1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (C) 2000-2001 Qualcomm Incorporated
4
   Copyright (C) 2011 ProFUSION Embedded Systems
5

6
   Written 2000,2001 by Maxim Krasnyansky <[email protected]>
7

8
   This program is free software; you can redistribute it and/or modify
9
   it under the terms of the GNU General Public License version 2 as
10
   published by the Free Software Foundation;
11

12
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20

21
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23
   SOFTWARE IS DISCLAIMED.
24
*/
25

26
/* Bluetooth HCI core. */
27

28
#include <linux/export.h>
29
#include <linux/rfkill.h>
30
#include <linux/debugfs.h>
31
#include <linux/crypto.h>
32
#include <linux/kcov.h>
33
#include <linux/property.h>
34
#include <linux/suspend.h>
35
#include <linux/wait.h>
36
#include <linux/unaligned.h>
37

38
#include <net/bluetooth/bluetooth.h>
39
#include <net/bluetooth/hci_core.h>
40
#include <net/bluetooth/l2cap.h>
41
#include <net/bluetooth/mgmt.h>
42

43
#include "hci_debugfs.h"
44
#include "smp.h"
45
#include "leds.h"
46
#include "msft.h"
47
#include "aosp.h"
48
#include "hci_codec.h"
49

50
static void hci_rx_work(struct work_struct *work);
51
static void hci_cmd_work(struct work_struct *work);
52
static void hci_tx_work(struct work_struct *work);
53

54
/* HCI device list */
55
LIST_HEAD(hci_dev_list);
56
DEFINE_RWLOCK(hci_dev_list_lock);
57

58
/* HCI callback list */
59
LIST_HEAD(hci_cb_list);
60
DEFINE_MUTEX(hci_cb_list_lock);
61

62
/* HCI ID Numbering */
63
static DEFINE_IDA(hci_index_ida);
64

65
/* Get HCI device by index.
66
 * Device is held on return. */
67
static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
68
{
69
	struct hci_dev *hdev = NULL, *d;
70

71
	BT_DBG("%d", index);
72

73
	if (index < 0)
74
		return NULL;
75

76
	read_lock(&hci_dev_list_lock);
77
	list_for_each_entry(d, &hci_dev_list, list) {
78
		if (d->id == index) {
79
			hdev = hci_dev_hold(d);
80
			if (srcu_index)
81
				*srcu_index = srcu_read_lock(&d->srcu);
82
			break;
83
		}
84
	}
85
	read_unlock(&hci_dev_list_lock);
86
	return hdev;
87
}
88

89
struct hci_dev *hci_dev_get(int index)
90
{
91
	return __hci_dev_get(index, NULL);
92
}
93

94
static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)
95
{
96
	return __hci_dev_get(index, srcu_index);
97
}
98

99
static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)
100
{
101
	srcu_read_unlock(&hdev->srcu, srcu_index);
102
	hci_dev_put(hdev);
103
}
104

105
/* ---- Inquiry support ---- */
106

107
bool hci_discovery_active(struct hci_dev *hdev)
108
{
109
	struct discovery_state *discov = &hdev->discovery;
110

111
	switch (discov->state) {
112
	case DISCOVERY_FINDING:
113
	case DISCOVERY_RESOLVING:
114
		return true;
115

116
	default:
117
		return false;
118
	}
119
}
120

121
void hci_discovery_set_state(struct hci_dev *hdev, int state)
122
{
123
	int old_state = hdev->discovery.state;
124

125
	if (old_state == state)
126
		return;
127

128
	hdev->discovery.state = state;
129

130
	switch (state) {
131
	case DISCOVERY_STOPPED:
132
		hci_update_passive_scan(hdev);
133

134
		if (old_state != DISCOVERY_STARTING)
135
			mgmt_discovering(hdev, 0);
136
		break;
137
	case DISCOVERY_STARTING:
138
		break;
139
	case DISCOVERY_FINDING:
140
		mgmt_discovering(hdev, 1);
141
		break;
142
	case DISCOVERY_RESOLVING:
143
		break;
144
	case DISCOVERY_STOPPING:
145
		break;
146
	}
147

148
	bt_dev_dbg(hdev, "state %u -> %u", old_state, state);
149
}
150

151
void hci_inquiry_cache_flush(struct hci_dev *hdev)
152
{
153
	struct discovery_state *cache = &hdev->discovery;
154
	struct inquiry_entry *p, *n;
155

156
	list_for_each_entry_safe(p, n, &cache->all, all) {
157
		list_del(&p->all);
158
		kfree(p);
159
	}
160

161
	INIT_LIST_HEAD(&cache->unknown);
162
	INIT_LIST_HEAD(&cache->resolve);
163
}
164

165
struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
166
					       bdaddr_t *bdaddr)
167
{
168
	struct discovery_state *cache = &hdev->discovery;
169
	struct inquiry_entry *e;
170

171
	BT_DBG("cache %p, %pMR", cache, bdaddr);
172

173
	list_for_each_entry(e, &cache->all, all) {
174
		if (!bacmp(&e->data.bdaddr, bdaddr))
175
			return e;
176
	}
177

178
	return NULL;
179
}
180

181
struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
182
						       bdaddr_t *bdaddr)
183
{
184
	struct discovery_state *cache = &hdev->discovery;
185
	struct inquiry_entry *e;
186

187
	BT_DBG("cache %p, %pMR", cache, bdaddr);
188

189
	list_for_each_entry(e, &cache->unknown, list) {
190
		if (!bacmp(&e->data.bdaddr, bdaddr))
191
			return e;
192
	}
193

194
	return NULL;
195
}
196

197
struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
198
						       bdaddr_t *bdaddr,
199
						       int state)
200
{
201
	struct discovery_state *cache = &hdev->discovery;
202
	struct inquiry_entry *e;
203

204
	BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
205

206
	list_for_each_entry(e, &cache->resolve, list) {
207
		if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
208
			return e;
209
		if (!bacmp(&e->data.bdaddr, bdaddr))
210
			return e;
211
	}
212

213
	return NULL;
214
}
215

216
void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
217
				      struct inquiry_entry *ie)
218
{
219
	struct discovery_state *cache = &hdev->discovery;
220
	struct list_head *pos = &cache->resolve;
221
	struct inquiry_entry *p;
222

223
	list_del(&ie->list);
224

225
	list_for_each_entry(p, &cache->resolve, list) {
226
		if (p->name_state != NAME_PENDING &&
227
		    abs(p->data.rssi) >= abs(ie->data.rssi))
228
			break;
229
		pos = &p->list;
230
	}
231

232
	list_add(&ie->list, pos);
233
}
234

235
u32 hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
236
			     bool name_known)
237
{
238
	struct discovery_state *cache = &hdev->discovery;
239
	struct inquiry_entry *ie;
240
	u32 flags = 0;
241

242
	BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
243

244
	hci_remove_remote_oob_data(hdev, &data->bdaddr, BDADDR_BREDR);
245

246
	if (!data->ssp_mode)
247
		flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
248

249
	ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
250
	if (ie) {
251
		if (!ie->data.ssp_mode)
252
			flags |= MGMT_DEV_FOUND_LEGACY_PAIRING;
253

254
		if (ie->name_state == NAME_NEEDED &&
255
		    data->rssi != ie->data.rssi) {
256
			ie->data.rssi = data->rssi;
257
			hci_inquiry_cache_update_resolve(hdev, ie);
258
		}
259

260
		goto update;
261
	}
262

263
	/* Entry not in the cache. Add new one. */
264
	ie = kzalloc(sizeof(*ie), GFP_KERNEL);
265
	if (!ie) {
266
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
267
		goto done;
268
	}
269

270
	list_add(&ie->all, &cache->all);
271

272
	if (name_known) {
273
		ie->name_state = NAME_KNOWN;
274
	} else {
275
		ie->name_state = NAME_NOT_KNOWN;
276
		list_add(&ie->list, &cache->unknown);
277
	}
278

279
update:
280
	if (name_known && ie->name_state != NAME_KNOWN &&
281
	    ie->name_state != NAME_PENDING) {
282
		ie->name_state = NAME_KNOWN;
283
		list_del(&ie->list);
284
	}
285

286
	memcpy(&ie->data, data, sizeof(*data));
287
	ie->timestamp = jiffies;
288
	cache->timestamp = jiffies;
289

290
	if (ie->name_state == NAME_NOT_KNOWN)
291
		flags |= MGMT_DEV_FOUND_CONFIRM_NAME;
292

293
done:
294
	return flags;
295
}
296

297
static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
298
{
299
	struct discovery_state *cache = &hdev->discovery;
300
	struct inquiry_info *info = (struct inquiry_info *) buf;
301
	struct inquiry_entry *e;
302
	int copied = 0;
303

304
	list_for_each_entry(e, &cache->all, all) {
305
		struct inquiry_data *data = &e->data;
306

307
		if (copied >= num)
308
			break;
309

310
		bacpy(&info->bdaddr, &data->bdaddr);
311
		info->pscan_rep_mode	= data->pscan_rep_mode;
312
		info->pscan_period_mode	= data->pscan_period_mode;
313
		info->pscan_mode	= data->pscan_mode;
314
		memcpy(info->dev_class, data->dev_class, 3);
315
		info->clock_offset	= data->clock_offset;
316

317
		info++;
318
		copied++;
319
	}
320

321
	BT_DBG("cache %p, copied %d", cache, copied);
322
	return copied;
323
}
324

325
int hci_inquiry(void __user *arg)
326
{
327
	__u8 __user *ptr = arg;
328
	struct hci_inquiry_req ir;
329
	struct hci_dev *hdev;
330
	int err = 0, do_inquiry = 0, max_rsp;
331
	__u8 *buf;
332

333
	if (copy_from_user(&ir, ptr, sizeof(ir)))
334
		return -EFAULT;
335

336
	hdev = hci_dev_get(ir.dev_id);
337
	if (!hdev)
338
		return -ENODEV;
339

340
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
341
		err = -EBUSY;
342
		goto done;
343
	}
344

345
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
346
		err = -EOPNOTSUPP;
347
		goto done;
348
	}
349

350
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
351
		err = -EOPNOTSUPP;
352
		goto done;
353
	}
354

355
	/* Restrict maximum inquiry length to 60 seconds */
356
	if (ir.length > 60) {
357
		err = -EINVAL;
358
		goto done;
359
	}
360

361
	hci_dev_lock(hdev);
362
	if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
363
	    inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
364
		hci_inquiry_cache_flush(hdev);
365
		do_inquiry = 1;
366
	}
367
	hci_dev_unlock(hdev);
368

369
	if (do_inquiry) {
370
		hci_req_sync_lock(hdev);
371
		err = hci_inquiry_sync(hdev, ir.length, ir.num_rsp);
372
		hci_req_sync_unlock(hdev);
373

374
		if (err < 0)
375
			goto done;
376

377
		/* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
378
		 * cleared). If it is interrupted by a signal, return -EINTR.
379
		 */
380
		if (wait_on_bit(&hdev->flags, HCI_INQUIRY,
381
				TASK_INTERRUPTIBLE)) {
382
			err = -EINTR;
383
			goto done;
384
		}
385
	}
386

387
	/* for unlimited number of responses we will use buffer with
388
	 * 255 entries
389
	 */
390
	max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
391

392
	/* cache_dump can't sleep. Therefore we allocate temp buffer and then
393
	 * copy it to the user space.
394
	 */
395
	buf = kmalloc_array(max_rsp, sizeof(struct inquiry_info), GFP_KERNEL);
396
	if (!buf) {
397
		err = -ENOMEM;
398
		goto done;
399
	}
400

401
	hci_dev_lock(hdev);
402
	ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
403
	hci_dev_unlock(hdev);
404

405
	BT_DBG("num_rsp %d", ir.num_rsp);
406

407
	if (!copy_to_user(ptr, &ir, sizeof(ir))) {
408
		ptr += sizeof(ir);
409
		if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
410
				 ir.num_rsp))
411
			err = -EFAULT;
412
	} else
413
		err = -EFAULT;
414

415
	kfree(buf);
416

417
done:
418
	hci_dev_put(hdev);
419
	return err;
420
}
421

422
static int hci_dev_do_open(struct hci_dev *hdev)
423
{
424
	int ret = 0;
425

426
	BT_DBG("%s %p", hdev->name, hdev);
427

428
	hci_req_sync_lock(hdev);
429

430
	ret = hci_dev_open_sync(hdev);
431

432
	hci_req_sync_unlock(hdev);
433
	return ret;
434
}
435

436
/* ---- HCI ioctl helpers ---- */
437

438
int hci_dev_open(__u16 dev)
439
{
440
	struct hci_dev *hdev;
441
	int err;
442

443
	hdev = hci_dev_get(dev);
444
	if (!hdev)
445
		return -ENODEV;
446

447
	/* Devices that are marked as unconfigured can only be powered
448
	 * up as user channel. Trying to bring them up as normal devices
449
	 * will result into a failure. Only user channel operation is
450
	 * possible.
451
	 *
452
	 * When this function is called for a user channel, the flag
453
	 * HCI_USER_CHANNEL will be set first before attempting to
454
	 * open the device.
455
	 */
456
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
457
	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
458
		err = -EOPNOTSUPP;
459
		goto done;
460
	}
461

462
	/* We need to ensure that no other power on/off work is pending
463
	 * before proceeding to call hci_dev_do_open. This is
464
	 * particularly important if the setup procedure has not yet
465
	 * completed.
466
	 */
467
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
468
		cancel_delayed_work(&hdev->power_off);
469

470
	/* After this call it is guaranteed that the setup procedure
471
	 * has finished. This means that error conditions like RFKILL
472
	 * or no valid public or static random address apply.
473
	 */
474
	flush_workqueue(hdev->req_workqueue);
475

476
	/* For controllers not using the management interface and that
477
	 * are brought up using legacy ioctl, set the HCI_BONDABLE bit
478
	 * so that pairing works for them. Once the management interface
479
	 * is in use this bit will be cleared again and userspace has
480
	 * to explicitly enable it.
481
	 */
482
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
483
	    !hci_dev_test_flag(hdev, HCI_MGMT))
484
		hci_dev_set_flag(hdev, HCI_BONDABLE);
485

486
	err = hci_dev_do_open(hdev);
487

488
done:
489
	hci_dev_put(hdev);
490
	return err;
491
}
492

493
int hci_dev_do_close(struct hci_dev *hdev)
494
{
495
	int err;
496

497
	BT_DBG("%s %p", hdev->name, hdev);
498

499
	hci_req_sync_lock(hdev);
500

501
	err = hci_dev_close_sync(hdev);
502

503
	hci_req_sync_unlock(hdev);
504

505
	return err;
506
}
507

508
int hci_dev_close(__u16 dev)
509
{
510
	struct hci_dev *hdev;
511
	int err;
512

513
	hdev = hci_dev_get(dev);
514
	if (!hdev)
515
		return -ENODEV;
516

517
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
518
		err = -EBUSY;
519
		goto done;
520
	}
521

522
	cancel_work_sync(&hdev->power_on);
523
	if (hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF))
524
		cancel_delayed_work(&hdev->power_off);
525

526
	err = hci_dev_do_close(hdev);
527

528
done:
529
	hci_dev_put(hdev);
530
	return err;
531
}
532

533
static int hci_dev_do_reset(struct hci_dev *hdev)
534
{
535
	int ret;
536

537
	BT_DBG("%s %p", hdev->name, hdev);
538

539
	hci_req_sync_lock(hdev);
540

541
	/* Drop queues */
542
	skb_queue_purge(&hdev->rx_q);
543
	skb_queue_purge(&hdev->cmd_q);
544

545
	/* Cancel these to avoid queueing non-chained pending work */
546
	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
547
	/* Wait for
548
	 *
549
	 *    if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
550
	 *        queue_delayed_work(&hdev->{cmd,ncmd}_timer)
551
	 *
552
	 * inside RCU section to see the flag or complete scheduling.
553
	 */
554
	synchronize_rcu();
555
	/* Explicitly cancel works in case scheduled after setting the flag. */
556
	cancel_delayed_work(&hdev->cmd_timer);
557
	cancel_delayed_work(&hdev->ncmd_timer);
558

559
	/* Avoid potential lockdep warnings from the *_flush() calls by
560
	 * ensuring the workqueue is empty up front.
561
	 */
562
	drain_workqueue(hdev->workqueue);
563

564
	hci_dev_lock(hdev);
565
	hci_inquiry_cache_flush(hdev);
566
	hci_conn_hash_flush(hdev);
567
	hci_dev_unlock(hdev);
568

569
	if (hdev->flush)
570
		hdev->flush(hdev);
571

572
	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
573

574
	atomic_set(&hdev->cmd_cnt, 1);
575
	hdev->acl_cnt = 0;
576
	hdev->sco_cnt = 0;
577
	hdev->le_cnt = 0;
578
	hdev->iso_cnt = 0;
579

580
	ret = hci_reset_sync(hdev);
581

582
	hci_req_sync_unlock(hdev);
583
	return ret;
584
}
585

586
int hci_dev_reset(__u16 dev)
587
{
588
	struct hci_dev *hdev;
589
	int err, srcu_index;
590

591
	hdev = hci_dev_get_srcu(dev, &srcu_index);
592
	if (!hdev)
593
		return -ENODEV;
594

595
	if (!test_bit(HCI_UP, &hdev->flags)) {
596
		err = -ENETDOWN;
597
		goto done;
598
	}
599

600
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
601
		err = -EBUSY;
602
		goto done;
603
	}
604

605
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
606
		err = -EOPNOTSUPP;
607
		goto done;
608
	}
609

610
	err = hci_dev_do_reset(hdev);
611

612
done:
613
	hci_dev_put_srcu(hdev, srcu_index);
614
	return err;
615
}
616

617
int hci_dev_reset_stat(__u16 dev)
618
{
619
	struct hci_dev *hdev;
620
	int ret = 0;
621

622
	hdev = hci_dev_get(dev);
623
	if (!hdev)
624
		return -ENODEV;
625

626
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
627
		ret = -EBUSY;
628
		goto done;
629
	}
630

631
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
632
		ret = -EOPNOTSUPP;
633
		goto done;
634
	}
635

636
	memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
637

638
done:
639
	hci_dev_put(hdev);
640
	return ret;
641
}
642

643
static void hci_update_passive_scan_state(struct hci_dev *hdev, u8 scan)
644
{
645
	bool conn_changed, discov_changed;
646

647
	BT_DBG("%s scan 0x%02x", hdev->name, scan);
648

649
	if ((scan & SCAN_PAGE))
650
		conn_changed = !hci_dev_test_and_set_flag(hdev,
651
							  HCI_CONNECTABLE);
652
	else
653
		conn_changed = hci_dev_test_and_clear_flag(hdev,
654
							   HCI_CONNECTABLE);
655

656
	if ((scan & SCAN_INQUIRY)) {
657
		discov_changed = !hci_dev_test_and_set_flag(hdev,
658
							    HCI_DISCOVERABLE);
659
	} else {
660
		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
661
		discov_changed = hci_dev_test_and_clear_flag(hdev,
662
							     HCI_DISCOVERABLE);
663
	}
664

665
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
666
		return;
667

668
	if (conn_changed || discov_changed) {
669
		/* In case this was disabled through mgmt */
670
		hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
671

672
		if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
673
			hci_update_adv_data(hdev, hdev->cur_adv_instance);
674

675
		mgmt_new_settings(hdev);
676
	}
677
}
678

679
int hci_dev_cmd(unsigned int cmd, void __user *arg)
680
{
681
	struct hci_dev *hdev;
682
	struct hci_dev_req dr;
683
	__le16 policy;
684
	int err = 0;
685

686
	if (copy_from_user(&dr, arg, sizeof(dr)))
687
		return -EFAULT;
688

689
	hdev = hci_dev_get(dr.dev_id);
690
	if (!hdev)
691
		return -ENODEV;
692

693
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
694
		err = -EBUSY;
695
		goto done;
696
	}
697

698
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
699
		err = -EOPNOTSUPP;
700
		goto done;
701
	}
702

703
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
704
		err = -EOPNOTSUPP;
705
		goto done;
706
	}
707

708
	switch (cmd) {
709
	case HCISETAUTH:
710
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
711
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
712
		break;
713

714
	case HCISETENCRYPT:
715
		if (!lmp_encrypt_capable(hdev)) {
716
			err = -EOPNOTSUPP;
717
			break;
718
		}
719

720
		if (!test_bit(HCI_AUTH, &hdev->flags)) {
721
			/* Auth must be enabled first */
722
			err = hci_cmd_sync_status(hdev,
723
						  HCI_OP_WRITE_AUTH_ENABLE,
724
						  1, &dr.dev_opt,
725
						  HCI_CMD_TIMEOUT);
726
			if (err)
727
				break;
728
		}
729

730
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_ENCRYPT_MODE,
731
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
732
		break;
733

734
	case HCISETSCAN:
735
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
736
					  1, &dr.dev_opt, HCI_CMD_TIMEOUT);
737

738
		/* Ensure that the connectable and discoverable states
739
		 * get correctly modified as this was a non-mgmt change.
740
		 */
741
		if (!err)
742
			hci_update_passive_scan_state(hdev, dr.dev_opt);
743
		break;
744

745
	case HCISETLINKPOL:
746
		policy = cpu_to_le16(dr.dev_opt);
747

748
		err = hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
749
					  2, &policy, HCI_CMD_TIMEOUT);
750
		break;
751

752
	case HCISETLINKMODE:
753
		hdev->link_mode = ((__u16) dr.dev_opt) &
754
					(HCI_LM_MASTER | HCI_LM_ACCEPT);
755
		break;
756

757
	case HCISETPTYPE:
758
		if (hdev->pkt_type == (__u16) dr.dev_opt)
759
			break;
760

761
		hdev->pkt_type = (__u16) dr.dev_opt;
762
		mgmt_phy_configuration_changed(hdev, NULL);
763
		break;
764

765
	case HCISETACLMTU:
766
		hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
767
		hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
768
		break;
769

770
	case HCISETSCOMTU:
771
		hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
772
		hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
773
		break;
774

775
	default:
776
		err = -EINVAL;
777
		break;
778
	}
779

780
done:
781
	hci_dev_put(hdev);
782
	return err;
783
}
784

785
int hci_get_dev_list(void __user *arg)
786
{
787
	struct hci_dev *hdev;
788
	struct hci_dev_list_req *dl;
789
	struct hci_dev_req *dr;
790
	int n = 0, err;
791
	__u16 dev_num;
792

793
	if (get_user(dev_num, (__u16 __user *) arg))
794
		return -EFAULT;
795

796
	if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
797
		return -EINVAL;
798

799
	dl = kzalloc(struct_size(dl, dev_req, dev_num), GFP_KERNEL);
800
	if (!dl)
801
		return -ENOMEM;
802

803
	dl->dev_num = dev_num;
804
	dr = dl->dev_req;
805

806
	read_lock(&hci_dev_list_lock);
807
	list_for_each_entry(hdev, &hci_dev_list, list) {
808
		unsigned long flags = hdev->flags;
809

810
		/* When the auto-off is configured it means the transport
811
		 * is running, but in that case still indicate that the
812
		 * device is actually down.
813
		 */
814
		if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
815
			flags &= ~BIT(HCI_UP);
816

817
		dr[n].dev_id  = hdev->id;
818
		dr[n].dev_opt = flags;
819

820
		if (++n >= dev_num)
821
			break;
822
	}
823
	read_unlock(&hci_dev_list_lock);
824

825
	dl->dev_num = n;
826
	err = copy_to_user(arg, dl, struct_size(dl, dev_req, n));
827
	kfree(dl);
828

829
	return err ? -EFAULT : 0;
830
}
831

832
int hci_get_dev_info(void __user *arg)
833
{
834
	struct hci_dev *hdev;
835
	struct hci_dev_info di;
836
	unsigned long flags;
837
	int err = 0;
838

839
	if (copy_from_user(&di, arg, sizeof(di)))
840
		return -EFAULT;
841

842
	hdev = hci_dev_get(di.dev_id);
843
	if (!hdev)
844
		return -ENODEV;
845

846
	/* When the auto-off is configured it means the transport
847
	 * is running, but in that case still indicate that the
848
	 * device is actually down.
849
	 */
850
	if (hci_dev_test_flag(hdev, HCI_AUTO_OFF))
851
		flags = hdev->flags & ~BIT(HCI_UP);
852
	else
853
		flags = hdev->flags;
854

855
	strscpy(di.name, hdev->name, sizeof(di.name));
856
	di.bdaddr   = hdev->bdaddr;
857
	di.type     = (hdev->bus & 0x0f);
858
	di.flags    = flags;
859
	di.pkt_type = hdev->pkt_type;
860
	if (lmp_bredr_capable(hdev)) {
861
		di.acl_mtu  = hdev->acl_mtu;
862
		di.acl_pkts = hdev->acl_pkts;
863
		di.sco_mtu  = hdev->sco_mtu;
864
		di.sco_pkts = hdev->sco_pkts;
865
	} else {
866
		di.acl_mtu  = hdev->le_mtu;
867
		di.acl_pkts = hdev->le_pkts;
868
		di.sco_mtu  = 0;
869
		di.sco_pkts = 0;
870
	}
871
	di.link_policy = hdev->link_policy;
872
	di.link_mode   = hdev->link_mode;
873

874
	memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
875
	memcpy(&di.features, &hdev->features, sizeof(di.features));
876

877
	if (copy_to_user(arg, &di, sizeof(di)))
878
		err = -EFAULT;
879

880
	hci_dev_put(hdev);
881

882
	return err;
883
}
884

885
/* ---- Interface to HCI drivers ---- */
886

887
static int hci_dev_do_poweroff(struct hci_dev *hdev)
888
{
889
	int err;
890

891
	BT_DBG("%s %p", hdev->name, hdev);
892

893
	hci_req_sync_lock(hdev);
894

895
	err = hci_set_powered_sync(hdev, false);
896

897
	hci_req_sync_unlock(hdev);
898

899
	return err;
900
}
901

902
static int hci_rfkill_set_block(void *data, bool blocked)
903
{
904
	struct hci_dev *hdev = data;
905
	int err;
906

907
	BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
908

909
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
910
		return -EBUSY;
911

912
	if (blocked == hci_dev_test_flag(hdev, HCI_RFKILLED))
913
		return 0;
914

915
	if (blocked) {
916
		hci_dev_set_flag(hdev, HCI_RFKILLED);
917

918
		if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
919
		    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
920
			err = hci_dev_do_poweroff(hdev);
921
			if (err) {
922
				bt_dev_err(hdev, "Error when powering off device on rfkill (%d)",
923
					   err);
924

925
				/* Make sure the device is still closed even if
926
				 * anything during power off sequence (eg.
927
				 * disconnecting devices) failed.
928
				 */
929
				hci_dev_do_close(hdev);
930
			}
931
		}
932
	} else {
933
		hci_dev_clear_flag(hdev, HCI_RFKILLED);
934
	}
935

936
	return 0;
937
}
938

939
static const struct rfkill_ops hci_rfkill_ops = {
940
	.set_block = hci_rfkill_set_block,
941
};
942

943
static void hci_power_on(struct work_struct *work)
944
{
945
	struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
946
	int err;
947

948
	BT_DBG("%s", hdev->name);
949

950
	if (test_bit(HCI_UP, &hdev->flags) &&
951
	    hci_dev_test_flag(hdev, HCI_MGMT) &&
952
	    hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
953
		cancel_delayed_work(&hdev->power_off);
954
		err = hci_powered_update_sync(hdev);
955
		mgmt_power_on(hdev, err);
956
		return;
957
	}
958

959
	err = hci_dev_do_open(hdev);
960
	if (err < 0) {
961
		hci_dev_lock(hdev);
962
		mgmt_set_powered_failed(hdev, err);
963
		hci_dev_unlock(hdev);
964
		return;
965
	}
966

967
	/* During the HCI setup phase, a few error conditions are
968
	 * ignored and they need to be checked now. If they are still
969
	 * valid, it is important to turn the device back off.
970
	 */
971
	if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
972
	    hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
973
	    (!bacmp(&hdev->bdaddr, BDADDR_ANY) &&
974
	     !bacmp(&hdev->static_addr, BDADDR_ANY))) {
975
		hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
976
		hci_dev_do_close(hdev);
977
	} else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
978
		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
979
				   HCI_AUTO_OFF_TIMEOUT);
980
	}
981

982
	if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
983
		/* For unconfigured devices, set the HCI_RAW flag
984
		 * so that userspace can easily identify them.
985
		 */
986
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
987
			set_bit(HCI_RAW, &hdev->flags);
988

989
		/* For fully configured devices, this will send
990
		 * the Index Added event. For unconfigured devices,
991
		 * it will send Unconfigued Index Added event.
992
		 *
993
		 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
994
		 * and no event will be send.
995
		 */
996
		mgmt_index_added(hdev);
997
	} else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
998
		/* When the controller is now configured, then it
999
		 * is important to clear the HCI_RAW flag.
1000
		 */
1001
		if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
1002
			clear_bit(HCI_RAW, &hdev->flags);
1003

1004
		/* Powering on the controller with HCI_CONFIG set only
1005
		 * happens with the transition from unconfigured to
1006
		 * configured. This will send the Index Added event.
1007
		 */
1008
		mgmt_index_added(hdev);
1009
	}
1010
}
1011

1012
static void hci_power_off(struct work_struct *work)
1013
{
1014
	struct hci_dev *hdev = container_of(work, struct hci_dev,
1015
					    power_off.work);
1016

1017
	BT_DBG("%s", hdev->name);
1018

1019
	hci_dev_do_close(hdev);
1020
}
1021

1022
static void hci_error_reset(struct work_struct *work)
1023
{
1024
	struct hci_dev *hdev = container_of(work, struct hci_dev, error_reset);
1025

1026
	hci_dev_hold(hdev);
1027
	BT_DBG("%s", hdev->name);
1028

1029
	if (hdev->hw_error)
1030
		hdev->hw_error(hdev, hdev->hw_error_code);
1031
	else
1032
		bt_dev_err(hdev, "hardware error 0x%2.2x", hdev->hw_error_code);
1033

1034
	if (!hci_dev_do_close(hdev))
1035
		hci_dev_do_open(hdev);
1036

1037
	hci_dev_put(hdev);
1038
}
1039

1040
void hci_uuids_clear(struct hci_dev *hdev)
1041
{
1042
	struct bt_uuid *uuid, *tmp;
1043

1044
	list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1045
		list_del(&uuid->list);
1046
		kfree(uuid);
1047
	}
1048
}
1049

1050
void hci_link_keys_clear(struct hci_dev *hdev)
1051
{
1052
	struct link_key *key, *tmp;
1053

1054
	list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
1055
		list_del_rcu(&key->list);
1056
		kfree_rcu(key, rcu);
1057
	}
1058
}
1059

1060
void hci_smp_ltks_clear(struct hci_dev *hdev)
1061
{
1062
	struct smp_ltk *k, *tmp;
1063

1064
	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1065
		list_del_rcu(&k->list);
1066
		kfree_rcu(k, rcu);
1067
	}
1068
}
1069

1070
void hci_smp_irks_clear(struct hci_dev *hdev)
1071
{
1072
	struct smp_irk *k, *tmp;
1073

1074
	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
1075
		list_del_rcu(&k->list);
1076
		kfree_rcu(k, rcu);
1077
	}
1078
}
1079

1080
void hci_blocked_keys_clear(struct hci_dev *hdev)
1081
{
1082
	struct blocked_key *b, *tmp;
1083

1084
	list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
1085
		list_del_rcu(&b->list);
1086
		kfree_rcu(b, rcu);
1087
	}
1088
}
1089

1090
bool hci_is_blocked_key(struct hci_dev *hdev, u8 type, u8 val[16])
1091
{
1092
	bool blocked = false;
1093
	struct blocked_key *b;
1094

1095
	rcu_read_lock();
1096
	list_for_each_entry_rcu(b, &hdev->blocked_keys, list) {
1097
		if (b->type == type && !memcmp(b->val, val, sizeof(b->val))) {
1098
			blocked = true;
1099
			break;
1100
		}
1101
	}
1102

1103
	rcu_read_unlock();
1104
	return blocked;
1105
}
1106

1107
struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1108
{
1109
	struct link_key *k;
1110

1111
	rcu_read_lock();
1112
	list_for_each_entry_rcu(k, &hdev->link_keys, list) {
1113
		if (bacmp(bdaddr, &k->bdaddr) == 0) {
1114
			rcu_read_unlock();
1115

1116
			if (hci_is_blocked_key(hdev,
1117
					       HCI_BLOCKED_KEY_TYPE_LINKKEY,
1118
					       k->val)) {
1119
				bt_dev_warn_ratelimited(hdev,
1120
							"Link key blocked for %pMR",
1121
							&k->bdaddr);
1122
				return NULL;
1123
			}
1124

1125
			return k;
1126
		}
1127
	}
1128
	rcu_read_unlock();
1129

1130
	return NULL;
1131
}
1132

1133
static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1134
			       u8 key_type, u8 old_key_type)
1135
{
1136
	/* Legacy key */
1137
	if (key_type < 0x03)
1138
		return true;
1139

1140
	/* Debug keys are insecure so don't store them persistently */
1141
	if (key_type == HCI_LK_DEBUG_COMBINATION)
1142
		return false;
1143

1144
	/* Changed combination key and there's no previous one */
1145
	if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1146
		return false;
1147

1148
	/* Security mode 3 case */
1149
	if (!conn)
1150
		return true;
1151

1152
	/* BR/EDR key derived using SC from an LE link */
1153
	if (conn->type == LE_LINK)
1154
		return true;
1155

1156
	/* Neither local nor remote side had no-bonding as requirement */
1157
	if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1158
		return true;
1159

1160
	/* Local side had dedicated bonding as requirement */
1161
	if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1162
		return true;
1163

1164
	/* Remote side had dedicated bonding as requirement */
1165
	if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1166
		return true;
1167

1168
	/* If none of the above criteria match, then don't store the key
1169
	 * persistently */
1170
	return false;
1171
}
1172

1173
static u8 ltk_role(u8 type)
1174
{
1175
	if (type == SMP_LTK)
1176
		return HCI_ROLE_MASTER;
1177

1178
	return HCI_ROLE_SLAVE;
1179
}
1180

1181
struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1182
			     u8 addr_type, u8 role)
1183
{
1184
	struct smp_ltk *k;
1185

1186
	rcu_read_lock();
1187
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
1188
		if (addr_type != k->bdaddr_type || bacmp(bdaddr, &k->bdaddr))
1189
			continue;
1190

1191
		if (smp_ltk_is_sc(k) || ltk_role(k->type) == role) {
1192
			rcu_read_unlock();
1193

1194
			if (hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_LTK,
1195
					       k->val)) {
1196
				bt_dev_warn_ratelimited(hdev,
1197
							"LTK blocked for %pMR",
1198
							&k->bdaddr);
1199
				return NULL;
1200
			}
1201

1202
			return k;
1203
		}
1204
	}
1205
	rcu_read_unlock();
1206

1207
	return NULL;
1208
}
1209

1210
struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
1211
{
1212
	struct smp_irk *irk_to_return = NULL;
1213
	struct smp_irk *irk;
1214

1215
	rcu_read_lock();
1216
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1217
		if (!bacmp(&irk->rpa, rpa)) {
1218
			irk_to_return = irk;
1219
			goto done;
1220
		}
1221
	}
1222

1223
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1224
		if (smp_irk_matches(hdev, irk->val, rpa)) {
1225
			bacpy(&irk->rpa, rpa);
1226
			irk_to_return = irk;
1227
			goto done;
1228
		}
1229
	}
1230

1231
done:
1232
	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
1233
						irk_to_return->val)) {
1234
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
1235
					&irk_to_return->bdaddr);
1236
		irk_to_return = NULL;
1237
	}
1238

1239
	rcu_read_unlock();
1240

1241
	return irk_to_return;
1242
}
1243

1244
struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1245
				     u8 addr_type)
1246
{
1247
	struct smp_irk *irk_to_return = NULL;
1248
	struct smp_irk *irk;
1249

1250
	/* Identity Address must be public or static random */
1251
	if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
1252
		return NULL;
1253

1254
	rcu_read_lock();
1255
	list_for_each_entry_rcu(irk, &hdev->identity_resolving_keys, list) {
1256
		if (addr_type == irk->addr_type &&
1257
		    bacmp(bdaddr, &irk->bdaddr) == 0) {
1258
			irk_to_return = irk;
1259
			break;
1260
		}
1261
	}
1262

1263
	if (irk_to_return && hci_is_blocked_key(hdev, HCI_BLOCKED_KEY_TYPE_IRK,
1264
						irk_to_return->val)) {
1265
		bt_dev_warn_ratelimited(hdev, "Identity key blocked for %pMR",
1266
					&irk_to_return->bdaddr);
1267
		irk_to_return = NULL;
1268
	}
1269

1270
	rcu_read_unlock();
1271

1272
	return irk_to_return;
1273
}
1274

1275
struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
1276
				  bdaddr_t *bdaddr, u8 *val, u8 type,
1277
				  u8 pin_len, bool *persistent)
1278
{
1279
	struct link_key *key, *old_key;
1280
	u8 old_key_type;
1281

1282
	old_key = hci_find_link_key(hdev, bdaddr);
1283
	if (old_key) {
1284
		old_key_type = old_key->type;
1285
		key = old_key;
1286
	} else {
1287
		old_key_type = conn ? conn->key_type : 0xff;
1288
		key = kzalloc(sizeof(*key), GFP_KERNEL);
1289
		if (!key)
1290
			return NULL;
1291
		list_add_rcu(&key->list, &hdev->link_keys);
1292
	}
1293

1294
	BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1295

1296
	/* Some buggy controller combinations generate a changed
1297
	 * combination key for legacy pairing even when there's no
1298
	 * previous key */
1299
	if (type == HCI_LK_CHANGED_COMBINATION &&
1300
	    (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1301
		type = HCI_LK_COMBINATION;
1302
		if (conn)
1303
			conn->key_type = type;
1304
	}
1305

1306
	bacpy(&key->bdaddr, bdaddr);
1307
	memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1308
	key->pin_len = pin_len;
1309

1310
	if (type == HCI_LK_CHANGED_COMBINATION)
1311
		key->type = old_key_type;
1312
	else
1313
		key->type = type;
1314

1315
	if (persistent)
1316
		*persistent = hci_persistent_key(hdev, conn, type,
1317
						 old_key_type);
1318

1319
	return key;
1320
}
1321

1322
struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1323
			    u8 addr_type, u8 type, u8 authenticated,
1324
			    u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
1325
{
1326
	struct smp_ltk *key, *old_key;
1327
	u8 role = ltk_role(type);
1328

1329
	old_key = hci_find_ltk(hdev, bdaddr, addr_type, role);
1330
	if (old_key)
1331
		key = old_key;
1332
	else {
1333
		key = kzalloc(sizeof(*key), GFP_KERNEL);
1334
		if (!key)
1335
			return NULL;
1336
		list_add_rcu(&key->list, &hdev->long_term_keys);
1337
	}
1338

1339
	bacpy(&key->bdaddr, bdaddr);
1340
	key->bdaddr_type = addr_type;
1341
	memcpy(key->val, tk, sizeof(key->val));
1342
	key->authenticated = authenticated;
1343
	key->ediv = ediv;
1344
	key->rand = rand;
1345
	key->enc_size = enc_size;
1346
	key->type = type;
1347

1348
	return key;
1349
}
1350

1351
struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
1352
			    u8 addr_type, u8 val[16], bdaddr_t *rpa)
1353
{
1354
	struct smp_irk *irk;
1355

1356
	irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
1357
	if (!irk) {
1358
		irk = kzalloc(sizeof(*irk), GFP_KERNEL);
1359
		if (!irk)
1360
			return NULL;
1361

1362
		bacpy(&irk->bdaddr, bdaddr);
1363
		irk->addr_type = addr_type;
1364

1365
		list_add_rcu(&irk->list, &hdev->identity_resolving_keys);
1366
	}
1367

1368
	memcpy(irk->val, val, 16);
1369
	bacpy(&irk->rpa, rpa);
1370

1371
	return irk;
1372
}
1373

1374
int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1375
{
1376
	struct link_key *key;
1377

1378
	key = hci_find_link_key(hdev, bdaddr);
1379
	if (!key)
1380
		return -ENOENT;
1381

1382
	BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1383

1384
	list_del_rcu(&key->list);
1385
	kfree_rcu(key, rcu);
1386

1387
	return 0;
1388
}
1389

1390
int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
1391
{
1392
	struct smp_ltk *k, *tmp;
1393
	int removed = 0;
1394

1395
	list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1396
		if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
1397
			continue;
1398

1399
		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1400

1401
		list_del_rcu(&k->list);
1402
		kfree_rcu(k, rcu);
1403
		removed++;
1404
	}
1405

1406
	return removed ? 0 : -ENOENT;
1407
}
1408

1409
void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
1410
{
1411
	struct smp_irk *k, *tmp;
1412

1413
	list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
1414
		if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
1415
			continue;
1416

1417
		BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1418

1419
		list_del_rcu(&k->list);
1420
		kfree_rcu(k, rcu);
1421
	}
1422
}
1423

1424
bool hci_bdaddr_is_paired(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1425
{
1426
	struct smp_ltk *k;
1427
	struct smp_irk *irk;
1428
	u8 addr_type;
1429

1430
	if (type == BDADDR_BREDR) {
1431
		if (hci_find_link_key(hdev, bdaddr))
1432
			return true;
1433
		return false;
1434
	}
1435

1436
	/* Convert to HCI addr type which struct smp_ltk uses */
1437
	if (type == BDADDR_LE_PUBLIC)
1438
		addr_type = ADDR_LE_DEV_PUBLIC;
1439
	else
1440
		addr_type = ADDR_LE_DEV_RANDOM;
1441

1442
	irk = hci_get_irk(hdev, bdaddr, addr_type);
1443
	if (irk) {
1444
		bdaddr = &irk->bdaddr;
1445
		addr_type = irk->addr_type;
1446
	}
1447

1448
	rcu_read_lock();
1449
	list_for_each_entry_rcu(k, &hdev->long_term_keys, list) {
1450
		if (k->bdaddr_type == addr_type && !bacmp(bdaddr, &k->bdaddr)) {
1451
			rcu_read_unlock();
1452
			return true;
1453
		}
1454
	}
1455
	rcu_read_unlock();
1456

1457
	return false;
1458
}
1459

1460
/* HCI command timer function */
1461
static void hci_cmd_timeout(struct work_struct *work)
1462
{
1463
	struct hci_dev *hdev = container_of(work, struct hci_dev,
1464
					    cmd_timer.work);
1465

1466
	if (hdev->req_skb) {
1467
		u16 opcode = hci_skb_opcode(hdev->req_skb);
1468

1469
		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
1470

1471
		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
1472
	} else {
1473
		bt_dev_err(hdev, "command tx timeout");
1474
	}
1475

1476
	if (hdev->reset)
1477
		hdev->reset(hdev);
1478

1479
	atomic_set(&hdev->cmd_cnt, 1);
1480
	queue_work(hdev->workqueue, &hdev->cmd_work);
1481
}
1482

1483
/* HCI ncmd timer function */
1484
static void hci_ncmd_timeout(struct work_struct *work)
1485
{
1486
	struct hci_dev *hdev = container_of(work, struct hci_dev,
1487
					    ncmd_timer.work);
1488

1489
	bt_dev_err(hdev, "Controller not accepting commands anymore: ncmd = 0");
1490

1491
	/* During HCI_INIT phase no events can be injected if the ncmd timer
1492
	 * triggers since the procedure has its own timeout handling.
1493
	 */
1494
	if (test_bit(HCI_INIT, &hdev->flags))
1495
		return;
1496

1497
	/* This is an irrecoverable state, inject hardware error event */
1498
	hci_reset_dev(hdev);
1499
}
1500

1501
struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1502
					  bdaddr_t *bdaddr, u8 bdaddr_type)
1503
{
1504
	struct oob_data *data;
1505

1506
	list_for_each_entry(data, &hdev->remote_oob_data, list) {
1507
		if (bacmp(bdaddr, &data->bdaddr) != 0)
1508
			continue;
1509
		if (data->bdaddr_type != bdaddr_type)
1510
			continue;
1511
		return data;
1512
	}
1513

1514
	return NULL;
1515
}
1516

1517
int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
1518
			       u8 bdaddr_type)
1519
{
1520
	struct oob_data *data;
1521

1522
	data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
1523
	if (!data)
1524
		return -ENOENT;
1525

1526
	BT_DBG("%s removing %pMR (%u)", hdev->name, bdaddr, bdaddr_type);
1527

1528
	list_del(&data->list);
1529
	kfree(data);
1530

1531
	return 0;
1532
}
1533

1534
void hci_remote_oob_data_clear(struct hci_dev *hdev)
1535
{
1536
	struct oob_data *data, *n;
1537

1538
	list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1539
		list_del(&data->list);
1540
		kfree(data);
1541
	}
1542
}
1543

1544
int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
1545
			    u8 bdaddr_type, u8 *hash192, u8 *rand192,
1546
			    u8 *hash256, u8 *rand256)
1547
{
1548
	struct oob_data *data;
1549

1550
	data = hci_find_remote_oob_data(hdev, bdaddr, bdaddr_type);
1551
	if (!data) {
1552
		data = kmalloc(sizeof(*data), GFP_KERNEL);
1553
		if (!data)
1554
			return -ENOMEM;
1555

1556
		bacpy(&data->bdaddr, bdaddr);
1557
		data->bdaddr_type = bdaddr_type;
1558
		list_add(&data->list, &hdev->remote_oob_data);
1559
	}
1560

1561
	if (hash192 && rand192) {
1562
		memcpy(data->hash192, hash192, sizeof(data->hash192));
1563
		memcpy(data->rand192, rand192, sizeof(data->rand192));
1564
		if (hash256 && rand256)
1565
			data->present = 0x03;
1566
	} else {
1567
		memset(data->hash192, 0, sizeof(data->hash192));
1568
		memset(data->rand192, 0, sizeof(data->rand192));
1569
		if (hash256 && rand256)
1570
			data->present = 0x02;
1571
		else
1572
			data->present = 0x00;
1573
	}
1574

1575
	if (hash256 && rand256) {
1576
		memcpy(data->hash256, hash256, sizeof(data->hash256));
1577
		memcpy(data->rand256, rand256, sizeof(data->rand256));
1578
	} else {
1579
		memset(data->hash256, 0, sizeof(data->hash256));
1580
		memset(data->rand256, 0, sizeof(data->rand256));
1581
		if (hash192 && rand192)
1582
			data->present = 0x01;
1583
	}
1584

1585
	BT_DBG("%s for %pMR", hdev->name, bdaddr);
1586

1587
	return 0;
1588
}
1589

1590
/* This function requires the caller holds hdev->lock */
1591
struct adv_info *hci_find_adv_instance(struct hci_dev *hdev, u8 instance)
1592
{
1593
	struct adv_info *adv_instance;
1594

1595
	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
1596
		if (adv_instance->instance == instance)
1597
			return adv_instance;
1598
	}
1599

1600
	return NULL;
1601
}
1602

1603
/* This function requires the caller holds hdev->lock */
1604
struct adv_info *hci_find_adv_sid(struct hci_dev *hdev, u8 sid)
1605
{
1606
	struct adv_info *adv;
1607

1608
	list_for_each_entry(adv, &hdev->adv_instances, list) {
1609
		if (adv->sid == sid)
1610
			return adv;
1611
	}
1612

1613
	return NULL;
1614
}
1615

1616
/* This function requires the caller holds hdev->lock */
1617
struct adv_info *hci_get_next_instance(struct hci_dev *hdev, u8 instance)
1618
{
1619
	struct adv_info *cur_instance;
1620

1621
	cur_instance = hci_find_adv_instance(hdev, instance);
1622
	if (!cur_instance)
1623
		return NULL;
1624

1625
	if (cur_instance == list_last_entry(&hdev->adv_instances,
1626
					    struct adv_info, list))
1627
		return list_first_entry(&hdev->adv_instances,
1628
						 struct adv_info, list);
1629
	else
1630
		return list_next_entry(cur_instance, list);
1631
}
1632

1633
/* This function requires the caller holds hdev->lock */
1634
int hci_remove_adv_instance(struct hci_dev *hdev, u8 instance)
1635
{
1636
	struct adv_info *adv_instance;
1637

1638
	adv_instance = hci_find_adv_instance(hdev, instance);
1639
	if (!adv_instance)
1640
		return -ENOENT;
1641

1642
	BT_DBG("%s removing %dMR", hdev->name, instance);
1643

1644
	if (hdev->cur_adv_instance == instance) {
1645
		if (hdev->adv_instance_timeout) {
1646
			cancel_delayed_work(&hdev->adv_instance_expire);
1647
			hdev->adv_instance_timeout = 0;
1648
		}
1649
		hdev->cur_adv_instance = 0x00;
1650
	}
1651

1652
	cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
1653

1654
	list_del(&adv_instance->list);
1655
	kfree(adv_instance);
1656

1657
	hdev->adv_instance_cnt--;
1658

1659
	return 0;
1660
}
1661

1662
void hci_adv_instances_set_rpa_expired(struct hci_dev *hdev, bool rpa_expired)
1663
{
1664
	struct adv_info *adv_instance, *n;
1665

1666
	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list)
1667
		adv_instance->rpa_expired = rpa_expired;
1668
}
1669

1670
/* This function requires the caller holds hdev->lock */
1671
void hci_adv_instances_clear(struct hci_dev *hdev)
1672
{
1673
	struct adv_info *adv_instance, *n;
1674

1675
	if (hdev->adv_instance_timeout) {
1676
		disable_delayed_work(&hdev->adv_instance_expire);
1677
		hdev->adv_instance_timeout = 0;
1678
	}
1679

1680
	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
1681
		disable_delayed_work_sync(&adv_instance->rpa_expired_cb);
1682
		list_del(&adv_instance->list);
1683
		kfree(adv_instance);
1684
	}
1685

1686
	hdev->adv_instance_cnt = 0;
1687
	hdev->cur_adv_instance = 0x00;
1688
}
1689

1690
static void adv_instance_rpa_expired(struct work_struct *work)
1691
{
1692
	struct adv_info *adv_instance = container_of(work, struct adv_info,
1693
						     rpa_expired_cb.work);
1694

1695
	BT_DBG("");
1696

1697
	adv_instance->rpa_expired = true;
1698
}
1699

1700
/* This function requires the caller holds hdev->lock */
1701
struct adv_info *hci_add_adv_instance(struct hci_dev *hdev, u8 instance,
1702
				      u32 flags, u16 adv_data_len, u8 *adv_data,
1703
				      u16 scan_rsp_len, u8 *scan_rsp_data,
1704
				      u16 timeout, u16 duration, s8 tx_power,
1705
				      u32 min_interval, u32 max_interval,
1706
				      u8 mesh_handle)
1707
{
1708
	struct adv_info *adv;
1709

1710
	adv = hci_find_adv_instance(hdev, instance);
1711
	if (adv) {
1712
		memset(adv->adv_data, 0, sizeof(adv->adv_data));
1713
		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
1714
		memset(adv->per_adv_data, 0, sizeof(adv->per_adv_data));
1715
	} else {
1716
		if (hdev->adv_instance_cnt >= hdev->le_num_of_adv_sets ||
1717
		    instance < 1 || instance > hdev->le_num_of_adv_sets + 1)
1718
			return ERR_PTR(-EOVERFLOW);
1719

1720
		adv = kzalloc(sizeof(*adv), GFP_KERNEL);
1721
		if (!adv)
1722
			return ERR_PTR(-ENOMEM);
1723

1724
		adv->pending = true;
1725
		adv->instance = instance;
1726

1727
		/* If controller support only one set and the instance is set to
1728
		 * 1 then there is no option other than using handle 0x00.
1729
		 */
1730
		if (hdev->le_num_of_adv_sets == 1 && instance == 1)
1731
			adv->handle = 0x00;
1732
		else
1733
			adv->handle = instance;
1734

1735
		list_add(&adv->list, &hdev->adv_instances);
1736
		hdev->adv_instance_cnt++;
1737
	}
1738

1739
	adv->flags = flags;
1740
	adv->min_interval = min_interval;
1741
	adv->max_interval = max_interval;
1742
	adv->tx_power = tx_power;
1743
	/* Defining a mesh_handle changes the timing units to ms,
1744
	 * rather than seconds, and ties the instance to the requested
1745
	 * mesh_tx queue.
1746
	 */
1747
	adv->mesh = mesh_handle;
1748

1749
	hci_set_adv_instance_data(hdev, instance, adv_data_len, adv_data,
1750
				  scan_rsp_len, scan_rsp_data);
1751

1752
	adv->timeout = timeout;
1753
	adv->remaining_time = timeout;
1754

1755
	if (duration == 0)
1756
		adv->duration = hdev->def_multi_adv_rotation_duration;
1757
	else
1758
		adv->duration = duration;
1759

1760
	INIT_DELAYED_WORK(&adv->rpa_expired_cb, adv_instance_rpa_expired);
1761

1762
	BT_DBG("%s for %dMR", hdev->name, instance);
1763

1764
	return adv;
1765
}
1766

1767
/* This function requires the caller holds hdev->lock */
1768
struct adv_info *hci_add_per_instance(struct hci_dev *hdev, u8 instance, u8 sid,
1769
				      u32 flags, u8 data_len, u8 *data,
1770
				      u32 min_interval, u32 max_interval)
1771
{
1772
	struct adv_info *adv;
1773

1774
	adv = hci_add_adv_instance(hdev, instance, flags, 0, NULL, 0, NULL,
1775
				   0, 0, HCI_ADV_TX_POWER_NO_PREFERENCE,
1776
				   min_interval, max_interval, 0);
1777
	if (IS_ERR(adv))
1778
		return adv;
1779

1780
	adv->sid = sid;
1781
	adv->periodic = true;
1782
	adv->per_adv_data_len = data_len;
1783

1784
	if (data)
1785
		memcpy(adv->per_adv_data, data, data_len);
1786

1787
	return adv;
1788
}
1789

1790
/* This function requires the caller holds hdev->lock */
1791
int hci_set_adv_instance_data(struct hci_dev *hdev, u8 instance,
1792
			      u16 adv_data_len, u8 *adv_data,
1793
			      u16 scan_rsp_len, u8 *scan_rsp_data)
1794
{
1795
	struct adv_info *adv;
1796

1797
	adv = hci_find_adv_instance(hdev, instance);
1798

1799
	/* If advertisement doesn't exist, we can't modify its data */
1800
	if (!adv)
1801
		return -ENOENT;
1802

1803
	if (adv_data_len && ADV_DATA_CMP(adv, adv_data, adv_data_len)) {
1804
		memset(adv->adv_data, 0, sizeof(adv->adv_data));
1805
		memcpy(adv->adv_data, adv_data, adv_data_len);
1806
		adv->adv_data_len = adv_data_len;
1807
		adv->adv_data_changed = true;
1808
	}
1809

1810
	if (scan_rsp_len && SCAN_RSP_CMP(adv, scan_rsp_data, scan_rsp_len)) {
1811
		memset(adv->scan_rsp_data, 0, sizeof(adv->scan_rsp_data));
1812
		memcpy(adv->scan_rsp_data, scan_rsp_data, scan_rsp_len);
1813
		adv->scan_rsp_len = scan_rsp_len;
1814
		adv->scan_rsp_changed = true;
1815
	}
1816

1817
	/* Mark as changed if there are flags which would affect it */
1818
	if (((adv->flags & MGMT_ADV_FLAG_APPEARANCE) && hdev->appearance) ||
1819
	    adv->flags & MGMT_ADV_FLAG_LOCAL_NAME)
1820
		adv->scan_rsp_changed = true;
1821

1822
	return 0;
1823
}
1824

1825
/* This function requires the caller holds hdev->lock */
1826
u32 hci_adv_instance_flags(struct hci_dev *hdev, u8 instance)
1827
{
1828
	u32 flags;
1829
	struct adv_info *adv;
1830

1831
	if (instance == 0x00) {
1832
		/* Instance 0 always manages the "Tx Power" and "Flags"
1833
		 * fields
1834
		 */
1835
		flags = MGMT_ADV_FLAG_TX_POWER | MGMT_ADV_FLAG_MANAGED_FLAGS;
1836

1837
		/* For instance 0, the HCI_ADVERTISING_CONNECTABLE setting
1838
		 * corresponds to the "connectable" instance flag.
1839
		 */
1840
		if (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE))
1841
			flags |= MGMT_ADV_FLAG_CONNECTABLE;
1842

1843
		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
1844
			flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
1845
		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
1846
			flags |= MGMT_ADV_FLAG_DISCOV;
1847

1848
		return flags;
1849
	}
1850

1851
	adv = hci_find_adv_instance(hdev, instance);
1852

1853
	/* Return 0 when we got an invalid instance identifier. */
1854
	if (!adv)
1855
		return 0;
1856

1857
	return adv->flags;
1858
}
1859

1860
bool hci_adv_instance_is_scannable(struct hci_dev *hdev, u8 instance)
1861
{
1862
	struct adv_info *adv;
1863

1864
	/* Instance 0x00 always set local name */
1865
	if (instance == 0x00)
1866
		return true;
1867

1868
	adv = hci_find_adv_instance(hdev, instance);
1869
	if (!adv)
1870
		return false;
1871

1872
	if (adv->flags & MGMT_ADV_FLAG_APPEARANCE ||
1873
	    adv->flags & MGMT_ADV_FLAG_LOCAL_NAME)
1874
		return true;
1875

1876
	return adv->scan_rsp_len ? true : false;
1877
}
1878

1879
/* This function requires the caller holds hdev->lock */
1880
void hci_adv_monitors_clear(struct hci_dev *hdev)
1881
{
1882
	struct adv_monitor *monitor;
1883
	int handle;
1884

1885
	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
1886
		hci_free_adv_monitor(hdev, monitor);
1887

1888
	idr_destroy(&hdev->adv_monitors_idr);
1889
}
1890

1891
/* Frees the monitor structure and do some bookkeepings.
1892
 * This function requires the caller holds hdev->lock.
1893
 */
1894
void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
1895
{
1896
	struct adv_pattern *pattern;
1897
	struct adv_pattern *tmp;
1898

1899
	if (!monitor)
1900
		return;
1901

1902
	list_for_each_entry_safe(pattern, tmp, &monitor->patterns, list) {
1903
		list_del(&pattern->list);
1904
		kfree(pattern);
1905
	}
1906

1907
	if (monitor->handle)
1908
		idr_remove(&hdev->adv_monitors_idr, monitor->handle);
1909

1910
	if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED)
1911
		hdev->adv_monitors_cnt--;
1912

1913
	kfree(monitor);
1914
}
1915

1916
/* Assigns handle to a monitor, and if offloading is supported and power is on,
1917
 * also attempts to forward the request to the controller.
1918
 * This function requires the caller holds hci_req_sync_lock.
1919
 */
1920
int hci_add_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
1921
{
1922
	int min, max, handle;
1923
	int status = 0;
1924

1925
	if (!monitor)
1926
		return -EINVAL;
1927

1928
	hci_dev_lock(hdev);
1929

1930
	min = HCI_MIN_ADV_MONITOR_HANDLE;
1931
	max = HCI_MIN_ADV_MONITOR_HANDLE + HCI_MAX_ADV_MONITOR_NUM_HANDLES;
1932
	handle = idr_alloc(&hdev->adv_monitors_idr, monitor, min, max,
1933
			   GFP_KERNEL);
1934

1935
	hci_dev_unlock(hdev);
1936

1937
	if (handle < 0)
1938
		return handle;
1939

1940
	monitor->handle = handle;
1941

1942
	if (!hdev_is_powered(hdev))
1943
		return status;
1944

1945
	switch (hci_get_adv_monitor_offload_ext(hdev)) {
1946
	case HCI_ADV_MONITOR_EXT_NONE:
1947
		bt_dev_dbg(hdev, "add monitor %d status %d",
1948
			   monitor->handle, status);
1949
		/* Message was not forwarded to controller - not an error */
1950
		break;
1951

1952
	case HCI_ADV_MONITOR_EXT_MSFT:
1953
		status = msft_add_monitor_pattern(hdev, monitor);
1954
		bt_dev_dbg(hdev, "add monitor %d msft status %d",
1955
			   handle, status);
1956
		break;
1957
	}
1958

1959
	return status;
1960
}
1961

1962
/* Attempts to tell the controller and free the monitor. If somehow the
1963
 * controller doesn't have a corresponding handle, remove anyway.
1964
 * This function requires the caller holds hci_req_sync_lock.
1965
 */
1966
static int hci_remove_adv_monitor(struct hci_dev *hdev,
1967
				  struct adv_monitor *monitor)
1968
{
1969
	int status = 0;
1970
	int handle;
1971

1972
	switch (hci_get_adv_monitor_offload_ext(hdev)) {
1973
	case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
1974
		bt_dev_dbg(hdev, "remove monitor %d status %d",
1975
			   monitor->handle, status);
1976
		goto free_monitor;
1977

1978
	case HCI_ADV_MONITOR_EXT_MSFT:
1979
		handle = monitor->handle;
1980
		status = msft_remove_monitor(hdev, monitor);
1981
		bt_dev_dbg(hdev, "remove monitor %d msft status %d",
1982
			   handle, status);
1983
		break;
1984
	}
1985

1986
	/* In case no matching handle registered, just free the monitor */
1987
	if (status == -ENOENT)
1988
		goto free_monitor;
1989

1990
	return status;
1991

1992
free_monitor:
1993
	if (status == -ENOENT)
1994
		bt_dev_warn(hdev, "Removing monitor with no matching handle %d",
1995
			    monitor->handle);
1996
	hci_free_adv_monitor(hdev, monitor);
1997

1998
	return status;
1999
}
2000

2001
/* This function requires the caller holds hci_req_sync_lock */
2002
int hci_remove_single_adv_monitor(struct hci_dev *hdev, u16 handle)
2003
{
2004
	struct adv_monitor *monitor = idr_find(&hdev->adv_monitors_idr, handle);
2005

2006
	if (!monitor)
2007
		return -EINVAL;
2008

2009
	return hci_remove_adv_monitor(hdev, monitor);
2010
}
2011

2012
/* This function requires the caller holds hci_req_sync_lock */
2013
int hci_remove_all_adv_monitor(struct hci_dev *hdev)
2014
{
2015
	struct adv_monitor *monitor;
2016
	int idr_next_id = 0;
2017
	int status = 0;
2018

2019
	while (1) {
2020
		monitor = idr_get_next(&hdev->adv_monitors_idr, &idr_next_id);
2021
		if (!monitor)
2022
			break;
2023

2024
		status = hci_remove_adv_monitor(hdev, monitor);
2025
		if (status)
2026
			return status;
2027

2028
		idr_next_id++;
2029
	}
2030

2031
	return status;
2032
}
2033

2034
/* This function requires the caller holds hdev->lock */
2035
bool hci_is_adv_monitoring(struct hci_dev *hdev)
2036
{
2037
	return !idr_is_empty(&hdev->adv_monitors_idr);
2038
}
2039

2040
int hci_get_adv_monitor_offload_ext(struct hci_dev *hdev)
2041
{
2042
	if (msft_monitor_supported(hdev))
2043
		return HCI_ADV_MONITOR_EXT_MSFT;
2044

2045
	return HCI_ADV_MONITOR_EXT_NONE;
2046
}
2047

2048
struct bdaddr_list *hci_bdaddr_list_lookup(struct list_head *bdaddr_list,
2049
					 bdaddr_t *bdaddr, u8 type)
2050
{
2051
	struct bdaddr_list *b;
2052

2053
	list_for_each_entry(b, bdaddr_list, list) {
2054
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2055
			return b;
2056
	}
2057

2058
	return NULL;
2059
}
2060

2061
struct bdaddr_list_with_irk *hci_bdaddr_list_lookup_with_irk(
2062
				struct list_head *bdaddr_list, bdaddr_t *bdaddr,
2063
				u8 type)
2064
{
2065
	struct bdaddr_list_with_irk *b;
2066

2067
	list_for_each_entry(b, bdaddr_list, list) {
2068
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2069
			return b;
2070
	}
2071

2072
	return NULL;
2073
}
2074

2075
struct bdaddr_list_with_flags *
2076
hci_bdaddr_list_lookup_with_flags(struct list_head *bdaddr_list,
2077
				  bdaddr_t *bdaddr, u8 type)
2078
{
2079
	struct bdaddr_list_with_flags *b;
2080

2081
	list_for_each_entry(b, bdaddr_list, list) {
2082
		if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
2083
			return b;
2084
	}
2085

2086
	return NULL;
2087
}
2088

2089
void hci_bdaddr_list_clear(struct list_head *bdaddr_list)
2090
{
2091
	struct bdaddr_list *b, *n;
2092

2093
	list_for_each_entry_safe(b, n, bdaddr_list, list) {
2094
		list_del(&b->list);
2095
		kfree(b);
2096
	}
2097
}
2098

2099
int hci_bdaddr_list_add(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2100
{
2101
	struct bdaddr_list *entry;
2102

2103
	if (!bacmp(bdaddr, BDADDR_ANY))
2104
		return -EBADF;
2105

2106
	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2107
		return -EEXIST;
2108

2109
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2110
	if (!entry)
2111
		return -ENOMEM;
2112

2113
	bacpy(&entry->bdaddr, bdaddr);
2114
	entry->bdaddr_type = type;
2115

2116
	list_add(&entry->list, list);
2117

2118
	return 0;
2119
}
2120

2121
int hci_bdaddr_list_add_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2122
					u8 type, u8 *peer_irk, u8 *local_irk)
2123
{
2124
	struct bdaddr_list_with_irk *entry;
2125

2126
	if (!bacmp(bdaddr, BDADDR_ANY))
2127
		return -EBADF;
2128

2129
	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2130
		return -EEXIST;
2131

2132
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2133
	if (!entry)
2134
		return -ENOMEM;
2135

2136
	bacpy(&entry->bdaddr, bdaddr);
2137
	entry->bdaddr_type = type;
2138

2139
	if (peer_irk)
2140
		memcpy(entry->peer_irk, peer_irk, 16);
2141

2142
	if (local_irk)
2143
		memcpy(entry->local_irk, local_irk, 16);
2144

2145
	list_add(&entry->list, list);
2146

2147
	return 0;
2148
}
2149

2150
int hci_bdaddr_list_add_with_flags(struct list_head *list, bdaddr_t *bdaddr,
2151
				   u8 type, u32 flags)
2152
{
2153
	struct bdaddr_list_with_flags *entry;
2154

2155
	if (!bacmp(bdaddr, BDADDR_ANY))
2156
		return -EBADF;
2157

2158
	if (hci_bdaddr_list_lookup(list, bdaddr, type))
2159
		return -EEXIST;
2160

2161
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
2162
	if (!entry)
2163
		return -ENOMEM;
2164

2165
	bacpy(&entry->bdaddr, bdaddr);
2166
	entry->bdaddr_type = type;
2167
	entry->flags = flags;
2168

2169
	list_add(&entry->list, list);
2170

2171
	return 0;
2172
}
2173

2174
int hci_bdaddr_list_del(struct list_head *list, bdaddr_t *bdaddr, u8 type)
2175
{
2176
	struct bdaddr_list *entry;
2177

2178
	if (!bacmp(bdaddr, BDADDR_ANY)) {
2179
		hci_bdaddr_list_clear(list);
2180
		return 0;
2181
	}
2182

2183
	entry = hci_bdaddr_list_lookup(list, bdaddr, type);
2184
	if (!entry)
2185
		return -ENOENT;
2186

2187
	list_del(&entry->list);
2188
	kfree(entry);
2189

2190
	return 0;
2191
}
2192

2193
int hci_bdaddr_list_del_with_irk(struct list_head *list, bdaddr_t *bdaddr,
2194
							u8 type)
2195
{
2196
	struct bdaddr_list_with_irk *entry;
2197

2198
	if (!bacmp(bdaddr, BDADDR_ANY)) {
2199
		hci_bdaddr_list_clear(list);
2200
		return 0;
2201
	}
2202

2203
	entry = hci_bdaddr_list_lookup_with_irk(list, bdaddr, type);
2204
	if (!entry)
2205
		return -ENOENT;
2206

2207
	list_del(&entry->list);
2208
	kfree(entry);
2209

2210
	return 0;
2211
}
2212

2213
/* This function requires the caller holds hdev->lock */
2214
struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
2215
					       bdaddr_t *addr, u8 addr_type)
2216
{
2217
	struct hci_conn_params *params;
2218

2219
	list_for_each_entry(params, &hdev->le_conn_params, list) {
2220
		if (bacmp(&params->addr, addr) == 0 &&
2221
		    params->addr_type == addr_type) {
2222
			return params;
2223
		}
2224
	}
2225

2226
	return NULL;
2227
}
2228

2229
/* This function requires the caller holds hdev->lock or rcu_read_lock */
2230
struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list,
2231
						  bdaddr_t *addr, u8 addr_type)
2232
{
2233
	struct hci_conn_params *param;
2234

2235
	rcu_read_lock();
2236

2237
	list_for_each_entry_rcu(param, list, action) {
2238
		if (bacmp(&param->addr, addr) == 0 &&
2239
		    param->addr_type == addr_type) {
2240
			rcu_read_unlock();
2241
			return param;
2242
		}
2243
	}
2244

2245
	rcu_read_unlock();
2246

2247
	return NULL;
2248
}
2249

2250
/* This function requires the caller holds hdev->lock */
2251
void hci_pend_le_list_del_init(struct hci_conn_params *param)
2252
{
2253
	if (list_empty(&param->action))
2254
		return;
2255

2256
	list_del_rcu(&param->action);
2257
	synchronize_rcu();
2258
	INIT_LIST_HEAD(&param->action);
2259
}
2260

2261
/* This function requires the caller holds hdev->lock */
2262
void hci_pend_le_list_add(struct hci_conn_params *param,
2263
			  struct list_head *list)
2264
{
2265
	list_add_rcu(&param->action, list);
2266
}
2267

2268
/* This function requires the caller holds hdev->lock */
2269
struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev,
2270
					    bdaddr_t *addr, u8 addr_type)
2271
{
2272
	struct hci_conn_params *params;
2273

2274
	params = hci_conn_params_lookup(hdev, addr, addr_type);
2275
	if (params)
2276
		return params;
2277

2278
	params = kzalloc(sizeof(*params), GFP_KERNEL);
2279
	if (!params) {
2280
		bt_dev_err(hdev, "out of memory");
2281
		return NULL;
2282
	}
2283

2284
	bacpy(&params->addr, addr);
2285
	params->addr_type = addr_type;
2286

2287
	list_add(&params->list, &hdev->le_conn_params);
2288
	INIT_LIST_HEAD(&params->action);
2289

2290
	params->conn_min_interval = hdev->le_conn_min_interval;
2291
	params->conn_max_interval = hdev->le_conn_max_interval;
2292
	params->conn_latency = hdev->le_conn_latency;
2293
	params->supervision_timeout = hdev->le_supv_timeout;
2294
	params->auto_connect = HCI_AUTO_CONN_DISABLED;
2295

2296
	BT_DBG("addr %pMR (type %u)", addr, addr_type);
2297

2298
	return params;
2299
}
2300

2301
void hci_conn_params_free(struct hci_conn_params *params)
2302
{
2303
	hci_pend_le_list_del_init(params);
2304

2305
	if (params->conn) {
2306
		hci_conn_drop(params->conn);
2307
		hci_conn_put(params->conn);
2308
	}
2309

2310
	list_del(&params->list);
2311
	kfree(params);
2312
}
2313

2314
/* This function requires the caller holds hdev->lock */
2315
void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
2316
{
2317
	struct hci_conn_params *params;
2318

2319
	params = hci_conn_params_lookup(hdev, addr, addr_type);
2320
	if (!params)
2321
		return;
2322

2323
	hci_conn_params_free(params);
2324

2325
	hci_update_passive_scan(hdev);
2326

2327
	BT_DBG("addr %pMR (type %u)", addr, addr_type);
2328
}
2329

2330
/* This function requires the caller holds hdev->lock */
2331
void hci_conn_params_clear_disabled(struct hci_dev *hdev)
2332
{
2333
	struct hci_conn_params *params, *tmp;
2334

2335
	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
2336
		if (params->auto_connect != HCI_AUTO_CONN_DISABLED)
2337
			continue;
2338

2339
		/* If trying to establish one time connection to disabled
2340
		 * device, leave the params, but mark them as just once.
2341
		 */
2342
		if (params->explicit_connect) {
2343
			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2344
			continue;
2345
		}
2346

2347
		hci_conn_params_free(params);
2348
	}
2349

2350
	BT_DBG("All LE disabled connection parameters were removed");
2351
}
2352

2353
/* This function requires the caller holds hdev->lock */
2354
static void hci_conn_params_clear_all(struct hci_dev *hdev)
2355
{
2356
	struct hci_conn_params *params, *tmp;
2357

2358
	list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list)
2359
		hci_conn_params_free(params);
2360

2361
	BT_DBG("All LE connection parameters were removed");
2362
}
2363

2364
/* Copy the Identity Address of the controller.
2365
 *
2366
 * If the controller has a public BD_ADDR, then by default use that one.
2367
 * If this is a LE only controller without a public address, default to
2368
 * the static random address.
2369
 *
2370
 * For debugging purposes it is possible to force controllers with a
2371
 * public address to use the static random address instead.
2372
 *
2373
 * In case BR/EDR has been disabled on a dual-mode controller and
2374
 * userspace has configured a static address, then that address
2375
 * becomes the identity address instead of the public BR/EDR address.
2376
 */
2377
void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
2378
			       u8 *bdaddr_type)
2379
{
2380
	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
2381
	    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2382
	    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
2383
	     bacmp(&hdev->static_addr, BDADDR_ANY))) {
2384
		bacpy(bdaddr, &hdev->static_addr);
2385
		*bdaddr_type = ADDR_LE_DEV_RANDOM;
2386
	} else {
2387
		bacpy(bdaddr, &hdev->bdaddr);
2388
		*bdaddr_type = ADDR_LE_DEV_PUBLIC;
2389
	}
2390
}
2391

2392
static void hci_clear_wake_reason(struct hci_dev *hdev)
2393
{
2394
	hci_dev_lock(hdev);
2395

2396
	hdev->wake_reason = 0;
2397
	bacpy(&hdev->wake_addr, BDADDR_ANY);
2398
	hdev->wake_addr_type = 0;
2399

2400
	hci_dev_unlock(hdev);
2401
}
2402

2403
static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action,
2404
				void *data)
2405
{
2406
	struct hci_dev *hdev =
2407
		container_of(nb, struct hci_dev, suspend_notifier);
2408
	int ret = 0;
2409

2410
	/* Userspace has full control of this device. Do nothing. */
2411
	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
2412
		return NOTIFY_DONE;
2413

2414
	/* To avoid a potential race with hci_unregister_dev. */
2415
	hci_dev_hold(hdev);
2416

2417
	switch (action) {
2418
	case PM_HIBERNATION_PREPARE:
2419
	case PM_SUSPEND_PREPARE:
2420
		ret = hci_suspend_dev(hdev);
2421
		break;
2422
	case PM_POST_HIBERNATION:
2423
	case PM_POST_SUSPEND:
2424
		ret = hci_resume_dev(hdev);
2425
		break;
2426
	}
2427

2428
	if (ret)
2429
		bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d",
2430
			   action, ret);
2431

2432
	hci_dev_put(hdev);
2433
	return NOTIFY_DONE;
2434
}
2435

2436
/* Alloc HCI device */
2437
struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
2438
{
2439
	struct hci_dev *hdev;
2440
	unsigned int alloc_size;
2441

2442
	alloc_size = sizeof(*hdev);
2443
	if (sizeof_priv) {
2444
		/* Fixme: May need ALIGN-ment? */
2445
		alloc_size += sizeof_priv;
2446
	}
2447

2448
	hdev = kzalloc(alloc_size, GFP_KERNEL);
2449
	if (!hdev)
2450
		return NULL;
2451

2452
	if (init_srcu_struct(&hdev->srcu)) {
2453
		kfree(hdev);
2454
		return NULL;
2455
	}
2456

2457
	hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2458
	hdev->esco_type = (ESCO_HV1);
2459
	hdev->link_mode = (HCI_LM_ACCEPT);
2460
	hdev->num_iac = 0x01;		/* One IAC support is mandatory */
2461
	hdev->io_capability = 0x03;	/* No Input No Output */
2462
	hdev->manufacturer = 0xffff;	/* Default to internal use */
2463
	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2464
	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2465
	hdev->adv_instance_cnt = 0;
2466
	hdev->cur_adv_instance = 0x00;
2467
	hdev->adv_instance_timeout = 0;
2468

2469
	hdev->advmon_allowlist_duration = 300;
2470
	hdev->advmon_no_filter_duration = 500;
2471
	hdev->enable_advmon_interleave_scan = 0x00;	/* Default to disable */
2472

2473
	hdev->sniff_max_interval = 800;
2474
	hdev->sniff_min_interval = 80;
2475

2476
	hdev->le_adv_channel_map = 0x07;
2477
	hdev->le_adv_min_interval = 0x0800;
2478
	hdev->le_adv_max_interval = 0x0800;
2479
	hdev->le_scan_interval = DISCOV_LE_SCAN_INT_FAST;
2480
	hdev->le_scan_window = DISCOV_LE_SCAN_WIN_FAST;
2481
	hdev->le_scan_int_suspend = DISCOV_LE_SCAN_INT_SLOW1;
2482
	hdev->le_scan_window_suspend = DISCOV_LE_SCAN_WIN_SLOW1;
2483
	hdev->le_scan_int_discovery = DISCOV_LE_SCAN_INT;
2484
	hdev->le_scan_window_discovery = DISCOV_LE_SCAN_WIN;
2485
	hdev->le_scan_int_adv_monitor = DISCOV_LE_SCAN_INT_FAST;
2486
	hdev->le_scan_window_adv_monitor = DISCOV_LE_SCAN_WIN_FAST;
2487
	hdev->le_scan_int_connect = DISCOV_LE_SCAN_INT_CONN;
2488
	hdev->le_scan_window_connect = DISCOV_LE_SCAN_WIN_CONN;
2489
	hdev->le_conn_min_interval = 0x0018;
2490
	hdev->le_conn_max_interval = 0x0028;
2491
	hdev->le_conn_latency = 0x0000;
2492
	hdev->le_supv_timeout = 0x002a;
2493
	hdev->le_def_tx_len = 0x001b;
2494
	hdev->le_def_tx_time = 0x0148;
2495
	hdev->le_max_tx_len = 0x001b;
2496
	hdev->le_max_tx_time = 0x0148;
2497
	hdev->le_max_rx_len = 0x001b;
2498
	hdev->le_max_rx_time = 0x0148;
2499
	hdev->le_max_key_size = SMP_MAX_ENC_KEY_SIZE;
2500
	hdev->le_min_key_size = SMP_MIN_ENC_KEY_SIZE;
2501
	hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
2502
	hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
2503
	hdev->le_num_of_adv_sets = HCI_MAX_ADV_INSTANCES;
2504
	hdev->def_multi_adv_rotation_duration = HCI_DEFAULT_ADV_DURATION;
2505
	hdev->def_le_autoconnect_timeout = HCI_LE_CONN_TIMEOUT;
2506
	hdev->min_le_tx_power = HCI_TX_POWER_INVALID;
2507
	hdev->max_le_tx_power = HCI_TX_POWER_INVALID;
2508

2509
	hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
2510
	hdev->discov_interleaved_timeout = DISCOV_INTERLEAVED_TIMEOUT;
2511
	hdev->conn_info_min_age = DEFAULT_CONN_INFO_MIN_AGE;
2512
	hdev->conn_info_max_age = DEFAULT_CONN_INFO_MAX_AGE;
2513
	hdev->auth_payload_timeout = DEFAULT_AUTH_PAYLOAD_TIMEOUT;
2514
	hdev->min_enc_key_size = HCI_MIN_ENC_KEY_SIZE;
2515

2516
	/* default 1.28 sec page scan */
2517
	hdev->def_page_scan_type = PAGE_SCAN_TYPE_STANDARD;
2518
	hdev->def_page_scan_int = 0x0800;
2519
	hdev->def_page_scan_window = 0x0012;
2520

2521
	mutex_init(&hdev->lock);
2522
	mutex_init(&hdev->req_lock);
2523
	mutex_init(&hdev->mgmt_pending_lock);
2524

2525
	ida_init(&hdev->unset_handle_ida);
2526

2527
	INIT_LIST_HEAD(&hdev->mesh_pending);
2528
	INIT_LIST_HEAD(&hdev->mgmt_pending);
2529
	INIT_LIST_HEAD(&hdev->reject_list);
2530
	INIT_LIST_HEAD(&hdev->accept_list);
2531
	INIT_LIST_HEAD(&hdev->uuids);
2532
	INIT_LIST_HEAD(&hdev->link_keys);
2533
	INIT_LIST_HEAD(&hdev->long_term_keys);
2534
	INIT_LIST_HEAD(&hdev->identity_resolving_keys);
2535
	INIT_LIST_HEAD(&hdev->remote_oob_data);
2536
	INIT_LIST_HEAD(&hdev->le_accept_list);
2537
	INIT_LIST_HEAD(&hdev->le_resolv_list);
2538
	INIT_LIST_HEAD(&hdev->le_conn_params);
2539
	INIT_LIST_HEAD(&hdev->pend_le_conns);
2540
	INIT_LIST_HEAD(&hdev->pend_le_reports);
2541
	INIT_LIST_HEAD(&hdev->conn_hash.list);
2542
	INIT_LIST_HEAD(&hdev->adv_instances);
2543
	INIT_LIST_HEAD(&hdev->blocked_keys);
2544
	INIT_LIST_HEAD(&hdev->monitored_devices);
2545

2546
	INIT_LIST_HEAD(&hdev->local_codecs);
2547
	INIT_WORK(&hdev->rx_work, hci_rx_work);
2548
	INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2549
	INIT_WORK(&hdev->tx_work, hci_tx_work);
2550
	INIT_WORK(&hdev->power_on, hci_power_on);
2551
	INIT_WORK(&hdev->error_reset, hci_error_reset);
2552

2553
	hci_cmd_sync_init(hdev);
2554

2555
	INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2556

2557
	skb_queue_head_init(&hdev->rx_q);
2558
	skb_queue_head_init(&hdev->cmd_q);
2559
	skb_queue_head_init(&hdev->raw_q);
2560

2561
	init_waitqueue_head(&hdev->req_wait_q);
2562

2563
	INIT_DELAYED_WORK(&hdev->cmd_timer, hci_cmd_timeout);
2564
	INIT_DELAYED_WORK(&hdev->ncmd_timer, hci_ncmd_timeout);
2565

2566
	hci_devcd_setup(hdev);
2567

2568
	hci_init_sysfs(hdev);
2569
	discovery_init(hdev);
2570

2571
	return hdev;
2572
}
2573
EXPORT_SYMBOL(hci_alloc_dev_priv);
2574

2575
/* Free HCI device */
2576
void hci_free_dev(struct hci_dev *hdev)
2577
{
2578
	/* will free via device release */
2579
	put_device(&hdev->dev);
2580
}
2581
EXPORT_SYMBOL(hci_free_dev);
2582

2583
/* Register HCI device */
2584
int hci_register_dev(struct hci_dev *hdev)
2585
{
2586
	int id, error;
2587

2588
	if (!hdev->open || !hdev->close || !hdev->send)
2589
		return -EINVAL;
2590

2591
	id = ida_alloc_max(&hci_index_ida, HCI_MAX_ID - 1, GFP_KERNEL);
2592
	if (id < 0)
2593
		return id;
2594

2595
	error = dev_set_name(&hdev->dev, "hci%u", id);
2596
	if (error)
2597
		return error;
2598

2599
	hdev->name = dev_name(&hdev->dev);
2600
	hdev->id = id;
2601

2602
	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2603

2604
	hdev->workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI, hdev->name);
2605
	if (!hdev->workqueue) {
2606
		error = -ENOMEM;
2607
		goto err;
2608
	}
2609

2610
	hdev->req_workqueue = alloc_ordered_workqueue("%s", WQ_HIGHPRI,
2611
						      hdev->name);
2612
	if (!hdev->req_workqueue) {
2613
		destroy_workqueue(hdev->workqueue);
2614
		error = -ENOMEM;
2615
		goto err;
2616
	}
2617

2618
	if (!IS_ERR_OR_NULL(bt_debugfs))
2619
		hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
2620

2621
	error = device_add(&hdev->dev);
2622
	if (error < 0)
2623
		goto err_wqueue;
2624

2625
	hci_leds_init(hdev);
2626

2627
	hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2628
				    RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2629
				    hdev);
2630
	if (hdev->rfkill) {
2631
		if (rfkill_register(hdev->rfkill) < 0) {
2632
			rfkill_destroy(hdev->rfkill);
2633
			hdev->rfkill = NULL;
2634
		}
2635
	}
2636

2637
	if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
2638
		hci_dev_set_flag(hdev, HCI_RFKILLED);
2639

2640
	hci_dev_set_flag(hdev, HCI_SETUP);
2641
	hci_dev_set_flag(hdev, HCI_AUTO_OFF);
2642

2643
	/* Assume BR/EDR support until proven otherwise (such as
2644
	 * through reading supported features during init.
2645
	 */
2646
	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
2647

2648
	write_lock(&hci_dev_list_lock);
2649
	list_add(&hdev->list, &hci_dev_list);
2650
	write_unlock(&hci_dev_list_lock);
2651

2652
	/* Devices that are marked for raw-only usage are unconfigured
2653
	 * and should not be included in normal operation.
2654
	 */
2655
	if (hci_test_quirk(hdev, HCI_QUIRK_RAW_DEVICE))
2656
		hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
2657

2658
	/* Mark Remote Wakeup connection flag as supported if driver has wakeup
2659
	 * callback.
2660
	 */
2661
	if (hdev->wakeup)
2662
		hdev->conn_flags |= HCI_CONN_FLAG_REMOTE_WAKEUP;
2663

2664
	hci_sock_dev_event(hdev, HCI_DEV_REG);
2665
	hci_dev_hold(hdev);
2666

2667
	error = hci_register_suspend_notifier(hdev);
2668
	if (error)
2669
		BT_WARN("register suspend notifier failed error:%d\n", error);
2670

2671
	queue_work(hdev->req_workqueue, &hdev->power_on);
2672

2673
	idr_init(&hdev->adv_monitors_idr);
2674
	msft_register(hdev);
2675

2676
	return id;
2677

2678
err_wqueue:
2679
	debugfs_remove_recursive(hdev->debugfs);
2680
	destroy_workqueue(hdev->workqueue);
2681
	destroy_workqueue(hdev->req_workqueue);
2682
err:
2683
	ida_free(&hci_index_ida, hdev->id);
2684

2685
	return error;
2686
}
2687
EXPORT_SYMBOL(hci_register_dev);
2688

2689
/* Unregister HCI device */
2690
void hci_unregister_dev(struct hci_dev *hdev)
2691
{
2692
	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2693

2694
	mutex_lock(&hdev->unregister_lock);
2695
	hci_dev_set_flag(hdev, HCI_UNREGISTER);
2696
	mutex_unlock(&hdev->unregister_lock);
2697

2698
	write_lock(&hci_dev_list_lock);
2699
	list_del(&hdev->list);
2700
	write_unlock(&hci_dev_list_lock);
2701

2702
	synchronize_srcu(&hdev->srcu);
2703
	cleanup_srcu_struct(&hdev->srcu);
2704

2705
	disable_work_sync(&hdev->rx_work);
2706
	disable_work_sync(&hdev->cmd_work);
2707
	disable_work_sync(&hdev->tx_work);
2708
	disable_work_sync(&hdev->power_on);
2709
	disable_work_sync(&hdev->error_reset);
2710

2711
	hci_cmd_sync_clear(hdev);
2712

2713
	hci_unregister_suspend_notifier(hdev);
2714

2715
	hci_dev_do_close(hdev);
2716

2717
	if (!test_bit(HCI_INIT, &hdev->flags) &&
2718
	    !hci_dev_test_flag(hdev, HCI_SETUP) &&
2719
	    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
2720
		hci_dev_lock(hdev);
2721
		mgmt_index_removed(hdev);
2722
		hci_dev_unlock(hdev);
2723
	}
2724

2725
	/* mgmt_index_removed should take care of emptying the
2726
	 * pending list */
2727
	BUG_ON(!list_empty(&hdev->mgmt_pending));
2728

2729
	hci_sock_dev_event(hdev, HCI_DEV_UNREG);
2730

2731
	if (hdev->rfkill) {
2732
		rfkill_unregister(hdev->rfkill);
2733
		rfkill_destroy(hdev->rfkill);
2734
	}
2735

2736
	device_del(&hdev->dev);
2737
	/* Actual cleanup is deferred until hci_release_dev(). */
2738
	hci_dev_put(hdev);
2739
}
2740
EXPORT_SYMBOL(hci_unregister_dev);
2741

2742
/* Release HCI device */
2743
void hci_release_dev(struct hci_dev *hdev)
2744
{
2745
	debugfs_remove_recursive(hdev->debugfs);
2746
	kfree_const(hdev->hw_info);
2747
	kfree_const(hdev->fw_info);
2748

2749
	destroy_workqueue(hdev->workqueue);
2750
	destroy_workqueue(hdev->req_workqueue);
2751

2752
	hci_dev_lock(hdev);
2753
	hci_bdaddr_list_clear(&hdev->reject_list);
2754
	hci_bdaddr_list_clear(&hdev->accept_list);
2755
	hci_uuids_clear(hdev);
2756
	hci_link_keys_clear(hdev);
2757
	hci_smp_ltks_clear(hdev);
2758
	hci_smp_irks_clear(hdev);
2759
	hci_remote_oob_data_clear(hdev);
2760
	hci_adv_instances_clear(hdev);
2761
	hci_adv_monitors_clear(hdev);
2762
	hci_bdaddr_list_clear(&hdev->le_accept_list);
2763
	hci_bdaddr_list_clear(&hdev->le_resolv_list);
2764
	hci_conn_params_clear_all(hdev);
2765
	hci_discovery_filter_clear(hdev);
2766
	hci_blocked_keys_clear(hdev);
2767
	hci_codec_list_clear(&hdev->local_codecs);
2768
	msft_release(hdev);
2769
	hci_dev_unlock(hdev);
2770

2771
	ida_destroy(&hdev->unset_handle_ida);
2772
	ida_free(&hci_index_ida, hdev->id);
2773
	kfree_skb(hdev->sent_cmd);
2774
	kfree_skb(hdev->req_skb);
2775
	kfree_skb(hdev->recv_event);
2776
	kfree(hdev);
2777
}
2778
EXPORT_SYMBOL(hci_release_dev);
2779

2780
int hci_register_suspend_notifier(struct hci_dev *hdev)
2781
{
2782
	int ret = 0;
2783

2784
	if (!hdev->suspend_notifier.notifier_call &&
2785
	    !hci_test_quirk(hdev, HCI_QUIRK_NO_SUSPEND_NOTIFIER)) {
2786
		hdev->suspend_notifier.notifier_call = hci_suspend_notifier;
2787
		ret = register_pm_notifier(&hdev->suspend_notifier);
2788
	}
2789

2790
	return ret;
2791
}
2792

2793
int hci_unregister_suspend_notifier(struct hci_dev *hdev)
2794
{
2795
	int ret = 0;
2796

2797
	if (hdev->suspend_notifier.notifier_call) {
2798
		ret = unregister_pm_notifier(&hdev->suspend_notifier);
2799
		if (!ret)
2800
			hdev->suspend_notifier.notifier_call = NULL;
2801
	}
2802

2803
	return ret;
2804
}
2805

2806
/* Cancel ongoing command synchronously:
2807
 *
2808
 * - Cancel command timer
2809
 * - Reset command counter
2810
 * - Cancel command request
2811
 */
2812
static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err)
2813
{
2814
	bt_dev_dbg(hdev, "err 0x%2.2x", err);
2815

2816
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
2817
		disable_delayed_work_sync(&hdev->cmd_timer);
2818
		disable_delayed_work_sync(&hdev->ncmd_timer);
2819
	} else  {
2820
		cancel_delayed_work_sync(&hdev->cmd_timer);
2821
		cancel_delayed_work_sync(&hdev->ncmd_timer);
2822
	}
2823

2824
	atomic_set(&hdev->cmd_cnt, 1);
2825

2826
	hci_cmd_sync_cancel_sync(hdev, err);
2827
}
2828

2829
/* Suspend HCI device */
2830
int hci_suspend_dev(struct hci_dev *hdev)
2831
{
2832
	int ret;
2833

2834
	bt_dev_dbg(hdev, "");
2835

2836
	/* Suspend should only act on when powered. */
2837
	if (!hdev_is_powered(hdev) ||
2838
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
2839
		return 0;
2840

2841
	/* If powering down don't attempt to suspend */
2842
	if (mgmt_powering_down(hdev))
2843
		return 0;
2844

2845
	/* Cancel potentially blocking sync operation before suspend */
2846
	hci_cancel_cmd_sync(hdev, EHOSTDOWN);
2847

2848
	hci_req_sync_lock(hdev);
2849
	ret = hci_suspend_sync(hdev);
2850
	hci_req_sync_unlock(hdev);
2851

2852
	hci_clear_wake_reason(hdev);
2853
	mgmt_suspending(hdev, hdev->suspend_state);
2854

2855
	hci_sock_dev_event(hdev, HCI_DEV_SUSPEND);
2856
	return ret;
2857
}
2858
EXPORT_SYMBOL(hci_suspend_dev);
2859

2860
/* Resume HCI device */
2861
int hci_resume_dev(struct hci_dev *hdev)
2862
{
2863
	int ret;
2864

2865
	bt_dev_dbg(hdev, "");
2866

2867
	/* Resume should only act on when powered. */
2868
	if (!hdev_is_powered(hdev) ||
2869
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
2870
		return 0;
2871

2872
	/* If powering down don't attempt to resume */
2873
	if (mgmt_powering_down(hdev))
2874
		return 0;
2875

2876
	hci_req_sync_lock(hdev);
2877
	ret = hci_resume_sync(hdev);
2878
	hci_req_sync_unlock(hdev);
2879

2880
	mgmt_resuming(hdev, hdev->wake_reason, &hdev->wake_addr,
2881
		      hdev->wake_addr_type);
2882

2883
	hci_sock_dev_event(hdev, HCI_DEV_RESUME);
2884
	return ret;
2885
}
2886
EXPORT_SYMBOL(hci_resume_dev);
2887

2888
/* Reset HCI device */
2889
int hci_reset_dev(struct hci_dev *hdev)
2890
{
2891
	static const u8 hw_err[] = { HCI_EV_HARDWARE_ERROR, 0x01, 0x00 };
2892
	struct sk_buff *skb;
2893

2894
	skb = bt_skb_alloc(3, GFP_ATOMIC);
2895
	if (!skb)
2896
		return -ENOMEM;
2897

2898
	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
2899
	skb_put_data(skb, hw_err, 3);
2900

2901
	bt_dev_err(hdev, "Injecting HCI hardware error event");
2902

2903
	/* Send Hardware Error to upper stack */
2904
	return hci_recv_frame(hdev, skb);
2905
}
2906
EXPORT_SYMBOL(hci_reset_dev);
2907

2908
static u8 hci_dev_classify_pkt_type(struct hci_dev *hdev, struct sk_buff *skb)
2909
{
2910
	if (hdev->classify_pkt_type)
2911
		return hdev->classify_pkt_type(hdev, skb);
2912

2913
	return hci_skb_pkt_type(skb);
2914
}
2915

2916
/* Receive frame from HCI drivers */
2917
int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
2918
{
2919
	u8 dev_pkt_type;
2920

2921
	if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2922
		      && !test_bit(HCI_INIT, &hdev->flags))) {
2923
		kfree_skb(skb);
2924
		return -ENXIO;
2925
	}
2926

2927
	/* Check if the driver agree with packet type classification */
2928
	dev_pkt_type = hci_dev_classify_pkt_type(hdev, skb);
2929
	if (hci_skb_pkt_type(skb) != dev_pkt_type) {
2930
		hci_skb_pkt_type(skb) = dev_pkt_type;
2931
	}
2932

2933
	switch (hci_skb_pkt_type(skb)) {
2934
	case HCI_EVENT_PKT:
2935
		break;
2936
	case HCI_ACLDATA_PKT:
2937
		/* Detect if ISO packet has been sent as ACL */
2938
		if (hci_conn_num(hdev, CIS_LINK) ||
2939
		    hci_conn_num(hdev, BIS_LINK) ||
2940
			hci_conn_num(hdev, PA_LINK)) {
2941
			__u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle);
2942
			__u8 type;
2943

2944
			type = hci_conn_lookup_type(hdev, hci_handle(handle));
2945
			if (type == CIS_LINK || type == BIS_LINK ||
2946
			    type == PA_LINK)
2947
				hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
2948
		}
2949
		break;
2950
	case HCI_SCODATA_PKT:
2951
		break;
2952
	case HCI_ISODATA_PKT:
2953
		break;
2954
	case HCI_DRV_PKT:
2955
		break;
2956
	default:
2957
		kfree_skb(skb);
2958
		return -EINVAL;
2959
	}
2960

2961
	/* Incoming skb */
2962
	bt_cb(skb)->incoming = 1;
2963

2964
	/* Time stamp */
2965
	__net_timestamp(skb);
2966

2967
	skb_queue_tail(&hdev->rx_q, skb);
2968
	queue_work(hdev->workqueue, &hdev->rx_work);
2969

2970
	return 0;
2971
}
2972
EXPORT_SYMBOL(hci_recv_frame);
2973

2974
/* Receive diagnostic message from HCI drivers */
2975
int hci_recv_diag(struct hci_dev *hdev, struct sk_buff *skb)
2976
{
2977
	/* Mark as diagnostic packet */
2978
	hci_skb_pkt_type(skb) = HCI_DIAG_PKT;
2979

2980
	/* Time stamp */
2981
	__net_timestamp(skb);
2982

2983
	skb_queue_tail(&hdev->rx_q, skb);
2984
	queue_work(hdev->workqueue, &hdev->rx_work);
2985

2986
	return 0;
2987
}
2988
EXPORT_SYMBOL(hci_recv_diag);
2989

2990
void hci_set_hw_info(struct hci_dev *hdev, const char *fmt, ...)
2991
{
2992
	va_list vargs;
2993

2994
	va_start(vargs, fmt);
2995
	kfree_const(hdev->hw_info);
2996
	hdev->hw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
2997
	va_end(vargs);
2998
}
2999
EXPORT_SYMBOL(hci_set_hw_info);
3000

3001
void hci_set_fw_info(struct hci_dev *hdev, const char *fmt, ...)
3002
{
3003
	va_list vargs;
3004

3005
	va_start(vargs, fmt);
3006
	kfree_const(hdev->fw_info);
3007
	hdev->fw_info = kvasprintf_const(GFP_KERNEL, fmt, vargs);
3008
	va_end(vargs);
3009
}
3010
EXPORT_SYMBOL(hci_set_fw_info);
3011

3012
/* ---- Interface to upper protocols ---- */
3013

3014
int hci_register_cb(struct hci_cb *cb)
3015
{
3016
	BT_DBG("%p name %s", cb, cb->name);
3017

3018
	mutex_lock(&hci_cb_list_lock);
3019
	list_add_tail(&cb->list, &hci_cb_list);
3020
	mutex_unlock(&hci_cb_list_lock);
3021

3022
	return 0;
3023
}
3024
EXPORT_SYMBOL(hci_register_cb);
3025

3026
int hci_unregister_cb(struct hci_cb *cb)
3027
{
3028
	BT_DBG("%p name %s", cb, cb->name);
3029

3030
	mutex_lock(&hci_cb_list_lock);
3031
	list_del(&cb->list);
3032
	mutex_unlock(&hci_cb_list_lock);
3033

3034
	return 0;
3035
}
3036
EXPORT_SYMBOL(hci_unregister_cb);
3037

3038
static int hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
3039
{
3040
	int err;
3041

3042
	BT_DBG("%s type %d len %d", hdev->name, hci_skb_pkt_type(skb),
3043
	       skb->len);
3044

3045
	/* Time stamp */
3046
	__net_timestamp(skb);
3047

3048
	/* Send copy to monitor */
3049
	hci_send_to_monitor(hdev, skb);
3050

3051
	if (atomic_read(&hdev->promisc)) {
3052
		/* Send copy to the sockets */
3053
		hci_send_to_sock(hdev, skb);
3054
	}
3055

3056
	/* Get rid of skb owner, prior to sending to the driver. */
3057
	skb_orphan(skb);
3058

3059
	if (!test_bit(HCI_RUNNING, &hdev->flags)) {
3060
		kfree_skb(skb);
3061
		return -EINVAL;
3062
	}
3063

3064
	if (hci_skb_pkt_type(skb) == HCI_DRV_PKT) {
3065
		/* Intercept HCI Drv packet here and don't go with hdev->send
3066
		 * callback.
3067
		 */
3068
		err = hci_drv_process_cmd(hdev, skb);
3069
		kfree_skb(skb);
3070
		return err;
3071
	}
3072

3073
	err = hdev->send(hdev, skb);
3074
	if (err < 0) {
3075
		bt_dev_err(hdev, "sending frame failed (%d)", err);
3076
		kfree_skb(skb);
3077
		return err;
3078
	}
3079

3080
	return 0;
3081
}
3082

3083
static int hci_send_conn_frame(struct hci_dev *hdev, struct hci_conn *conn,
3084
			       struct sk_buff *skb)
3085
{
3086
	hci_conn_tx_queue(conn, skb);
3087
	return hci_send_frame(hdev, skb);
3088
}
3089

3090
/* Send HCI command */
3091
int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
3092
		 const void *param)
3093
{
3094
	struct sk_buff *skb;
3095

3096
	BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
3097

3098
	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
3099
	if (!skb) {
3100
		bt_dev_err(hdev, "no memory for command");
3101
		return -ENOMEM;
3102
	}
3103

3104
	/* Stand-alone HCI commands must be flagged as
3105
	 * single-command requests.
3106
	 */
3107
	bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
3108

3109
	skb_queue_tail(&hdev->cmd_q, skb);
3110
	queue_work(hdev->workqueue, &hdev->cmd_work);
3111

3112
	return 0;
3113
}
3114

3115
int __hci_cmd_send(struct hci_dev *hdev, u16 opcode, u32 plen,
3116
		   const void *param)
3117
{
3118
	struct sk_buff *skb;
3119

3120
	if (hci_opcode_ogf(opcode) != 0x3f) {
3121
		/* A controller receiving a command shall respond with either
3122
		 * a Command Status Event or a Command Complete Event.
3123
		 * Therefore, all standard HCI commands must be sent via the
3124
		 * standard API, using hci_send_cmd or hci_cmd_sync helpers.
3125
		 * Some vendors do not comply with this rule for vendor-specific
3126
		 * commands and do not return any event. We want to support
3127
		 * unresponded commands for such cases only.
3128
		 */
3129
		bt_dev_err(hdev, "unresponded command not supported");
3130
		return -EINVAL;
3131
	}
3132

3133
	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, NULL);
3134
	if (!skb) {
3135
		bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
3136
			   opcode);
3137
		return -ENOMEM;
3138
	}
3139

3140
	hci_send_frame(hdev, skb);
3141

3142
	return 0;
3143
}
3144
EXPORT_SYMBOL(__hci_cmd_send);
3145

3146
/* Get data from the previously sent command */
3147
static void *hci_cmd_data(struct sk_buff *skb, __u16 opcode)
3148
{
3149
	struct hci_command_hdr *hdr;
3150

3151
	if (!skb || skb->len < HCI_COMMAND_HDR_SIZE)
3152
		return NULL;
3153

3154
	hdr = (void *)skb->data;
3155

3156
	if (hdr->opcode != cpu_to_le16(opcode))
3157
		return NULL;
3158

3159
	return skb->data + HCI_COMMAND_HDR_SIZE;
3160
}
3161

3162
/* Get data from the previously sent command */
3163
void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
3164
{
3165
	void *data;
3166

3167
	/* Check if opcode matches last sent command */
3168
	data = hci_cmd_data(hdev->sent_cmd, opcode);
3169
	if (!data)
3170
		/* Check if opcode matches last request */
3171
		data = hci_cmd_data(hdev->req_skb, opcode);
3172

3173
	return data;
3174
}
3175

3176
/* Get data from last received event */
3177
void *hci_recv_event_data(struct hci_dev *hdev, __u8 event)
3178
{
3179
	struct hci_event_hdr *hdr;
3180
	int offset;
3181

3182
	if (!hdev->recv_event)
3183
		return NULL;
3184

3185
	hdr = (void *)hdev->recv_event->data;
3186
	offset = sizeof(*hdr);
3187

3188
	if (hdr->evt != event) {
3189
		/* In case of LE metaevent check the subevent match */
3190
		if (hdr->evt == HCI_EV_LE_META) {
3191
			struct hci_ev_le_meta *ev;
3192

3193
			ev = (void *)hdev->recv_event->data + offset;
3194
			offset += sizeof(*ev);
3195
			if (ev->subevent == event)
3196
				goto found;
3197
		}
3198
		return NULL;
3199
	}
3200

3201
found:
3202
	bt_dev_dbg(hdev, "event 0x%2.2x", event);
3203

3204
	return hdev->recv_event->data + offset;
3205
}
3206

3207
/* Send ACL data */
3208
static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
3209
{
3210
	struct hci_acl_hdr *hdr;
3211
	int len = skb->len;
3212

3213
	skb_push(skb, HCI_ACL_HDR_SIZE);
3214
	skb_reset_transport_header(skb);
3215
	hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
3216
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3217
	hdr->dlen   = cpu_to_le16(len);
3218
}
3219

3220
static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
3221
			  struct sk_buff *skb, __u16 flags)
3222
{
3223
	struct hci_conn *conn = chan->conn;
3224
	struct hci_dev *hdev = conn->hdev;
3225
	struct sk_buff *list;
3226

3227
	skb->len = skb_headlen(skb);
3228
	skb->data_len = 0;
3229

3230
	hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3231

3232
	hci_add_acl_hdr(skb, conn->handle, flags);
3233

3234
	list = skb_shinfo(skb)->frag_list;
3235
	if (!list) {
3236
		/* Non fragmented */
3237
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3238

3239
		skb_queue_tail(queue, skb);
3240
	} else {
3241
		/* Fragmented */
3242
		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3243

3244
		skb_shinfo(skb)->frag_list = NULL;
3245

3246
		/* Queue all fragments atomically. We need to use spin_lock_bh
3247
		 * here because of 6LoWPAN links, as there this function is
3248
		 * called from softirq and using normal spin lock could cause
3249
		 * deadlocks.
3250
		 */
3251
		spin_lock_bh(&queue->lock);
3252

3253
		__skb_queue_tail(queue, skb);
3254

3255
		flags &= ~ACL_START;
3256
		flags |= ACL_CONT;
3257
		do {
3258
			skb = list; list = list->next;
3259

3260
			hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
3261
			hci_add_acl_hdr(skb, conn->handle, flags);
3262

3263
			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3264

3265
			__skb_queue_tail(queue, skb);
3266
		} while (list);
3267

3268
		spin_unlock_bh(&queue->lock);
3269
	}
3270

3271
	bt_dev_dbg(hdev, "chan %p queued %d", chan, skb_queue_len(queue));
3272
}
3273

3274
void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
3275
{
3276
	struct hci_dev *hdev = chan->conn->hdev;
3277

3278
	BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
3279

3280
	hci_queue_acl(chan, &chan->data_q, skb, flags);
3281

3282
	queue_work(hdev->workqueue, &hdev->tx_work);
3283
}
3284

3285
/* Send SCO data */
3286
void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
3287
{
3288
	struct hci_dev *hdev = conn->hdev;
3289
	struct hci_sco_hdr hdr;
3290

3291
	BT_DBG("%s len %d", hdev->name, skb->len);
3292

3293
	hdr.handle = cpu_to_le16(conn->handle);
3294
	hdr.dlen   = skb->len;
3295

3296
	skb_push(skb, HCI_SCO_HDR_SIZE);
3297
	skb_reset_transport_header(skb);
3298
	memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
3299

3300
	hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
3301

3302
	skb_queue_tail(&conn->data_q, skb);
3303

3304
	bt_dev_dbg(hdev, "hcon %p queued %d", conn,
3305
		   skb_queue_len(&conn->data_q));
3306

3307
	queue_work(hdev->workqueue, &hdev->tx_work);
3308
}
3309

3310
/* Send ISO data */
3311
static void hci_add_iso_hdr(struct sk_buff *skb, __u16 handle, __u8 flags)
3312
{
3313
	struct hci_iso_hdr *hdr;
3314
	int len = skb->len;
3315

3316
	skb_push(skb, HCI_ISO_HDR_SIZE);
3317
	skb_reset_transport_header(skb);
3318
	hdr = (struct hci_iso_hdr *)skb_transport_header(skb);
3319
	hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
3320
	hdr->dlen   = cpu_to_le16(len);
3321
}
3322

3323
static void hci_queue_iso(struct hci_conn *conn, struct sk_buff_head *queue,
3324
			  struct sk_buff *skb)
3325
{
3326
	struct hci_dev *hdev = conn->hdev;
3327
	struct sk_buff *list;
3328
	__u16 flags;
3329

3330
	skb->len = skb_headlen(skb);
3331
	skb->data_len = 0;
3332

3333
	hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
3334

3335
	list = skb_shinfo(skb)->frag_list;
3336

3337
	flags = hci_iso_flags_pack(list ? ISO_START : ISO_SINGLE, 0x00);
3338
	hci_add_iso_hdr(skb, conn->handle, flags);
3339

3340
	if (!list) {
3341
		/* Non fragmented */
3342
		BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
3343

3344
		skb_queue_tail(queue, skb);
3345
	} else {
3346
		/* Fragmented */
3347
		BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3348

3349
		skb_shinfo(skb)->frag_list = NULL;
3350

3351
		__skb_queue_tail(queue, skb);
3352

3353
		do {
3354
			skb = list; list = list->next;
3355

3356
			hci_skb_pkt_type(skb) = HCI_ISODATA_PKT;
3357
			flags = hci_iso_flags_pack(list ? ISO_CONT : ISO_END,
3358
						   0x00);
3359
			hci_add_iso_hdr(skb, conn->handle, flags);
3360

3361
			BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
3362

3363
			__skb_queue_tail(queue, skb);
3364
		} while (list);
3365
	}
3366

3367
	bt_dev_dbg(hdev, "hcon %p queued %d", conn, skb_queue_len(queue));
3368
}
3369

3370
void hci_send_iso(struct hci_conn *conn, struct sk_buff *skb)
3371
{
3372
	struct hci_dev *hdev = conn->hdev;
3373

3374
	BT_DBG("%s len %d", hdev->name, skb->len);
3375

3376
	hci_queue_iso(conn, &conn->data_q, skb);
3377

3378
	queue_work(hdev->workqueue, &hdev->tx_work);
3379
}
3380

3381
/* ---- HCI TX task (outgoing data) ---- */
3382

3383
/* HCI Connection scheduler */
3384
static inline void hci_quote_sent(struct hci_conn *conn, int num, int *quote)
3385
{
3386
	struct hci_dev *hdev;
3387
	int cnt, q;
3388

3389
	if (!conn) {
3390
		*quote = 0;
3391
		return;
3392
	}
3393

3394
	hdev = conn->hdev;
3395

3396
	switch (conn->type) {
3397
	case ACL_LINK:
3398
		cnt = hdev->acl_cnt;
3399
		break;
3400
	case SCO_LINK:
3401
	case ESCO_LINK:
3402
		cnt = hdev->sco_cnt;
3403
		break;
3404
	case LE_LINK:
3405
		cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
3406
		break;
3407
	case CIS_LINK:
3408
	case BIS_LINK:
3409
	case PA_LINK:
3410
		cnt = hdev->iso_cnt;
3411
		break;
3412
	default:
3413
		cnt = 0;
3414
		bt_dev_err(hdev, "unknown link type %d", conn->type);
3415
	}
3416

3417
	q = cnt / num;
3418
	*quote = q ? q : 1;
3419
}
3420

3421
static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
3422
				     int *quote)
3423
{
3424
	struct hci_conn_hash *h = &hdev->conn_hash;
3425
	struct hci_conn *conn = NULL, *c;
3426
	unsigned int num = 0, min = ~0;
3427

3428
	/* We don't have to lock device here. Connections are always
3429
	 * added and removed with TX task disabled. */
3430

3431
	rcu_read_lock();
3432

3433
	list_for_each_entry_rcu(c, &h->list, list) {
3434
		if (c->type != type ||
3435
		    skb_queue_empty(&c->data_q))
3436
			continue;
3437

3438
		bt_dev_dbg(hdev, "hcon %p state %s queued %d", c,
3439
			   state_to_string(c->state),
3440
			   skb_queue_len(&c->data_q));
3441

3442
		if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
3443
			continue;
3444

3445
		num++;
3446

3447
		if (c->sent < min) {
3448
			min  = c->sent;
3449
			conn = c;
3450
		}
3451

3452
		if (hci_conn_num(hdev, type) == num)
3453
			break;
3454
	}
3455

3456
	rcu_read_unlock();
3457

3458
	hci_quote_sent(conn, num, quote);
3459

3460
	BT_DBG("conn %p quote %d", conn, *quote);
3461
	return conn;
3462
}
3463

3464
static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
3465
{
3466
	struct hci_conn_hash *h = &hdev->conn_hash;
3467
	struct hci_conn *c;
3468

3469
	bt_dev_err(hdev, "link tx timeout");
3470

3471
	hci_dev_lock(hdev);
3472

3473
	/* Kill stalled connections */
3474
	list_for_each_entry(c, &h->list, list) {
3475
		if (c->type == type && c->sent) {
3476
			bt_dev_err(hdev, "killing stalled connection %pMR",
3477
				   &c->dst);
3478
			hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
3479
		}
3480
	}
3481

3482
	hci_dev_unlock(hdev);
3483
}
3484

3485
static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
3486
				      int *quote)
3487
{
3488
	struct hci_conn_hash *h = &hdev->conn_hash;
3489
	struct hci_chan *chan = NULL;
3490
	unsigned int num = 0, min = ~0, cur_prio = 0;
3491
	struct hci_conn *conn;
3492
	int conn_num = 0;
3493

3494
	BT_DBG("%s", hdev->name);
3495

3496
	rcu_read_lock();
3497

3498
	list_for_each_entry_rcu(conn, &h->list, list) {
3499
		struct hci_chan *tmp;
3500

3501
		if (conn->type != type)
3502
			continue;
3503

3504
		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3505
			continue;
3506

3507
		conn_num++;
3508

3509
		list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
3510
			struct sk_buff *skb;
3511

3512
			if (skb_queue_empty(&tmp->data_q))
3513
				continue;
3514

3515
			skb = skb_peek(&tmp->data_q);
3516
			if (skb->priority < cur_prio)
3517
				continue;
3518

3519
			if (skb->priority > cur_prio) {
3520
				num = 0;
3521
				min = ~0;
3522
				cur_prio = skb->priority;
3523
			}
3524

3525
			num++;
3526

3527
			if (conn->sent < min) {
3528
				min  = conn->sent;
3529
				chan = tmp;
3530
			}
3531
		}
3532

3533
		if (hci_conn_num(hdev, type) == conn_num)
3534
			break;
3535
	}
3536

3537
	rcu_read_unlock();
3538

3539
	if (!chan)
3540
		return NULL;
3541

3542
	hci_quote_sent(chan->conn, num, quote);
3543

3544
	BT_DBG("chan %p quote %d", chan, *quote);
3545
	return chan;
3546
}
3547

3548
static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
3549
{
3550
	struct hci_conn_hash *h = &hdev->conn_hash;
3551
	struct hci_conn *conn;
3552
	int num = 0;
3553

3554
	BT_DBG("%s", hdev->name);
3555

3556
	rcu_read_lock();
3557

3558
	list_for_each_entry_rcu(conn, &h->list, list) {
3559
		struct hci_chan *chan;
3560

3561
		if (conn->type != type)
3562
			continue;
3563

3564
		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3565
			continue;
3566

3567
		num++;
3568

3569
		list_for_each_entry_rcu(chan, &conn->chan_list, list) {
3570
			struct sk_buff *skb;
3571

3572
			if (chan->sent) {
3573
				chan->sent = 0;
3574
				continue;
3575
			}
3576

3577
			if (skb_queue_empty(&chan->data_q))
3578
				continue;
3579

3580
			skb = skb_peek(&chan->data_q);
3581
			if (skb->priority >= HCI_PRIO_MAX - 1)
3582
				continue;
3583

3584
			skb->priority = HCI_PRIO_MAX - 1;
3585

3586
			BT_DBG("chan %p skb %p promoted to %d", chan, skb,
3587
			       skb->priority);
3588
		}
3589

3590
		if (hci_conn_num(hdev, type) == num)
3591
			break;
3592
	}
3593

3594
	rcu_read_unlock();
3595

3596
}
3597

3598
static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type)
3599
{
3600
	unsigned long timeout;
3601

3602
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
3603
		return;
3604

3605
	switch (type) {
3606
	case ACL_LINK:
3607
		/* tx timeout must be longer than maximum link supervision
3608
		 * timeout (40.9 seconds)
3609
		 */
3610
		timeout = hdev->acl_last_tx + HCI_ACL_TX_TIMEOUT;
3611
		break;
3612
	case LE_LINK:
3613
		/* tx timeout must be longer than maximum link supervision
3614
		 * timeout (40.9 seconds)
3615
		 */
3616
		timeout = hdev->le_last_tx + HCI_ACL_TX_TIMEOUT;
3617
		break;
3618
	case CIS_LINK:
3619
	case BIS_LINK:
3620
	case PA_LINK:
3621
		/* tx timeout must be longer than the maximum transport latency
3622
		 * (8.388607 seconds)
3623
		 */
3624
		timeout = hdev->iso_last_tx + HCI_ISO_TX_TIMEOUT;
3625
		break;
3626
	default:
3627
		return;
3628
	}
3629

3630
	if (!cnt && time_after(jiffies, timeout))
3631
		hci_link_tx_to(hdev, type);
3632
}
3633

3634
/* Schedule SCO */
3635
static void hci_sched_sco(struct hci_dev *hdev, __u8 type)
3636
{
3637
	struct hci_conn *conn;
3638
	struct sk_buff *skb;
3639
	int quote, *cnt;
3640
	unsigned int pkts = hdev->sco_pkts;
3641

3642
	bt_dev_dbg(hdev, "type %u", type);
3643

3644
	if (!hci_conn_num(hdev, type) || !pkts)
3645
		return;
3646

3647
	/* Use sco_pkts if flow control has not been enabled which will limit
3648
	 * the amount of buffer sent in a row.
3649
	 */
3650
	if (!hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
3651
		cnt = &pkts;
3652
	else
3653
		cnt = &hdev->sco_cnt;
3654

3655
	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
3656
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3657
			BT_DBG("skb %p len %d", skb, skb->len);
3658
			hci_send_conn_frame(hdev, conn, skb);
3659

3660
			conn->sent++;
3661
			if (conn->sent == ~0)
3662
				conn->sent = 0;
3663
			(*cnt)--;
3664
		}
3665
	}
3666

3667
	/* Rescheduled if all packets were sent and flow control is not enabled
3668
	 * as there could be more packets queued that could not be sent and
3669
	 * since no HCI_EV_NUM_COMP_PKTS event will be generated the reschedule
3670
	 * needs to be forced.
3671
	 */
3672
	if (!pkts && !hci_dev_test_flag(hdev, HCI_SCO_FLOWCTL))
3673
		queue_work(hdev->workqueue, &hdev->tx_work);
3674
}
3675

3676
static void hci_sched_acl_pkt(struct hci_dev *hdev)
3677
{
3678
	unsigned int cnt = hdev->acl_cnt;
3679
	struct hci_chan *chan;
3680
	struct sk_buff *skb;
3681
	int quote;
3682

3683
	__check_timeout(hdev, cnt, ACL_LINK);
3684

3685
	while (hdev->acl_cnt &&
3686
	       (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3687
		u32 priority = (skb_peek(&chan->data_q))->priority;
3688
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3689
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3690
			       skb->len, skb->priority);
3691

3692
			/* Stop if priority has changed */
3693
			if (skb->priority < priority)
3694
				break;
3695

3696
			skb = skb_dequeue(&chan->data_q);
3697

3698
			hci_conn_enter_active_mode(chan->conn,
3699
						   bt_cb(skb)->force_active);
3700

3701
			hci_send_conn_frame(hdev, chan->conn, skb);
3702
			hdev->acl_last_tx = jiffies;
3703

3704
			hdev->acl_cnt--;
3705
			chan->sent++;
3706
			chan->conn->sent++;
3707

3708
			/* Send pending SCO packets right away */
3709
			hci_sched_sco(hdev, SCO_LINK);
3710
			hci_sched_sco(hdev, ESCO_LINK);
3711
		}
3712
	}
3713

3714
	if (cnt != hdev->acl_cnt)
3715
		hci_prio_recalculate(hdev, ACL_LINK);
3716
}
3717

3718
static void hci_sched_acl(struct hci_dev *hdev)
3719
{
3720
	BT_DBG("%s", hdev->name);
3721

3722
	/* No ACL link over BR/EDR controller */
3723
	if (!hci_conn_num(hdev, ACL_LINK))
3724
		return;
3725

3726
	hci_sched_acl_pkt(hdev);
3727
}
3728

3729
static void hci_sched_le(struct hci_dev *hdev)
3730
{
3731
	struct hci_chan *chan;
3732
	struct sk_buff *skb;
3733
	int quote, *cnt, tmp;
3734

3735
	BT_DBG("%s", hdev->name);
3736

3737
	if (!hci_conn_num(hdev, LE_LINK))
3738
		return;
3739

3740
	cnt = hdev->le_pkts ? &hdev->le_cnt : &hdev->acl_cnt;
3741

3742
	__check_timeout(hdev, *cnt, LE_LINK);
3743

3744
	tmp = *cnt;
3745
	while (*cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3746
		u32 priority = (skb_peek(&chan->data_q))->priority;
3747
		while (quote-- && (skb = skb_peek(&chan->data_q))) {
3748
			BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3749
			       skb->len, skb->priority);
3750

3751
			/* Stop if priority has changed */
3752
			if (skb->priority < priority)
3753
				break;
3754

3755
			skb = skb_dequeue(&chan->data_q);
3756

3757
			hci_send_conn_frame(hdev, chan->conn, skb);
3758
			hdev->le_last_tx = jiffies;
3759

3760
			(*cnt)--;
3761
			chan->sent++;
3762
			chan->conn->sent++;
3763

3764
			/* Send pending SCO packets right away */
3765
			hci_sched_sco(hdev, SCO_LINK);
3766
			hci_sched_sco(hdev, ESCO_LINK);
3767
		}
3768
	}
3769

3770
	if (*cnt != tmp)
3771
		hci_prio_recalculate(hdev, LE_LINK);
3772
}
3773

3774
/* Schedule iso */
3775
static void hci_sched_iso(struct hci_dev *hdev, __u8 type)
3776
{
3777
	struct hci_conn *conn;
3778
	struct sk_buff *skb;
3779
	int quote, *cnt;
3780

3781
	BT_DBG("%s", hdev->name);
3782

3783
	if (!hci_conn_num(hdev, type))
3784
		return;
3785

3786
	cnt = &hdev->iso_cnt;
3787

3788
	__check_timeout(hdev, *cnt, type);
3789

3790
	while (*cnt && (conn = hci_low_sent(hdev, type, &quote))) {
3791
		while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3792
			BT_DBG("skb %p len %d", skb, skb->len);
3793

3794
			hci_send_conn_frame(hdev, conn, skb);
3795
			hdev->iso_last_tx = jiffies;
3796

3797
			conn->sent++;
3798
			if (conn->sent == ~0)
3799
				conn->sent = 0;
3800
			(*cnt)--;
3801
		}
3802
	}
3803
}
3804

3805
static void hci_tx_work(struct work_struct *work)
3806
{
3807
	struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3808
	struct sk_buff *skb;
3809

3810
	BT_DBG("%s acl %d sco %d le %d iso %d", hdev->name, hdev->acl_cnt,
3811
	       hdev->sco_cnt, hdev->le_cnt, hdev->iso_cnt);
3812

3813
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
3814
		/* Schedule queues and send stuff to HCI driver */
3815
		hci_sched_sco(hdev, SCO_LINK);
3816
		hci_sched_sco(hdev, ESCO_LINK);
3817
		hci_sched_iso(hdev, CIS_LINK);
3818
		hci_sched_iso(hdev, BIS_LINK);
3819
		hci_sched_iso(hdev, PA_LINK);
3820
		hci_sched_acl(hdev);
3821
		hci_sched_le(hdev);
3822
	}
3823

3824
	/* Send next queued raw (unknown type) packet */
3825
	while ((skb = skb_dequeue(&hdev->raw_q)))
3826
		hci_send_frame(hdev, skb);
3827
}
3828

3829
/* ----- HCI RX task (incoming data processing) ----- */
3830

3831
/* ACL data packet */
3832
static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3833
{
3834
	struct hci_acl_hdr *hdr;
3835
	struct hci_conn *conn;
3836
	__u16 handle, flags;
3837

3838
	hdr = skb_pull_data(skb, sizeof(*hdr));
3839
	if (!hdr) {
3840
		bt_dev_err(hdev, "ACL packet too small");
3841
		goto drop;
3842
	}
3843

3844
	handle = __le16_to_cpu(hdr->handle);
3845
	flags  = hci_flags(handle);
3846
	handle = hci_handle(handle);
3847

3848
	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
3849
		   handle, flags);
3850

3851
	hdev->stat.acl_rx++;
3852

3853
	hci_dev_lock(hdev);
3854
	conn = hci_conn_hash_lookup_handle(hdev, handle);
3855
	hci_dev_unlock(hdev);
3856

3857
	if (conn) {
3858
		hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3859

3860
		/* Send to upper protocol */
3861
		l2cap_recv_acldata(conn, skb, flags);
3862
		return;
3863
	} else {
3864
		bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
3865
			   handle);
3866
	}
3867

3868
drop:
3869
	kfree_skb(skb);
3870
}
3871

3872
/* SCO data packet */
3873
static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3874
{
3875
	struct hci_sco_hdr *hdr;
3876
	struct hci_conn *conn;
3877
	__u16 handle, flags;
3878

3879
	hdr = skb_pull_data(skb, sizeof(*hdr));
3880
	if (!hdr) {
3881
		bt_dev_err(hdev, "SCO packet too small");
3882
		goto drop;
3883
	}
3884

3885
	handle = __le16_to_cpu(hdr->handle);
3886
	flags  = hci_flags(handle);
3887
	handle = hci_handle(handle);
3888

3889
	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
3890
		   handle, flags);
3891

3892
	hdev->stat.sco_rx++;
3893

3894
	hci_dev_lock(hdev);
3895
	conn = hci_conn_hash_lookup_handle(hdev, handle);
3896
	hci_dev_unlock(hdev);
3897

3898
	if (conn) {
3899
		/* Send to upper protocol */
3900
		hci_skb_pkt_status(skb) = flags & 0x03;
3901
		sco_recv_scodata(conn, skb);
3902
		return;
3903
	} else {
3904
		bt_dev_err_ratelimited(hdev, "SCO packet for unknown connection handle %d",
3905
				       handle);
3906
	}
3907

3908
drop:
3909
	kfree_skb(skb);
3910
}
3911

3912
static void hci_isodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3913
{
3914
	struct hci_iso_hdr *hdr;
3915
	struct hci_conn *conn;
3916
	__u16 handle, flags;
3917

3918
	hdr = skb_pull_data(skb, sizeof(*hdr));
3919
	if (!hdr) {
3920
		bt_dev_err(hdev, "ISO packet too small");
3921
		goto drop;
3922
	}
3923

3924
	handle = __le16_to_cpu(hdr->handle);
3925
	flags  = hci_flags(handle);
3926
	handle = hci_handle(handle);
3927

3928
	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
3929
		   handle, flags);
3930

3931
	hci_dev_lock(hdev);
3932
	conn = hci_conn_hash_lookup_handle(hdev, handle);
3933
	hci_dev_unlock(hdev);
3934

3935
	if (!conn) {
3936
		bt_dev_err(hdev, "ISO packet for unknown connection handle %d",
3937
			   handle);
3938
		goto drop;
3939
	}
3940

3941
	/* Send to upper protocol */
3942
	iso_recv(conn, skb, flags);
3943
	return;
3944

3945
drop:
3946
	kfree_skb(skb);
3947
}
3948

3949
static bool hci_req_is_complete(struct hci_dev *hdev)
3950
{
3951
	struct sk_buff *skb;
3952

3953
	skb = skb_peek(&hdev->cmd_q);
3954
	if (!skb)
3955
		return true;
3956

3957
	return (bt_cb(skb)->hci.req_flags & HCI_REQ_START);
3958
}
3959

3960
static void hci_resend_last(struct hci_dev *hdev)
3961
{
3962
	struct hci_command_hdr *sent;
3963
	struct sk_buff *skb;
3964
	u16 opcode;
3965

3966
	if (!hdev->sent_cmd)
3967
		return;
3968

3969
	sent = (void *) hdev->sent_cmd->data;
3970
	opcode = __le16_to_cpu(sent->opcode);
3971
	if (opcode == HCI_OP_RESET)
3972
		return;
3973

3974
	skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
3975
	if (!skb)
3976
		return;
3977

3978
	skb_queue_head(&hdev->cmd_q, skb);
3979
	queue_work(hdev->workqueue, &hdev->cmd_work);
3980
}
3981

3982
void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
3983
			  hci_req_complete_t *req_complete,
3984
			  hci_req_complete_skb_t *req_complete_skb)
3985
{
3986
	struct sk_buff *skb;
3987
	unsigned long flags;
3988

3989
	BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3990

3991
	/* If the completed command doesn't match the last one that was
3992
	 * sent we need to do special handling of it.
3993
	 */
3994
	if (!hci_sent_cmd_data(hdev, opcode)) {
3995
		/* Some CSR based controllers generate a spontaneous
3996
		 * reset complete event during init and any pending
3997
		 * command will never be completed. In such a case we
3998
		 * need to resend whatever was the last sent
3999
		 * command.
4000
		 */
4001
		if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
4002
			hci_resend_last(hdev);
4003

4004
		return;
4005
	}
4006

4007
	/* If we reach this point this event matches the last command sent */
4008
	hci_dev_clear_flag(hdev, HCI_CMD_PENDING);
4009

4010
	/* If the command succeeded and there's still more commands in
4011
	 * this request the request is not yet complete.
4012
	 */
4013
	if (!status && !hci_req_is_complete(hdev))
4014
		return;
4015

4016
	skb = hdev->req_skb;
4017

4018
	/* If this was the last command in a request the complete
4019
	 * callback would be found in hdev->req_skb instead of the
4020
	 * command queue (hdev->cmd_q).
4021
	 */
4022
	if (skb && bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) {
4023
		*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4024
		return;
4025
	}
4026

4027
	if (skb && bt_cb(skb)->hci.req_complete) {
4028
		*req_complete = bt_cb(skb)->hci.req_complete;
4029
		return;
4030
	}
4031

4032
	/* Remove all pending commands belonging to this request */
4033
	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4034
	while ((skb = __skb_dequeue(&hdev->cmd_q))) {
4035
		if (bt_cb(skb)->hci.req_flags & HCI_REQ_START) {
4036
			__skb_queue_head(&hdev->cmd_q, skb);
4037
			break;
4038
		}
4039

4040
		if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
4041
			*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
4042
		else
4043
			*req_complete = bt_cb(skb)->hci.req_complete;
4044
		dev_kfree_skb_irq(skb);
4045
	}
4046
	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4047
}
4048

4049
static void hci_rx_work(struct work_struct *work)
4050
{
4051
	struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
4052
	struct sk_buff *skb;
4053

4054
	BT_DBG("%s", hdev->name);
4055

4056
	/* The kcov_remote functions used for collecting packet parsing
4057
	 * coverage information from this background thread and associate
4058
	 * the coverage with the syscall's thread which originally injected
4059
	 * the packet. This helps fuzzing the kernel.
4060
	 */
4061
	for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) {
4062
		kcov_remote_start_common(skb_get_kcov_handle(skb));
4063

4064
		/* Send copy to monitor */
4065
		hci_send_to_monitor(hdev, skb);
4066

4067
		if (atomic_read(&hdev->promisc)) {
4068
			/* Send copy to the sockets */
4069
			hci_send_to_sock(hdev, skb);
4070
		}
4071

4072
		/* If the device has been opened in HCI_USER_CHANNEL,
4073
		 * the userspace has exclusive access to device.
4074
		 * When device is HCI_INIT, we still need to process
4075
		 * the data packets to the driver in order
4076
		 * to complete its setup().
4077
		 */
4078
		if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
4079
		    !test_bit(HCI_INIT, &hdev->flags)) {
4080
			kfree_skb(skb);
4081
			continue;
4082
		}
4083

4084
		if (test_bit(HCI_INIT, &hdev->flags)) {
4085
			/* Don't process data packets in this states. */
4086
			switch (hci_skb_pkt_type(skb)) {
4087
			case HCI_ACLDATA_PKT:
4088
			case HCI_SCODATA_PKT:
4089
			case HCI_ISODATA_PKT:
4090
				kfree_skb(skb);
4091
				continue;
4092
			}
4093
		}
4094

4095
		/* Process frame */
4096
		switch (hci_skb_pkt_type(skb)) {
4097
		case HCI_EVENT_PKT:
4098
			BT_DBG("%s Event packet", hdev->name);
4099
			hci_event_packet(hdev, skb);
4100
			break;
4101

4102
		case HCI_ACLDATA_PKT:
4103
			BT_DBG("%s ACL data packet", hdev->name);
4104
			hci_acldata_packet(hdev, skb);
4105
			break;
4106

4107
		case HCI_SCODATA_PKT:
4108
			BT_DBG("%s SCO data packet", hdev->name);
4109
			hci_scodata_packet(hdev, skb);
4110
			break;
4111

4112
		case HCI_ISODATA_PKT:
4113
			BT_DBG("%s ISO data packet", hdev->name);
4114
			hci_isodata_packet(hdev, skb);
4115
			break;
4116

4117
		default:
4118
			kfree_skb(skb);
4119
			break;
4120
		}
4121
	}
4122
}
4123

4124
static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
4125
{
4126
	int err;
4127

4128
	bt_dev_dbg(hdev, "skb %p", skb);
4129

4130
	kfree_skb(hdev->sent_cmd);
4131

4132
	hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
4133
	if (!hdev->sent_cmd) {
4134
		skb_queue_head(&hdev->cmd_q, skb);
4135
		queue_work(hdev->workqueue, &hdev->cmd_work);
4136
		return;
4137
	}
4138

4139
	if (hci_skb_opcode(skb) != HCI_OP_NOP) {
4140
		err = hci_send_frame(hdev, skb);
4141
		if (err < 0) {
4142
			hci_cmd_sync_cancel_sync(hdev, -err);
4143
			return;
4144
		}
4145
		atomic_dec(&hdev->cmd_cnt);
4146
	}
4147

4148
	if (hdev->req_status == HCI_REQ_PEND &&
4149
	    !hci_dev_test_and_set_flag(hdev, HCI_CMD_PENDING)) {
4150
		kfree_skb(hdev->req_skb);
4151
		hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
4152
	}
4153
}
4154

4155
static void hci_cmd_work(struct work_struct *work)
4156
{
4157
	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
4158
	struct sk_buff *skb;
4159

4160
	BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
4161
	       atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
4162

4163
	/* Send queued commands */
4164
	if (atomic_read(&hdev->cmd_cnt)) {
4165
		skb = skb_dequeue(&hdev->cmd_q);
4166
		if (!skb)
4167
			return;
4168

4169
		hci_send_cmd_sync(hdev, skb);
4170

4171
		rcu_read_lock();
4172
		if (test_bit(HCI_RESET, &hdev->flags) ||
4173
		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
4174
			cancel_delayed_work(&hdev->cmd_timer);
4175
		else
4176
			queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
4177
					   HCI_CMD_TIMEOUT);
4178
		rcu_read_unlock();
4179
	}
4180
}
4181

4182