xref: /linux/net/bluetooth/hci_core.c (revision c4ee0af3fa0dc65f690fc908f02b8355f9576ea0)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2011 ProFUSION Embedded Systems
5 
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11 
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25 
26 /* Bluetooth HCI core. */
27 
28 #include <linux/export.h>
29 #include <linux/idr.h>
30 #include <linux/rfkill.h>
31 #include <linux/debugfs.h>
32 #include <asm/unaligned.h>
33 
34 #include <net/bluetooth/bluetooth.h>
35 #include <net/bluetooth/hci_core.h>
36 
37 static void hci_rx_work(struct work_struct *work);
38 static void hci_cmd_work(struct work_struct *work);
39 static void hci_tx_work(struct work_struct *work);
40 
41 /* HCI device list */
42 LIST_HEAD(hci_dev_list);
43 DEFINE_RWLOCK(hci_dev_list_lock);
44 
45 /* HCI callback list */
46 LIST_HEAD(hci_cb_list);
47 DEFINE_RWLOCK(hci_cb_list_lock);
48 
49 /* HCI ID Numbering */
50 static DEFINE_IDA(hci_index_ida);
51 
52 /* ---- HCI notifications ---- */
53 
54 static void hci_notify(struct hci_dev *hdev, int event)
55 {
56 	hci_sock_dev_event(hdev, event);
57 }
58 
59 /* ---- HCI debugfs entries ---- */
60 
61 static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
62 			     size_t count, loff_t *ppos)
63 {
64 	struct hci_dev *hdev = file->private_data;
65 	char buf[3];
66 
67 	buf[0] = test_bit(HCI_DUT_MODE, &hdev->dev_flags) ? 'Y': 'N';
68 	buf[1] = '\n';
69 	buf[2] = '\0';
70 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
71 }
72 
73 static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
74 			      size_t count, loff_t *ppos)
75 {
76 	struct hci_dev *hdev = file->private_data;
77 	struct sk_buff *skb;
78 	char buf[32];
79 	size_t buf_size = min(count, (sizeof(buf)-1));
80 	bool enable;
81 	int err;
82 
83 	if (!test_bit(HCI_UP, &hdev->flags))
84 		return -ENETDOWN;
85 
86 	if (copy_from_user(buf, user_buf, buf_size))
87 		return -EFAULT;
88 
89 	buf[buf_size] = '\0';
90 	if (strtobool(buf, &enable))
91 		return -EINVAL;
92 
93 	if (enable == test_bit(HCI_DUT_MODE, &hdev->dev_flags))
94 		return -EALREADY;
95 
96 	hci_req_lock(hdev);
97 	if (enable)
98 		skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
99 				     HCI_CMD_TIMEOUT);
100 	else
101 		skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
102 				     HCI_CMD_TIMEOUT);
103 	hci_req_unlock(hdev);
104 
105 	if (IS_ERR(skb))
106 		return PTR_ERR(skb);
107 
108 	err = -bt_to_errno(skb->data[0]);
109 	kfree_skb(skb);
110 
111 	if (err < 0)
112 		return err;
113 
114 	change_bit(HCI_DUT_MODE, &hdev->dev_flags);
115 
116 	return count;
117 }
118 
119 static const struct file_operations dut_mode_fops = {
120 	.open		= simple_open,
121 	.read		= dut_mode_read,
122 	.write		= dut_mode_write,
123 	.llseek		= default_llseek,
124 };
125 
126 static int features_show(struct seq_file *f, void *ptr)
127 {
128 	struct hci_dev *hdev = f->private;
129 	u8 p;
130 
131 	hci_dev_lock(hdev);
132 	for (p = 0; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
133 		seq_printf(f, "%2u: 0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x "
134 			   "0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x\n", p,
135 			   hdev->features[p][0], hdev->features[p][1],
136 			   hdev->features[p][2], hdev->features[p][3],
137 			   hdev->features[p][4], hdev->features[p][5],
138 			   hdev->features[p][6], hdev->features[p][7]);
139 	}
140 	if (lmp_le_capable(hdev))
141 		seq_printf(f, "LE: 0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x "
142 			   "0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x\n",
143 			   hdev->le_features[0], hdev->le_features[1],
144 			   hdev->le_features[2], hdev->le_features[3],
145 			   hdev->le_features[4], hdev->le_features[5],
146 			   hdev->le_features[6], hdev->le_features[7]);
147 	hci_dev_unlock(hdev);
148 
149 	return 0;
150 }
151 
152 static int features_open(struct inode *inode, struct file *file)
153 {
154 	return single_open(file, features_show, inode->i_private);
155 }
156 
157 static const struct file_operations features_fops = {
158 	.open		= features_open,
159 	.read		= seq_read,
160 	.llseek		= seq_lseek,
161 	.release	= single_release,
162 };
163 
164 static int blacklist_show(struct seq_file *f, void *p)
165 {
166 	struct hci_dev *hdev = f->private;
167 	struct bdaddr_list *b;
168 
169 	hci_dev_lock(hdev);
170 	list_for_each_entry(b, &hdev->blacklist, list)
171 		seq_printf(f, "%pMR (type %u)\n", &b->bdaddr, b->bdaddr_type);
172 	hci_dev_unlock(hdev);
173 
174 	return 0;
175 }
176 
177 static int blacklist_open(struct inode *inode, struct file *file)
178 {
179 	return single_open(file, blacklist_show, inode->i_private);
180 }
181 
182 static const struct file_operations blacklist_fops = {
183 	.open		= blacklist_open,
184 	.read		= seq_read,
185 	.llseek		= seq_lseek,
186 	.release	= single_release,
187 };
188 
189 static int uuids_show(struct seq_file *f, void *p)
190 {
191 	struct hci_dev *hdev = f->private;
192 	struct bt_uuid *uuid;
193 
194 	hci_dev_lock(hdev);
195 	list_for_each_entry(uuid, &hdev->uuids, list) {
196 		u8 i, val[16];
197 
198 		/* The Bluetooth UUID values are stored in big endian,
199 		 * but with reversed byte order. So convert them into
200 		 * the right order for the %pUb modifier.
201 		 */
202 		for (i = 0; i < 16; i++)
203 			val[i] = uuid->uuid[15 - i];
204 
205 		seq_printf(f, "%pUb\n", val);
206 	}
207 	hci_dev_unlock(hdev);
208 
209 	return 0;
210 }
211 
212 static int uuids_open(struct inode *inode, struct file *file)
213 {
214 	return single_open(file, uuids_show, inode->i_private);
215 }
216 
217 static const struct file_operations uuids_fops = {
218 	.open		= uuids_open,
219 	.read		= seq_read,
220 	.llseek		= seq_lseek,
221 	.release	= single_release,
222 };
223 
224 static int inquiry_cache_show(struct seq_file *f, void *p)
225 {
226 	struct hci_dev *hdev = f->private;
227 	struct discovery_state *cache = &hdev->discovery;
228 	struct inquiry_entry *e;
229 
230 	hci_dev_lock(hdev);
231 
232 	list_for_each_entry(e, &cache->all, all) {
233 		struct inquiry_data *data = &e->data;
234 		seq_printf(f, "%pMR %d %d %d 0x%.2x%.2x%.2x 0x%.4x %d %d %u\n",
235 			   &data->bdaddr,
236 			   data->pscan_rep_mode, data->pscan_period_mode,
237 			   data->pscan_mode, data->dev_class[2],
238 			   data->dev_class[1], data->dev_class[0],
239 			   __le16_to_cpu(data->clock_offset),
240 			   data->rssi, data->ssp_mode, e->timestamp);
241 	}
242 
243 	hci_dev_unlock(hdev);
244 
245 	return 0;
246 }
247 
248 static int inquiry_cache_open(struct inode *inode, struct file *file)
249 {
250 	return single_open(file, inquiry_cache_show, inode->i_private);
251 }
252 
253 static const struct file_operations inquiry_cache_fops = {
254 	.open		= inquiry_cache_open,
255 	.read		= seq_read,
256 	.llseek		= seq_lseek,
257 	.release	= single_release,
258 };
259 
260 static int link_keys_show(struct seq_file *f, void *ptr)
261 {
262 	struct hci_dev *hdev = f->private;
263 	struct list_head *p, *n;
264 
265 	hci_dev_lock(hdev);
266 	list_for_each_safe(p, n, &hdev->link_keys) {
267 		struct link_key *key = list_entry(p, struct link_key, list);
268 		seq_printf(f, "%pMR %u %*phN %u\n", &key->bdaddr, key->type,
269 			   HCI_LINK_KEY_SIZE, key->val, key->pin_len);
270 	}
271 	hci_dev_unlock(hdev);
272 
273 	return 0;
274 }
275 
276 static int link_keys_open(struct inode *inode, struct file *file)
277 {
278 	return single_open(file, link_keys_show, inode->i_private);
279 }
280 
281 static const struct file_operations link_keys_fops = {
282 	.open		= link_keys_open,
283 	.read		= seq_read,
284 	.llseek		= seq_lseek,
285 	.release	= single_release,
286 };
287 
288 static ssize_t use_debug_keys_read(struct file *file, char __user *user_buf,
289 				   size_t count, loff_t *ppos)
290 {
291 	struct hci_dev *hdev = file->private_data;
292 	char buf[3];
293 
294 	buf[0] = test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) ? 'Y': 'N';
295 	buf[1] = '\n';
296 	buf[2] = '\0';
297 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
298 }
299 
300 static const struct file_operations use_debug_keys_fops = {
301 	.open		= simple_open,
302 	.read		= use_debug_keys_read,
303 	.llseek		= default_llseek,
304 };
305 
306 static int dev_class_show(struct seq_file *f, void *ptr)
307 {
308 	struct hci_dev *hdev = f->private;
309 
310 	hci_dev_lock(hdev);
311 	seq_printf(f, "0x%.2x%.2x%.2x\n", hdev->dev_class[2],
312 		   hdev->dev_class[1], hdev->dev_class[0]);
313 	hci_dev_unlock(hdev);
314 
315 	return 0;
316 }
317 
318 static int dev_class_open(struct inode *inode, struct file *file)
319 {
320 	return single_open(file, dev_class_show, inode->i_private);
321 }
322 
323 static const struct file_operations dev_class_fops = {
324 	.open		= dev_class_open,
325 	.read		= seq_read,
326 	.llseek		= seq_lseek,
327 	.release	= single_release,
328 };
329 
330 static int voice_setting_get(void *data, u64 *val)
331 {
332 	struct hci_dev *hdev = data;
333 
334 	hci_dev_lock(hdev);
335 	*val = hdev->voice_setting;
336 	hci_dev_unlock(hdev);
337 
338 	return 0;
339 }
340 
341 DEFINE_SIMPLE_ATTRIBUTE(voice_setting_fops, voice_setting_get,
342 			NULL, "0x%4.4llx\n");
343 
344 static int auto_accept_delay_set(void *data, u64 val)
345 {
346 	struct hci_dev *hdev = data;
347 
348 	hci_dev_lock(hdev);
349 	hdev->auto_accept_delay = val;
350 	hci_dev_unlock(hdev);
351 
352 	return 0;
353 }
354 
355 static int auto_accept_delay_get(void *data, u64 *val)
356 {
357 	struct hci_dev *hdev = data;
358 
359 	hci_dev_lock(hdev);
360 	*val = hdev->auto_accept_delay;
361 	hci_dev_unlock(hdev);
362 
363 	return 0;
364 }
365 
366 DEFINE_SIMPLE_ATTRIBUTE(auto_accept_delay_fops, auto_accept_delay_get,
367 			auto_accept_delay_set, "%llu\n");
368 
369 static int ssp_debug_mode_set(void *data, u64 val)
370 {
371 	struct hci_dev *hdev = data;
372 	struct sk_buff *skb;
373 	__u8 mode;
374 	int err;
375 
376 	if (val != 0 && val != 1)
377 		return -EINVAL;
378 
379 	if (!test_bit(HCI_UP, &hdev->flags))
380 		return -ENETDOWN;
381 
382 	hci_req_lock(hdev);
383 	mode = val;
384 	skb = __hci_cmd_sync(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE, sizeof(mode),
385 			     &mode, HCI_CMD_TIMEOUT);
386 	hci_req_unlock(hdev);
387 
388 	if (IS_ERR(skb))
389 		return PTR_ERR(skb);
390 
391 	err = -bt_to_errno(skb->data[0]);
392 	kfree_skb(skb);
393 
394 	if (err < 0)
395 		return err;
396 
397 	hci_dev_lock(hdev);
398 	hdev->ssp_debug_mode = val;
399 	hci_dev_unlock(hdev);
400 
401 	return 0;
402 }
403 
404 static int ssp_debug_mode_get(void *data, u64 *val)
405 {
406 	struct hci_dev *hdev = data;
407 
408 	hci_dev_lock(hdev);
409 	*val = hdev->ssp_debug_mode;
410 	hci_dev_unlock(hdev);
411 
412 	return 0;
413 }
414 
415 DEFINE_SIMPLE_ATTRIBUTE(ssp_debug_mode_fops, ssp_debug_mode_get,
416 			ssp_debug_mode_set, "%llu\n");
417 
418 static int idle_timeout_set(void *data, u64 val)
419 {
420 	struct hci_dev *hdev = data;
421 
422 	if (val != 0 && (val < 500 || val > 3600000))
423 		return -EINVAL;
424 
425 	hci_dev_lock(hdev);
426 	hdev->idle_timeout = val;
427 	hci_dev_unlock(hdev);
428 
429 	return 0;
430 }
431 
432 static int idle_timeout_get(void *data, u64 *val)
433 {
434 	struct hci_dev *hdev = data;
435 
436 	hci_dev_lock(hdev);
437 	*val = hdev->idle_timeout;
438 	hci_dev_unlock(hdev);
439 
440 	return 0;
441 }
442 
443 DEFINE_SIMPLE_ATTRIBUTE(idle_timeout_fops, idle_timeout_get,
444 			idle_timeout_set, "%llu\n");
445 
446 static int sniff_min_interval_set(void *data, u64 val)
447 {
448 	struct hci_dev *hdev = data;
449 
450 	if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
451 		return -EINVAL;
452 
453 	hci_dev_lock(hdev);
454 	hdev->sniff_min_interval = val;
455 	hci_dev_unlock(hdev);
456 
457 	return 0;
458 }
459 
460 static int sniff_min_interval_get(void *data, u64 *val)
461 {
462 	struct hci_dev *hdev = data;
463 
464 	hci_dev_lock(hdev);
465 	*val = hdev->sniff_min_interval;
466 	hci_dev_unlock(hdev);
467 
468 	return 0;
469 }
470 
471 DEFINE_SIMPLE_ATTRIBUTE(sniff_min_interval_fops, sniff_min_interval_get,
472 			sniff_min_interval_set, "%llu\n");
473 
474 static int sniff_max_interval_set(void *data, u64 val)
475 {
476 	struct hci_dev *hdev = data;
477 
478 	if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
479 		return -EINVAL;
480 
481 	hci_dev_lock(hdev);
482 	hdev->sniff_max_interval = val;
483 	hci_dev_unlock(hdev);
484 
485 	return 0;
486 }
487 
488 static int sniff_max_interval_get(void *data, u64 *val)
489 {
490 	struct hci_dev *hdev = data;
491 
492 	hci_dev_lock(hdev);
493 	*val = hdev->sniff_max_interval;
494 	hci_dev_unlock(hdev);
495 
496 	return 0;
497 }
498 
499 DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
500 			sniff_max_interval_set, "%llu\n");
501 
502 static int static_address_show(struct seq_file *f, void *p)
503 {
504 	struct hci_dev *hdev = f->private;
505 
506 	hci_dev_lock(hdev);
507 	seq_printf(f, "%pMR\n", &hdev->static_addr);
508 	hci_dev_unlock(hdev);
509 
510 	return 0;
511 }
512 
513 static int static_address_open(struct inode *inode, struct file *file)
514 {
515 	return single_open(file, static_address_show, inode->i_private);
516 }
517 
518 static const struct file_operations static_address_fops = {
519 	.open		= static_address_open,
520 	.read		= seq_read,
521 	.llseek		= seq_lseek,
522 	.release	= single_release,
523 };
524 
525 static int own_address_type_set(void *data, u64 val)
526 {
527 	struct hci_dev *hdev = data;
528 
529 	if (val != 0 && val != 1)
530 		return -EINVAL;
531 
532 	hci_dev_lock(hdev);
533 	hdev->own_addr_type = val;
534 	hci_dev_unlock(hdev);
535 
536 	return 0;
537 }
538 
539 static int own_address_type_get(void *data, u64 *val)
540 {
541 	struct hci_dev *hdev = data;
542 
543 	hci_dev_lock(hdev);
544 	*val = hdev->own_addr_type;
545 	hci_dev_unlock(hdev);
546 
547 	return 0;
548 }
549 
550 DEFINE_SIMPLE_ATTRIBUTE(own_address_type_fops, own_address_type_get,
551 			own_address_type_set, "%llu\n");
552 
553 static int long_term_keys_show(struct seq_file *f, void *ptr)
554 {
555 	struct hci_dev *hdev = f->private;
556 	struct list_head *p, *n;
557 
558 	hci_dev_lock(hdev);
559 	list_for_each_safe(p, n, &hdev->link_keys) {
560 		struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list);
561 		seq_printf(f, "%pMR (type %u) %u %u %u %.4x %*phN %*phN\\n",
562 			   &ltk->bdaddr, ltk->bdaddr_type, ltk->authenticated,
563 			   ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv),
564 			   8, ltk->rand, 16, ltk->val);
565 	}
566 	hci_dev_unlock(hdev);
567 
568 	return 0;
569 }
570 
571 static int long_term_keys_open(struct inode *inode, struct file *file)
572 {
573 	return single_open(file, long_term_keys_show, inode->i_private);
574 }
575 
576 static const struct file_operations long_term_keys_fops = {
577 	.open		= long_term_keys_open,
578 	.read		= seq_read,
579 	.llseek		= seq_lseek,
580 	.release	= single_release,
581 };
582 
583 static int conn_min_interval_set(void *data, u64 val)
584 {
585 	struct hci_dev *hdev = data;
586 
587 	if (val < 0x0006 || val > 0x0c80 || val > hdev->le_conn_max_interval)
588 		return -EINVAL;
589 
590 	hci_dev_lock(hdev);
591 	hdev->le_conn_min_interval = val;
592 	hci_dev_unlock(hdev);
593 
594 	return 0;
595 }
596 
597 static int conn_min_interval_get(void *data, u64 *val)
598 {
599 	struct hci_dev *hdev = data;
600 
601 	hci_dev_lock(hdev);
602 	*val = hdev->le_conn_min_interval;
603 	hci_dev_unlock(hdev);
604 
605 	return 0;
606 }
607 
608 DEFINE_SIMPLE_ATTRIBUTE(conn_min_interval_fops, conn_min_interval_get,
609 			conn_min_interval_set, "%llu\n");
610 
611 static int conn_max_interval_set(void *data, u64 val)
612 {
613 	struct hci_dev *hdev = data;
614 
615 	if (val < 0x0006 || val > 0x0c80 || val < hdev->le_conn_min_interval)
616 		return -EINVAL;
617 
618 	hci_dev_lock(hdev);
619 	hdev->le_conn_max_interval = val;
620 	hci_dev_unlock(hdev);
621 
622 	return 0;
623 }
624 
625 static int conn_max_interval_get(void *data, u64 *val)
626 {
627 	struct hci_dev *hdev = data;
628 
629 	hci_dev_lock(hdev);
630 	*val = hdev->le_conn_max_interval;
631 	hci_dev_unlock(hdev);
632 
633 	return 0;
634 }
635 
636 DEFINE_SIMPLE_ATTRIBUTE(conn_max_interval_fops, conn_max_interval_get,
637 			conn_max_interval_set, "%llu\n");
638 
639 /* ---- HCI requests ---- */
640 
641 static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
642 {
643 	BT_DBG("%s result 0x%2.2x", hdev->name, result);
644 
645 	if (hdev->req_status == HCI_REQ_PEND) {
646 		hdev->req_result = result;
647 		hdev->req_status = HCI_REQ_DONE;
648 		wake_up_interruptible(&hdev->req_wait_q);
649 	}
650 }
651 
652 static void hci_req_cancel(struct hci_dev *hdev, int err)
653 {
654 	BT_DBG("%s err 0x%2.2x", hdev->name, err);
655 
656 	if (hdev->req_status == HCI_REQ_PEND) {
657 		hdev->req_result = err;
658 		hdev->req_status = HCI_REQ_CANCELED;
659 		wake_up_interruptible(&hdev->req_wait_q);
660 	}
661 }
662 
663 static struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
664 					    u8 event)
665 {
666 	struct hci_ev_cmd_complete *ev;
667 	struct hci_event_hdr *hdr;
668 	struct sk_buff *skb;
669 
670 	hci_dev_lock(hdev);
671 
672 	skb = hdev->recv_evt;
673 	hdev->recv_evt = NULL;
674 
675 	hci_dev_unlock(hdev);
676 
677 	if (!skb)
678 		return ERR_PTR(-ENODATA);
679 
680 	if (skb->len < sizeof(*hdr)) {
681 		BT_ERR("Too short HCI event");
682 		goto failed;
683 	}
684 
685 	hdr = (void *) skb->data;
686 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
687 
688 	if (event) {
689 		if (hdr->evt != event)
690 			goto failed;
691 		return skb;
692 	}
693 
694 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
695 		BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
696 		goto failed;
697 	}
698 
699 	if (skb->len < sizeof(*ev)) {
700 		BT_ERR("Too short cmd_complete event");
701 		goto failed;
702 	}
703 
704 	ev = (void *) skb->data;
705 	skb_pull(skb, sizeof(*ev));
706 
707 	if (opcode == __le16_to_cpu(ev->opcode))
708 		return skb;
709 
710 	BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
711 	       __le16_to_cpu(ev->opcode));
712 
713 failed:
714 	kfree_skb(skb);
715 	return ERR_PTR(-ENODATA);
716 }
717 
718 struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
719 				  const void *param, u8 event, u32 timeout)
720 {
721 	DECLARE_WAITQUEUE(wait, current);
722 	struct hci_request req;
723 	int err = 0;
724 
725 	BT_DBG("%s", hdev->name);
726 
727 	hci_req_init(&req, hdev);
728 
729 	hci_req_add_ev(&req, opcode, plen, param, event);
730 
731 	hdev->req_status = HCI_REQ_PEND;
732 
733 	err = hci_req_run(&req, hci_req_sync_complete);
734 	if (err < 0)
735 		return ERR_PTR(err);
736 
737 	add_wait_queue(&hdev->req_wait_q, &wait);
738 	set_current_state(TASK_INTERRUPTIBLE);
739 
740 	schedule_timeout(timeout);
741 
742 	remove_wait_queue(&hdev->req_wait_q, &wait);
743 
744 	if (signal_pending(current))
745 		return ERR_PTR(-EINTR);
746 
747 	switch (hdev->req_status) {
748 	case HCI_REQ_DONE:
749 		err = -bt_to_errno(hdev->req_result);
750 		break;
751 
752 	case HCI_REQ_CANCELED:
753 		err = -hdev->req_result;
754 		break;
755 
756 	default:
757 		err = -ETIMEDOUT;
758 		break;
759 	}
760 
761 	hdev->req_status = hdev->req_result = 0;
762 
763 	BT_DBG("%s end: err %d", hdev->name, err);
764 
765 	if (err < 0)
766 		return ERR_PTR(err);
767 
768 	return hci_get_cmd_complete(hdev, opcode, event);
769 }
770 EXPORT_SYMBOL(__hci_cmd_sync_ev);
771 
772 struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
773 			       const void *param, u32 timeout)
774 {
775 	return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
776 }
777 EXPORT_SYMBOL(__hci_cmd_sync);
778 
779 /* Execute request and wait for completion. */
780 static int __hci_req_sync(struct hci_dev *hdev,
781 			  void (*func)(struct hci_request *req,
782 				      unsigned long opt),
783 			  unsigned long opt, __u32 timeout)
784 {
785 	struct hci_request req;
786 	DECLARE_WAITQUEUE(wait, current);
787 	int err = 0;
788 
789 	BT_DBG("%s start", hdev->name);
790 
791 	hci_req_init(&req, hdev);
792 
793 	hdev->req_status = HCI_REQ_PEND;
794 
795 	func(&req, opt);
796 
797 	err = hci_req_run(&req, hci_req_sync_complete);
798 	if (err < 0) {
799 		hdev->req_status = 0;
800 
801 		/* ENODATA means the HCI request command queue is empty.
802 		 * This can happen when a request with conditionals doesn't
803 		 * trigger any commands to be sent. This is normal behavior
804 		 * and should not trigger an error return.
805 		 */
806 		if (err == -ENODATA)
807 			return 0;
808 
809 		return err;
810 	}
811 
812 	add_wait_queue(&hdev->req_wait_q, &wait);
813 	set_current_state(TASK_INTERRUPTIBLE);
814 
815 	schedule_timeout(timeout);
816 
817 	remove_wait_queue(&hdev->req_wait_q, &wait);
818 
819 	if (signal_pending(current))
820 		return -EINTR;
821 
822 	switch (hdev->req_status) {
823 	case HCI_REQ_DONE:
824 		err = -bt_to_errno(hdev->req_result);
825 		break;
826 
827 	case HCI_REQ_CANCELED:
828 		err = -hdev->req_result;
829 		break;
830 
831 	default:
832 		err = -ETIMEDOUT;
833 		break;
834 	}
835 
836 	hdev->req_status = hdev->req_result = 0;
837 
838 	BT_DBG("%s end: err %d", hdev->name, err);
839 
840 	return err;
841 }
842 
843 static int hci_req_sync(struct hci_dev *hdev,
844 			void (*req)(struct hci_request *req,
845 				    unsigned long opt),
846 			unsigned long opt, __u32 timeout)
847 {
848 	int ret;
849 
850 	if (!test_bit(HCI_UP, &hdev->flags))
851 		return -ENETDOWN;
852 
853 	/* Serialize all requests */
854 	hci_req_lock(hdev);
855 	ret = __hci_req_sync(hdev, req, opt, timeout);
856 	hci_req_unlock(hdev);
857 
858 	return ret;
859 }
860 
861 static void hci_reset_req(struct hci_request *req, unsigned long opt)
862 {
863 	BT_DBG("%s %ld", req->hdev->name, opt);
864 
865 	/* Reset device */
866 	set_bit(HCI_RESET, &req->hdev->flags);
867 	hci_req_add(req, HCI_OP_RESET, 0, NULL);
868 }
869 
870 static void bredr_init(struct hci_request *req)
871 {
872 	req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
873 
874 	/* Read Local Supported Features */
875 	hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
876 
877 	/* Read Local Version */
878 	hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
879 
880 	/* Read BD Address */
881 	hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
882 }
883 
884 static void amp_init(struct hci_request *req)
885 {
886 	req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
887 
888 	/* Read Local Version */
889 	hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
890 
891 	/* Read Local Supported Commands */
892 	hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
893 
894 	/* Read Local Supported Features */
895 	hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
896 
897 	/* Read Local AMP Info */
898 	hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
899 
900 	/* Read Data Blk size */
901 	hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
902 
903 	/* Read Flow Control Mode */
904 	hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
905 
906 	/* Read Location Data */
907 	hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
908 }
909 
910 static void hci_init1_req(struct hci_request *req, unsigned long opt)
911 {
912 	struct hci_dev *hdev = req->hdev;
913 
914 	BT_DBG("%s %ld", hdev->name, opt);
915 
916 	/* Reset */
917 	if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
918 		hci_reset_req(req, 0);
919 
920 	switch (hdev->dev_type) {
921 	case HCI_BREDR:
922 		bredr_init(req);
923 		break;
924 
925 	case HCI_AMP:
926 		amp_init(req);
927 		break;
928 
929 	default:
930 		BT_ERR("Unknown device type %d", hdev->dev_type);
931 		break;
932 	}
933 }
934 
935 static void bredr_setup(struct hci_request *req)
936 {
937 	struct hci_dev *hdev = req->hdev;
938 
939 	__le16 param;
940 	__u8 flt_type;
941 
942 	/* Read Buffer Size (ACL mtu, max pkt, etc.) */
943 	hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
944 
945 	/* Read Class of Device */
946 	hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
947 
948 	/* Read Local Name */
949 	hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
950 
951 	/* Read Voice Setting */
952 	hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
953 
954 	/* Read Number of Supported IAC */
955 	hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
956 
957 	/* Read Current IAC LAP */
958 	hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
959 
960 	/* Clear Event Filters */
961 	flt_type = HCI_FLT_CLEAR_ALL;
962 	hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
963 
964 	/* Connection accept timeout ~20 secs */
965 	param = __constant_cpu_to_le16(0x7d00);
966 	hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
967 
968 	/* AVM Berlin (31), aka "BlueFRITZ!", reports version 1.2,
969 	 * but it does not support page scan related HCI commands.
970 	 */
971 	if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1) {
972 		hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
973 		hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
974 	}
975 }
976 
977 static void le_setup(struct hci_request *req)
978 {
979 	struct hci_dev *hdev = req->hdev;
980 
981 	/* Read LE Buffer Size */
982 	hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
983 
984 	/* Read LE Local Supported Features */
985 	hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
986 
987 	/* Read LE Advertising Channel TX Power */
988 	hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
989 
990 	/* Read LE White List Size */
991 	hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
992 
993 	/* Read LE Supported States */
994 	hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
995 
996 	/* LE-only controllers have LE implicitly enabled */
997 	if (!lmp_bredr_capable(hdev))
998 		set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
999 }
1000 
1001 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
1002 {
1003 	if (lmp_ext_inq_capable(hdev))
1004 		return 0x02;
1005 
1006 	if (lmp_inq_rssi_capable(hdev))
1007 		return 0x01;
1008 
1009 	if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
1010 	    hdev->lmp_subver == 0x0757)
1011 		return 0x01;
1012 
1013 	if (hdev->manufacturer == 15) {
1014 		if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
1015 			return 0x01;
1016 		if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
1017 			return 0x01;
1018 		if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
1019 			return 0x01;
1020 	}
1021 
1022 	if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
1023 	    hdev->lmp_subver == 0x1805)
1024 		return 0x01;
1025 
1026 	return 0x00;
1027 }
1028 
1029 static void hci_setup_inquiry_mode(struct hci_request *req)
1030 {
1031 	u8 mode;
1032 
1033 	mode = hci_get_inquiry_mode(req->hdev);
1034 
1035 	hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
1036 }
1037 
1038 static void hci_setup_event_mask(struct hci_request *req)
1039 {
1040 	struct hci_dev *hdev = req->hdev;
1041 
1042 	/* The second byte is 0xff instead of 0x9f (two reserved bits
1043 	 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
1044 	 * command otherwise.
1045 	 */
1046 	u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
1047 
1048 	/* CSR 1.1 dongles does not accept any bitfield so don't try to set
1049 	 * any event mask for pre 1.2 devices.
1050 	 */
1051 	if (hdev->hci_ver < BLUETOOTH_VER_1_2)
1052 		return;
1053 
1054 	if (lmp_bredr_capable(hdev)) {
1055 		events[4] |= 0x01; /* Flow Specification Complete */
1056 		events[4] |= 0x02; /* Inquiry Result with RSSI */
1057 		events[4] |= 0x04; /* Read Remote Extended Features Complete */
1058 		events[5] |= 0x08; /* Synchronous Connection Complete */
1059 		events[5] |= 0x10; /* Synchronous Connection Changed */
1060 	} else {
1061 		/* Use a different default for LE-only devices */
1062 		memset(events, 0, sizeof(events));
1063 		events[0] |= 0x10; /* Disconnection Complete */
1064 		events[0] |= 0x80; /* Encryption Change */
1065 		events[1] |= 0x08; /* Read Remote Version Information Complete */
1066 		events[1] |= 0x20; /* Command Complete */
1067 		events[1] |= 0x40; /* Command Status */
1068 		events[1] |= 0x80; /* Hardware Error */
1069 		events[2] |= 0x04; /* Number of Completed Packets */
1070 		events[3] |= 0x02; /* Data Buffer Overflow */
1071 		events[5] |= 0x80; /* Encryption Key Refresh Complete */
1072 	}
1073 
1074 	if (lmp_inq_rssi_capable(hdev))
1075 		events[4] |= 0x02; /* Inquiry Result with RSSI */
1076 
1077 	if (lmp_sniffsubr_capable(hdev))
1078 		events[5] |= 0x20; /* Sniff Subrating */
1079 
1080 	if (lmp_pause_enc_capable(hdev))
1081 		events[5] |= 0x80; /* Encryption Key Refresh Complete */
1082 
1083 	if (lmp_ext_inq_capable(hdev))
1084 		events[5] |= 0x40; /* Extended Inquiry Result */
1085 
1086 	if (lmp_no_flush_capable(hdev))
1087 		events[7] |= 0x01; /* Enhanced Flush Complete */
1088 
1089 	if (lmp_lsto_capable(hdev))
1090 		events[6] |= 0x80; /* Link Supervision Timeout Changed */
1091 
1092 	if (lmp_ssp_capable(hdev)) {
1093 		events[6] |= 0x01;	/* IO Capability Request */
1094 		events[6] |= 0x02;	/* IO Capability Response */
1095 		events[6] |= 0x04;	/* User Confirmation Request */
1096 		events[6] |= 0x08;	/* User Passkey Request */
1097 		events[6] |= 0x10;	/* Remote OOB Data Request */
1098 		events[6] |= 0x20;	/* Simple Pairing Complete */
1099 		events[7] |= 0x04;	/* User Passkey Notification */
1100 		events[7] |= 0x08;	/* Keypress Notification */
1101 		events[7] |= 0x10;	/* Remote Host Supported
1102 					 * Features Notification
1103 					 */
1104 	}
1105 
1106 	if (lmp_le_capable(hdev))
1107 		events[7] |= 0x20;	/* LE Meta-Event */
1108 
1109 	hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
1110 
1111 	if (lmp_le_capable(hdev)) {
1112 		memset(events, 0, sizeof(events));
1113 		events[0] = 0x1f;
1114 		hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK,
1115 			    sizeof(events), events);
1116 	}
1117 }
1118 
1119 static void hci_init2_req(struct hci_request *req, unsigned long opt)
1120 {
1121 	struct hci_dev *hdev = req->hdev;
1122 
1123 	if (lmp_bredr_capable(hdev))
1124 		bredr_setup(req);
1125 	else
1126 		clear_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
1127 
1128 	if (lmp_le_capable(hdev))
1129 		le_setup(req);
1130 
1131 	hci_setup_event_mask(req);
1132 
1133 	/* AVM Berlin (31), aka "BlueFRITZ!", doesn't support the read
1134 	 * local supported commands HCI command.
1135 	 */
1136 	if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1)
1137 		hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
1138 
1139 	if (lmp_ssp_capable(hdev)) {
1140 		/* When SSP is available, then the host features page
1141 		 * should also be available as well. However some
1142 		 * controllers list the max_page as 0 as long as SSP
1143 		 * has not been enabled. To achieve proper debugging
1144 		 * output, force the minimum max_page to 1 at least.
1145 		 */
1146 		hdev->max_page = 0x01;
1147 
1148 		if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
1149 			u8 mode = 0x01;
1150 			hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
1151 				    sizeof(mode), &mode);
1152 		} else {
1153 			struct hci_cp_write_eir cp;
1154 
1155 			memset(hdev->eir, 0, sizeof(hdev->eir));
1156 			memset(&cp, 0, sizeof(cp));
1157 
1158 			hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
1159 		}
1160 	}
1161 
1162 	if (lmp_inq_rssi_capable(hdev))
1163 		hci_setup_inquiry_mode(req);
1164 
1165 	if (lmp_inq_tx_pwr_capable(hdev))
1166 		hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
1167 
1168 	if (lmp_ext_feat_capable(hdev)) {
1169 		struct hci_cp_read_local_ext_features cp;
1170 
1171 		cp.page = 0x01;
1172 		hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
1173 			    sizeof(cp), &cp);
1174 	}
1175 
1176 	if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
1177 		u8 enable = 1;
1178 		hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
1179 			    &enable);
1180 	}
1181 }
1182 
1183 static void hci_setup_link_policy(struct hci_request *req)
1184 {
1185 	struct hci_dev *hdev = req->hdev;
1186 	struct hci_cp_write_def_link_policy cp;
1187 	u16 link_policy = 0;
1188 
1189 	if (lmp_rswitch_capable(hdev))
1190 		link_policy |= HCI_LP_RSWITCH;
1191 	if (lmp_hold_capable(hdev))
1192 		link_policy |= HCI_LP_HOLD;
1193 	if (lmp_sniff_capable(hdev))
1194 		link_policy |= HCI_LP_SNIFF;
1195 	if (lmp_park_capable(hdev))
1196 		link_policy |= HCI_LP_PARK;
1197 
1198 	cp.policy = cpu_to_le16(link_policy);
1199 	hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
1200 }
1201 
1202 static void hci_set_le_support(struct hci_request *req)
1203 {
1204 	struct hci_dev *hdev = req->hdev;
1205 	struct hci_cp_write_le_host_supported cp;
1206 
1207 	/* LE-only devices do not support explicit enablement */
1208 	if (!lmp_bredr_capable(hdev))
1209 		return;
1210 
1211 	memset(&cp, 0, sizeof(cp));
1212 
1213 	if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
1214 		cp.le = 0x01;
1215 		cp.simul = lmp_le_br_capable(hdev);
1216 	}
1217 
1218 	if (cp.le != lmp_host_le_capable(hdev))
1219 		hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
1220 			    &cp);
1221 }
1222 
1223 static void hci_set_event_mask_page_2(struct hci_request *req)
1224 {
1225 	struct hci_dev *hdev = req->hdev;
1226 	u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1227 
1228 	/* If Connectionless Slave Broadcast master role is supported
1229 	 * enable all necessary events for it.
1230 	 */
1231 	if (hdev->features[2][0] & 0x01) {
1232 		events[1] |= 0x40;	/* Triggered Clock Capture */
1233 		events[1] |= 0x80;	/* Synchronization Train Complete */
1234 		events[2] |= 0x10;	/* Slave Page Response Timeout */
1235 		events[2] |= 0x20;	/* CSB Channel Map Change */
1236 	}
1237 
1238 	/* If Connectionless Slave Broadcast slave role is supported
1239 	 * enable all necessary events for it.
1240 	 */
1241 	if (hdev->features[2][0] & 0x02) {
1242 		events[2] |= 0x01;	/* Synchronization Train Received */
1243 		events[2] |= 0x02;	/* CSB Receive */
1244 		events[2] |= 0x04;	/* CSB Timeout */
1245 		events[2] |= 0x08;	/* Truncated Page Complete */
1246 	}
1247 
1248 	hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
1249 }
1250 
1251 static void hci_init3_req(struct hci_request *req, unsigned long opt)
1252 {
1253 	struct hci_dev *hdev = req->hdev;
1254 	u8 p;
1255 
1256 	/* Some Broadcom based Bluetooth controllers do not support the
1257 	 * Delete Stored Link Key command. They are clearly indicating its
1258 	 * absence in the bit mask of supported commands.
1259 	 *
1260 	 * Check the supported commands and only if the the command is marked
1261 	 * as supported send it. If not supported assume that the controller
1262 	 * does not have actual support for stored link keys which makes this
1263 	 * command redundant anyway.
1264 	 */
1265 	if (hdev->commands[6] & 0x80) {
1266 		struct hci_cp_delete_stored_link_key cp;
1267 
1268 		bacpy(&cp.bdaddr, BDADDR_ANY);
1269 		cp.delete_all = 0x01;
1270 		hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
1271 			    sizeof(cp), &cp);
1272 	}
1273 
1274 	if (hdev->commands[5] & 0x10)
1275 		hci_setup_link_policy(req);
1276 
1277 	if (lmp_le_capable(hdev)) {
1278 		/* If the controller has a public BD_ADDR, then by
1279 		 * default use that one. If this is a LE only
1280 		 * controller without one, default to the random
1281 		 * address.
1282 		 */
1283 		if (bacmp(&hdev->bdaddr, BDADDR_ANY))
1284 			hdev->own_addr_type = ADDR_LE_DEV_PUBLIC;
1285 		else
1286 			hdev->own_addr_type = ADDR_LE_DEV_RANDOM;
1287 
1288 		hci_set_le_support(req);
1289 	}
1290 
1291 	/* Read features beyond page 1 if available */
1292 	for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
1293 		struct hci_cp_read_local_ext_features cp;
1294 
1295 		cp.page = p;
1296 		hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
1297 			    sizeof(cp), &cp);
1298 	}
1299 }
1300 
1301 static void hci_init4_req(struct hci_request *req, unsigned long opt)
1302 {
1303 	struct hci_dev *hdev = req->hdev;
1304 
1305 	/* Set event mask page 2 if the HCI command for it is supported */
1306 	if (hdev->commands[22] & 0x04)
1307 		hci_set_event_mask_page_2(req);
1308 
1309 	/* Check for Synchronization Train support */
1310 	if (hdev->features[2][0] & 0x04)
1311 		hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
1312 }
1313 
1314 static int __hci_init(struct hci_dev *hdev)
1315 {
1316 	int err;
1317 
1318 	err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
1319 	if (err < 0)
1320 		return err;
1321 
1322 	/* The Device Under Test (DUT) mode is special and available for
1323 	 * all controller types. So just create it early on.
1324 	 */
1325 	if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
1326 		debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
1327 				    &dut_mode_fops);
1328 	}
1329 
1330 	/* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
1331 	 * BR/EDR/LE type controllers. AMP controllers only need the
1332 	 * first stage init.
1333 	 */
1334 	if (hdev->dev_type != HCI_BREDR)
1335 		return 0;
1336 
1337 	err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
1338 	if (err < 0)
1339 		return err;
1340 
1341 	err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
1342 	if (err < 0)
1343 		return err;
1344 
1345 	err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT);
1346 	if (err < 0)
1347 		return err;
1348 
1349 	/* Only create debugfs entries during the initial setup
1350 	 * phase and not every time the controller gets powered on.
1351 	 */
1352 	if (!test_bit(HCI_SETUP, &hdev->dev_flags))
1353 		return 0;
1354 
1355 	debugfs_create_file("features", 0444, hdev->debugfs, hdev,
1356 			    &features_fops);
1357 	debugfs_create_u16("manufacturer", 0444, hdev->debugfs,
1358 			   &hdev->manufacturer);
1359 	debugfs_create_u8("hci_version", 0444, hdev->debugfs, &hdev->hci_ver);
1360 	debugfs_create_u16("hci_revision", 0444, hdev->debugfs, &hdev->hci_rev);
1361 	debugfs_create_file("blacklist", 0444, hdev->debugfs, hdev,
1362 			    &blacklist_fops);
1363 	debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
1364 
1365 	if (lmp_bredr_capable(hdev)) {
1366 		debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
1367 				    hdev, &inquiry_cache_fops);
1368 		debugfs_create_file("link_keys", 0400, hdev->debugfs,
1369 				    hdev, &link_keys_fops);
1370 		debugfs_create_file("use_debug_keys", 0444, hdev->debugfs,
1371 				    hdev, &use_debug_keys_fops);
1372 		debugfs_create_file("dev_class", 0444, hdev->debugfs,
1373 				    hdev, &dev_class_fops);
1374 		debugfs_create_file("voice_setting", 0444, hdev->debugfs,
1375 				    hdev, &voice_setting_fops);
1376 	}
1377 
1378 	if (lmp_ssp_capable(hdev)) {
1379 		debugfs_create_file("auto_accept_delay", 0644, hdev->debugfs,
1380 				    hdev, &auto_accept_delay_fops);
1381 		debugfs_create_file("ssp_debug_mode", 0644, hdev->debugfs,
1382 				    hdev, &ssp_debug_mode_fops);
1383 	}
1384 
1385 	if (lmp_sniff_capable(hdev)) {
1386 		debugfs_create_file("idle_timeout", 0644, hdev->debugfs,
1387 				    hdev, &idle_timeout_fops);
1388 		debugfs_create_file("sniff_min_interval", 0644, hdev->debugfs,
1389 				    hdev, &sniff_min_interval_fops);
1390 		debugfs_create_file("sniff_max_interval", 0644, hdev->debugfs,
1391 				    hdev, &sniff_max_interval_fops);
1392 	}
1393 
1394 	if (lmp_le_capable(hdev)) {
1395 		debugfs_create_u8("white_list_size", 0444, hdev->debugfs,
1396 				  &hdev->le_white_list_size);
1397 		debugfs_create_file("static_address", 0444, hdev->debugfs,
1398 				   hdev, &static_address_fops);
1399 		debugfs_create_file("own_address_type", 0644, hdev->debugfs,
1400 				    hdev, &own_address_type_fops);
1401 		debugfs_create_file("long_term_keys", 0400, hdev->debugfs,
1402 				    hdev, &long_term_keys_fops);
1403 		debugfs_create_file("conn_min_interval", 0644, hdev->debugfs,
1404 				    hdev, &conn_min_interval_fops);
1405 		debugfs_create_file("conn_max_interval", 0644, hdev->debugfs,
1406 				    hdev, &conn_max_interval_fops);
1407 	}
1408 
1409 	return 0;
1410 }
1411 
1412 static void hci_scan_req(struct hci_request *req, unsigned long opt)
1413 {
1414 	__u8 scan = opt;
1415 
1416 	BT_DBG("%s %x", req->hdev->name, scan);
1417 
1418 	/* Inquiry and Page scans */
1419 	hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1420 }
1421 
1422 static void hci_auth_req(struct hci_request *req, unsigned long opt)
1423 {
1424 	__u8 auth = opt;
1425 
1426 	BT_DBG("%s %x", req->hdev->name, auth);
1427 
1428 	/* Authentication */
1429 	hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
1430 }
1431 
1432 static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
1433 {
1434 	__u8 encrypt = opt;
1435 
1436 	BT_DBG("%s %x", req->hdev->name, encrypt);
1437 
1438 	/* Encryption */
1439 	hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
1440 }
1441 
1442 static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
1443 {
1444 	__le16 policy = cpu_to_le16(opt);
1445 
1446 	BT_DBG("%s %x", req->hdev->name, policy);
1447 
1448 	/* Default link policy */
1449 	hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
1450 }
1451 
1452 /* Get HCI device by index.
1453  * Device is held on return. */
1454 struct hci_dev *hci_dev_get(int index)
1455 {
1456 	struct hci_dev *hdev = NULL, *d;
1457 
1458 	BT_DBG("%d", index);
1459 
1460 	if (index < 0)
1461 		return NULL;
1462 
1463 	read_lock(&hci_dev_list_lock);
1464 	list_for_each_entry(d, &hci_dev_list, list) {
1465 		if (d->id == index) {
1466 			hdev = hci_dev_hold(d);
1467 			break;
1468 		}
1469 	}
1470 	read_unlock(&hci_dev_list_lock);
1471 	return hdev;
1472 }
1473 
1474 /* ---- Inquiry support ---- */
1475 
1476 bool hci_discovery_active(struct hci_dev *hdev)
1477 {
1478 	struct discovery_state *discov = &hdev->discovery;
1479 
1480 	switch (discov->state) {
1481 	case DISCOVERY_FINDING:
1482 	case DISCOVERY_RESOLVING:
1483 		return true;
1484 
1485 	default:
1486 		return false;
1487 	}
1488 }
1489 
1490 void hci_discovery_set_state(struct hci_dev *hdev, int state)
1491 {
1492 	BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
1493 
1494 	if (hdev->discovery.state == state)
1495 		return;
1496 
1497 	switch (state) {
1498 	case DISCOVERY_STOPPED:
1499 		if (hdev->discovery.state != DISCOVERY_STARTING)
1500 			mgmt_discovering(hdev, 0);
1501 		break;
1502 	case DISCOVERY_STARTING:
1503 		break;
1504 	case DISCOVERY_FINDING:
1505 		mgmt_discovering(hdev, 1);
1506 		break;
1507 	case DISCOVERY_RESOLVING:
1508 		break;
1509 	case DISCOVERY_STOPPING:
1510 		break;
1511 	}
1512 
1513 	hdev->discovery.state = state;
1514 }
1515 
1516 void hci_inquiry_cache_flush(struct hci_dev *hdev)
1517 {
1518 	struct discovery_state *cache = &hdev->discovery;
1519 	struct inquiry_entry *p, *n;
1520 
1521 	list_for_each_entry_safe(p, n, &cache->all, all) {
1522 		list_del(&p->all);
1523 		kfree(p);
1524 	}
1525 
1526 	INIT_LIST_HEAD(&cache->unknown);
1527 	INIT_LIST_HEAD(&cache->resolve);
1528 }
1529 
1530 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1531 					       bdaddr_t *bdaddr)
1532 {
1533 	struct discovery_state *cache = &hdev->discovery;
1534 	struct inquiry_entry *e;
1535 
1536 	BT_DBG("cache %p, %pMR", cache, bdaddr);
1537 
1538 	list_for_each_entry(e, &cache->all, all) {
1539 		if (!bacmp(&e->data.bdaddr, bdaddr))
1540 			return e;
1541 	}
1542 
1543 	return NULL;
1544 }
1545 
1546 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1547 						       bdaddr_t *bdaddr)
1548 {
1549 	struct discovery_state *cache = &hdev->discovery;
1550 	struct inquiry_entry *e;
1551 
1552 	BT_DBG("cache %p, %pMR", cache, bdaddr);
1553 
1554 	list_for_each_entry(e, &cache->unknown, list) {
1555 		if (!bacmp(&e->data.bdaddr, bdaddr))
1556 			return e;
1557 	}
1558 
1559 	return NULL;
1560 }
1561 
1562 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1563 						       bdaddr_t *bdaddr,
1564 						       int state)
1565 {
1566 	struct discovery_state *cache = &hdev->discovery;
1567 	struct inquiry_entry *e;
1568 
1569 	BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1570 
1571 	list_for_each_entry(e, &cache->resolve, list) {
1572 		if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
1573 			return e;
1574 		if (!bacmp(&e->data.bdaddr, bdaddr))
1575 			return e;
1576 	}
1577 
1578 	return NULL;
1579 }
1580 
1581 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
1582 				      struct inquiry_entry *ie)
1583 {
1584 	struct discovery_state *cache = &hdev->discovery;
1585 	struct list_head *pos = &cache->resolve;
1586 	struct inquiry_entry *p;
1587 
1588 	list_del(&ie->list);
1589 
1590 	list_for_each_entry(p, &cache->resolve, list) {
1591 		if (p->name_state != NAME_PENDING &&
1592 		    abs(p->data.rssi) >= abs(ie->data.rssi))
1593 			break;
1594 		pos = &p->list;
1595 	}
1596 
1597 	list_add(&ie->list, pos);
1598 }
1599 
1600 bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
1601 			      bool name_known, bool *ssp)
1602 {
1603 	struct discovery_state *cache = &hdev->discovery;
1604 	struct inquiry_entry *ie;
1605 
1606 	BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
1607 
1608 	hci_remove_remote_oob_data(hdev, &data->bdaddr);
1609 
1610 	if (ssp)
1611 		*ssp = data->ssp_mode;
1612 
1613 	ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
1614 	if (ie) {
1615 		if (ie->data.ssp_mode && ssp)
1616 			*ssp = true;
1617 
1618 		if (ie->name_state == NAME_NEEDED &&
1619 		    data->rssi != ie->data.rssi) {
1620 			ie->data.rssi = data->rssi;
1621 			hci_inquiry_cache_update_resolve(hdev, ie);
1622 		}
1623 
1624 		goto update;
1625 	}
1626 
1627 	/* Entry not in the cache. Add new one. */
1628 	ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
1629 	if (!ie)
1630 		return false;
1631 
1632 	list_add(&ie->all, &cache->all);
1633 
1634 	if (name_known) {
1635 		ie->name_state = NAME_KNOWN;
1636 	} else {
1637 		ie->name_state = NAME_NOT_KNOWN;
1638 		list_add(&ie->list, &cache->unknown);
1639 	}
1640 
1641 update:
1642 	if (name_known && ie->name_state != NAME_KNOWN &&
1643 	    ie->name_state != NAME_PENDING) {
1644 		ie->name_state = NAME_KNOWN;
1645 		list_del(&ie->list);
1646 	}
1647 
1648 	memcpy(&ie->data, data, sizeof(*data));
1649 	ie->timestamp = jiffies;
1650 	cache->timestamp = jiffies;
1651 
1652 	if (ie->name_state == NAME_NOT_KNOWN)
1653 		return false;
1654 
1655 	return true;
1656 }
1657 
1658 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
1659 {
1660 	struct discovery_state *cache = &hdev->discovery;
1661 	struct inquiry_info *info = (struct inquiry_info *) buf;
1662 	struct inquiry_entry *e;
1663 	int copied = 0;
1664 
1665 	list_for_each_entry(e, &cache->all, all) {
1666 		struct inquiry_data *data = &e->data;
1667 
1668 		if (copied >= num)
1669 			break;
1670 
1671 		bacpy(&info->bdaddr, &data->bdaddr);
1672 		info->pscan_rep_mode	= data->pscan_rep_mode;
1673 		info->pscan_period_mode	= data->pscan_period_mode;
1674 		info->pscan_mode	= data->pscan_mode;
1675 		memcpy(info->dev_class, data->dev_class, 3);
1676 		info->clock_offset	= data->clock_offset;
1677 
1678 		info++;
1679 		copied++;
1680 	}
1681 
1682 	BT_DBG("cache %p, copied %d", cache, copied);
1683 	return copied;
1684 }
1685 
1686 static void hci_inq_req(struct hci_request *req, unsigned long opt)
1687 {
1688 	struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
1689 	struct hci_dev *hdev = req->hdev;
1690 	struct hci_cp_inquiry cp;
1691 
1692 	BT_DBG("%s", hdev->name);
1693 
1694 	if (test_bit(HCI_INQUIRY, &hdev->flags))
1695 		return;
1696 
1697 	/* Start Inquiry */
1698 	memcpy(&cp.lap, &ir->lap, 3);
1699 	cp.length  = ir->length;
1700 	cp.num_rsp = ir->num_rsp;
1701 	hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
1702 }
1703 
1704 static int wait_inquiry(void *word)
1705 {
1706 	schedule();
1707 	return signal_pending(current);
1708 }
1709 
1710 int hci_inquiry(void __user *arg)
1711 {
1712 	__u8 __user *ptr = arg;
1713 	struct hci_inquiry_req ir;
1714 	struct hci_dev *hdev;
1715 	int err = 0, do_inquiry = 0, max_rsp;
1716 	long timeo;
1717 	__u8 *buf;
1718 
1719 	if (copy_from_user(&ir, ptr, sizeof(ir)))
1720 		return -EFAULT;
1721 
1722 	hdev = hci_dev_get(ir.dev_id);
1723 	if (!hdev)
1724 		return -ENODEV;
1725 
1726 	if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
1727 		err = -EBUSY;
1728 		goto done;
1729 	}
1730 
1731 	if (hdev->dev_type != HCI_BREDR) {
1732 		err = -EOPNOTSUPP;
1733 		goto done;
1734 	}
1735 
1736 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
1737 		err = -EOPNOTSUPP;
1738 		goto done;
1739 	}
1740 
1741 	hci_dev_lock(hdev);
1742 	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
1743 	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
1744 		hci_inquiry_cache_flush(hdev);
1745 		do_inquiry = 1;
1746 	}
1747 	hci_dev_unlock(hdev);
1748 
1749 	timeo = ir.length * msecs_to_jiffies(2000);
1750 
1751 	if (do_inquiry) {
1752 		err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
1753 				   timeo);
1754 		if (err < 0)
1755 			goto done;
1756 
1757 		/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
1758 		 * cleared). If it is interrupted by a signal, return -EINTR.
1759 		 */
1760 		if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
1761 				TASK_INTERRUPTIBLE))
1762 			return -EINTR;
1763 	}
1764 
1765 	/* for unlimited number of responses we will use buffer with
1766 	 * 255 entries
1767 	 */
1768 	max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1769 
1770 	/* cache_dump can't sleep. Therefore we allocate temp buffer and then
1771 	 * copy it to the user space.
1772 	 */
1773 	buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1774 	if (!buf) {
1775 		err = -ENOMEM;
1776 		goto done;
1777 	}
1778 
1779 	hci_dev_lock(hdev);
1780 	ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1781 	hci_dev_unlock(hdev);
1782 
1783 	BT_DBG("num_rsp %d", ir.num_rsp);
1784 
1785 	if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1786 		ptr += sizeof(ir);
1787 		if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1788 				 ir.num_rsp))
1789 			err = -EFAULT;
1790 	} else
1791 		err = -EFAULT;
1792 
1793 	kfree(buf);
1794 
1795 done:
1796 	hci_dev_put(hdev);
1797 	return err;
1798 }
1799 
1800 static int hci_dev_do_open(struct hci_dev *hdev)
1801 {
1802 	int ret = 0;
1803 
1804 	BT_DBG("%s %p", hdev->name, hdev);
1805 
1806 	hci_req_lock(hdev);
1807 
1808 	if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1809 		ret = -ENODEV;
1810 		goto done;
1811 	}
1812 
1813 	if (!test_bit(HCI_SETUP, &hdev->dev_flags)) {
1814 		/* Check for rfkill but allow the HCI setup stage to
1815 		 * proceed (which in itself doesn't cause any RF activity).
1816 		 */
1817 		if (test_bit(HCI_RFKILLED, &hdev->dev_flags)) {
1818 			ret = -ERFKILL;
1819 			goto done;
1820 		}
1821 
1822 		/* Check for valid public address or a configured static
1823 		 * random adddress, but let the HCI setup proceed to
1824 		 * be able to determine if there is a public address
1825 		 * or not.
1826 		 *
1827 		 * This check is only valid for BR/EDR controllers
1828 		 * since AMP controllers do not have an address.
1829 		 */
1830 		if (hdev->dev_type == HCI_BREDR &&
1831 		    !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
1832 		    !bacmp(&hdev->static_addr, BDADDR_ANY)) {
1833 			ret = -EADDRNOTAVAIL;
1834 			goto done;
1835 		}
1836 	}
1837 
1838 	if (test_bit(HCI_UP, &hdev->flags)) {
1839 		ret = -EALREADY;
1840 		goto done;
1841 	}
1842 
1843 	if (hdev->open(hdev)) {
1844 		ret = -EIO;
1845 		goto done;
1846 	}
1847 
1848 	atomic_set(&hdev->cmd_cnt, 1);
1849 	set_bit(HCI_INIT, &hdev->flags);
1850 
1851 	if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
1852 		ret = hdev->setup(hdev);
1853 
1854 	if (!ret) {
1855 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1856 			set_bit(HCI_RAW, &hdev->flags);
1857 
1858 		if (!test_bit(HCI_RAW, &hdev->flags) &&
1859 		    !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
1860 			ret = __hci_init(hdev);
1861 	}
1862 
1863 	clear_bit(HCI_INIT, &hdev->flags);
1864 
1865 	if (!ret) {
1866 		hci_dev_hold(hdev);
1867 		set_bit(HCI_UP, &hdev->flags);
1868 		hci_notify(hdev, HCI_DEV_UP);
1869 		if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1870 		    !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
1871 		    hdev->dev_type == HCI_BREDR) {
1872 			hci_dev_lock(hdev);
1873 			mgmt_powered(hdev, 1);
1874 			hci_dev_unlock(hdev);
1875 		}
1876 	} else {
1877 		/* Init failed, cleanup */
1878 		flush_work(&hdev->tx_work);
1879 		flush_work(&hdev->cmd_work);
1880 		flush_work(&hdev->rx_work);
1881 
1882 		skb_queue_purge(&hdev->cmd_q);
1883 		skb_queue_purge(&hdev->rx_q);
1884 
1885 		if (hdev->flush)
1886 			hdev->flush(hdev);
1887 
1888 		if (hdev->sent_cmd) {
1889 			kfree_skb(hdev->sent_cmd);
1890 			hdev->sent_cmd = NULL;
1891 		}
1892 
1893 		hdev->close(hdev);
1894 		hdev->flags = 0;
1895 	}
1896 
1897 done:
1898 	hci_req_unlock(hdev);
1899 	return ret;
1900 }
1901 
1902 /* ---- HCI ioctl helpers ---- */
1903 
1904 int hci_dev_open(__u16 dev)
1905 {
1906 	struct hci_dev *hdev;
1907 	int err;
1908 
1909 	hdev = hci_dev_get(dev);
1910 	if (!hdev)
1911 		return -ENODEV;
1912 
1913 	/* We need to ensure that no other power on/off work is pending
1914 	 * before proceeding to call hci_dev_do_open. This is
1915 	 * particularly important if the setup procedure has not yet
1916 	 * completed.
1917 	 */
1918 	if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1919 		cancel_delayed_work(&hdev->power_off);
1920 
1921 	/* After this call it is guaranteed that the setup procedure
1922 	 * has finished. This means that error conditions like RFKILL
1923 	 * or no valid public or static random address apply.
1924 	 */
1925 	flush_workqueue(hdev->req_workqueue);
1926 
1927 	err = hci_dev_do_open(hdev);
1928 
1929 	hci_dev_put(hdev);
1930 
1931 	return err;
1932 }
1933 
1934 static int hci_dev_do_close(struct hci_dev *hdev)
1935 {
1936 	BT_DBG("%s %p", hdev->name, hdev);
1937 
1938 	cancel_delayed_work(&hdev->power_off);
1939 
1940 	hci_req_cancel(hdev, ENODEV);
1941 	hci_req_lock(hdev);
1942 
1943 	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1944 		del_timer_sync(&hdev->cmd_timer);
1945 		hci_req_unlock(hdev);
1946 		return 0;
1947 	}
1948 
1949 	/* Flush RX and TX works */
1950 	flush_work(&hdev->tx_work);
1951 	flush_work(&hdev->rx_work);
1952 
1953 	if (hdev->discov_timeout > 0) {
1954 		cancel_delayed_work(&hdev->discov_off);
1955 		hdev->discov_timeout = 0;
1956 		clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1957 		clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1958 	}
1959 
1960 	if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1961 		cancel_delayed_work(&hdev->service_cache);
1962 
1963 	cancel_delayed_work_sync(&hdev->le_scan_disable);
1964 
1965 	hci_dev_lock(hdev);
1966 	hci_inquiry_cache_flush(hdev);
1967 	hci_conn_hash_flush(hdev);
1968 	hci_dev_unlock(hdev);
1969 
1970 	hci_notify(hdev, HCI_DEV_DOWN);
1971 
1972 	if (hdev->flush)
1973 		hdev->flush(hdev);
1974 
1975 	/* Reset device */
1976 	skb_queue_purge(&hdev->cmd_q);
1977 	atomic_set(&hdev->cmd_cnt, 1);
1978 	if (!test_bit(HCI_RAW, &hdev->flags) &&
1979 	    !test_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
1980 	    test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
1981 		set_bit(HCI_INIT, &hdev->flags);
1982 		__hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
1983 		clear_bit(HCI_INIT, &hdev->flags);
1984 	}
1985 
1986 	/* flush cmd  work */
1987 	flush_work(&hdev->cmd_work);
1988 
1989 	/* Drop queues */
1990 	skb_queue_purge(&hdev->rx_q);
1991 	skb_queue_purge(&hdev->cmd_q);
1992 	skb_queue_purge(&hdev->raw_q);
1993 
1994 	/* Drop last sent command */
1995 	if (hdev->sent_cmd) {
1996 		del_timer_sync(&hdev->cmd_timer);
1997 		kfree_skb(hdev->sent_cmd);
1998 		hdev->sent_cmd = NULL;
1999 	}
2000 
2001 	kfree_skb(hdev->recv_evt);
2002 	hdev->recv_evt = NULL;
2003 
2004 	/* After this point our queues are empty
2005 	 * and no tasks are scheduled. */
2006 	hdev->close(hdev);
2007 
2008 	/* Clear flags */
2009 	hdev->flags = 0;
2010 	hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
2011 
2012 	if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
2013 		if (hdev->dev_type == HCI_BREDR) {
2014 			hci_dev_lock(hdev);
2015 			mgmt_powered(hdev, 0);
2016 			hci_dev_unlock(hdev);
2017 		}
2018 	}
2019 
2020 	/* Controller radio is available but is currently powered down */
2021 	hdev->amp_status = AMP_STATUS_POWERED_DOWN;
2022 
2023 	memset(hdev->eir, 0, sizeof(hdev->eir));
2024 	memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
2025 
2026 	hci_req_unlock(hdev);
2027 
2028 	hci_dev_put(hdev);
2029 	return 0;
2030 }
2031 
2032 int hci_dev_close(__u16 dev)
2033 {
2034 	struct hci_dev *hdev;
2035 	int err;
2036 
2037 	hdev = hci_dev_get(dev);
2038 	if (!hdev)
2039 		return -ENODEV;
2040 
2041 	if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2042 		err = -EBUSY;
2043 		goto done;
2044 	}
2045 
2046 	if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2047 		cancel_delayed_work(&hdev->power_off);
2048 
2049 	err = hci_dev_do_close(hdev);
2050 
2051 done:
2052 	hci_dev_put(hdev);
2053 	return err;
2054 }
2055 
2056 int hci_dev_reset(__u16 dev)
2057 {
2058 	struct hci_dev *hdev;
2059 	int ret = 0;
2060 
2061 	hdev = hci_dev_get(dev);
2062 	if (!hdev)
2063 		return -ENODEV;
2064 
2065 	hci_req_lock(hdev);
2066 
2067 	if (!test_bit(HCI_UP, &hdev->flags)) {
2068 		ret = -ENETDOWN;
2069 		goto done;
2070 	}
2071 
2072 	if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2073 		ret = -EBUSY;
2074 		goto done;
2075 	}
2076 
2077 	/* Drop queues */
2078 	skb_queue_purge(&hdev->rx_q);
2079 	skb_queue_purge(&hdev->cmd_q);
2080 
2081 	hci_dev_lock(hdev);
2082 	hci_inquiry_cache_flush(hdev);
2083 	hci_conn_hash_flush(hdev);
2084 	hci_dev_unlock(hdev);
2085 
2086 	if (hdev->flush)
2087 		hdev->flush(hdev);
2088 
2089 	atomic_set(&hdev->cmd_cnt, 1);
2090 	hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
2091 
2092 	if (!test_bit(HCI_RAW, &hdev->flags))
2093 		ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
2094 
2095 done:
2096 	hci_req_unlock(hdev);
2097 	hci_dev_put(hdev);
2098 	return ret;
2099 }
2100 
2101 int hci_dev_reset_stat(__u16 dev)
2102 {
2103 	struct hci_dev *hdev;
2104 	int ret = 0;
2105 
2106 	hdev = hci_dev_get(dev);
2107 	if (!hdev)
2108 		return -ENODEV;
2109 
2110 	if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2111 		ret = -EBUSY;
2112 		goto done;
2113 	}
2114 
2115 	memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
2116 
2117 done:
2118 	hci_dev_put(hdev);
2119 	return ret;
2120 }
2121 
2122 int hci_dev_cmd(unsigned int cmd, void __user *arg)
2123 {
2124 	struct hci_dev *hdev;
2125 	struct hci_dev_req dr;
2126 	int err = 0;
2127 
2128 	if (copy_from_user(&dr, arg, sizeof(dr)))
2129 		return -EFAULT;
2130 
2131 	hdev = hci_dev_get(dr.dev_id);
2132 	if (!hdev)
2133 		return -ENODEV;
2134 
2135 	if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2136 		err = -EBUSY;
2137 		goto done;
2138 	}
2139 
2140 	if (hdev->dev_type != HCI_BREDR) {
2141 		err = -EOPNOTSUPP;
2142 		goto done;
2143 	}
2144 
2145 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
2146 		err = -EOPNOTSUPP;
2147 		goto done;
2148 	}
2149 
2150 	switch (cmd) {
2151 	case HCISETAUTH:
2152 		err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2153 				   HCI_INIT_TIMEOUT);
2154 		break;
2155 
2156 	case HCISETENCRYPT:
2157 		if (!lmp_encrypt_capable(hdev)) {
2158 			err = -EOPNOTSUPP;
2159 			break;
2160 		}
2161 
2162 		if (!test_bit(HCI_AUTH, &hdev->flags)) {
2163 			/* Auth must be enabled first */
2164 			err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2165 					   HCI_INIT_TIMEOUT);
2166 			if (err)
2167 				break;
2168 		}
2169 
2170 		err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
2171 				   HCI_INIT_TIMEOUT);
2172 		break;
2173 
2174 	case HCISETSCAN:
2175 		err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
2176 				   HCI_INIT_TIMEOUT);
2177 		break;
2178 
2179 	case HCISETLINKPOL:
2180 		err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
2181 				   HCI_INIT_TIMEOUT);
2182 		break;
2183 
2184 	case HCISETLINKMODE:
2185 		hdev->link_mode = ((__u16) dr.dev_opt) &
2186 					(HCI_LM_MASTER | HCI_LM_ACCEPT);
2187 		break;
2188 
2189 	case HCISETPTYPE:
2190 		hdev->pkt_type = (__u16) dr.dev_opt;
2191 		break;
2192 
2193 	case HCISETACLMTU:
2194 		hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
2195 		hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
2196 		break;
2197 
2198 	case HCISETSCOMTU:
2199 		hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
2200 		hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
2201 		break;
2202 
2203 	default:
2204 		err = -EINVAL;
2205 		break;
2206 	}
2207 
2208 done:
2209 	hci_dev_put(hdev);
2210 	return err;
2211 }
2212 
2213 int hci_get_dev_list(void __user *arg)
2214 {
2215 	struct hci_dev *hdev;
2216 	struct hci_dev_list_req *dl;
2217 	struct hci_dev_req *dr;
2218 	int n = 0, size, err;
2219 	__u16 dev_num;
2220 
2221 	if (get_user(dev_num, (__u16 __user *) arg))
2222 		return -EFAULT;
2223 
2224 	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
2225 		return -EINVAL;
2226 
2227 	size = sizeof(*dl) + dev_num * sizeof(*dr);
2228 
2229 	dl = kzalloc(size, GFP_KERNEL);
2230 	if (!dl)
2231 		return -ENOMEM;
2232 
2233 	dr = dl->dev_req;
2234 
2235 	read_lock(&hci_dev_list_lock);
2236 	list_for_each_entry(hdev, &hci_dev_list, list) {
2237 		if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2238 			cancel_delayed_work(&hdev->power_off);
2239 
2240 		if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2241 			set_bit(HCI_PAIRABLE, &hdev->dev_flags);
2242 
2243 		(dr + n)->dev_id  = hdev->id;
2244 		(dr + n)->dev_opt = hdev->flags;
2245 
2246 		if (++n >= dev_num)
2247 			break;
2248 	}
2249 	read_unlock(&hci_dev_list_lock);
2250 
2251 	dl->dev_num = n;
2252 	size = sizeof(*dl) + n * sizeof(*dr);
2253 
2254 	err = copy_to_user(arg, dl, size);
2255 	kfree(dl);
2256 
2257 	return err ? -EFAULT : 0;
2258 }
2259 
2260 int hci_get_dev_info(void __user *arg)
2261 {
2262 	struct hci_dev *hdev;
2263 	struct hci_dev_info di;
2264 	int err = 0;
2265 
2266 	if (copy_from_user(&di, arg, sizeof(di)))
2267 		return -EFAULT;
2268 
2269 	hdev = hci_dev_get(di.dev_id);
2270 	if (!hdev)
2271 		return -ENODEV;
2272 
2273 	if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2274 		cancel_delayed_work_sync(&hdev->power_off);
2275 
2276 	if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2277 		set_bit(HCI_PAIRABLE, &hdev->dev_flags);
2278 
2279 	strcpy(di.name, hdev->name);
2280 	di.bdaddr   = hdev->bdaddr;
2281 	di.type     = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
2282 	di.flags    = hdev->flags;
2283 	di.pkt_type = hdev->pkt_type;
2284 	if (lmp_bredr_capable(hdev)) {
2285 		di.acl_mtu  = hdev->acl_mtu;
2286 		di.acl_pkts = hdev->acl_pkts;
2287 		di.sco_mtu  = hdev->sco_mtu;
2288 		di.sco_pkts = hdev->sco_pkts;
2289 	} else {
2290 		di.acl_mtu  = hdev->le_mtu;
2291 		di.acl_pkts = hdev->le_pkts;
2292 		di.sco_mtu  = 0;
2293 		di.sco_pkts = 0;
2294 	}
2295 	di.link_policy = hdev->link_policy;
2296 	di.link_mode   = hdev->link_mode;
2297 
2298 	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
2299 	memcpy(&di.features, &hdev->features, sizeof(di.features));
2300 
2301 	if (copy_to_user(arg, &di, sizeof(di)))
2302 		err = -EFAULT;
2303 
2304 	hci_dev_put(hdev);
2305 
2306 	return err;
2307 }
2308 
2309 /* ---- Interface to HCI drivers ---- */
2310 
2311 static int hci_rfkill_set_block(void *data, bool blocked)
2312 {
2313 	struct hci_dev *hdev = data;
2314 
2315 	BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
2316 
2317 	if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
2318 		return -EBUSY;
2319 
2320 	if (blocked) {
2321 		set_bit(HCI_RFKILLED, &hdev->dev_flags);
2322 		if (!test_bit(HCI_SETUP, &hdev->dev_flags))
2323 			hci_dev_do_close(hdev);
2324 	} else {
2325 		clear_bit(HCI_RFKILLED, &hdev->dev_flags);
2326 	}
2327 
2328 	return 0;
2329 }
2330 
2331 static const struct rfkill_ops hci_rfkill_ops = {
2332 	.set_block = hci_rfkill_set_block,
2333 };
2334 
2335 static void hci_power_on(struct work_struct *work)
2336 {
2337 	struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2338 	int err;
2339 
2340 	BT_DBG("%s", hdev->name);
2341 
2342 	err = hci_dev_do_open(hdev);
2343 	if (err < 0) {
2344 		mgmt_set_powered_failed(hdev, err);
2345 		return;
2346 	}
2347 
2348 	/* During the HCI setup phase, a few error conditions are
2349 	 * ignored and they need to be checked now. If they are still
2350 	 * valid, it is important to turn the device back off.
2351 	 */
2352 	if (test_bit(HCI_RFKILLED, &hdev->dev_flags) ||
2353 	    (hdev->dev_type == HCI_BREDR &&
2354 	     !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2355 	     !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2356 		clear_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2357 		hci_dev_do_close(hdev);
2358 	} else if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
2359 		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2360 				   HCI_AUTO_OFF_TIMEOUT);
2361 	}
2362 
2363 	if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
2364 		mgmt_index_added(hdev);
2365 }
2366 
2367 static void hci_power_off(struct work_struct *work)
2368 {
2369 	struct hci_dev *hdev = container_of(work, struct hci_dev,
2370 					    power_off.work);
2371 
2372 	BT_DBG("%s", hdev->name);
2373 
2374 	hci_dev_do_close(hdev);
2375 }
2376 
2377 static void hci_discov_off(struct work_struct *work)
2378 {
2379 	struct hci_dev *hdev;
2380 
2381 	hdev = container_of(work, struct hci_dev, discov_off.work);
2382 
2383 	BT_DBG("%s", hdev->name);
2384 
2385 	mgmt_discoverable_timeout(hdev);
2386 }
2387 
2388 int hci_uuids_clear(struct hci_dev *hdev)
2389 {
2390 	struct bt_uuid *uuid, *tmp;
2391 
2392 	list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2393 		list_del(&uuid->list);
2394 		kfree(uuid);
2395 	}
2396 
2397 	return 0;
2398 }
2399 
2400 int hci_link_keys_clear(struct hci_dev *hdev)
2401 {
2402 	struct list_head *p, *n;
2403 
2404 	list_for_each_safe(p, n, &hdev->link_keys) {
2405 		struct link_key *key;
2406 
2407 		key = list_entry(p, struct link_key, list);
2408 
2409 		list_del(p);
2410 		kfree(key);
2411 	}
2412 
2413 	return 0;
2414 }
2415 
2416 int hci_smp_ltks_clear(struct hci_dev *hdev)
2417 {
2418 	struct smp_ltk *k, *tmp;
2419 
2420 	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
2421 		list_del(&k->list);
2422 		kfree(k);
2423 	}
2424 
2425 	return 0;
2426 }
2427 
2428 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2429 {
2430 	struct link_key *k;
2431 
2432 	list_for_each_entry(k, &hdev->link_keys, list)
2433 		if (bacmp(bdaddr, &k->bdaddr) == 0)
2434 			return k;
2435 
2436 	return NULL;
2437 }
2438 
2439 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2440 			       u8 key_type, u8 old_key_type)
2441 {
2442 	/* Legacy key */
2443 	if (key_type < 0x03)
2444 		return true;
2445 
2446 	/* Debug keys are insecure so don't store them persistently */
2447 	if (key_type == HCI_LK_DEBUG_COMBINATION)
2448 		return false;
2449 
2450 	/* Changed combination key and there's no previous one */
2451 	if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2452 		return false;
2453 
2454 	/* Security mode 3 case */
2455 	if (!conn)
2456 		return true;
2457 
2458 	/* Neither local nor remote side had no-bonding as requirement */
2459 	if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2460 		return true;
2461 
2462 	/* Local side had dedicated bonding as requirement */
2463 	if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2464 		return true;
2465 
2466 	/* Remote side had dedicated bonding as requirement */
2467 	if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2468 		return true;
2469 
2470 	/* If none of the above criteria match, then don't store the key
2471 	 * persistently */
2472 	return false;
2473 }
2474 
2475 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
2476 {
2477 	struct smp_ltk *k;
2478 
2479 	list_for_each_entry(k, &hdev->long_term_keys, list) {
2480 		if (k->ediv != ediv ||
2481 		    memcmp(rand, k->rand, sizeof(k->rand)))
2482 			continue;
2483 
2484 		return k;
2485 	}
2486 
2487 	return NULL;
2488 }
2489 
2490 struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2491 				     u8 addr_type)
2492 {
2493 	struct smp_ltk *k;
2494 
2495 	list_for_each_entry(k, &hdev->long_term_keys, list)
2496 		if (addr_type == k->bdaddr_type &&
2497 		    bacmp(bdaddr, &k->bdaddr) == 0)
2498 			return k;
2499 
2500 	return NULL;
2501 }
2502 
2503 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2504 		     bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
2505 {
2506 	struct link_key *key, *old_key;
2507 	u8 old_key_type;
2508 	bool persistent;
2509 
2510 	old_key = hci_find_link_key(hdev, bdaddr);
2511 	if (old_key) {
2512 		old_key_type = old_key->type;
2513 		key = old_key;
2514 	} else {
2515 		old_key_type = conn ? conn->key_type : 0xff;
2516 		key = kzalloc(sizeof(*key), GFP_ATOMIC);
2517 		if (!key)
2518 			return -ENOMEM;
2519 		list_add(&key->list, &hdev->link_keys);
2520 	}
2521 
2522 	BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
2523 
2524 	/* Some buggy controller combinations generate a changed
2525 	 * combination key for legacy pairing even when there's no
2526 	 * previous key */
2527 	if (type == HCI_LK_CHANGED_COMBINATION &&
2528 	    (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
2529 		type = HCI_LK_COMBINATION;
2530 		if (conn)
2531 			conn->key_type = type;
2532 	}
2533 
2534 	bacpy(&key->bdaddr, bdaddr);
2535 	memcpy(key->val, val, HCI_LINK_KEY_SIZE);
2536 	key->pin_len = pin_len;
2537 
2538 	if (type == HCI_LK_CHANGED_COMBINATION)
2539 		key->type = old_key_type;
2540 	else
2541 		key->type = type;
2542 
2543 	if (!new_key)
2544 		return 0;
2545 
2546 	persistent = hci_persistent_key(hdev, conn, type, old_key_type);
2547 
2548 	mgmt_new_link_key(hdev, key, persistent);
2549 
2550 	if (conn)
2551 		conn->flush_key = !persistent;
2552 
2553 	return 0;
2554 }
2555 
2556 int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
2557 		int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16
2558 		ediv, u8 rand[8])
2559 {
2560 	struct smp_ltk *key, *old_key;
2561 
2562 	if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK))
2563 		return 0;
2564 
2565 	old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
2566 	if (old_key)
2567 		key = old_key;
2568 	else {
2569 		key = kzalloc(sizeof(*key), GFP_ATOMIC);
2570 		if (!key)
2571 			return -ENOMEM;
2572 		list_add(&key->list, &hdev->long_term_keys);
2573 	}
2574 
2575 	bacpy(&key->bdaddr, bdaddr);
2576 	key->bdaddr_type = addr_type;
2577 	memcpy(key->val, tk, sizeof(key->val));
2578 	key->authenticated = authenticated;
2579 	key->ediv = ediv;
2580 	key->enc_size = enc_size;
2581 	key->type = type;
2582 	memcpy(key->rand, rand, sizeof(key->rand));
2583 
2584 	if (!new_key)
2585 		return 0;
2586 
2587 	if (type & HCI_SMP_LTK)
2588 		mgmt_new_ltk(hdev, key, 1);
2589 
2590 	return 0;
2591 }
2592 
2593 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2594 {
2595 	struct link_key *key;
2596 
2597 	key = hci_find_link_key(hdev, bdaddr);
2598 	if (!key)
2599 		return -ENOENT;
2600 
2601 	BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2602 
2603 	list_del(&key->list);
2604 	kfree(key);
2605 
2606 	return 0;
2607 }
2608 
2609 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
2610 {
2611 	struct smp_ltk *k, *tmp;
2612 
2613 	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
2614 		if (bacmp(bdaddr, &k->bdaddr))
2615 			continue;
2616 
2617 		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2618 
2619 		list_del(&k->list);
2620 		kfree(k);
2621 	}
2622 
2623 	return 0;
2624 }
2625 
2626 /* HCI command timer function */
2627 static void hci_cmd_timeout(unsigned long arg)
2628 {
2629 	struct hci_dev *hdev = (void *) arg;
2630 
2631 	if (hdev->sent_cmd) {
2632 		struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
2633 		u16 opcode = __le16_to_cpu(sent->opcode);
2634 
2635 		BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
2636 	} else {
2637 		BT_ERR("%s command tx timeout", hdev->name);
2638 	}
2639 
2640 	atomic_set(&hdev->cmd_cnt, 1);
2641 	queue_work(hdev->workqueue, &hdev->cmd_work);
2642 }
2643 
2644 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
2645 					  bdaddr_t *bdaddr)
2646 {
2647 	struct oob_data *data;
2648 
2649 	list_for_each_entry(data, &hdev->remote_oob_data, list)
2650 		if (bacmp(bdaddr, &data->bdaddr) == 0)
2651 			return data;
2652 
2653 	return NULL;
2654 }
2655 
2656 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
2657 {
2658 	struct oob_data *data;
2659 
2660 	data = hci_find_remote_oob_data(hdev, bdaddr);
2661 	if (!data)
2662 		return -ENOENT;
2663 
2664 	BT_DBG("%s removing %pMR", hdev->name, bdaddr);
2665 
2666 	list_del(&data->list);
2667 	kfree(data);
2668 
2669 	return 0;
2670 }
2671 
2672 int hci_remote_oob_data_clear(struct hci_dev *hdev)
2673 {
2674 	struct oob_data *data, *n;
2675 
2676 	list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
2677 		list_del(&data->list);
2678 		kfree(data);
2679 	}
2680 
2681 	return 0;
2682 }
2683 
2684 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
2685 			    u8 *randomizer)
2686 {
2687 	struct oob_data *data;
2688 
2689 	data = hci_find_remote_oob_data(hdev, bdaddr);
2690 
2691 	if (!data) {
2692 		data = kmalloc(sizeof(*data), GFP_ATOMIC);
2693 		if (!data)
2694 			return -ENOMEM;
2695 
2696 		bacpy(&data->bdaddr, bdaddr);
2697 		list_add(&data->list, &hdev->remote_oob_data);
2698 	}
2699 
2700 	memcpy(data->hash, hash, sizeof(data->hash));
2701 	memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
2702 
2703 	BT_DBG("%s for %pMR", hdev->name, bdaddr);
2704 
2705 	return 0;
2706 }
2707 
2708 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
2709 					 bdaddr_t *bdaddr, u8 type)
2710 {
2711 	struct bdaddr_list *b;
2712 
2713 	list_for_each_entry(b, &hdev->blacklist, list) {
2714 		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2715 			return b;
2716 	}
2717 
2718 	return NULL;
2719 }
2720 
2721 int hci_blacklist_clear(struct hci_dev *hdev)
2722 {
2723 	struct list_head *p, *n;
2724 
2725 	list_for_each_safe(p, n, &hdev->blacklist) {
2726 		struct bdaddr_list *b = list_entry(p, struct bdaddr_list, list);
2727 
2728 		list_del(p);
2729 		kfree(b);
2730 	}
2731 
2732 	return 0;
2733 }
2734 
2735 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2736 {
2737 	struct bdaddr_list *entry;
2738 
2739 	if (!bacmp(bdaddr, BDADDR_ANY))
2740 		return -EBADF;
2741 
2742 	if (hci_blacklist_lookup(hdev, bdaddr, type))
2743 		return -EEXIST;
2744 
2745 	entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
2746 	if (!entry)
2747 		return -ENOMEM;
2748 
2749 	bacpy(&entry->bdaddr, bdaddr);
2750 	entry->bdaddr_type = type;
2751 
2752 	list_add(&entry->list, &hdev->blacklist);
2753 
2754 	return mgmt_device_blocked(hdev, bdaddr, type);
2755 }
2756 
2757 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
2758 {
2759 	struct bdaddr_list *entry;
2760 
2761 	if (!bacmp(bdaddr, BDADDR_ANY))
2762 		return hci_blacklist_clear(hdev);
2763 
2764 	entry = hci_blacklist_lookup(hdev, bdaddr, type);
2765 	if (!entry)
2766 		return -ENOENT;
2767 
2768 	list_del(&entry->list);
2769 	kfree(entry);
2770 
2771 	return mgmt_device_unblocked(hdev, bdaddr, type);
2772 }
2773 
2774 static void inquiry_complete(struct hci_dev *hdev, u8 status)
2775 {
2776 	if (status) {
2777 		BT_ERR("Failed to start inquiry: status %d", status);
2778 
2779 		hci_dev_lock(hdev);
2780 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2781 		hci_dev_unlock(hdev);
2782 		return;
2783 	}
2784 }
2785 
2786 static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status)
2787 {
2788 	/* General inquiry access code (GIAC) */
2789 	u8 lap[3] = { 0x33, 0x8b, 0x9e };
2790 	struct hci_request req;
2791 	struct hci_cp_inquiry cp;
2792 	int err;
2793 
2794 	if (status) {
2795 		BT_ERR("Failed to disable LE scanning: status %d", status);
2796 		return;
2797 	}
2798 
2799 	switch (hdev->discovery.type) {
2800 	case DISCOV_TYPE_LE:
2801 		hci_dev_lock(hdev);
2802 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2803 		hci_dev_unlock(hdev);
2804 		break;
2805 
2806 	case DISCOV_TYPE_INTERLEAVED:
2807 		hci_req_init(&req, hdev);
2808 
2809 		memset(&cp, 0, sizeof(cp));
2810 		memcpy(&cp.lap, lap, sizeof(cp.lap));
2811 		cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
2812 		hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
2813 
2814 		hci_dev_lock(hdev);
2815 
2816 		hci_inquiry_cache_flush(hdev);
2817 
2818 		err = hci_req_run(&req, inquiry_complete);
2819 		if (err) {
2820 			BT_ERR("Inquiry request failed: err %d", err);
2821 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2822 		}
2823 
2824 		hci_dev_unlock(hdev);
2825 		break;
2826 	}
2827 }
2828 
2829 static void le_scan_disable_work(struct work_struct *work)
2830 {
2831 	struct hci_dev *hdev = container_of(work, struct hci_dev,
2832 					    le_scan_disable.work);
2833 	struct hci_cp_le_set_scan_enable cp;
2834 	struct hci_request req;
2835 	int err;
2836 
2837 	BT_DBG("%s", hdev->name);
2838 
2839 	hci_req_init(&req, hdev);
2840 
2841 	memset(&cp, 0, sizeof(cp));
2842 	cp.enable = LE_SCAN_DISABLE;
2843 	hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2844 
2845 	err = hci_req_run(&req, le_scan_disable_work_complete);
2846 	if (err)
2847 		BT_ERR("Disable LE scanning request failed: err %d", err);
2848 }
2849 
2850 /* Alloc HCI device */
2851 struct hci_dev *hci_alloc_dev(void)
2852 {
2853 	struct hci_dev *hdev;
2854 
2855 	hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
2856 	if (!hdev)
2857 		return NULL;
2858 
2859 	hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2860 	hdev->esco_type = (ESCO_HV1);
2861 	hdev->link_mode = (HCI_LM_ACCEPT);
2862 	hdev->num_iac = 0x01;		/* One IAC support is mandatory */
2863 	hdev->io_capability = 0x03;	/* No Input No Output */
2864 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2865 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2866 
2867 	hdev->sniff_max_interval = 800;
2868 	hdev->sniff_min_interval = 80;
2869 
2870 	hdev->le_scan_interval = 0x0060;
2871 	hdev->le_scan_window = 0x0030;
2872 	hdev->le_conn_min_interval = 0x0028;
2873 	hdev->le_conn_max_interval = 0x0038;
2874 
2875 	mutex_init(&hdev->lock);
2876 	mutex_init(&hdev->req_lock);
2877 
2878 	INIT_LIST_HEAD(&hdev->mgmt_pending);
2879 	INIT_LIST_HEAD(&hdev->blacklist);
2880 	INIT_LIST_HEAD(&hdev->uuids);
2881 	INIT_LIST_HEAD(&hdev->link_keys);
2882 	INIT_LIST_HEAD(&hdev->long_term_keys);
2883 	INIT_LIST_HEAD(&hdev->remote_oob_data);
2884 	INIT_LIST_HEAD(&hdev->conn_hash.list);
2885 
2886 	INIT_WORK(&hdev->rx_work, hci_rx_work);
2887 	INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2888 	INIT_WORK(&hdev->tx_work, hci_tx_work);
2889 	INIT_WORK(&hdev->power_on, hci_power_on);
2890 
2891 	INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2892 	INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2893 	INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2894 
2895 	skb_queue_head_init(&hdev->rx_q);
2896 	skb_queue_head_init(&hdev->cmd_q);
2897 	skb_queue_head_init(&hdev->raw_q);
2898 
2899 	init_waitqueue_head(&hdev->req_wait_q);
2900 
2901 	setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
2902 
2903 	hci_init_sysfs(hdev);
2904 	discovery_init(hdev);
2905 
2906 	return hdev;
2907 }
2908 EXPORT_SYMBOL(hci_alloc_dev);
2909 
2910 /* Free HCI device */
2911 void hci_free_dev(struct hci_dev *hdev)
2912 {
2913 	/* will free via device release */
2914 	put_device(&hdev->dev);
2915 }
2916 EXPORT_SYMBOL(hci_free_dev);
2917 
2918 /* Register HCI device */
2919 int hci_register_dev(struct hci_dev *hdev)
2920 {
2921 	int id, error;
2922 
2923 	if (!hdev->open || !hdev->close)
2924 		return -EINVAL;
2925 
2926 	/* Do not allow HCI_AMP devices to register at index 0,
2927 	 * so the index can be used as the AMP controller ID.
2928 	 */
2929 	switch (hdev->dev_type) {
2930 	case HCI_BREDR:
2931 		id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
2932 		break;
2933 	case HCI_AMP:
2934 		id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
2935 		break;
2936 	default:
2937 		return -EINVAL;
2938 	}
2939 
2940 	if (id < 0)
2941 		return id;
2942 
2943 	sprintf(hdev->name, "hci%d", id);
2944 	hdev->id = id;
2945 
2946 	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2947 
2948 	hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
2949 					  WQ_MEM_RECLAIM, 1, hdev->name);
2950 	if (!hdev->workqueue) {
2951 		error = -ENOMEM;
2952 		goto err;
2953 	}
2954 
2955 	hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
2956 					      WQ_MEM_RECLAIM, 1, hdev->name);
2957 	if (!hdev->req_workqueue) {
2958 		destroy_workqueue(hdev->workqueue);
2959 		error = -ENOMEM;
2960 		goto err;
2961 	}
2962 
2963 	if (!IS_ERR_OR_NULL(bt_debugfs))
2964 		hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
2965 
2966 	dev_set_name(&hdev->dev, "%s", hdev->name);
2967 
2968 	error = device_add(&hdev->dev);
2969 	if (error < 0)
2970 		goto err_wqueue;
2971 
2972 	hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2973 				    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2974 				    hdev);
2975 	if (hdev->rfkill) {
2976 		if (rfkill_register(hdev->rfkill) < 0) {
2977 			rfkill_destroy(hdev->rfkill);
2978 			hdev->rfkill = NULL;
2979 		}
2980 	}
2981 
2982 	if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
2983 		set_bit(HCI_RFKILLED, &hdev->dev_flags);
2984 
2985 	set_bit(HCI_SETUP, &hdev->dev_flags);
2986 	set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2987 
2988 	if (hdev->dev_type == HCI_BREDR) {
2989 		/* Assume BR/EDR support until proven otherwise (such as
2990 		 * through reading supported features during init.
2991 		 */
2992 		set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
2993 	}
2994 
2995 	write_lock(&hci_dev_list_lock);
2996 	list_add(&hdev->list, &hci_dev_list);
2997 	write_unlock(&hci_dev_list_lock);
2998 
2999 	hci_notify(hdev, HCI_DEV_REG);
3000 	hci_dev_hold(hdev);
3001 
3002 	queue_work(hdev->req_workqueue, &hdev->power_on);
3003 
3004 	return id;
3005 
3006 err_wqueue:
3007 	destroy_workqueue(hdev->workqueue);
3008 	destroy_workqueue(hdev->req_workqueue);
3009 err:
3010 	ida_simple_remove(&hci_index_ida, hdev->id);
3011 
3012 	return error;
3013 }
3014 EXPORT_SYMBOL(hci_register_dev);
3015 
3016 /* Unregister HCI device */
3017 void hci_unregister_dev(struct hci_dev *hdev)
3018 {
3019 	int i, id;
3020 
3021 	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3022 
3023 	set_bit(HCI_UNREGISTER, &hdev->dev_flags);
3024 
3025 	id = hdev->id;
3026 
3027 	write_lock(&hci_dev_list_lock);
3028 	list_del(&hdev->list);
3029 	write_unlock(&hci_dev_list_lock);
3030 
3031 	hci_dev_do_close(hdev);
3032 
3033 	for (i = 0; i < NUM_REASSEMBLY; i++)
3034 		kfree_skb(hdev->reassembly[i]);
3035 
3036 	cancel_work_sync(&hdev->power_on);
3037 
3038 	if (!test_bit(HCI_INIT, &hdev->flags) &&
3039 	    !test_bit(HCI_SETUP, &hdev->dev_flags)) {
3040 		hci_dev_lock(hdev);
3041 		mgmt_index_removed(hdev);
3042 		hci_dev_unlock(hdev);
3043 	}
3044 
3045 	/* mgmt_index_removed should take care of emptying the
3046 	 * pending list */
3047 	BUG_ON(!list_empty(&hdev->mgmt_pending));
3048 
3049 	hci_notify(hdev, HCI_DEV_UNREG);
3050 
3051 	if (hdev->rfkill) {
3052 		rfkill_unregister(hdev->rfkill);
3053 		rfkill_destroy(hdev->rfkill);
3054 	}
3055 
3056 	device_del(&hdev->dev);
3057 
3058 	debugfs_remove_recursive(hdev->debugfs);
3059 
3060 	destroy_workqueue(hdev->workqueue);
3061 	destroy_workqueue(hdev->req_workqueue);
3062 
3063 	hci_dev_lock(hdev);
3064 	hci_blacklist_clear(hdev);
3065 	hci_uuids_clear(hdev);
3066 	hci_link_keys_clear(hdev);
3067 	hci_smp_ltks_clear(hdev);
3068 	hci_remote_oob_data_clear(hdev);
3069 	hci_dev_unlock(hdev);
3070 
3071 	hci_dev_put(hdev);
3072 
3073 	ida_simple_remove(&hci_index_ida, id);
3074 }
3075 EXPORT_SYMBOL(hci_unregister_dev);
3076 
3077 /* Suspend HCI device */
3078 int hci_suspend_dev(struct hci_dev *hdev)
3079 {
3080 	hci_notify(hdev, HCI_DEV_SUSPEND);
3081 	return 0;
3082 }
3083 EXPORT_SYMBOL(hci_suspend_dev);
3084 
3085 /* Resume HCI device */
3086 int hci_resume_dev(struct hci_dev *hdev)
3087 {
3088 	hci_notify(hdev, HCI_DEV_RESUME);
3089 	return 0;
3090 }
3091 EXPORT_SYMBOL(hci_resume_dev);
3092 
3093 /* Receive frame from HCI drivers */
3094 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
3095 {
3096 	if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
3097 		      && !test_bit(HCI_INIT, &hdev->flags))) {
3098 		kfree_skb(skb);
3099 		return -ENXIO;
3100 	}
3101 
3102 	/* Incoming skb */
3103 	bt_cb(skb)->incoming = 1;
3104 
3105 	/* Time stamp */
3106 	__net_timestamp(skb);
3107 
3108 	skb_queue_tail(&hdev->rx_q, skb);
3109 	queue_work(hdev->workqueue, &hdev->rx_work);
3110 
3111 	return 0;
3112 }
3113 EXPORT_SYMBOL(hci_recv_frame);
3114 
3115 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
3116 			  int count, __u8 index)
3117 {
3118 	int len = 0;
3119 	int hlen = 0;
3120 	int remain = count;
3121 	struct sk_buff *skb;
3122 	struct bt_skb_cb *scb;
3123 
3124 	if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
3125 	    index >= NUM_REASSEMBLY)
3126 		return -EILSEQ;
3127 
3128 	skb = hdev->reassembly[index];
3129 
3130 	if (!skb) {
3131 		switch (type) {
3132 		case HCI_ACLDATA_PKT:
3133 			len = HCI_MAX_FRAME_SIZE;
3134 			hlen = HCI_ACL_HDR_SIZE;
3135 			break;
3136 		case HCI_EVENT_PKT:
3137 			len = HCI_MAX_EVENT_SIZE;
3138 			hlen = HCI_EVENT_HDR_SIZE;
3139 			break;
3140 		case HCI_SCODATA_PKT:
3141 			len = HCI_MAX_SCO_SIZE;
3142 			hlen = HCI_SCO_HDR_SIZE;
3143 			break;
3144 		}
3145 
3146 		skb = bt_skb_alloc(len, GFP_ATOMIC);
3147 		if (!skb)
3148 			return -ENOMEM;
3149 
3150 		scb = (void *) skb->cb;
3151 		scb->expect = hlen;
3152 		scb->pkt_type = type;
3153 
3154 		hdev->reassembly[index] = skb;
3155 	}
3156 
3157 	while (count) {
3158 		scb = (void *) skb->cb;
3159 		len = min_t(uint, scb->expect, count);
3160 
3161 		memcpy(skb_put(skb, len), data, len);
3162 
3163 		count -= len;
3164 		data += len;
3165 		scb->expect -= len;
3166 		remain = count;
3167 
3168 		switch (type) {
3169 		case HCI_EVENT_PKT:
3170 			if (skb->len == HCI_EVENT_HDR_SIZE) {
3171 				struct hci_event_hdr *h = hci_event_hdr(skb);
3172 				scb->expect = h->plen;
3173 
3174 				if (skb_tailroom(skb) < scb->expect) {
3175 					kfree_skb(skb);
3176 					hdev->reassembly[index] = NULL;
3177 					return -ENOMEM;
3178 				}
3179 			}
3180 			break;
3181 
3182 		case HCI_ACLDATA_PKT:
3183 			if (skb->len  == HCI_ACL_HDR_SIZE) {
3184 				struct hci_acl_hdr *h = hci_acl_hdr(skb);
3185 				scb->expect = __le16_to_cpu(h->dlen);
3186 
3187 				if (skb_tailroom(skb) < scb->expect) {
3188 					kfree_skb(skb);
3189 					hdev->reassembly[index] = NULL;
3190 					return -ENOMEM;
3191 				}
3192 			}
3193 			break;
3194 
3195 		case HCI_SCODATA_PKT:
3196 			if (skb->len == HCI_SCO_HDR_SIZE) {
3197 				struct hci_sco_hdr *h = hci_sco_hdr(skb);
3198 				scb->expect = h->dlen;
3199 
3200 				if (skb_tailroom(skb) < scb->expect) {
3201 					kfree_skb(skb);
3202 					hdev->reassembly[index] = NULL;
3203 					return -ENOMEM;
3204 				}
3205 			}
3206 			break;
3207 		}
3208 
3209 		if (scb->expect == 0) {
3210 			/* Complete frame */
3211 
3212 			bt_cb(skb)->pkt_type = type;
3213 			hci_recv_frame(hdev, skb);
3214 
3215 			hdev->reassembly[index] = NULL;
3216 			return remain;
3217 		}
3218 	}
3219 
3220 	return remain;
3221 }
3222 
3223 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
3224 {
3225 	int rem = 0;
3226 
3227 	if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
3228 		return -EILSEQ;
3229 
3230 	while (count) {
3231 		rem = hci_reassembly(hdev, type, data, count, type - 1);
3232 		if (rem < 0)
3233 			return rem;
3234 
3235 		data += (count - rem);
3236 		count = rem;
3237 	}
3238 
3239 	return rem;
3240 }
3241 EXPORT_SYMBOL(hci_recv_fragment);
3242 
3243 #define STREAM_REASSEMBLY 0
3244 
3245 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
3246 {
3247 	int type;
3248 	int rem = 0;
3249 
3250 	while (count) {
3251 		struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
3252 
3253 		if (!skb) {
3254 			struct { char type; } *pkt;
3255 
3256 			/* Start of the frame */
3257 			pkt = data;
3258 			type = pkt->type;
3259 
3260 			data++;
3261 			count--;
3262 		} else
3263 			type = bt_cb(skb)->pkt_type;
3264 
3265 		rem = hci_reassembly(hdev, type, data, count,
3266 				     STREAM_REASSEMBLY);
3267 		if (rem < 0)
3268 			return rem;
3269 
3270 		data += (count - rem);
3271 		count = rem;
3272 	}
3273 
3274 	return rem;
3275 }
3276 EXPORT_SYMBOL(hci_recv_stream_fragment);
3277 
3278 /* ---- Interface to upper protocols ---- */
3279 
3280 int hci_register_cb(struct hci_cb *cb)
3281 {
3282 	BT_DBG("%p name %s", cb, cb->name);
3283 
3284 	write_lock(&hci_cb_list_lock);
3285 	list_add(&cb->list, &hci_cb_list);
3286 	write_unlock(&hci_cb_list_lock);
3287 
3288 	return 0;
3289 }
3290 EXPORT_SYMBOL(hci_register_cb);
3291 
3292 int hci_unregister_cb(struct hci_cb *cb)
3293 {
3294 	BT_DBG("%p name %s", cb, cb->name);
3295 
3296 	write_lock(&hci_cb_list_lock);
3297 	list_del(&cb->list);
3298 	write_unlock(&hci_cb_list_lock);
3299 
3300 	return 0;
3301 }
3302 EXPORT_SYMBOL(hci_unregister_cb);
3303 
3304 static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3305 {
3306 	BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
3307 
3308 	/* Time stamp */
3309 	__net_timestamp(skb);
3310 
3311 	/* Send copy to monitor */
3312 	hci_send_to_monitor(hdev, skb);
3313 
3314 	if (atomic_read(&hdev->promisc)) {
3315 		/* Send copy to the sockets */
3316 		hci_send_to_sock(hdev, skb);
3317 	}
3318 
3319 	/* Get rid of skb owner, prior to sending to the driver. */
3320 	skb_orphan(skb);
3321 
3322 	if (hdev->send(hdev, skb) < 0)
3323 		BT_ERR("%s sending frame failed", hdev->name);
3324 }
3325 
3326 void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
3327 {
3328 	skb_queue_head_init(&req->cmd_q);
3329 	req->hdev = hdev;
3330 	req->err = 0;
3331 }
3332 
3333 int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
3334 {
3335 	struct hci_dev *hdev = req->hdev;
3336 	struct sk_buff *skb;
3337 	unsigned long flags;
3338 
3339 	BT_DBG("length %u", skb_queue_len(&req->cmd_q));
3340 
3341 	/* If an error occured during request building, remove all HCI
3342 	 * commands queued on the HCI request queue.
3343 	 */
3344 	if (req->err) {
3345 		skb_queue_purge(&req->cmd_q);
3346 		return req->err;
3347 	}
3348 
3349 	/* Do not allow empty requests */
3350 	if (skb_queue_empty(&req->cmd_q))
3351 		return -ENODATA;
3352 
3353 	skb = skb_peek_tail(&req->cmd_q);
3354 	bt_cb(skb)->req.complete = complete;
3355 
3356 	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
3357 	skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
3358 	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
3359 
3360 	queue_work(hdev->workqueue, &hdev->cmd_work);
3361 
3362 	return 0;
3363 }
3364 
3365 static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
3366 				       u32 plen, const void *param)
3367 {
3368 	int len = HCI_COMMAND_HDR_SIZE + plen;
3369 	struct hci_command_hdr *hdr;
3370 	struct sk_buff *skb;
3371 
3372 	skb = bt_skb_alloc(len, GFP_ATOMIC);
3373 	if (!skb)
3374 		return NULL;
3375 
3376 	hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
3377 	hdr->opcode = cpu_to_le16(opcode);
3378 	hdr->plen   = plen;
3379 
3380 	if (plen)
3381 		memcpy(skb_put(skb, plen), param, plen);
3382 
3383 	BT_DBG("skb len %d", skb->len);
3384 
3385 	bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
3386 
3387 	return skb;
3388 }
3389 
3390 /* Send HCI command */
3391 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3392 		 const void *param)
3393 {
3394 	struct sk_buff *skb;
3395 
3396 	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3397 
3398 	skb = hci_prepare_cmd(hdev, opcode, plen, param);
3399 	if (!skb) {
3400 		BT_ERR("%s no memory for command", hdev->name);
3401 		return -ENOMEM;
3402 	}
3403 
3404 	/* Stand-alone HCI commands must be flaged as
3405 	 * single-command requests.
3406 	 */
3407 	bt_cb(skb)->req.start = true;
3408 
3409 	skb_queue_tail(&hdev->cmd_q, skb);
3410 	queue_work(hdev->workqueue, &hdev->cmd_work);
3411 
3412 	return 0;
3413 }
3414 
3415 /* Queue a command to an asynchronous HCI request */
3416 void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen,
3417 		    const void *param, u8 event)
3418 {
3419 	struct hci_dev *hdev = req->hdev;
3420 	struct sk_buff *skb;
3421 
3422 	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3423 
3424 	/* If an error occured during request building, there is no point in
3425 	 * queueing the HCI command. We can simply return.
3426 	 */
3427 	if (req->err)
3428 		return;
3429 
3430 	skb = hci_prepare_cmd(hdev, opcode, plen, param);
3431 	if (!skb) {
3432 		BT_ERR("%s no memory for command (opcode 0x%4.4x)",
3433 		       hdev->name, opcode);
3434 		req->err = -ENOMEM;
3435 		return;
3436 	}
3437 
3438 	if (skb_queue_empty(&req->cmd_q))
3439 		bt_cb(skb)->req.start = true;
3440 
3441 	bt_cb(skb)->req.event = event;
3442 
3443 	skb_queue_tail(&req->cmd_q, skb);
3444 }
3445 
3446 void hci_req_add(struct hci_request *req, u16 opcode, u32 plen,
3447 		 const void *param)
3448 {
3449 	hci_req_add_ev(req, opcode, plen, param, 0);
3450 }
3451 
3452 /* Get data from the previously sent command */
3453 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3454 {
3455 	struct hci_command_hdr *hdr;
3456 
3457 	if (!hdev->sent_cmd)
3458 		return NULL;
3459 
3460 	hdr = (void *) hdev->sent_cmd->data;
3461 
3462 	if (hdr->opcode != cpu_to_le16(opcode))
3463 		return NULL;
3464 
3465 	BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3466 
3467 	return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
3468 }
3469 
3470 /* Send ACL data */
3471 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3472 {
3473 	struct hci_acl_hdr *hdr;
3474 	int len = skb->len;
3475 
3476 	skb_push(skb, HCI_ACL_HDR_SIZE);
3477 	skb_reset_transport_header(skb);
3478 	hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3479 	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3480 	hdr->dlen   = cpu_to_le16(len);
3481 }
3482 
3483 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3484 			  struct sk_buff *skb, __u16 flags)
3485 {
3486 	struct hci_conn *conn = chan->conn;
3487 	struct hci_dev *hdev = conn->hdev;
3488 	struct sk_buff *list;
3489 
3490 	skb->len = skb_headlen(skb);
3491 	skb->data_len = 0;
3492 
3493 	bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
3494 
3495 	switch (hdev->dev_type) {
3496 	case HCI_BREDR:
3497 		hci_add_acl_hdr(skb, conn->handle, flags);
3498 		break;
3499 	case HCI_AMP:
3500 		hci_add_acl_hdr(skb, chan->handle, flags);
3501 		break;
3502 	default:
3503 		BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3504 		return;
3505 	}
3506 
3507 	list = skb_shinfo(skb)->frag_list;
3508 	if (!list) {
3509 		/* Non fragmented */
3510 		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3511 
3512 		skb_queue_tail(queue, skb);
3513 	} else {
3514 		/* Fragmented */
3515 		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3516 
3517 		skb_shinfo(skb)->frag_list = NULL;
3518 
3519 		/* Queue all fragments atomically */
3520 		spin_lock(&queue->lock);
3521 
3522 		__skb_queue_tail(queue, skb);
3523 
3524 		flags &= ~ACL_START;
3525 		flags |= ACL_CONT;
3526 		do {
3527 			skb = list; list = list->next;
3528 
3529 			bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
3530 			hci_add_acl_hdr(skb, conn->handle, flags);
3531 
3532 			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3533 
3534 			__skb_queue_tail(queue, skb);
3535 		} while (list);
3536 
3537 		spin_unlock(&queue->lock);
3538 	}
3539 }
3540 
3541 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3542 {
3543 	struct hci_dev *hdev = chan->conn->hdev;
3544 
3545 	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3546 
3547 	hci_queue_acl(chan, &chan->data_q, skb, flags);
3548 
3549 	queue_work(hdev->workqueue, &hdev->tx_work);
3550 }
3551 
3552 /* Send SCO data */
3553 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3554 {
3555 	struct hci_dev *hdev = conn->hdev;
3556 	struct hci_sco_hdr hdr;
3557 
3558 	BT_DBG("%s len %d", hdev->name, skb->len);
3559 
3560 	hdr.handle = cpu_to_le16(conn->handle);
3561 	hdr.dlen   = skb->len;
3562 
3563 	skb_push(skb, HCI_SCO_HDR_SIZE);
3564 	skb_reset_transport_header(skb);
3565 	memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3566 
3567 	bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
3568 
3569 	skb_queue_tail(&conn->data_q, skb);
3570 	queue_work(hdev->workqueue, &hdev->tx_work);
3571 }
3572 
3573 /* ---- HCI TX task (outgoing data) ---- */
3574 
3575 /* HCI Connection scheduler */
3576 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3577 				     int *quote)
3578 {
3579 	struct hci_conn_hash *h = &hdev->conn_hash;
3580 	struct hci_conn *conn = NULL, *c;
3581 	unsigned int num = 0, min = ~0;
3582 
3583 	/* We don't have to lock device here. Connections are always
3584 	 * added and removed with TX task disabled. */
3585 
3586 	rcu_read_lock();
3587 
3588 	list_for_each_entry_rcu(c, &h->list, list) {
3589 		if (c->type != type || skb_queue_empty(&c->data_q))
3590 			continue;
3591 
3592 		if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3593 			continue;
3594 
3595 		num++;
3596 
3597 		if (c->sent < min) {
3598 			min  = c->sent;
3599 			conn = c;
3600 		}
3601 
3602 		if (hci_conn_num(hdev, type) == num)
3603 			break;
3604 	}
3605 
3606 	rcu_read_unlock();
3607 
3608 	if (conn) {
3609 		int cnt, q;
3610 
3611 		switch (conn->type) {
3612 		case ACL_LINK:
3613 			cnt = hdev->acl_cnt;
3614 			break;
3615 		case SCO_LINK:
3616 		case ESCO_LINK:
3617 			cnt = hdev->sco_cnt;
3618 			break;
3619 		case LE_LINK:
3620 			cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3621 			break;
3622 		default:
3623 			cnt = 0;
3624 			BT_ERR("Unknown link type");
3625 		}
3626 
3627 		q = cnt / num;
3628 		*quote = q ? q : 1;
3629 	} else
3630 		*quote = 0;
3631 
3632 	BT_DBG("conn %p quote %d", conn, *quote);
3633 	return conn;
3634 }
3635 
3636 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3637 {
3638 	struct hci_conn_hash *h = &hdev->conn_hash;
3639 	struct hci_conn *c;
3640 
3641 	BT_ERR("%s link tx timeout", hdev->name);
3642 
3643 	rcu_read_lock();
3644 
3645 	/* Kill stalled connections */
3646 	list_for_each_entry_rcu(c, &h->list, list) {
3647 		if (c->type == type && c->sent) {
3648 			BT_ERR("%s killing stalled connection %pMR",
3649 			       hdev->name, &c->dst);
3650 			hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3651 		}
3652 	}
3653 
3654 	rcu_read_unlock();
3655 }
3656 
3657 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3658 				      int *quote)
3659 {
3660 	struct hci_conn_hash *h = &hdev->conn_hash;
3661 	struct hci_chan *chan = NULL;
3662 	unsigned int num = 0, min = ~0, cur_prio = 0;
3663 	struct hci_conn *conn;
3664 	int cnt, q, conn_num = 0;
3665 
3666 	BT_DBG("%s", hdev->name);
3667 
3668 	rcu_read_lock();
3669 
3670 	list_for_each_entry_rcu(conn, &h->list, list) {
3671 		struct hci_chan *tmp;
3672 
3673 		if (conn->type != type)
3674 			continue;
3675 
3676 		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3677 			continue;
3678 
3679 		conn_num++;
3680 
3681 		list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3682 			struct sk_buff *skb;
3683 
3684 			if (skb_queue_empty(&tmp->data_q))
3685 				continue;
3686 
3687 			skb = skb_peek(&tmp->data_q);
3688 			if (skb->priority < cur_prio)
3689 				continue;
3690 
3691 			if (skb->priority > cur_prio) {
3692 				num = 0;
3693 				min = ~0;
3694 				cur_prio = skb->priority;
3695 			}
3696 
3697 			num++;
3698 
3699 			if (conn->sent < min) {
3700 				min  = conn->sent;
3701 				chan = tmp;
3702 			}
3703 		}
3704 
3705 		if (hci_conn_num(hdev, type) == conn_num)
3706 			break;
3707 	}
3708 
3709 	rcu_read_unlock();
3710 
3711 	if (!chan)
3712 		return NULL;
3713 
3714 	switch (chan->conn->type) {
3715 	case ACL_LINK:
3716 		cnt = hdev->acl_cnt;
3717 		break;
3718 	case AMP_LINK:
3719 		cnt = hdev->block_cnt;
3720 		break;
3721 	case SCO_LINK:
3722 	case ESCO_LINK:
3723 		cnt = hdev->sco_cnt;
3724 		break;
3725 	case LE_LINK:
3726 		cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3727 		break;
3728 	default:
3729 		cnt = 0;
3730 		BT_ERR("Unknown link type");
3731 	}
3732 
3733 	q = cnt / num;
3734 	*quote = q ? q : 1;
3735 	BT_DBG("chan %p quote %d", chan, *quote);
3736 	return chan;
3737 }
3738 
3739 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3740 {
3741 	struct hci_conn_hash *h = &hdev->conn_hash;
3742 	struct hci_conn *conn;
3743 	int num = 0;
3744 
3745 	BT_DBG("%s", hdev->name);
3746 
3747 	rcu_read_lock();
3748 
3749 	list_for_each_entry_rcu(conn, &h->list, list) {
3750 		struct hci_chan *chan;
3751 
3752 		if (conn->type != type)
3753 			continue;
3754 
3755 		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3756 			continue;
3757 
3758 		num++;
3759 
3760 		list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3761 			struct sk_buff *skb;
3762 
3763 			if (chan->sent) {
3764 				chan->sent = 0;
3765 				continue;
3766 			}
3767 
3768 			if (skb_queue_empty(&chan->data_q))
3769 				continue;
3770 
3771 			skb = skb_peek(&chan->data_q);
3772 			if (skb->priority >= HCI_PRIO_MAX - 1)
3773 				continue;
3774 
3775 			skb->priority = HCI_PRIO_MAX - 1;
3776 
3777 			BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3778 			       skb->priority);
3779 		}
3780 
3781 		if (hci_conn_num(hdev, type) == num)
3782 			break;
3783 	}
3784 
3785 	rcu_read_unlock();
3786 
3787 }
3788 
3789 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3790 {
3791 	/* Calculate count of blocks used by this packet */
3792 	return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3793 }
3794 
3795 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3796 {
3797 	if (!test_bit(HCI_RAW, &hdev->flags)) {
3798 		/* ACL tx timeout must be longer than maximum
3799 		 * link supervision timeout (40.9 seconds) */
3800 		if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3801 				       HCI_ACL_TX_TIMEOUT))
3802 			hci_link_tx_to(hdev, ACL_LINK);
3803 	}
3804 }
3805 
3806 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3807 {
3808 	unsigned int cnt = hdev->acl_cnt;
3809 	struct hci_chan *chan;
3810 	struct sk_buff *skb;
3811 	int quote;
3812 
3813 	__check_timeout(hdev, cnt);
3814 
3815 	while (hdev->acl_cnt &&
3816 	       (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3817 		u32 priority = (skb_peek(&chan->data_q))->priority;
3818 		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3819 			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3820 			       skb->len, skb->priority);
3821 
3822 			/* Stop if priority has changed */
3823 			if (skb->priority < priority)
3824 				break;
3825 
3826 			skb = skb_dequeue(&chan->data_q);
3827 
3828 			hci_conn_enter_active_mode(chan->conn,
3829 						   bt_cb(skb)->force_active);
3830 
3831 			hci_send_frame(hdev, skb);
3832 			hdev->acl_last_tx = jiffies;
3833 
3834 			hdev->acl_cnt--;
3835 			chan->sent++;
3836 			chan->conn->sent++;
3837 		}
3838 	}
3839 
3840 	if (cnt != hdev->acl_cnt)
3841 		hci_prio_recalculate(hdev, ACL_LINK);
3842 }
3843 
3844 static void hci_sched_acl_blk(struct hci_dev *hdev)
3845 {
3846 	unsigned int cnt = hdev->block_cnt;
3847 	struct hci_chan *chan;
3848 	struct sk_buff *skb;
3849 	int quote;
3850 	u8 type;
3851 
3852 	__check_timeout(hdev, cnt);
3853 
3854 	BT_DBG("%s", hdev->name);
3855 
3856 	if (hdev->dev_type == HCI_AMP)
3857 		type = AMP_LINK;
3858 	else
3859 		type = ACL_LINK;
3860 
3861 	while (hdev->block_cnt > 0 &&
3862 	       (chan = hci_chan_sent(hdev, type, &quote))) {
3863 		u32 priority = (skb_peek(&chan->data_q))->priority;
3864 		while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3865 			int blocks;
3866 
3867 			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3868 			       skb->len, skb->priority);
3869 
3870 			/* Stop if priority has changed */
3871 			if (skb->priority < priority)
3872 				break;
3873 
3874 			skb = skb_dequeue(&chan->data_q);
3875 
3876 			blocks = __get_blocks(hdev, skb);
3877 			if (blocks > hdev->block_cnt)
3878 				return;
3879 
3880 			hci_conn_enter_active_mode(chan->conn,
3881 						   bt_cb(skb)->force_active);
3882 
3883 			hci_send_frame(hdev, skb);
3884 			hdev->acl_last_tx = jiffies;
3885 
3886 			hdev->block_cnt -= blocks;
3887 			quote -= blocks;
3888 
3889 			chan->sent += blocks;
3890 			chan->conn->sent += blocks;
3891 		}
3892 	}
3893 
3894 	if (cnt != hdev->block_cnt)
3895 		hci_prio_recalculate(hdev, type);
3896 }
3897 
3898 static void hci_sched_acl(struct hci_dev *hdev)
3899 {
3900 	BT_DBG("%s", hdev->name);
3901 
3902 	/* No ACL link over BR/EDR controller */
3903 	if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3904 		return;
3905 
3906 	/* No AMP link over AMP controller */
3907 	if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3908 		return;
3909 
3910 	switch (hdev->flow_ctl_mode) {
3911 	case HCI_FLOW_CTL_MODE_PACKET_BASED:
3912 		hci_sched_acl_pkt(hdev);
3913 		break;
3914 
3915 	case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3916 		hci_sched_acl_blk(hdev);
3917 		break;
3918 	}
3919 }
3920 
3921 /* Schedule SCO */
3922 static void hci_sched_sco(struct hci_dev *hdev)
3923 {
3924 	struct hci_conn *conn;
3925 	struct sk_buff *skb;
3926 	int quote;
3927 
3928 	BT_DBG("%s", hdev->name);
3929 
3930 	if (!hci_conn_num(hdev, SCO_LINK))
3931 		return;
3932 
3933 	while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3934 		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3935 			BT_DBG("skb %p len %d", skb, skb->len);
3936 			hci_send_frame(hdev, skb);
3937 
3938 			conn->sent++;
3939 			if (conn->sent == ~0)
3940 				conn->sent = 0;
3941 		}
3942 	}
3943 }
3944 
3945 static void hci_sched_esco(struct hci_dev *hdev)
3946 {
3947 	struct hci_conn *conn;
3948 	struct sk_buff *skb;
3949 	int quote;
3950 
3951 	BT_DBG("%s", hdev->name);
3952 
3953 	if (!hci_conn_num(hdev, ESCO_LINK))
3954 		return;
3955 
3956 	while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3957 						     &quote))) {
3958 		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3959 			BT_DBG("skb %p len %d", skb, skb->len);
3960 			hci_send_frame(hdev, skb);
3961 
3962 			conn->sent++;
3963 			if (conn->sent == ~0)
3964 				conn->sent = 0;
3965 		}
3966 	}
3967 }
3968 
3969 static void hci_sched_le(struct hci_dev *hdev)
3970 {
3971 	struct hci_chan *chan;
3972 	struct sk_buff *skb;
3973 	int quote, cnt, tmp;
3974 
3975 	BT_DBG("%s", hdev->name);
3976 
3977 	if (!hci_conn_num(hdev, LE_LINK))
3978 		return;
3979 
3980 	if (!test_bit(HCI_RAW, &hdev->flags)) {
3981 		/* LE tx timeout must be longer than maximum
3982 		 * link supervision timeout (40.9 seconds) */
3983 		if (!hdev->le_cnt && hdev->le_pkts &&
3984 		    time_after(jiffies, hdev->le_last_tx + HZ * 45))
3985 			hci_link_tx_to(hdev, LE_LINK);
3986 	}
3987 
3988 	cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3989 	tmp = cnt;
3990 	while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3991 		u32 priority = (skb_peek(&chan->data_q))->priority;
3992 		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3993 			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3994 			       skb->len, skb->priority);
3995 
3996 			/* Stop if priority has changed */
3997 			if (skb->priority < priority)
3998 				break;
3999 
4000 			skb = skb_dequeue(&chan->data_q);
4001 
4002 			hci_send_frame(hdev, skb);
4003 			hdev->le_last_tx = jiffies;
4004 
4005 			cnt--;
4006 			chan->sent++;
4007 			chan->conn->sent++;
4008 		}
4009 	}
4010 
4011 	if (hdev->le_pkts)
4012 		hdev->le_cnt = cnt;
4013 	else
4014 		hdev->acl_cnt = cnt;
4015 
4016 	if (cnt != tmp)
4017 		hci_prio_recalculate(hdev, LE_LINK);
4018 }
4019 
4020 static void hci_tx_work(struct work_struct *work)
4021 {
4022 	struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
4023 	struct sk_buff *skb;
4024 
4025 	BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
4026 	       hdev->sco_cnt, hdev->le_cnt);
4027 
4028 	if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
4029 		/* Schedule queues and send stuff to HCI driver */
4030 		hci_sched_acl(hdev);
4031 		hci_sched_sco(hdev);
4032 		hci_sched_esco(hdev);
4033 		hci_sched_le(hdev);
4034 	}
4035 
4036 	/* Send next queued raw (unknown type) packet */
4037 	while ((skb = skb_dequeue(&hdev->raw_q)))
4038 		hci_send_frame(hdev, skb);
4039 }
4040 
4041 /* ----- HCI RX task (incoming data processing) ----- */
4042 
4043 /* ACL data packet */
4044 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4045 {
4046 	struct hci_acl_hdr *hdr = (void *) skb->data;
4047 	struct hci_conn *conn;
4048 	__u16 handle, flags;
4049 
4050 	skb_pull(skb, HCI_ACL_HDR_SIZE);
4051 
4052 	handle = __le16_to_cpu(hdr->handle);
4053 	flags  = hci_flags(handle);
4054 	handle = hci_handle(handle);
4055 
4056 	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
4057 	       handle, flags);
4058 
4059 	hdev->stat.acl_rx++;
4060 
4061 	hci_dev_lock(hdev);
4062 	conn = hci_conn_hash_lookup_handle(hdev, handle);
4063 	hci_dev_unlock(hdev);
4064 
4065 	if (conn) {
4066 		hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
4067 
4068 		/* Send to upper protocol */
4069 		l2cap_recv_acldata(conn, skb, flags);
4070 		return;
4071 	} else {
4072 		BT_ERR("%s ACL packet for unknown connection handle %d",
4073 		       hdev->name, handle);
4074 	}
4075 
4076 	kfree_skb(skb);
4077 }
4078 
4079 /* SCO data packet */
4080 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4081 {
4082 	struct hci_sco_hdr *hdr = (void *) skb->data;
4083 	struct hci_conn *conn;
4084 	__u16 handle;
4085 
4086 	skb_pull(skb, HCI_SCO_HDR_SIZE);
4087 
4088 	handle = __le16_to_cpu(hdr->handle);
4089 
4090 	BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
4091 
4092 	hdev->stat.sco_rx++;
4093 
4094 	hci_dev_lock(hdev);
4095 	conn = hci_conn_hash_lookup_handle(hdev, handle);
4096 	hci_dev_unlock(hdev);
4097 
4098 	if (conn) {
4099 		/* Send to upper protocol */
4100 		sco_recv_scodata(conn, skb);
4101 		return;
4102 	} else {
4103 		BT_ERR("%s SCO packet for unknown connection handle %d",
4104 		       hdev->name, handle);
4105 	}
4106 
4107 	kfree_skb(skb);
4108 }
4109 
4110 static bool hci_req_is_complete(struct hci_dev *hdev)
4111 {
4112 	struct sk_buff *skb;
4113 
4114 	skb = skb_peek(&hdev->cmd_q);
4115 	if (!skb)
4116 		return true;
4117 
4118 	return bt_cb(skb)->req.start;
4119 }
4120 
4121 static void hci_resend_last(struct hci_dev *hdev)
4122 {
4123 	struct hci_command_hdr *sent;
4124 	struct sk_buff *skb;
4125 	u16 opcode;
4126 
4127 	if (!hdev->sent_cmd)
4128 		return;
4129 
4130 	sent = (void *) hdev->sent_cmd->data;
4131 	opcode = __le16_to_cpu(sent->opcode);
4132 	if (opcode == HCI_OP_RESET)
4133 		return;
4134 
4135 	skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4136 	if (!skb)
4137 		return;
4138 
4139 	skb_queue_head(&hdev->cmd_q, skb);
4140 	queue_work(hdev->workqueue, &hdev->cmd_work);
4141 }
4142 
4143 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
4144 {
4145 	hci_req_complete_t req_complete = NULL;
4146 	struct sk_buff *skb;
4147 	unsigned long flags;
4148 
4149 	BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
4150 
4151 	/* If the completed command doesn't match the last one that was
4152 	 * sent we need to do special handling of it.
4153 	 */
4154 	if (!hci_sent_cmd_data(hdev, opcode)) {
4155 		/* Some CSR based controllers generate a spontaneous
4156 		 * reset complete event during init and any pending
4157 		 * command will never be completed. In such a case we
4158 		 * need to resend whatever was the last sent
4159 		 * command.
4160 		 */
4161 		if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4162 			hci_resend_last(hdev);
4163 
4164 		return;
4165 	}
4166 
4167 	/* If the command succeeded and there's still more commands in
4168 	 * this request the request is not yet complete.
4169 	 */
4170 	if (!status && !hci_req_is_complete(hdev))
4171 		return;
4172 
4173 	/* If this was the last command in a request the complete
4174 	 * callback would be found in hdev->sent_cmd instead of the
4175 	 * command queue (hdev->cmd_q).
4176 	 */
4177 	if (hdev->sent_cmd) {
4178 		req_complete = bt_cb(hdev->sent_cmd)->req.complete;
4179 
4180 		if (req_complete) {
4181 			/* We must set the complete callback to NULL to
4182 			 * avoid calling the callback more than once if
4183 			 * this function gets called again.
4184 			 */
4185 			bt_cb(hdev->sent_cmd)->req.complete = NULL;
4186 
4187 			goto call_complete;
4188 		}
4189 	}
4190 
4191 	/* Remove all pending commands belonging to this request */
4192 	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4193 	while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4194 		if (bt_cb(skb)->req.start) {
4195 			__skb_queue_head(&hdev->cmd_q, skb);
4196 			break;
4197 		}
4198 
4199 		req_complete = bt_cb(skb)->req.complete;
4200 		kfree_skb(skb);
4201 	}
4202 	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4203 
4204 call_complete:
4205 	if (req_complete)
4206 		req_complete(hdev, status);
4207 }
4208 
4209 static void hci_rx_work(struct work_struct *work)
4210 {
4211 	struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4212 	struct sk_buff *skb;
4213 
4214 	BT_DBG("%s", hdev->name);
4215 
4216 	while ((skb = skb_dequeue(&hdev->rx_q))) {
4217 		/* Send copy to monitor */
4218 		hci_send_to_monitor(hdev, skb);
4219 
4220 		if (atomic_read(&hdev->promisc)) {
4221 			/* Send copy to the sockets */
4222 			hci_send_to_sock(hdev, skb);
4223 		}
4224 
4225 		if (test_bit(HCI_RAW, &hdev->flags) ||
4226 		    test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
4227 			kfree_skb(skb);
4228 			continue;
4229 		}
4230 
4231 		if (test_bit(HCI_INIT, &hdev->flags)) {
4232 			/* Don't process data packets in this states. */
4233 			switch (bt_cb(skb)->pkt_type) {
4234 			case HCI_ACLDATA_PKT:
4235 			case HCI_SCODATA_PKT:
4236 				kfree_skb(skb);
4237 				continue;
4238 			}
4239 		}
4240 
4241 		/* Process frame */
4242 		switch (bt_cb(skb)->pkt_type) {
4243 		case HCI_EVENT_PKT:
4244 			BT_DBG("%s Event packet", hdev->name);
4245 			hci_event_packet(hdev, skb);
4246 			break;
4247 
4248 		case HCI_ACLDATA_PKT:
4249 			BT_DBG("%s ACL data packet", hdev->name);
4250 			hci_acldata_packet(hdev, skb);
4251 			break;
4252 
4253 		case HCI_SCODATA_PKT:
4254 			BT_DBG("%s SCO data packet", hdev->name);
4255 			hci_scodata_packet(hdev, skb);
4256 			break;
4257 
4258 		default:
4259 			kfree_skb(skb);
4260 			break;
4261 		}
4262 	}
4263 }
4264 
4265 static void hci_cmd_work(struct work_struct *work)
4266 {
4267 	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4268 	struct sk_buff *skb;
4269 
4270 	BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4271 	       atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4272 
4273 	/* Send queued commands */
4274 	if (atomic_read(&hdev->cmd_cnt)) {
4275 		skb = skb_dequeue(&hdev->cmd_q);
4276 		if (!skb)
4277 			return;
4278 
4279 		kfree_skb(hdev->sent_cmd);
4280 
4281 		hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4282 		if (hdev->sent_cmd) {
4283 			atomic_dec(&hdev->cmd_cnt);
4284 			hci_send_frame(hdev, skb);
4285 			if (test_bit(HCI_RESET, &hdev->flags))
4286 				del_timer(&hdev->cmd_timer);
4287 			else
4288 				mod_timer(&hdev->cmd_timer,
4289 					  jiffies + HCI_CMD_TIMEOUT);
4290 		} else {
4291 			skb_queue_head(&hdev->cmd_q, skb);
4292 			queue_work(hdev->workqueue, &hdev->cmd_work);
4293 		}
4294 	}
4295 }
4296