]> git.kernelconcepts.de Git - karo-tx-linux.git/blob - net/bluetooth/hci_core.c
projects / karo-tx-linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth...
[karo-tx-linux.git] / net / bluetooth / hci_core.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2000-2001 Qualcomm Incorporated
4    Copyright (C) 2011 ProFUSION Embedded Systems
5
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25
26 /* Bluetooth HCI core. */
27
28 #include <linux/export.h>
29 #include <linux/idr.h>
30
31 #include <linux/rfkill.h>
32
33 #include <net/bluetooth/bluetooth.h>
34 #include <net/bluetooth/hci_core.h>
35
36 static void hci_rx_work(struct work_struct *work);
37 static void hci_cmd_work(struct work_struct *work);
38 static void hci_tx_work(struct work_struct *work);
39
40 /* HCI device list */
41 LIST_HEAD(hci_dev_list);
42 DEFINE_RWLOCK(hci_dev_list_lock);
43
44 /* HCI callback list */
45 LIST_HEAD(hci_cb_list);
46 DEFINE_RWLOCK(hci_cb_list_lock);
47
48 /* HCI ID Numbering */
49 static DEFINE_IDA(hci_index_ida);
50
51 /* ---- HCI notifications ---- */
52
53 static void hci_notify(struct hci_dev *hdev, int event)
54 {
55         hci_sock_dev_event(hdev, event);
56 }
57
58 /* ---- HCI requests ---- */
59
60 static void hci_req_sync_complete(struct hci_dev *hdev, u8 result)
61 {
62         BT_DBG("%s result 0x%2.2x", hdev->name, result);
63
64         if (hdev->req_status == HCI_REQ_PEND) {
65                 hdev->req_result = result;
66                 hdev->req_status = HCI_REQ_DONE;
67                 wake_up_interruptible(&hdev->req_wait_q);
68         }
69 }
70
71 static void hci_req_cancel(struct hci_dev *hdev, int err)
72 {
73         BT_DBG("%s err 0x%2.2x", hdev->name, err);
74
75         if (hdev->req_status == HCI_REQ_PEND) {
76                 hdev->req_result = err;
77                 hdev->req_status = HCI_REQ_CANCELED;
78                 wake_up_interruptible(&hdev->req_wait_q);
79         }
80 }
81
82 static struct sk_buff *hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
83                                             u8 event)
84 {
85         struct hci_ev_cmd_complete *ev;
86         struct hci_event_hdr *hdr;
87         struct sk_buff *skb;
88
89         hci_dev_lock(hdev);
90
91         skb = hdev->recv_evt;
92         hdev->recv_evt = NULL;
93
94         hci_dev_unlock(hdev);
95
96         if (!skb)
97                 return ERR_PTR(-ENODATA);
98
99         if (skb->len < sizeof(*hdr)) {
100                 BT_ERR("Too short HCI event");
101                 goto failed;
102         }
103
104         hdr = (void *) skb->data;
105         skb_pull(skb, HCI_EVENT_HDR_SIZE);
106
107         if (event) {
108                 if (hdr->evt != event)
109                         goto failed;
110                 return skb;
111         }
112
113         if (hdr->evt != HCI_EV_CMD_COMPLETE) {
114                 BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
115                 goto failed;
116         }
117
118         if (skb->len < sizeof(*ev)) {
119                 BT_ERR("Too short cmd_complete event");
120                 goto failed;
121         }
122
123         ev = (void *) skb->data;
124         skb_pull(skb, sizeof(*ev));
125
126         if (opcode == __le16_to_cpu(ev->opcode))
127                 return skb;
128
129         BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
130                __le16_to_cpu(ev->opcode));
131
132 failed:
133         kfree_skb(skb);
134         return ERR_PTR(-ENODATA);
135 }
136
137 struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
138                                   const void *param, u8 event, u32 timeout)
139 {
140         DECLARE_WAITQUEUE(wait, current);
141         struct hci_request req;
142         int err = 0;
143
144         BT_DBG("%s", hdev->name);
145
146         hci_req_init(&req, hdev);
147
148         hci_req_add_ev(&req, opcode, plen, param, event);
149
150         hdev->req_status = HCI_REQ_PEND;
151
152         err = hci_req_run(&req, hci_req_sync_complete);
153         if (err < 0)
154                 return ERR_PTR(err);
155
156         add_wait_queue(&hdev->req_wait_q, &wait);
157         set_current_state(TASK_INTERRUPTIBLE);
158
159         schedule_timeout(timeout);
160
161         remove_wait_queue(&hdev->req_wait_q, &wait);
162
163         if (signal_pending(current))
164                 return ERR_PTR(-EINTR);
165
166         switch (hdev->req_status) {
167         case HCI_REQ_DONE:
168                 err = -bt_to_errno(hdev->req_result);
169                 break;
170
171         case HCI_REQ_CANCELED:
172                 err = -hdev->req_result;
173                 break;
174
175         default:
176                 err = -ETIMEDOUT;
177                 break;
178         }
179
180         hdev->req_status = hdev->req_result = 0;
181
182         BT_DBG("%s end: err %d", hdev->name, err);
183
184         if (err < 0)
185                 return ERR_PTR(err);
186
187         return hci_get_cmd_complete(hdev, opcode, event);
188 }
189 EXPORT_SYMBOL(__hci_cmd_sync_ev);
190
191 struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
192                                const void *param, u32 timeout)
193 {
194         return __hci_cmd_sync_ev(hdev, opcode, plen, param, 0, timeout);
195 }
196 EXPORT_SYMBOL(__hci_cmd_sync);
197
198 /* Execute request and wait for completion. */
199 static int __hci_req_sync(struct hci_dev *hdev,
200                           void (*func)(struct hci_request *req,
201                                       unsigned long opt),
202                           unsigned long opt, __u32 timeout)
203 {
204         struct hci_request req;
205         DECLARE_WAITQUEUE(wait, current);
206         int err = 0;
207
208         BT_DBG("%s start", hdev->name);
209
210         hci_req_init(&req, hdev);
211
212         hdev->req_status = HCI_REQ_PEND;
213
214         func(&req, opt);
215
216         err = hci_req_run(&req, hci_req_sync_complete);
217         if (err < 0) {
218                 hdev->req_status = 0;
219
220                 /* ENODATA means the HCI request command queue is empty.
221                  * This can happen when a request with conditionals doesn't
222                  * trigger any commands to be sent. This is normal behavior
223                  * and should not trigger an error return.
224                  */
225                 if (err == -ENODATA)
226                         return 0;
227
228                 return err;
229         }
230
231         add_wait_queue(&hdev->req_wait_q, &wait);
232         set_current_state(TASK_INTERRUPTIBLE);
233
234         schedule_timeout(timeout);
235
236         remove_wait_queue(&hdev->req_wait_q, &wait);
237
238         if (signal_pending(current))
239                 return -EINTR;
240
241         switch (hdev->req_status) {
242         case HCI_REQ_DONE:
243                 err = -bt_to_errno(hdev->req_result);
244                 break;
245
246         case HCI_REQ_CANCELED:
247                 err = -hdev->req_result;
248                 break;
249
250         default:
251                 err = -ETIMEDOUT;
252                 break;
253         }
254
255         hdev->req_status = hdev->req_result = 0;
256
257         BT_DBG("%s end: err %d", hdev->name, err);
258
259         return err;
260 }
261
262 static int hci_req_sync(struct hci_dev *hdev,
263                         void (*req)(struct hci_request *req,
264                                     unsigned long opt),
265                         unsigned long opt, __u32 timeout)
266 {
267         int ret;
268
269         if (!test_bit(HCI_UP, &hdev->flags))
270                 return -ENETDOWN;
271
272         /* Serialize all requests */
273         hci_req_lock(hdev);
274         ret = __hci_req_sync(hdev, req, opt, timeout);
275         hci_req_unlock(hdev);
276
277         return ret;
278 }
279
280 static void hci_reset_req(struct hci_request *req, unsigned long opt)
281 {
282         BT_DBG("%s %ld", req->hdev->name, opt);
283
284         /* Reset device */
285         set_bit(HCI_RESET, &req->hdev->flags);
286         hci_req_add(req, HCI_OP_RESET, 0, NULL);
287 }
288
289 static void bredr_init(struct hci_request *req)
290 {
291         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
292
293         /* Read Local Supported Features */
294         hci_req_add(req, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
295
296         /* Read Local Version */
297         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
298
299         /* Read BD Address */
300         hci_req_add(req, HCI_OP_READ_BD_ADDR, 0, NULL);
301 }
302
303 static void amp_init(struct hci_request *req)
304 {
305         req->hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_BLOCK_BASED;
306
307         /* Read Local Version */
308         hci_req_add(req, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
309
310         /* Read Local AMP Info */
311         hci_req_add(req, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
312
313         /* Read Data Blk size */
314         hci_req_add(req, HCI_OP_READ_DATA_BLOCK_SIZE, 0, NULL);
315 }
316
317 static void hci_init1_req(struct hci_request *req, unsigned long opt)
318 {
319         struct hci_dev *hdev = req->hdev;
320
321         BT_DBG("%s %ld", hdev->name, opt);
322
323         /* Reset */
324         if (!test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks))
325                 hci_reset_req(req, 0);
326
327         switch (hdev->dev_type) {
328         case HCI_BREDR:
329                 bredr_init(req);
330                 break;
331
332         case HCI_AMP:
333                 amp_init(req);
334                 break;
335
336         default:
337                 BT_ERR("Unknown device type %d", hdev->dev_type);
338                 break;
339         }
340 }
341
342 static void bredr_setup(struct hci_request *req)
343 {
344         __le16 param;
345         __u8 flt_type;
346
347         /* Read Buffer Size (ACL mtu, max pkt, etc.) */
348         hci_req_add(req, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
349
350         /* Read Class of Device */
351         hci_req_add(req, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
352
353         /* Read Local Name */
354         hci_req_add(req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
355
356         /* Read Voice Setting */
357         hci_req_add(req, HCI_OP_READ_VOICE_SETTING, 0, NULL);
358
359         /* Clear Event Filters */
360         flt_type = HCI_FLT_CLEAR_ALL;
361         hci_req_add(req, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
362
363         /* Connection accept timeout ~20 secs */
364         param = __constant_cpu_to_le16(0x7d00);
365         hci_req_add(req, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
366
367         /* Read page scan parameters */
368         if (req->hdev->hci_ver > BLUETOOTH_VER_1_1) {
369                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_ACTIVITY, 0, NULL);
370                 hci_req_add(req, HCI_OP_READ_PAGE_SCAN_TYPE, 0, NULL);
371         }
372 }
373
374 static void le_setup(struct hci_request *req)
375 {
376         struct hci_dev *hdev = req->hdev;
377
378         /* Read LE Buffer Size */
379         hci_req_add(req, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
380
381         /* Read LE Local Supported Features */
382         hci_req_add(req, HCI_OP_LE_READ_LOCAL_FEATURES, 0, NULL);
383
384         /* Read LE Advertising Channel TX Power */
385         hci_req_add(req, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
386
387         /* Read LE White List Size */
388         hci_req_add(req, HCI_OP_LE_READ_WHITE_LIST_SIZE, 0, NULL);
389
390         /* Read LE Supported States */
391         hci_req_add(req, HCI_OP_LE_READ_SUPPORTED_STATES, 0, NULL);
392
393         /* LE-only controllers have LE implicitly enabled */
394         if (!lmp_bredr_capable(hdev))
395                 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
396 }
397
398 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
399 {
400         if (lmp_ext_inq_capable(hdev))
401                 return 0x02;
402
403         if (lmp_inq_rssi_capable(hdev))
404                 return 0x01;
405
406         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
407             hdev->lmp_subver == 0x0757)
408                 return 0x01;
409
410         if (hdev->manufacturer == 15) {
411                 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
412                         return 0x01;
413                 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
414                         return 0x01;
415                 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
416                         return 0x01;
417         }
418
419         if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
420             hdev->lmp_subver == 0x1805)
421                 return 0x01;
422
423         return 0x00;
424 }
425
426 static void hci_setup_inquiry_mode(struct hci_request *req)
427 {
428         u8 mode;
429
430         mode = hci_get_inquiry_mode(req->hdev);
431
432         hci_req_add(req, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
433 }
434
435 static void hci_setup_event_mask(struct hci_request *req)
436 {
437         struct hci_dev *hdev = req->hdev;
438
439         /* The second byte is 0xff instead of 0x9f (two reserved bits
440          * disabled) since a Broadcom 1.2 dongle doesn't respond to the
441          * command otherwise.
442          */
443         u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
444
445         /* CSR 1.1 dongles does not accept any bitfield so don't try to set
446          * any event mask for pre 1.2 devices.
447          */
448         if (hdev->hci_ver < BLUETOOTH_VER_1_2)
449                 return;
450
451         if (lmp_bredr_capable(hdev)) {
452                 events[4] |= 0x01; /* Flow Specification Complete */
453                 events[4] |= 0x02; /* Inquiry Result with RSSI */
454                 events[4] |= 0x04; /* Read Remote Extended Features Complete */
455                 events[5] |= 0x08; /* Synchronous Connection Complete */
456                 events[5] |= 0x10; /* Synchronous Connection Changed */
457         }
458
459         if (lmp_inq_rssi_capable(hdev))
460                 events[4] |= 0x02; /* Inquiry Result with RSSI */
461
462         if (lmp_sniffsubr_capable(hdev))
463                 events[5] |= 0x20; /* Sniff Subrating */
464
465         if (lmp_pause_enc_capable(hdev))
466                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
467
468         if (lmp_ext_inq_capable(hdev))
469                 events[5] |= 0x40; /* Extended Inquiry Result */
470
471         if (lmp_no_flush_capable(hdev))
472                 events[7] |= 0x01; /* Enhanced Flush Complete */
473
474         if (lmp_lsto_capable(hdev))
475                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
476
477         if (lmp_ssp_capable(hdev)) {
478                 events[6] |= 0x01;      /* IO Capability Request */
479                 events[6] |= 0x02;      /* IO Capability Response */
480                 events[6] |= 0x04;      /* User Confirmation Request */
481                 events[6] |= 0x08;      /* User Passkey Request */
482                 events[6] |= 0x10;      /* Remote OOB Data Request */
483                 events[6] |= 0x20;      /* Simple Pairing Complete */
484                 events[7] |= 0x04;      /* User Passkey Notification */
485                 events[7] |= 0x08;      /* Keypress Notification */
486                 events[7] |= 0x10;      /* Remote Host Supported
487                                          * Features Notification
488                                          */
489         }
490
491         if (lmp_le_capable(hdev))
492                 events[7] |= 0x20;      /* LE Meta-Event */
493
494         hci_req_add(req, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
495
496         if (lmp_le_capable(hdev)) {
497                 memset(events, 0, sizeof(events));
498                 events[0] = 0x1f;
499                 hci_req_add(req, HCI_OP_LE_SET_EVENT_MASK,
500                             sizeof(events), events);
501         }
502 }
503
504 static void hci_init2_req(struct hci_request *req, unsigned long opt)
505 {
506         struct hci_dev *hdev = req->hdev;
507
508         if (lmp_bredr_capable(hdev))
509                 bredr_setup(req);
510
511         if (lmp_le_capable(hdev))
512                 le_setup(req);
513
514         hci_setup_event_mask(req);
515
516         /* AVM Berlin (31), aka "BlueFRITZ!", doesn't support the read
517          * local supported commands HCI command.
518          */
519         if (hdev->manufacturer != 31 && hdev->hci_ver > BLUETOOTH_VER_1_1)
520                 hci_req_add(req, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
521
522         if (lmp_ssp_capable(hdev)) {
523                 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
524                         u8 mode = 0x01;
525                         hci_req_add(req, HCI_OP_WRITE_SSP_MODE,
526                                     sizeof(mode), &mode);
527                 } else {
528                         struct hci_cp_write_eir cp;
529
530                         memset(hdev->eir, 0, sizeof(hdev->eir));
531                         memset(&cp, 0, sizeof(cp));
532
533                         hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
534                 }
535         }
536
537         if (lmp_inq_rssi_capable(hdev))
538                 hci_setup_inquiry_mode(req);
539
540         if (lmp_inq_tx_pwr_capable(hdev))
541                 hci_req_add(req, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
542
543         if (lmp_ext_feat_capable(hdev)) {
544                 struct hci_cp_read_local_ext_features cp;
545
546                 cp.page = 0x01;
547                 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
548                             sizeof(cp), &cp);
549         }
550
551         if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
552                 u8 enable = 1;
553                 hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
554                             &enable);
555         }
556 }
557
558 static void hci_setup_link_policy(struct hci_request *req)
559 {
560         struct hci_dev *hdev = req->hdev;
561         struct hci_cp_write_def_link_policy cp;
562         u16 link_policy = 0;
563
564         if (lmp_rswitch_capable(hdev))
565                 link_policy |= HCI_LP_RSWITCH;
566         if (lmp_hold_capable(hdev))
567                 link_policy |= HCI_LP_HOLD;
568         if (lmp_sniff_capable(hdev))
569                 link_policy |= HCI_LP_SNIFF;
570         if (lmp_park_capable(hdev))
571                 link_policy |= HCI_LP_PARK;
572
573         cp.policy = cpu_to_le16(link_policy);
574         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
575 }
576
577 static void hci_set_le_support(struct hci_request *req)
578 {
579         struct hci_dev *hdev = req->hdev;
580         struct hci_cp_write_le_host_supported cp;
581
582         /* LE-only devices do not support explicit enablement */
583         if (!lmp_bredr_capable(hdev))
584                 return;
585
586         memset(&cp, 0, sizeof(cp));
587
588         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
589                 cp.le = 0x01;
590                 cp.simul = lmp_le_br_capable(hdev);
591         }
592
593         if (cp.le != lmp_host_le_capable(hdev))
594                 hci_req_add(req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
595                             &cp);
596 }
597
598 static void hci_init3_req(struct hci_request *req, unsigned long opt)
599 {
600         struct hci_dev *hdev = req->hdev;
601         u8 p;
602
603         /* Some Broadcom based Bluetooth controllers do not support the
604          * Delete Stored Link Key command. They are clearly indicating its
605          * absence in the bit mask of supported commands.
606          *
607          * Check the supported commands and only if the the command is marked
608          * as supported send it. If not supported assume that the controller
609          * does not have actual support for stored link keys which makes this
610          * command redundant anyway.
611          */
612         if (hdev->commands[6] & 0x80) {
613                 struct hci_cp_delete_stored_link_key cp;
614
615                 bacpy(&cp.bdaddr, BDADDR_ANY);
616                 cp.delete_all = 0x01;
617                 hci_req_add(req, HCI_OP_DELETE_STORED_LINK_KEY,
618                             sizeof(cp), &cp);
619         }
620
621         if (hdev->commands[5] & 0x10)
622                 hci_setup_link_policy(req);
623
624         if (lmp_le_capable(hdev)) {
625                 hci_set_le_support(req);
626                 hci_update_ad(req);
627         }
628
629         /* Read features beyond page 1 if available */
630         for (p = 2; p < HCI_MAX_PAGES && p <= hdev->max_page; p++) {
631                 struct hci_cp_read_local_ext_features cp;
632
633                 cp.page = p;
634                 hci_req_add(req, HCI_OP_READ_LOCAL_EXT_FEATURES,
635                             sizeof(cp), &cp);
636         }
637 }
638
639 static int __hci_init(struct hci_dev *hdev)
640 {
641         int err;
642
643         err = __hci_req_sync(hdev, hci_init1_req, 0, HCI_INIT_TIMEOUT);
644         if (err < 0)
645                 return err;
646
647         /* HCI_BREDR covers both single-mode LE, BR/EDR and dual-mode
648          * BR/EDR/LE type controllers. AMP controllers only need the
649          * first stage init.
650          */
651         if (hdev->dev_type != HCI_BREDR)
652                 return 0;
653
654         err = __hci_req_sync(hdev, hci_init2_req, 0, HCI_INIT_TIMEOUT);
655         if (err < 0)
656                 return err;
657
658         return __hci_req_sync(hdev, hci_init3_req, 0, HCI_INIT_TIMEOUT);
659 }
660
661 static void hci_scan_req(struct hci_request *req, unsigned long opt)
662 {
663         __u8 scan = opt;
664
665         BT_DBG("%s %x", req->hdev->name, scan);
666
667         /* Inquiry and Page scans */
668         hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
669 }
670
671 static void hci_auth_req(struct hci_request *req, unsigned long opt)
672 {
673         __u8 auth = opt;
674
675         BT_DBG("%s %x", req->hdev->name, auth);
676
677         /* Authentication */
678         hci_req_add(req, HCI_OP_WRITE_AUTH_ENABLE, 1, &auth);
679 }
680
681 static void hci_encrypt_req(struct hci_request *req, unsigned long opt)
682 {
683         __u8 encrypt = opt;
684
685         BT_DBG("%s %x", req->hdev->name, encrypt);
686
687         /* Encryption */
688         hci_req_add(req, HCI_OP_WRITE_ENCRYPT_MODE, 1, &encrypt);
689 }
690
691 static void hci_linkpol_req(struct hci_request *req, unsigned long opt)
692 {
693         __le16 policy = cpu_to_le16(opt);
694
695         BT_DBG("%s %x", req->hdev->name, policy);
696
697         /* Default link policy */
698         hci_req_add(req, HCI_OP_WRITE_DEF_LINK_POLICY, 2, &policy);
699 }
700
701 /* Get HCI device by index.
702  * Device is held on return. */
703 struct hci_dev *hci_dev_get(int index)
704 {
705         struct hci_dev *hdev = NULL, *d;
706
707         BT_DBG("%d", index);
708
709         if (index < 0)
710                 return NULL;
711
712         read_lock(&hci_dev_list_lock);
713         list_for_each_entry(d, &hci_dev_list, list) {
714                 if (d->id == index) {
715                         hdev = hci_dev_hold(d);
716                         break;
717                 }
718         }
719         read_unlock(&hci_dev_list_lock);
720         return hdev;
721 }
722
723 /* ---- Inquiry support ---- */
724
725 bool hci_discovery_active(struct hci_dev *hdev)
726 {
727         struct discovery_state *discov = &hdev->discovery;
728
729         switch (discov->state) {
730         case DISCOVERY_FINDING:
731         case DISCOVERY_RESOLVING:
732                 return true;
733
734         default:
735                 return false;
736         }
737 }
738
739 void hci_discovery_set_state(struct hci_dev *hdev, int state)
740 {
741         BT_DBG("%s state %u -> %u", hdev->name, hdev->discovery.state, state);
742
743         if (hdev->discovery.state == state)
744                 return;
745
746         switch (state) {
747         case DISCOVERY_STOPPED:
748                 if (hdev->discovery.state != DISCOVERY_STARTING)
749                         mgmt_discovering(hdev, 0);
750                 break;
751         case DISCOVERY_STARTING:
752                 break;
753         case DISCOVERY_FINDING:
754                 mgmt_discovering(hdev, 1);
755                 break;
756         case DISCOVERY_RESOLVING:
757                 break;
758         case DISCOVERY_STOPPING:
759                 break;
760         }
761
762         hdev->discovery.state = state;
763 }
764
765 void hci_inquiry_cache_flush(struct hci_dev *hdev)
766 {
767         struct discovery_state *cache = &hdev->discovery;
768         struct inquiry_entry *p, *n;
769
770         list_for_each_entry_safe(p, n, &cache->all, all) {
771                 list_del(&p->all);
772                 kfree(p);
773         }
774
775         INIT_LIST_HEAD(&cache->unknown);
776         INIT_LIST_HEAD(&cache->resolve);
777 }
778
779 struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
780                                                bdaddr_t *bdaddr)
781 {
782         struct discovery_state *cache = &hdev->discovery;
783         struct inquiry_entry *e;
784
785         BT_DBG("cache %p, %pMR", cache, bdaddr);
786
787         list_for_each_entry(e, &cache->all, all) {
788                 if (!bacmp(&e->data.bdaddr, bdaddr))
789                         return e;
790         }
791
792         return NULL;
793 }
794
795 struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
796                                                        bdaddr_t *bdaddr)
797 {
798         struct discovery_state *cache = &hdev->discovery;
799         struct inquiry_entry *e;
800
801         BT_DBG("cache %p, %pMR", cache, bdaddr);
802
803         list_for_each_entry(e, &cache->unknown, list) {
804                 if (!bacmp(&e->data.bdaddr, bdaddr))
805                         return e;
806         }
807
808         return NULL;
809 }
810
811 struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
812                                                        bdaddr_t *bdaddr,
813                                                        int state)
814 {
815         struct discovery_state *cache = &hdev->discovery;
816         struct inquiry_entry *e;
817
818         BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
819
820         list_for_each_entry(e, &cache->resolve, list) {
821                 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
822                         return e;
823                 if (!bacmp(&e->data.bdaddr, bdaddr))
824                         return e;
825         }
826
827         return NULL;
828 }
829
830 void hci_inquiry_cache_update_resolve(struct hci_dev *hdev,
831                                       struct inquiry_entry *ie)
832 {
833         struct discovery_state *cache = &hdev->discovery;
834         struct list_head *pos = &cache->resolve;
835         struct inquiry_entry *p;
836
837         list_del(&ie->list);
838
839         list_for_each_entry(p, &cache->resolve, list) {
840                 if (p->name_state != NAME_PENDING &&
841                     abs(p->data.rssi) >= abs(ie->data.rssi))
842                         break;
843                 pos = &p->list;
844         }
845
846         list_add(&ie->list, pos);
847 }
848
849 bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
850                               bool name_known, bool *ssp)
851 {
852         struct discovery_state *cache = &hdev->discovery;
853         struct inquiry_entry *ie;
854
855         BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
856
857         hci_remove_remote_oob_data(hdev, &data->bdaddr);
858
859         if (ssp)
860                 *ssp = data->ssp_mode;
861
862         ie = hci_inquiry_cache_lookup(hdev, &data->bdaddr);
863         if (ie) {
864                 if (ie->data.ssp_mode && ssp)
865                         *ssp = true;
866
867                 if (ie->name_state == NAME_NEEDED &&
868                     data->rssi != ie->data.rssi) {
869                         ie->data.rssi = data->rssi;
870                         hci_inquiry_cache_update_resolve(hdev, ie);
871                 }
872
873                 goto update;
874         }
875
876         /* Entry not in the cache. Add new one. */
877         ie = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC);
878         if (!ie)
879                 return false;
880
881         list_add(&ie->all, &cache->all);
882
883         if (name_known) {
884                 ie->name_state = NAME_KNOWN;
885         } else {
886                 ie->name_state = NAME_NOT_KNOWN;
887                 list_add(&ie->list, &cache->unknown);
888         }
889
890 update:
891         if (name_known && ie->name_state != NAME_KNOWN &&
892             ie->name_state != NAME_PENDING) {
893                 ie->name_state = NAME_KNOWN;
894                 list_del(&ie->list);
895         }
896
897         memcpy(&ie->data, data, sizeof(*data));
898         ie->timestamp = jiffies;
899         cache->timestamp = jiffies;
900
901         if (ie->name_state == NAME_NOT_KNOWN)
902                 return false;
903
904         return true;
905 }
906
907 static int inquiry_cache_dump(struct hci_dev *hdev, int num, __u8 *buf)
908 {
909         struct discovery_state *cache = &hdev->discovery;
910         struct inquiry_info *info = (struct inquiry_info *) buf;
911         struct inquiry_entry *e;
912         int copied = 0;
913
914         list_for_each_entry(e, &cache->all, all) {
915                 struct inquiry_data *data = &e->data;
916
917                 if (copied >= num)
918                         break;
919
920                 bacpy(&info->bdaddr, &data->bdaddr);
921                 info->pscan_rep_mode    = data->pscan_rep_mode;
922                 info->pscan_period_mode = data->pscan_period_mode;
923                 info->pscan_mode        = data->pscan_mode;
924                 memcpy(info->dev_class, data->dev_class, 3);
925                 info->clock_offset      = data->clock_offset;
926
927                 info++;
928                 copied++;
929         }
930
931         BT_DBG("cache %p, copied %d", cache, copied);
932         return copied;
933 }
934
935 static void hci_inq_req(struct hci_request *req, unsigned long opt)
936 {
937         struct hci_inquiry_req *ir = (struct hci_inquiry_req *) opt;
938         struct hci_dev *hdev = req->hdev;
939         struct hci_cp_inquiry cp;
940
941         BT_DBG("%s", hdev->name);
942
943         if (test_bit(HCI_INQUIRY, &hdev->flags))
944                 return;
945
946         /* Start Inquiry */
947         memcpy(&cp.lap, &ir->lap, 3);
948         cp.length  = ir->length;
949         cp.num_rsp = ir->num_rsp;
950         hci_req_add(req, HCI_OP_INQUIRY, sizeof(cp), &cp);
951 }
952
953 static int wait_inquiry(void *word)
954 {
955         schedule();
956         return signal_pending(current);
957 }
958
959 int hci_inquiry(void __user *arg)
960 {
961         __u8 __user *ptr = arg;
962         struct hci_inquiry_req ir;
963         struct hci_dev *hdev;
964         int err = 0, do_inquiry = 0, max_rsp;
965         long timeo;
966         __u8 *buf;
967
968         if (copy_from_user(&ir, ptr, sizeof(ir)))
969                 return -EFAULT;
970
971         hdev = hci_dev_get(ir.dev_id);
972         if (!hdev)
973                 return -ENODEV;
974
975         hci_dev_lock(hdev);
976         if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX ||
977             inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) {
978                 hci_inquiry_cache_flush(hdev);
979                 do_inquiry = 1;
980         }
981         hci_dev_unlock(hdev);
982
983         timeo = ir.length * msecs_to_jiffies(2000);
984
985         if (do_inquiry) {
986                 err = hci_req_sync(hdev, hci_inq_req, (unsigned long) &ir,
987                                    timeo);
988                 if (err < 0)
989                         goto done;
990
991                 /* Wait until Inquiry procedure finishes (HCI_INQUIRY flag is
992                  * cleared). If it is interrupted by a signal, return -EINTR.
993                  */
994                 if (wait_on_bit(&hdev->flags, HCI_INQUIRY, wait_inquiry,
995                                 TASK_INTERRUPTIBLE))
996                         return -EINTR;
997         }
998
999         /* for unlimited number of responses we will use buffer with
1000          * 255 entries
1001          */
1002         max_rsp = (ir.num_rsp == 0) ? 255 : ir.num_rsp;
1003
1004         /* cache_dump can't sleep. Therefore we allocate temp buffer and then
1005          * copy it to the user space.
1006          */
1007         buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
1008         if (!buf) {
1009                 err = -ENOMEM;
1010                 goto done;
1011         }
1012
1013         hci_dev_lock(hdev);
1014         ir.num_rsp = inquiry_cache_dump(hdev, max_rsp, buf);
1015         hci_dev_unlock(hdev);
1016
1017         BT_DBG("num_rsp %d", ir.num_rsp);
1018
1019         if (!copy_to_user(ptr, &ir, sizeof(ir))) {
1020                 ptr += sizeof(ir);
1021                 if (copy_to_user(ptr, buf, sizeof(struct inquiry_info) *
1022                                  ir.num_rsp))
1023                         err = -EFAULT;
1024         } else
1025                 err = -EFAULT;
1026
1027         kfree(buf);
1028
1029 done:
1030         hci_dev_put(hdev);
1031         return err;
1032 }
1033
1034 static u8 create_ad(struct hci_dev *hdev, u8 *ptr)
1035 {
1036         u8 ad_len = 0, flags = 0;
1037         size_t name_len;
1038
1039         if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
1040                 flags |= LE_AD_GENERAL;
1041
1042         if (!lmp_bredr_capable(hdev))
1043                 flags |= LE_AD_NO_BREDR;
1044
1045         if (lmp_le_br_capable(hdev))
1046                 flags |= LE_AD_SIM_LE_BREDR_CTRL;
1047
1048         if (lmp_host_le_br_capable(hdev))
1049                 flags |= LE_AD_SIM_LE_BREDR_HOST;
1050
1051         if (flags) {
1052                 BT_DBG("adv flags 0x%02x", flags);
1053
1054                 ptr[0] = 2;
1055                 ptr[1] = EIR_FLAGS;
1056                 ptr[2] = flags;
1057
1058                 ad_len += 3;
1059                 ptr += 3;
1060         }
1061
1062         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
1063                 ptr[0] = 2;
1064                 ptr[1] = EIR_TX_POWER;
1065                 ptr[2] = (u8) hdev->adv_tx_power;
1066
1067                 ad_len += 3;
1068                 ptr += 3;
1069         }
1070
1071         name_len = strlen(hdev->dev_name);
1072         if (name_len > 0) {
1073                 size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
1074
1075                 if (name_len > max_len) {
1076                         name_len = max_len;
1077                         ptr[1] = EIR_NAME_SHORT;
1078                 } else
1079                         ptr[1] = EIR_NAME_COMPLETE;
1080
1081                 ptr[0] = name_len + 1;
1082
1083                 memcpy(ptr + 2, hdev->dev_name, name_len);
1084
1085                 ad_len += (name_len + 2);
1086                 ptr += (name_len + 2);
1087         }
1088
1089         return ad_len;
1090 }
1091
1092 void hci_update_ad(struct hci_request *req)
1093 {
1094         struct hci_dev *hdev = req->hdev;
1095         struct hci_cp_le_set_adv_data cp;
1096         u8 len;
1097
1098         if (!lmp_le_capable(hdev))
1099                 return;
1100
1101         memset(&cp, 0, sizeof(cp));
1102
1103         len = create_ad(hdev, cp.data);
1104
1105         if (hdev->adv_data_len == len &&
1106             memcmp(cp.data, hdev->adv_data, len) == 0)
1107                 return;
1108
1109         memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
1110         hdev->adv_data_len = len;
1111
1112         cp.length = len;
1113
1114         hci_req_add(req, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
1115 }
1116
1117 /* ---- HCI ioctl helpers ---- */
1118
1119 int hci_dev_open(__u16 dev)
1120 {
1121         struct hci_dev *hdev;
1122         int ret = 0;
1123
1124         hdev = hci_dev_get(dev);
1125         if (!hdev)
1126                 return -ENODEV;
1127
1128         BT_DBG("%s %p", hdev->name, hdev);
1129
1130         hci_req_lock(hdev);
1131
1132         if (test_bit(HCI_UNREGISTER, &hdev->dev_flags)) {
1133                 ret = -ENODEV;
1134                 goto done;
1135         }
1136
1137         if (hdev->rfkill && rfkill_blocked(hdev->rfkill)) {
1138                 ret = -ERFKILL;
1139                 goto done;
1140         }
1141
1142         if (test_bit(HCI_UP, &hdev->flags)) {
1143                 ret = -EALREADY;
1144                 goto done;
1145         }
1146
1147         if (hdev->open(hdev)) {
1148                 ret = -EIO;
1149                 goto done;
1150         }
1151
1152         atomic_set(&hdev->cmd_cnt, 1);
1153         set_bit(HCI_INIT, &hdev->flags);
1154
1155         if (hdev->setup && test_bit(HCI_SETUP, &hdev->dev_flags))
1156                 ret = hdev->setup(hdev);
1157
1158         if (!ret) {
1159                 /* Treat all non BR/EDR controllers as raw devices if
1160                  * enable_hs is not set.
1161                  */
1162                 if (hdev->dev_type != HCI_BREDR && !enable_hs)
1163                         set_bit(HCI_RAW, &hdev->flags);
1164
1165                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
1166                         set_bit(HCI_RAW, &hdev->flags);
1167
1168                 if (!test_bit(HCI_RAW, &hdev->flags))
1169                         ret = __hci_init(hdev);
1170         }
1171
1172         clear_bit(HCI_INIT, &hdev->flags);
1173
1174         if (!ret) {
1175                 hci_dev_hold(hdev);
1176                 set_bit(HCI_UP, &hdev->flags);
1177                 hci_notify(hdev, HCI_DEV_UP);
1178                 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
1179                     mgmt_valid_hdev(hdev)) {
1180                         hci_dev_lock(hdev);
1181                         mgmt_powered(hdev, 1);
1182                         hci_dev_unlock(hdev);
1183                 }
1184         } else {
1185                 /* Init failed, cleanup */
1186                 flush_work(&hdev->tx_work);
1187                 flush_work(&hdev->cmd_work);
1188                 flush_work(&hdev->rx_work);
1189
1190                 skb_queue_purge(&hdev->cmd_q);
1191                 skb_queue_purge(&hdev->rx_q);
1192
1193                 if (hdev->flush)
1194                         hdev->flush(hdev);
1195
1196                 if (hdev->sent_cmd) {
1197                         kfree_skb(hdev->sent_cmd);
1198                         hdev->sent_cmd = NULL;
1199                 }
1200
1201                 hdev->close(hdev);
1202                 hdev->flags = 0;
1203         }
1204
1205 done:
1206         hci_req_unlock(hdev);
1207         hci_dev_put(hdev);
1208         return ret;
1209 }
1210
1211 static int hci_dev_do_close(struct hci_dev *hdev)
1212 {
1213         BT_DBG("%s %p", hdev->name, hdev);
1214
1215         cancel_delayed_work(&hdev->power_off);
1216
1217         hci_req_cancel(hdev, ENODEV);
1218         hci_req_lock(hdev);
1219
1220         if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
1221                 del_timer_sync(&hdev->cmd_timer);
1222                 hci_req_unlock(hdev);
1223                 return 0;
1224         }
1225
1226         /* Flush RX and TX works */
1227         flush_work(&hdev->tx_work);
1228         flush_work(&hdev->rx_work);
1229
1230         if (hdev->discov_timeout > 0) {
1231                 cancel_delayed_work(&hdev->discov_off);
1232                 hdev->discov_timeout = 0;
1233                 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1234         }
1235
1236         if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1237                 cancel_delayed_work(&hdev->service_cache);
1238
1239         cancel_delayed_work_sync(&hdev->le_scan_disable);
1240
1241         hci_dev_lock(hdev);
1242         hci_inquiry_cache_flush(hdev);
1243         hci_conn_hash_flush(hdev);
1244         hci_dev_unlock(hdev);
1245
1246         hci_notify(hdev, HCI_DEV_DOWN);
1247
1248         if (hdev->flush)
1249                 hdev->flush(hdev);
1250
1251         /* Reset device */
1252         skb_queue_purge(&hdev->cmd_q);
1253         atomic_set(&hdev->cmd_cnt, 1);
1254         if (!test_bit(HCI_RAW, &hdev->flags) &&
1255             test_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks)) {
1256                 set_bit(HCI_INIT, &hdev->flags);
1257                 __hci_req_sync(hdev, hci_reset_req, 0, HCI_CMD_TIMEOUT);
1258                 clear_bit(HCI_INIT, &hdev->flags);
1259         }
1260
1261         /* flush cmd  work */
1262         flush_work(&hdev->cmd_work);
1263
1264         /* Drop queues */
1265         skb_queue_purge(&hdev->rx_q);
1266         skb_queue_purge(&hdev->cmd_q);
1267         skb_queue_purge(&hdev->raw_q);
1268
1269         /* Drop last sent command */
1270         if (hdev->sent_cmd) {
1271                 del_timer_sync(&hdev->cmd_timer);
1272                 kfree_skb(hdev->sent_cmd);
1273                 hdev->sent_cmd = NULL;
1274         }
1275
1276         kfree_skb(hdev->recv_evt);
1277         hdev->recv_evt = NULL;
1278
1279         /* After this point our queues are empty
1280          * and no tasks are scheduled. */
1281         hdev->close(hdev);
1282
1283         /* Clear flags */
1284         hdev->flags = 0;
1285         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
1286
1287         if (!test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags) &&
1288             mgmt_valid_hdev(hdev)) {
1289                 hci_dev_lock(hdev);
1290                 mgmt_powered(hdev, 0);
1291                 hci_dev_unlock(hdev);
1292         }
1293
1294         /* Controller radio is available but is currently powered down */
1295         hdev->amp_status = 0;
1296
1297         memset(hdev->eir, 0, sizeof(hdev->eir));
1298         memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
1299
1300         hci_req_unlock(hdev);
1301
1302         hci_dev_put(hdev);
1303         return 0;
1304 }
1305
1306 int hci_dev_close(__u16 dev)
1307 {
1308         struct hci_dev *hdev;
1309         int err;
1310
1311         hdev = hci_dev_get(dev);
1312         if (!hdev)
1313                 return -ENODEV;
1314
1315         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1316                 cancel_delayed_work(&hdev->power_off);
1317
1318         err = hci_dev_do_close(hdev);
1319
1320         hci_dev_put(hdev);
1321         return err;
1322 }
1323
1324 int hci_dev_reset(__u16 dev)
1325 {
1326         struct hci_dev *hdev;
1327         int ret = 0;
1328
1329         hdev = hci_dev_get(dev);
1330         if (!hdev)
1331                 return -ENODEV;
1332
1333         hci_req_lock(hdev);
1334
1335         if (!test_bit(HCI_UP, &hdev->flags))
1336                 goto done;
1337
1338         /* Drop queues */
1339         skb_queue_purge(&hdev->rx_q);
1340         skb_queue_purge(&hdev->cmd_q);
1341
1342         hci_dev_lock(hdev);
1343         hci_inquiry_cache_flush(hdev);
1344         hci_conn_hash_flush(hdev);
1345         hci_dev_unlock(hdev);
1346
1347         if (hdev->flush)
1348                 hdev->flush(hdev);
1349
1350         atomic_set(&hdev->cmd_cnt, 1);
1351         hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
1352
1353         if (!test_bit(HCI_RAW, &hdev->flags))
1354                 ret = __hci_req_sync(hdev, hci_reset_req, 0, HCI_INIT_TIMEOUT);
1355
1356 done:
1357         hci_req_unlock(hdev);
1358         hci_dev_put(hdev);
1359         return ret;
1360 }
1361
1362 int hci_dev_reset_stat(__u16 dev)
1363 {
1364         struct hci_dev *hdev;
1365         int ret = 0;
1366
1367         hdev = hci_dev_get(dev);
1368         if (!hdev)
1369                 return -ENODEV;
1370
1371         memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
1372
1373         hci_dev_put(hdev);
1374
1375         return ret;
1376 }
1377
1378 int hci_dev_cmd(unsigned int cmd, void __user *arg)
1379 {
1380         struct hci_dev *hdev;
1381         struct hci_dev_req dr;
1382         int err = 0;
1383
1384         if (copy_from_user(&dr, arg, sizeof(dr)))
1385                 return -EFAULT;
1386
1387         hdev = hci_dev_get(dr.dev_id);
1388         if (!hdev)
1389                 return -ENODEV;
1390
1391         switch (cmd) {
1392         case HCISETAUTH:
1393                 err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1394                                    HCI_INIT_TIMEOUT);
1395                 break;
1396
1397         case HCISETENCRYPT:
1398                 if (!lmp_encrypt_capable(hdev)) {
1399                         err = -EOPNOTSUPP;
1400                         break;
1401                 }
1402
1403                 if (!test_bit(HCI_AUTH, &hdev->flags)) {
1404                         /* Auth must be enabled first */
1405                         err = hci_req_sync(hdev, hci_auth_req, dr.dev_opt,
1406                                            HCI_INIT_TIMEOUT);
1407                         if (err)
1408                                 break;
1409                 }
1410
1411                 err = hci_req_sync(hdev, hci_encrypt_req, dr.dev_opt,
1412                                    HCI_INIT_TIMEOUT);
1413                 break;
1414
1415         case HCISETSCAN:
1416                 err = hci_req_sync(hdev, hci_scan_req, dr.dev_opt,
1417                                    HCI_INIT_TIMEOUT);
1418                 break;
1419
1420         case HCISETLINKPOL:
1421                 err = hci_req_sync(hdev, hci_linkpol_req, dr.dev_opt,
1422                                    HCI_INIT_TIMEOUT);
1423                 break;
1424
1425         case HCISETLINKMODE:
1426                 hdev->link_mode = ((__u16) dr.dev_opt) &
1427                                         (HCI_LM_MASTER | HCI_LM_ACCEPT);
1428                 break;
1429
1430         case HCISETPTYPE:
1431                 hdev->pkt_type = (__u16) dr.dev_opt;
1432                 break;
1433
1434         case HCISETACLMTU:
1435                 hdev->acl_mtu  = *((__u16 *) &dr.dev_opt + 1);
1436                 hdev->acl_pkts = *((__u16 *) &dr.dev_opt + 0);
1437                 break;
1438
1439         case HCISETSCOMTU:
1440                 hdev->sco_mtu  = *((__u16 *) &dr.dev_opt + 1);
1441                 hdev->sco_pkts = *((__u16 *) &dr.dev_opt + 0);
1442                 break;
1443
1444         default:
1445                 err = -EINVAL;
1446                 break;
1447         }
1448
1449         hci_dev_put(hdev);
1450         return err;
1451 }
1452
1453 int hci_get_dev_list(void __user *arg)
1454 {
1455         struct hci_dev *hdev;
1456         struct hci_dev_list_req *dl;
1457         struct hci_dev_req *dr;
1458         int n = 0, size, err;
1459         __u16 dev_num;
1460
1461         if (get_user(dev_num, (__u16 __user *) arg))
1462                 return -EFAULT;
1463
1464         if (!dev_num || dev_num > (PAGE_SIZE * 2) / sizeof(*dr))
1465                 return -EINVAL;
1466
1467         size = sizeof(*dl) + dev_num * sizeof(*dr);
1468
1469         dl = kzalloc(size, GFP_KERNEL);
1470         if (!dl)
1471                 return -ENOMEM;
1472
1473         dr = dl->dev_req;
1474
1475         read_lock(&hci_dev_list_lock);
1476         list_for_each_entry(hdev, &hci_dev_list, list) {
1477                 if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1478                         cancel_delayed_work(&hdev->power_off);
1479
1480                 if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1481                         set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1482
1483                 (dr + n)->dev_id  = hdev->id;
1484                 (dr + n)->dev_opt = hdev->flags;
1485
1486                 if (++n >= dev_num)
1487                         break;
1488         }
1489         read_unlock(&hci_dev_list_lock);
1490
1491         dl->dev_num = n;
1492         size = sizeof(*dl) + n * sizeof(*dr);
1493
1494         err = copy_to_user(arg, dl, size);
1495         kfree(dl);
1496
1497         return err ? -EFAULT : 0;
1498 }
1499
1500 int hci_get_dev_info(void __user *arg)
1501 {
1502         struct hci_dev *hdev;
1503         struct hci_dev_info di;
1504         int err = 0;
1505
1506         if (copy_from_user(&di, arg, sizeof(di)))
1507                 return -EFAULT;
1508
1509         hdev = hci_dev_get(di.dev_id);
1510         if (!hdev)
1511                 return -ENODEV;
1512
1513         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1514                 cancel_delayed_work_sync(&hdev->power_off);
1515
1516         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1517                 set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1518
1519         strcpy(di.name, hdev->name);
1520         di.bdaddr   = hdev->bdaddr;
1521         di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
1522         di.flags    = hdev->flags;
1523         di.pkt_type = hdev->pkt_type;
1524         if (lmp_bredr_capable(hdev)) {
1525                 di.acl_mtu  = hdev->acl_mtu;
1526                 di.acl_pkts = hdev->acl_pkts;
1527                 di.sco_mtu  = hdev->sco_mtu;
1528                 di.sco_pkts = hdev->sco_pkts;
1529         } else {
1530                 di.acl_mtu  = hdev->le_mtu;
1531                 di.acl_pkts = hdev->le_pkts;
1532                 di.sco_mtu  = 0;
1533                 di.sco_pkts = 0;
1534         }
1535         di.link_policy = hdev->link_policy;
1536         di.link_mode   = hdev->link_mode;
1537
1538         memcpy(&di.stat, &hdev->stat, sizeof(di.stat));
1539         memcpy(&di.features, &hdev->features, sizeof(di.features));
1540
1541         if (copy_to_user(arg, &di, sizeof(di)))
1542                 err = -EFAULT;
1543
1544         hci_dev_put(hdev);
1545
1546         return err;
1547 }
1548
1549 /* ---- Interface to HCI drivers ---- */
1550
1551 static int hci_rfkill_set_block(void *data, bool blocked)
1552 {
1553         struct hci_dev *hdev = data;
1554
1555         BT_DBG("%p name %s blocked %d", hdev, hdev->name, blocked);
1556
1557         if (!blocked)
1558                 return 0;
1559
1560         hci_dev_do_close(hdev);
1561
1562         return 0;
1563 }
1564
1565 static const struct rfkill_ops hci_rfkill_ops = {
1566         .set_block = hci_rfkill_set_block,
1567 };
1568
1569 static void hci_power_on(struct work_struct *work)
1570 {
1571         struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
1572         int err;
1573
1574         BT_DBG("%s", hdev->name);
1575
1576         err = hci_dev_open(hdev->id);
1577         if (err < 0) {
1578                 mgmt_set_powered_failed(hdev, err);
1579                 return;
1580         }
1581
1582         if (test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
1583                 queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1584                                    HCI_AUTO_OFF_TIMEOUT);
1585
1586         if (test_and_clear_bit(HCI_SETUP, &hdev->dev_flags))
1587                 mgmt_index_added(hdev);
1588 }
1589
1590 static void hci_power_off(struct work_struct *work)
1591 {
1592         struct hci_dev *hdev = container_of(work, struct hci_dev,
1593                                             power_off.work);
1594
1595         BT_DBG("%s", hdev->name);
1596
1597         hci_dev_do_close(hdev);
1598 }
1599
1600 static void hci_discov_off(struct work_struct *work)
1601 {
1602         struct hci_dev *hdev;
1603         u8 scan = SCAN_PAGE;
1604
1605         hdev = container_of(work, struct hci_dev, discov_off.work);
1606
1607         BT_DBG("%s", hdev->name);
1608
1609         hci_dev_lock(hdev);
1610
1611         hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
1612
1613         hdev->discov_timeout = 0;
1614
1615         hci_dev_unlock(hdev);
1616 }
1617
1618 int hci_uuids_clear(struct hci_dev *hdev)
1619 {
1620         struct bt_uuid *uuid, *tmp;
1621
1622         list_for_each_entry_safe(uuid, tmp, &hdev->uuids, list) {
1623                 list_del(&uuid->list);
1624                 kfree(uuid);
1625         }
1626
1627         return 0;
1628 }
1629
1630 int hci_link_keys_clear(struct hci_dev *hdev)
1631 {
1632         struct list_head *p, *n;
1633
1634         list_for_each_safe(p, n, &hdev->link_keys) {
1635                 struct link_key *key;
1636
1637                 key = list_entry(p, struct link_key, list);
1638
1639                 list_del(p);
1640                 kfree(key);
1641         }
1642
1643         return 0;
1644 }
1645
1646 int hci_smp_ltks_clear(struct hci_dev *hdev)
1647 {
1648         struct smp_ltk *k, *tmp;
1649
1650         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1651                 list_del(&k->list);
1652                 kfree(k);
1653         }
1654
1655         return 0;
1656 }
1657
1658 struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1659 {
1660         struct link_key *k;
1661
1662         list_for_each_entry(k, &hdev->link_keys, list)
1663                 if (bacmp(bdaddr, &k->bdaddr) == 0)
1664                         return k;
1665
1666         return NULL;
1667 }
1668
1669 static bool hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
1670                                u8 key_type, u8 old_key_type)
1671 {
1672         /* Legacy key */
1673         if (key_type < 0x03)
1674                 return true;
1675
1676         /* Debug keys are insecure so don't store them persistently */
1677         if (key_type == HCI_LK_DEBUG_COMBINATION)
1678                 return false;
1679
1680         /* Changed combination key and there's no previous one */
1681         if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
1682                 return false;
1683
1684         /* Security mode 3 case */
1685         if (!conn)
1686                 return true;
1687
1688         /* Neither local nor remote side had no-bonding as requirement */
1689         if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
1690                 return true;
1691
1692         /* Local side had dedicated bonding as requirement */
1693         if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
1694                 return true;
1695
1696         /* Remote side had dedicated bonding as requirement */
1697         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
1698                 return true;
1699
1700         /* If none of the above criteria match, then don't store the key
1701          * persistently */
1702         return false;
1703 }
1704
1705 struct smp_ltk *hci_find_ltk(struct hci_dev *hdev, __le16 ediv, u8 rand[8])
1706 {
1707         struct smp_ltk *k;
1708
1709         list_for_each_entry(k, &hdev->long_term_keys, list) {
1710                 if (k->ediv != ediv ||
1711                     memcmp(rand, k->rand, sizeof(k->rand)))
1712                         continue;
1713
1714                 return k;
1715         }
1716
1717         return NULL;
1718 }
1719
1720 struct smp_ltk *hci_find_ltk_by_addr(struct hci_dev *hdev, bdaddr_t *bdaddr,
1721                                      u8 addr_type)
1722 {
1723         struct smp_ltk *k;
1724
1725         list_for_each_entry(k, &hdev->long_term_keys, list)
1726                 if (addr_type == k->bdaddr_type &&
1727                     bacmp(bdaddr, &k->bdaddr) == 0)
1728                         return k;
1729
1730         return NULL;
1731 }
1732
1733 int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
1734                      bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
1735 {
1736         struct link_key *key, *old_key;
1737         u8 old_key_type;
1738         bool persistent;
1739
1740         old_key = hci_find_link_key(hdev, bdaddr);
1741         if (old_key) {
1742                 old_key_type = old_key->type;
1743                 key = old_key;
1744         } else {
1745                 old_key_type = conn ? conn->key_type : 0xff;
1746                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1747                 if (!key)
1748                         return -ENOMEM;
1749                 list_add(&key->list, &hdev->link_keys);
1750         }
1751
1752         BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
1753
1754         /* Some buggy controller combinations generate a changed
1755          * combination key for legacy pairing even when there's no
1756          * previous key */
1757         if (type == HCI_LK_CHANGED_COMBINATION &&
1758             (!conn || conn->remote_auth == 0xff) && old_key_type == 0xff) {
1759                 type = HCI_LK_COMBINATION;
1760                 if (conn)
1761                         conn->key_type = type;
1762         }
1763
1764         bacpy(&key->bdaddr, bdaddr);
1765         memcpy(key->val, val, HCI_LINK_KEY_SIZE);
1766         key->pin_len = pin_len;
1767
1768         if (type == HCI_LK_CHANGED_COMBINATION)
1769                 key->type = old_key_type;
1770         else
1771                 key->type = type;
1772
1773         if (!new_key)
1774                 return 0;
1775
1776         persistent = hci_persistent_key(hdev, conn, type, old_key_type);
1777
1778         mgmt_new_link_key(hdev, key, persistent);
1779
1780         if (conn)
1781                 conn->flush_key = !persistent;
1782
1783         return 0;
1784 }
1785
1786 int hci_add_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 addr_type, u8 type,
1787                 int new_key, u8 authenticated, u8 tk[16], u8 enc_size, __le16
1788                 ediv, u8 rand[8])
1789 {
1790         struct smp_ltk *key, *old_key;
1791
1792         if (!(type & HCI_SMP_STK) && !(type & HCI_SMP_LTK))
1793                 return 0;
1794
1795         old_key = hci_find_ltk_by_addr(hdev, bdaddr, addr_type);
1796         if (old_key)
1797                 key = old_key;
1798         else {
1799                 key = kzalloc(sizeof(*key), GFP_ATOMIC);
1800                 if (!key)
1801                         return -ENOMEM;
1802                 list_add(&key->list, &hdev->long_term_keys);
1803         }
1804
1805         bacpy(&key->bdaddr, bdaddr);
1806         key->bdaddr_type = addr_type;
1807         memcpy(key->val, tk, sizeof(key->val));
1808         key->authenticated = authenticated;
1809         key->ediv = ediv;
1810         key->enc_size = enc_size;
1811         key->type = type;
1812         memcpy(key->rand, rand, sizeof(key->rand));
1813
1814         if (!new_key)
1815                 return 0;
1816
1817         if (type & HCI_SMP_LTK)
1818                 mgmt_new_ltk(hdev, key, 1);
1819
1820         return 0;
1821 }
1822
1823 int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
1824 {
1825         struct link_key *key;
1826
1827         key = hci_find_link_key(hdev, bdaddr);
1828         if (!key)
1829                 return -ENOENT;
1830
1831         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1832
1833         list_del(&key->list);
1834         kfree(key);
1835
1836         return 0;
1837 }
1838
1839 int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
1840 {
1841         struct smp_ltk *k, *tmp;
1842
1843         list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
1844                 if (bacmp(bdaddr, &k->bdaddr))
1845                         continue;
1846
1847                 BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1848
1849                 list_del(&k->list);
1850                 kfree(k);
1851         }
1852
1853         return 0;
1854 }
1855
1856 /* HCI command timer function */
1857 static void hci_cmd_timeout(unsigned long arg)
1858 {
1859         struct hci_dev *hdev = (void *) arg;
1860
1861         if (hdev->sent_cmd) {
1862                 struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
1863                 u16 opcode = __le16_to_cpu(sent->opcode);
1864
1865                 BT_ERR("%s command 0x%4.4x tx timeout", hdev->name, opcode);
1866         } else {
1867                 BT_ERR("%s command tx timeout", hdev->name);
1868         }
1869
1870         atomic_set(&hdev->cmd_cnt, 1);
1871         queue_work(hdev->workqueue, &hdev->cmd_work);
1872 }
1873
1874 struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
1875                                           bdaddr_t *bdaddr)
1876 {
1877         struct oob_data *data;
1878
1879         list_for_each_entry(data, &hdev->remote_oob_data, list)
1880                 if (bacmp(bdaddr, &data->bdaddr) == 0)
1881                         return data;
1882
1883         return NULL;
1884 }
1885
1886 int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
1887 {
1888         struct oob_data *data;
1889
1890         data = hci_find_remote_oob_data(hdev, bdaddr);
1891         if (!data)
1892                 return -ENOENT;
1893
1894         BT_DBG("%s removing %pMR", hdev->name, bdaddr);
1895
1896         list_del(&data->list);
1897         kfree(data);
1898
1899         return 0;
1900 }
1901
1902 int hci_remote_oob_data_clear(struct hci_dev *hdev)
1903 {
1904         struct oob_data *data, *n;
1905
1906         list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
1907                 list_del(&data->list);
1908                 kfree(data);
1909         }
1910
1911         return 0;
1912 }
1913
1914 int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
1915                             u8 *randomizer)
1916 {
1917         struct oob_data *data;
1918
1919         data = hci_find_remote_oob_data(hdev, bdaddr);
1920
1921         if (!data) {
1922                 data = kmalloc(sizeof(*data), GFP_ATOMIC);
1923                 if (!data)
1924                         return -ENOMEM;
1925
1926                 bacpy(&data->bdaddr, bdaddr);
1927                 list_add(&data->list, &hdev->remote_oob_data);
1928         }
1929
1930         memcpy(data->hash, hash, sizeof(data->hash));
1931         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
1932
1933         BT_DBG("%s for %pMR", hdev->name, bdaddr);
1934
1935         return 0;
1936 }
1937
1938 struct bdaddr_list *hci_blacklist_lookup(struct hci_dev *hdev, bdaddr_t *bdaddr)
1939 {
1940         struct bdaddr_list *b;
1941
1942         list_for_each_entry(b, &hdev->blacklist, list)
1943                 if (bacmp(bdaddr, &b->bdaddr) == 0)
1944                         return b;
1945
1946         return NULL;
1947 }
1948
1949 int hci_blacklist_clear(struct hci_dev *hdev)
1950 {
1951         struct list_head *p, *n;
1952
1953         list_for_each_safe(p, n, &hdev->blacklist) {
1954                 struct bdaddr_list *b;
1955
1956                 b = list_entry(p, struct bdaddr_list, list);
1957
1958                 list_del(p);
1959                 kfree(b);
1960         }
1961
1962         return 0;
1963 }
1964
1965 int hci_blacklist_add(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1966 {
1967         struct bdaddr_list *entry;
1968
1969         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1970                 return -EBADF;
1971
1972         if (hci_blacklist_lookup(hdev, bdaddr))
1973                 return -EEXIST;
1974
1975         entry = kzalloc(sizeof(struct bdaddr_list), GFP_KERNEL);
1976         if (!entry)
1977                 return -ENOMEM;
1978
1979         bacpy(&entry->bdaddr, bdaddr);
1980
1981         list_add(&entry->list, &hdev->blacklist);
1982
1983         return mgmt_device_blocked(hdev, bdaddr, type);
1984 }
1985
1986 int hci_blacklist_del(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
1987 {
1988         struct bdaddr_list *entry;
1989
1990         if (bacmp(bdaddr, BDADDR_ANY) == 0)
1991                 return hci_blacklist_clear(hdev);
1992
1993         entry = hci_blacklist_lookup(hdev, bdaddr);
1994         if (!entry)
1995                 return -ENOENT;
1996
1997         list_del(&entry->list);
1998         kfree(entry);
1999
2000         return mgmt_device_unblocked(hdev, bdaddr, type);
2001 }
2002
2003 static void inquiry_complete(struct hci_dev *hdev, u8 status)
2004 {
2005         if (status) {
2006                 BT_ERR("Failed to start inquiry: status %d", status);
2007
2008                 hci_dev_lock(hdev);
2009                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2010                 hci_dev_unlock(hdev);
2011                 return;
2012         }
2013 }
2014
2015 static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status)
2016 {
2017         /* General inquiry access code (GIAC) */
2018         u8 lap[3] = { 0x33, 0x8b, 0x9e };
2019         struct hci_request req;
2020         struct hci_cp_inquiry cp;
2021         int err;
2022
2023         if (status) {
2024                 BT_ERR("Failed to disable LE scanning: status %d", status);
2025                 return;
2026         }
2027
2028         switch (hdev->discovery.type) {
2029         case DISCOV_TYPE_LE:
2030                 hci_dev_lock(hdev);
2031                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2032                 hci_dev_unlock(hdev);
2033                 break;
2034
2035         case DISCOV_TYPE_INTERLEAVED:
2036                 hci_req_init(&req, hdev);
2037
2038                 memset(&cp, 0, sizeof(cp));
2039                 memcpy(&cp.lap, lap, sizeof(cp.lap));
2040                 cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
2041                 hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
2042
2043                 hci_dev_lock(hdev);
2044
2045                 hci_inquiry_cache_flush(hdev);
2046
2047                 err = hci_req_run(&req, inquiry_complete);
2048                 if (err) {
2049                         BT_ERR("Inquiry request failed: err %d", err);
2050                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2051                 }
2052
2053                 hci_dev_unlock(hdev);
2054                 break;
2055         }
2056 }
2057
2058 static void le_scan_disable_work(struct work_struct *work)
2059 {
2060         struct hci_dev *hdev = container_of(work, struct hci_dev,
2061                                             le_scan_disable.work);
2062         struct hci_cp_le_set_scan_enable cp;
2063         struct hci_request req;
2064         int err;
2065
2066         BT_DBG("%s", hdev->name);
2067
2068         hci_req_init(&req, hdev);
2069
2070         memset(&cp, 0, sizeof(cp));
2071         cp.enable = LE_SCAN_DISABLE;
2072         hci_req_add(&req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(cp), &cp);
2073
2074         err = hci_req_run(&req, le_scan_disable_work_complete);
2075         if (err)
2076                 BT_ERR("Disable LE scanning request failed: err %d", err);
2077 }
2078
2079 /* Alloc HCI device */
2080 struct hci_dev *hci_alloc_dev(void)
2081 {
2082         struct hci_dev *hdev;
2083
2084         hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
2085         if (!hdev)
2086                 return NULL;
2087
2088         hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
2089         hdev->esco_type = (ESCO_HV1);
2090         hdev->link_mode = (HCI_LM_ACCEPT);
2091         hdev->io_capability = 0x03; /* No Input No Output */
2092         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
2093         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
2094
2095         hdev->sniff_max_interval = 800;
2096         hdev->sniff_min_interval = 80;
2097
2098         mutex_init(&hdev->lock);
2099         mutex_init(&hdev->req_lock);
2100
2101         INIT_LIST_HEAD(&hdev->mgmt_pending);
2102         INIT_LIST_HEAD(&hdev->blacklist);
2103         INIT_LIST_HEAD(&hdev->uuids);
2104         INIT_LIST_HEAD(&hdev->link_keys);
2105         INIT_LIST_HEAD(&hdev->long_term_keys);
2106         INIT_LIST_HEAD(&hdev->remote_oob_data);
2107         INIT_LIST_HEAD(&hdev->conn_hash.list);
2108
2109         INIT_WORK(&hdev->rx_work, hci_rx_work);
2110         INIT_WORK(&hdev->cmd_work, hci_cmd_work);
2111         INIT_WORK(&hdev->tx_work, hci_tx_work);
2112         INIT_WORK(&hdev->power_on, hci_power_on);
2113
2114         INIT_DELAYED_WORK(&hdev->power_off, hci_power_off);
2115         INIT_DELAYED_WORK(&hdev->discov_off, hci_discov_off);
2116         INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable_work);
2117
2118         skb_queue_head_init(&hdev->rx_q);
2119         skb_queue_head_init(&hdev->cmd_q);
2120         skb_queue_head_init(&hdev->raw_q);
2121
2122         init_waitqueue_head(&hdev->req_wait_q);
2123
2124         setup_timer(&hdev->cmd_timer, hci_cmd_timeout, (unsigned long) hdev);
2125
2126         hci_init_sysfs(hdev);
2127         discovery_init(hdev);
2128
2129         return hdev;
2130 }
2131 EXPORT_SYMBOL(hci_alloc_dev);
2132
2133 /* Free HCI device */
2134 void hci_free_dev(struct hci_dev *hdev)
2135 {
2136         /* will free via device release */
2137         put_device(&hdev->dev);
2138 }
2139 EXPORT_SYMBOL(hci_free_dev);
2140
2141 /* Register HCI device */
2142 int hci_register_dev(struct hci_dev *hdev)
2143 {
2144         int id, error;
2145
2146         if (!hdev->open || !hdev->close)
2147                 return -EINVAL;
2148
2149         /* Do not allow HCI_AMP devices to register at index 0,
2150          * so the index can be used as the AMP controller ID.
2151          */
2152         switch (hdev->dev_type) {
2153         case HCI_BREDR:
2154                 id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
2155                 break;
2156         case HCI_AMP:
2157                 id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
2158                 break;
2159         default:
2160                 return -EINVAL;
2161         }
2162
2163         if (id < 0)
2164                 return id;
2165
2166         sprintf(hdev->name, "hci%d", id);
2167         hdev->id = id;
2168
2169         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2170
2171         hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
2172                                           WQ_MEM_RECLAIM, 1, hdev->name);
2173         if (!hdev->workqueue) {
2174                 error = -ENOMEM;
2175                 goto err;
2176         }
2177
2178         hdev->req_workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
2179                                               WQ_MEM_RECLAIM, 1, hdev->name);
2180         if (!hdev->req_workqueue) {
2181                 destroy_workqueue(hdev->workqueue);
2182                 error = -ENOMEM;
2183                 goto err;
2184         }
2185
2186         error = hci_add_sysfs(hdev);
2187         if (error < 0)
2188                 goto err_wqueue;
2189
2190         hdev->rfkill = rfkill_alloc(hdev->name, &hdev->dev,
2191                                     RFKILL_TYPE_BLUETOOTH, &hci_rfkill_ops,
2192                                     hdev);
2193         if (hdev->rfkill) {
2194                 if (rfkill_register(hdev->rfkill) < 0) {
2195                         rfkill_destroy(hdev->rfkill);
2196                         hdev->rfkill = NULL;
2197                 }
2198         }
2199
2200         set_bit(HCI_SETUP, &hdev->dev_flags);
2201
2202         if (hdev->dev_type != HCI_AMP)
2203                 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
2204
2205         write_lock(&hci_dev_list_lock);
2206         list_add(&hdev->list, &hci_dev_list);
2207         write_unlock(&hci_dev_list_lock);
2208
2209         hci_notify(hdev, HCI_DEV_REG);
2210         hci_dev_hold(hdev);
2211
2212         queue_work(hdev->req_workqueue, &hdev->power_on);
2213
2214         return id;
2215
2216 err_wqueue:
2217         destroy_workqueue(hdev->workqueue);
2218         destroy_workqueue(hdev->req_workqueue);
2219 err:
2220         ida_simple_remove(&hci_index_ida, hdev->id);
2221
2222         return error;
2223 }
2224 EXPORT_SYMBOL(hci_register_dev);
2225
2226 /* Unregister HCI device */
2227 void hci_unregister_dev(struct hci_dev *hdev)
2228 {
2229         int i, id;
2230
2231         BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
2232
2233         set_bit(HCI_UNREGISTER, &hdev->dev_flags);
2234
2235         id = hdev->id;
2236
2237         write_lock(&hci_dev_list_lock);
2238         list_del(&hdev->list);
2239         write_unlock(&hci_dev_list_lock);
2240
2241         hci_dev_do_close(hdev);
2242
2243         for (i = 0; i < NUM_REASSEMBLY; i++)
2244                 kfree_skb(hdev->reassembly[i]);
2245
2246         cancel_work_sync(&hdev->power_on);
2247
2248         if (!test_bit(HCI_INIT, &hdev->flags) &&
2249             !test_bit(HCI_SETUP, &hdev->dev_flags)) {
2250                 hci_dev_lock(hdev);
2251                 mgmt_index_removed(hdev);
2252                 hci_dev_unlock(hdev);
2253         }
2254
2255         /* mgmt_index_removed should take care of emptying the
2256          * pending list */
2257         BUG_ON(!list_empty(&hdev->mgmt_pending));
2258
2259         hci_notify(hdev, HCI_DEV_UNREG);
2260
2261         if (hdev->rfkill) {
2262                 rfkill_unregister(hdev->rfkill);
2263                 rfkill_destroy(hdev->rfkill);
2264         }
2265
2266         hci_del_sysfs(hdev);
2267
2268         destroy_workqueue(hdev->workqueue);
2269         destroy_workqueue(hdev->req_workqueue);
2270
2271         hci_dev_lock(hdev);
2272         hci_blacklist_clear(hdev);
2273         hci_uuids_clear(hdev);
2274         hci_link_keys_clear(hdev);
2275         hci_smp_ltks_clear(hdev);
2276         hci_remote_oob_data_clear(hdev);
2277         hci_dev_unlock(hdev);
2278
2279         hci_dev_put(hdev);
2280
2281         ida_simple_remove(&hci_index_ida, id);
2282 }
2283 EXPORT_SYMBOL(hci_unregister_dev);
2284
2285 /* Suspend HCI device */
2286 int hci_suspend_dev(struct hci_dev *hdev)
2287 {
2288         hci_notify(hdev, HCI_DEV_SUSPEND);
2289         return 0;
2290 }
2291 EXPORT_SYMBOL(hci_suspend_dev);
2292
2293 /* Resume HCI device */
2294 int hci_resume_dev(struct hci_dev *hdev)
2295 {
2296         hci_notify(hdev, HCI_DEV_RESUME);
2297         return 0;
2298 }
2299 EXPORT_SYMBOL(hci_resume_dev);
2300
2301 /* Receive frame from HCI drivers */
2302 int hci_recv_frame(struct sk_buff *skb)
2303 {
2304         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2305         if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
2306                       && !test_bit(HCI_INIT, &hdev->flags))) {
2307                 kfree_skb(skb);
2308                 return -ENXIO;
2309         }
2310
2311         /* Incoming skb */
2312         bt_cb(skb)->incoming = 1;
2313
2314         /* Time stamp */
2315         __net_timestamp(skb);
2316
2317         skb_queue_tail(&hdev->rx_q, skb);
2318         queue_work(hdev->workqueue, &hdev->rx_work);
2319
2320         return 0;
2321 }
2322 EXPORT_SYMBOL(hci_recv_frame);
2323
2324 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
2325                           int count, __u8 index)
2326 {
2327         int len = 0;
2328         int hlen = 0;
2329         int remain = count;
2330         struct sk_buff *skb;
2331         struct bt_skb_cb *scb;
2332
2333         if ((type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT) ||
2334             index >= NUM_REASSEMBLY)
2335                 return -EILSEQ;
2336
2337         skb = hdev->reassembly[index];
2338
2339         if (!skb) {
2340                 switch (type) {
2341                 case HCI_ACLDATA_PKT:
2342                         len = HCI_MAX_FRAME_SIZE;
2343                         hlen = HCI_ACL_HDR_SIZE;
2344                         break;
2345                 case HCI_EVENT_PKT:
2346                         len = HCI_MAX_EVENT_SIZE;
2347                         hlen = HCI_EVENT_HDR_SIZE;
2348                         break;
2349                 case HCI_SCODATA_PKT:
2350                         len = HCI_MAX_SCO_SIZE;
2351                         hlen = HCI_SCO_HDR_SIZE;
2352                         break;
2353                 }
2354
2355                 skb = bt_skb_alloc(len, GFP_ATOMIC);
2356                 if (!skb)
2357                         return -ENOMEM;
2358
2359                 scb = (void *) skb->cb;
2360                 scb->expect = hlen;
2361                 scb->pkt_type = type;
2362
2363                 skb->dev = (void *) hdev;
2364                 hdev->reassembly[index] = skb;
2365         }
2366
2367         while (count) {
2368                 scb = (void *) skb->cb;
2369                 len = min_t(uint, scb->expect, count);
2370
2371                 memcpy(skb_put(skb, len), data, len);
2372
2373                 count -= len;
2374                 data += len;
2375                 scb->expect -= len;
2376                 remain = count;
2377
2378                 switch (type) {
2379                 case HCI_EVENT_PKT:
2380                         if (skb->len == HCI_EVENT_HDR_SIZE) {
2381                                 struct hci_event_hdr *h = hci_event_hdr(skb);
2382                                 scb->expect = h->plen;
2383
2384                                 if (skb_tailroom(skb) < scb->expect) {
2385                                         kfree_skb(skb);
2386                                         hdev->reassembly[index] = NULL;
2387                                         return -ENOMEM;
2388                                 }
2389                         }
2390                         break;
2391
2392                 case HCI_ACLDATA_PKT:
2393                         if (skb->len  == HCI_ACL_HDR_SIZE) {
2394                                 struct hci_acl_hdr *h = hci_acl_hdr(skb);
2395                                 scb->expect = __le16_to_cpu(h->dlen);
2396
2397                                 if (skb_tailroom(skb) < scb->expect) {
2398                                         kfree_skb(skb);
2399                                         hdev->reassembly[index] = NULL;
2400                                         return -ENOMEM;
2401                                 }
2402                         }
2403                         break;
2404
2405                 case HCI_SCODATA_PKT:
2406                         if (skb->len == HCI_SCO_HDR_SIZE) {
2407                                 struct hci_sco_hdr *h = hci_sco_hdr(skb);
2408                                 scb->expect = h->dlen;
2409
2410                                 if (skb_tailroom(skb) < scb->expect) {
2411                                         kfree_skb(skb);
2412                                         hdev->reassembly[index] = NULL;
2413                                         return -ENOMEM;
2414                                 }
2415                         }
2416                         break;
2417                 }
2418
2419                 if (scb->expect == 0) {
2420                         /* Complete frame */
2421
2422                         bt_cb(skb)->pkt_type = type;
2423                         hci_recv_frame(skb);
2424
2425                         hdev->reassembly[index] = NULL;
2426                         return remain;
2427                 }
2428         }
2429
2430         return remain;
2431 }
2432
2433 int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
2434 {
2435         int rem = 0;
2436
2437         if (type < HCI_ACLDATA_PKT || type > HCI_EVENT_PKT)
2438                 return -EILSEQ;
2439
2440         while (count) {
2441                 rem = hci_reassembly(hdev, type, data, count, type - 1);
2442                 if (rem < 0)
2443                         return rem;
2444
2445                 data += (count - rem);
2446                 count = rem;
2447         }
2448
2449         return rem;
2450 }
2451 EXPORT_SYMBOL(hci_recv_fragment);
2452
2453 #define STREAM_REASSEMBLY 0
2454
2455 int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
2456 {
2457         int type;
2458         int rem = 0;
2459
2460         while (count) {
2461                 struct sk_buff *skb = hdev->reassembly[STREAM_REASSEMBLY];
2462
2463                 if (!skb) {
2464                         struct { char type; } *pkt;
2465
2466                         /* Start of the frame */
2467                         pkt = data;
2468                         type = pkt->type;
2469
2470                         data++;
2471                         count--;
2472                 } else
2473                         type = bt_cb(skb)->pkt_type;
2474
2475                 rem = hci_reassembly(hdev, type, data, count,
2476                                      STREAM_REASSEMBLY);
2477                 if (rem < 0)
2478                         return rem;
2479
2480                 data += (count - rem);
2481                 count = rem;
2482         }
2483
2484         return rem;
2485 }
2486 EXPORT_SYMBOL(hci_recv_stream_fragment);
2487
2488 /* ---- Interface to upper protocols ---- */
2489
2490 int hci_register_cb(struct hci_cb *cb)
2491 {
2492         BT_DBG("%p name %s", cb, cb->name);
2493
2494         write_lock(&hci_cb_list_lock);
2495         list_add(&cb->list, &hci_cb_list);
2496         write_unlock(&hci_cb_list_lock);
2497
2498         return 0;
2499 }
2500 EXPORT_SYMBOL(hci_register_cb);
2501
2502 int hci_unregister_cb(struct hci_cb *cb)
2503 {
2504         BT_DBG("%p name %s", cb, cb->name);
2505
2506         write_lock(&hci_cb_list_lock);
2507         list_del(&cb->list);
2508         write_unlock(&hci_cb_list_lock);
2509
2510         return 0;
2511 }
2512 EXPORT_SYMBOL(hci_unregister_cb);
2513
2514 static int hci_send_frame(struct sk_buff *skb)
2515 {
2516         struct hci_dev *hdev = (struct hci_dev *) skb->dev;
2517
2518         if (!hdev) {
2519                 kfree_skb(skb);
2520                 return -ENODEV;
2521         }
2522
2523         BT_DBG("%s type %d len %d", hdev->name, bt_cb(skb)->pkt_type, skb->len);
2524
2525         /* Time stamp */
2526         __net_timestamp(skb);
2527
2528         /* Send copy to monitor */
2529         hci_send_to_monitor(hdev, skb);
2530
2531         if (atomic_read(&hdev->promisc)) {
2532                 /* Send copy to the sockets */
2533                 hci_send_to_sock(hdev, skb);
2534         }
2535
2536         /* Get rid of skb owner, prior to sending to the driver. */
2537         skb_orphan(skb);
2538
2539         return hdev->send(skb);
2540 }
2541
2542 void hci_req_init(struct hci_request *req, struct hci_dev *hdev)
2543 {
2544         skb_queue_head_init(&req->cmd_q);
2545         req->hdev = hdev;
2546         req->err = 0;
2547 }
2548
2549 int hci_req_run(struct hci_request *req, hci_req_complete_t complete)
2550 {
2551         struct hci_dev *hdev = req->hdev;
2552         struct sk_buff *skb;
2553         unsigned long flags;
2554
2555         BT_DBG("length %u", skb_queue_len(&req->cmd_q));
2556
2557         /* If an error occured during request building, remove all HCI
2558          * commands queued on the HCI request queue.
2559          */
2560         if (req->err) {
2561                 skb_queue_purge(&req->cmd_q);
2562                 return req->err;
2563         }
2564
2565         /* Do not allow empty requests */
2566         if (skb_queue_empty(&req->cmd_q))
2567                 return -ENODATA;
2568
2569         skb = skb_peek_tail(&req->cmd_q);
2570         bt_cb(skb)->req.complete = complete;
2571
2572         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
2573         skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
2574         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
2575
2576         queue_work(hdev->workqueue, &hdev->cmd_work);
2577
2578         return 0;
2579 }
2580
2581 static struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode,
2582                                        u32 plen, const void *param)
2583 {
2584         int len = HCI_COMMAND_HDR_SIZE + plen;
2585         struct hci_command_hdr *hdr;
2586         struct sk_buff *skb;
2587
2588         skb = bt_skb_alloc(len, GFP_ATOMIC);
2589         if (!skb)
2590                 return NULL;
2591
2592         hdr = (struct hci_command_hdr *) skb_put(skb, HCI_COMMAND_HDR_SIZE);
2593         hdr->opcode = cpu_to_le16(opcode);
2594         hdr->plen   = plen;
2595
2596         if (plen)
2597                 memcpy(skb_put(skb, plen), param, plen);
2598
2599         BT_DBG("skb len %d", skb->len);
2600
2601         bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
2602         skb->dev = (void *) hdev;
2603
2604         return skb;
2605 }
2606
2607 /* Send HCI command */
2608 int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen,
2609                  const void *param)
2610 {
2611         struct sk_buff *skb;
2612
2613         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2614
2615         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2616         if (!skb) {
2617                 BT_ERR("%s no memory for command", hdev->name);
2618                 return -ENOMEM;
2619         }
2620
2621         /* Stand-alone HCI commands must be flaged as
2622          * single-command requests.
2623          */
2624         bt_cb(skb)->req.start = true;
2625
2626         skb_queue_tail(&hdev->cmd_q, skb);
2627         queue_work(hdev->workqueue, &hdev->cmd_work);
2628
2629         return 0;
2630 }
2631
2632 /* Queue a command to an asynchronous HCI request */
2633 void hci_req_add_ev(struct hci_request *req, u16 opcode, u32 plen,
2634                     const void *param, u8 event)
2635 {
2636         struct hci_dev *hdev = req->hdev;
2637         struct sk_buff *skb;
2638
2639         BT_DBG("%s opcode 0x%4.4x plen %d", hdev->name, opcode, plen);
2640
2641         /* If an error occured during request building, there is no point in
2642          * queueing the HCI command. We can simply return.
2643          */
2644         if (req->err)
2645                 return;
2646
2647         skb = hci_prepare_cmd(hdev, opcode, plen, param);
2648         if (!skb) {
2649                 BT_ERR("%s no memory for command (opcode 0x%4.4x)",
2650                        hdev->name, opcode);
2651                 req->err = -ENOMEM;
2652                 return;
2653         }
2654
2655         if (skb_queue_empty(&req->cmd_q))
2656                 bt_cb(skb)->req.start = true;
2657
2658         bt_cb(skb)->req.event = event;
2659
2660         skb_queue_tail(&req->cmd_q, skb);
2661 }
2662
2663 void hci_req_add(struct hci_request *req, u16 opcode, u32 plen,
2664                  const void *param)
2665 {
2666         hci_req_add_ev(req, opcode, plen, param, 0);
2667 }
2668
2669 /* Get data from the previously sent command */
2670 void *hci_sent_cmd_data(struct hci_dev *hdev, __u16 opcode)
2671 {
2672         struct hci_command_hdr *hdr;
2673
2674         if (!hdev->sent_cmd)
2675                 return NULL;
2676
2677         hdr = (void *) hdev->sent_cmd->data;
2678
2679         if (hdr->opcode != cpu_to_le16(opcode))
2680                 return NULL;
2681
2682         BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2683
2684         return hdev->sent_cmd->data + HCI_COMMAND_HDR_SIZE;
2685 }
2686
2687 /* Send ACL data */
2688 static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
2689 {
2690         struct hci_acl_hdr *hdr;
2691         int len = skb->len;
2692
2693         skb_push(skb, HCI_ACL_HDR_SIZE);
2694         skb_reset_transport_header(skb);
2695         hdr = (struct hci_acl_hdr *)skb_transport_header(skb);
2696         hdr->handle = cpu_to_le16(hci_handle_pack(handle, flags));
2697         hdr->dlen   = cpu_to_le16(len);
2698 }
2699
2700 static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
2701                           struct sk_buff *skb, __u16 flags)
2702 {
2703         struct hci_conn *conn = chan->conn;
2704         struct hci_dev *hdev = conn->hdev;
2705         struct sk_buff *list;
2706
2707         skb->len = skb_headlen(skb);
2708         skb->data_len = 0;
2709
2710         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2711
2712         switch (hdev->dev_type) {
2713         case HCI_BREDR:
2714                 hci_add_acl_hdr(skb, conn->handle, flags);
2715                 break;
2716         case HCI_AMP:
2717                 hci_add_acl_hdr(skb, chan->handle, flags);
2718                 break;
2719         default:
2720                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2721                 return;
2722         }
2723
2724         list = skb_shinfo(skb)->frag_list;
2725         if (!list) {
2726                 /* Non fragmented */
2727                 BT_DBG("%s nonfrag skb %p len %d", hdev->name, skb, skb->len);
2728
2729                 skb_queue_tail(queue, skb);
2730         } else {
2731                 /* Fragmented */
2732                 BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2733
2734                 skb_shinfo(skb)->frag_list = NULL;
2735
2736                 /* Queue all fragments atomically */
2737                 spin_lock(&queue->lock);
2738
2739                 __skb_queue_tail(queue, skb);
2740
2741                 flags &= ~ACL_START;
2742                 flags |= ACL_CONT;
2743                 do {
2744                         skb = list; list = list->next;
2745
2746                         skb->dev = (void *) hdev;
2747                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
2748                         hci_add_acl_hdr(skb, conn->handle, flags);
2749
2750                         BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
2751
2752                         __skb_queue_tail(queue, skb);
2753                 } while (list);
2754
2755                 spin_unlock(&queue->lock);
2756         }
2757 }
2758
2759 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
2760 {
2761         struct hci_dev *hdev = chan->conn->hdev;
2762
2763         BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
2764
2765         skb->dev = (void *) hdev;
2766
2767         hci_queue_acl(chan, &chan->data_q, skb, flags);
2768
2769         queue_work(hdev->workqueue, &hdev->tx_work);
2770 }
2771
2772 /* Send SCO data */
2773 void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
2774 {
2775         struct hci_dev *hdev = conn->hdev;
2776         struct hci_sco_hdr hdr;
2777
2778         BT_DBG("%s len %d", hdev->name, skb->len);
2779
2780         hdr.handle = cpu_to_le16(conn->handle);
2781         hdr.dlen   = skb->len;
2782
2783         skb_push(skb, HCI_SCO_HDR_SIZE);
2784         skb_reset_transport_header(skb);
2785         memcpy(skb_transport_header(skb), &hdr, HCI_SCO_HDR_SIZE);
2786
2787         skb->dev = (void *) hdev;
2788         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
2789
2790         skb_queue_tail(&conn->data_q, skb);
2791         queue_work(hdev->workqueue, &hdev->tx_work);
2792 }
2793
2794 /* ---- HCI TX task (outgoing data) ---- */
2795
2796 /* HCI Connection scheduler */
2797 static struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type,
2798                                      int *quote)
2799 {
2800         struct hci_conn_hash *h = &hdev->conn_hash;
2801         struct hci_conn *conn = NULL, *c;
2802         unsigned int num = 0, min = ~0;
2803
2804         /* We don't have to lock device here. Connections are always
2805          * added and removed with TX task disabled. */
2806
2807         rcu_read_lock();
2808
2809         list_for_each_entry_rcu(c, &h->list, list) {
2810                 if (c->type != type || skb_queue_empty(&c->data_q))
2811                         continue;
2812
2813                 if (c->state != BT_CONNECTED && c->state != BT_CONFIG)
2814                         continue;
2815
2816                 num++;
2817
2818                 if (c->sent < min) {
2819                         min  = c->sent;
2820                         conn = c;
2821                 }
2822
2823                 if (hci_conn_num(hdev, type) == num)
2824                         break;
2825         }
2826
2827         rcu_read_unlock();
2828
2829         if (conn) {
2830                 int cnt, q;
2831
2832                 switch (conn->type) {
2833                 case ACL_LINK:
2834                         cnt = hdev->acl_cnt;
2835                         break;
2836                 case SCO_LINK:
2837                 case ESCO_LINK:
2838                         cnt = hdev->sco_cnt;
2839                         break;
2840                 case LE_LINK:
2841                         cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2842                         break;
2843                 default:
2844                         cnt = 0;
2845                         BT_ERR("Unknown link type");
2846                 }
2847
2848                 q = cnt / num;
2849                 *quote = q ? q : 1;
2850         } else
2851                 *quote = 0;
2852
2853         BT_DBG("conn %p quote %d", conn, *quote);
2854         return conn;
2855 }
2856
2857 static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
2858 {
2859         struct hci_conn_hash *h = &hdev->conn_hash;
2860         struct hci_conn *c;
2861
2862         BT_ERR("%s link tx timeout", hdev->name);
2863
2864         rcu_read_lock();
2865
2866         /* Kill stalled connections */
2867         list_for_each_entry_rcu(c, &h->list, list) {
2868                 if (c->type == type && c->sent) {
2869                         BT_ERR("%s killing stalled connection %pMR",
2870                                hdev->name, &c->dst);
2871                         hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
2872                 }
2873         }
2874
2875         rcu_read_unlock();
2876 }
2877
2878 static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
2879                                       int *quote)
2880 {
2881         struct hci_conn_hash *h = &hdev->conn_hash;
2882         struct hci_chan *chan = NULL;
2883         unsigned int num = 0, min = ~0, cur_prio = 0;
2884         struct hci_conn *conn;
2885         int cnt, q, conn_num = 0;
2886
2887         BT_DBG("%s", hdev->name);
2888
2889         rcu_read_lock();
2890
2891         list_for_each_entry_rcu(conn, &h->list, list) {
2892                 struct hci_chan *tmp;
2893
2894                 if (conn->type != type)
2895                         continue;
2896
2897                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2898                         continue;
2899
2900                 conn_num++;
2901
2902                 list_for_each_entry_rcu(tmp, &conn->chan_list, list) {
2903                         struct sk_buff *skb;
2904
2905                         if (skb_queue_empty(&tmp->data_q))
2906                                 continue;
2907
2908                         skb = skb_peek(&tmp->data_q);
2909                         if (skb->priority < cur_prio)
2910                                 continue;
2911
2912                         if (skb->priority > cur_prio) {
2913                                 num = 0;
2914                                 min = ~0;
2915                                 cur_prio = skb->priority;
2916                         }
2917
2918                         num++;
2919
2920                         if (conn->sent < min) {
2921                                 min  = conn->sent;
2922                                 chan = tmp;
2923                         }
2924                 }
2925
2926                 if (hci_conn_num(hdev, type) == conn_num)
2927                         break;
2928         }
2929
2930         rcu_read_unlock();
2931
2932         if (!chan)
2933                 return NULL;
2934
2935         switch (chan->conn->type) {
2936         case ACL_LINK:
2937                 cnt = hdev->acl_cnt;
2938                 break;
2939         case AMP_LINK:
2940                 cnt = hdev->block_cnt;
2941                 break;
2942         case SCO_LINK:
2943         case ESCO_LINK:
2944                 cnt = hdev->sco_cnt;
2945                 break;
2946         case LE_LINK:
2947                 cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
2948                 break;
2949         default:
2950                 cnt = 0;
2951                 BT_ERR("Unknown link type");
2952         }
2953
2954         q = cnt / num;
2955         *quote = q ? q : 1;
2956         BT_DBG("chan %p quote %d", chan, *quote);
2957         return chan;
2958 }
2959
2960 static void hci_prio_recalculate(struct hci_dev *hdev, __u8 type)
2961 {
2962         struct hci_conn_hash *h = &hdev->conn_hash;
2963         struct hci_conn *conn;
2964         int num = 0;
2965
2966         BT_DBG("%s", hdev->name);
2967
2968         rcu_read_lock();
2969
2970         list_for_each_entry_rcu(conn, &h->list, list) {
2971                 struct hci_chan *chan;
2972
2973                 if (conn->type != type)
2974                         continue;
2975
2976                 if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
2977                         continue;
2978
2979                 num++;
2980
2981                 list_for_each_entry_rcu(chan, &conn->chan_list, list) {
2982                         struct sk_buff *skb;
2983
2984                         if (chan->sent) {
2985                                 chan->sent = 0;
2986                                 continue;
2987                         }
2988
2989                         if (skb_queue_empty(&chan->data_q))
2990                                 continue;
2991
2992                         skb = skb_peek(&chan->data_q);
2993                         if (skb->priority >= HCI_PRIO_MAX - 1)
2994                                 continue;
2995
2996                         skb->priority = HCI_PRIO_MAX - 1;
2997
2998                         BT_DBG("chan %p skb %p promoted to %d", chan, skb,
2999                                skb->priority);
3000                 }
3001
3002                 if (hci_conn_num(hdev, type) == num)
3003                         break;
3004         }
3005
3006         rcu_read_unlock();
3007
3008 }
3009
3010 static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
3011 {
3012         /* Calculate count of blocks used by this packet */
3013         return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
3014 }
3015
3016 static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
3017 {
3018         if (!test_bit(HCI_RAW, &hdev->flags)) {
3019                 /* ACL tx timeout must be longer than maximum
3020                  * link supervision timeout (40.9 seconds) */
3021                 if (!cnt && time_after(jiffies, hdev->acl_last_tx +
3022                                        HCI_ACL_TX_TIMEOUT))
3023                         hci_link_tx_to(hdev, ACL_LINK);
3024         }
3025 }
3026
3027 static void hci_sched_acl_pkt(struct hci_dev *hdev)
3028 {
3029         unsigned int cnt = hdev->acl_cnt;
3030         struct hci_chan *chan;
3031         struct sk_buff *skb;
3032         int quote;
3033
3034         __check_timeout(hdev, cnt);
3035
3036         while (hdev->acl_cnt &&
3037                (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
3038                 u32 priority = (skb_peek(&chan->data_q))->priority;
3039                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3040                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3041                                skb->len, skb->priority);
3042
3043                         /* Stop if priority has changed */
3044                         if (skb->priority < priority)
3045                                 break;
3046
3047                         skb = skb_dequeue(&chan->data_q);
3048
3049                         hci_conn_enter_active_mode(chan->conn,
3050                                                    bt_cb(skb)->force_active);
3051
3052                         hci_send_frame(skb);
3053                         hdev->acl_last_tx = jiffies;
3054
3055                         hdev->acl_cnt--;
3056                         chan->sent++;
3057                         chan->conn->sent++;
3058                 }
3059         }
3060
3061         if (cnt != hdev->acl_cnt)
3062                 hci_prio_recalculate(hdev, ACL_LINK);
3063 }
3064
3065 static void hci_sched_acl_blk(struct hci_dev *hdev)
3066 {
3067         unsigned int cnt = hdev->block_cnt;
3068         struct hci_chan *chan;
3069         struct sk_buff *skb;
3070         int quote;
3071         u8 type;
3072
3073         __check_timeout(hdev, cnt);
3074
3075         BT_DBG("%s", hdev->name);
3076
3077         if (hdev->dev_type == HCI_AMP)
3078                 type = AMP_LINK;
3079         else
3080                 type = ACL_LINK;
3081
3082         while (hdev->block_cnt > 0 &&
3083                (chan = hci_chan_sent(hdev, type, &quote))) {
3084                 u32 priority = (skb_peek(&chan->data_q))->priority;
3085                 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
3086                         int blocks;
3087
3088                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3089                                skb->len, skb->priority);
3090
3091                         /* Stop if priority has changed */
3092                         if (skb->priority < priority)
3093                                 break;
3094
3095                         skb = skb_dequeue(&chan->data_q);
3096
3097                         blocks = __get_blocks(hdev, skb);
3098                         if (blocks > hdev->block_cnt)
3099                                 return;
3100
3101                         hci_conn_enter_active_mode(chan->conn,
3102                                                    bt_cb(skb)->force_active);
3103
3104                         hci_send_frame(skb);
3105                         hdev->acl_last_tx = jiffies;
3106
3107                         hdev->block_cnt -= blocks;
3108                         quote -= blocks;
3109
3110                         chan->sent += blocks;
3111                         chan->conn->sent += blocks;
3112                 }
3113         }
3114
3115         if (cnt != hdev->block_cnt)
3116                 hci_prio_recalculate(hdev, type);
3117 }
3118
3119 static void hci_sched_acl(struct hci_dev *hdev)
3120 {
3121         BT_DBG("%s", hdev->name);
3122
3123         /* No ACL link over BR/EDR controller */
3124         if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
3125                 return;
3126
3127         /* No AMP link over AMP controller */
3128         if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
3129                 return;
3130
3131         switch (hdev->flow_ctl_mode) {
3132         case HCI_FLOW_CTL_MODE_PACKET_BASED:
3133                 hci_sched_acl_pkt(hdev);
3134                 break;
3135
3136         case HCI_FLOW_CTL_MODE_BLOCK_BASED:
3137                 hci_sched_acl_blk(hdev);
3138                 break;
3139         }
3140 }
3141
3142 /* Schedule SCO */
3143 static void hci_sched_sco(struct hci_dev *hdev)
3144 {
3145         struct hci_conn *conn;
3146         struct sk_buff *skb;
3147         int quote;
3148
3149         BT_DBG("%s", hdev->name);
3150
3151         if (!hci_conn_num(hdev, SCO_LINK))
3152                 return;
3153
3154         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, SCO_LINK, &quote))) {
3155                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3156                         BT_DBG("skb %p len %d", skb, skb->len);
3157                         hci_send_frame(skb);
3158
3159                         conn->sent++;
3160                         if (conn->sent == ~0)
3161                                 conn->sent = 0;
3162                 }
3163         }
3164 }
3165
3166 static void hci_sched_esco(struct hci_dev *hdev)
3167 {
3168         struct hci_conn *conn;
3169         struct sk_buff *skb;
3170         int quote;
3171
3172         BT_DBG("%s", hdev->name);
3173
3174         if (!hci_conn_num(hdev, ESCO_LINK))
3175                 return;
3176
3177         while (hdev->sco_cnt && (conn = hci_low_sent(hdev, ESCO_LINK,
3178                                                      &quote))) {
3179                 while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
3180                         BT_DBG("skb %p len %d", skb, skb->len);
3181                         hci_send_frame(skb);
3182
3183                         conn->sent++;
3184                         if (conn->sent == ~0)
3185                                 conn->sent = 0;
3186                 }
3187         }
3188 }
3189
3190 static void hci_sched_le(struct hci_dev *hdev)
3191 {
3192         struct hci_chan *chan;
3193         struct sk_buff *skb;
3194         int quote, cnt, tmp;
3195
3196         BT_DBG("%s", hdev->name);
3197
3198         if (!hci_conn_num(hdev, LE_LINK))
3199                 return;
3200
3201         if (!test_bit(HCI_RAW, &hdev->flags)) {
3202                 /* LE tx timeout must be longer than maximum
3203                  * link supervision timeout (40.9 seconds) */
3204                 if (!hdev->le_cnt && hdev->le_pkts &&
3205                     time_after(jiffies, hdev->le_last_tx + HZ * 45))
3206                         hci_link_tx_to(hdev, LE_LINK);
3207         }
3208
3209         cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
3210         tmp = cnt;
3211         while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, &quote))) {
3212                 u32 priority = (skb_peek(&chan->data_q))->priority;
3213                 while (quote-- && (skb = skb_peek(&chan->data_q))) {
3214                         BT_DBG("chan %p skb %p len %d priority %u", chan, skb,
3215                                skb->len, skb->priority);
3216
3217                         /* Stop if priority has changed */
3218                         if (skb->priority < priority)
3219                                 break;
3220
3221                         skb = skb_dequeue(&chan->data_q);
3222
3223                         hci_send_frame(skb);
3224                         hdev->le_last_tx = jiffies;
3225
3226                         cnt--;
3227                         chan->sent++;
3228                         chan->conn->sent++;
3229                 }
3230         }
3231
3232         if (hdev->le_pkts)
3233                 hdev->le_cnt = cnt;
3234         else
3235                 hdev->acl_cnt = cnt;
3236
3237         if (cnt != tmp)
3238                 hci_prio_recalculate(hdev, LE_LINK);
3239 }
3240
3241 static void hci_tx_work(struct work_struct *work)
3242 {
3243         struct hci_dev *hdev = container_of(work, struct hci_dev, tx_work);
3244         struct sk_buff *skb;
3245
3246         BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
3247                hdev->sco_cnt, hdev->le_cnt);
3248
3249         /* Schedule queues and send stuff to HCI driver */
3250
3251         hci_sched_acl(hdev);
3252
3253         hci_sched_sco(hdev);
3254
3255         hci_sched_esco(hdev);
3256
3257         hci_sched_le(hdev);
3258
3259         /* Send next queued raw (unknown type) packet */
3260         while ((skb = skb_dequeue(&hdev->raw_q)))
3261                 hci_send_frame(skb);
3262 }
3263
3264 /* ----- HCI RX task (incoming data processing) ----- */
3265
3266 /* ACL data packet */
3267 static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3268 {
3269         struct hci_acl_hdr *hdr = (void *) skb->data;
3270         struct hci_conn *conn;
3271         __u16 handle, flags;
3272
3273         skb_pull(skb, HCI_ACL_HDR_SIZE);
3274
3275         handle = __le16_to_cpu(hdr->handle);
3276         flags  = hci_flags(handle);
3277         handle = hci_handle(handle);
3278
3279         BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
3280                handle, flags);
3281
3282         hdev->stat.acl_rx++;
3283
3284         hci_dev_lock(hdev);
3285         conn = hci_conn_hash_lookup_handle(hdev, handle);
3286         hci_dev_unlock(hdev);
3287
3288         if (conn) {
3289                 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
3290
3291                 /* Send to upper protocol */
3292                 l2cap_recv_acldata(conn, skb, flags);
3293                 return;
3294         } else {
3295                 BT_ERR("%s ACL packet for unknown connection handle %d",
3296                        hdev->name, handle);
3297         }
3298
3299         kfree_skb(skb);
3300 }
3301
3302 /* SCO data packet */
3303 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
3304 {
3305         struct hci_sco_hdr *hdr = (void *) skb->data;
3306         struct hci_conn *conn;
3307         __u16 handle;
3308
3309         skb_pull(skb, HCI_SCO_HDR_SIZE);
3310
3311         handle = __le16_to_cpu(hdr->handle);
3312
3313         BT_DBG("%s len %d handle 0x%4.4x", hdev->name, skb->len, handle);
3314
3315         hdev->stat.sco_rx++;
3316
3317         hci_dev_lock(hdev);
3318         conn = hci_conn_hash_lookup_handle(hdev, handle);
3319         hci_dev_unlock(hdev);
3320
3321         if (conn) {
3322                 /* Send to upper protocol */
3323                 sco_recv_scodata(conn, skb);
3324                 return;
3325         } else {
3326                 BT_ERR("%s SCO packet for unknown connection handle %d",
3327                        hdev->name, handle);
3328         }
3329
3330         kfree_skb(skb);
3331 }
3332
3333 static bool hci_req_is_complete(struct hci_dev *hdev)
3334 {
3335         struct sk_buff *skb;
3336
3337         skb = skb_peek(&hdev->cmd_q);
3338         if (!skb)
3339                 return true;
3340
3341         return bt_cb(skb)->req.start;
3342 }
3343
3344 static void hci_resend_last(struct hci_dev *hdev)
3345 {
3346         struct hci_command_hdr *sent;
3347         struct sk_buff *skb;
3348         u16 opcode;
3349
3350         if (!hdev->sent_cmd)
3351                 return;
3352
3353         sent = (void *) hdev->sent_cmd->data;
3354         opcode = __le16_to_cpu(sent->opcode);
3355         if (opcode == HCI_OP_RESET)
3356                 return;
3357
3358         skb = skb_clone(hdev->sent_cmd, GFP_KERNEL);
3359         if (!skb)
3360                 return;
3361
3362         skb_queue_head(&hdev->cmd_q, skb);
3363         queue_work(hdev->workqueue, &hdev->cmd_work);
3364 }
3365
3366 void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status)
3367 {
3368         hci_req_complete_t req_complete = NULL;
3369         struct sk_buff *skb;
3370         unsigned long flags;
3371
3372         BT_DBG("opcode 0x%04x status 0x%02x", opcode, status);
3373
3374         /* If the completed command doesn't match the last one that was
3375          * sent we need to do special handling of it.
3376          */
3377         if (!hci_sent_cmd_data(hdev, opcode)) {
3378                 /* Some CSR based controllers generate a spontaneous
3379                  * reset complete event during init and any pending
3380                  * command will never be completed. In such a case we
3381                  * need to resend whatever was the last sent
3382                  * command.
3383                  */
3384                 if (test_bit(HCI_INIT, &hdev->flags) && opcode == HCI_OP_RESET)
3385                         hci_resend_last(hdev);
3386
3387                 return;
3388         }
3389
3390         /* If the command succeeded and there's still more commands in
3391          * this request the request is not yet complete.
3392          */
3393         if (!status && !hci_req_is_complete(hdev))
3394                 return;
3395
3396         /* If this was the last command in a request the complete
3397          * callback would be found in hdev->sent_cmd instead of the
3398          * command queue (hdev->cmd_q).
3399          */
3400         if (hdev->sent_cmd) {
3401                 req_complete = bt_cb(hdev->sent_cmd)->req.complete;
3402
3403                 if (req_complete) {
3404                         /* We must set the complete callback to NULL to
3405                          * avoid calling the callback more than once if
3406                          * this function gets called again.
3407                          */
3408                         bt_cb(hdev->sent_cmd)->req.complete = NULL;
3409
3410                         goto call_complete;
3411                 }
3412         }
3413
3414         /* Remove all pending commands belonging to this request */
3415         spin_lock_irqsave(&hdev->cmd_q.lock, flags);
3416         while ((skb = __skb_dequeue(&hdev->cmd_q))) {
3417                 if (bt_cb(skb)->req.start) {
3418                         __skb_queue_head(&hdev->cmd_q, skb);
3419                         break;
3420                 }
3421
3422                 req_complete = bt_cb(skb)->req.complete;
3423                 kfree_skb(skb);
3424         }
3425         spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
3426
3427 call_complete:
3428         if (req_complete)
3429                 req_complete(hdev, status);
3430 }
3431
3432 static void hci_rx_work(struct work_struct *work)
3433 {
3434         struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
3435         struct sk_buff *skb;
3436
3437         BT_DBG("%s", hdev->name);
3438
3439         while ((skb = skb_dequeue(&hdev->rx_q))) {
3440                 /* Send copy to monitor */
3441                 hci_send_to_monitor(hdev, skb);
3442
3443                 if (atomic_read(&hdev->promisc)) {
3444                         /* Send copy to the sockets */
3445                         hci_send_to_sock(hdev, skb);
3446                 }
3447
3448                 if (test_bit(HCI_RAW, &hdev->flags)) {
3449                         kfree_skb(skb);
3450                         continue;
3451                 }
3452
3453                 if (test_bit(HCI_INIT, &hdev->flags)) {
3454                         /* Don't process data packets in this states. */
3455                         switch (bt_cb(skb)->pkt_type) {
3456                         case HCI_ACLDATA_PKT:
3457                         case HCI_SCODATA_PKT:
3458                                 kfree_skb(skb);
3459                                 continue;
3460                         }
3461                 }
3462
3463                 /* Process frame */
3464                 switch (bt_cb(skb)->pkt_type) {
3465                 case HCI_EVENT_PKT:
3466                         BT_DBG("%s Event packet", hdev->name);
3467                         hci_event_packet(hdev, skb);
3468                         break;
3469
3470                 case HCI_ACLDATA_PKT:
3471                         BT_DBG("%s ACL data packet", hdev->name);
3472                         hci_acldata_packet(hdev, skb);
3473                         break;
3474
3475                 case HCI_SCODATA_PKT:
3476                         BT_DBG("%s SCO data packet", hdev->name);
3477                         hci_scodata_packet(hdev, skb);
3478                         break;
3479
3480                 default:
3481                         kfree_skb(skb);
3482                         break;
3483                 }
3484         }
3485 }
3486
3487 static void hci_cmd_work(struct work_struct *work)
3488 {
3489         struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
3490         struct sk_buff *skb;
3491
3492         BT_DBG("%s cmd_cnt %d cmd queued %d", hdev->name,
3493                atomic_read(&hdev->cmd_cnt), skb_queue_len(&hdev->cmd_q));
3494
3495         /* Send queued commands */
3496         if (atomic_read(&hdev->cmd_cnt)) {
3497                 skb = skb_dequeue(&hdev->cmd_q);
3498                 if (!skb)
3499                         return;
3500
3501                 kfree_skb(hdev->sent_cmd);
3502
3503                 hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
3504                 if (hdev->sent_cmd) {
3505                         atomic_dec(&hdev->cmd_cnt);
3506                         hci_send_frame(skb);
3507                         if (test_bit(HCI_RESET, &hdev->flags))
3508                                 del_timer(&hdev->cmd_timer);
3509                         else
3510                                 mod_timer(&hdev->cmd_timer,
3511                                           jiffies + HCI_CMD_TIMEOUT);
3512                 } else {
3513                         skb_queue_head(&hdev->cmd_q, skb);
3514                         queue_work(hdev->workqueue, &hdev->cmd_work);
3515                 }
3516         }
3517 }
3518
3519 u8 bdaddr_to_le(u8 bdaddr_type)
3520 {
3521         switch (bdaddr_type) {
3522         case BDADDR_LE_PUBLIC:
3523                 return ADDR_LE_DEV_PUBLIC;
3524
3525         default:
3526                 /* Fallback to LE Random address type */
3527                 return ADDR_LE_DEV_RANDOM;
3528         }
3529 }
Linux kernel for KaRo TX COM modules