			if (skb->priority < cur_prio)
				continue;

			/* Higher priority found: restart the selection */
			if (skb->priority > cur_prio) {
				num = 0;
				min = ~0;
				cur_prio = skb->priority;
			}

			num++;

			if (conn->sent < min) {
				min = conn->sent;
				chan = tmp;
			}
		}

		/* All connections of this type seen; stop scanning */
		if (hci_conn_num(hdev, type) == conn_num)
			break;
	}

	rcu_read_unlock();

	if (!chan)
		return NULL;

	/* num >= 1 here: it was incremented before chan was assigned */
	hci_quote_sent(chan->conn, num, quote);

	BT_DBG("chan %p quote %d", chan, *quote);
	return chan;
}

/* Anti-starvation pass run after a scheduling round: channels that sent
 * nothing this round get their head skb promoted to HCI_PRIO_MAX - 1;
 * channels that did send have their per-round counter reset.
 */
static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn_hash *h = &hdev->conn_hash;
	struct hci_conn *conn;
	int num = 0;

	BT_DBG("%s", hdev->name);

	rcu_read_lock();

	list_for_each_entry_rcu(conn, &h->list, list) {
		struct hci_chan *chan;

		if (conn->type != type)
			continue;

		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
			continue;

		num++;

		list_for_each_entry_rcu(chan, &conn->chan_list, list) {
			struct sk_buff *skb;

			if (chan->sent) {
				chan->sent = 0;
				continue;
			}

			if (skb_queue_empty(&chan->data_q))
				continue;

			skb = skb_peek(&chan->data_q);
			if (skb->priority >= HCI_PRIO_MAX - 1)
				continue;

			skb->priority = HCI_PRIO_MAX - 1;

			BT_DBG("chan %p skb %p promoted to %d", chan, skb,
			       skb->priority);
		}

		if (hci_conn_num(hdev, type) == num)
			break;
	}

	rcu_read_unlock();

}

/* Fire the TX watchdog for @type when the controller has reported no
 * free buffers (@cnt == 0) for longer than the type's timeout since the
 * last transmission. Skipped for unconfigured devices and unknown types.
 */
static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type)
{
	unsigned long timeout;

	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
		return;

	switch (type) {
	case ACL_LINK:
		/* tx timeout must be longer than maximum link supervision
		 * timeout (40.9 seconds)
		 */
		timeout = hdev->acl_last_tx + HCI_ACL_TX_TIMEOUT;
		break;
	case LE_LINK:
		/* tx timeout must be longer than maximum link supervision
		 * timeout (40.9 seconds)
		 */
		timeout = hdev->le_last_tx + HCI_ACL_TX_TIMEOUT;
		break;
	case CIS_LINK:
	case BIS_LINK:
	case PA_LINK:
		/* tx timeout must be longer than the maximum transport latency
		 * (8.388607 seconds)
		 */
		timeout = hdev->iso_last_tx + HCI_ISO_TX_TIMEOUT;
		break;
	default:
		return;
	}

	if (!cnt && time_after(jiffies, timeout))
		hci_link_tx_to(hdev, type);
}

/* Schedule SCO
 *
 * Sends queued SCO/eSCO frames, @type selecting which. Without controller
 * flow control the local copy @pkts bounds one round; with it, sco_cnt is
 * the controller's free buffer count.
 */
static void hci_sched_sco(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn *conn;
	struct sk_buff *skb;
	int quote, *cnt;
	unsigned int pkts = hdev->sco_pkts;

	bt_dev_dbg(hdev, "type %u", type);

	if (!hci_conn_num(hdev, type) || !pkts)
		return;

	/* Use sco_pkts if flow control has not been enabled which will limit
	 * the amount of buffer sent in a row.
	 */
	if (!hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
		cnt = &pkts;
	else
		cnt = &hdev->sco_cnt;

	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
			BT_DBG("skb %p len %d", skb, skb->len);
			hci_send_conn_frame(hdev, conn, skb);

			/* Wrap the per-connection counter instead of saturating */
			conn->sent++;
			if (conn->sent == ~0)
				conn->sent = 0;
			(*cnt)--;
		}
	}

	/* Rescheduled if all packets were sent and flow control is not enabled
	 * as there could be more packets queued that could not be sent and
	 * since no HCI_EV_NUM_COMP_PKTS event will be generated the reschedule
	 * needs to be forced.
	 */
	if (!pkts && !hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
		queue_work(hdev->workqueue, &hdev->tx_work);
}

/* Send ACL frames while the controller has free ACL buffers.
 *
 * Each selected channel sends up to its quota of frames at the priority
 * of its head skb; SCO/eSCO is serviced after every frame so voice data
 * is not starved. Priorities are recalculated if anything was sent.
 */
static void hci_sched_acl_pkt(struct hci_dev *hdev)
{
	unsigned int cnt = hdev->acl_cnt;
	struct hci_chan *chan;
	struct sk_buff *skb;
	int quote;

	__check_timeout(hdev, cnt, ACL_LINK);

	while (hdev->acl_cnt &&
	       (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
		u32 priority = (skb_peek(&chan->data_q))->priority;
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
			       skb->len, skb->priority);

			/* Stop if priority has changed */
			if (skb->priority < priority)
				break;

			skb = skb_dequeue(&chan->data_q);

			hci_conn_enter_active_mode(chan->conn,
						   bt_cb(skb)->force_active);

			hci_send_conn_frame(hdev, chan->conn, skb);
			hdev->acl_last_tx = jiffies;

			hdev->acl_cnt--;
			chan->sent++;
			chan->conn->sent++;

			/* Send pending SCO packets right away */
			hci_sched_sco(hdev, SCO_LINK);
			hci_sched_sco(hdev, ESCO_LINK);
		}
	}

	if (cnt != hdev->acl_cnt)
		hci_prio_recalculate(hdev, ACL_LINK);
}

/* Schedule ACL: no-op when there are no ACL connections */
static void hci_sched_acl(struct hci_dev *hdev)
{
BT_DBG("%s", hdev->name);

	/* No ACL link over BR/EDR controller */
	if (!hci_conn_num(hdev, ACL_LINK))
		return;

	hci_sched_acl_pkt(hdev);
}

/* Schedule LE: same structure as hci_sched_acl_pkt() but draws from
 * le_cnt when the controller has dedicated LE buffers (le_pkts != 0),
 * otherwise from the shared acl_cnt.
 */
static void hci_sched_le(struct hci_dev *hdev)
{
	struct hci_chan *chan;
	struct sk_buff *skb;
	int quote, *cnt, tmp;

	BT_DBG("%s", hdev->name);

	if (!hci_conn_num(hdev, LE_LINK))
		return;

	/* NOTE(review): hci_quote_sent() makes the same choice on le_mtu,
	 * not le_pkts - confirm both fields are always set together.
	 */
	cnt = hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt;

	__check_timeout(hdev, *cnt, LE_LINK);

	tmp = *cnt;
	while (*cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
		u32 priority = (skb_peek(&chan->data_q))->priority;
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
			       skb->len, skb->priority);

			/* Stop if priority has changed */
			if (skb->priority < priority)
				break;

			skb = skb_dequeue(&chan->data_q);

			hci_send_conn_frame(hdev, chan->conn, skb);
			hdev->le_last_tx = jiffies;

			(*cnt)--;
			chan->sent++;
			chan->conn->sent++;

			/* Send pending SCO packets right away */
			hci_sched_sco(hdev, SCO_LINK);
			hci_sched_sco(hdev, ESCO_LINK);
		}
	}

	if (*cnt != tmp)
		hci_prio_recalculate(hdev, LE_LINK);
}

/* Schedule iso
 *
 * Sends queued ISO frames for connections of @type (CIS, BIS or PA)
 * while iso_cnt reports free controller buffers.
 */
static void hci_sched_iso(struct hci_dev *hdev, __u8 type)
{
	struct hci_conn *conn;
	struct sk_buff *skb;
	int quote, *cnt;

	BT_DBG("%s", hdev->name);

	if (!hci_conn_num(hdev, type))
		return;

	cnt = &hdev->iso_cnt;

	__check_timeout(hdev, *cnt, type);

	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
			BT_DBG("skb %p len %d", skb, skb->len);

			hci_send_conn_frame(hdev, conn, skb);
			hdev->iso_last_tx = jiffies;

			/* Wrap the per-connection counter instead of saturating */
			conn->sent++;
			if (conn->sent == ~0)
				conn->sent = 0;
			(*cnt)--;
		}
	}
}

/* TX worker: runs the per-link-type schedulers (SCO first, then ISO,
 * ACL and LE) and flushes raw_q. In user-channel mode only raw_q is
 * serviced, since userspace owns the controller.
 */
static void hci_tx_work(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
	struct sk_buff *skb;

	BT_DBG("%s acl %d sco %d le %d iso %d", hdev->name, hdev->acl_cnt,
	       hdev->sco_cnt, hdev->le_cnt, hdev->iso_cnt);

	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
		/* Schedule queues and send stuff to HCI driver */
		hci_sched_sco(hdev, SCO_LINK);
		hci_sched_sco(hdev, ESCO_LINK);
		hci_sched_iso(hdev, CIS_LINK);
		hci_sched_iso(hdev, BIS_LINK);
		hci_sched_iso(hdev, PA_LINK);
		hci_sched_acl(hdev);
		hci_sched_le(hdev);
	}

	/* Send next queued raw (unknown type) packet */
	while ((skb = skb_dequeue(&hdev->raw_q)))
		hci_send_frame(hdev, skb);
}

/* ----- HCI RX task (incoming data processing) ----- */

/* ACL data packet
 *
 * Strips the ACL header (dropping runt frames), splits handle and flags,
 * and hands the payload to L2CAP. The skb is consumed on every path.
 */
static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_acl_hdr *hdr;
	__u16 handle, flags;
	int err;

	/* skb_pull_data() returns NULL if the skb is shorter than the header */
	hdr = skb_pull_data(skb, sizeof(*hdr));
	if (!hdr) {
		bt_dev_err(hdev, "ACL packet too small");
		kfree_skb(skb);
		return;
	}

	handle = __le16_to_cpu(hdr->handle);
	flags = hci_flags(handle);
	handle = hci_handle(handle);

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
		   handle, flags);

	hdev->stat.acl_rx++;

	err = l2cap_recv_acldata(hdev, handle, skb, flags);
	/* NOTE(review): unlike the SCO/ISO paths below this message is not
	 * rate limited, so a stream of frames with unknown handles can flood
	 * the log.
	 */
	if (err == -ENOENT)
		bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
			   handle);
	else if (err)
		bt_dev_dbg(hdev, "ACL packet recv for handle %d failed: %d",
			   handle, err);
}

/* SCO data packet
 *
 * Strips the SCO header, records the two packet-status bits from the
 * flags on the skb and hands the payload to the SCO layer.
 */
static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_sco_hdr *hdr;
	__u16 handle, flags;
	int err;

	hdr = skb_pull_data(skb, sizeof(*hdr));
	if (!hdr) {
		bt_dev_err(hdev, "SCO packet too small");
		kfree_skb(skb);
		return;
	}

	handle = __le16_to_cpu(hdr->handle);
	flags = hci_flags(handle);
	handle = hci_handle(handle);

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
		   handle, flags);

	hdev->stat.sco_rx++;

	/* Low two flag bits carry the packet status */
	hci_skb_pkt_status(skb) = flags & 0x03;

	err = sco_recv_scodata(hdev, handle, skb);
	if (err == -ENOENT)
		bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d",
				       handle);
	else if (err)
		bt_dev_dbg(hdev, "SCO packet recv for handle %d failed: %d",
			   handle, err);
}

/* ISO data packet: strips the ISO header and hands the payload and flags
 * to the ISO layer. No RX statistic is kept for ISO, unlike ACL/SCO.
 */
static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct hci_iso_hdr *hdr;
	__u16 handle, flags;
	int err;

	hdr = skb_pull_data(skb, sizeof(*hdr));
	if (!hdr) {
		bt_dev_err(hdev, "ISO packet too small");
		kfree_skb(skb);
		return;
	}

	handle = __le16_to_cpu(hdr->handle);
	flags = hci_flags(handle);
	handle = hci_handle(handle);

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
		   handle, flags);

	err = iso_recv(hdev, handle, skb, flags);
	if (err == -ENOENT)
		bt_dev_err_ratelimited(hdev, "ISO packet for unknown connection handle %d",
				       handle);
	else if (err)
		bt_dev_dbg(hdev, "ISO packet recv for handle %d failed: %d",
			   handle, err);
}

/* True when the command queue is empty or its head starts a new request,
 * i.e. the previous request has no more commands pending.
 */
static bool hci_req_is_complete(struct hci_dev *hdev)
{
	struct sk_buff *skb;

	skb = skb_peek(&hdev->cmd_q);
	if (!skb)
		return true;

	return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
}

static void hci_resend_last(struct hci_dev *hdev)
{
	struct hci_command_hdr *sent;
	struct sk_buff *skb;
	u16 opcode;

	if (!hdev->sent_cmd)
		return;

	sent = (void *) hdev->sent_cmd->data;
	opcode =
__le16_to_cpu(sent->opcode); 3911 if (opcode == HCI_OP_RESET) 3912 return; 3913 3914 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); 3915 if (!skb) 3916 return; 3917 3918 skb_queue_head(&hdev->cmd_q, skb); 3919 queue_work(hdev->workqueue, &hdev->cmd_work); 3920 } 3921 3922 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status, 3923 hci_req_complete_t *req_complete, 3924 hci_req_complete_skb_t *req_complete_skb) 3925 { 3926 struct sk_buff *skb; 3927 unsigned long flags; 3928 3929 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status); 3930 3931 /* If the completed command doesn't match the last one that was 3932 * sent we need to do special handling of it. 3933 */ 3934 if (!hci_sent_cmd_data(hdev, opcode)) { 3935 /* Some CSR based controllers generate a spontaneous 3936 * reset complete event during init and any pending 3937 * command will never be completed. In such a case we 3938 * need to resend whatever was the last sent 3939 * command. 3940 */ 3941 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET) 3942 hci_resend_last(hdev); 3943 3944 return; 3945 } 3946 3947 /* If we reach this point this event matches the last command sent */ 3948 hci_dev_clear_flag(hdev, HCI_CMD_PENDING); 3949 3950 /* If the command succeeded and there's still more commands in 3951 * this request the request is not yet complete. 3952 */ 3953 if (!status && !hci_req_is_complete(hdev)) 3954 return; 3955 3956 skb = hdev->req_skb; 3957 3958 /* If this was the last command in a request the complete 3959 * callback would be found in hdev->req_skb instead of the 3960 * command queue (hdev->cmd_q). 
3961 */ 3962 if (skb && bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) { 3963 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; 3964 return; 3965 } 3966 3967 if (skb && bt_cb(skb)->hci.req_complete) { 3968 *req_complete = bt_cb(skb)->hci.req_complete; 3969 return; 3970 } 3971 3972 /* Remove all pending commands belonging to this request */ 3973 spin_lock_irqsave(&hdev->cmd_q.lock, flags); 3974 while ((skb = __skb_dequeue(&hdev->cmd_q))) { 3975 if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) { 3976 __skb_queue_head(&hdev->cmd_q, skb); 3977 break; 3978 } 3979 3980 if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) 3981 *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; 3982 else 3983 *req_complete = bt_cb(skb)->hci.req_complete; 3984 dev_kfree_skb_irq(skb); 3985 } 3986 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags); 3987 } 3988 3989 static void hci_rx_work(struct work_struct *work) 3990 { 3991 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work); 3992 struct sk_buff *skb; 3993 3994 BT_DBG("%s", hdev->name); 3995 3996 /* The kcov_remote functions used for collecting packet parsing 3997 * coverage information from this background thread and associate 3998 * the coverage with the syscall's thread which originally injected 3999 * the packet. This helps fuzzing the kernel. 4000 */ 4001 for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) { 4002 kcov_remote_start_common(skb_get_kcov_handle(skb)); 4003 4004 /* Send copy to monitor */ 4005 hci_send_to_monitor(hdev, skb); 4006 4007 if (atomic_read(&hdev->promisc)) { 4008 /* Send copy to the sockets */ 4009 hci_send_to_sock(hdev, skb); 4010 } 4011 4012 /* If the device has been opened in HCI_USER_CHANNEL, 4013 * the userspace has exclusive access to device. 4014 * When device is HCI_INIT, we still need to process 4015 * the data packets to the driver in order 4016 * to complete its setup(). 
4017 */ 4018 if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && 4019 !test_bit(HCI_INIT, &hdev->flags)) { 4020 kfree_skb(skb); 4021 continue; 4022 } 4023 4024 if (test_bit(HCI_INIT, &hdev->flags)) { 4025 /* Don't process data packets in this states. */ 4026 switch (hci_skb_pkt_type(skb)) { 4027 case HCI_ACLDATA_PKT: 4028 case HCI_SCODATA_PKT: 4029 case HCI_ISODATA_PKT: 4030 kfree_skb(skb); 4031 continue; 4032 } 4033 } 4034 4035 /* Process frame */ 4036 switch (hci_skb_pkt_type(skb)) { 4037 case HCI_EVENT_PKT: 4038 BT_DBG("%s Event packet", hdev->name); 4039 hci_event_packet(hdev, skb); 4040 break; 4041 4042 case HCI_ACLDATA_PKT: 4043 BT_DBG("%s ACL data packet", hdev->name); 4044 hci_acldata_packet(hdev, skb); 4045 break; 4046 4047 case HCI_SCODATA_PKT: 4048 BT_DBG("%s SCO data packet", hdev->name); 4049 hci_scodata_packet(hdev, skb); 4050 break; 4051 4052 case HCI_ISODATA_PKT: 4053 BT_DBG("%s ISO data packet", hdev->name); 4054 hci_isodata_packet(hdev, skb); 4055 break; 4056 4057 default: 4058 kfree_skb(skb); 4059 break; 4060 } 4061 } 4062 } 4063 4064 static int hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) 4065 { 4066 int err; 4067 4068 bt_dev_dbg(hdev, "skb %p", skb); 4069 4070 kfree_skb(hdev->sent_cmd); 4071 4072 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL); 4073 if (!hdev->sent_cmd) { 4074 skb_queue_head(&hdev->cmd_q, skb); 4075 queue_work(hdev->workqueue, &hdev->cmd_work); 4076 return -EINVAL; 4077 } 4078 4079 if (hci_skb_opcode(skb) != HCI_OP_NOP) { 4080 err = hci_send_frame(hdev, skb); 4081 if (err < 0) { 4082 hci_cmd_sync_cancel_sync(hdev, -err); 4083 return err; 4084 } 4085 atomic_dec(&hdev->cmd_cnt); 4086 } else { 4087 err = -ENODATA; 4088 kfree_skb(skb); 4089 } 4090 4091 if (READ_ONCE(hdev->req_status) == HCI_REQ_PEND && 4092 !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) { 4093 kfree_skb(hdev->req_skb); 4094 hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); 4095 } 4096 4097 return err; 4098 } 4099 4100 static void 
hci_cmd_work(struct work_struct *work) 4101 { 4102 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work); 4103 struct sk_buff *skb; 4104 int err; 4105 4106 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name, 4107 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q)); 4108 4109 /* Send queued commands */ 4110 if (atomic_read(&hdev->cmd_cnt)) { 4111 skb = skb_dequeue(&hdev->cmd_q); 4112 if (!skb) 4113 return; 4114 4115 err = hci_send_cmd_sync(hdev, skb); 4116 if (err) 4117 return; 4118 4119 rcu_read_lock(); 4120 if (test_bit(HCI_RESET, &hdev->flags) || 4121 hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) 4122 cancel_delayed_work(&hdev->cmd_timer); 4123 else 4124 queue_delayed_work(hdev->workqueue, &hdev->cmd_timer, 4125 HCI_CMD_TIMEOUT); 4126 rcu_read_unlock(); 4127 } 4128 } 4129