2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2000-2001 Qualcomm Incorporated
4 Copyright (C) 2011 ProFUSION Embedded Systems
6 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License version 2 as
10 published by the Free Software Foundation;
12 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23 SOFTWARE IS DISCLAIMED.
26 /* Bluetooth HCI core. */
28 #include <linux/export.h>
29 #include <linux/idr.h>
30 #include <linux/rfkill.h>
31 #include <linux/debugfs.h>
32 #include <linux/crypto.h>
33 #include <asm/unaligned.h>
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
40 static void hci_rx_work(struct work_struct *work);
41 static void hci_cmd_work(struct work_struct *work);
42 static void hci_tx_work(struct work_struct *work);
45 LIST_HEAD(hci_dev_list);
46 DEFINE_RWLOCK(hci_dev_list_lock);
48 /* HCI callback list */
49 LIST_HEAD(hci_cb_list);
50 DEFINE_RWLOCK(hci_cb_list_lock);
52 /* HCI ID Numbering */
53 static DEFINE_IDA(hci_index_ida);
55 /* ---- HCI notifications ---- */
57 static void hci_notify(struct hci_dev *hdev, int event)
59 hci_sock_dev_event(hdev, event);
62 /* ---- HCI debugfs entries ---- */
64 static ssize_t dut_mode_read(struct file *file, char __user *user_buf,
65 size_t count, loff_t *ppos)
67 struct hci_dev *hdev = file->private_data;
70 buf[0] = test_bit(HCI_DUT_MODE, &hdev->dev_flags) ? 'Y': 'N';
73 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
76 static ssize_t dut_mode_write(struct file *file, const char __user *user_buf,
77 size_t count, loff_t *ppos)
79 struct hci_dev *hdev = file->private_data;
82 size_t buf_size = min(count, (sizeof(buf)-1));
86 if (!test_bit(HCI_UP, &hdev->flags))
89 if (copy_from_user(buf, user_buf, buf_size))
93 if (strtobool(buf, &enable))
96 if (enable == test_bit(HCI_DUT_MODE, &hdev->dev_flags))
101 skb = __hci_cmd_sync(hdev, HCI_OP_ENABLE_DUT_MODE, 0, NULL,
104 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL,
106 hci_req_unlock(hdev);
111 err = -bt_to_errno(skb->data[0]);
117 change_bit(HCI_DUT_MODE, &hdev->dev_flags);
122 static const struct file_operations dut_mode_fops = {
124 .read = dut_mode_read,
125 .write = dut_mode_write,
126 .llseek = default_llseek,
129 static int features_show(struct seq_file *f, void *ptr)
131 struct hci_dev *hdev = f->private;
135 for (p = 0; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
136 seq_printf(f, "%2u: 0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x "
137 "0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x\n", p,
138 hdev->features[p][0], hdev->features[p][1],
139 hdev->features[p][2], hdev->features[p][3],
140 hdev->features[p][4], hdev->features[p][5],
141 hdev->features[p][6], hdev->features[p][7]);
143 if (lmp_le_capable(hdev))
144 seq_printf(f, "LE: 0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x "
145 "0x%2.2x 0x%2.2x 0x%2.2x 0x%2.2x\n",
146 hdev->le_features[0], hdev->le_features[1],
147 hdev->le_features[2], hdev->le_features[3],
148 hdev->le_features[4], hdev->le_features[5],
149 hdev->le_features[6], hdev->le_features[7]);
150 hci_dev_unlock(hdev);
155 static int features_open(struct inode *inode, struct file *file)
157 return single_open(file, features_show, inode->i_private);
160 static const struct file_operations features_fops = {
161 .open = features_open,
164 .release = single_release,
167 static int blacklist_show(struct seq_file *f, void *p)
169 struct hci_dev *hdev = f->private;
170 struct bdaddr_list *b;
173 list_for_each_entry(b, &hdev->blacklist, list)
174 seq_printf(f, "%pMR (type %u)\n", &b->bdaddr, b->bdaddr_type);
175 hci_dev_unlock(hdev);
180 static int blacklist_open(struct inode *inode, struct file *file)
182 return single_open(file, blacklist_show, inode->i_private);
185 static const struct file_operations blacklist_fops = {
186 .open = blacklist_open,
189 .release = single_release,
192 static int uuids_show(struct seq_file *f, void *p)
194 struct hci_dev *hdev = f->private;
195 struct bt_uuid *uuid;
198 list_for_each_entry(uuid, &hdev->uuids, list) {
201 /* The Bluetooth UUID values are stored in big endian,
202 * but with reversed byte order. So convert them into
203 * the right order for the %pUb modifier.
205 for (i = 0; i < 16; i++)
206 val[i] = uuid->uuid[15 - i];
208 seq_printf(f, "%pUb\n", val);
210 hci_dev_unlock(hdev);
215 static int uuids_open(struct inode *inode, struct file *file)
217 return single_open(file, uuids_show, inode->i_private);
220 static const struct file_operations uuids_fops = {
224 .release = single_release,
227 static int inquiry_cache_show(struct seq_file *f, void *p)
229 struct hci_dev *hdev = f->private;
230 struct discovery_state *cache = &hdev->discovery;
231 struct inquiry_entry *e;
235 list_for_each_entry(e, &cache->all, all) {
236 struct inquiry_data *data = &e->data;
237 seq_printf(f, "%pMR %d %d %d 0x%.2x%.2x%.2x 0x%.4x %d %d %u\n",
239 data->pscan_rep_mode, data->pscan_period_mode,
240 data->pscan_mode, data->dev_class[2],
241 data->dev_class[1], data->dev_class[0],
242 __le16_to_cpu(data->clock_offset),
243 data->rssi, data->ssp_mode, e->timestamp);
246 hci_dev_unlock(hdev);
251 static int inquiry_cache_open(struct inode *inode, struct file *file)
253 return single_open(file, inquiry_cache_show, inode->i_private);
256 static const struct file_operations inquiry_cache_fops = {
257 .open = inquiry_cache_open,
260 .release = single_release,
263 static int link_keys_show(struct seq_file *f, void *ptr)
265 struct hci_dev *hdev = f->private;
266 struct list_head *p, *n;
269 list_for_each_safe(p, n, &hdev->link_keys) {
270 struct link_key *key = list_entry(p, struct link_key, list);
271 seq_printf(f, "%pMR %u %*phN %u\n", &key->bdaddr, key->type,
272 HCI_LINK_KEY_SIZE, key->val, key->pin_len);
274 hci_dev_unlock(hdev);
279 static int link_keys_open(struct inode *inode, struct file *file)
281 return single_open(file, link_keys_show, inode->i_private);
284 static const struct file_operations link_keys_fops = {
285 .open = link_keys_open,
288 .release = single_release,
291 static int dev_class_show(struct seq_file *f, void *ptr)
293 struct hci_dev *hdev = f->private;
296 seq_printf(f, "0x%.2x%.2x%.2x\n", hdev->dev_class[2],
297 hdev->dev_class[1], hdev->dev_class[0]);
298 hci_dev_unlock(hdev);
303 static int dev_class_open(struct inode *inode, struct file *file)
305 return single_open(file, dev_class_show, inode->i_private);
308 static const struct file_operations dev_class_fops = {
309 .open = dev_class_open,
312 .release = single_release,
315 static int voice_setting_get(void *data, u64 *val)
317 struct hci_dev *hdev = data;
320 *val = hdev->voice_setting;
321 hci_dev_unlock(hdev);
326 DEFINE_SIMPLE_ATTRIBUTE(voice_setting_fops, voice_setting_get,
327 NULL, "0x%4.4llx\n");
329 static int auto_accept_delay_set(void *data, u64 val)
331 struct hci_dev *hdev = data;
334 hdev->auto_accept_delay = val;
335 hci_dev_unlock(hdev);
340 static int auto_accept_delay_get(void *data, u64 *val)
342 struct hci_dev *hdev = data;
345 *val = hdev->auto_accept_delay;
346 hci_dev_unlock(hdev);
351 DEFINE_SIMPLE_ATTRIBUTE(auto_accept_delay_fops, auto_accept_delay_get,
352 auto_accept_delay_set, "%llu\n");
354 static int ssp_debug_mode_set(void *data, u64 val)
356 struct hci_dev *hdev = data;
361 if (val != 0 && val != 1)
364 if (!test_bit(HCI_UP, &hdev->flags))
369 skb = __hci_cmd_sync(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE, sizeof(mode),
370 &mode, HCI_CMD_TIMEOUT);
371 hci_req_unlock(hdev);
376 err = -bt_to_errno(skb->data[0]);
383 hdev->ssp_debug_mode = val;
384 hci_dev_unlock(hdev);
389 static int ssp_debug_mode_get(void *data, u64 *val)
391 struct hci_dev *hdev = data;
394 *val = hdev->ssp_debug_mode;
395 hci_dev_unlock(hdev);
400 DEFINE_SIMPLE_ATTRIBUTE(ssp_debug_mode_fops, ssp_debug_mode_get,
401 ssp_debug_mode_set, "%llu\n");
403 static ssize_t force_sc_support_read(struct file *file, char __user *user_buf,
404 size_t count, loff_t *ppos)
406 struct hci_dev *hdev = file->private_data;
409 buf[0] = test_bit(HCI_FORCE_SC, &hdev->dev_flags) ? 'Y': 'N';
412 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
415 static ssize_t force_sc_support_write(struct file *file,
416 const char __user *user_buf,
417 size_t count, loff_t *ppos)
419 struct hci_dev *hdev = file->private_data;
421 size_t buf_size = min(count, (sizeof(buf)-1));
424 if (test_bit(HCI_UP, &hdev->flags))
427 if (copy_from_user(buf, user_buf, buf_size))
430 buf[buf_size] = '\0';
431 if (strtobool(buf, &enable))
434 if (enable == test_bit(HCI_FORCE_SC, &hdev->dev_flags))
437 change_bit(HCI_FORCE_SC, &hdev->dev_flags);
442 static const struct file_operations force_sc_support_fops = {
444 .read = force_sc_support_read,
445 .write = force_sc_support_write,
446 .llseek = default_llseek,
449 static ssize_t sc_only_mode_read(struct file *file, char __user *user_buf,
450 size_t count, loff_t *ppos)
452 struct hci_dev *hdev = file->private_data;
455 buf[0] = test_bit(HCI_SC_ONLY, &hdev->dev_flags) ? 'Y': 'N';
458 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
461 static const struct file_operations sc_only_mode_fops = {
463 .read = sc_only_mode_read,
464 .llseek = default_llseek,
467 static int idle_timeout_set(void *data, u64 val)
469 struct hci_dev *hdev = data;
471 if (val != 0 && (val < 500 || val > 3600000))
475 hdev->idle_timeout = val;
476 hci_dev_unlock(hdev);
481 static int idle_timeout_get(void *data, u64 *val)
483 struct hci_dev *hdev = data;
486 *val = hdev->idle_timeout;
487 hci_dev_unlock(hdev);
492 DEFINE_SIMPLE_ATTRIBUTE(idle_timeout_fops, idle_timeout_get,
493 idle_timeout_set, "%llu\n");
495 static int rpa_timeout_set(void *data, u64 val)
497 struct hci_dev *hdev = data;
499 /* Require the RPA timeout to be at least 30 seconds and at most
502 if (val < 30 || val > (60 * 60 * 24))
506 hdev->rpa_timeout = val;
507 hci_dev_unlock(hdev);
512 static int rpa_timeout_get(void *data, u64 *val)
514 struct hci_dev *hdev = data;
517 *val = hdev->rpa_timeout;
518 hci_dev_unlock(hdev);
523 DEFINE_SIMPLE_ATTRIBUTE(rpa_timeout_fops, rpa_timeout_get,
524 rpa_timeout_set, "%llu\n");
526 static int sniff_min_interval_set(void *data, u64 val)
528 struct hci_dev *hdev = data;
530 if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
534 hdev->sniff_min_interval = val;
535 hci_dev_unlock(hdev);
540 static int sniff_min_interval_get(void *data, u64 *val)
542 struct hci_dev *hdev = data;
545 *val = hdev->sniff_min_interval;
546 hci_dev_unlock(hdev);
551 DEFINE_SIMPLE_ATTRIBUTE(sniff_min_interval_fops, sniff_min_interval_get,
552 sniff_min_interval_set, "%llu\n");
554 static int sniff_max_interval_set(void *data, u64 val)
556 struct hci_dev *hdev = data;
558 if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
562 hdev->sniff_max_interval = val;
563 hci_dev_unlock(hdev);
568 static int sniff_max_interval_get(void *data, u64 *val)
570 struct hci_dev *hdev = data;
573 *val = hdev->sniff_max_interval;
574 hci_dev_unlock(hdev);
579 DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
580 sniff_max_interval_set, "%llu\n");
582 static int identity_show(struct seq_file *f, void *p)
584 struct hci_dev *hdev = f->private;
590 hci_copy_identity_address(hdev, &addr, &addr_type);
592 seq_printf(f, "%pMR (type %u) %*phN %pMR\n", &addr, addr_type,
593 16, hdev->irk, &hdev->rpa);
595 hci_dev_unlock(hdev);
600 static int identity_open(struct inode *inode, struct file *file)
602 return single_open(file, identity_show, inode->i_private);
605 static const struct file_operations identity_fops = {
606 .open = identity_open,
609 .release = single_release,
612 static int random_address_show(struct seq_file *f, void *p)
614 struct hci_dev *hdev = f->private;
617 seq_printf(f, "%pMR\n", &hdev->random_addr);
618 hci_dev_unlock(hdev);
623 static int random_address_open(struct inode *inode, struct file *file)
625 return single_open(file, random_address_show, inode->i_private);
628 static const struct file_operations random_address_fops = {
629 .open = random_address_open,
632 .release = single_release,
635 static int static_address_show(struct seq_file *f, void *p)
637 struct hci_dev *hdev = f->private;
640 seq_printf(f, "%pMR\n", &hdev->static_addr);
641 hci_dev_unlock(hdev);
646 static int static_address_open(struct inode *inode, struct file *file)
648 return single_open(file, static_address_show, inode->i_private);
651 static const struct file_operations static_address_fops = {
652 .open = static_address_open,
655 .release = single_release,
658 static ssize_t force_static_address_read(struct file *file,
659 char __user *user_buf,
660 size_t count, loff_t *ppos)
662 struct hci_dev *hdev = file->private_data;
665 buf[0] = test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ? 'Y': 'N';
668 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
671 static ssize_t force_static_address_write(struct file *file,
672 const char __user *user_buf,
673 size_t count, loff_t *ppos)
675 struct hci_dev *hdev = file->private_data;
677 size_t buf_size = min(count, (sizeof(buf)-1));
680 if (test_bit(HCI_UP, &hdev->flags))
683 if (copy_from_user(buf, user_buf, buf_size))
686 buf[buf_size] = '\0';
687 if (strtobool(buf, &enable))
690 if (enable == test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags))
693 change_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags);
698 static const struct file_operations force_static_address_fops = {
700 .read = force_static_address_read,
701 .write = force_static_address_write,
702 .llseek = default_llseek,
705 static int white_list_show(struct seq_file *f, void *ptr)
707 struct hci_dev *hdev = f->private;
708 struct bdaddr_list *b;
711 list_for_each_entry(b, &hdev->le_white_list, list)
712 seq_printf(f, "%pMR (type %u)\n", &b->bdaddr, b->bdaddr_type);
713 hci_dev_unlock(hdev);
718 static int white_list_open(struct inode *inode, struct file *file)
720 return single_open(file, white_list_show, inode->i_private);
723 static const struct file_operations white_list_fops = {
724 .open = white_list_open,
727 .release = single_release,
730 static int identity_resolving_keys_show(struct seq_file *f, void *ptr)
732 struct hci_dev *hdev = f->private;
733 struct list_head *p, *n;
736 list_for_each_safe(p, n, &hdev->identity_resolving_keys) {
737 struct smp_irk *irk = list_entry(p, struct smp_irk, list);
738 seq_printf(f, "%pMR (type %u) %*phN %pMR\n",
739 &irk->bdaddr, irk->addr_type,
740 16, irk->val, &irk->rpa);
742 hci_dev_unlock(hdev);
747 static int identity_resolving_keys_open(struct inode *inode, struct file *file)
749 return single_open(file, identity_resolving_keys_show,
753 static const struct file_operations identity_resolving_keys_fops = {
754 .open = identity_resolving_keys_open,
757 .release = single_release,
760 static int long_term_keys_show(struct seq_file *f, void *ptr)
762 struct hci_dev *hdev = f->private;
763 struct list_head *p, *n;
766 list_for_each_safe(p, n, &hdev->long_term_keys) {
767 struct smp_ltk *ltk = list_entry(p, struct smp_ltk, list);
768 seq_printf(f, "%pMR (type %u) %u 0x%02x %u %.4x %.16llx %*phN\n",
769 <k->bdaddr, ltk->bdaddr_type, ltk->authenticated,
770 ltk->type, ltk->enc_size, __le16_to_cpu(ltk->ediv),
771 __le64_to_cpu(ltk->rand), 16, ltk->val);
773 hci_dev_unlock(hdev);
778 static int long_term_keys_open(struct inode *inode, struct file *file)
780 return single_open(file, long_term_keys_show, inode->i_private);
783 static const struct file_operations long_term_keys_fops = {
784 .open = long_term_keys_open,
787 .release = single_release,
790 static int conn_min_interval_set(void *data, u64 val)
792 struct hci_dev *hdev = data;
794 if (val < 0x0006 || val > 0x0c80 || val > hdev->le_conn_max_interval)
798 hdev->le_conn_min_interval = val;
799 hci_dev_unlock(hdev);
804 static int conn_min_interval_get(void *data, u64 *val)
806 struct hci_dev *hdev = data;
809 *val = hdev->le_conn_min_interval;
810 hci_dev_unlock(hdev);
815 DEFINE_SIMPLE_ATTRIBUTE(conn_min_interval_fops, conn_min_interval_get,
816 conn_min_interval_set, "%llu\n");
818 static int conn_max_interval_set(void *data, u64 val)
820 struct hci_dev *hdev = data;
822 if (val < 0x0006 || val > 0x0c80 || val < hdev->le_conn_min_interval)
826 hdev->le_conn_max_interval = val;
827 hci_dev_unlock(hdev);
832 static int conn_max_interval_get(void *data, u64 *val)
834 struct hci_dev *hdev = data;
837 *val = hdev->le_conn_max_interval;
838 hci_dev_unlock(hdev);
843 DEFINE_SIMPLE_ATTRIBUTE(conn_max_interval_fops, conn_max_interval_get,
844 conn_max_interval_set, "%llu\n");
846 static int adv_channel_map_set(void *data, u64 val)
848 struct hci_dev *hdev = data;
850 if (val < 0x01 || val > 0x07)
854 hdev->le_adv_channel_map = val;
855 hci_dev_unlock(hdev);
860 static int adv_channel_map_get(void *data, u64 *val)
862 struct hci_dev *hdev = data;
865 *val = hdev->le_adv_channel_map;
866 hci_dev_unlock(hdev);
871 DEFINE_SIMPLE_ATTRIBUTE(adv_channel_map_fops, adv_channel_map_get,
872 adv_channel_map_set, "%llu\n");
874 static ssize_t lowpan_read(struct file *file, char __user *user_buf,
875 size_t count, loff_t *ppos)
877 struct hci_dev *hdev = file->private_data;
880 buf[0] = test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags) ? 'Y' : 'N';
883 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
886 static ssize_t lowpan_write(struct file *fp, const char __user *user_buffer,
887 size_t count, loff_t *position)
889 struct hci_dev *hdev = fp->private_data;
892 size_t buf_size = min(count, (sizeof(buf)-1));
894 if (copy_from_user(buf, user_buffer, buf_size))
897 buf[buf_size] = '\0';
899 if (strtobool(buf, &enable) < 0)
902 if (enable == test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags))
905 change_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags);
910 static const struct file_operations lowpan_debugfs_fops = {
913 .write = lowpan_write,
914 .llseek = default_llseek,
917 static int le_auto_conn_show(struct seq_file *sf, void *ptr)
919 struct hci_dev *hdev = sf->private;
920 struct hci_conn_params *p;
924 list_for_each_entry(p, &hdev->le_conn_params, list) {
925 seq_printf(sf, "%pMR %u %u\n", &p->addr, p->addr_type,
929 hci_dev_unlock(hdev);
934 static int le_auto_conn_open(struct inode *inode, struct file *file)
936 return single_open(file, le_auto_conn_show, inode->i_private);
939 static ssize_t le_auto_conn_write(struct file *file, const char __user *data,
940 size_t count, loff_t *offset)
942 struct seq_file *sf = file->private_data;
943 struct hci_dev *hdev = sf->private;
951 /* Don't allow partial write */
958 buf = kzalloc(count, GFP_KERNEL);
962 if (copy_from_user(buf, data, count)) {
967 if (memcmp(buf, "add", 3) == 0) {
968 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu %hhu",
969 &addr.b[5], &addr.b[4], &addr.b[3], &addr.b[2],
970 &addr.b[1], &addr.b[0], &addr_type,
979 err = hci_conn_params_add(hdev, &addr, addr_type, auto_connect,
980 hdev->le_conn_min_interval,
981 hdev->le_conn_max_interval);
982 hci_dev_unlock(hdev);
986 } else if (memcmp(buf, "del", 3) == 0) {
987 n = sscanf(&buf[4], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu",
988 &addr.b[5], &addr.b[4], &addr.b[3], &addr.b[2],
989 &addr.b[1], &addr.b[0], &addr_type);
997 hci_conn_params_del(hdev, &addr, addr_type);
998 hci_dev_unlock(hdev);
999 } else if (memcmp(buf, "clr", 3) == 0) {
1001 hci_conn_params_clear(hdev);
1002 hci_pend_le_conns_clear(hdev);
1003 hci_update_background_scan(hdev);
1004 hci_dev_unlock(hdev);
1018 static const struct file_operations le_auto_conn_fops = {
1019 .open = le_auto_conn_open,
1021 .write = le_auto_conn_write,
1022 .llseek = seq_lseek,
1023 .release = single_release,
1026 /* ---- HCI requests ---- */
1028 static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
1030 BT_DBG("%s result 0x%2.2x", hdev->name, result);
1032 if (hdev->req_status == HCI_REQ_PEND) {
1033 hdev->req_result = result;
1034 hdev->req_status = HCI_REQ_DONE;
1035 wake_up_interruptible(&hdev->req_wait_q);
1039 static void hci_req_cancel(struct hci_dev *hdev, int err)
1041 BT_DBG("%s err 0x%2.2x", hdev->name, err);
1043 if (hdev->req_status == HCI_REQ_PEND) {
1044 hdev->req_result = err;
1045 hdev->req_status = HCI_REQ_CANCELED;
1046 wake_up_interruptible(&hdev->req_wait_q);
1050 static struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
1053 struct hci_ev_cmd_complete *ev;
1054 struct hci_event_hdr *hdr;
1055 struct sk_buff *skb;
1059 skb = hdev->recv_evt;
1060 hdev->recv_evt = NULL;
1062 hci_dev_unlock(hdev);
1065 return ERR_PTR(-ENODATA);
1067 if (skb->len < sizeof(*hdr)) {
1068 BT_ERR("Too short HCI event");
1072 hdr = (void *) skb->data;
1073 skb_pull(skb, HCI_EVENT_HDR_SIZE);
1076 if (hdr->evt != event)
1081 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
1082 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
1086 if (skb->len < sizeof(*ev)) {
1087 BT_ERR("Too short cmd_complete event");
1091 ev = (void *) skb->data;
1092 skb_pull(skb, sizeof(*ev));
1094 if (opcode == __le16_to_cpu(ev->opcode))
1097 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
1098 __le16_to_cpu(ev->opcode));
1102 return ERR_PTR(-ENODATA);
1105 struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
1106 const void *param, u8 event, u32 timeout)
1108 DECLARE_WAITQUEUE(wait, current);
1109 struct hci_request req;
1112 BT_DBG("%s", hdev->name);
1114 hci_req_init(&req, hdev);
1116 hci_req_add_ev(&req, opcode, plen, param, event);
1118 hdev->req_status = HCI_REQ_PEND;
1120 err = hci_req_run(&req, hci_req_sync_complete);
1122 return ERR_PTR(err);
1124 add_wait_queue(&hdev->req_wait_q, &wait);
1125 set_current_state(TASK_INTERRUPTIBLE);
1127 schedule_timeout(timeout);
1129 remove_wait_queue(&hdev->req_wait_q, &wait);
1131 if (signal_pending(current))
1132 return ERR_PTR(-EINTR);
1134 switch (hdev->req_status) {
1136 err = -bt_to_errno(hdev->req_result);
1139 case HCI_REQ_CANCELED:
1140 err = -hdev->req_result;
1148 hdev->req_status = hdev->req_result = 0;
1150 BT_DBG("%s end: err %d", hdev->name, err);
1153 return ERR_PTR(err);
1155 return hci_get_cmd_complete(hdev, opcode, event);
1157 EXPORT_SYMBOL(__hci_cmd_sync_ev);
1159 struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
1160 const void *param, u32 timeout)
1162 return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
1164 EXPORT_SYMBOL(__hci_cmd_sync);
1166 /* Execute request and wait for completion. */
1167 static int __hci_req_sync(struct hci_dev *hdev,
1168 void (*func)(struct hci_request *req,
1170 unsigned long opt, __u32 timeout)
1172 struct hci_request req;
1173 DECLARE_WAITQUEUE(wait, current);
1176 BT_DBG("%s start", hdev->name);
1178 hci_req_init(&req, hdev);
1180 hdev->req_status = HCI_REQ_PEND;
1184 err = hci_req_run(&req, hci_req_sync_complete);
1186 hdev->req_status = 0;
1188 /* ENODATA means the HCI request command queue is empty.
1189 * This can happen when a request with conditionals doesn't
1190 * trigger any commands to be sent. This is normal behavior
1191 * and should not trigger an error return.
1193 if (err == -ENODATA)
1199 add_wait_queue(&hdev->req_wait_q, &wait);
1200 set_current_state(TASK_INTERRUPTIBLE);
1202 schedule_timeout(timeout);
1204 remove_wait_queue(&hdev->req_wait_q, &wait);
1206 if (signal_pending(current))
1209 switch (hdev->req_status) {
1211 err = -bt_to_errno(hdev->req_result);
1214 case HCI_REQ_CANCELED:
1215 err = -hdev->req_result;
1223 hdev->req_status = hdev->req_result = 0;
1225 BT_DBG("%s end: err %d", hdev->name, err);
1230 static int hci_req_sync(struct hci_dev *hdev,
1231 void (*req)(struct hci_request *req,
1233 unsigned long opt, __u32 timeout)
1237 if (!test_bit(HCI_UP, &hdev->flags))
1240 /* Serialize all requests */
1242 ret = __hci_req_sync(hdev, req, opt, timeout);
1243 hci_req_unlock(hdev);
1248 static void hci_reset_req(struct hci_request *req, unsigned long opt)
1250 BT_DBG("%s %ld", req->hdev->name, opt);
1253 set_bit(HCI_RESET, &req->hdev->flags);
1254 hci_req_add(req, HCI_OP_RESET, 0, NULL);
1257 static void bredr_init(struct hci_request *req)
1259 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
1261 /* Read Local Supported Features */
1262 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
1264 /* Read Local Version */
1265 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
1267 /* Read BD Address */
1268 hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
1271 static void amp_init(struct hci_request *req)
1273 req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
1275 /* Read Local Version */
1276 hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
1278 /* Read Local Supported Commands */
1279 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
1281 /* Read Local Supported Features */
1282 hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
1284 /* Read Local AMP Info */
1285 hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
1287 /* Read Data Blk size */
1288 hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
1290 /* Read Flow Control Mode */
1291 hci_req_add(req, HCI_OP_READ_FLOW_CONTROL_MODE, 0, NULL);
1293 /* Read Location Data */
1294 hci_req_add(req, HCI_OP_READ_LOCATION_DATA, 0, NULL);
1297 static void hci_init1_req(struct hci_request *req, unsigned long opt)
1299 struct hci_dev *hdev = req->hdev;
1301 BT_DBG("%s %ld", hdev->name, opt);
1304 if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
1305 hci_reset_req(req, 0);
1307 switch (hdev->dev_type) {
1317 BT_ERR("Unknown device type %d", hdev->dev_type);
1322 static void bredr_setup(struct hci_request *req)
1324 struct hci_dev *hdev = req->hdev;
1329 /* Read Buffer Size (ACL mtu, max pkt, etc.) */
1330 hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
1332 /* Read Class of Device */
1333 hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
1335 /* Read Local Name */
1336 hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
1338 /* Read Voice Setting */
1339 hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
1341 /* Read Number of Supported IAC */
1342 hci_req_add(req, HCI_OP_READ_NUM_SUPPORTED_IAC, 0, NULL);
1344 /* Read Current IAC LAP */
1345 hci_req_add(req, HCI_OP_READ_CURRENT_IAC_LAP, 0, NULL);
1347 /* Clear Event Filters */
1348 flt_type = HCI_FLT_CLEAR_ALL;
1349 hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
1351 /* Connection accept timeout ~20 secs */
1352 param = cpu_to_le16(0x7d00);
1353 hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, ¶m);
1355 /* AVM Berlin (31), aka "BlueFRITZ!", reports version 1.2,
1356 * but it does not support page scan related HCI commands.
1358 if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1) {
1359 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
1360 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
1364 static void le_setup(struct hci_request *req)
1366 struct hci_dev *hdev = req->hdev;
1368 /* Read LE Buffer Size */
1369 hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
1371 /* Read LE Local Supported Features */
1372 hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
1374 /* Read LE Supported States */
1375 hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
1377 /* Read LE Advertising Channel TX Power */
1378 hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
1380 /* Read LE White List Size */
1381 hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
1383 /* Clear LE White List */
1384 hci_req_add(req, HCI_OP_LE_CLEAR_WHITE_LIST, 0, NULL);
1386 /* LE-only controllers have LE implicitly enabled */
1387 if (!lmp_bredr_capable(hdev))
1388 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1391 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
1393 if (lmp_ext_inq_capable(hdev))
1396 if (lmp_inq_rssi_capable(hdev))
1399 if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
1400 hdev->lmp_subver == 0x0757)
1403 if (hdev->manufacturer == 15) {
1404 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
1406 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
1408 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
1412 if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
1413 hdev->lmp_subver == 0x1805)
1419 static void hci_setup_inquiry_mode(struct hci_request *req)
1423 mode = hci_get_inquiry_mode(req->hdev);
1425 hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
1428 static void hci_setup_event_mask(struct hci_request *req)
1430 struct hci_dev *hdev = req->hdev;
1432 /* The second byte is 0xff instead of 0x9f (two reserved bits
1433 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
1434 * command otherwise.
1436 u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
1438 /* CSR 1.1 dongles does not accept any bitfield so don't try to set
1439 * any event mask for pre 1.2 devices.
1441 if (hdev->hci_ver < BLUETOOTH_VER_1_2)
1444 if (lmp_bredr_capable(hdev)) {
1445 events[4] |= 0x01; /* Flow Specification Complete */
1446 events[4] |= 0x02; /* Inquiry Result with RSSI */
1447 events[4] |= 0x04; /* Read Remote Extended Features Complete */
1448 events[5] |= 0x08; /* Synchronous Connection Complete */
1449 events[5] |= 0x10; /* Synchronous Connection Changed */
1451 /* Use a different default for LE-only devices */
1452 memset(events, 0, sizeof(events));
1453 events[0] |= 0x10; /* Disconnection Complete */
1454 events[0] |= 0x80; /* Encryption Change */
1455 events[1] |= 0x08; /* Read Remote Version Information Complete */
1456 events[1] |= 0x20; /* Command Complete */
1457 events[1] |= 0x40; /* Command Status */
1458 events[1] |= 0x80; /* Hardware Error */
1459 events[2] |= 0x04; /* Number of Completed Packets */
1460 events[3] |= 0x02; /* Data Buffer Overflow */
1461 events[5] |= 0x80; /* Encryption Key Refresh Complete */
1464 if (lmp_inq_rssi_capable(hdev))
1465 events[4] |= 0x02; /* Inquiry Result with RSSI */
1467 if (lmp_sniffsubr_capable(hdev))
1468 events[5] |= 0x20; /* Sniff Subrating */
1470 if (lmp_pause_enc_capable(hdev))
1471 events[5] |= 0x80; /* Encryption Key Refresh Complete */
1473 if (lmp_ext_inq_capable(hdev))
1474 events[5] |= 0x40; /* Extended Inquiry Result */
1476 if (lmp_no_flush_capable(hdev))
1477 events[7] |= 0x01; /* Enhanced Flush Complete */
1479 if (lmp_lsto_capable(hdev))
1480 events[6] |= 0x80; /* Link Supervision Timeout Changed */
1482 if (lmp_ssp_capable(hdev)) {
1483 events[6] |= 0x01; /* IO Capability Request */
1484 events[6] |= 0x02; /* IO Capability Response */
1485 events[6] |= 0x04; /* User Confirmation Request */
1486 events[6] |= 0x08; /* User Passkey Request */
1487 events[6] |= 0x10; /* Remote OOB Data Request */
1488 events[6] |= 0x20; /* Simple Pairing Complete */
1489 events[7] |= 0x04; /* User Passkey Notification */
1490 events[7] |= 0x08; /* Keypress Notification */
1491 events[7] |= 0x10; /* Remote Host Supported
1492 * Features Notification
1496 if (lmp_le_capable(hdev))
1497 events[7] |= 0x20; /* LE Meta-Event */
1499 hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
1501 if (lmp_le_capable(hdev)) {
1502 memset(events, 0, sizeof(events));
1504 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK,
1505 sizeof(events), events);
1509 static void hci_init2_req(struct hci_request *req, unsigned long opt)
1511 struct hci_dev *hdev = req->hdev;
1513 if (lmp_bredr_capable(hdev))
1516 clear_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
1518 if (lmp_le_capable(hdev))
1521 hci_setup_event_mask(req);
1523 /* AVM Berlin (31), aka "BlueFRITZ!", doesn't support the read
1524 * local supported commands HCI command.
1526 if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1)
1527 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
1529 if (lmp_ssp_capable(hdev)) {
1530 /* When SSP is available, then the host features page
1531 * should also be available as well. However some
1532 * controllers list the max_page as 0 as long as SSP
1533 * has not been enabled. To achieve proper debugging
1534 * output, force the minimum max_page to 1 at least.
1536 hdev->max_page = 0x01;
1538 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
1540 hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
1541 sizeof(mode), &mode);
1543 struct hci_cp_write_eir cp;
1545 memset(hdev->eir, 0, sizeof(hdev->eir));
1546 memset(&cp, 0, sizeof(cp));
1548 hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
1552 if (lmp_inq_rssi_capable(hdev))
1553 hci_setup_inquiry_mode(req);
1555 if (lmp_inq_tx_pwr_capable(hdev))
1556 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
1558 if (lmp_ext_feat_capable(hdev)) {
1559 struct hci_cp_read_local_ext_features cp;
1562 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
1566 if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
1568 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
1573 static void hci_setup_link_policy(struct hci_request *req)
1575 struct hci_dev *hdev = req->hdev;
1576 struct hci_cp_write_def_link_policy cp;
1577 u16 link_policy = 0;
1579 if (lmp_rswitch_capable(hdev))
1580 link_policy |= HCI_LP_RSWITCH;
1581 if (lmp_hold_capable(hdev))
1582 link_policy |= HCI_LP_HOLD;
1583 if (lmp_sniff_capable(hdev))
1584 link_policy |= HCI_LP_SNIFF;
1585 if (lmp_park_capable(hdev))
1586 link_policy |= HCI_LP_PARK;
1588 cp.policy = cpu_to_le16(link_policy);
1589 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
1592 static void hci_set_le_support(struct hci_request *req)
1594 struct hci_dev *hdev = req->hdev;
1595 struct hci_cp_write_le_host_supported cp;
1597 /* LE-only devices do not support explicit enablement */
1598 if (!lmp_bredr_capable(hdev))
1601 memset(&cp, 0, sizeof(cp));
1603 if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
1605 cp.simul = lmp_le_br_capable(hdev);
1608 if (cp.le != lmp_host_le_capable(hdev))
1609 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
1613 static void hci_set_event_mask_page_2(struct hci_request *req)
1615 struct hci_dev *hdev = req->hdev;
1616 u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1618 /* If Connectionless Slave Broadcast master role is supported
1619 * enable all necessary events for it.
1621 if (lmp_csb_master_capable(hdev)) {
1622 events[1] |= 0x40; /* Triggered Clock Capture */
1623 events[1] |= 0x80; /* Synchronization Train Complete */
1624 events[2] |= 0x10; /* Slave Page Response Timeout */
1625 events[2] |= 0x20; /* CSB Channel Map Change */
1628 /* If Connectionless Slave Broadcast slave role is supported
1629 * enable all necessary events for it.
1631 if (lmp_csb_slave_capable(hdev)) {
1632 events[2] |= 0x01; /* Synchronization Train Received */
1633 events[2] |= 0x02; /* CSB Receive */
1634 events[2] |= 0x04; /* CSB Timeout */
1635 events[2] |= 0x08; /* Truncated Page Complete */
1638 /* Enable Authenticated Payload Timeout Expired event if supported */
1639 if (lmp_ping_capable(hdev))
1642 hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
1645 static void hci_init3_req(struct hci_request *req, unsigned long opt)
1647 struct hci_dev *hdev = req->hdev;
1650 /* Some Broadcom based Bluetooth controllers do not support the
1651 * Delete Stored Link Key command. They are clearly indicating its
1652 * absence in the bit mask of supported commands.
1654 * Check the supported commands and only if the the command is marked
1655 * as supported send it. If not supported assume that the controller
1656 * does not have actual support for stored link keys which makes this
1657 * command redundant anyway.
1659 * Some controllers indicate that they support handling deleting
1660 * stored link keys, but they don't. The quirk lets a driver
1661 * just disable this command.
1663 if (hdev->commands[6] & 0x80 &&
1664 !test_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks)) {
1665 struct hci_cp_delete_stored_link_key cp;
1667 bacpy(&cp.bdaddr, BDADDR_ANY);
1668 cp.delete_all = 0x01;
1669 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
1673 if (hdev->commands[5] & 0x10)
1674 hci_setup_link_policy(req);
1676 if (lmp_le_capable(hdev))
1677 hci_set_le_support(req);
1679 /* Read features beyond page 1 if available */
1680 for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
1681 struct hci_cp_read_local_ext_features cp;
1684 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
1689 static void hci_init4_req(struct hci_request *req, unsigned long opt)
1691 struct hci_dev *hdev = req->hdev;
1693 /* Set event mask page 2 if the HCI command for it is supported */
1694 if (hdev->commands[22] & 0x04)
1695 hci_set_event_mask_page_2(req);
1697 /* Check for Synchronization Train support */
1698 if (lmp_sync_train_capable(hdev))
1699 hci_req_add(req, HCI_OP_READ_SYNC_TRAIN_PARAMS, 0, NULL);
1701 /* Enable Secure Connections if supported and configured */
1702 if ((lmp_sc_capable(hdev) ||
1703 test_bit(HCI_FORCE_SC, &hdev->dev_flags)) &&
1704 test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
1706 hci_req_add(req, HCI_OP_WRITE_SC_SUPPORT,
1707 sizeof(support), &support);
1711 static int __hci_init(struct hci_dev *hdev)
1715 err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
1719 /* The Device Under Test (DUT) mode is special and available for
1720 * all controller types. So just create it early on.
1722 if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
1723 debugfs_create_file("dut_mode", 0644, hdev->debugfs, hdev,
1727 /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
1728 * BR/EDR/LE type controllers. AMP controllers only need the
1731 if (hdev->dev_type != HCI_BREDR)
1734 err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
1738 err = __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
1742 err = __hci_req_sync(hdev, hci_init4_req, 0, HCI_INIT_TIMEOUT);
1746 /* Only create debugfs entries during the initial setup
1747 * phase and not every time the controller gets powered on.
1749 if (!test_bit(HCI_SETUP, &hdev->dev_flags))
1752 debugfs_create_file("features", 0444, hdev->debugfs, hdev,
1754 debugfs_create_u16("manufacturer", 0444, hdev->debugfs,
1755 &hdev->manufacturer);
1756 debugfs_create_u8("hci_version", 0444, hdev->debugfs, &hdev->hci_ver);
1757 debugfs_create_u16("hci_revision", 0444, hdev->debugfs, &hdev->hci_rev);
1758 debugfs_create_file("blacklist", 0444, hdev->debugfs, hdev,
1760 debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
1762 if (lmp_bredr_capable(hdev)) {
1763 debugfs_create_file("inquiry_cache", 0444, hdev->debugfs,
1764 hdev, &inquiry_cache_fops);
1765 debugfs_create_file("link_keys", 0400, hdev->debugfs,
1766 hdev, &link_keys_fops);
1767 debugfs_create_file("dev_class", 0444, hdev->debugfs,
1768 hdev, &dev_class_fops);
1769 debugfs_create_file("voice_setting", 0444, hdev->debugfs,
1770 hdev, &voice_setting_fops);
1773 if (lmp_ssp_capable(hdev)) {
1774 debugfs_create_file("auto_accept_delay", 0644, hdev->debugfs,
1775 hdev, &auto_accept_delay_fops);
1776 debugfs_create_file("ssp_debug_mode", 0644, hdev->debugfs,
1777 hdev, &ssp_debug_mode_fops);
1778 debugfs_create_file("force_sc_support", 0644, hdev->debugfs,
1779 hdev, &force_sc_support_fops);
1780 debugfs_create_file("sc_only_mode", 0444, hdev->debugfs,
1781 hdev, &sc_only_mode_fops);
1784 if (lmp_sniff_capable(hdev)) {
1785 debugfs_create_file("idle_timeout", 0644, hdev->debugfs,
1786 hdev, &idle_timeout_fops);
1787 debugfs_create_file("sniff_min_interval", 0644, hdev->debugfs,
1788 hdev, &sniff_min_interval_fops);
1789 debugfs_create_file("sniff_max_interval", 0644, hdev->debugfs,
1790 hdev, &sniff_max_interval_fops);
1793 if (lmp_le_capable(hdev)) {
1794 debugfs_create_file("identity", 0400, hdev->debugfs,
1795 hdev, &identity_fops);
1796 debugfs_create_file("rpa_timeout", 0644, hdev->debugfs,
1797 hdev, &rpa_timeout_fops);
1798 debugfs_create_file("random_address", 0444, hdev->debugfs,
1799 hdev, &random_address_fops);
1800 debugfs_create_file("static_address", 0444, hdev->debugfs,
1801 hdev, &static_address_fops);
1803 /* For controllers with a public address, provide a debug
1804 * option to force the usage of the configured static
1805 * address. By default the public address is used.
1807 if (bacmp(&hdev->bdaddr, BDADDR_ANY))
1808 debugfs_create_file("force_static_address", 0644,
1809 hdev->debugfs, hdev,
1810 &force_static_address_fops);
1812 debugfs_create_u8("white_list_size", 0444, hdev->debugfs,
1813 &hdev->le_white_list_size);
1814 debugfs_create_file("white_list", 0444, hdev->debugfs, hdev,
1816 debugfs_create_file("identity_resolving_keys", 0400,
1817 hdev->debugfs, hdev,
1818 &identity_resolving_keys_fops);
1819 debugfs_create_file("long_term_keys", 0400, hdev->debugfs,
1820 hdev, &long_term_keys_fops);
1821 debugfs_create_file("conn_min_interval", 0644, hdev->debugfs,
1822 hdev, &conn_min_interval_fops);
1823 debugfs_create_file("conn_max_interval", 0644, hdev->debugfs,
1824 hdev, &conn_max_interval_fops);
1825 debugfs_create_file("adv_channel_map", 0644, hdev->debugfs,
1826 hdev, &adv_channel_map_fops);
1827 debugfs_create_file("6lowpan", 0644, hdev->debugfs, hdev,
1828 &lowpan_debugfs_fops);
1829 debugfs_create_file("le_auto_conn", 0644, hdev->debugfs, hdev,
1830 &le_auto_conn_fops);
1836 static void hci_scan_req(struct hci_request *req, unsigned long opt)
1840 BT_DBG("%s %x", req->hdev->name, scan);
1842 /* Inquiry and Page scans */
1843 hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1846 static void hci_auth_req(struct hci_request *req, unsigned long opt)
1850 BT_DBG("%s %x", req->hdev->name, auth);
1852 /* Authentication */
1853 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
1856 static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
1860 BT_DBG("%s %x", req->hdev->name, encrypt);
1863 hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
1866 static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
1868 __le16 policy = cpu_to_le16(opt);
1870 BT_DBG("%s %x", req->hdev->name, policy);
1872 /* Default link policy */
1873 hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
1876 /* Get HCI device by index.
1877 * Device is held on return. */
1878 struct hci_dev *hci_dev_get(int index)
1880 struct hci_dev *hdev = NULL, *d;
1882 BT_DBG("%d", index);
1887 read_lock(&hci_dev_list_lock);
1888 list_for_each_entry(d, &hci_dev_list, list) {
1889 if (d->id == index) {
1890 hdev = hci_dev_hold(d);
1894 read_unlock(&hci_dev_list_lock);
1898 /* ---- Inquiry support ---- */
1900 bool hci_discovery_active(struct hci_dev *hdev)
1902 struct discovery_state *discov = &hdev->discovery;
1904 switch (discov->state) {
1905 case DISCOVERY_FINDING:
1906 case DISCOVERY_RESOLVING:
1914 void hci_discovery_set_state(struct hci_dev *hdev, int state)
1916 BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
1918 if (hdev->discovery.state == state)
1922 case DISCOVERY_STOPPED:
1923 hci_update_background_scan(hdev);
1925 if (hdev->discovery.state != DISCOVERY_STARTING)
1926 mgmt_discovering(hdev, 0);
1928 case DISCOVERY_STARTING:
1930 case DISCOVERY_FINDING:
1931 mgmt_discovering(hdev, 1);
1933 case DISCOVERY_RESOLVING:
1935 case DISCOVERY_STOPPING:
1939 hdev->discovery.state = state;
1942 void hci_inquiry_cache_flush(struct hci_dev *hdev)
1944 struct discovery_state *cache = &hdev->discovery;
1945 struct inquiry_entry *p, *n;
1947 list_for_each_entry_safe(p, n, &cache->all, all) {
1952 INIT_LIST_HEAD(&cache->unknown);
1953 INIT_LIST_HEAD(&cache->resolve);
1956 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
1959 struct discovery_state *cache = &hdev->discovery;
1960 struct inquiry_entry *e;
1962 BT_DBG("cache %p, %pMR", cache, bdaddr);
1964 list_for_each_entry(e, &cache->all, all) {
1965 if (!bacmp(&e->data.bdaddr, bdaddr))
1972 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
1975 struct discovery_state *cache = &hdev->discovery;
1976 struct inquiry_entry *e;
1978 BT_DBG("cache %p, %pMR", cache, bdaddr);
1980 list_for_each_entry(e, &cache->unknown, list) {
1981 if (!bacmp(&e->data.bdaddr, bdaddr))
1988 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
1992 struct discovery_state *cache = &hdev->discovery;
1993 struct inquiry_entry *e;
1995 BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
1997 list_for_each_entry(e, &cache->resolve, list) {
1998 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
2000 if (!bacmp(&e->data.bdaddr, bdaddr))
2007 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
2008 struct inquiry_entry *ie)
2010 struct discovery_state *cache = &hdev->discovery;
2011 struct list_head *pos = &cache->resolve;
2012 struct inquiry_entry *p;
2014 list_del(&ie->list);
2016 list_for_each_entry(p, &cache->resolve, list) {
2017 if (p->name_state != NAME_PENDING &&
2018 abs(p->data.rssi) >= abs(ie->data.rssi))
2023 list_add(&ie->list, pos);
2026 bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
2027 bool name_known, bool *ssp)
2029 struct discovery_state *cache = &hdev->discovery;
2030 struct inquiry_entry *ie;
2032 BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
2034 hci_remove_remote_oob_data(hdev, &data->bdaddr);
2037 *ssp = data->ssp_mode;
2039 ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
2041 if (ie->data.ssp_mode && ssp)
2044 if (ie->name_state == NAME_NEEDED &&
2045 data->rssi != ie->data.rssi) {
2046 ie->data.rssi = data->rssi;
2047 hci_inquiry_cache_update_resolve(hdev, ie);
2053 /* Entry not in the cache. Add new one. */
2054 ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
2058 list_add(&ie->all, &cache->all);
2061 ie->name_state = NAME_KNOWN;
2063 ie->name_state = NAME_NOT_KNOWN;
2064 list_add(&ie->list, &cache->unknown);
2068 if (name_known && ie->name_state != NAME_KNOWN &&
2069 ie->name_state != NAME_PENDING) {
2070 ie->name_state = NAME_KNOWN;
2071 list_del(&ie->list);
2074 memcpy(&ie->data, data, sizeof(*data));
2075 ie->timestamp = jiffies;
2076 cache->timestamp = jiffies;
2078 if (ie->name_state == NAME_NOT_KNOWN)
2084 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
2086 struct discovery_state *cache = &hdev->discovery;
2087 struct inquiry_info *info = (struct inquiry_info *) buf;
2088 struct inquiry_entry *e;
2091 list_for_each_entry(e, &cache->all, all) {
2092 struct inquiry_data *data = &e->data;
2097 bacpy(&info->bdaddr, &data->bdaddr);
2098 info->pscan_rep_mode = data->pscan_rep_mode;
2099 info->pscan_period_mode = data->pscan_period_mode;
2100 info->pscan_mode = data->pscan_mode;
2101 memcpy(info->dev_class, data->dev_class, 3);
2102 info->clock_offset = data->clock_offset;
2108 BT_DBG("cache %p, copied %d", cache, copied);
2112 static void hci_inq_req(struct hci_request *req, unsigned long opt)
2114 struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
2115 struct hci_dev *hdev = req->hdev;
2116 struct hci_cp_inquiry cp;
2118 BT_DBG("%s", hdev->name);
2120 if (test_bit(HCI_INQUIRY, &hdev->flags))
2124 memcpy(&cp.lap, &ir->lap, 3);
2125 cp.length = ir->length;
2126 cp.num_rsp = ir->num_rsp;
2127 hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
2130 static int wait_inquiry(void *word)
2133 return signal_pending(current);
2136 int hci_inquiry(void __user *arg)
2138 __u8 __user *ptr = arg;
2139 struct hci_inquiry_req ir;
2140 struct hci_dev *hdev;
2141 int err = 0, do_inquiry = 0, max_rsp;
2145 if (copy_from_user(&ir, ptr, sizeof(ir)))
2148 hdev = hci_dev_get(ir.dev_id);
2152 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2157 if (hdev->dev_type != HCI_BREDR) {
2162 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
2168 if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
2169 inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
2170 hci_inquiry_cache_flush(hdev);
2173 hci_dev_unlock(hdev);
2175 timeo = ir.length * msecs_to_jiffies(2000);
2178 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
2183 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
2184 * cleared). If it is interrupted by a signal, return -EINTR.
2186 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
2187 TASK_INTERRUPTIBLE))
2191 /* for unlimited number of responses we will use buffer with
2194 max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
2196 /* cache_dump can't sleep. Therefore we allocate temp buffer and then
2197 * copy it to the user space.
2199 buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
2206 ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
2207 hci_dev_unlock(hdev);
2209 BT_DBG("num_rsp %d", ir.num_rsp);
2211 if (!copy_to_user(ptr, &ir, sizeof(ir))) {
2213 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
2226 static int hci_dev_do_open(struct hci_dev *hdev)
2230 BT_DBG("%s %p", hdev->name, hdev);
2234 if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
2239 if (!test_bit(HCI_SETUP, &hdev->dev_flags)) {
2240 /* Check for rfkill but allow the HCI setup stage to
2241 * proceed (which in itself doesn't cause any RF activity).
2243 if (test_bit(HCI_RFKILLED, &hdev->dev_flags)) {
2248 /* Check for valid public address or a configured static
2249 * random adddress, but let the HCI setup proceed to
2250 * be able to determine if there is a public address
2253 * In case of user channel usage, it is not important
2254 * if a public address or static random address is
2257 * This check is only valid for BR/EDR controllers
2258 * since AMP controllers do not have an address.
2260 if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
2261 hdev->dev_type == HCI_BREDR &&
2262 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2263 !bacmp(&hdev->static_addr, BDADDR_ANY)) {
2264 ret = -EADDRNOTAVAIL;
2269 if (test_bit(HCI_UP, &hdev->flags)) {
2274 if (hdev->open(hdev)) {
2279 atomic_set(&hdev->cmd_cnt, 1);
2280 set_bit(HCI_INIT, &hdev->flags);
2282 if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
2283 ret = hdev->setup(hdev);
2286 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
2287 set_bit(HCI_RAW, &hdev->flags);
2289 if (!test_bit(HCI_RAW, &hdev->flags) &&
2290 !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
2291 ret = __hci_init(hdev);
2294 clear_bit(HCI_INIT, &hdev->flags);
2298 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
2299 set_bit(HCI_UP, &hdev->flags);
2300 hci_notify(hdev, HCI_DEV_UP);
2301 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
2302 !test_bit(HCI_USER_CHANNEL, &hdev->dev_flags) &&
2303 hdev->dev_type == HCI_BREDR) {
2305 mgmt_powered(hdev, 1);
2306 hci_dev_unlock(hdev);
2309 /* Init failed, cleanup */
2310 flush_work(&hdev->tx_work);
2311 flush_work(&hdev->cmd_work);
2312 flush_work(&hdev->rx_work);
2314 skb_queue_purge(&hdev->cmd_q);
2315 skb_queue_purge(&hdev->rx_q);
2320 if (hdev->sent_cmd) {
2321 kfree_skb(hdev->sent_cmd);
2322 hdev->sent_cmd = NULL;
2330 hci_req_unlock(hdev);
2334 /* ---- HCI ioctl helpers ---- */
2336 int hci_dev_open(__u16 dev)
2338 struct hci_dev *hdev;
2341 hdev = hci_dev_get(dev);
2345 /* We need to ensure that no other power on/off work is pending
2346 * before proceeding to call hci_dev_do_open. This is
2347 * particularly important if the setup procedure has not yet
2350 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2351 cancel_delayed_work(&hdev->power_off);
2353 /* After this call it is guaranteed that the setup procedure
2354 * has finished. This means that error conditions like RFKILL
2355 * or no valid public or static random address apply.
2357 flush_workqueue(hdev->req_workqueue);
2359 err = hci_dev_do_open(hdev);
2366 static int hci_dev_do_close(struct hci_dev *hdev)
2368 BT_DBG("%s %p", hdev->name, hdev);
2370 cancel_delayed_work(&hdev->power_off);
2372 hci_req_cancel(hdev, ENODEV);
2375 if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
2376 del_timer_sync(&hdev->cmd_timer);
2377 hci_req_unlock(hdev);
2381 /* Flush RX and TX works */
2382 flush_work(&hdev->tx_work);
2383 flush_work(&hdev->rx_work);
2385 if (hdev->discov_timeout > 0) {
2386 cancel_delayed_work(&hdev->discov_off);
2387 hdev->discov_timeout = 0;
2388 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
2389 clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
2392 if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
2393 cancel_delayed_work(&hdev->service_cache);
2395 cancel_delayed_work_sync(&hdev->le_scan_disable);
2397 if (test_bit(HCI_MGMT, &hdev->dev_flags))
2398 cancel_delayed_work_sync(&hdev->rpa_expired);
2401 hci_inquiry_cache_flush(hdev);
2402 hci_conn_hash_flush(hdev);
2403 hci_pend_le_conns_clear(hdev);
2404 hci_dev_unlock(hdev);
2406 hci_notify(hdev, HCI_DEV_DOWN);
2412 skb_queue_purge(&hdev->cmd_q);
2413 atomic_set(&hdev->cmd_cnt, 1);
2414 if (!test_bit(HCI_RAW, &hdev->flags) &&
2415 !test_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
2416 test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
2417 set_bit(HCI_INIT, &hdev->flags);
2418 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
2419 clear_bit(HCI_INIT, &hdev->flags);
2422 /* flush cmd work */
2423 flush_work(&hdev->cmd_work);
2426 skb_queue_purge(&hdev->rx_q);
2427 skb_queue_purge(&hdev->cmd_q);
2428 skb_queue_purge(&hdev->raw_q);
2430 /* Drop last sent command */
2431 if (hdev->sent_cmd) {
2432 del_timer_sync(&hdev->cmd_timer);
2433 kfree_skb(hdev->sent_cmd);
2434 hdev->sent_cmd = NULL;
2437 kfree_skb(hdev->recv_evt);
2438 hdev->recv_evt = NULL;
2440 /* After this point our queues are empty
2441 * and no tasks are scheduled. */
2446 hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
2448 if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
2449 if (hdev->dev_type == HCI_BREDR) {
2451 mgmt_powered(hdev, 0);
2452 hci_dev_unlock(hdev);
2456 /* Controller radio is available but is currently powered down */
2457 hdev->amp_status = AMP_STATUS_POWERED_DOWN;
2459 memset(hdev->eir, 0, sizeof(hdev->eir));
2460 memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
2461 bacpy(&hdev->random_addr, BDADDR_ANY);
2463 hci_req_unlock(hdev);
2469 int hci_dev_close(__u16 dev)
2471 struct hci_dev *hdev;
2474 hdev = hci_dev_get(dev);
2478 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2483 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2484 cancel_delayed_work(&hdev->power_off);
2486 err = hci_dev_do_close(hdev);
2493 int hci_dev_reset(__u16 dev)
2495 struct hci_dev *hdev;
2498 hdev = hci_dev_get(dev);
2504 if (!test_bit(HCI_UP, &hdev->flags)) {
2509 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2515 skb_queue_purge(&hdev->rx_q);
2516 skb_queue_purge(&hdev->cmd_q);
2519 hci_inquiry_cache_flush(hdev);
2520 hci_conn_hash_flush(hdev);
2521 hci_dev_unlock(hdev);
2526 atomic_set(&hdev->cmd_cnt, 1);
2527 hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
2529 if (!test_bit(HCI_RAW, &hdev->flags))
2530 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
2533 hci_req_unlock(hdev);
2538 int hci_dev_reset_stat(__u16 dev)
2540 struct hci_dev *hdev;
2543 hdev = hci_dev_get(dev);
2547 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2552 memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
2559 int hci_dev_cmd(unsigned int cmd, void __user *arg)
2561 struct hci_dev *hdev;
2562 struct hci_dev_req dr;
2565 if (copy_from_user(&dr, arg, sizeof(dr)))
2568 hdev = hci_dev_get(dr.dev_id);
2572 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
2577 if (hdev->dev_type != HCI_BREDR) {
2582 if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
2589 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2594 if (!lmp_encrypt_capable(hdev)) {
2599 if (!test_bit(HCI_AUTH, &hdev->flags)) {
2600 /* Auth must be enabled first */
2601 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
2607 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
2612 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
2617 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
2621 case HCISETLINKMODE:
2622 hdev->link_mode = ((__u16) dr.dev_opt) &
2623 (HCI_LM_MASTER | HCI_LM_ACCEPT);
2627 hdev->pkt_type = (__u16) dr.dev_opt;
2631 hdev->acl_mtu = *((__u16 *) &dr.dev_opt + 1);
2632 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
2636 hdev->sco_mtu = *((__u16 *) &dr.dev_opt + 1);
2637 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
2650 int hci_get_dev_list(void __user *arg)
2652 struct hci_dev *hdev;
2653 struct hci_dev_list_req *dl;
2654 struct hci_dev_req *dr;
2655 int n = 0, size, err;
2658 if (get_user(dev_num, (__u16 __user *) arg))
2661 if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
2664 size = sizeof(*dl) + dev_num * sizeof(*dr);
2666 dl = kzalloc(size, GFP_KERNEL);
2672 read_lock(&hci_dev_list_lock);
2673 list_for_each_entry(hdev, &hci_dev_list, list) {
2674 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2675 cancel_delayed_work(&hdev->power_off);
2677 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2678 set_bit(HCI_PAIRABLE, &hdev->dev_flags);
2680 (dr + n)->dev_id = hdev->id;
2681 (dr + n)->dev_opt = hdev->flags;
2686 read_unlock(&hci_dev_list_lock);
2689 size = sizeof(*dl) + n * sizeof(*dr);
2691 err = copy_to_user(arg, dl, size);
2694 return err ? -EFAULT : 0;
2697 int hci_get_dev_info(void __user *arg)
2699 struct hci_dev *hdev;
2700 struct hci_dev_info di;
2703 if (copy_from_user(&di, arg, sizeof(di)))
2706 hdev = hci_dev_get(di.dev_id);
2710 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
2711 cancel_delayed_work_sync(&hdev->power_off);
2713 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2714 set_bit(HCI_PAIRABLE, &hdev->dev_flags);
2716 strcpy(di.name, hdev->name);
2717 di.bdaddr = hdev->bdaddr;
2718 di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4);
2719 di.flags = hdev->flags;
2720 di.pkt_type = hdev->pkt_type;
2721 if (lmp_bredr_capable(hdev)) {
2722 di.acl_mtu = hdev->acl_mtu;
2723 di.acl_pkts = hdev->acl_pkts;
2724 di.sco_mtu = hdev->sco_mtu;
2725 di.sco_pkts = hdev->sco_pkts;
2727 di.acl_mtu = hdev->le_mtu;
2728 di.acl_pkts = hdev->le_pkts;
2732 di.link_policy = hdev->link_policy;
2733 di.link_mode = hdev->link_mode;
2735 memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
2736 memcpy(&di.features, &hdev->features, sizeof(di.features));
2738 if (copy_to_user(arg, &di, sizeof(di)))
2746 /* ---- Interface to HCI drivers ---- */
2748 static int hci_rfkill_set_block(void *data, bool blocked)
2750 struct hci_dev *hdev = data;
2752 BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
2754 if (test_bit(HCI_USER_CHANNEL, &hdev->dev_flags))
2758 set_bit(HCI_RFKILLED, &hdev->dev_flags);
2759 if (!test_bit(HCI_SETUP, &hdev->dev_flags))
2760 hci_dev_do_close(hdev);
2762 clear_bit(HCI_RFKILLED, &hdev->dev_flags);
2768 static const struct rfkill_ops hci_rfkill_ops = {
2769 .set_block = hci_rfkill_set_block,
2772 static void hci_power_on(struct work_struct *work)
2774 struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
2777 BT_DBG("%s", hdev->name);
2779 err = hci_dev_do_open(hdev);
2781 mgmt_set_powered_failed(hdev, err);
2785 /* During the HCI setup phase, a few error conditions are
2786 * ignored and they need to be checked now. If they are still
2787 * valid, it is important to turn the device back off.
2789 if (test_bit(HCI_RFKILLED, &hdev->dev_flags) ||
2790 (hdev->dev_type == HCI_BREDR &&
2791 !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
2792 !bacmp(&hdev->static_addr, BDADDR_ANY))) {
2793 clear_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2794 hci_dev_do_close(hdev);
2795 } else if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
2796 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
2797 HCI_AUTO_OFF_TIMEOUT);
2800 if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
2801 mgmt_index_added(hdev);
2804 static void hci_power_off(struct work_struct *work)
2806 struct hci_dev *hdev = container_of(work, struct hci_dev,
2809 BT_DBG("%s", hdev->name);
2811 hci_dev_do_close(hdev);
2814 static void hci_discov_off(struct work_struct *work)
2816 struct hci_dev *hdev;
2818 hdev = container_of(work, struct hci_dev, discov_off.work);
2820 BT_DBG("%s", hdev->name);
2822 mgmt_discoverable_timeout(hdev);
2825 void hci_uuids_clear(struct hci_dev *hdev)
2827 struct bt_uuid *uuid, *tmp;
2829 list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
2830 list_del(&uuid->list);
2835 void hci_link_keys_clear(struct hci_dev *hdev)
2837 struct list_head *p, *n;
2839 list_for_each_safe(p, n, &hdev->link_keys) {
2840 struct link_key *key;
2842 key = list_entry(p, struct link_key, list);
2849 void hci_smp_ltks_clear(struct hci_dev *hdev)
2851 struct smp_ltk *k, *tmp;
2853 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
2859 void hci_smp_irks_clear(struct hci_dev *hdev)
2861 struct smp_irk *k, *tmp;
2863 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
2869 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
2873 list_for_each_entry(k, &hdev->link_keys, list)
2874 if (bacmp(bdaddr, &k->bdaddr) == 0)
2880 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
2881 u8 key_type, u8 old_key_type)
2884 if (key_type < 0x03)
2887 /* Debug keys are insecure so don't store them persistently */
2888 if (key_type == HCI_LK_DEBUG_COMBINATION)
2891 /* Changed combination key and there's no previous one */
2892 if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
2895 /* Security mode 3 case */
2899 /* Neither local nor remote side had no-bonding as requirement */
2900 if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
2903 /* Local side had dedicated bonding as requirement */
2904 if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
2907 /* Remote side had dedicated bonding as requirement */
2908 if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
2911 /* If none of the above criteria match, then don't store the key
2916 static bool ltk_type_master(u8 type)
2918 if (type == HCI_SMP_STK || type == HCI_SMP_LTK)
2924 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, __le64 rand,
2929 list_for_each_entry(k, &hdev->long_term_keys, list) {
2930 if (k->ediv != ediv || k->rand != rand)
2933 if (ltk_type_master(k->type) != master)
2942 struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2943 u8 addr_type, bool master)
2947 list_for_each_entry(k, &hdev->long_term_keys, list)
2948 if (addr_type == k->bdaddr_type &&
2949 bacmp(bdaddr, &k->bdaddr) == 0 &&
2950 ltk_type_master(k->type) == master)
2956 struct smp_irk *hci_find_irk_by_rpa(struct hci_dev *hdev, bdaddr_t *rpa)
2958 struct smp_irk *irk;
2960 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2961 if (!bacmp(&irk->rpa, rpa))
2965 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2966 if (smp_irk_matches(hdev->tfm_aes, irk->val, rpa)) {
2967 bacpy(&irk->rpa, rpa);
2975 struct smp_irk *hci_find_irk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
2978 struct smp_irk *irk;
2980 /* Identity Address must be public or static random */
2981 if (addr_type == ADDR_LE_DEV_RANDOM && (bdaddr->b[5] & 0xc0) != 0xc0)
2984 list_for_each_entry(irk, &hdev->identity_resolving_keys, list) {
2985 if (addr_type == irk->addr_type &&
2986 bacmp(bdaddr, &irk->bdaddr) == 0)
2993 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
2994 bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
2996 struct link_key *key, *old_key;
3000 old_key = hci_find_link_key(hdev, bdaddr);
3002 old_key_type = old_key->type;
3005 old_key_type = conn ? conn->key_type : 0xff;
3006 key = kzalloc(sizeof(*key), GFP_KERNEL);
3009 list_add(&key->list, &hdev->link_keys);
3012 BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
3014 /* Some buggy controller combinations generate a changed
3015 * combination key for legacy pairing even when there's no
3017 if (type == HCI_LK_CHANGED_COMBINATION &&
3018 (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
3019 type = HCI_LK_COMBINATION;
3021 conn->key_type = type;
3024 bacpy(&key->bdaddr, bdaddr);
3025 memcpy(key->val, val, HCI_LINK_KEY_SIZE);
3026 key->pin_len = pin_len;
3028 if (type == HCI_LK_CHANGED_COMBINATION)
3029 key->type = old_key_type;
3036 persistent = hci_persistent_key(hdev, conn, type, old_key_type);
3038 mgmt_new_link_key(hdev, key, persistent);
3041 conn->flush_key = !persistent;
3046 struct smp_ltk *hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr,
3047 u8 addr_type, u8 type, u8 authenticated,
3048 u8 tk[16], u8 enc_size, __le16 ediv, __le64 rand)
3050 struct smp_ltk *key, *old_key;
3051 bool master = ltk_type_master(type);
3053 old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type, master);
3057 key = kzalloc(sizeof(*key), GFP_KERNEL);
3060 list_add(&key->list, &hdev->long_term_keys);
3063 bacpy(&key->bdaddr, bdaddr);
3064 key->bdaddr_type = addr_type;
3065 memcpy(key->val, tk, sizeof(key->val));
3066 key->authenticated = authenticated;
3069 key->enc_size = enc_size;
3075 struct smp_irk *hci_add_irk(struct hci_dev *hdev, bdaddr_t *bdaddr,
3076 u8 addr_type, u8 val[16], bdaddr_t *rpa)
3078 struct smp_irk *irk;
3080 irk = hci_find_irk_by_addr(hdev, bdaddr, addr_type);
3082 irk = kzalloc(sizeof(*irk), GFP_KERNEL);
3086 bacpy(&irk->bdaddr, bdaddr);
3087 irk->addr_type = addr_type;
3089 list_add(&irk->list, &hdev->identity_resolving_keys);
3092 memcpy(irk->val, val, 16);
3093 bacpy(&irk->rpa, rpa);
3098 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
3100 struct link_key *key;
3102 key = hci_find_link_key(hdev, bdaddr);
3106 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
3108 list_del(&key->list);
3114 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 bdaddr_type)
3116 struct smp_ltk *k, *tmp;
3119 list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
3120 if (bacmp(bdaddr, &k->bdaddr) || k->bdaddr_type != bdaddr_type)
3123 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
3130 return removed ? 0 : -ENOENT;
3133 void hci_remove_irk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type)
3135 struct smp_irk *k, *tmp;
3137 list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
3138 if (bacmp(bdaddr, &k->bdaddr) || k->addr_type != addr_type)
3141 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
3148 /* HCI command timer function */
3149 static void hci_cmd_timeout(unsigned long arg)
3151 struct hci_dev *hdev = (void *) arg;
3153 if (hdev->sent_cmd) {
3154 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
3155 u16 opcode = __le16_to_cpu(sent->opcode);
3157 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
3159 BT_ERR("%s command tx timeout", hdev->name);
3162 atomic_set(&hdev->cmd_cnt, 1);
3163 queue_work(hdev->workqueue, &hdev->cmd_work);
3166 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
3169 struct oob_data *data;
3171 list_for_each_entry(data, &hdev->remote_oob_data, list)
3172 if (bacmp(bdaddr, &data->bdaddr) == 0)
3178 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
3180 struct oob_data *data;
3182 data = hci_find_remote_oob_data(hdev, bdaddr);
3186 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
3188 list_del(&data->list);
3194 void hci_remote_oob_data_clear(struct hci_dev *hdev)
3196 struct oob_data *data, *n;
3198 list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
3199 list_del(&data->list);
3204 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3205 u8 *hash, u8 *randomizer)
3207 struct oob_data *data;
3209 data = hci_find_remote_oob_data(hdev, bdaddr);
3211 data = kmalloc(sizeof(*data), GFP_KERNEL);
3215 bacpy(&data->bdaddr, bdaddr);
3216 list_add(&data->list, &hdev->remote_oob_data);
3219 memcpy(data->hash192, hash, sizeof(data->hash192));
3220 memcpy(data->randomizer192, randomizer, sizeof(data->randomizer192));
3222 memset(data->hash256, 0, sizeof(data->hash256));
3223 memset(data->randomizer256, 0, sizeof(data->randomizer256));
3225 BT_DBG("%s for %pMR", hdev->name, bdaddr);
3230 int hci_add_remote_oob_ext_data(struct hci_dev *hdev, bdaddr_t *bdaddr,
3231 u8 *hash192, u8 *randomizer192,
3232 u8 *hash256, u8 *randomizer256)
3234 struct oob_data *data;
3236 data = hci_find_remote_oob_data(hdev, bdaddr);
3238 data = kmalloc(sizeof(*data), GFP_KERNEL);
3242 bacpy(&data->bdaddr, bdaddr);
3243 list_add(&data->list, &hdev->remote_oob_data);
3246 memcpy(data->hash192, hash192, sizeof(data->hash192));
3247 memcpy(data->randomizer192, randomizer192, sizeof(data->randomizer192));
3249 memcpy(data->hash256, hash256, sizeof(data->hash256));
3250 memcpy(data->randomizer256, randomizer256, sizeof(data->randomizer256));
3252 BT_DBG("%s for %pMR", hdev->name, bdaddr);
3257 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev,
3258 bdaddr_t *bdaddr, u8 type)
3260 struct bdaddr_list *b;
3262 list_for_each_entry(b, &hdev->blacklist, list) {
3263 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
3270 static void hci_blacklist_clear(struct hci_dev *hdev)
3272 struct list_head *p, *n;
3274 list_for_each_safe(p, n, &hdev->blacklist) {
3275 struct bdaddr_list *b = list_entry(p, struct bdaddr_list, list);
3282 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3284 struct bdaddr_list *entry;
3286 if (!bacmp(bdaddr, BDADDR_ANY))
3289 if (hci_blacklist_lookup(hdev, bdaddr, type))
3292 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
3296 bacpy(&entry->bdaddr, bdaddr);
3297 entry->bdaddr_type = type;
3299 list_add(&entry->list, &hdev->blacklist);
3301 return mgmt_device_blocked(hdev, bdaddr, type);
3304 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3306 struct bdaddr_list *entry;
3308 if (!bacmp(bdaddr, BDADDR_ANY)) {
3309 hci_blacklist_clear(hdev);
3313 entry = hci_blacklist_lookup(hdev, bdaddr, type);
3317 list_del(&entry->list);
3320 return mgmt_device_unblocked(hdev, bdaddr, type);
3323 struct bdaddr_list *hci_white_list_lookup(struct hci_dev *hdev,
3324 bdaddr_t *bdaddr, u8 type)
3326 struct bdaddr_list *b;
3328 list_for_each_entry(b, &hdev->le_white_list, list) {
3329 if (!bacmp(&b->bdaddr, bdaddr) && b->bdaddr_type == type)
3336 void hci_white_list_clear(struct hci_dev *hdev)
3338 struct list_head *p, *n;
3340 list_for_each_safe(p, n, &hdev->le_white_list) {
3341 struct bdaddr_list *b = list_entry(p, struct bdaddr_list, list);
3348 int hci_white_list_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3350 struct bdaddr_list *entry;
3352 if (!bacmp(bdaddr, BDADDR_ANY))
3355 entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
3359 bacpy(&entry->bdaddr, bdaddr);
3360 entry->bdaddr_type = type;
3362 list_add(&entry->list, &hdev->le_white_list);
3367 int hci_white_list_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
3369 struct bdaddr_list *entry;
3371 if (!bacmp(bdaddr, BDADDR_ANY))
3374 entry = hci_white_list_lookup(hdev, bdaddr, type);
3378 list_del(&entry->list);
3384 /* This function requires the caller holds hdev->lock */
3385 struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev,
3386 bdaddr_t *addr, u8 addr_type)
3388 struct hci_conn_params *params;
3390 list_for_each_entry(params, &hdev->le_conn_params, list) {
3391 if (bacmp(¶ms->addr, addr) == 0 &&
3392 params->addr_type == addr_type) {
3400 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
3402 struct hci_conn *conn;
3404 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
3408 if (conn->dst_type != type)
3411 if (conn->state != BT_CONNECTED)
3417 static bool is_identity_address(bdaddr_t *addr, u8 addr_type)
3419 if (addr_type == ADDR_LE_DEV_PUBLIC)
3422 /* Check for Random Static address type */
3423 if ((addr->b[5] & 0xc0) == 0xc0)
3429 /* This function requires the caller holds hdev->lock */
3430 int hci_conn_params_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type,
3431 u8 auto_connect, u16 conn_min_interval,
3432 u16 conn_max_interval)
3434 struct hci_conn_params *params;
3436 if (!is_identity_address(addr, addr_type))
3439 params = hci_conn_params_lookup(hdev, addr, addr_type);
3443 params = kzalloc(sizeof(*params), GFP_KERNEL);
3445 BT_ERR("Out of memory");
3449 bacpy(¶ms->addr, addr);
3450 params->addr_type = addr_type;
3452 list_add(¶ms->list, &hdev->le_conn_params);
3455 params->conn_min_interval = conn_min_interval;
3456 params->conn_max_interval = conn_max_interval;
3457 params->auto_connect = auto_connect;
3459 switch (auto_connect) {
3460 case HCI_AUTO_CONN_DISABLED:
3461 case HCI_AUTO_CONN_LINK_LOSS:
3462 hci_pend_le_conn_del(hdev, addr, addr_type);
3464 case HCI_AUTO_CONN_ALWAYS:
3465 if (!is_connected(hdev, addr, addr_type))
3466 hci_pend_le_conn_add(hdev, addr, addr_type);
3470 BT_DBG("addr %pMR (type %u) auto_connect %u conn_min_interval 0x%.4x "
3471 "conn_max_interval 0x%.4x", addr, addr_type, auto_connect,
3472 conn_min_interval, conn_max_interval);
3477 /* This function requires the caller holds hdev->lock */
3478 void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3480 struct hci_conn_params *params;
3482 params = hci_conn_params_lookup(hdev, addr, addr_type);
3486 hci_pend_le_conn_del(hdev, addr, addr_type);
3488 list_del(¶ms->list);
3491 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3494 /* This function requires the caller holds hdev->lock */
3495 void hci_conn_params_clear(struct hci_dev *hdev)
3497 struct hci_conn_params *params, *tmp;
3499 list_for_each_entry_safe(params, tmp, &hdev->le_conn_params, list) {
3500 list_del(¶ms->list);
3504 BT_DBG("All LE connection parameters were removed");
3507 /* This function requires the caller holds hdev->lock */
3508 struct bdaddr_list *hci_pend_le_conn_lookup(struct hci_dev *hdev,
3509 bdaddr_t *addr, u8 addr_type)
3511 struct bdaddr_list *entry;
3513 list_for_each_entry(entry, &hdev->pend_le_conns, list) {
3514 if (bacmp(&entry->bdaddr, addr) == 0 &&
3515 entry->bdaddr_type == addr_type)
3522 /* This function requires the caller holds hdev->lock */
3523 void hci_pend_le_conn_add(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3525 struct bdaddr_list *entry;
3527 entry = hci_pend_le_conn_lookup(hdev, addr, addr_type);
3531 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
3533 BT_ERR("Out of memory");
3537 bacpy(&entry->bdaddr, addr);
3538 entry->bdaddr_type = addr_type;
3540 list_add(&entry->list, &hdev->pend_le_conns);
3542 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3545 hci_update_background_scan(hdev);
3548 /* This function requires the caller holds hdev->lock */
3549 void hci_pend_le_conn_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type)
3551 struct bdaddr_list *entry;
3553 entry = hci_pend_le_conn_lookup(hdev, addr, addr_type);
3557 list_del(&entry->list);
3560 BT_DBG("addr %pMR (type %u)", addr, addr_type);
3563 hci_update_background_scan(hdev);
3566 /* This function requires the caller holds hdev->lock */
3567 void hci_pend_le_conns_clear(struct hci_dev *hdev)
3569 struct bdaddr_list *entry, *tmp;
3571 list_for_each_entry_safe(entry, tmp, &hdev->pend_le_conns, list) {
3572 list_del(&entry->list);
3576 BT_DBG("All LE pending connections cleared");
3579 static void inquiry_complete(struct hci_dev *hdev, u8 status)
3582 BT_ERR("Failed to start inquiry: status %d", status);
3585 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3586 hci_dev_unlock(hdev);
3591 static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status)
3593 /* General inquiry access code (GIAC) */
3594 u8 lap[3] = { 0x33, 0x8b, 0x9e };
3595 struct hci_request req;
3596 struct hci_cp_inquiry cp;
3600 BT_ERR("Failed to disable LE scanning: status %d", status);
3604 switch (hdev->discovery.type) {
3605 case DISCOV_TYPE_LE:
3607 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3608 hci_dev_unlock(hdev);
3611 case DISCOV_TYPE_INTERLEAVED:
3612 hci_req_init(&req, hdev);
3614 memset(&cp, 0, sizeof(cp));
3615 memcpy(&cp.lap, lap, sizeof(cp.lap));
3616 cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
3617 hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
3621 hci_inquiry_cache_flush(hdev);
3623 err = hci_req_run(&req, inquiry_complete);
3625 BT_ERR("Inquiry request failed: err %d", err);
3626 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3629 hci_dev_unlock(hdev);
3634 static void le_scan_disable_work(struct work_struct *work)
3636 struct hci_dev *hdev = container_of(work, struct hci_dev,
3637 le_scan_disable.work);
3638 struct hci_request req;
3641 BT_DBG("%s", hdev->name);
3643 hci_req_init(&req, hdev);
3645 hci_req_add_le_scan_disable(&req);
3647 err = hci_req_run(&req, le_scan_disable_work_complete);
3649 BT_ERR("Disable LE scanning request failed: err %d", err);
3652 static void set_random_addr(struct hci_request *req, bdaddr_t *rpa)
3654 struct hci_dev *hdev = req->hdev;
3656 /* If we're advertising or initiating an LE connection we can't
3657 * go ahead and change the random address at this time. This is
3658 * because the eventual initiator address used for the
3659 * subsequently created connection will be undefined (some
3660 * controllers use the new address and others the one we had
3661 * when the operation started).
3663 * In this kind of scenario skip the update and let the random
3664 * address be updated at the next cycle.
3666 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags) ||
3667 hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT)) {
3668 BT_DBG("Deferring random address update");
3672 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6, rpa);
3675 int hci_update_random_address(struct hci_request *req, bool require_privacy,
3678 struct hci_dev *hdev = req->hdev;
3681 /* If privacy is enabled use a resolvable private address. If
3682 * current RPA has expired or there is something else than
3683 * the current RPA in use, then generate a new one.
3685 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3688 *own_addr_type = ADDR_LE_DEV_RANDOM;
3690 if (!test_and_clear_bit(HCI_RPA_EXPIRED, &hdev->dev_flags) &&
3691 !bacmp(&hdev->random_addr, &hdev->rpa))
3694 err = smp_generate_rpa(hdev->tfm_aes, hdev->irk, &hdev->rpa);
3696 BT_ERR("%s failed to generate new RPA", hdev->name);
3700 set_random_addr(req, &hdev->rpa);
3702 to = msecs_to_jiffies(hdev->rpa_timeout * 1000);
3703 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired, to);
3708 /* In case of required privacy without resolvable private address,
3709 * use an unresolvable private address. This is useful for active
3710 * scanning and non-connectable advertising.
3712 if (require_privacy) {
3715 get_random_bytes(&urpa, 6);
3716 urpa.b[5] &= 0x3f; /* Clear two most significant bits */
3718 *own_addr_type = ADDR_LE_DEV_RANDOM;
3719 set_random_addr(req, &urpa);
3723 /* If forcing static address is in use or there is no public
3724 * address use the static address as random address (but skip
3725 * the HCI command if the current random address is already the
3728 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
3729 !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
3730 *own_addr_type = ADDR_LE_DEV_RANDOM;
3731 if (bacmp(&hdev->static_addr, &hdev->random_addr))
3732 hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
3733 &hdev->static_addr);
3737 /* Neither privacy nor static address is being used so use a
3740 *own_addr_type = ADDR_LE_DEV_PUBLIC;
3745 /* Copy the Identity Address of the controller.
3747 * If the controller has a public BD_ADDR, then by default use that one.
3748 * If this is a LE only controller without a public address, default to
3749 * the static random address.
3751 * For debugging purposes it is possible to force controllers with a
3752 * public address to use the static random address instead.
3754 void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
3757 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
3758 !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
3759 bacpy(bdaddr, &hdev->static_addr);
3760 *bdaddr_type = ADDR_LE_DEV_RANDOM;
3762 bacpy(bdaddr, &hdev->bdaddr);
3763 *bdaddr_type = ADDR_LE_DEV_PUBLIC;
3767 /* Alloc HCI device */
3768 struct hci_dev *hci_alloc_dev(void)
3770 struct hci_dev *hdev;
3772 hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
3776 hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
3777 hdev->esco_type = (ESCO_HV1);
3778 hdev->link_mode = (HCI_LM_ACCEPT);
3779 hdev->num_iac = 0x01; /* One IAC support is mandatory */
3780 hdev->io_capability = 0x03; /* No Input No Output */
3781 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
3782 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
3784 hdev->sniff_max_interval = 800;
3785 hdev->sniff_min_interval = 80;
3787 hdev->le_adv_channel_map = 0x07;
3788 hdev->le_scan_interval = 0x0060;
3789 hdev->le_scan_window = 0x0030;
3790 hdev->le_conn_min_interval = 0x0028;
3791 hdev->le_conn_max_interval = 0x0038;
3793 hdev->rpa_timeout = HCI_DEFAULT_RPA_TIMEOUT;
3795 mutex_init(&hdev->lock);
3796 mutex_init(&hdev->req_lock);
3798 INIT_LIST_HEAD(&hdev->mgmt_pending);
3799 INIT_LIST_HEAD(&hdev->blacklist);
3800 INIT_LIST_HEAD(&hdev->uuids);
3801 INIT_LIST_HEAD(&hdev->link_keys);
3802 INIT_LIST_HEAD(&hdev->long_term_keys);
3803 INIT_LIST_HEAD(&hdev->identity_resolving_keys);
3804 INIT_LIST_HEAD(&hdev->remote_oob_data);
3805 INIT_LIST_HEAD(&hdev->le_white_list);
3806 INIT_LIST_HEAD(&hdev->le_conn_params);
3807 INIT_LIST_HEAD(&hdev->pend_le_conns);
3808 INIT_LIST_HEAD(&hdev->conn_hash.list);
3810 INIT_WORK(&hdev->rx_work, hci_rx_work);
3811 INIT_WORK(&hdev->cmd_work, hci_cmd_work);
3812 INIT_WORK(&hdev->tx_work, hci_tx_work);
3813 INIT_WORK(&hdev->power_on, hci_power_on);
3815 INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
3816 INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
3817 INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
3819 skb_queue_head_init(&hdev->rx_q);
3820 skb_queue_head_init(&hdev->cmd_q);
3821 skb_queue_head_init(&hdev->raw_q);
3823 init_waitqueue_head(&hdev->req_wait_q);
3825 setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
3827 hci_init_sysfs(hdev);
3828 discovery_init(hdev);
3832 EXPORT_SYMBOL(hci_alloc_dev);
3834 /* Free HCI device */
3835 void hci_free_dev(struct hci_dev *hdev)
3837 /* will free via device release */
3838 put_device(&hdev->dev);
3840 EXPORT_SYMBOL(hci_free_dev);
3842 /* Register HCI device */
3843 int hci_register_dev(struct hci_dev *hdev)
3847 if (!hdev->open || !hdev->close)
3850 /* Do not allow HCI_AMP devices to register at index 0,
3851 * so the index can be used as the AMP controller ID.
3853 switch (hdev->dev_type) {
3855 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
3858 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
3867 sprintf(hdev->name, "hci%d", id);
3870 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3872 hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3873 WQ_MEM_RECLAIM, 1, hdev->name);
3874 if (!hdev->workqueue) {
3879 hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
3880 WQ_MEM_RECLAIM, 1, hdev->name);
3881 if (!hdev->req_workqueue) {
3882 destroy_workqueue(hdev->workqueue);
3887 if (!IS_ERR_OR_NULL(bt_debugfs))
3888 hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
3890 dev_set_name(&hdev->dev, "%s", hdev->name);
3892 hdev->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0,
3894 if (IS_ERR(hdev->tfm_aes)) {
3895 BT_ERR("Unable to create crypto context");
3896 error = PTR_ERR(hdev->tfm_aes);
3897 hdev->tfm_aes = NULL;
3901 error = device_add(&hdev->dev);
3905 hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
3906 RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
3909 if (rfkill_register(hdev->rfkill) < 0) {
3910 rfkill_destroy(hdev->rfkill);
3911 hdev->rfkill = NULL;
3915 if (hdev->rfkill && rfkill_blocked(hdev->rfkill))
3916 set_bit(HCI_RFKILLED, &hdev->dev_flags);
3918 set_bit(HCI_SETUP, &hdev->dev_flags);
3919 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
3921 if (hdev->dev_type == HCI_BREDR) {
3922 /* Assume BR/EDR support until proven otherwise (such as
3923 * through reading supported features during init.
3925 set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
3928 write_lock(&hci_dev_list_lock);
3929 list_add(&hdev->list, &hci_dev_list);
3930 write_unlock(&hci_dev_list_lock);
3932 hci_notify(hdev, HCI_DEV_REG);
3935 queue_work(hdev->req_workqueue, &hdev->power_on);
3940 crypto_free_blkcipher(hdev->tfm_aes);
3942 destroy_workqueue(hdev->workqueue);
3943 destroy_workqueue(hdev->req_workqueue);
3945 ida_simple_remove(&hci_index_ida, hdev->id);
3949 EXPORT_SYMBOL(hci_register_dev);
3951 /* Unregister HCI device */
3952 void hci_unregister_dev(struct hci_dev *hdev)
3956 BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
3958 set_bit(HCI_UNREGISTER, &hdev->dev_flags);
3962 write_lock(&hci_dev_list_lock);
3963 list_del(&hdev->list);
3964 write_unlock(&hci_dev_list_lock);
3966 hci_dev_do_close(hdev);
3968 for (i = 0; i < NUM_REASSEMBLY; i++)
3969 kfree_skb(hdev->reassembly[i]);
3971 cancel_work_sync(&hdev->power_on);
3973 if (!test_bit(HCI_INIT, &hdev->flags) &&
3974 !test_bit(HCI_SETUP, &hdev->dev_flags)) {
3976 mgmt_index_removed(hdev);
3977 hci_dev_unlock(hdev);
3980 /* mgmt_index_removed should take care of emptying the
3982 BUG_ON(!list_empty(&hdev->mgmt_pending));
3984 hci_notify(hdev, HCI_DEV_UNREG);
3987 rfkill_unregister(hdev->rfkill);
3988 rfkill_destroy(hdev->rfkill);
3992 crypto_free_blkcipher(hdev->tfm_aes);
3994 device_del(&hdev->dev);
3996 debugfs_remove_recursive(hdev->debugfs);
3998 destroy_workqueue(hdev->workqueue);
3999 destroy_workqueue(hdev->req_workqueue);
4002 hci_blacklist_clear(hdev);
4003 hci_uuids_clear(hdev);
4004 hci_link_keys_clear(hdev);
4005 hci_smp_ltks_clear(hdev);
4006 hci_smp_irks_clear(hdev);
4007 hci_remote_oob_data_clear(hdev);
4008 hci_white_list_clear(hdev);
4009 hci_conn_params_clear(hdev);
4010 hci_pend_le_conns_clear(hdev);
4011 hci_dev_unlock(hdev);
4015 ida_simple_remove(&hci_index_ida, id);
4017 EXPORT_SYMBOL(hci_unregister_dev);
4019 /* Suspend HCI device */
4020 int hci_suspend_dev(struct hci_dev *hdev)
4022 hci_notify(hdev, HCI_DEV_SUSPEND);
4025 EXPORT_SYMBOL(hci_suspend_dev);
4027 /* Resume HCI device */
4028 int hci_resume_dev(struct hci_dev *hdev)
4030 hci_notify(hdev, HCI_DEV_RESUME);
4033 EXPORT_SYMBOL(hci_resume_dev);
4035 /* Receive frame from HCI drivers */
4036 int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
4038 if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
4039 && !test_bit(HCI_INIT, &hdev->flags))) {
4045 bt_cb(skb)->incoming = 1;
4048 __net_timestamp(skb);
4050 skb_queue_tail(&hdev->rx_q, skb);
4051 queue_work(hdev->workqueue, &hdev->rx_work);
4055 EXPORT_SYMBOL(hci_recv_frame);
4057 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
4058 int count, __u8 index)
4063 struct sk_buff *skb;
4064 struct bt_skb_cb *scb;
4066 if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
4067 index >= NUM_REASSEMBLY)
4070 skb = hdev->reassembly[index];
4074 case HCI_ACLDATA_PKT:
4075 len = HCI_MAX_FRAME_SIZE;
4076 hlen = HCI_ACL_HDR_SIZE;
4079 len = HCI_MAX_EVENT_SIZE;
4080 hlen = HCI_EVENT_HDR_SIZE;
4082 case HCI_SCODATA_PKT:
4083 len = HCI_MAX_SCO_SIZE;
4084 hlen = HCI_SCO_HDR_SIZE;
4088 skb = bt_skb_alloc(len, GFP_ATOMIC);
4092 scb = (void *) skb->cb;
4094 scb->pkt_type = type;
4096 hdev->reassembly[index] = skb;
4100 scb = (void *) skb->cb;
4101 len = min_t(uint, scb->expect, count);
4103 memcpy(skb_put(skb, len), data, len);
4112 if (skb->len == HCI_EVENT_HDR_SIZE) {
4113 struct hci_event_hdr *h = hci_event_hdr(skb);
4114 scb->expect = h->plen;
4116 if (skb_tailroom(skb) < scb->expect) {
4118 hdev->reassembly[index] = NULL;
4124 case HCI_ACLDATA_PKT:
4125 if (skb->len == HCI_ACL_HDR_SIZE) {
4126 struct hci_acl_hdr *h = hci_acl_hdr(skb);
4127 scb->expect = __le16_to_cpu(h->dlen);
4129 if (skb_tailroom(skb) < scb->expect) {
4131 hdev->reassembly[index] = NULL;
4137 case HCI_SCODATA_PKT:
4138 if (skb->len == HCI_SCO_HDR_SIZE) {
4139 struct hci_sco_hdr *h = hci_sco_hdr(skb);
4140 scb->expect = h->dlen;
4142 if (skb_tailroom(skb) < scb->expect) {
4144 hdev->reassembly[index] = NULL;
4151 if (scb->expect == 0) {
4152 /* Complete frame */
4154 bt_cb(skb)->pkt_type = type;
4155 hci_recv_frame(hdev, skb);
4157 hdev->reassembly[index] = NULL;
4165 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
4169 if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
4173 rem = hci_reassembly(hdev, type, data, count, type - 1);
4177 data += (count - rem);
4183 EXPORT_SYMBOL(hci_recv_fragment);
4185 #define STREAM_REASSEMBLY 0
4187 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
4193 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
4196 struct { char type; } *pkt;
4198 /* Start of the frame */
4205 type = bt_cb(skb)->pkt_type;
4207 rem = hci_reassembly(hdev, type, data, count,
4212 data += (count - rem);
4218 EXPORT_SYMBOL(hci_recv_stream_fragment);
4220 /* ---- Interface to upper protocols ---- */
4222 int hci_register_cb(struct hci_cb *cb)
4224 BT_DBG("%p name %s", cb, cb->name);
4226 write_lock(&hci_cb_list_lock);
4227 list_add(&cb->list, &hci_cb_list);
4228 write_unlock(&hci_cb_list_lock);
4232 EXPORT_SYMBOL(hci_register_cb);
4234 int hci_unregister_cb(struct hci_cb *cb)
4236 BT_DBG("%p name %s", cb, cb->name);
4238 write_lock(&hci_cb_list_lock);
4239 list_del(&cb->list);
4240 write_unlock(&hci_cb_list_lock);
4244 EXPORT_SYMBOL(hci_unregister_cb);
4246 static void hci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
4248 BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
4251 __net_timestamp(skb);
4253 /* Send copy to monitor */
4254 hci_send_to_monitor(hdev, skb);
4256 if (atomic_read(&hdev->promisc)) {
4257 /* Send copy to the sockets */
4258 hci_send_to_sock(hdev, skb);
4261 /* Get rid of skb owner, prior to sending to the driver. */
4264 if (hdev->send(hdev, skb) < 0)
4265 BT_ERR("%s sending frame failed", hdev->name);
4268 void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
4270 skb_queue_head_init(&req->cmd_q);
4275 int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
4277 struct hci_dev *hdev = req->hdev;
4278 struct sk_buff *skb;
4279 unsigned long flags;
4281 BT_DBG("length %u", skb_queue_len(&req->cmd_q));
4283 /* If an error occured during request building, remove all HCI
4284 * commands queued on the HCI request queue.
4287 skb_queue_purge(&req->cmd_q);
4291 /* Do not allow empty requests */
4292 if (skb_queue_empty(&req->cmd_q))
4295 skb = skb_peek_tail(&req->cmd_q);
4296 bt_cb(skb)->req.complete = complete;
4298 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
4299 skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
4300 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
4302 queue_work(hdev->workqueue, &hdev->cmd_work);
4307 static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
4308 u32 plen, const void *param)
4310 int len = HCI_COMMAND_HDR_SIZE + plen;
4311 struct hci_command_hdr *hdr;
4312 struct sk_buff *skb;
4314 skb = bt_skb_alloc(len, GFP_ATOMIC);
4318 hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
4319 hdr->opcode = cpu_to_le16(opcode);
4323 memcpy(skb_put(skb, plen), param, plen);
4325 BT_DBG("skb len %d", skb->len);
4327 bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
4332 /* Send HCI command */
4333 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
4336 struct sk_buff *skb;
4338 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
4340 skb = hci_prepare_cmd(hdev, opcode, plen, param);
4342 BT_ERR("%s no memory for command", hdev->name);
4346 /* Stand-alone HCI commands must be flaged as
4347 * single-command requests.
4349 bt_cb(skb)->req.start = true;
4351 skb_queue_tail(&hdev->cmd_q, skb);
4352 queue_work(hdev->workqueue, &hdev->cmd_work);
4357 /* Queue a command to an asynchronous HCI request */
4358 void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen,
4359 const void *param, u8 event)
4361 struct hci_dev *hdev = req->hdev;
4362 struct sk_buff *skb;
4364 BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
4366 /* If an error occured during request building, there is no point in
4367 * queueing the HCI command. We can simply return.
4372 skb = hci_prepare_cmd(hdev, opcode, plen, param);
4374 BT_ERR("%s no memory for command (opcode 0x%4.4x)",
4375 hdev->name, opcode);
4380 if (skb_queue_empty(&req->cmd_q))
4381 bt_cb(skb)->req.start = true;
4383 bt_cb(skb)->req.event = event;
4385 skb_queue_tail(&req->cmd_q, skb);
4388 void hci_req_add(struct hci_request *req, u16 opcode, u32 plen,
4391 hci_req_add_ev(req, opcode, plen, param, 0);
4394 /* Get data from the previously sent command */
4395 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
4397 struct hci_command_hdr *hdr;
4399 if (!hdev->sent_cmd)
4402 hdr = (void *) hdev->sent_cmd->data;
4404 if (hdr->opcode != cpu_to_le16(opcode))
4407 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
4409 return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
4413 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
4415 struct hci_acl_hdr *hdr;
4418 skb_push(skb, HCI_ACL_HDR_SIZE);
4419 skb_reset_transport_header(skb);
4420 hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
4421 hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
4422 hdr->dlen = cpu_to_le16(len);
4425 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
4426 struct sk_buff *skb, __u16 flags)
4428 struct hci_conn *conn = chan->conn;
4429 struct hci_dev *hdev = conn->hdev;
4430 struct sk_buff *list;
4432 skb->len = skb_headlen(skb);
4435 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
4437 switch (hdev->dev_type) {
4439 hci_add_acl_hdr(skb, conn->handle, flags);
4442 hci_add_acl_hdr(skb, chan->handle, flags);
4445 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
4449 list = skb_shinfo(skb)->frag_list;
4451 /* Non fragmented */
4452 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
4454 skb_queue_tail(queue, skb);
4457 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
4459 skb_shinfo(skb)->frag_list = NULL;
4461 /* Queue all fragments atomically */
4462 spin_lock(&queue->lock);
4464 __skb_queue_tail(queue, skb);
4466 flags &= ~ACL_START;
4469 skb = list; list = list->next;
4471 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
4472 hci_add_acl_hdr(skb, conn->handle, flags);
4474 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
4476 __skb_queue_tail(queue, skb);
4479 spin_unlock(&queue->lock);
4483 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
4485 struct hci_dev *hdev = chan->conn->hdev;
4487 BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
4489 hci_queue_acl(chan, &chan->data_q, skb, flags);
4491 queue_work(hdev->workqueue, &hdev->tx_work);
4495 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
4497 struct hci_dev *hdev = conn->hdev;
4498 struct hci_sco_hdr hdr;
4500 BT_DBG("%s len %d", hdev->name, skb->len);
4502 hdr.handle = cpu_to_le16(conn->handle);
4503 hdr.dlen = skb->len;
4505 skb_push(skb, HCI_SCO_HDR_SIZE);
4506 skb_reset_transport_header(skb);
4507 memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
4509 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
4511 skb_queue_tail(&conn->data_q, skb);
4512 queue_work(hdev->workqueue, &hdev->tx_work);
4515 /* ---- HCI TX task (outgoing data) ---- */
4517 /* HCI Connection scheduler */
4518 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
4521 struct hci_conn_hash *h = &hdev->conn_hash;
4522 struct hci_conn *conn = NULL, *c;
4523 unsigned int num = 0, min = ~0;
4525 /* We don't have to lock device here. Connections are always
4526 * added and removed with TX task disabled. */
4530 list_for_each_entry_rcu(c, &h->list, list) {
4531 if (c->type != type || skb_queue_empty(&c->data_q))
4534 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
4539 if (c->sent < min) {
4544 if (hci_conn_num(hdev, type) == num)
4553 switch (conn->type) {
4555 cnt = hdev->acl_cnt;
4559 cnt = hdev->sco_cnt;
4562 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
4566 BT_ERR("Unknown link type");
4574 BT_DBG("conn %p quote %d", conn, *quote);
4578 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
4580 struct hci_conn_hash *h = &hdev->conn_hash;
4583 BT_ERR("%s link tx timeout", hdev->name);
4587 /* Kill stalled connections */
4588 list_for_each_entry_rcu(c, &h->list, list) {
4589 if (c->type == type && c->sent) {
4590 BT_ERR("%s killing stalled connection %pMR",
4591 hdev->name, &c->dst);
4592 hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
4599 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
4602 struct hci_conn_hash *h = &hdev->conn_hash;
4603 struct hci_chan *chan = NULL;
4604 unsigned int num = 0, min = ~0, cur_prio = 0;
4605 struct hci_conn *conn;
4606 int cnt, q, conn_num = 0;
4608 BT_DBG("%s", hdev->name);
4612 list_for_each_entry_rcu(conn, &h->list, list) {
4613 struct hci_chan *tmp;
4615 if (conn->type != type)
4618 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
4623 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
4624 struct sk_buff *skb;
4626 if (skb_queue_empty(&tmp->data_q))
4629 skb = skb_peek(&tmp->data_q);
4630 if (skb->priority < cur_prio)
4633 if (skb->priority > cur_prio) {
4636 cur_prio = skb->priority;
4641 if (conn->sent < min) {
4647 if (hci_conn_num(hdev, type) == conn_num)
4656 switch (chan->conn->type) {
4658 cnt = hdev->acl_cnt;
4661 cnt = hdev->block_cnt;
4665 cnt = hdev->sco_cnt;
4668 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
4672 BT_ERR("Unknown link type");
4677 BT_DBG("chan %p quote %d", chan, *quote);
4681 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
4683 struct hci_conn_hash *h = &hdev->conn_hash;
4684 struct hci_conn *conn;
4687 BT_DBG("%s", hdev->name);
4691 list_for_each_entry_rcu(conn, &h->list, list) {
4692 struct hci_chan *chan;
4694 if (conn->type != type)
4697 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
4702 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
4703 struct sk_buff *skb;
4710 if (skb_queue_empty(&chan->data_q))
4713 skb = skb_peek(&chan->data_q);
4714 if (skb->priority >= HCI_PRIO_MAX - 1)
4717 skb->priority = HCI_PRIO_MAX - 1;
4719 BT_DBG("chan %p skb %p promoted to %d", chan, skb,
4723 if (hci_conn_num(hdev, type) == num)
4731 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
4733 /* Calculate count of blocks used by this packet */
4734 return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
4737 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
4739 if (!test_bit(HCI_RAW, &hdev->flags)) {
4740 /* ACL tx timeout must be longer than maximum
4741 * link supervision timeout (40.9 seconds) */
4742 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
4743 HCI_ACL_TX_TIMEOUT))
4744 hci_link_tx_to(hdev, ACL_LINK);
4748 static void hci_sched_acl_pkt(struct hci_dev *hdev)
4750 unsigned int cnt = hdev->acl_cnt;
4751 struct hci_chan *chan;
4752 struct sk_buff *skb;
4755 __check_timeout(hdev, cnt);
4757 while (hdev->acl_cnt &&
4758 (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
4759 u32 priority = (skb_peek(&chan->data_q))->priority;
4760 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4761 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4762 skb->len, skb->priority);
4764 /* Stop if priority has changed */
4765 if (skb->priority < priority)
4768 skb = skb_dequeue(&chan->data_q);
4770 hci_conn_enter_active_mode(chan->conn,
4771 bt_cb(skb)->force_active);
4773 hci_send_frame(hdev, skb);
4774 hdev->acl_last_tx = jiffies;
4782 if (cnt != hdev->acl_cnt)
4783 hci_prio_recalculate(hdev, ACL_LINK);
4786 static void hci_sched_acl_blk(struct hci_dev *hdev)
4788 unsigned int cnt = hdev->block_cnt;
4789 struct hci_chan *chan;
4790 struct sk_buff *skb;
4794 __check_timeout(hdev, cnt);
4796 BT_DBG("%s", hdev->name);
4798 if (hdev->dev_type == HCI_AMP)
4803 while (hdev->block_cnt > 0 &&
4804 (chan = hci_chan_sent(hdev, type, "e))) {
4805 u32 priority = (skb_peek(&chan->data_q))->priority;
4806 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
4809 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4810 skb->len, skb->priority);
4812 /* Stop if priority has changed */
4813 if (skb->priority < priority)
4816 skb = skb_dequeue(&chan->data_q);
4818 blocks = __get_blocks(hdev, skb);
4819 if (blocks > hdev->block_cnt)
4822 hci_conn_enter_active_mode(chan->conn,
4823 bt_cb(skb)->force_active);
4825 hci_send_frame(hdev, skb);
4826 hdev->acl_last_tx = jiffies;
4828 hdev->block_cnt -= blocks;
4831 chan->sent += blocks;
4832 chan->conn->sent += blocks;
4836 if (cnt != hdev->block_cnt)
4837 hci_prio_recalculate(hdev, type);
4840 static void hci_sched_acl(struct hci_dev *hdev)
4842 BT_DBG("%s", hdev->name);
4844 /* No ACL link over BR/EDR controller */
4845 if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
4848 /* No AMP link over AMP controller */
4849 if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
4852 switch (hdev->flow_ctl_mode) {
4853 case HCI_FLOW_CTL_MODE_PACKET_BASED:
4854 hci_sched_acl_pkt(hdev);
4857 case HCI_FLOW_CTL_MODE_BLOCK_BASED:
4858 hci_sched_acl_blk(hdev);
4864 static void hci_sched_sco(struct hci_dev *hdev)
4866 struct hci_conn *conn;
4867 struct sk_buff *skb;
4870 BT_DBG("%s", hdev->name);
4872 if (!hci_conn_num(hdev, SCO_LINK))
4875 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, "e))) {
4876 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4877 BT_DBG("skb %p len %d", skb, skb->len);
4878 hci_send_frame(hdev, skb);
4881 if (conn->sent == ~0)
4887 static void hci_sched_esco(struct hci_dev *hdev)
4889 struct hci_conn *conn;
4890 struct sk_buff *skb;
4893 BT_DBG("%s", hdev->name);
4895 if (!hci_conn_num(hdev, ESCO_LINK))
4898 while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
4900 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
4901 BT_DBG("skb %p len %d", skb, skb->len);
4902 hci_send_frame(hdev, skb);
4905 if (conn->sent == ~0)
4911 static void hci_sched_le(struct hci_dev *hdev)
4913 struct hci_chan *chan;
4914 struct sk_buff *skb;
4915 int quote, cnt, tmp;
4917 BT_DBG("%s", hdev->name);
4919 if (!hci_conn_num(hdev, LE_LINK))
4922 if (!test_bit(HCI_RAW, &hdev->flags)) {
4923 /* LE tx timeout must be longer than maximum
4924 * link supervision timeout (40.9 seconds) */
4925 if (!hdev->le_cnt && hdev->le_pkts &&
4926 time_after(jiffies, hdev->le_last_tx + HZ * 45))
4927 hci_link_tx_to(hdev, LE_LINK);
4930 cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
4932 while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
4933 u32 priority = (skb_peek(&chan->data_q))->priority;
4934 while (quote-- && (skb = skb_peek(&chan->data_q))) {
4935 BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
4936 skb->len, skb->priority);
4938 /* Stop if priority has changed */
4939 if (skb->priority < priority)
4942 skb = skb_dequeue(&chan->data_q);
4944 hci_send_frame(hdev, skb);
4945 hdev->le_last_tx = jiffies;
4956 hdev->acl_cnt = cnt;
4959 hci_prio_recalculate(hdev, LE_LINK);
4962 static void hci_tx_work(struct work_struct *work)
4964 struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
4965 struct sk_buff *skb;
4967 BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
4968 hdev->sco_cnt, hdev->le_cnt);
4970 if (!test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
4971 /* Schedule queues and send stuff to HCI driver */
4972 hci_sched_acl(hdev);
4973 hci_sched_sco(hdev);
4974 hci_sched_esco(hdev);
4978 /* Send next queued raw (unknown type) packet */
4979 while ((skb = skb_dequeue(&hdev->raw_q)))
4980 hci_send_frame(hdev, skb);
4983 /* ----- HCI RX task (incoming data processing) ----- */
4985 /* ACL data packet */
4986 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
4988 struct hci_acl_hdr *hdr = (void *) skb->data;
4989 struct hci_conn *conn;
4990 __u16 handle, flags;
4992 skb_pull(skb, HCI_ACL_HDR_SIZE);
4994 handle = __le16_to_cpu(hdr->handle);
4995 flags = hci_flags(handle);
4996 handle = hci_handle(handle);
4998 BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
5001 hdev->stat.acl_rx++;
5004 conn = hci_conn_hash_lookup_handle(hdev, handle);
5005 hci_dev_unlock(hdev);
5008 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
5010 /* Send to upper protocol */
5011 l2cap_recv_acldata(conn, skb, flags);
5014 BT_ERR("%s ACL packet for unknown connection handle %d",
5015 hdev->name, handle);
5021 /* SCO data packet */
5022 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
5024 struct hci_sco_hdr *hdr = (void *) skb->data;
5025 struct hci_conn *conn;
5028 skb_pull(skb, HCI_SCO_HDR_SIZE);
5030 handle = __le16_to_cpu(hdr->handle);
5032 BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
5034 hdev->stat.sco_rx++;
5037 conn = hci_conn_hash_lookup_handle(hdev, handle);
5038 hci_dev_unlock(hdev);
5041 /* Send to upper protocol */
5042 sco_recv_scodata(conn, skb);
5045 BT_ERR("%s SCO packet for unknown connection handle %d",
5046 hdev->name, handle);
5052 static bool hci_req_is_complete(struct hci_dev *hdev)
5054 struct sk_buff *skb;
5056 skb = skb_peek(&hdev->cmd_q);
5060 return bt_cb(skb)->req.start;
5063 static void hci_resend_last(struct hci_dev *hdev)
5065 struct hci_command_hdr *sent;
5066 struct sk_buff *skb;
5069 if (!hdev->sent_cmd)
5072 sent = (void *) hdev->sent_cmd->data;
5073 opcode = __le16_to_cpu(sent->opcode);
5074 if (opcode == HCI_OP_RESET)
5077 skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
5081 skb_queue_head(&hdev->cmd_q, skb);
5082 queue_work(hdev->workqueue, &hdev->cmd_work);
5085 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
5087 hci_req_complete_t req_complete = NULL;
5088 struct sk_buff *skb;
5089 unsigned long flags;
5091 BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
5093 /* If the completed command doesn't match the last one that was
5094 * sent we need to do special handling of it.
5096 if (!hci_sent_cmd_data(hdev, opcode)) {
5097 /* Some CSR based controllers generate a spontaneous
5098 * reset complete event during init and any pending
5099 * command will never be completed. In such a case we
5100 * need to resend whatever was the last sent
5103 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
5104 hci_resend_last(hdev);
5109 /* If the command succeeded and there's still more commands in
5110 * this request the request is not yet complete.
5112 if (!status && !hci_req_is_complete(hdev))
5115 /* If this was the last command in a request the complete
5116 * callback would be found in hdev->sent_cmd instead of the
5117 * command queue (hdev->cmd_q).
5119 if (hdev->sent_cmd) {
5120 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
5123 /* We must set the complete callback to NULL to
5124 * avoid calling the callback more than once if
5125 * this function gets called again.
5127 bt_cb(hdev->sent_cmd)->req.complete = NULL;
5133 /* Remove all pending commands belonging to this request */
5134 spin_lock_irqsave(&hdev->cmd_q.lock, flags);
5135 while ((skb = __skb_dequeue(&hdev->cmd_q))) {
5136 if (bt_cb(skb)->req.start) {
5137 __skb_queue_head(&hdev->cmd_q, skb);
5141 req_complete = bt_cb(skb)->req.complete;
5144 spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
5148 req_complete(hdev, status);
5151 static void hci_rx_work(struct work_struct *work)
5153 struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
5154 struct sk_buff *skb;
5156 BT_DBG("%s", hdev->name);
5158 while ((skb = skb_dequeue(&hdev->rx_q))) {
5159 /* Send copy to monitor */
5160 hci_send_to_monitor(hdev, skb);
5162 if (atomic_read(&hdev->promisc)) {
5163 /* Send copy to the sockets */
5164 hci_send_to_sock(hdev, skb);
5167 if (test_bit(HCI_RAW, &hdev->flags) ||
5168 test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
5173 if (test_bit(HCI_INIT, &hdev->flags)) {
5174 /* Don't process data packets in this states. */
5175 switch (bt_cb(skb)->pkt_type) {
5176 case HCI_ACLDATA_PKT:
5177 case HCI_SCODATA_PKT:
5184 switch (bt_cb(skb)->pkt_type) {
5186 BT_DBG("%s Event packet", hdev->name);
5187 hci_event_packet(hdev, skb);
5190 case HCI_ACLDATA_PKT:
5191 BT_DBG("%s ACL data packet", hdev->name);
5192 hci_acldata_packet(hdev, skb);
5195 case HCI_SCODATA_PKT:
5196 BT_DBG("%s SCO data packet", hdev->name);
5197 hci_scodata_packet(hdev, skb);
5207 static void hci_cmd_work(struct work_struct *work)
5209 struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
5210 struct sk_buff *skb;
5212 BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
5213 atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
5215 /* Send queued commands */
5216 if (atomic_read(&hdev->cmd_cnt)) {
5217 skb = skb_dequeue(&hdev->cmd_q);
5221 kfree_skb(hdev->sent_cmd);
5223 hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
5224 if (hdev->sent_cmd) {
5225 atomic_dec(&hdev->cmd_cnt);
5226 hci_send_frame(hdev, skb);
5227 if (test_bit(HCI_RESET, &hdev->flags))
5228 del_timer(&hdev->cmd_timer);
5230 mod_timer(&hdev->cmd_timer,
5231 jiffies + HCI_CMD_TIMEOUT);
5233 skb_queue_head(&hdev->cmd_q, skb);
5234 queue_work(hdev->workqueue, &hdev->cmd_work);
5239 void hci_req_add_le_scan_disable(struct hci_request *req)
5241 struct hci_cp_le_set_scan_enable cp;
5243 memset(&cp, 0, sizeof(cp));
5244 cp.enable = LE_SCAN_DISABLE;
5245 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
5248 void hci_req_add_le_passive_scan(struct hci_request *req)
5250 struct hci_cp_le_set_scan_param param_cp;
5251 struct hci_cp_le_set_scan_enable enable_cp;
5252 struct hci_dev *hdev = req->hdev;
5255 /* Set require_privacy to true to avoid identification from
5256 * unknown peer devices. Since this is passive scanning, no
5257 * SCAN_REQ using the local identity should be sent. Mandating
5258 * privacy is just an extra precaution.
5260 if (hci_update_random_address(req, true, &own_addr_type))
5263 memset(¶m_cp, 0, sizeof(param_cp));
5264 param_cp.type = LE_SCAN_PASSIVE;
5265 param_cp.interval = cpu_to_le16(hdev->le_scan_interval);
5266 param_cp.window = cpu_to_le16(hdev->le_scan_window);
5267 param_cp.own_address_type = own_addr_type;
5268 hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
5271 memset(&enable_cp, 0, sizeof(enable_cp));
5272 enable_cp.enable = LE_SCAN_ENABLE;
5273 enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
5274 hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
5278 static void update_background_scan_complete(struct hci_dev *hdev, u8 status)
5281 BT_DBG("HCI request failed to update background scanning: "
5282 "status 0x%2.2x", status);
5285 /* This function controls the background scanning based on hdev->pend_le_conns
5286 * list. If there are pending LE connection we start the background scanning,
5287 * otherwise we stop it.
5289 * This function requires the caller holds hdev->lock.
5291 void hci_update_background_scan(struct hci_dev *hdev)
5293 struct hci_request req;
5294 struct hci_conn *conn;
5297 hci_req_init(&req, hdev);
5299 if (list_empty(&hdev->pend_le_conns)) {
5300 /* If there is no pending LE connections, we should stop
5301 * the background scanning.
5304 /* If controller is not scanning we are done. */
5305 if (!test_bit(HCI_LE_SCAN, &hdev->dev_flags))
5308 hci_req_add_le_scan_disable(&req);
5310 BT_DBG("%s stopping background scanning", hdev->name);
5312 /* If there is at least one pending LE connection, we should
5313 * keep the background scan running.
5316 /* If controller is connecting, we should not start scanning
5317 * since some controllers are not able to scan and connect at
5320 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
5324 /* If controller is currently scanning, we stop it to ensure we
5325 * don't miss any advertising (due to duplicates filter).
5327 if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
5328 hci_req_add_le_scan_disable(&req);
5330 hci_req_add_le_passive_scan(&req);
5332 BT_DBG("%s starting background scanning", hdev->name);
5335 err = hci_req_run(&req, update_background_scan_complete);
5337 BT_ERR("Failed to run HCI request: err %d", err);
projects / cascardo / linux.git / blob